topic Re: Terraform - Unable to create Security Policy in Automation/API Discussions

Terraform - Unable to create Security Policy

Ajene — Thu, 27 Oct 2022 21:29:06 GMT

I'm using Terraform to deploy configurations on a VM-50 series virtual Palo Alto Firewall appliance. I have a problem when it comes to deploying a security policy using panos_security_policy. Essentially, the policies never create and the Terraform command status stays on 'Still Creating...'. Is there a known issue with using Terraform to create security policies? If not, how do I troubleshoot this? Thanks in advance.

Please note you are posting a public message where community members and experts can provide assistance. Sharing private information such as serial numbers or company information is not recommended.

Re: Terraform - Unable to create Security Policy

gfreeman — Thu, 27 Oct 2022 23:23:54 GMT

Depending on how many rules are in your policy, it could take a while, yes. After creating all the security rules, it has to adjust the placement of each rule to ensure that they are placed where they need to be.

If you want to see what's going on, you can always tell Terraform to show you debug output using the TF_LOG environment variable so you can see what the provider is sending and receiving with regards to PAN-OS:

TF_LOG=debug terraform apply 2>&1 | tee out.log

Then you can view the "out.log" file afterwards to see the API calls and what's happening.

You'll also need to configure the provider to output both "send" and "receive" within your provider configuration block:

provider "panos" { # ...other config options here logging = [ "send", "receive", "action", "query", "op", ] }

Re: Terraform - Unable to create Security Policy

Ajene — Fri, 28 Oct 2022 00:17:25 GMT

Thanks for the reply, I'll try out the logging. Although the screenshot I shared has 8 minutes. I've let it run for over 2 hours! It just seems stuck. And, I'm only attempting to create a simple rule. For example:

resource "panos_security_policy" "server" { rule { name = "server" audit_comment = "Terraform" source_zones = ["any"] source_addresses = ["any"] source_users = ["any"] hip_profiles = ["any"] destination_zones = ["any"] destination_addresses = ["any"] applications = ["any"] services = ["application-default"] categories = ["any"] action = "allow" } lifecycle { create_before_destroy = true } }

While I'll try the logging, I'm not sure how I'll be able to use that information to actually fix the issue. Everything else I've tried to create works fine. It seems fundamental to how Terraform is interacting with the PA api.

Re: Terraform - Unable to create Security Policy

gfreeman — Fri, 28 Oct 2022 00:29:23 GMT

That hip_profiles param might be causing issues, depending on which version of PAN-OS you're running. It was removed in PAN-OS v10.1.5. I'd recommend leaving it unspecified and trying terraform apply again.

Re: Terraform - Unable to create Security Policy

Ajene — Fri, 28 Oct 2022 00:47:53 GMT

After enabling the logging, I was able to see that the issue was indeed the fact that I had an argument that was throwing an error. Once I removed it, the security policy created successfully, rapidly.

The argument that cause me an issue is:

hip_profiles = ["any"]

Which is strange because it is used in the example block on the Terraform Registry site for the Palo Alto provider. Either way, thank you so much for your help. Your advice was spot on. I learned a lot!! Thanks again!!!

Re: Terraform - Unable to create Security Policy

AdrianTotilaz1 — Mon, 02 Jan 2023 21:32:31 GMT

this was the case for me as well, PAN OS version 10.2.2-h2, terraform panos provder is 1.11.0. Omitting hip_profile solved the issue. Thank you!