About gfreeman

Yes, this is possible I think, and the modification that I think might go in before the provider is officially released.   Right now the polling for commit verification is in the Read stage of the provider.  If that is also moved into the Create and Update steps, then the resource ensures that the commit must succeed or else the resource will error out.  Then, when specifying the rulestack in the cloudngfwaws_ngfw resource, you reference the rulestack from the cloudngfwaws_commit_rulestack resource to create the dependency.   You'll still need two terraform directories, I think...  Otherwise users will need to manually build up an explicit depends_on and put that inside the cloudngfwaws_commit_rulestack definition, and that won't get fun once there's even a couple hundred resources per rulestack, much less thousands. ... View more

That's fair, the way it is now you have to check the status manually and then conditionally launch the 3rd directory's terraform apply .  This is why I said that it's possible that the cloudngfwaws_commit_rulestack resource could change between now and launch to error on commit failure, so that you could at least pair the cloudngfwaws_ngfw resources in the same plan file as the commit.  This would get the workflow down from three directories to two directories....   But because of the commit, there really isn't a way to have the commit be in the same plan file as the rulestack configuration. ... View more

This feels like TAC territory again to me...  You are in a situation where even using the GUI is not working / allowing you to recover.   The AWS config I am honestly not very familiar with, so I won't be able to provide useful feedback on that part of it, sorry..   But to double back on what I was saying before:  you'll want to have 3 separate directories for your Terraform config:   dir1) All the code that defines both the rulestack and its contents (prefix lists, intelligent feeds, etc) dir2) cloudngfwaws_commit_rulestack only dir3) All your cloudngfwaws_ngfw instances   -- Edit --   Forgot to mention:  and you only run the Dir3 terraform code if the commit shows as successfully committed from Dir2 (check using terraform show ).  Currently the cloudngfwaws_commit_rulestack only returns an error if issuing the commit command fails, not if the commit itself fails.  It's possible that this will change before the provider exits beta, but this is the current implementation. ... View more

...huh.  Is the rulestack associated with a NGFW which you've spun up?  If so, you might have to bring down / delete that NGFW before you can delete the rulestack. ... View more

Actually, I've only seen SUCCESS / FAILURE / PENDING, I've not seen PrecommitDone before.  If you do terraform refresh / terraform show , is it showing that the cloudngfwaws_commit_rulestack.(terraform_name).CommitStatus is PrecommitDone...?? ... View more

You shouldn't have cloudngfwaws_commit_rulestack in the same plan file as cloudngfwaws_rulestack , this is called out in the docs.  This is because of the order of operations that Terraform does things in, there will always be, what is referred to in Terraform, as "configuration drift."  Commit rulestack needs to be in its own plan file, but can be paired with other commit rulestack operations.   The commit rulestack resource has 15min set as the timeout, so I don't know why it timed out after 5min...?  I've also not encountered PrecommitDone sticking around for a long time, but I suspect at this point it is no longer in this state..? ... View more

I keep forgetting how golang treats XML and JSON is not the same.  Ok, this should be fixed now, just re-pull and SDK and the provider.  I added NGFW tagging and rulestack tagging last night.   Awesome to hear it's working for you! ... View more

I can't share my config, unfortunately.....  But I'm glad that you can engage TAC for figuring out API access. ... View more

Oh sorry, another thing:  I just noticed that in your error message, the ARN looks different from mine, but there's enough stuff going on that I don't know if this is a result of how the AWS SDK formats things or not.  And looking back, it does seem like you're using the ARN of the IAM role, but I just wanted to make sure...  The ARN that I specify in the provider configure block looks like this, just wanted to be certain that's what yours looks like also (I was using two different ARNs instead of a single one):   provider "cloudngfwaws" { lfa_arn = "arn:aws:iam::<number>:role/CloudNGFWFirewallAdmin1" lra_arn = "arn:aws:iam::<number>:role/CloudNgfwRuleStackAdmin" #.... other params }       ... View more

OK, two things:   First is that I think the value of the tag is the important bit, not the key name.  In my setup, the keys are actually named "CloudNGFWFirewallAdmin1" and "CloudNgfwRulestackAdmin".  Try setting the values to the values mentioned in the 2nd link I provided and see if that changes the result.   Second, since you are essentially stuck at, "I'm trying to enable API access," this is fully supported TAC territory.  If you have a support contract with Palo Alto Networks in place, then I'd encourage you to reach out to TAC for help.  The Terraform provider is unreleased currently and should otherwise be considered beta code, but enabling API access has nothing to do with the provider. ... View more

Looking at that response, it seems like something is misconfigured with your AWS setup.   Found some other documentation and this does actually have the updated role tags that I mentioned above, so maybe there's something in here that's the answer..? https://pan.dev/cloudngfw/aws/api   ... View more

I have been told that the docs are wrong with regards to the tags needed for the role created in AWS.  Change the tags as follows:   CloudFirewallAdmin > CloudNGFWFirewallAdmin CloudRulestackAdmin > CloudNGFWRulestackAdmin ... View more

Run terraform apply with logging enabled, it might have more information: TF_LOG=debug terraform apply ... View more

The password hash has to be created using the function:   https://pan-os-python.readthedocs.io/en/latest/module-device.html#panos.device.Administrator.change_password   Alternatively, you can use this to create the password and use the value returned as the panos.device.Administrator.password_hash value:   https://pan-os-python.readthedocs.io/en/latest/module-base.html#panos.base.PanDevice.request_password_hash   ... View more