panos_device_group module removes the existing objects and is not idempotent #615

Open
@mhca99

Describe the bug

We are creating a device group and then creating tag objects in the device group with Ansible. On the first play run they are both created successfully; however, on subsequent runs, the device group creation task removes all the previously created tags from the device group, and if the next immediate task fails for some reason, the device group is left with no previously created tags until the next task, "tags creation", is resumed and creates the tags in that particular device group.

Expected behavior

The device group task with "panos_device_group" should be idempotent, and it should not remove any objects from the device group, as this task was only supposed to create the device group.

Current behavior

The device group task with "panos_device_group" deletes the previously created tag objects.

Possible solution

Steps to reproduce

- name: Palo Alto test
  hosts: panorama_dev
  connection: local

  collections:
    - paloaltonetworks.panos
  vars:
    panos_admin: admin
    panos_password: giveyourpass

    policy_tags:
      - name: "internal_to_external"
        device_group: "test_dg"
        color: "blue"
      - name: "internal_to_external_ssh"
        device_group: "test_dg"
        color: "red"

    provider:
      ip_address: "{{ansible_host}}"
      username: "{{panos_admin}}"
      password: "{{panos_password}}"

  tasks: 

    - name: Create device group
      paloaltonetworks.panos.panos_device_group:
        provider: '{{ provider }}'
        name: "test_dg"

    - name: Pause to check the device group objects status if they are vanished
      ansible.builtin.pause:
        prompt: |
          Verify if tags in device group are present or gone and then press Enter
          On first run they will not be there
          On second run they will be removed by the previous task 

    - name: Create tag object
      paloaltonetworks.panos.panos_tag_object:
        provider: "{{ provider }}"
        name: "{{ item.name }}"
        device_group: "{{ item.device_group }}"
        color: "{{ item.color | default(omit) }}"
      loop: "{{ policy_tags }}"

    - name: commit candidate configs on panorama
      paloaltonetworks.panos.panos_commit_panorama:
        provider: '{{ provider }}'

1. Create the above playbook.
2. Execute it; it should create the device group and tags.
3. Execute it a second time, and during the run, before the next task is run, check the status of the device group; it should show that all the previously created tags are removed from it.
4. Hit Enter and resume the task; the next task should recreate all the removed tags.

Screenshots

Context

We are creating multiple device groups and tags to be used with security policies.

Your Environment

- Collection paloaltonetworks.panos: 2.21.4
- Panorama OS ver: 11.2.5
- Python: 3.12.3
- Ansible: 2.18.4
- pan-os-python: 1.12.1
- pan-python: 0.17.0
- pandevice: 0.14.0
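
The manual check at the pause step above can be automated by comparing two snapshots of the device group's configuration and listing every named object that disappeared. This is an added example, not code from the issue or from the paloaltonetworks.panos collection; both XML snippets are constructed, simplified samples (including the `color` values), and how the snapshots are exported from Panorama is left out.

```python
# Added example: detect objects dropped from a device group between two
# configuration snapshots. Both snippets are constructed sample data.
import xml.etree.ElementTree as ET

# Constructed snapshot taken after the first playbook run.
BEFORE = """<entry name="test_dg">
  <devices/>
  <tag>
    <entry name="internal_to_external"><color>color3</color></entry>
    <entry name="internal_to_external_ssh"><color>color1</color></entry>
  </tag>
</entry>"""

# Constructed snapshot taken at the pause step of the second run.
AFTER = """<entry name="test_dg">
  <devices/>
</entry>"""


def named_entries(dg_xml):
    """Return the set of paths of every named <entry> below the device group."""
    found = set()

    def walk(elem, path):
        for child in elem:
            name = child.get("name")
            here = f"{path}/{child.tag}" + (f"[{name}]" if name else "")
            if child.tag == "entry" and name:
                found.add(here)
            walk(child, here)  # nested containers (rules, profiles) are covered too

    root = ET.fromstring(dg_xml)
    walk(root, root.get("name", ""))
    return found


def removed_objects(before_xml, after_xml):
    """Objects present before the task ran and missing afterwards."""
    return sorted(named_entries(before_xml) - named_entries(after_xml))


if __name__ == "__main__":
    lost = removed_objects(BEFORE, AFTER)
    for path in lost:
        print("removed:", path)
    # A non-zero exit lets a pipeline stop before the candidate config is committed.
    raise SystemExit(1 if lost else 0)
```
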

Labels: bug
