
terraform-provider-panos's Introduction

Terraform Provider for Palo Alto Networks PANOS

Requirements

  • Terraform 0.10.x
  • Go 1.11 (to build the provider plugin)

Building The Provider

Clone repository to: $GOPATH/src/github.com/terraform-providers/terraform-provider-panos

$ mkdir -p $GOPATH/src/github.com/terraform-providers; cd $GOPATH/src/github.com/terraform-providers
$ git clone git@github.com:terraform-providers/terraform-provider-panos

Enter the provider directory and build the provider

$ cd $GOPATH/src/github.com/terraform-providers/terraform-provider-panos
$ make build

Using the provider

If you're building the provider, follow the instructions to install it as a plugin. After placing it into your plugins directory, run terraform init to initialize it.

See the Palo Alto Networks PANOS Provider documentation to get started using the provider.

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (version 1.11+ is required). You'll also need to correctly set up a GOPATH, as well as add $GOPATH/bin to your $PATH.

To compile the provider, run make build. This will build the provider and put the provider binary in the $GOPATH/bin directory.

$ make build
...
$ $GOPATH/bin/terraform-provider-panos
...

In order to test the provider, you can simply run make test.

$ make test

In order to run the full suite of Acceptance tests, run make testacc.

Note: Acceptance tests create real resources, and often cost money to run.

$ make testacc

terraform-provider-panos's People

Contributors

appilon, bflad, catsby, cdot65, dersoi, eric-jckson, gliptak, jamesholland-uk, migara, mpbdn, nfagerlund, paultyng, radeksimko, shinmog, wolffberg


terraform-provider-panos's Issues

Device Groups

In Panorama, I can create Address Groups, where the members are simply IP addresses. It seems that in Terraform, it errors on this, and requires you building individual Address objects for each member.

Feature Request: ability to attach Panorama template to a template stack

Again, fantastic job and many kudos to Palo Alto Networks for building out this panos Terraform provider!

We would like a new panos attachment or _entry resource that gives us the ability to individually include a template in a specified template stack.

Our use case is a template that contains the gap of everything we can't yet configure via Terraform, we need to build a Panorama template manually. We want the ability to attach that manually-created template to the template stack that was created by Terraform.

Currently, the panos_panorama_template_stack resource includes an exhaustive list of all templates which are included in the stack. If we try to log in to the Panorama GUI and attach our manually-created template to this stack, the next time we run terraform apply it will remove our pet template from the stack.

Need functionality similar to how panos_panorama_device_group_entry and panos_panorama_template_stack_entry work for attaching individual device serial numbers to the respective resources, but instead for managing the list of templates which are included in the stack.

There's an unfortunate collision on the name panos_panorama_template_stack_entry. It's already used for attaching individual devices to the template stack. We need the other list in the stack to be individually attachable too. Not sure what to suggest for a name for the new attachment resource.

Ability to create device group hierarchies

The Device group resource does not contain the ability to tie device groups together.
Would like to be able to do this in terraform in order to manage device groups entirely in terraform.

resource "panos_panorama_device_group" "example" {
    name = "my device group"
    description = "description here"
}

Rule ordering for NAT rules

There are instances where rule order is important for NAT rules.
Sometimes we will have NAT rules that do address and port translation, followed by a rule that just does address translation as a catch-all.
It looks like Terraform doesn't do ordering like the Firewall Rules section does, so the results are unpredictable.

Possible bug: Panorama template stack not setting default vsys correctly

Hello,
When we use a panos_panorama_template_stack resource, Terraform applies successfully. However, when we log in to the GUI to perform a Commit, it fails to commit with the following error message:

Removing the default VSYS will result in VSYS configuration not being pushed to firewalls with single virtual system.

The assumption based on the documentation (specifically, the absence of a "vsys" argument) is that we can ignore the VSYS entirely. It seems that the template stack is either staging the deletion of the VSYS or setting it to a different value than vsys1.

Ref: https://www.terraform.io/docs/providers/panos/r/panorama_template_stack.html

Separate side note -- this documentation page is missing an Attribute Reference section header... :)

Feature Request: Add best practices (Iron-skillet) Security-related Device Settings option.

It'll be nice to have the option to set best practices on the firewall, mainly the security-related ones, since that helps with the initial firewall onboarding process.
https://github.com/PaloAltoNetworks/iron-skillet
https://iron-skillet.readthedocs.io/en/panos_v8.0/panos_template_guide.html#general-device-configuration
https://www.paloaltonetworks.com/documentation/71/pan-os/pan-os/threat-prevention/best-practices-for-securing-your-network-from-layer-4-and-layer-7-evasions
It could be defined as a single flag to enable them all.

Creating Panorama Services fails

It works properly for Shared Objects, but can't put services into specific Device Groups.

panos_panorama_service_object.tcp_1026: Could not find schema node for xpath /config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='exampledg']/service

Was originally trying with nested Device groups, but all levels fail except for Shared. The Device Groups work properly for any manually created services.

Feature Request: support Terraform Import on Panorama resources

Hello, we'd like to be able to perform a terraform import command on several panos_panorama_ resources. It seems that each Terraform resource needs to support the terraform import command.

Would you please add support for all panos resources in general to be able to be imported, beginning with these:

panos_panorama_zone
panos_panorama_virtual_router
panos_panorama_management_profile
panos_panorama_ethernet_interface

Feature Request: security policy group resource

I have been trying out the panorama support 1.1.0, thanks for the hard work @shinmog!

I am afraid though, in its present form, I cannot make use of panos_panorama_security_policies due to the flow used in creating/updating policies. Currently, it seems the entire rulebase for a device group is deleted and recreated on an apply. I can see how this was the easy solution when thinking all policy is managed with terraform. However, I have to argue one's panorama use case is often different. In my particular case, my terraform config and state is broken down at the application and environment level. All the while, the policies created in these disparate places all go into a small set of device groups in panorama. This is just the nature of the firewall deployments. Plus, there is human-managed policy mixed in, in some cases. Again this is just the nature of how panorama is used.

Thus, I cannot delete and rebuild a device group rulebase on each apply, because the policy is distributed across many terraform configs.

Feature Request: better error messages

Is there any way to make the error messages more useful?
For example, the following two "errors" create the same "rules is invalid" message.

  1. Rule Name length over 31 characters
  2. Duplicate rule name.

Any logic would help, or even an error message saying at which Line number, the rules file became invalid.
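A pre-flight check along the lines this issue asks for, as an added Go example that is not provider or pango code: it validates the rule names before anything is pushed and reports the position and cause of every failure instead of a bare "rules is invalid". The 31-character limit is the one quoted in the issue; ValidateRuleNames and RuleError are hypothetical names, and other PAN-OS naming constraints are not covered here.

```go
package main

import (
	"fmt"
	"strings"
	"unicode/utf8"
)

// maxRuleNameLen is the 31-character limit the issue reports being enforced.
const maxRuleNameLen = 31

// RuleError pins a failure to one rule by position and name, which is the
// detail the generic "rules is invalid" message lacks.
type RuleError struct {
	Index  int // zero-based position in the rulebase as written
	Name   string
	Reason string
}

func (e RuleError) Error() string {
	return fmt.Sprintf("rule #%d (%q): %s", e.Index+1, e.Name, e.Reason)
}

// ValidateRuleNames (hypothetical helper) checks the two cases from the issue,
// over-long names and duplicate names, plus empty names, and returns every
// offending rule rather than stopping at the first. Length is counted in
// characters, not bytes, so a non-ASCII name is judged as the user sees it.
func ValidateRuleNames(names []string) []RuleError {
	var errs []RuleError
	seen := make(map[string]int, len(names)) // name -> index of first occurrence
	for i, name := range names {
		if strings.TrimSpace(name) == "" {
			errs = append(errs, RuleError{i, name, "name is empty"})
			continue
		}
		if n := utf8.RuneCountInString(name); n > maxRuleNameLen {
			errs = append(errs, RuleError{i, name,
				fmt.Sprintf("name is %d characters, limit is %d", n, maxRuleNameLen)})
		}
		if first, dup := seen[name]; dup {
			errs = append(errs, RuleError{i, name, fmt.Sprintf("duplicate of rule #%d", first+1)})
			continue
		}
		seen[name] = i
	}
	return errs
}

func main() {
	// Constructed sample rulebase: rule 2 is 38 characters, rule 4 repeats rule 1.
	rules := []string{
		"allow-web-from-dmz",
		"allow-database-replication-from-site-b",
		"deny-all",
		"allow-web-from-dmz",
	}
	for _, e := range ValidateRuleNames(rules) {
		fmt.Println(e)
	}
}
```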

Trying to assign interface to zone, getting layer3 is invalid

I create an interface object, as layer3 as ethernet1/1

I can create the zone with layer3 just fine, but if I try to create the zone with layer3 and interfaces = ["ethernet1/1"] I get an error that layer3 is invalid.

So it doesn't seem possible to define an interface, and a zone, and associate the zone to the interface.

PANOS / Panorama Credentials File

Please add the ability to use a "dotfile" like AWS provider, and pan-python, instead of using environment variables or Terraform variables for credentials. Environment variables can be discoverable during the run.
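The credentials-file loader this issue asks for, sketched as an added Go example that is not part of the provider or of pango (which today take credentials from provider arguments or environment variables): it parses a pan-python style ~/.panrc with optional %tag profiles and refuses a file that group or others can read, since a dotfile only improves on environment variables if nothing else on the host can read it. The file format and key names are modelled on pan-python's .panrc and are an assumption; ParsePanrc and LoadPanrc are hypothetical names.

```go
package main

import (
	"bufio"
	"errors"
	"fmt"
	"io"
	"os"
	"strings"
)

type Credentials struct{ Hostname, APIKey string } // what a .panrc profile supplies

// ParsePanrc (hypothetical) reads "key=value" lines, skipping blank lines and
// '#' comments. A key may carry a "%tag" suffix selecting a named profile, as in
// pan-python's .panrc; only entries whose tag equals the requested one are used.
func ParsePanrc(r io.Reader, tag string) (Credentials, error) {
	var c Credentials
	sc := bufio.NewScanner(r)
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		rawKey, val, ok := strings.Cut(line, "=")
		if !ok {
			return Credentials{}, fmt.Errorf("panrc line %d: expected key=value", n)
		}
		key, keyTag, _ := strings.Cut(strings.TrimSpace(rawKey), "%")
		if keyTag != tag {
			continue // entry belongs to another profile
		}
		switch key { // other .panrc keys (port, serial, ...) are ignored here
		case "hostname":
			c.Hostname = strings.TrimSpace(val)
		case "api_key":
			c.APIKey = strings.TrimSpace(val)
		}
	}
	if err := sc.Err(); err != nil {
		return Credentials{}, err
	}
	if c.Hostname == "" || c.APIKey == "" {
		return Credentials{}, errors.New("panrc: profile needs both hostname and api_key")
	}
	return c, nil
}

// LoadPanrc (hypothetical) refuses a file readable by group or others, the way
// ssh treats a private key, before parsing it.
func LoadPanrc(path, tag string) (Credentials, error) {
	info, err := os.Stat(path)
	if err != nil {
		return Credentials{}, err
	}
	if perm := info.Mode().Perm(); perm&0077 != 0 {
		return Credentials{}, fmt.Errorf("%s: mode %04o is too open, expected 0600", path, perm)
	}
	f, err := os.Open(path)
	if err != nil {
		return Credentials{}, err
	}
	defer f.Close()
	return ParsePanrc(f, tag)
}

func main() {
	// Constructed sample content with an untagged profile and a "lab" profile.
	const sample = "hostname=panorama.example.internal\napi_key=CONSTRUCTED-KEY\n" +
		"hostname%lab=lab-fw.example.internal\napi_key%lab=LAB-KEY\n"
	c, err := ParsePanrc(strings.NewReader(sample), "lab")
	fmt.Println(c.Hostname, err)
}
```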

Feature Request: Document outputs of each resource

Other Terraform providers with which I'm familiar provide documentation on each of the values that are output, but the panos provider does not seem to have any Outputs section in any of the resources. Prior to working with the panos provider I was unaware that Terraform Providers had a default set of outputs. It would assist us Terraform developers to include documentation in each resource type exactly which outputs can be expected, and their value types.

NAT Rule Destination Address Translation Type

In AWS, trying to do a NAT Destination translation to an ELB which would have multiple addresses. It seems like I can't choose Destination Address Translation Type; it defaults to Static IP, where I need Dynamic IP (with session distribution). When I try to push from Terraform with a FQDN object, it errors out, which makes sense if you can't choose Dynamic.

Is there a workaround, or a different way of accomplishing this?

Feature Request: new interface zone entry resource

First, thank you for the fantastic work in this panos provider!

We are automating as much as possible, and using the panos provider as much as possible. We create zones in one Terraform stack and then call a module to set up new VPN tunnels. Each VPN Connection setup involves, among other resources, a pair of new tunnel interfaces.

Intuitively, we would want to create the new tunnel interfaces inside the module, as they are part of the VPN Connection package/service offering. However, currently we have to move the creation of these two tunnel interfaces outside the module, because currently the only way to include an interface in a zone is by listing the interface in the zone resource (either panos_zone or panos_panorama_zone). This works, but is sub-optimal.

I'd like to suggest a panos_zone_interface_attachment resource type that creates the connection between the ID of the panos_zone resource and the ID of the panos_tunnel_interface. This type of resource would enable us to then pass the zone resource ID as a variable into our VPN Connection setup module, create the tunnel interface and include it in the zone all from inside the module.

Here's a good illustrative example from the AWS provider:
https://www.terraform.io/docs/providers/aws/r/iam_role_policy_attachment.html

Feature Request: BGP configuration in a virtual router

Our use case is injecting default routes across VPN tunnels into AWS VPCs. We require the dynamic routing type of AWS VPN because we have designed the architecture around the instantaneous failover experience of BGP (static would require passing around a detached ENI like a hot potato and takes 30-90 seconds because of how AWS works).

Specifically, we need the ability to configure the following features at minimum:

  • redistribution profile (gives remote VPCs a default route pointing towards the Egress VPN tunnel)
    • Static is all we need for now
  • BGP routing
    • AS Number
    • Router ID
    • Peer Groups
    • Redistribute Rules (specifying the redist profile)

Virtual Router - Static Routes

This is a request for adding functionality for adding static routes to virtual routers via terraform panos.

I suggest something like this:

resource "panos_static_route" "sroute" {
    name = "default_route"
    destination = "0.0.0.0/0"
    interface = "${panos_ethernet_interface.ethernet1.name}"
    type = "ip-address" // (next-hop) (ip address | next vr | discard | none)
    value = "124.124.124.124" // whatever ip address
    admin_distance = "default" // or between 10 - 240
    metric = 10
    route_table = "unicast" // (unicast | multicast | both | no install)
}

I have left out path monitoring, as this is not something particularly necessary to be configurable. Of course, its inclusion would be nice. I don't feel it's something that should halt the progress of implementing static routes though :)

Let me know if you would like assistance with implementation,

Thanks!

Leveraging PAN pre-defined objects

The PAN pre-defined service objects should be referenced via TF data objects, such that I can utilize them in my TF files. For example, SSH is already defined as an application; however, I need a way to reference it in a security policy. All customers will eventually want to consume this data, so if there was a .tf file we could all download that contained all of the objects, that would be awesome. As services change or get added with major releases, they could be updated here, and people could use the corresponding version.

Cannot compile commit.go

Dear all,
As a beginner, I am trying to compile commit.go as indicated in the documentation (https://www.terraform.io/docs/providers/panos/index.html) and unfortunately I get the following error.

go build commit.go
commit.go:7:1: cannot find package "github.com/PaloAltoNetworks/pango" in any of:
/usr/lib/go-1.6/src/github.com/PaloAltoNetworks/pango (from $GOROOT)
/home/ubuntu/go/src/github.com/PaloAltoNetworks/pango (from $GOPATH)

What am I doing wrong?
Thanks a lot in advance for your support.
Best regards
Paul

Add Ability to Commit - Opt-In

As an opt-in, allow for the commit to Panorama and/or Firewalls, and the push of the config from Panorama to the Firewalls.

Unable to reference ethernet interface created by different template

Terraform Version

Terraform v0.11.8
+ provider.panos v1.4.0

Terraform Configuration Files

We are using IKE and IPSec resources to reproduce this error, but a zone is a simpler resource to illustrate this issue.

resource "panos_panorama_template" "tmpl1" {
  name = "MyInfrastructureTemplate"
}

resource "panos_panorama_template" "tmpl2" {
  name = "MyLocationSpecificTemplate"
}

resource "panos_panorama_ethernet_interface" "example1" {
    name = "ethernet1/1"
    template = "${panos_panorama_template.tmpl1.name}"
    mode = "layer3"
    enable_dhcp = "true"
}

resource "panos_panorama_zone" "example2" {
    name = "my_zone"
    template = "${panos_panorama_template.tmpl2.name}"
    mode = "layer3"
    interfaces = ["${panos_panorama_ethernet_interface.example1.name}"]
}

Expected Behavior

panos_panorama_template.tmpl2: Creating...
  default_vsys: "" => "<computed>"
  devices.#:    "" => "<computed>"
  name:         "" => "MyOtherTemplate"
panos_panorama_template.tmpl1: Creating...
  default_vsys: "" => "<computed>"
  devices.#:    "" => "<computed>"
  name:         "" => "MyTemplate"
panos_panorama_template.tmpl1: Creation complete after 1s (ID: MyTemplate)
panos_panorama_ethernet_interface.example1: Creating...
  create_dhcp_default_route: "" => "true"
  dhcp_default_route_metric: "" => "10"
  enable_dhcp:               "" => "true"
  mode:                      "" => "layer3"
  name:                      "" => "ethernet1/1"
  template:                  "" => "MyTemplate"
  vsys:                      "" => "vsys1"
panos_panorama_template.tmpl2: Creation complete after 1s (ID: MyOtherTemplate)
panos_panorama_ethernet_interface.example1: Creation complete after 0s (ID: MyTemplate::vsys1:ethernet1/1)
panos_panorama_zone.example2: Creating...
  interfaces.#: "" => "1"
  interfaces.0: "" => "ethernet1/1"
  mode:         "" => "layer3"
  name:         "" => "my_zone"
  template:     "" => "MyOtherTemplate"
  vsys:         "" => "vsys1"

Apply complete! Resources: 4 added, 0 changed, 0 destroyed.

Actual Behavior

panos_panorama_template.tmpl2: Creating...
  default_vsys: "" => "<computed>"
  devices.#:    "" => "<computed>"
  name:         "" => "MyOtherTemplate"
panos_panorama_template.tmpl1: Creating...
  default_vsys: "" => "<computed>"
  devices.#:    "" => "<computed>"
  name:         "" => "MyTemplate"
panos_panorama_template.tmpl1: Creation complete after 1s (ID: MyTemplate)
panos_panorama_ethernet_interface.example1: Creating...
  create_dhcp_default_route: "" => "true"
  dhcp_default_route_metric: "" => "10"
  enable_dhcp:               "" => "true"
  mode:                      "" => "layer3"
  name:                      "" => "ethernet1/1"
  template:                  "" => "MyTemplate"
  vsys:                      "" => "vsys1"
panos_panorama_template.tmpl2: Creation complete after 1s (ID: MyOtherTemplate)
panos_panorama_ethernet_interface.example1: Creation complete after 0s (ID: MyTemplate::vsys1:ethernet1/1)
panos_panorama_zone.example2: Creating...
  interfaces.#: "" => "1"
  interfaces.0: "" => "ethernet1/1"
  mode:         "" => "layer3"
  name:         "" => "my_zone"
  template:     "" => "MyOtherTemplate"
  vsys:         "" => "vsys1"

Error: Error applying plan:

1 error(s) occurred:

* panos_panorama_zone.example2: 1 error(s) occurred:

* panos_panorama_zone.example2:  vsys -> vsys1 -> zone -> my_zone -> network -> layer3 is invalid

Terraform does not automatically rollback in the face of errors.
Instead, your Terraform state file has been partially updated with
any resources that successfully completed. Please address the error
above and apply again to incrementally change your infrastructure.

Steps to Reproduce

  1. Set up .tf file with the above quoted code and configure a panos provider in a temp dir
  2. terraform init
  3. terraform apply

If you change the template of panos_panorama_zone.example2 to match the same template as the one which creates the ethernet interface (template = "${panos_panorama_template.tmpl1.name}"), then everything applies successfully.

Additional Context

It appears that certain networking resources are required to be created within the same template as where they are referenced. Our intuitive template hierarchy separates the creation of ethernet interfaces away from the setup of VPN tunnels that will use that interface, so that we can modularize the VPN tunnel setup. If the Panorama template ecosystem is designed in such a way that we cannot separate these, then we will need several more data sources to be made available in the panos provider so that we can lookup the needed values (e.g. the name of an ethernet interface created by an infrastructure template).

This may be obvious to someone more experienced with the Palo Alto Networks ecosystem, but it was a struggle to figure out based on the given error message that the root cause here was actually a template mismatch.

Feature Request: subinterface creation

The panos_ethernet_interface resource does not permit creating subinterfaces.

The use case is the ability to create subinterfaces for VLAN tagging when the parent interface is configured as a trunk.

Commit hangs the VM-series

Running 8.1 PA on Azure. Trying this provider for the first time.

I apply with TF, and it's fine. When I manually commit through the UI, it warns me about my interfaces not having a zone, but then it hangs half-way through the commit and the VM is effectively dead, even a reboot doesn't save it.

This happens consistently.

Add "Virtual Router" and "Security Zone" option in panos_*_interface

Hi,

First of all, thank you for your work, it's very helpful!

I would love to have the possibility to assign an interface (Ethernet, VLAN, loopback, tunnel) to a "Virtual Router" and "Security Zone" from the panos_*_interface resource. Same as the "Assign Interface To" option in the web interface when one creates an interface.

Something like:

resource "panos_tunnel_interface" "tunnel_int" {
  name           = "tunnel.${local.tunnel_number}"
  static_ips     = ["${panos_address_object.tunnelip.name}"]
  virtual_router = "${var.virtual_router_name}"
  zone           = "${panos_zone.zone.name}"
  comment        = "tf - Used for IPSEC"
}

My use case:

I want to use Terraform to create a Site-to-Site VPN between our network and dynamics infrastructure in Azure.

So "terraform apply" will create the infrastructure in Azure and the VPN on site.

To add a static route to the other side of the VPN I need to assign the tunnel.XX interface to our virtual router. But I don't want to manage the virtual router with Terraform as it is not only used for that specific use case and a "terraform destroy" would delete it.

Regards,

Cédric

PAN-OS licensing API support

Need the ability to activate and deactivate licenses for VM-Series devices. This is key for users that have BYOL licensing versus PAYG.

A good example of how this may be used is available in the pan-python repo.

Add Panorama Support

All of our configuration on firewalls is performed through Panorama. Please add Panorama support so we can specify the device group or template to which resources should be applied.

Resource Zone

While creating the resource, I am facing the following error.

panos_zone.external: network -> layer3 is invalid

SSL Certificate Support

Please add support to manage certificates on the Device tab for a particular Template through Panorama. For certificates with the private key, please do not store the key in the state file, or if you do make sure it is the encrypted key, and do not store the password.
