Skip to content

feat(terraform): add panos_ip_tag resource and data source#728

Open
migara wants to merge 1 commit into
mainfrom
feat/panos-ip-tag
Open

feat(terraform): add panos_ip_tag resource and data source#728
migara wants to merge 1 commit into
mainfrom
feat/panos-ip-tag

Conversation

@migara

@migara migara commented Jun 12, 2026

Copy link
Copy Markdown
Member

Summary

Adds a custom resource and data source for PAN-OS dynamic IP-to-tag registration via the User-ID API. These registrations live in the firewall's User-ID table (runtime state), not the candidate config — so there is no commit and the resource is not importable (adopt by declaring and applying; registration is idempotent).

panos_ip_tag resource

  • Registers a managed set of tags against an IP. Non-destructive and idempotent — re-registering existing tags is a no-op, and tags it does not manage are never touched.
  • Real Update: registers added tags, unregisters removed tags; an IP change moves the managed tags from old to new.
  • Drift reconciliation: state holds only managed tags still present on the firewall; the resource is removed from state when none remain.
  • Three locations: vsys (NGFW), panorama (Panorama's own User-ID table), target_device (Panorama-managed firewall by serial).

panos_ip_tag data source

  • Single-IP lookup: given a location and ip, returns every tag currently registered on that IP (empty set if none).

Docs

  • Custom tfplugindocs templates carrying the drift-reconciliation walkthrough and the overlap-ownership limitation (the firewall has no refcount, so two resources owning the same IP+tag will interfere on delete).
  • Examples for all three resource locations and the data source.

Design note

The data source is a single-IP lookup rather than a filtered listing (ip/tag filters → entries + total). A listing shape isn't expressible in this codegen: a custom data source's model is fixed to the spec params, a fully hand-written data source can't be registered (the provider's DataSources() list is generated), and there's no datasource-only param override. The single-IP lookup is the codegen-native shape.

Testing

  • Unit (white-box Ginkgo): tag-set diff, register/unregister XML marshaling, paginated registered-ip response parsing + multi-page assembly.
  • Acceptance (TF_ACC, live-verified against Panorama): resource create → update-tags → delete with CheckDestroy, and the data-source read. Both passing live.

Notes for reviewers

A self-review surfaced several non-blocking cleanup/test-quality items to revisit in follow-ups (e.g. the live read path bypasses the unit-tested toMap/parseRegisteredIpResponse decode path; CheckDestroy doesn't paginate; dead tagFilter param; concrete *pango.Client vs the util.PangoClient convention). None affect correctness of the shipped behavior.

🤖 Generated with Claude Code

@migara @claude
feat(terraform): add panos_ip_tag resource and data source
240b0a2 
Add a custom resource and data source for PAN-OS dynamic IP-to-tag
registration via the User-ID API (op/user-id, no candidate config and
no commit).

Resource (panos_ip_tag):
- Registers a managed set of tags against an IP; non-destructive and
  idempotent (re-registering existing tags is a no-op).
- Real Update: registers added tags, unregisters removed tags; an IP
  change moves the managed tags. Tags not managed by the resource are
  never touched.
- Drift reconciliation stores only managed tags still present on the
  firewall; the resource is removed from state when none remain.
- Three locations: vsys (NGFW), panorama (Panorama's own User-ID
  table), and target_device (Panorama-managed firewall by serial).

Data source (panos_ip_tag):
- Single-IP lookup: given a location and ip, returns every tag
  currently registered on that IP (empty set if none).

Docs include the drift-reconciliation example and the overlap-ownership
limitation (the firewall has no refcount for registered tags).

Tested with white-box unit specs (tag-set diff, register/unregister
marshaling, paginated response parsing) and acceptance tests covering
the resource lifecycle + CheckDestroy and the data-source read, both
verified live against Panorama.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
@migara migara requested a review from kklimonda-cl June 12, 2026 00:51
kklimonda-cl
kklimonda-cl reviewed Jun 12, 2026
View reviewed changes
Comment thread specs/objects/ip-tag.yaml
- "config"
- "shared"
vars: []
- name: "target-device"

@kklimonda-cl kklimonda-cl Jun 12, 2026

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is this location specific for IP tags?

@migara migara Jun 12, 2026

Copy link
Copy Markdown
Member Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It's blanket implementation. No location. The spec location is dummy

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@kklimonda-cl kklimonda-cl kklimonda-cl left review comments

At least 1 approving review is required to merge this pull request.

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@migara @kklimonda-cl