panos_panorama_security_rule_group destination is invalid


Pflugfelder, Mike

Mar 10, 2021, 5:56:31 PM3/10/21
to terrafo...@googlegroups.com

I'm trying to add a new security rule group, and when I do, I'm getting an error "destination is invalid".

Looking at Objects > Addresses, I see the address that I want to use.  I've copied the text directly from Panorama and pasted it in Terraform.  I'm trying to create the security rule group in the same device group as the address object.

I don't know what I'm missing here, and I'm not quite sure where else to go to look for help.

I'm using Terraform v0.14.5 and my provider is registry.terraform.io/paloaltonetworks/panos v1.8.0

Here is the sanitized Terraform resource:

resource "panos_panorama_security_rule_group" "test" {
  device_group = "NON-Production_Environment"

  rule {
    name                  = "test-${var.env}"
    tags                  = ["Terraform"]
    source_zones          = ["DMZ"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["SVC"]
    destination_addresses = ["xxxxxx"]
    applications          = ["any"]
    services = [
      "tcp-12443",
      "tcp-13443"
    ]

    categories  = ["any"]
    action      = "allow"
    log_setting = "Panorama"
  }
}

Here is my error:

Error:  NON-Production_Environment -> pre-rulebase -> security -> rules -> test -> destination is invalid

  on firewall_sec_rules.tf line 21, in resource "panos_panorama_security_rule_group" "test":
  21: resource "panos_panorama_security_rule_group" "test" {


Adrian Bool

Mar 13, 2021, 9:05:53 AM3/13/21
to Terraform

Hi Charles,

Could it be that the firewall is not accepting the content of your destination_addresses parameter — perhaps a typo in the string (e.g. comma in place of a dot) or maybe you're referencing the name of an address object that has not been defined?

Note that if you're also creating your address objects in Terraform, but referring to the address object's names as strings in your destination_addresses parameter, then Terraform doesn't know about that dependency and could be trying to create the rule before the address.  To remove this issue, reference the Terraform objects instead.  Something like:

        destination_addresses = [ panos_address_object.my_address_1.name, panos_address_object.my_address_2.name ]

(Same applies to your zones etc.)

Cheers,

aid

On Wednesday, March 10, 2021 at 10:56:31 PM UTC charlespf...@adt.com wrote:

    destination_addresses = ["xxxxxx"]
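The fix the reply describes, written out as a complete configuration: this is an added example, not the poster's or the provider's own code, and the object name, IP value and zone names are assumed placeholders. The address object is created in the same device group as the rule, and the rule references its `name` attribute so Terraform orders the two resources and the string can never drift from the object it points at.

```hcl
# Added example: address object and rule group in the same device group.
# Values below (name, IP, zones) are constructed placeholders.

resource "panos_address_object" "svc_host" {
  device_group = "NON-Production_Environment"   # must match the rule's device group
  name         = "svc-host-${var.env}"
  type         = "ip-netmask"
  value        = "10.0.0.10/32"                 # constructed sample value
  description  = "Managed by Terraform"
}

resource "panos_panorama_security_rule_group" "test" {
  device_group = "NON-Production_Environment"

  rule {
    name                  = "test-${var.env}"
    tags                  = ["Terraform"]
    source_zones          = ["DMZ"]
    source_addresses      = ["any"]
    source_users          = ["any"]
    hip_profiles          = ["any"]
    destination_zones     = ["SVC"]
    # Attribute reference instead of a bare string: Terraform now sees the
    # dependency and creates the address object before the rule, and a typo
    # in the object name becomes a plan-time error rather than a Panorama
    # "destination is invalid" rejection at apply time.
    destination_addresses = [panos_address_object.svc_host.name]
    applications          = ["any"]
    services              = ["tcp-12443", "tcp-13443"]
    categories            = ["any"]
    action                = "allow"
    log_setting           = "Panorama"
  }
}
```

If the address object is managed outside Terraform, the same check still applies by hand: the name in `destination_addresses` must exist in that device group (or in Shared) before the rule is pushed.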
