Panorama NAT policy group - nat_rule_group not working

Hi Team,

We are testing panos_nat_rule_group on Panorama and somehow it is not working.

1) Below is the official Terraform documentation for the Panorama NAT policy group:
https://registry.terraform.io/providers/migara/pan-os/latest/docs/resources/nat_rule_group
The example provided does not work. When we run 'terraform plan' it shows no error, but when we run 'terraform apply' it throws a lot of errors.


Below is the version we are using:

terraform {
  required_providers {
    panos = {
      source  = "PaloAltoNetworks/panos"
      version = "1.11.1"
    }
  }
}


Could you share a working Terraform code example for panos_nat_rule_group?

Thanks


=============== below is the code and the error ===============

=============== code from the above website ===============
resource "panos_nat_rule_group" "bot" {
  rule {
    name = "second"
    original_packet {
      source_zones          = [panos_zone.z2.name]
      destination_zone      = panos_zone.z3.name
      destination_interface = panos_ethernet_interface.x.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet {
      source {}
      destination {
        static_translation {
          address = "10.2.3.1"
          port    = 5678
        }
      }
    }
  }
  rule {
    name = "third"
    original_packet {
      source_zones          = [panos_zone.z3.name]
      destination_zone      = panos_zone.z2.name
      destination_interface = panos_ethernet_interface.x.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet {
      source {
        static_ip {
          translated_address = "192.168.1.5"
          bi_directional     = true
        }
      }
      destination {}
    }
  }
}

resource "panos_nat_rule_group" "top" {
  position_keyword   = "directly before"
  position_reference = panos_nat_rule_group.bot.rule.0.name
  rule {
    name = "first"
    original_packet {
      source_zones          = [panos_zone.z1.name]
      destination_zone      = panos_zone.z1.name
      destination_interface = panos_ethernet_interface.x.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet {
      source {
        dynamic_ip_and_port {
          interface_address {
            interface  = panos_ethernet_interface.x.name
            ip_address = panos_ethernet_interface.x.static_ips.0
          }
        }
      }
      destination {
        static_translation {
          address = "10.1.1.1"
          port    = 1234
        }
      }
    }
  }
}

resource "panos_ethernet_interface" "x" {
  name       = "ethernet1/6"
  mode       = "layer3"
  vsys       = "vsys1"
  static_ips = ["10.5.5.1/24"]
}

resource "panos_zone" "z1" {
  name = "z1"
  mode = "layer3"
}

resource "panos_zone" "z2" {
  name = "z2"
  mode = "layer3"
}

resource "panos_zone" "z3" {
  name = "z3"
  mode = "layer3"
}
=========================
[autouser@svrvm1 terraform]$ terraform plan
panos_address_object.objects1["snet-appgw"]: Refreshing state... [id=FW_POC_grp:snet-appgw]
panos_address_object.objects1["snet-greenpreprd"]: Refreshing state... [id=FW_POC_grp:snet-greenpreprd]
panos_panorama_static_route_ipv4.static_route["snet-greenprd"]: Refreshing state... [id=Templates_POC::VR-Trust:snet-greenprd]
panos_address_object.objects1["snet-ext-green"]: Refreshing state... [id=FW_POC_grp:snet-ext-green]
panos_address_object.objects1["nic-fw-amsaw-preprd-pa-001-untrust"]: Refreshing state... [id=FW_POC_grp:nic-fw-amsaw-preprd-pa-001-untrust]
panos_address_object.objects1["green-lb-preprd-frontend"]: Refreshing state... [id=FW_POC_grp:green-lb-preprd-frontend]
panos_panorama_static_route_ipv4.static_route["snet-greenpreprd"]: Refreshing state... [id=Templates_POC::VR-Trust:snet-greenpreprd]
panos_panorama_service_object.service_object["TCP-44308"]: Refreshing state... [id=shared:TCP-44308]
panos_security_policy.tfpostrule1: Refreshing state... [id=FW_POC_grp:post-rulebase:vsys1]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
+ create
Terraform will perform the following actions:
# panos_ethernet_interface.x will be created
+ resource "panos_ethernet_interface" "x" {
+ id = (known after apply)
+ mode = "layer3"
+ name = "ethernet1/6"
+ static_ips = [
+ "10.5.5.1/24",
]
+ vsys = "vsys1"
}
# panos_nat_rule_group.bot will be created
+ resource "panos_nat_rule_group" "bot" {
+ id = (known after apply)
+ vsys = "vsys1"
+ rule {
+ name = "second"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z3"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z2",
]
}
+ translated_packet {
+ destination {
+ static_translation {
+ address = "10.2.3.1"
+ port = 5678
}
}
+ source {
}
}
}
+ rule {
+ name = "third"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z2"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z3",
]
}
+ translated_packet {
+ destination {
}
+ source {
+ static_ip {
+ bi_directional = true
+ translated_address = "192.168.1.5"
}
}
}
}
}
# panos_nat_rule_group.top will be created
+ resource "panos_nat_rule_group" "top" {
+ id = (known after apply)
+ position_keyword = "directly before"
+ position_reference = "second"
+ vsys = "vsys1"
+ rule {
+ name = "first"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z1"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z1",
]
}
+ translated_packet {
+ destination {
+ static_translation {
+ address = "10.1.1.1"
+ port = 1234
}
}
+ source {
+ dynamic_ip_and_port {
+ interface_address {
+ interface = "ethernet1/6"
+ ip_address = "10.5.5.1/24"
}
}
}
}
}
}
# panos_zone.z1 will be created
+ resource "panos_zone" "z1" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z1"
+ vsys = "vsys1"
}
# panos_zone.z2 will be created
+ resource "panos_zone" "z2" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z2"
+ vsys = "vsys1"
}
# panos_zone.z3 will be created
+ resource "panos_zone" "z3" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z3"
+ vsys = "vsys1"
}
Plan: 6 to add, 0 to change, 0 to destroy.
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Note: You didn't use the -out option to save this plan, so Terraform can't guarantee to take exactly these actions if
you run "terraform apply" now.
[autouser@svrvm1 terraform]$
Here is the terraform apply and its errors:
[autouser@svrvm1 terraform]$ terraform apply --auto-approve
panos_panorama_service_object.service_object["TCP-44308"]: Refreshing state... [id=shared:TCP-44308]
panos_address_object.objects1["snet-ext-green"]: Refreshing state... [id=FW_POC_grp:snet-ext-green]
panos_address_object.objects1["snet-greenpreprd"]: Refreshing state... [id=FW_POC_grp:snet-greenpreprd]
panos_address_object.objects1["snet-appgw"]: Refreshing state... [id=FW_POC_grp:snet-appgw]
panos_address_object.objects1["nic-fw-amsaw-preprd-pa-001-untrust"]: Refreshing state... [id=FW_POC_grp:nic-fw-amsaw-preprd-pa-001-untrust]
panos_address_object.objects1["green-lb-preprd-frontend"]: Refreshing state... [id=FW_POC_grp:green-lb-preprd-frontend]
panos_panorama_static_route_ipv4.static_route["snet-greenprd"]: Refreshing state... [id=Templates_POC::VR-Trust:snet-greenprd]
panos_panorama_static_route_ipv4.static_route["snet-greenpreprd"]: Refreshing state... [id=Templates_POC::VR-Trust:snet-greenpreprd]
panos_security_policy.tfpostrule1: Refreshing state... [id=FW_POC_grp:post-rulebase:vsys1]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with
the following symbols:
+ create
Terraform will perform the following actions:
# panos_ethernet_interface.x will be created
+ resource "panos_ethernet_interface" "x" {
+ id = (known after apply)
+ mode = "layer3"
+ name = "ethernet1/6"
+ static_ips = [
+ "10.5.5.1/24",
]
+ vsys = "vsys1"
}
# panos_nat_rule_group.bot will be created
+ resource "panos_nat_rule_group" "bot" {
+ id = (known after apply)
+ vsys = "vsys1"
+ rule {
+ name = "second"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z3"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z2",
]
}
+ translated_packet {
+ destination {
+ static_translation {
+ address = "10.2.3.1"
+ port = 5678
}
}
+ source {
}
}
}
+ rule {
+ name = "third"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z2"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z3",
]
}
+ translated_packet {
+ destination {
}
+ source {
+ static_ip {
+ bi_directional = true
+ translated_address = "192.168.1.5"
}
}
}
}
}
# panos_nat_rule_group.top will be created
+ resource "panos_nat_rule_group" "top" {
+ id = (known after apply)
+ position_keyword = "directly before"
+ position_reference = "second"
+ vsys = "vsys1"
+ rule {
+ name = "first"
+ type = "ipv4"
+ uuid = (known after apply)
+ original_packet {
+ destination_addresses = [
+ "any",
]
+ destination_interface = "ethernet1/6"
+ destination_zone = "z1"
+ service = "any"
+ source_addresses = [
+ "any",
]
+ source_zones = [
+ "z1",
]
}
+ translated_packet {
+ destination {
+ static_translation {
+ address = "10.1.1.1"
+ port = 1234
}
}
+ source {
+ dynamic_ip_and_port {
+ interface_address {
+ interface = "ethernet1/6"
+ ip_address = "10.5.5.1/24"
}
}
}
}
}
}
# panos_zone.z1 will be created
+ resource "panos_zone" "z1" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z1"
+ vsys = "vsys1"
}
# panos_zone.z2 will be created
+ resource "panos_zone" "z2" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z2"
+ vsys = "vsys1"
}
# panos_zone.z3 will be created
+ resource "panos_zone" "z3" {
+ id = (known after apply)
+ interfaces = (known after apply)
+ mode = "layer3"
+ name = "z3"
+ vsys = "vsys1"
}
Plan: 6 to add, 0 to change, 0 to destroy.
panos_zone.z2: Creating...
panos_zone.z1: Creating...
panos_zone.z3: Creating...
panos_ethernet_interface.x: Creating...

│ Error: Request cancelled

│ with panos_ethernet_interface.x,
│ on main.tf line 160, in resource "panos_ethernet_interface" "x":
│ 160: resource "panos_ethernet_interface" "x" {

│ The plugin.(*GRPCProvider).ApplyResourceChange request was cancelled.


│ Error: tmpl or ts must be specified

│ with panos_zone.z1,
│ on main.tf line 167, in resource "panos_zone" "z1":
│ 167: resource "panos_zone" "z1" {



│ Error: tmpl or ts must be specified

│ with panos_zone.z2,
│ on main.tf line 172, in resource "panos_zone" "z2":
│ 172: resource "panos_zone" "z2" {



│ Error: tmpl or ts must be specified

│ with panos_zone.z3,
│ on main.tf line 177, in resource "panos_zone" "z3":
│ 177: resource "panos_zone" "z3" {


Stack trace from the terraform-provider-panos_v1.11.1 plugin:
panic: interface conversion: interface {} is *pango.Panorama, not *pango.Firewall
goroutine 31 [running]:
github.com/terraform-providers/terraform-provider-panos/panos.createEthernetInterface(0x11a59a0, {0x131bda0, 0xc00000a1e0})
github.com/terraform-providers/terraform-provider-panos/panos/resource_ethernet_interface.go:204 +0x2b7
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc00060d540, 0xc000ab0410, 0xc000b96500, {0x131bda0, 0xc00000a1e0})
github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc00004cb80, 0xc000ee3a68, 0x132fd4b, 0xf)
github.com/hashicorp/terraform-plugin-sdk@v1.17.2/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc00011ad20, {0xc000b5e2a0, 0x4b5646}, 0xc000b5e2a0)
github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x12e14c0, 0xc00011ad20}, {0x1572b90, 0xc000ed4e70}, 0xc000e8c360, 0x0)
github.com/hashicorp/terraform-plugin-sdk@v1.17.2/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc000357880, {0x1583bc0, 0xc000418600}, 0xc000d5a100, 0xc000ab24b0, 0x1d5c340, 0x0)
google.golang.org/grpc@v1.32.0/server.go:1194 +0xc8f
google.golang.org/grpc.(*Server).handleStream(0xc000357880, {0x1583bc0, 0xc000418600}, 0xc000d5a100, 0x0)
google.golang.org/grpc@v1.32.0/server.go:1517 +0xa2a
google.golang.org/grpc.(*Server).serveStreams.func1.2()
google.golang.org/grpc@v1.32.0/server.go:859 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
google.golang.org/grpc@v1.32.0/server.go:857 +0x294
Error: The terraform-provider-panos_v1.11.1 plugin crashed!
This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
[autouser@svrvm1 terraform]$

======================================================================
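The two apply errors above share one cause: the documentation example is a firewall configuration being applied to a Panorama. `panos_zone` stops with `tmpl or ts must be specified` because on Panorama a zone must belong to a template or template stack, and `panos_ethernet_interface` panics inside `createEthernetInterface` because that resource is firewall-only and casts the provider client to `*pango.Firewall` while the provider was connected to a `*pango.Panorama`. `terraform plan` cannot surface either problem, since neither check runs until the provider's create path is called during apply. Note also that the documentation link in the question is for the `migara/pan-os` fork, while the configuration pins `PaloAltoNetworks/panos` 1.11.1. The following is an added Panorama version of the example, not code from the original post or from the provider's documentation. It assumes a template named `Templates_POC` and a device group named `FW_POC_grp` (both names copied from the ids in the poster's plan output) already exist on Panorama, uses the Panorama-specific `panos_panorama_ethernet_interface` and `panos_panorama_nat_rule_group` resources, and passes `template` to `panos_zone`; verify the argument names against the registry page for the pinned provider version before relying on them.

```hcl
# Panorama connection details come from the environment (PANOS_HOSTNAME,
# PANOS_USERNAME and PANOS_PASSWORD, or PANOS_API_KEY) so no secret is
# committed alongside this file.
provider "panos" {}

# Assumed container names, copied from the ids in the poster's plan output.
# Both must already exist on Panorama; adjust to your own environment.
variable "template"     { default = "Templates_POC" }
variable "device_group" { default = "FW_POC_grp" }

# Interfaces and zones are template objects on Panorama, so each one names
# its template. panos_ethernet_interface is the firewall-only resource that
# panicked above; panos_panorama_ethernet_interface is the Panorama form.
resource "panos_panorama_ethernet_interface" "x" {
  template   = var.template
  name       = "ethernet1/6"
  mode       = "layer3"
  vsys       = "vsys1"
  static_ips = ["10.5.5.1/24"]
}

# `template` is what the "tmpl or ts must be specified" error was asking for.
resource "panos_zone" "z1" {
  template = var.template
  name     = "z1"
  mode     = "layer3"
}

resource "panos_zone" "z2" {
  template = var.template
  name     = "z2"
  mode     = "layer3"
}

# NAT rules are device-group objects, so the group is addressed by
# device_group and rulebase rather than by vsys.
resource "panos_panorama_nat_rule_group" "bot" {
  device_group = var.device_group
  rulebase     = "pre-rulebase"

  rule {
    name = "second"
    original_packet {
      source_zones          = [panos_zone.z2.name]
      destination_zone      = panos_zone.z1.name
      destination_interface = panos_panorama_ethernet_interface.x.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet {
      source {}
      destination {
        static_translation {
          address = "10.2.3.1"
          port    = 5678
        }
      }
    }
  }
}

# A second group placed directly before the first rule of "bot"; the
# reference to bot's rule name also makes Terraform create "bot" first.
resource "panos_panorama_nat_rule_group" "top" {
  device_group       = var.device_group
  rulebase           = "pre-rulebase"
  position_keyword   = "directly before"
  position_reference = panos_panorama_nat_rule_group.bot.rule[0].name

  rule {
    name = "first"
    original_packet {
      source_zones          = [panos_zone.z1.name]
      destination_zone      = panos_zone.z1.name
      destination_interface = panos_panorama_ethernet_interface.x.name
      source_addresses      = ["any"]
      destination_addresses = ["any"]
    }
    translated_packet {
      source {
        dynamic_ip_and_port {
          interface_address {
            interface  = panos_panorama_ethernet_interface.x.name
            ip_address = panos_panorama_ethernet_interface.x.static_ips[0]
          }
        }
      }
      destination {
        static_translation {
          address = "10.1.1.1"
          port    = 1234
        }
      }
    }
  }
}
```

After a successful apply the objects exist only in Panorama's candidate configuration: the provider does not commit, so a Panorama commit and a push to the template and device group are still required before the rules take effect. Run `terraform plan` once more afterwards; a clean "No changes" confirms that the provider's read path sees exactly what its create path wrote, which is the check that would have been missing had the firewall-only resources been silently accepted.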

1 Reply


Hi @ManojManoj, the best place to report this is on GitHub: https://github.com/PaloAltoNetworks/terraform-provider-panos/issues

Please check in the existing Issues if this has already been reported, and if it has not been reported, please create a new Issue.


Thank you 🙂
