terraform-provider-panos
Commit via Terraform shows successful but Console shows commit failed on incorrect NAT rule
Describe the bug
After creating a simple NAT rule via the Palo Alto Terraform module "panos_nat_rule_group", when the commit is done via the API in a Terraform null_resource, the API response is successful and the commit job is queued. However, when checking the FW GUI under Task Manager, the status of the commit is failed due to an incorrect NAT rule, which Terraform pushed successfully earlier with "panos_nat_rule_group".
Expected behavior
- If the NAT rule had incorrect settings, Terraform should not have applied it successfully on the firewall.
- When doing the commit via the API, it should not respond with a successful commit message if the commit is failing due to incorrect FW configuration.
Current behavior
- The NAT rule with incorrect settings was successfully pushed by the Terraform module.
- The commit was enqueued and reported successful during the Terraform deployment; however, the Firewall Console/Task Manager shows the commit failed due to a configuration error in the NAT rule.
Possible solution
Steps to reproduce
Create svc object, NAT rule, and null_resource as follows:

```hcl
# Service object referenced by the NAT rule below
resource "panos_service_object" "svc" {
  name             = "ssh-5678"
  vsys             = "vsys1"
  protocol         = "tcp"
  description      = "ssh port for web"
  destination_port = "5678"

  lifecycle {
    create_before_destroy = true
  }
}

# NAT rule that is pushed successfully but later fails the commit
resource "panos_nat_rule_group" "test" {
  rule {
    name          = "nat_rule04"
    audit_comment = "Initial config"

    original_packet {
      source_zones          = ["untrust"]
      destination_zone      = "untrust"
      destination_interface = "any"
      source_addresses      = ["any"]
      destination_addresses = ["any"]
      service               = "ssh-5678"
    }

    translated_packet {
      source {}
      destination {
        static_translation {
          address = "10.0.0.3"
          port    = 22
        }
      }
    }
  }

  lifecycle {
    create_before_destroy = true
  }

  depends_on = [resource.panos_service_object.svc]
}

# Commit via the XML API; the response is not checked beyond curl's own exit status
resource "null_resource" "commit" {
  provisioner "local-exec" {
    command = <<EOF
curl -k -X GET -H 'Authorization: Basic XXXX ' 'https://${var.primary_mgmt_ip}/api/?type=commit&cmd=<commit></commit>'
EOF
  }

  depends_on = [resource.panos_nat_rule_group.test, resource.panos_service_object.svc]
}
```
Screenshots
Context
Adding and testing firewall policies/rules
Your Environment
- model: PA-VM
- vm-mode: KVM
- cloud-mode: cloud
- sw-version: 11.0.1
- vm_series: vm_series-4.0.1
- platform-family: vm
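
Added example (not part of the issue report or the provider's code): on PAN-OS the `type=commit` request only enqueues a job, so `status="success"` in its reply means "queued", not "committed". The Python below extracts the job id and polls the job until it finishes, raising on a failed result; the XML samples are constructed and `fetch_job` is a hypothetical callable standing in for the HTTPS request.

```python
import time
import xml.etree.ElementTree as ET
# Constructed sample responses (not captured from a real firewall).
ENQUEUED = ('<response status="success" code="19"><result><msg><line>Commit job '
            'enqueued with jobid 7</line></msg><job>7</job></result></response>')
PENDING = ('<response status="success"><result><job><id>7</id>'
           '<status>ACT</status><result>PEND</result></job></result></response>')
FAILED = ('<response status="success"><result><job><id>7</id><status>FIN</status>'
          '<result>FAIL</result><details><line>constructed error for nat_rule04'
          '</line><line>Commit failed</line></details></job></result></response>')

def parse_commit_job_id(xml_text):
    """Job id from a type=commit response; None if no job was enqueued."""
    root = ET.fromstring(xml_text)
    if root.get("status") != "success":
        raise RuntimeError("commit request rejected: " + xml_text.strip())
    job = root.findtext("./result/job")
    return job.strip() if job else None

def parse_job(xml_text):
    """(status, result, detail lines) from a 'show jobs id' response."""
    job = ET.fromstring(xml_text).find("./result/job")
    if job is None:
        raise RuntimeError("no <job> element in response")
    details = [ln.text.strip() for ln in job.iterfind("./details/line") if ln.text]
    return job.findtext("status", ""), job.findtext("result", ""), details

def wait_for_commit(fetch_job, job_id, interval=5.0, timeout=600.0, sleep=time.sleep):
    """Poll until the job is FIN; raise unless its result is OK."""
    # fetch_job(job_id): hypothetical callable returning the XML reply to
    # type=op&cmd=<show><jobs><id>JOB_ID</id></jobs></show>
    waited = 0.0
    while True:
        status, result, details = parse_job(fetch_job(job_id))
        if status == "FIN":
            if result != "OK":
                raise RuntimeError(f"commit job {job_id} {result}: " + "; ".join(details))
            return details
        if waited >= timeout:
            raise TimeoutError(f"commit job {job_id} still {status} after {timeout}s")
        sleep(interval)
        waited += interval

if __name__ == "__main__":
    replies = iter([PENDING, FAILED])  # constructed poll sequence
    try:
        wait_for_commit(lambda _id: next(replies), parse_commit_job_id(ENQUEUED), sleep=lambda s: None)
    except RuntimeError as err:
        print(err)
```

Run from the `local-exec` provisioner in place of the bare `curl`, an uncaught exception gives a non-zero exit, which makes `terraform apply` fail when the commit job fails.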