PaloAltoNetworks/pan-os-ansible

panos_nat_rule2 - failure to gather policies when address field contains null values

jgiroso opened this issue · 2 comments

Describe the bug

paloaltonetworks.panos.panos_nat_rule2 module failure when attempting to use the gathered_filter on a list-type field that may contain 'none'/'null' values

Expected behavior

The module should ignore these null values when using state: 'gathered' and gathered_filter: {{ field }} contains {{ value }} and only pull the nat policies where those values are defined. If none are defined, it should output gathered: [] instead of failing.

Current behavior

When attempting to use gathered_filter on a list-type field that contains null values in some policies, the module fails with the error: "'NoneType' is not iterable". This is not the same case for string datatypes as those will succeed.

In the example above, I use the 'contains' operator, but this is affecting all iterable operators (contains, does-not-contain, contains-regex, does-not-contain-regex).

Possible solution

Steps to reproduce

  1. Ensure there are nat policies on the palo alto panorama with 'none' in any of the list-type address fields such as source_translation_translated_addresses.
  2. Set up the following tasks in a playbook:

panos_provider is a dictionary that contains the panorama host, username, and password
palo_device_group is a string that points to a particular device group on the panorama
translated_address is a string containing one of the source translation translated addresses currently existing on the palo alto

  - name: 'Query panos nat policies'
    paloaltonetworks.panos.panos_nat_rule2:
      provider: "{{ panos_provider }}"
      device_group: "{{ palo_device_group }}"
      state: 'gathered'
      gathered_filter: "source_translation_translated_addresses contains {{ translated_address }}"
    register: output

  - name: 'debug register'
    ansible.builtin.debug:
      msg: "{{ output }}"

  3. Run the playbook
  4. The task will fail stating "'NoneType' is not iterable"

Screenshots

Context

This is preventing our ability to validate current policies on the palo alto to see what has been configured to an existing policy. This is a pre-check we do before provisioning all new NAT policies with public facing IPs.

Your Environment

  • Collection: paloaltonetworks.panos 2.17.2
  • Python: 3.8
  • Ansible: 2.13.7
  • PAN-OS Python Library & version: pan-os-python 1.11.0
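
A minimal sketch of the null handling the report asks for, added here as an example; it is not the collection's code and not part of the original post. The rule dictionaries, `naive_contains` and `gather` are hypothetical, and skipping rules whose field is None follows the expected behaviour stated in the report.

```python
import re

FIELD = "source_translation_translated_addresses"

# Constructed sample of gathered NAT rules. "no-snat" has no source
# translation, so its list-type field is None, as in the report.
RULES = [
    {"name": "snat-web", FIELD: ["203.0.113.10"]},
    {"name": "no-snat", FIELD: None},
    {"name": "snat-mail", FIELD: ["203.0.113.25", "203.0.113.26"]},
]


def naive_contains(rule, field, value):
    """Unguarded membership test: raises TypeError when the field is None."""
    return value in rule[field]


# The four iterable operators named in the report, applied to a real list.
OPERATORS = {
    "contains": lambda items, v: v in items,
    "does-not-contain": lambda items, v: v not in items,
    "contains-regex": lambda items, v: any(re.search(v, i) for i in items),
    "does-not-contain-regex": lambda items, v: not any(re.search(v, i) for i in items),
}


def gather(rules, field, op, value):
    """Return names of matching rules, skipping rules whose field is None.

    Skipping (rather than treating None as an empty list) follows the
    expected behaviour stated in the report; it is an assumption here.
    """
    match = OPERATORS[op]
    names = []
    for rule in rules:
        items = rule.get(field)
        if items is None:
            continue  # undefined field: no match, no exception
        if match(items, value):
            names.append(rule["name"])
    return names


if __name__ == "__main__":
    print(gather(RULES, FIELD, "contains", "203.0.113.10"))
```

For a pre-check like the one described under Context, an empty result from `gather` means no existing rule translates to the address, which is distinct from the query itself failing.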

🎉 Thanks for opening your first issue here! Welcome to the community!

🎉 This issue has been resolved in version 2.17.5 🎉

The release is available on Ansible Galaxy and GitHub release

Posted by semantic-release bot