terraform-provider-prismacloud
terraform-provider-prismacloud copied to clipboard
PaloAltoNetworks
Importing the `prismacloud_permission_group` doesn't import the actual permissions.
Describe the bug
When I import an existing prismacloud_permission_group it only imports the id of the resource, nothing else.
Expected behavior
I would think the actual permissions would be imported as well?
Current behavior
Create the correct Terraform code and import the resource:
❯ tg import prismacloud_permission_group.system-admin-read-only xxx
prismacloud_permission_group.system-admin-read-only: Importing from ID "xxx"...
prismacloud_permission_group.system-admin-read-only: Import prepared!
Prepared prismacloud_permission_group for import
prismacloud_permission_group.system-admin-read-only: Refreshing state... [id=xxx]
Import successful!
The resources that were imported are shown above. These resources are now in
your Terraform state and will henceforth be managed by Terraform.
❯
When I then run a plan where the Terraform code matches what's in the UI, I see the below output. Normally, I would think all those arguments should be automatically imported and there should be no change in the plan:
❯ tg plan -out "terraform.plan"
prismacloud_permission_group.system-admin-read-only: Refreshing state... [id=xxx]
Terraform used the selected providers to generate the following execution
plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# prismacloud_permission_group.system-admin-read-only will be updated in-place
~ resource "prismacloud_permission_group" "system-admin-read-only" {
+ associated_roles = (known after apply)
+ description = "Terraform "
id = "xxx"
+ name = "System Admin Read-Only"
+ features {
+ feature_name = "settingsAuditLogs"
+ operations {
+ create = false
+ delete = false
+ read = true
+ update = false
}
}
}
Plan: 0 to add, 1 to change, 0 to destroy.
─────────────────────────────────────────────────────────────────────────────
Saved the plan to: terraform.plan
To perform exactly these actions, run the following command to apply:
terraform apply "terraform.plan"
❯
Looking at the state, I see the only argument that's imported is the id:
❯ tg state list
prismacloud_permission_group.system-admin-read-only
❯ tg state show 'prismacloud_permission_group.system-admin-read-only'
# prismacloud_permission_group.system-admin-read-only:
resource "prismacloud_permission_group" "system-admin-read-only" {
id = "xxx"
}
❯
If I apply a plan with permissions and roles that already exist in the UI for this access group, they are added to the resource just fine:
❯ tg state show 'prismacloud_permission_group.system-admin-read-only'
# prismacloud_permission_group.system-admin-read-only:
resource "prismacloud_permission_group" "system-admin-read-only" {
accept_account_groups = true
accept_code_repositories = true
accept_resource_lists = true
associated_roles = {
"xxx" = "System Admin Read-Only"
}
custom = true
description = "Terraform - System Admin Read-Only"
id = "xxx"
last_modified_by = "xxx"
last_modified_ts = 1703874385273
name = "System Admin Read-Only"
permission_group_type = "Custom"
features {
feature_name = "alarmCentre"
operations {
create = false
delete = false
read = true
update = false
}
}
features {
feature_name = "alarmCentreSettings"
operations {
create = false
delete = false
read = true
update = false
}
}
...
}
❯
Possible solution
Import everything from the first go?
Steps to reproduce
See above.
- Create a
prismacloud_permission_groupresource for an existing access group with its correct roles & permissions etc. - Import that resource. Only the
idis imported. - Need to plan & apply.
Context
From working with other Terraform providers (aws, cloudflare, ...), an import usually imports all the arguments.
