
terraform-templates's Introduction

PaloAltoNetworks Repository of Terraform Templates to Secure Workloads on AWS and Azure

This repository contains Terraform templates to deploy 3-tier and 2-tier applications along with the PaloAltoNetworks Firewall on cloud platforms such as AWS and Azure.

These templates follow best-practice guidelines for deploying workloads on public cloud platforms and for securing those workloads with the PaloAltoNetworks VM-Series Firewall.

Note: Each of the sub repos contains a README with instructions on usage and deployment.

This repo contains the following sub repositories:

  • aws_elb_autoscale

    • Deploy a 3-tier application
    • Deploy an External Load Balancer that sits in front of the PAN FWs
    • Deploy the PAN FWs into an auto scale group
    • Deploy an Internal Load Balancer that sits behind the PAN FWs and fronts the web tier
    • Deploy the Lambda functions that configure the PAN FWs
  • aws_two_tier_no_bootstrap_with_ansible

    • Deploy a two-tier application
    • Deploy the Web instances into a secure subnet
    • Deploy the PAN FW with interfaces on the untrust, trust and management subnets
    • Deploy an application on the backend trust subnets
    • Configure the VM-Series with Ansible
    • Ansible is invoked directly from Terraform
  • aws_two_tier

    • Deploy a two-tier application
    • Deploy the Web instances into a secure subnet
    • Deploy the PAN FW with interfaces on the untrust, trust and management subnets
  • azure_two_tier_sample

    • Deploy a two-tier application
    • Deploy the Web instances into a secure subnet
    • Deploy the PAN FW with interfaces on the untrust, trust and management subnets
  • Automated Terraform & Ansible One-click deployment for AWS and Azure

    Terraform and Ansible Docker Container README

Support:

These templates are released under an as-is, best-effort support policy. These scripts should be seen as community supported, and Palo Alto Networks will contribute our expertise as and when possible. We do not provide technical support or help in using or troubleshooting the components of the project through our normal support options such as Palo Alto Networks support teams, ASC (Authorized Support Centers) partners, or backline support options. The underlying product used by the scripts or templates (the VM-Series firewall) is still supported, but that support covers only the product functionality, not help in deploying or using the template or script itself. Unless explicitly tagged, all projects or work posted in our GitHub repository (at https://github.com/PaloAltoNetworks) or on sites other than our official Downloads page at https://support.paloaltonetworks.com are provided under the best-effort policy.

terraform-templates's People

Contributors

akingscote, gteshome, gunjan5, ivanbojer, vinayvenkat


terraform-templates's Issues

one-click-aws throwing error: HTTP/1.1 403 Invalid Credential

Hi

I have used one-click-aws to spin up a multi-tier deployment in AWS and I'm not able to log in to the PAN-OS firewall; it says invalid credentials. I ended up with the log below.

null_resource.check_fw_ready (local-exec): > GET /api/?type=op&cmd=&key=LUFRPT10VGJKTEV6a0R4L1JXd0ZmbmNvdUEwa25wMlU9d0N5d292d2FXNXBBeEFBUW5pV2xoZz09 HTTP/1.1
null_resource.check_fw_ready (local-exec): > User-Agent: curl/7.29.0
null_resource.check_fw_ready (local-exec): > Host: 52.70.227.127
null_resource.check_fw_ready (local-exec): > Accept: /
null_resource.check_fw_ready (local-exec): >
null_resource.check_fw_ready (local-exec): < HTTP/1.1 403 Invalid Credential
null_resource.check_fw_ready (local-exec): < Date: Wed, 22 Jul 2020 11:31:17 GMT
null_resource.check_fw_ready (local-exec): < Content-Type: application/xml; charset=UTF-8
null_resource.check_fw_ready (local-exec): < Content-Length: 97
null_resource.check_fw_ready (local-exec): < Connection: keep-alive
null_resource.check_fw_ready (local-exec): < X-FRAME-OPTIONS: SAMEORIGIN
null_resource.check_fw_ready (local-exec): < X-XSS-Protection: 1; mode=block
null_resource.check_fw_ready (local-exec): < X-Content-Type-Options: nosniff
null_resource.check_fw_ready (local-exec): < Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-eval' 'unsafe-inline'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
null_resource.check_fw_ready (local-exec): < Strict-Transport-Security: max-age=31536000
null_resource.check_fw_ready (local-exec): < Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
null_resource.check_fw_ready (local-exec): < Expires: Thu, 19 Nov 1981 08:52:00 GMT
null_resource.check_fw_ready (local-exec): < Pragma: no-cache
null_resource.check_fw_ready (local-exec): < Set-Cookie: PHPSESSID=ae15918469f0eeb738eb2fd211d7eee6; path=/; secure; HttpOnly
null_resource.check_fw_ready (local-exec): < Status: 403 Invalid Credential
null_resource.check_fw_ready (local-exec): <
null_resource.check_fw_ready (local-exec): { [data not shown]
null_resource.check_fw_ready (local-exec): * Connection #0 to host 52.70.227.127 left intact
null_resource.check_fw_ready: Still creating... (38m30s elapsed)

Also, I have tried the script ./configure_firewall.sh and found that this is where it is failing.

PLAY [localhost] ****************************************************************************************************************************************

TASK [PaloAltoNetworks.paloaltonetworks : pip] **********************************************************************************************************
ok: [localhost]

TASK [PaloAltoNetworks.paloaltonetworks : pip] **********************************************************************************************************
ok: [localhost]

TASK [PaloAltoNetworks.paloaltonetworks : pip] **********************************************************************************************************
ok: [localhost]

TASK [create a global service for TCP 221] **************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: pandevice.errors.PanURLError: URLError: code: 403 reason: Invalid Credential
fatal: [localhost]: FAILED! => {"changed": false, "failed": true, "module_stderr": "Traceback (most recent call last):\n File "/tmp/ansible_hfxXfF/ansible_module_panos_object.py", line 452, in \n main()\n File "/tmp/ansible_hfxXfF/ansible_module_panos_object.py", line 332, in main\n device = base.PanDevice.create_from_device(ip_address, username, password, api_key=api_key)\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2725, in create_from_device\n system_info = device.refresh_system_info()\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 3135, in refresh_system_info\n system_info = self.show_system_info()\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 3092, in show_system_info\n root = self.xapi.op(cmd="show system info", cmd_xml=True)\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2956, in xapi\n self._xapi_private = self.generate_xapi()\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2998, in generate_xapi\n kwargs = {'api_key': self.api_key,\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2950, in api_key\n self._api_key = self._retrieve_api_key()\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 3085, in _retrieve_api_key\n xapi.keygen(retry_on_peer=False)\n File "/usr/lib/python2.7/site-packages/pandevice/base.py", line 2851, in method\n raise the_exception\npandevice.errors.PanURLError: URLError: code: 403 reason: Invalid Credential\n", "module_stdout": "", "msg": "MODULE FAILURE", "rc": 0}
to retry, use: --limit @/home/ansible-pan/ansible-playbooks/one_click_multicloud/one_click_aws.retry

PLAY RECAP **********************************************************************************************************************************************
localhost : ok=3 changed=0 unreachable=0 failed=1

Can someone help me to fix this?

Thanks

create syslog profile using panos_syslog_server_profile results in stack trace

Describe the bug

Using the resource "panos_syslog_server_profile" results in a stack trace.

Expected behavior

Creation of syslog server profile

Current behavior

terraform apply fails with a Go stack trace.

Possible solution

Steps to reproduce

```hcl
resource "panos_syslog_server_profile" "syslog_setup" {
  name = "myProfile"
  syslog_server {
    name   = "my-server"
    server = "syslog.example.com"
  }

  lifecycle {
    create_before_destroy = true
  }
}
```

Error:
```text
Plan: 1 to add, 0 to change, 0 to destroy.
panos_syslog_server_profile.syslog_setup: Creating...

│ Error: Request cancelled

│ with panos_syslog_server_profile.syslog_setup,
│ on templates.tf line 54, in resource "panos_syslog_server_profile" "syslog_setup":
│ 54: resource "panos_syslog_server_profile" "syslog_setup" {

│ The plugin.(*GRPCProvider).ApplyResourceChange request was cancelled.

Stack trace from the terraform-provider-panos_v1.11.1 plugin:

panic: interface conversion: interface {} is nil, not string

goroutine 47 [running]:
github.com/terraform-providers/terraform-provider-panos/panos.createSyslogServerProfile(0x1da3660, {0x1f1a2c0, 0xc00000a1e0})
github.com/terraform-providers/terraform-provider-panos/panos/syslog_server_profile.go:145 +0x56c
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Resource).Apply(0xc0007d0960, 0xc0008f6f50, 0xc00091e1e0, {0x1f1a2c0, 0xc00000a1e0})
github.com/hashicorp/[email protected]/helper/schema/resource.go:320 +0x438
github.com/hashicorp/terraform-plugin-sdk/helper/schema.(*Provider).Apply(0xc0001a8900, 0xc000e21a68, 0x1f2e05d, 0xf)
github.com/hashicorp/[email protected]/helper/schema/provider.go:294 +0x70
github.com/hashicorp/terraform-plugin-sdk/internal/helper/plugin.(*GRPCProviderServer).ApplyResourceChange(0xc0000b3520, {0xc0008f0cb0, 0x10b08e6}, 0xc0008f0cb0)
github.com/hashicorp/[email protected]/internal/helper/plugin/grpc_provider.go:895 +0x7c5
github.com/hashicorp/terraform-plugin-sdk/internal/tfplugin5._Provider_ApplyResourceChange_Handler({0x1edfec0, 0xc0000b3520}, {0x2170bf0, 0xc0007e4300}, 0xc00064c0c0, 0x0)
github.com/hashicorp/[email protected]/internal/tfplugin5/tfplugin5.pb.go:3305 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0008d4380, {0x2181c20, 0xc0005fa000}, 0xc000316b00, 0xc0008d3920, 0x295e3c0, 0x0)
google.golang.org/[email protected]/server.go:1194 +0xc8f
google.golang.org/grpc.(*Server).handleStream(0xc0008d4380, {0x2181c20, 0xc0005fa000}, 0xc000316b00, 0x0)
google.golang.org/[email protected]/server.go:1517 +0xa2a
google.golang.org/grpc.(*Server).serveStreams.func1.2()
google.golang.org/[email protected]/server.go:859 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
google.golang.org/[email protected]/server.go:857 +0x294

Error: The terraform-provider-panos_v1.11.1 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.
```

  • Version used: Terraform v1.5.4, terraform-provider-panos_v1.11.1, panorama/panos 11.0.1

error in running the aws_modules_version/ (module.lambda.var.AddENILambda: variable AddENILambda in module lambda should be type string, got list)

Documentation link

When I run terraform plan in the inner module (aws_modules_version/) it gives me the error below.
When I change the variable type to list,
the endpoint will not be created at a later stage, as it should be a string and not a list.

Error: Error running plan: 2 errors occurred:
* module.sns.aws_sns_topic_subscription.LambdaENISNSTopicSubscription: endpoint must be a single value, not a list

Describe the problem

Refreshing Terraform state in-memory prior to plan...
The refreshed state will be used to calculate this plan, but will not be
persisted to local or remote state storage.


Error: Error running plan: 2 errors occurred:
* module.lambda.var.AddENILambda: variable AddENILambda in module lambda should be type string, got list
* module.sns.var.AddENILambdaARN: variable AddENILambdaARN in module sns should be type string, got list

AWS keys and secrets available in a customer facing file/repo

This file is publicly open and a customer reported he can see the AWS key and Secret in it:

https://github.com/PaloAltoNetworks/terraform-templates/blob/02e6431d7491762c43dea9fa9c735b9053c22da3/one-click-multi-cloud/one-click-aws/aws_creds.tf

And in this one:

https://github.com/wwce/terraform.git
linked from: https://live.paloaltonetworks.com/t5/AWS/ct-p/AWS

Expected behavior

Current behavior

Possible solution

Steps to reproduce

Screenshots

Context

Your Environment

  • Version used:
  • Environment name and version (e.g. Chrome 59, node.js 5.4, python 3.7.3):
  • Operating System and version (desktop or mobile):
  • Link to your project:
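The report above is about static AWS credentials committed to a customer-facing .tf file. The following is an added example, not code from this repository: a POSIX sh check of the kind a git pre-commit hook would call, which refuses files that assign a literal string to a credential attribute or that contain anything shaped like an AWS access key ID. The two sample .tf files, the fake key material in them, and the function names are constructed for the demonstration.

```shell
#!/bin/sh
# Added example (not the repository's code): detect literal AWS credentials
# in Terraform files before they reach a public repository.

# Print "file:line:text" for every line that either assigns a literal string
# to a credential attribute (access_key = "...", aws_secret_key = "...", ...)
# or contains an AWS access key ID shape (AKIA followed by 16 upper/digits).
# References such as `access_key = var.access_key` carry no quotes and are
# not flagged. Exit status follows grep: 0 found, 1 clean, 2 on error.
find_static_aws_creds() {
    grep -nHE \
        -e '^[[:space:]]*(aws_)?(access_key|secret_key|secret_access_key)[[:space:]]*=[[:space:]]*"[^"]+"' \
        -e 'AKIA[0-9A-Z]{16}' \
        "$@"
}

# Number of offending lines across the given files (0 when clean).
count_static_aws_creds() {
    find_static_aws_creds "$@" | wc -l | tr -d ' '
}

# Hook contract: 0 = clean, 1 = credentials present, 2 = could not scan.
# A missing or unreadable file is reported rather than silently passed,
# so an error in the hook never looks like a clean result.
check_tf_files() {
    find_static_aws_creds "$@" >/dev/null
    rc=$?
    case "$rc" in
        0) echo "refusing to commit: static AWS credentials found in: $*" >&2; return 1 ;;
        1) return 0 ;;
        *) echo "scan failed (grep exit $rc) for: $*" >&2; return 2 ;;
    esac
}

# --- Constructed demonstration files ------------------------------------
demo_dir=$(mktemp -d)

# Weak form: credentials pasted into the provider block. The key values are
# fake, built only to match the scanner's patterns.
cat > "$demo_dir/aws_creds_weak.tf" <<'EOF'
provider "aws" {
  region     = "us-east-1"
  access_key = "AKIAEXAMPLEEXAMPLE00"
  secret_key = "exampleSecretKeyDoNotUseThisAnywhere1234"
}
EOF

# Hardened form: no literals in the file. The provider reads
# AWS_ACCESS_KEY_ID / AWS_SECRET_ACCESS_KEY from the environment, a shared
# credentials profile, or an instance/assumed role at plan time.
cat > "$demo_dir/aws_creds_ok.tf" <<'EOF'
provider "aws" {
  region = "us-east-1"
}
EOF

# Stand-alone demonstration: the weak file is rejected, the hardened one passes.
check_tf_files "$demo_dir/aws_creds_weak.tf" || echo "weak file rejected (expected)"
check_tf_files "$demo_dir/aws_creds_ok.tf" && echo "hardened file accepted (expected)"
```

Wire `check_tf_files` into `.git/hooks/pre-commit` over `git diff --cached --name-only -- '*.tf'`, and treat a hit on a file that has already been pushed as a rotation event for that key, since removing the line from history does not revoke the credential.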

Add sha-bang for check-fw.sh

Tested on Ubuntu 16.04: the default interpreter run by the provisioner is /bin/sh, causing the script to fail. Adding the sha-bang '#!/bin/bash' fixes the issue. The provisioner could also declare the correct interpreter for the script.

Error:
null_resource.check_fw_ready (local-exec): ./check_fw.sh: 9: ./check_fw.sh: [[: not found
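Two reports in this list come from the same readiness loop: the `[[: not found` failure above, where /bin/sh (dash on Ubuntu) rejects bash-only syntax, and the first issue, where the loop kept retrying for more than 38 minutes on `HTTP/1.1 403 Invalid Credential` while echoing the API key into the Terraform log. The following is an added example, not the repository's check_fw.sh: a probe written in POSIX sh so it runs the same under either interpreter, which treats 403 as a terminal credential failure rather than "not ready yet", and calls curl silently so the key in the query string is never logged. FW_HOST, FW_API_KEY, MAX_ATTEMPTS, SLEEP_SECS and all function names are assumptions of this example.

```shell
#!/bin/sh
# Added example (not the repository's check_fw.sh): a PAN-OS API readiness
# probe in POSIX sh. Uses [ ] rather than the bash-only [[ ]] so it behaves
# identically whether the provisioner starts it with /bin/sh or bash.
# Environment names FW_HOST, FW_API_KEY, MAX_ATTEMPTS and SLEEP_SECS are
# conventions of this example, not of the repository.

# Classify a curl-style HTTP status line into a readiness verdict:
#   ready       - 200: the API answered the request
#   auth_failed - 401/403: the key or credentials were rejected; retrying
#                 cannot fix this, so the loop should stop and say so
#   not_ready   - anything else (000 = no connection, 5xx, empty): keep polling
classify_status() {
    status_line=$1
    # Pull out the three-digit code; empty when no response line was given.
    code=$(printf '%s\n' "$status_line" | sed -n 's/^HTTP\/[0-9.]* \([0-9][0-9][0-9]\).*/\1/p')
    case "$code" in
        200) echo ready ;;
        401|403) echo auth_failed ;;
        *) echo not_ready ;;
    esac
}

# Ask the firewall for its status line. -s (not -v) keeps the URL, and the
# API key inside it, out of the provisioner's log; -o /dev/null discards the
# body; -w prints only the status code (000 when the connection fails);
# -k tolerates the self-signed certificate present at first boot.
probe_status_line() {
    code=$(curl -sk -o /dev/null -w '%{http_code}' --max-time 10 \
        "https://${FW_HOST}/api/?type=op&cmd=<show><system><info></info></system></show>&key=${FW_API_KEY}")
    printf 'HTTP/1.1 %s\n' "$code"
}

# Poll until ready. Exit status: 0 ready, 1 timed out, 2 credentials rejected.
wait_for_fw() {
    max_attempts=${1:-60}
    sleep_secs=${2:-10}
    attempt=1
    while [ "$attempt" -le "$max_attempts" ]; do
        verdict=$(classify_status "$(probe_status_line)")
        case "$verdict" in
            ready) return 0 ;;
            auth_failed)
                echo "firewall rejected the API key (HTTP 401/403); fix the bootstrap credentials instead of retrying" >&2
                return 2 ;;
        esac
        attempt=$((attempt + 1))
        sleep "$sleep_secs"
    done
    echo "firewall not ready after $max_attempts attempts" >&2
    return 1
}

# Run only when a target is configured, so the file can be sourced or
# linted without FW_HOST doing nothing.
if [ -n "${FW_HOST:-}" ]; then
    wait_for_fw "${MAX_ATTEMPTS:-60}" "${SLEEP_SECS:-10}"
fi
```

Distinguishing exit status 2 from 1 lets the Terraform `local-exec` provisioner fail fast with a message that names the real cause, which is what the first reporter was missing after 38 minutes of "Still creating...".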

Does this support non-HTTP traffic blocking?

It's my understanding that the PA behind the ELB will not be able to see the original client IP (other than X-Forwarded-For for HTTP traffic), so is this solution only for HTTP based traffic or is there something I'm not understanding?

New Image?

Has the vinayvenkat image been superseded by the paloaltonetworks image?

docker search terraform_ansible
NAME DESCRIPTION STARS OFFICIAL AUTOMATED
vinayvenkat/terraform_ansible 0
dalloriam/terraform_ansible Terraform + Ansible build environment 0 [OK]
gunjan5/terraform_ansible 0
kyleatpanw/terraform_ansible_aws_azure_gcp 0
paloaltonetworks/terraform_ansible 0

legal terms not accepted

When trying to run this I get:

  • azurerm_virtual_machine.PAN_FW_FW: 1 error(s) occurred:

  • azurerm_virtual_machine.PAN_FW_FW: compute.VirtualMachinesClient#CreateOrUpdate: Failure sending request: StatusCode=400 -- Original Error: Code="ResourcePurchaseValidationFailed" Message="User failed validation to purchase resources. Error message: 'Legal terms have not been accepted for this item on this subscription. To accept legal terms using PowerShell, please use Get-AzureRmMarketplaceTerms and Set-AzureRmMarketplaceTerms API(https://go.microsoft.com/fwlink/?linkid=862451) or deploy via the Azure portal to accept the terms'"

  • azurerm_virtual_machine_extension.PAN_FW_WEB_EXT_MIN: 1 error(s) occurred:

  • azurerm_virtual_machine_extension.PAN_FW_WEB_EXT_MIN: azure#WaitForCompletion: context has been cancelled: StatusCode=200 -- Original Error: context deadline exceeded

Seems linked to hashicorp/terraform-provider-azurerm#1283

[Community Health Assessment] Changes needed

This issue was opened by a bot called Community Health (PANW) because this repo has failed too many community health checks.

Repo maintainers: Please take the time to fix the issues in the table to reach the target score. These improvements will help others find your work and contribute to it. This issue will update as your score improves until it hits the target score.

Click More info for instructions to fix each item.

| Health Check | Pass Score | More Info |
| --- | --- | --- |
| Contains a meaningful README.md file | 20 / 20 | More info |
| SUPPORT.md file exists | 0 / 20 | More info |
| Repo has a description | 15 / 15 | More info |
| Has a recognized open source license | 15 / 15 | More info |
| Has a descriptive repo name | 15 / 15 | More info |
| Required topics attached to repo | 0 / 15 | More info |
| CONTRIBUTING.md file with contribution guidelines | 0 / 5 | More info |
| Has custom issue and pull request templates | 0 / 5 | More info |

Current score: 65
Target threshold: 100
Total possible: 110
