PaloAltoNetworks / terraform-provider-scm

The Terraform provider for Strata Cloud Manager
Apache License 2.0

Creating a `scm_ike_gateway` then attempting to push config for `Service Connection` results in error #21

Open zbuchheit opened 2 months ago

zbuchheit commented 2 months ago

Describe the bug

When attempting to create a scm_ike_gateway via terraform, the resource completes being created, but when I attempt to push the config for the parent service connection, it results in a validation error.

Validation Error:
 network -> ike -> gateway -> entry attribute name is missing
 network -> ike -> gateway is invalid

Expected behavior

I would expect the resource to create successfully, and also not have validation errors when I attempt to push the service connection's config.

Current behavior

Pushing the created ike gateway and service connection results in error.

Steps to reproduce

  1. Create a scm_ike_gateway, scm_ipsec_tunnel, and scm_service_connection via TF
  2. Attempt to push config
  3. Witness validation error

Context

I was able to create a service connection via the UI without issue and push the config. Also, when looking at the API response in the UI, my IKE gateway does have a value for name as `"@name": "US-DevXX-XXXX",`. I believe the values I have provided for the IKE gateway to be valid, as they work when I create them through the UI as opposed to the API/TF.

shinmog commented 2 months ago

I noticed that there is no Terraform code to reproduce the issue. Could you guys please share a complete Terraform plan that results in an invalid IKE gateway error when attempting to push the config? You also said that when you create the IKE gateway via UI it works. Using the scm_ike_gateway data source to compare the resulting configs for Terraform vs UI would also give me more info. If the data source output doesn't have any differences between Terraform created vs UI created, enable debug logging on Terraform and check the JSON returned from the API, as there may be fields present in the JSON that are not present in the schema for the scm_ike_gateway data source and resource.

zbuchheit commented 2 months ago

Hi @shinmog, thanks for the reply! I will try and get you a repro and some additional details today.

zbuchheit commented 2 months ago

@shinmog the other engineer I am working with indicated that it seems the behavior is caused by a required naming structure with the IKE gateway. They observed changing the name and being able to resolve the issue. Is there some sort of predefined naming structure required for the resource or documentation somewhere that details what structure the name has to follow?

I am not seeing anything specified in the API https://pan.dev/access/api/prisma-access-config/post-sse-config-v-1-ike-gateways/ other than [0-9a-zA-Z._-]

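The two checks the thread suggests, written up as an added example (not code from the issue or from the provider): validating a candidate gateway name against the only documented constraint, the `[0-9a-zA-Z._-]` character set from the pan.dev page linked above, and recursively diffing two API JSON documents (for instance the UI-created and Terraform-created gateways read back via the data source or Terraform debug logging) to surface fields present on one side but not the other. The two gateway documents below are constructed samples built from the attribute names used in this thread; `ui_only_field_example` is a placeholder, not a real API field.

```python
import re
from typing import Any, Dict, List, Tuple

# Character set documented on the pan.dev IKE gateway page cited in the thread.
# Any further naming rule the backend enforces is undocumented there, so this
# check can only tell you that a name is *not* rejected for its characters.
_NAME_CHARSET = re.compile(r"^[0-9a-zA-Z._-]+$")
_ALLOWED_CHAR = re.compile(r"[0-9a-zA-Z._-]")


def check_name(name: str) -> List[str]:
    """Return a list of problems with an IKE gateway name; empty means it passes
    the documented character-set rule."""
    problems: List[str] = []
    if not name:
        problems.append("name is empty")
    elif not _NAME_CHARSET.match(name):
        bad = sorted({c for c in name if not _ALLOWED_CHAR.match(c)})
        problems.append(f"characters outside [0-9a-zA-Z._-]: {bad!r}")
    return problems


def diff_json(a: Any, b: Any, path: str = "") -> List[Tuple[str, str]]:
    """Recursively compare two JSON-like objects. Each result is (json-path,
    description): a key present on only one side, a list length mismatch, or a
    scalar that differs. Dict keys are walked in sorted order for stable output."""
    out: List[Tuple[str, str]] = []
    if isinstance(a, dict) and isinstance(b, dict):
        for key in sorted(set(a) | set(b)):
            sub = f"{path}/{key}"
            if key not in a:
                out.append((sub, "only in second"))
            elif key not in b:
                out.append((sub, "only in first"))
            else:
                out.extend(diff_json(a[key], b[key], sub))
    elif isinstance(a, list) and isinstance(b, list):
        if len(a) != len(b):
            out.append((path, f"list length {len(a)} vs {len(b)}"))
        for i, (x, y) in enumerate(zip(a, b)):
            out.extend(diff_json(x, y, f"{path}[{i}]"))
    elif a != b:
        out.append((path, f"{a!r} != {b!r}"))
    return out


# Constructed sample: what a UI-created gateway might look like when read back.
UI_GATEWAY: Dict[str, Any] = {
    "name": "gateway-ui",
    "folder": "Remote Networks",
    "peer_address": {"dynamic_address": True},
    "peer_id": {"type": "fqdn", "id": "Terrafoo"},
    "protocol": {"version": "ikev2", "ikev2": {"ike_crypto_profile": "PaloAlto-Networks-IKE-Crypto"}},
    "ui_only_field_example": "placeholder",  # constructed: stands in for a field absent from the TF schema
}

# Constructed sample: the same object as created through Terraform.
TF_GATEWAY: Dict[str, Any] = {
    "name": "gateway1",
    "folder": "Remote Networks",
    "peer_address": {"dynamic_address": True},
    "peer_id": {"type": "fqdn", "id": "Terrafoo"},
    "protocol": {"version": "ikev2", "ikev2": {"ike_crypto_profile": "PaloAlto-Networks-IKE-Crypto"}},
}


def compare_gateways() -> List[Tuple[str, str]]:
    """Diff the two constructed gateway documents (UI first, Terraform second)."""
    return diff_json(UI_GATEWAY, TF_GATEWAY)


if __name__ == "__main__":
    for candidate in ("gateway1", "ZbuchheitServiceConnectionIkeGw1", "bad name!"):
        print(candidate, "->", check_name(candidate) or "ok")
    for json_path, what in compare_gateways():
        print(json_path, what)
```

Any path reported as "only in first" is a field the UI-created object carries that the Terraform-created one does not, which is exactly the kind of schema gap shinmog asks about; a name that passes `check_name` but is still rejected on push points at a rule the OpenAPI spec does not describe.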
shinmog commented 2 months ago

It certainly sounds like there are some requirements on the naming, but if the provider itself doesn't present those requirements (aka must match a regex), then that means the OpenAPI file the provider was built from didn't contain that information.

If the OpenAPI spec contains this information, then the provider can help enforce it.

But it sounds like you have a solution at this point..?

zbuchheit commented 2 months ago

We have a workaround for right now in that we have figured out a value that will work by reverse-engineering one from a successful creation via GUI, but this is very fragile and brittle.

It would be nice to have a precise answer for what the undocumented naming requirements need to be. Is there a resource internally you could get an answer to this from?

I understand the OpenAPI spec is missing this information, but just adding details to the docs on this would be quite helpful.

stealthllama commented 1 month ago

I was unable to reproduce this error. I was able to create an IKE gateway named gateway1, associate it to an IPsec tunnel resource, and then create a remote network. Everything passed the commit validation and deployed without issue.

resource "scm_ike_gateway" "gw1" {
  folder = "Remote Networks"
  name   = "gateway1"
  peer_address = {
    dynamic_address = true
  }
  peer_id = {
    type = "fqdn"
    id   = "Terrafoo"
  }

  protocol = {
    version = "ikev2"
    ikev2 = {
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
      dpd = {
        enable = false
      }
    }
  }
  authentication = {
    pre_shared_key = {
      key = "secret123!"
    }
  }
}

resource "scm_ipsec_tunnel" "tun1" {
  folder = "Remote Networks"
  name   = "tunnel1"
  auto_key = {
    ike_gateways = [
      {
        name = scm_ike_gateway.gw1.name
      }
    ]
    ipsec_crypto_profile = "PaloAlto-Networks-IPSec-Crypto"
  }
}

resource "scm_remote_network" "rn1" {
  folder       = "Remote Networks"
  name         = "Test"
  region       = "us-east-1"
  spn_name     = "us-east-coral"
  ipsec_tunnel = scm_ipsec_tunnel.tun1.name
}

zbuchheit commented 2 weeks ago

If you try with the scm_ike_gateway with a name of "ZbuchheitServiceConnectionIkeGw1", does your repro still work? That is the format we used on our name and encountered trouble.