Describe the bug
Attempting to create or modify an IKE gateway in a Panorama template, I get the following error:

```
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.paloalto_vpn.panos_ike_gateway.tunnel1, provider "provider[\"registry.terraform.io/paloaltonetworks/panos\"]" produced an unexpected new value:
│ .authentication: inconsistent values for sensitive attribute.
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
```
The above output is what I get if the variable is marked as sensitive.
If I mark the variable as not sensitive I get the following result (actual string values modified in the output):

```
│ Error: Provider produced inconsistent result after apply
│
│ When applying changes to module.paloalto_vpn.panos_ike_gateway.tunnel1, provider "provider[\"registry.terraform.io/paloaltonetworks/panos\"]" produced an unexpected new value:
│ .authentication.pre_shared_key.key: was cty.StringVal("plain-text-string-here"), but now cty.StringVal("-AQ==z20E-removed-hashed-strings-from-here-elqhUdQ=").
│
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
```

The IKE gateway is created, but Terraform stops with the above error.
Expected behavior
Creating and/or modifying the IKE gateway should work and the full Terraform run should succeed.
Current behavior
The Terraform run stops with the above error (or errors, if multiple IKE gateways are being created).
Possible problem cause
It seems Panorama stores a hash of the IKE pre-shared key, and Terraform is not able to compare that value with the configured one.
Steps to reproduce
The following Terraform code, using panos provider 2.0.4, produces this error when pushing to Panorama.
Panorama version 11.1.6-H10.
```hcl
resource "panos_ike_gateway" "tunnel2" {
  location = {
    template = {
      name = var.panorama_template
    }
  }
  name = "${var.vpn_name_prefix}-tunnel2-gw"
  local_address = {
    interface = var.local_interface
    ip        = var.customer_gateway_ip
  }
  peer_address = {
    ip = var.tunnel2_peer_ip
  }
  authentication = {
    pre_shared_key = {
      key = var.pre_shared_key
    }
  }
  local_id = {
    type = "ipaddr"
    id   = var.customer_gateway_ip
  }
  peer_id = {
    type = "ipaddr"
    id   = var.tunnel2_peer_ip
  }
  protocol = {
    version = "ikev2"
    ikev2 = {
      ike_crypto_profile = panos_ike_crypto_profile.aws_ike_profile.name
    }
  }
}
```
Probably not relevant, but the referenced crypto profile is created with:

```hcl
# IPSec Crypto Profile
resource "panos_ipsec_crypto_profile" "aws_ipsec_profile" {
  location = {
    template = {
      name = var.panorama_template
    }
  }
  name = "${var.vpn_name_prefix}-ipsec"
  esp = {
    authentication = [var.tunnel_phase2_integrity_algorithm]
    encryption     = [var.tunnel_phase2_encryption_algorithm]
  }
  dh_group = "group${var.dh_group}"
  lifetime = {
    seconds = var.tunnel_phase2_lifetime_seconds
  }
}
```
The used variables are not relevant, anything can be used to replicate the problem.
Context
Trying to create a full IPsec tunnel configuration between AWS and Palo Alto firewalls.
NOTE: Tested panos provider version 1.11.1, and there we don't have the same issue.
Your Environment
Panorama version 11.1.6-H10.

```
Terraform v1.12.2
on darwin_arm64
- provider registry.terraform.io/hashicorp/aws v5.100.0
- provider registry.terraform.io/paloaltonetworks/panos v2.0.4
```
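The failure mode reported above is a general one for any Terraform provider that manages a secret the backend stores in an encrypted or hashed form: Terraform requires the value a provider writes to state after apply to equal the planned value, so a provider that blindly copies the device's read-back form into state trips the consistency check. The Go snippet below is an added illustration of that check and of the usual provider-side remedy (keep the planned plaintext in state when the device echoes an opaque form); it is not code from the panos provider, and the `-AQ==` prefix test and both sample strings are assumptions modelled on the output in this report.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed sample values modelled on the report: the configured key and the
// opaque form Panorama hands back on read (contents shortened by the reporter).
const (
	configuredKey  = "plain-text-string-here"
	panoramaStored = "-AQ==z20E-removed-hashed-strings-from-here-elqhUdQ="
)

// isOpaqueSecret reports whether a value read back from the device looks like an
// encrypted-at-rest secret rather than the plaintext the operator configured.
// Assumption: such values start with "-AQ==", as the string in the report does.
func isOpaqueSecret(v string) bool {
	return strings.HasPrefix(v, "-AQ==")
}

// reconcileSecret decides what a provider should write to state after apply.
// If the device echoes an opaque form and we have a planned plaintext, keep the
// planned value so state matches the plan; otherwise trust the device value
// (for example when importing, where no planned plaintext exists).
func reconcileSecret(planned, readBack string) string {
	if isOpaqueSecret(readBack) && planned != "" {
		return planned
	}
	return readBack
}

// checkPlanConsistency mirrors Terraform core's post-apply rule: the value the
// provider stores must equal the value it planned, or apply fails with
// "Provider produced inconsistent result after apply".
func checkPlanConsistency(attr, planned, newState string) error {
	if planned != newState {
		return fmt.Errorf("%s: was %q, but now %q", attr, planned, newState)
	}
	return nil
}

func main() {
	attr := ".authentication.pre_shared_key.key"

	// Naive provider: copies whatever the device returned into state.
	if err := checkPlanConsistency(attr, configuredKey, panoramaStored); err != nil {
		fmt.Println("naive provider:", err)
	}

	// Reconciling provider: keeps the planned secret, so the check passes.
	state := reconcileSecret(configuredKey, panoramaStored)
	if err := checkPlanConsistency(attr, configuredKey, state); err == nil {
		fmt.Println("reconciling provider: state consistent with plan")
	}
}
```

The trade-off of this pattern is that the provider can no longer detect out-of-band changes to the key on the device, since the stored hash is not comparable to the plaintext; providers usually accept that and rely on the operator changing the configured value to force a rewrite.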