10-27-2022 02:29 PM
I'm using Terraform to deploy configurations on a VM-50 series virtual Palo Alto Firewall appliance. I have a problem when it comes to deploying a security policy using panos_security_policy. Essentially, the policies never create and the Terraform command status stays on 'Still Creating...'. Is there a known issue with using Terraform to create security policies? If not, how do I troubleshoot this? Thanks in advance.
10-27-2022 04:23 PM
Depending on how many rules are in your policy, it could take a while, yes. After creating all the security rules, it has to adjust the placement of each rule to ensure that they are placed where they need to be.
If you want to see what's going on, you can always tell Terraform to show you debug output using the TF_LOG environment variable so you can see what the provider is sending and receiving with regards to PAN-OS:
TF_LOG=debug terraform apply 2>&1 | tee out.log
Then you can view the "out.log" file afterwards to see the API calls and what's happening.
You'll also need to configure the provider to output both "send" and "receive" within your provider configuration block:
provider "panos" {
  # ...other config options here
  logging = [
    "send",
    "receive",
    "action",
    "query",
    "op",
  ]
}
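The debug log produced by the TF_LOG command above can run to thousands of lines, and the useful signal is the PAN-OS XML API responses the provider logs under "receive". The script below is an added example (not code from this thread or from the panos provider) that scans such a log for responses whose status is "error" and reports the error code, message and log line number. The sample log lines are constructed: the exact line prefix the provider emits is an assumption, so the scanner keys only on the PAN-OS XML API <response> element itself, and the error message text is a placeholder rather than what PAN-OS actually returned in this thread.

```python
"""Scan a Terraform debug log (TF_LOG=debug terraform apply 2>&1 | tee out.log)
for PAN-OS XML API responses with status="error".

Added example, not the panos provider's own code. The log lines in SAMPLE_LOG
are constructed; only the <response status=".." code=".."><msg>..</msg></response>
shape is the documented PAN-OS XML API response format.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Matches one complete <response ...>...</response> element embedded in a log line.
RESPONSE_RE = re.compile(r"<response\b.*?</response>", re.DOTALL)

# CONSTRUCTED sample: two config "set" calls, the second rejected by PAN-OS.
# The "[DEBUG] provider.terraform-provider-panos..." prefix is an assumption.
SAMPLE_LOG = """\
2022-10-27T17:40:01.000-0400 [DEBUG] provider.terraform-provider-panos_v1.11.0: panos: send: type=config&action=set&xpath=/config/devices/entry/vsys/entry/rulebase/security/rules
2022-10-27T17:40:01.200-0400 [DEBUG] provider.terraform-provider-panos_v1.11.0: panos: receive: <response status="success" code="20"><msg>command succeeded</msg></response>
2022-10-27T17:40:02.000-0400 [DEBUG] provider.terraform-provider-panos_v1.11.0: panos: send: type=config&action=set&xpath=/config/devices/entry/vsys/entry/rulebase/security/rules
2022-10-27T17:40:02.300-0400 [DEBUG] provider.terraform-provider-panos_v1.11.0: panos: receive: <response status="error" code="12"><msg><line>hip-profiles unexpected here (constructed sample message)</line></msg></response>
"""


def find_api_errors(log_text: str) -> list:
    """Return one record per PAN-OS API error response found in log_text.

    Each record: {"line": <1-based log line>, "code": <PAN-OS code or None>,
                  "message": <joined <line>/<msg> text>}.
    """
    errors = []
    for lineno, line in enumerate(log_text.splitlines(), start=1):
        for match in RESPONSE_RE.finditer(line):
            try:
                root = ET.fromstring(match.group(0))
            except ET.ParseError:
                continue  # truncated or mangled element; skip it
            if root.get("status") != "error":
                continue
            # PAN-OS wraps multi-line messages in <msg><line>..</line></msg>,
            # short ones directly in <msg>text</msg>; handle both.
            lines = [el.text.strip() for el in root.iter("line") if el.text]
            msg_el = root.find("msg")
            if not lines and msg_el is not None and msg_el.text:
                lines = [msg_el.text.strip()]
            errors.append({"line": lineno, "code": root.get("code"), "message": " ".join(lines)})
    return errors


def main(argv: list) -> int:
    """Scan the file named on the command line, or SAMPLE_LOG if none is given."""
    if len(argv) > 1:
        with open(argv[1], encoding="utf-8", errors="replace") as fh:
            text = fh.read()
    else:
        text = SAMPLE_LOG
    errors = find_api_errors(text)
    for err in errors:
        print(f"log line {err['line']}: PAN-OS error code={err['code']}: {err['message']}")
    if not errors:
        print("no PAN-OS API error responses found")
    return 1 if errors else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_panos_log.py out.log` after a hung apply; the first error response it reports points at the API call PAN-OS rejected, which in this thread's case was the rule containing an attribute the firewall's PAN-OS version no longer accepts.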
10-27-2022 05:17 PM
Thanks for the reply, I'll try out the logging. Although the screenshot I shared has 8 minutes. I've let it run for over 2 hours! It just seems stuck. And, I'm only attempting to create a simple rule. For example:
resource "panos_security_policy" "server" {
  rule {
    name                  = "server"
    audit_comment         = "Terraform"
    source_zones          = ["any"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["any"]
    destination_addresses = ["any"]
    applications          = ["any"]
    services              = ["application-default"]
    categories            = ["any"]
    action                = "allow"
  }
  lifecycle {
    create_before_destroy = true
  }
}
While I'll try the logging, I'm not sure how I'll be able to use that information to actually fix the issue. Everything else I've tried to create works fine. It seems fundamental to how Terraform is interacting with the PA API.
10-27-2022 05:29 PM
That hip_profiles param might be causing issues, depending on which version of PAN-OS you're running. It was removed in PAN-OS v10.1.5. I'd recommend leaving it unspecified and trying terraform apply again.
10-27-2022 05:47 PM
After enabling the logging, I was able to see that the issue was indeed the fact that I had an argument that was throwing an error. Once I removed it, the security policy created successfully, rapidly.
The argument that caused me an issue is:
hip_profiles = ["any"]
Which is strange because it is used in the example block on the Terraform Registry site for the Palo Alto provider. Either way, thank you so much for your help. Your advice was spot on. I learned a lot!! Thanks again!!!
01-02-2023 01:32 PM
This was the case for me as well: PAN-OS version 10.2.2-h2, Terraform panos provider 1.11.0. Omitting hip_profiles solved the issue. Thank you!