Terraform - Unable to create Security Policy


L0 Member

I'm using Terraform to deploy configurations on a VM-50 series virtual Palo Alto Firewall appliance.  I have a problem when it comes to deploying a security policy using panos_security_policy.  Essentially, the policies never create and the Terraform command status stays on 'Still Creating...'.  Is there a known issue with using Terraform to create security policies?  If not, how do I troubleshoot this?  Thanks in advance.




Accepted Solutions

L5 Sessionator

Depending on how many rules are in your policy, it could take a while, yes.  After creating all the security rules, it has to adjust the placement of each rule to ensure that they are placed where they need to be.

 

If you want to see what's going on, you can always tell Terraform to show you debug output using the TF_LOG environment variable so you can see what the provider is sending and receiving with regards to PAN-OS:

 

TF_LOG=debug terraform apply 2>&1 | tee out.log

 

Then you can view the "out.log" file afterwards to see the API calls and what's happening.

 

You'll also need to configure the provider to output both "send" and "receive" within your provider configuration block:

 

provider "panos" {
    # ...other config options here
    logging = [
        "send",
        "receive",
        "action",
        "query",
        "op",
    ]
}

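The debug run suggested above produces a large log, and the useful part of it is the handful of PAN-OS XML API responses with status="error". The script below is an added example for this thread, not code from the thread or from the panos provider: it scans a TF_LOG=debug log for PAN-OS error envelopes and pairs each one with the most recent xpath= parameter seen before it, so the failing rule element is easy to spot. It assumes that, with "send"/"receive" logging enabled, the provider writes the raw XML API request and response text into the debug output; the PAN-OS envelope format (<response status="error" code="..."><msg>...</msg></response>) is the API's documented shape, but the log-line prefixes, message texts and the script name are constructed for illustration.

```python
"""Pull PAN-OS XML API error responses out of a TF_LOG=debug Terraform log.

Added example, not code from the thread or the panos provider. Assumption: with
"send"/"receive" logging enabled the provider writes the raw XML API request and
response text into the debug output, so the PAN-OS envelope
<response status="error" code="..."><msg>...</msg></response> can be found with a
regex. The prefixes and message texts in SAMPLE_LOG are constructed, not captured.

Usage (script name is hypothetical):
    TF_LOG=debug terraform apply 2>&1 | tee out.log
    python3 panos_log_errors.py out.log
"""
import bisect
import html
import re
import sys
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample of what a debug run might contain. Only the <response>
# envelopes follow the real PAN-OS XML API format; everything else is made up.
SAMPLE_LOG = """\
2024-01-01T10:00:00Z [DEBUG] provider.terraform-provider-panos: received: <response status="success" code="20"><msg>command succeeded</msg></response>
2024-01-01T10:00:01Z [DEBUG] provider.terraform-provider-panos: sending: type=config&action=set&xpath=/config/devices/entry[@name='localhost.localdomain']/vsys/entry[@name='vsys1']/rulebase/security/rules/entry[@name='server']
2024-01-01T10:00:02Z [DEBUG] provider.terraform-provider-panos: received: <response status="error" code="12"><msg><line>hip-profiles unexpected here</line></msg></response>
2024-01-01T10:00:03Z [DEBUG] provider.terraform-provider-panos: received: <response status="error" code="7"><msg>Object doesn't exist</msg></response>
"""

RESPONSE_RE = re.compile(
    r'<response\s+status="(?P<status>[^"]*)"(?:\s+code="(?P<code>[^"]*)")?[^>]*>'
    r"(?P<body>.*?)</response>",
    re.DOTALL,  # an envelope may be pretty-printed across several lines
)
XPATH_RE = re.compile(r"xpath=([^&\s]+)")  # XML API requests name their target node in xpath=
TAG_RE = re.compile(r"<[^>]+>")


@dataclass
class ApiError:
    line_no: int          # log line on which the envelope starts
    code: str             # PAN-OS response code attribute, "?" if absent
    message: str          # <msg> text with inner tags such as <line> stripped
    xpath: Optional[str]  # most recent xpath= seen before the response, if any


def _inner_text(fragment: str) -> str:
    """Strip child tags and collapse whitespace inside a <msg> body."""
    return html.unescape(re.sub(r"\s+", " ", TAG_RE.sub(" ", fragment))).strip()


def find_api_errors(log_text: str) -> List[ApiError]:
    """Return every non-success <response> envelope, paired with the last request xpath."""
    # Byte offsets of xpath= parameters, so each error can be tied to the request
    # that most likely produced it (a heuristic; the provider may interleave calls).
    xpath_hits = [(m.start(), html.unescape(m.group(1))) for m in XPATH_RE.finditer(log_text)]
    xpath_pos = [pos for pos, _ in xpath_hits]

    errors: List[ApiError] = []
    for m in RESPONSE_RE.finditer(log_text):
        if m.group("status") == "success":
            continue  # "error" and "unauth" are the cases worth reporting
        i = bisect.bisect_left(xpath_pos, m.start()) - 1
        errors.append(ApiError(
            line_no=log_text.count("\n", 0, m.start()) + 1,
            code=m.group("code") or "?",
            message=_inner_text(m.group("body")),
            xpath=xpath_hits[i][1] if i >= 0 else None,
        ))
    return errors


def format_report(errors: List[ApiError]) -> str:
    """Human-readable summary of the errors found."""
    if not errors:
        return "no PAN-OS API error responses found"
    lines = [f"{len(errors)} PAN-OS API error response(s):"]
    for e in errors:
        lines.append(f"  line {e.line_no}: code {e.code}: {e.message}")
        if e.xpath:
            lines.append(f"    request xpath: {e.xpath}")
    return "\n".join(lines)


if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG  # constructed sample, for a dry run
    print(format_report(find_api_errors(text)))
```

Run it against the out.log from the command above; anything it reports with a code and a rulebase xpath is the request the provider keeps retrying while Terraform sits on "Still creating...". If it reports nothing, the provider is not logging the response bodies and the logging list in the provider block should be checked first.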

5 REPLIES


Thanks for the reply, I'll try out the logging.  Although the screenshot I shared has 8 minutes.  I've let it run for over 2 hours!  It just seems stuck.  And, I'm only attempting to create a simple rule.  For example:

resource "panos_security_policy" "server" {
    rule {
        name = "server"
        audit_comment = "Terraform"
        source_zones = ["any"]
        source_addresses = ["any"]
        source_users = ["any"]
        hip_profiles = ["any"]
        destination_zones = ["any"]
        destination_addresses = ["any"]
        applications = ["any"]
        services = ["application-default"]
        categories = ["any"]
        action = "allow"
    }
    lifecycle {
        create_before_destroy = true
    }
}

 

While I'll try the logging, I'm not sure how I'll be able to use that information to actually fix the issue.  Everything else I've tried to create works fine.  It seems fundamental to how Terraform is interacting with the PA API.

That hip_profiles param might be causing issues, depending on which version of PAN-OS you're running.  It was removed in PAN-OS v10.1.5.  I'd recommend leaving it unspecified and trying terraform apply again.

After enabling the logging, I was able to see that the issue was indeed the fact that I had an argument that was throwing an error.  Once I removed it, the security policy created successfully, rapidly.  

 

The argument that caused me an issue is:

hip_profiles = ["any"]

Which is strange because it is used in the example block on the Terraform Registry site for the Palo Alto provider.  Either way, thank you so much for your help.  Your advice was spot on.  I learned a lot!!  Thanks again!!!

This was the case for me as well: PAN-OS version 10.2.2-h2, Terraform panos provider is 1.11.0. Omitting hip_profiles solved the issue. Thank you!
