Describe the bug
panos_syslog_profile cannot manage syslog profiles that are located in shared on an unmanaged firewall.
This is inconsistent with:
- PAN-OS behavior, where syslog profiles on a standalone firewall are stored under
shared log-settings syslog
- the generic provider
location guide, which documents location = { shared = {} } for common objects
However, the panos_syslog_profile resource schema does not expose location.shared, so there is currently no way to represent a standalone firewall syslog profile in its real location.
Expected behavior
panos_syslog_profile should support location = { shared = {} } for unmanaged firewalls and operate on the correct XPath:
config/shared/log-settings/syslog
This should also work for:
terraform importterraform planterraform apply
so that an existing shared syslog profile can be represented in Terraform without drift.
Current behavior
panos_syslog_profile only supports these locations in its resource schema:
panoramavsystemplatetemplate_vsystemplate_stacktemplate_stack_vsys
There is no shared location for this resource.
Because of that:
- the real location of the object on the firewall cannot be expressed
- using
vsys as a workaround is not valid for a shared object
Example workaround failure:
resource "panos_syslog_profile" "lms_infra" {
location = {
vsys = {
ngfw_device = "localhost.localdomain"
name = "shared"
}
}
name = "lms-infra"
}This fails with:
failed to create entry on the server: shared 'shared' is invalid. vsys name should begin with 'vsys'
Possible solution
Add shared support for panos_syslog_profile in both:
pango device/profiles/syslog/location.go- provider
internal/provider/syslog_profile.go
This looks similar to how shared is already implemented for other resources, for example panos_ssl_tls_service_profile.
Concretely, this likely means:
- adding
SharedLocation to the syslog profile location model in pango
- mapping it to
config/shared/log-settings/syslog
- exposing
location.shared in the Terraform resource schema
- updating import/marshal/unmarshal logic accordingly
- aligning the resource docs with the generic
location guide
Steps to reproduce
- Use provider
paloaltonetworks/panos version 2.0.9 against an unmanaged firewall.
- Verify that the syslog profile exists in
shared, for example:
show shared log-settings syslog lms-infra
- Try to model it with
panos_syslog_profile using its real location:
resource "panos_syslog_profile" "lms_infra" {
location = {
shared = {}
}
name = "lms-infra"
}
- Observe that
shared is not supported by the resource schema, and any attempt to force the object into vsys fails because the real object is not a vsys-scoped object.
Screenshots
Relevant error when trying the vsys workaround:
failed to create entry on the server: shared 'shared' is invalid. vsys name should begin with 'vsys'
Context
I am trying to recreate the existing firewall configuration in Terraform so that terraform plan/apply is a no-op.
For standalone firewalls, syslog profiles are actually stored in shared, so without location.shared support in panos_syslog_profile there is no faithful way to import/manage these objects. This prevents representing the real device configuration and introduces unavoidable drift.
Describe the bug
panos_syslog_profilecannot manage syslog profiles that are located insharedon an unmanaged firewall.This is inconsistent with:
shared log-settings sysloglocationguide, which documentslocation = { shared = {} }for common objectsHowever, the
panos_syslog_profileresource schema does not exposelocation.shared, so there is currently no way to represent a standalone firewall syslog profile in its real location.Expected behavior
panos_syslog_profileshould supportlocation = { shared = {} }for unmanaged firewalls and operate on the correct XPath:This should also work for:
terraform importterraform planterraform applyso that an existing shared syslog profile can be represented in Terraform without drift.
Current behavior
panos_syslog_profileonly supports these locations in its resource schema:panoramavsystemplatetemplate_vsystemplate_stacktemplate_stack_vsysThere is no
sharedlocation for this resource.Because of that:
vsysas a workaround is not valid for a shared objectExample workaround failure:
This fails with:
Possible solution
Add
sharedsupport forpanos_syslog_profilein both:pangodevice/profiles/syslog/location.gointernal/provider/syslog_profile.goThis looks similar to how
sharedis already implemented for other resources, for examplepanos_ssl_tls_service_profile.Concretely, this likely means:
SharedLocationto the syslog profile location model inpangoconfig/shared/log-settings/sysloglocation.sharedin the Terraform resource schemalocationguideSteps to reproduce
paloaltonetworks/panosversion2.0.9against an unmanaged firewall.shared, for example:panos_syslog_profileusing its real location:sharedis not supported by the resource schema, and any attempt to force the object intovsysfails because the real object is not a vsys-scoped object.Screenshots
Relevant error when trying the
vsysworkaround:Context
I am trying to recreate the existing firewall configuration in Terraform so that
terraform plan/applyis a no-op.For standalone firewalls, syslog profiles are actually stored in
shared, so withoutlocation.sharedsupport inpanos_syslog_profilethere is no faithful way to import/manage these objects. This prevents representing the real device configuration and introduces unavoidable drift.