PaloAltoNetworks/pan-os-ansible

"state: merged" merges default values in with existing ones

Opened this issue · 0 comments

Describe the bug

Disclaimer: It's possible that this is less a bug and more a disagreement as to how the merge state SHOULD work. Nevertheless:

If I want to update an existing security rule, say add a tag, unless I explicitly supply values (or blank), ansible will merge in default values (ex. ['any']) with the existing rule properties (ex. source_ip)

Expected behavior

When using state: merge, I expect it to work like a REST PATCH operation, where I only supply the parameters I want to change. If I have to supply all the parameters anyway, I might just as well use state: replaced (?)

Current behavior

There seem to be default values for each parameter type. These are submitted with the task regardless of whether the existing security rule already has values for the given parameter. In my case I ended up with a rule that had both explicit address objects AND "any" in the source_ip field. This configuration is (thankfully) not possible to commit.

Possible solution

Make merge NOT use default values for parameters that already have values set in Panorama
OR
Create a new state, akin to patch

Steps to reproduce

Create a security rule and populate source IP with an address object.
Try to add a tag to the rule with a task like this

- name: "Tag filtered rules with delete-rule"
  paloaltonetworks.panos.panos_security_rule:
    provider: "{{ provider }}"
    state: merged
    device_group: "{{ device_group }}"
    rulebase: "{{ rulebase }}"
    rule_name: "{{ rule }}"
    tag_name: "{{ tag_name }}"

This would result in Source IP containing both the address object AND "any"
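The two merge semantics contrasted in this issue, as an added illustration that is not code from pan-os-ansible or the reporter: a merge that submits a default for every parameter the task omitted (which, unioned with stored members, reproduces the "address object AND any" result), beside a PATCH-style merge that only touches supplied parameters. The default values, rule fields and sample rule are constructed for the example; the real collection's defaults are not reproduced here. A small pre-commit check flags list fields that mix "any" with explicit members, the state PAN-OS refuses to commit.

```python
"""Model of 'merge with defaults' vs 'patch-style merge' for a security rule.
Illustrative only; the field names and defaults below are assumptions,
not the pan-os-ansible collection's own code or values."""
from copy import deepcopy

# Hypothetical per-parameter defaults for list-typed rule fields.
DEFAULTS = {
    "source_ip": ["any"],
    "destination_ip": ["any"],
    "application": ["any"],
    "service": ["application-default"],
    "tag_name": [],
}


def _union(current, new):
    """Append members of `new` not already present, preserving order."""
    return current + [v for v in new if v not in current]


def merge_with_defaults(existing, supplied):
    """Behaviour described in the issue: every parameter is submitted, and a
    parameter the task did not set falls back to its default, which is then
    unioned with whatever the stored rule already holds."""
    merged = deepcopy(existing)
    for key, default in DEFAULTS.items():
        merged[key] = _union(merged.get(key, []), supplied.get(key, default))
    return merged


def merge_patch_style(existing, supplied):
    """PATCH-like behaviour the reporter expects: only parameters explicitly
    supplied by the task are merged; all other fields stay exactly as stored."""
    merged = deepcopy(existing)
    for key, new in supplied.items():
        merged[key] = _union(merged.get(key, []), new)
    return merged


def find_any_conflicts(rule):
    """Sanity check before commit: list fields where 'any' sits alongside
    explicit members, a combination PAN-OS will not accept."""
    return sorted(
        key for key, value in rule.items()
        if isinstance(value, list) and "any" in value and len(value) > 1
    )


# Constructed sample: a rule whose source is one address object and which
# has no tags yet; the task only wants to add a tag.
EXISTING_RULE = {
    "rule_name": "allow-web",
    "source_ip": ["srv-web-01"],
    "destination_ip": ["any"],
    "application": ["any"],
    "service": ["application-default"],
    "tag_name": [],
}
TASK_PARAMS = {"tag_name": ["delete-rule"]}

if __name__ == "__main__":
    bad = merge_with_defaults(EXISTING_RULE, TASK_PARAMS)
    good = merge_patch_style(EXISTING_RULE, TASK_PARAMS)
    print("with defaults:", bad["source_ip"], "conflicts:", find_any_conflicts(bad))
    print("patch style:  ", good["source_ip"], "conflicts:", find_any_conflicts(good))
```

Running the module shows the first strategy producing `['srv-web-01', 'any']` in `source_ip` (flagged by the conflict check) while the second leaves `source_ip` untouched and only adds the tag; the check itself is the kind of guard a playbook could run before attempting a commit.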

Context

I'm trying to add a tag to a rule, and having to worry about unrelated parameters needlessly complicates this task. It means that I need to have an opinion on rule properties that I'm not planning on changing. It also means that if somewhere down the line a new parameter is introduced, all existing tasks must be updated to include this.

Your Environment

  • Collection: 2.20.0
  • Python: 3.10.12
  • Ansible: core 2.14.2
  • PAN-OS Python Library & version (e.g. pandevice 0.14.0, pan-os-python 1.0.2): pan-os-python 1.11.0, pan-python 0.17.0