PaloAltoNetworks/pan-os-ansible

panos_security_rule returns inconsistent datatypes for group_profile value

jgiroso opened this issue · 0 comments

Describe the bug

Module documentation for panos_security_rule specifies that the group_profile datatype is of type string; however, the register output when state is gathered or absent is of type list.

Expected behavior

The datatype for group_profile should consistently remain type string regardless of the state specified.

Current behavior

The register output for state = 'present' outputs group_profile as a string; however, when the state is 'gathered' or 'absent', group_profile's value is output as a list of strings.

Steps to reproduce

  1. Create a task to provision a palo security rule. Settings can be as you wish, but it should require a group_profile and a register for the output.
  2. Create another task to query the policy after it's created. State should be gathered and the gather_filter should search by rule_name. Add a register for this task as well.
  3. Create a debug task for the following: the create security_rule register, the gather security_rule register, a boolean value stating create_register == query_register

Screenshots

[Screenshots not preserved: module documentation; the task and its group_profile output for state = 'present', state = 'gathered', and state = 'absent'.]

Context

To ensure a safe deprovision of our firewall policies, any policies created with our automation have the policy details saved from provision. To set this, we use the register output from the provision role.

Before deprovisioning, we compare the policy created to the policy currently existing on palo to ensure no one has made any manual changes to the policy. We do this by checking that the saved dictionary == the current policy values from the query register.

Due to the different data types this will always fail.

Our current workaround is to re-query the firewall policy immediately after it is created and store that query output; however, this is an extra task that should be unnecessary were it not for the inconsistent data types.

It also means that when we ask a user to supply the values individually, our role has to convert the data type before comparing.

Your Environment

Collection: paloaltonetworks.panos 2.17.7
Python: 3.9.16
Ansible: 2.14.9
PAN-OS Python Library & version: pan-os-python 1.8.1
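
An added example, not part of the original issue or the pan-os-ansible project: a type-tolerant drift check for the pre-deprovision comparison described under Context, written as a hypothetical Ansible filter plugin. The function names, `SCALAR_KEYS`, and the sample rule values are assumptions constructed for illustration.

```python
# Hypothetical filter plugin (e.g. filter_plugins/rule_drift.py); added example.
# Assumption: the keys in SCALAR_KEYS come back as a plain string from
# state=present and as a one-item list from state=gathered/absent.
SCALAR_KEYS = ("group_profile",)


def normalize_rule(rule, scalar_keys=SCALAR_KEYS):
    """Return a copy of a rule dict with string-or-list fields in one shape."""
    out = dict(rule)
    for key in scalar_keys:
        value = out.get(key)
        if isinstance(value, (list, tuple)):
            if not value:
                out[key] = None          # empty list means "no profile set"
            elif len(value) == 1:
                out[key] = value[0]      # ["strict"] and "strict" compare equal
            else:
                out[key] = list(value)   # several entries: keep, so it shows as drift
    return out


def rule_drift(saved, current, scalar_keys=SCALAR_KEYS):
    """Map each differing key to (saved, current); an empty dict means no drift."""
    a = normalize_rule(saved, scalar_keys)
    b = normalize_rule(current, scalar_keys)
    return {k: (a.get(k), b.get(k))
            for k in sorted(set(a) | set(b)) if a.get(k) != b.get(k)}


class FilterModule(object):
    """Playbook usage: {{ saved_rule | rule_drift(gathered_rule) }}"""

    def filters(self):
        return {"rule_drift": rule_drift}


# Constructed sample data, not output captured from a real firewall.
SAVED = {"rule_name": "allow-web", "action": "allow", "group_profile": "strict"}
GATHERED = {"rule_name": "allow-web", "action": "allow", "group_profile": ["strict"]}
TAMPERED = dict(GATHERED, action="deny")

if __name__ == "__main__":
    print(rule_drift(SAVED, GATHERED))   # type difference alone is not drift
    print(rule_drift(SAVED, TAMPERED))   # a manual change is still reported
```

Reporting the differing keys, rather than a bare boolean from `==`, lets the deprovision role log exactly which field was changed before it refuses to delete the rule.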