Local rule deletion doesn't commit to the cloudngfw firewall #23283

Closed
1 task done
shankar-bala opened this issue Sep 15, 2023 · 1 comment · Fixed by #23362

Comments

@shankar-bala


Terraform Version

v1.3.7

AzureRM Provider Version

3.69.0

Affected Resource(s)/Data Source(s)

azurerm_palo_alto_next_generation_firewall_virtual_network_local_rulestack

Terraform Configuration Files

locals {
  # timestring = formatdate("YYYYMMDDhhmmss", timestamp())
  timestring = "02"
}

# create resource group
resource "azurerm_resource_group" "rg" {
  name     = "${var.resource_prefix}-rg-${local.timestring}"
  location = var.location
}

# create vnet/subnets
resource "azurerm_virtual_network" "vnet" {
  name                = "${var.resource_prefix}-fwVnet-vnet-${local.timestring}"
  address_space       = [var.vnet_cidr]
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name

  tags = {
    Purpose = "terraform testing"
  }
}

# both firewall subnets must be delegated to PaloAltoNetworks.Cloudngfw/firewalls
resource "azurerm_subnet" "trust" {
  name                 = "${var.resource_prefix}-trustsubnet-${local.timestring}"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [var.trust_subnet_cidr]

  delegation {
    name = "trusted"

    service_delegation {
      name = "PaloAltoNetworks.Cloudngfw/firewalls"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}

resource "azurerm_subnet" "untrust" {
  name                 = "${var.resource_prefix}-untrustsubnet-${local.timestring}"
  resource_group_name  = azurerm_resource_group.rg.name
  virtual_network_name = azurerm_virtual_network.vnet.name
  address_prefixes     = [var.untrust_subnet_cidr]

  delegation {
    name = "untrusted"

    service_delegation {
      name = "PaloAltoNetworks.Cloudngfw/firewalls"
      actions = [
        "Microsoft.Network/virtualNetworks/subnets/join/action",
      ]
    }
  }
}

# read back the rulestack created below
data "azurerm_palo_alto_local_rulestack" "lrs-out" {
  resource_group_name = azurerm_resource_group.rg.name
  name                = azurerm_palo_alto_local_rulestack.lrs.name
}

# create local rulestack (the firewall below is attached to this one)
resource "azurerm_palo_alto_local_rulestack" "lrs" {
  name                = "${var.resource_prefix}-lrs-${local.timestring}"
  resource_group_name = azurerm_resource_group.rg.name
  location            = var.location
  description         = "rulestack update testing5"
}

resource "azurerm_palo_alto_local_rulestack" "lrs2" {
  name                = "${var.resource_prefix}-lrs2-${local.timestring}"
  resource_group_name = azurerm_resource_group.rg.name
  location            = var.location
  description         = "rulestack2 testing2"
}

# create prefix list
resource "azurerm_palo_alto_local_rulestack_prefix_list" "prefix" {
  name         = "${var.resource_prefix}-prefix-${local.timestring}"
  prefix_list  = ["10.0.2.0/26"]
  rulestack_id = azurerm_palo_alto_local_rulestack.lrs.id
  description  = "prefixlist update"
}

# local rule; the provider derives the resource ID from the priority (.../localRules/1000)
resource "azurerm_palo_alto_local_rulestack_rule" "localrule" {
  name         = "${var.resource_prefix}-rule-${local.timestring}"
  rulestack_id = azurerm_palo_alto_local_rulestack.lrs.id
  priority     = 1000

  applications = ["any"]
  source {
    cidrs = ["10.0.2.0/24"]
  }
  destination {
    cidrs = ["192.168.16.0/24"]
  }
  action = "Allow"
}

# public IP for the firewall's untrust side
resource "azurerm_public_ip" "fw-vnet-pubip" {
  name                = "${var.resource_prefix}-fwVnet-pubip-${local.timestring}"
  location            = var.location
  resource_group_name = azurerm_resource_group.rg.name
  allocation_method   = "Static"
  sku                 = "Standard"
}

# firewall attached to rulestack "lrs"
resource "azurerm_palo_alto_next_generation_firewall_virtual_network_local_rulestack" "firewall1" {
  name                = "${var.resource_prefix}-fw-${local.timestring}"
  resource_group_name = azurerm_resource_group.rg.name
  rulestack_id        = azurerm_palo_alto_local_rulestack.lrs.id

  network_profile {
    public_ip_address_ids = [azurerm_public_ip.fw-vnet-pubip.id]

    vnet_configuration {
      virtual_network_id  = azurerm_virtual_network.vnet.id
      trusted_subnet_id   = azurerm_subnet.trust.id
      untrusted_subnet_id = azurerm_subnet.untrust.id
    }
  }

  dns_settings {
    dns_servers = [azurerm_public_ip.fw-vnet-pubip.ip_address]
  }

  destination_nat {
    name     = "${var.resource_prefix}-fw-${local.timestring}-dnat1"
    protocol = "TCP"

    backend_config {
      port              = 80
      public_ip_address = "10.3.1.12"
    }
    frontend_config {
      port                 = 80
      public_ip_address_id = azurerm_public_ip.fw-vnet-pubip.id
    }
  }
}

Debug Output/Panic Output

Terraform apply works with the above code
=====

terraform apply -auto-approve
azurerm_resource_group.rg: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02]
azurerm_palo_alto_local_rulestack.lrs2: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs2-02]
azurerm_palo_alto_local_rulestack.lrs: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02]
azurerm_public_ip.fw-pano-pubip: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/publicIPAddresses/tfTest-pano-02]
azurerm_public_ip.fw-vnet-pubip: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/publicIPAddresses/tfTest-fwVnet-pubip-02]
azurerm_public_ip.fw-vhub-pubip: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/publicIPAddresses/tfTest-vhub-02]
azurerm_virtual_network.vnet: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/virtualNetworks/tfTest-fwVnet-vnet-02]
azurerm_palo_alto_local_rulestack_fqdn_list.fqdn: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02/fqdnLists/tfTest-fqdn-02]
azurerm_palo_alto_local_rulestack_prefix_list.prefix: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02/prefixLists/tfTest-prefix-02]
azurerm_palo_alto_local_rulestack_rule.localrule: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02/localRules/1000]
data.azurerm_palo_alto_local_rulestack.lrs-out: Reading...
data.azurerm_palo_alto_local_rulestack.lrs-out: Read complete after 0s [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02]
azurerm_subnet.trust: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/virtualNetworks/tfTest-fwVnet-vnet-02/subnets/tfTest-trustsubnet-02]
azurerm_subnet.untrust: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/Microsoft.Network/virtualNetworks/tfTest-fwVnet-vnet-02/subnets/tfTest-untrustsubnet-02]
azurerm_palo_alto_next_generation_firewall_virtual_network_local_rulestack.firewall1: Refreshing state... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/firewalls/tfTest-fw-02]

No changes. Your infrastructure matches the configuration.


====

After removing the "azurerm_palo_alto_local_rulestack_rule" block, performed terraform apply:

====

# azurerm_palo_alto_local_rulestack_rule.localrule will be destroyed
  # (because azurerm_palo_alto_local_rulestack_rule.localrule is not in configuration)
  - resource "azurerm_palo_alto_local_rulestack_rule" "localrule" {
      - action               = "Allow" -> null
      - applications         = [
          - "any",
        ] -> null
      - decryption_rule_type = "None" -> null
      - enabled              = true -> null
      - id                   = "/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02/localRules/1000" -> null
      - logging_enabled      = false -> null
      - name                 = "tfTest-rule-02" -> null
      - negate_destination   = false -> null
      - negate_source        = false -> null
      - priority             = 1000 -> null
      - protocol             = "application-default" -> null
      - protocol_ports       = [] -> null
      - rulestack_id         = "/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02" -> null
      - tags                 = {} -> null

      - destination {
          - cidrs                           = [
              - "192.168.16.0/24",
            ] -> null
          - countries                       = [] -> null
          - feeds                           = [] -> null
          - local_rulestack_fqdn_list_ids   = [] -> null
          - local_rulestack_prefix_list_ids = [] -> null
        }

      - source {
          - cidrs                           = [
              - "10.0.2.0/24",
            ] -> null
          - countries                       = [] -> null
          - feeds                           = [] -> null
          - local_rulestack_prefix_list_ids = [] -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

azurerm_palo_alto_local_rulestack_rule.localrule: Destroying... [id=/subscriptions/91b2c91c-8d81-421e-9102-027c530ff81d/resourceGroups/tfTest-rg-02/providers/PaloAltoNetworks.Cloudngfw/localRulestacks/tfTest-lrs-02/localRules/1000]
azurerm_palo_alto_local_rulestack_rule.localrule: Still destroying... [id=/subscriptions/91b2c91c-8d81-421e-9102-...lestacks/tfTest-lrs-02/localRules/1000, 10s elapsed]
azurerm_palo_alto_local_rulestack_rule.localrule: Destruction complete after 13s

Apply complete! Resources: 0 added, 0 changed, 1 destroyed.

====

On the firewall console, no commits happened.

In order to get the rule removed from the firewall, we added the rule back with another name or performed a rulestack operation; then the commit happens to the firewall, which removes the local rule from the firewall config.

Expected Behaviour

Local rule delete should also perform a commit to the firewall, like other operations (rulestack update/create).

Actual Behaviour

Commit to the firewall didn't happen when the local rule was deleted.

Steps to Reproduce

No response

Important Factoids

No response

References

No response
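The practical consequence of the behaviour reported above is that an Allow rule Terraform has already destroyed stays in force on the firewall until something else triggers a commit, so state and plan output look clean while the running policy is wider than the code. The following check is an added example written for this issue; it is not code from the issue, the azurerm provider or Palo Alto Networks. It compares the rules Terraform believes exist (parsed from `terraform show -json`, whose document shape HashiCorp documents) with the rules the rulestack reports, and flags rules the firewall still enforces but the configuration no longer declares. The firewall-side field names (`value`, `properties.ruleName`, `actionType`, `source.cidrs`) are an assumption and must be adapted to the real listing; both inputs are constructed inline, mirroring rule 1000 from this issue, so the script runs offline.

```python
"""Detect local rules the Cloud NGFW still enforces after Terraform has destroyed them.

Added example for this issue; not code from the issue, the azurerm provider or
Palo Alto Networks. Terraform-side input comes from `terraform show -json`;
firewall-side field names are an assumption and must be adapted to the real
listing. Both inputs are constructed inline so the check runs offline.
"""
import json
from dataclasses import dataclass

RULE_TYPE = "azurerm_palo_alto_local_rulestack_rule"


@dataclass(frozen=True)
class Rule:
    priority: int          # the provider's resource ID ends in /localRules/<priority>
    name: str
    action: str
    source_cidrs: tuple
    destination_cidrs: tuple


def rules_from_tf_state(show_json):
    """Local rules in `terraform show -json` output, keyed by priority (all modules)."""
    state = json.loads(show_json)
    rules = {}
    pending = [state.get("values", {}).get("root_module", {})]
    while pending:
        module = pending.pop()
        pending.extend(module.get("child_modules", []))
        for res in module.get("resources", []):
            if res.get("type") != RULE_TYPE:
                continue
            v = res["values"]
            # nested blocks are rendered as lists of objects in the JSON output
            src = v.get("source") or [{}]
            dst = v.get("destination") or [{}]
            rule = Rule(int(v["priority"]), v["name"], v["action"],
                        tuple(src[0].get("cidrs") or ()), tuple(dst[0].get("cidrs") or ()))
            rules[rule.priority] = rule
    return rules


def rules_from_firewall(listing_json):
    """Rules as reported by the rulestack; field names are assumed (see module docstring)."""
    rules = {}
    for item in json.loads(listing_json).get("value", []):
        p = item["properties"]
        rule = Rule(int(item["name"]), p["ruleName"], p["actionType"],
                    tuple(p.get("source", {}).get("cidrs") or ()),
                    tuple(p.get("destination", {}).get("cidrs") or ()))
        rules[rule.priority] = rule
    return rules


def stale_rules(desired, running):
    """Rules still enforced by the firewall that Terraform no longer declares."""
    return [running[p] for p in sorted(running.keys() - desired.keys())]


def drifted_rules(desired, running):
    """Priorities present on both sides whose content differs (an edit that never got committed)."""
    return sorted(p for p in desired.keys() & running.keys() if desired[p] != running[p])


def commit_needed(desired, running):
    """True when the running policy does not match the Terraform-managed policy."""
    return bool(stale_rules(desired, running) or drifted_rules(desired, running)
                or desired.keys() - running.keys())


# --- constructed sample inputs, mirroring the rule from this issue -------------------------
def _state(resources):
    return json.dumps({"format_version": "1.0",
                       "values": {"root_module": {"resources": resources}}})


TF_RULE = {"address": "azurerm_palo_alto_local_rulestack_rule.localrule", "type": RULE_TYPE,
           "values": {"name": "tfTest-rule-02", "priority": 1000, "action": "Allow",
                      "source": [{"cidrs": ["10.0.2.0/24"]}],
                      "destination": [{"cidrs": ["192.168.16.0/24"]}]}}
STATE_WITH_RULE = _state([TF_RULE])
STATE_AFTER_DESTROY = _state([])          # the rule block was removed and destroyed

# what the firewall still reports after the destroy, because no commit happened (assumed shape)
FIREWALL_LISTING = json.dumps({"value": [
    {"name": "1000", "properties": {"ruleName": "tfTest-rule-02", "actionType": "Allow",
                                    "source": {"cidrs": ["10.0.2.0/24"]},
                                    "destination": {"cidrs": ["192.168.16.0/24"]}}}]})

if __name__ == "__main__":
    running = rules_from_firewall(FIREWALL_LISTING)
    for label, state in (("before destroy", STATE_WITH_RULE), ("after destroy", STATE_AFTER_DESTROY)):
        desired = rules_from_tf_state(state)
        stale = stale_rules(desired, running)
        print(f"{label}: commit needed={commit_needed(desired, running)}; "
              f"stale rules={[(r.priority, r.action) for r in stale]}")
```

Run it after a `terraform apply` that destroyed a rule: a non-empty stale list (here rule 1000, action Allow) means the policy the firewall enforces is still wider than the code, and a commit on the rulestack is needed before the change is real. Matching on priority rather than name is deliberate, because that is what the provider uses as the rule's identity in the resource ID.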


github-actions bot commented May 6, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues.
If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators May 6, 2024