panos_panorama_security_rule_group destination is invalid


Pflugfelder, Mike

Mar 10, 2021, 5:56:31 PM

I'm trying to add a new security rule group, and when I do, I'm getting an error "destination is invalid".


Looking at Objects > Addresses, I see the address that I want to use. I've copied the text directly from Panorama and pasted it into Terraform. I'm trying to create the security rule group in the same device group as the address object.


I don't know what I'm missing here, and I'm not quite sure where else to go to look for help.


I'm using Terraform v0.14.5 and my provider is v1.8.0.


Here is the sanitized terraform resource:

resource "panos_panorama_security_rule_group" "test" {
  device_group = "NON-Production_Environment"

  rule {
    name                  = "test-${var.env}"
    tags                  = ["Terraform"]
    source_zones          = ["DMZ"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["SVC"]
    destination_addresses = ["xxxxxx"]
    applications          = ["any"]
    services = [
      # service list missing from the post as archived
    ]
    categories  = ["any"]
    action      = "allow"
    log_setting = "Panorama"
  }
}




Here is my error


Error:  NON-Production_Environment -> pre-rulebase -> security -> rules -> test -> destination is invalid


  on line 21, in resource "panos_panorama_security_rule_group" "test":

  21: resource "panos_panorama_security_rule_group" "test" {


Adrian Bool

Mar 13, 2021, 9:05:53 AM
to Terraform

Hi Charles,

Could it be that the firewall is not accepting the content of your destination_addresses parameter — perhaps a typo in the string (e.g. comma in place of a dot) or maybe you're referencing the name of an address object that has not been defined?

Note that if you're also creating your address objects in Terraform, but referring to the address object's names as strings in your destination_addresses parameter, then Terraform doesn't know about that dependency and could be trying to create the rule before the address.  To remove this issue, reference the Terraform objects instead.  Something like:

        destination_addresses = [ panos_address_object.my_address_1.name, panos_address_object.my_address_2.name ]

(Same applies to your zones etc.)



On Wednesday, March 10, 2021 at 10:56:31 PM UTC wrote:

    destination_addresses = ["xxxxxx"]

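The dependency issue raised in the reply above, as an added example that is not part of the original thread or either poster's configuration. The address object name `svc-app-01`, its value, the resource label `svc_app` and the `application-default` service are assumptions; the device group, zones and remaining rule settings are taken from the question, and the Panorama-scoped resource type `panos_panorama_address_object` is used so the object lands in the same device group as the rule.

```hcl
# Added example; object name, value and resource labels are constructed.
variable "env" {
  type = string
}

# Address object created in the same device group as the rule.
resource "panos_panorama_address_object" "svc_app" {
  device_group = "NON-Production_Environment"
  name         = "svc-app-01"    # constructed name
  value        = "192.0.2.10/32" # constructed value (documentation range)
}

resource "panos_panorama_security_rule_group" "test" {
  device_group = "NON-Production_Environment"

  rule {
    name              = "test-${var.env}"
    source_zones      = ["DMZ"]
    source_addresses  = ["any"]
    source_users      = ["any"]
    hip_profiles      = ["any"]
    destination_zones = ["SVC"]

    # Fragile: a bare string creates no dependency edge, so Terraform may
    # push the rule before the address object exists, and Panorama then
    # rejects the rule because the name does not resolve.
    # destination_addresses = ["svc-app-01"]

    # Robust: referencing the .name attribute yields the same string but
    # makes Terraform create the address object first.
    destination_addresses = [panos_panorama_address_object.svc_app.name]

    applications = ["any"]
    services     = ["application-default"] # assumption; the post's list is missing
    categories   = ["any"]
    action       = "allow"
  }
}
```

If the address object is managed outside Terraform, a string literal is the only option, and it must match the object name exactly and be visible from the rule's device group.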