feat(specs): Add new security and device profile specs #719

Open

repl-dheeraj-v wants to merge 3 commits into PaloAltoNetworks:main from repl-dheeraj-v:feature/new-security-profiles
Conversation

@repl-dheeraj-v repl-dheeraj-v commented Apr 15, 2026

  • Add data_filtering_security_profile spec with vsys and template locations
  • Add decryption_profile spec (ssl-inbound-proxy element, correct field names)
  • Add snmp_trap_profile spec with v2c/v3 variant support
  • Add email_server_profile spec matching syslog profile structure
  • Add administrator spec with correct permissions/role-based XML structure
  • Fix pango error parser to surface raw Panorama response when msg is empty

Description

Adds five new codegen specs for Terraform provider resources that were missing from the v2 provider, plus a bug fix in the pango error handler.

New Resources

┌─────────────────────────────────┬───────────────────────────────────────┬──────────────────────────────────────────────────────┐
│ Resource                        │ Suffix                                │ Location                                             │
├─────────────────────────────────┼───────────────────────────────────────┼──────────────────────────────────────────────────────┤
│ Data Filtering Security Profile │ panos_data_filtering_security_profile │ shared, vsys, device-group, template, template-stack │
│ Decryption Profile              │ panos_decryption_profile              │ shared, vsys, device-group                           │
│ SNMP Trap Server Profile        │ panos_snmp_trap_profile               │ panorama, vsys, template, template-stack             │
│ Email Server Profile            │ panos_email_server_profile            │ panorama, vsys, template, template-stack             │
│ Administrator                   │ panos_administrator                   │ panorama, template, template-stack                   │
└─────────────────────────────────┴───────────────────────────────────────┴──────────────────────────────────────────────────────┘

Bug Fix — pango error parser (assets/pango/errors/panos.go)

When Panorama returns an error response with an empty or unparseable <msg> element, errors.Parse() previously returned an empty string, causing Terraform to display "failed to create entry on the server: " with no detail. The fix falls back to embedding the raw XML response body in the error so the actual rejection reason is always visible without needing PANOS_LOG_LEVEL=DEBUG.

Motivation and Context

These resources exist in the v1 provider but were not yet available in v2. They are required to manage common PAN-OS security and device configurations via Terraform, including SSL/TLS decryption profiles, DLP data filtering, log forwarding via SNMP/email, and administrator account lifecycle.

Key implementation notes:

  • Decryption profile: The SSL inbound inspection block uses the XML element ssl-inbound-proxy (not ssl-inbound-inspection as in older PAN-OS docs). Verified against PAN-OS 11.2.8 XML API.
  • Administrator: Role assignment uses the permissions/role-based/<role>yes</role> XML structure, not a flat role element. The disabled field is not valid in this context and was excluded.
  • Data filtering: Extended the existing partial spec to add vsys, template, template-vsys, template-stack, and template-stack-vsys locations for full NGFW and Panorama template support.

How Has This Been Tested?

  • Codegen run successfully against all new specs (go run cmd/codegen/main.go)
  • Generated provider tested against a live Panorama 11.2.8 instance:
    • panos_decryption_profile — forward proxy and inbound proxy profiles created at device-group scope
    • panos_administrator — superuser and superreader accounts created via template
  • XML structure for each resource verified against reference Panorama config using show config running xpath ...

Types of Changes

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Breaking change (fix or feature that would cause existing functionality to change)

Checklist

  • I have updated the documentation accordingly.
  • I have read the CONTRIBUTING document.
  • I have added tests to cover my changes if appropriate.
  • All new and existing tests passed.
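Added example, not code from this PR or from pango: a small Go parser for PAN-OS XML API replies that shows the fallback the bug-fix section of the description talks about. The names Response, Extract and ParseError are this example's own, and the sample bodies are constructed after the shape of the rejections quoted in the test output later in this thread.

```go
package main

import (
	"bytes"
	"encoding/xml"
	"fmt"
	"strings"
)

// Response holds what this example extracts from a PAN-OS XML API reply:
// the status and code attributes of <response>, plus every non-empty text
// (or CDATA) run found anywhere under <msg>, however deeply nested.
// These names are this example's own, not pango's.
type Response struct {
	Status string
	Code   string
	Lines  []string
}

// Extract walks the XML token stream instead of unmarshalling into a fixed
// struct, because the device nests <line> inside <line> and wraps text in
// CDATA. On malformed XML it stops and keeps whatever it has parsed so far.
func Extract(body []byte) Response {
	var r Response
	dec := xml.NewDecoder(bytes.NewReader(body))
	inMsg := false
	for {
		tok, err := dec.Token()
		if err != nil {
			break // io.EOF or a syntax error: return what was recovered
		}
		switch t := tok.(type) {
		case xml.StartElement:
			switch t.Name.Local {
			case "response":
				for _, a := range t.Attr {
					switch a.Name.Local {
					case "status":
						r.Status = a.Value
					case "code":
						r.Code = a.Value
					}
				}
			case "msg":
				inMsg = true
			}
		case xml.EndElement:
			if t.Name.Local == "msg" {
				inMsg = false
			}
		case xml.CharData:
			if inMsg {
				if s := strings.TrimSpace(string(t)); s != "" {
					r.Lines = append(r.Lines, s)
				}
			}
		}
	}
	return r
}

// ParseError turns a reply body into a Go error. A success reply yields nil.
// When <msg> carries text, that text becomes the error. When <msg> is empty
// or the body could not be parsed, the raw body is embedded instead, so a
// rejection is never reported as an empty string.
func ParseError(body []byte) error {
	r := Extract(body)
	if r.Status == "success" {
		return nil
	}
	if len(r.Lines) == 0 {
		return fmt.Errorf("failed to create entry on the server: (raw response: %s)",
			strings.TrimSpace(string(body)))
	}
	return fmt.Errorf("failed to create entry on the server: code %s: %s",
		r.Code, strings.Join(r.Lines, " | "))
}

func main() {
	// Constructed sample: an empty <msg>, the case the fix targets.
	empty := []byte(`<response status="error" code="12"><msg></msg></response>`)
	fmt.Println(ParseError(empty))
}
```

The token walk is what makes the nested `<line><line><![CDATA[...]]></line>...</line>` layout harmless: any text under `<msg>` is collected regardless of depth, and only when nothing at all is found does the raw body get embedded.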

@repl-dheeraj-v
Author

@migara can you please review? The Terraform provider was generated from this and was tested against our configuration.

repl-dheeraj-v and others added 2 commits April 20, 2026 10:57
- Add data_filtering_security_profile spec with vsys and template locations
- Add decryption_profile spec (ssl-inbound-proxy element, correct field names)
- Add snmp_trap_profile spec with v2c/v3 variant support
- Add email_server_profile spec matching syslog profile structure
- Add administrator spec with correct permissions/role-based XML structure
- Fix pango error parser to surface raw Panorama response when msg is empty

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
…ltering resource

- Rename panos_data_filtering_profile → panos_data_filtering_security_profile in example
- Add example for panos_decryption_profile
- Add example for panos_snmp_trap_profile
- Add example for panos_email_server_profile
- Add example for panos_administrator

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
@repl-dheeraj-v repl-dheeraj-v force-pushed the feature/new-security-profiles branch from 51ef603 to 002f802 Compare April 20, 2026 05:29
@repl-dheeraj-v
Author

@migara verified the workflow is passing on my fork repl-dheeraj-v#1

@migara migara requested a review from kklimonda-cl April 21, 2026 09:34
Contributor

@kklimonda-cl kklimonda-cl left a comment

Thanks for the PR,

I've started the review, but there are quite a few differences between your YAML specs and what I get internally for those XPaths, so I'll have to spend some time understanding where the differences are coming from, and what can be pulled in (definitely all descriptions, as those are something we are always in short supply of!).

See my inline comments for some questions I have.

I'll be back on the 4th of May, work on adding tests to all those resources and verifying those differences, and get back to you.

Comment thread assets/pango/errors/panos.go
name: password
sensitive: true
hashing:
  type: solo
Contributor

Is the password actually hashed by the device? I believe we need to have a separate hasher that does hashing first and then sends a hashed password to the device.

When you open your terraform tfstate file and look for the resource, it should have a private key with a base64 encoded value, and that value has another base64 encoded value under the "encrypted_values" key. If the value for the password there is plaintext, then the device is not hashing the password and is expecting it to be hashed beforehand.

I have some code internally to get it working, but it's a part of a bigger change to our hashing codegen.

Author

Yes, upon decoding twice I see the password is being passed in this format {"hashing_type":"solo","plaintext":""}. The password is blank because we use LDAP with Active Directory. Do you think this limitation is going to affect us till the bigger change gets released @kklimonda-cl ?
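Added example, not code from this PR or from the provider, of the "decode twice" check described in the review comment above, in Go: it base64-decodes a resource instance's private value, then the base64 string under encrypted_values, and reports every {"hashing_type": ..., "plaintext": ...} object it finds, flagging those whose plaintext is non-empty. The names InspectPrivate, Finding and EncodePrivate are assumptions, as is the exact nesting inside encrypted_values (the thread does not spell it out), which is why the search is generic over nested JSON; the state value in main is constructed.

```go
package main

import (
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Finding describes one object under "encrypted_values" shaped like
// {"hashing_type": ..., "plaintext": ...}. PlaintextSet is true when the
// plaintext field is non-empty, i.e. the secret sits unhashed in the state.
type Finding struct {
	Path         string
	HashingType  string
	PlaintextSet bool
}

// InspectPrivate decodes the instance's "private" value, takes the base64
// string stored under "encrypted_values", decodes that too, and searches the
// resulting JSON for hashing-typed objects. The nesting inside
// encrypted_values is an assumption of this example, so the walk is generic.
func InspectPrivate(private string) ([]Finding, error) {
	outer, err := base64.StdEncoding.DecodeString(private)
	if err != nil {
		return nil, fmt.Errorf("decode private: %w", err)
	}
	var wrapper map[string]json.RawMessage
	if err := json.Unmarshal(outer, &wrapper); err != nil {
		return nil, fmt.Errorf("private is not a JSON object: %w", err)
	}
	raw, ok := wrapper["encrypted_values"]
	if !ok {
		return nil, errors.New(`private has no "encrypted_values" key`)
	}
	var innerB64 string
	if err := json.Unmarshal(raw, &innerB64); err != nil {
		return nil, fmt.Errorf("encrypted_values is not a base64 string: %w", err)
	}
	inner, err := base64.StdEncoding.DecodeString(innerB64)
	if err != nil {
		return nil, fmt.Errorf("decode encrypted_values: %w", err)
	}
	var doc interface{}
	if err := json.Unmarshal(inner, &doc); err != nil {
		return nil, fmt.Errorf("encrypted_values payload is not JSON: %w", err)
	}
	var out []Finding
	walk("", doc, &out)
	return out, nil
}

// walk visits objects and arrays; an object carrying both "hashing_type" and
// "plaintext" string fields is recorded as a Finding and not descended into.
func walk(path string, v interface{}, out *[]Finding) {
	switch t := v.(type) {
	case map[string]interface{}:
		ht, hasHT := t["hashing_type"].(string)
		pt, hasPT := t["plaintext"].(string)
		if hasHT && hasPT {
			*out = append(*out, Finding{Path: path, HashingType: ht, PlaintextSet: pt != ""})
			return
		}
		for k, child := range t {
			walk(joinPath(path, k), child, out)
		}
	case []interface{}:
		for i, child := range t {
			walk(fmt.Sprintf("%s[%d]", path, i), child, out)
		}
	}
}

func joinPath(base, key string) string {
	if base == "" {
		return key
	}
	return base + "." + key
}

// EncodePrivate builds a constructed "private" value in the layout assumed
// above; it exists only to produce sample input for this example.
func EncodePrivate(encryptedValuesJSON string) string {
	innerB64 := base64.StdEncoding.EncodeToString([]byte(encryptedValuesJSON))
	wrapper, _ := json.Marshal(map[string]string{"encrypted_values": innerB64})
	return base64.StdEncoding.EncodeToString(wrapper)
}

func main() {
	// Constructed sample: a password whose plaintext is present in the state.
	private := EncodePrivate(`{"password":{"hashing_type":"solo","plaintext":"example-secret"}}`)
	findings, err := InspectPrivate(private)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	for _, f := range findings {
		fmt.Printf("%s: hashing_type=%s plaintext_present=%v\n", f.Path, f.HashingType, f.PlaintextSet)
	}
}
```

Run against a real state file, the interesting result is a Finding with PlaintextSet true: that is the case the reviewer describes, where the device expects a pre-hashed value and the state is holding the secret itself.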

kklimonda-cl commented May 7, 2026

@repl-dheeraj-v I've pushed a separate branch with your changes and tests for enum values - there is a large difference between what enum values I get from our schema and what is in this PR, and on my test devices some of your values are failing

If you have access to a Panorama device, can you check out branch feat-specs-email-snmptrap-decryption-profiles and run those tests against it:

TESTARGS="-run 'TestAccEmailServerProfile|TestAccSnmptrapProfile|TestAccDecryptionProfile'" make test/terraform-acc

and report back what is passing/failing with error messages?

You can create Makefile.local next to Makefile with environment variables that describe your device:

PANOS_HOSTNAME=[hostname]
PANOS_USERNAME=[user]
PANOS_PASSWORD=[password]
PANOS_USE_CREDENTIALS=true

If you can't test it I'll just go with the values I'm getting from the schema, adding what I have:

Removed:

┌──────────┬──────────────────┬────────────────────┐
│ Resource │  PR enum value   │       Status       │
├──────────┼──────────────────┼────────────────────┤
│ Email    │ tls-version 1.0  │ Rejected by device │
├──────────┼──────────────────┼────────────────────┤
│ SNMP     │ authproto MD5    │ Rejected by device │
├──────────┼──────────────────┼────────────────────┤
│ SNMP     │ privproto AES128 │ Rejected by device │
├──────────┼──────────────────┼────────────────────┤
│ SNMP     │ privproto DES    │ Rejected by device │
└──────────┴──────────────────┴────────────────────┘

Added:

┌──────────┬─────────────┬────────────────────────────────────┐
│ Resource │    Enum     │  Values in our spec but not in PR  │
├──────────┼─────────────┼────────────────────────────────────┤
│ Email    │ protocol    │ SMTP, TLS                          │
├──────────┼─────────────┼────────────────────────────────────┤
│ SNMP     │ authproto   │ SHA-224, SHA-256, SHA-384, SHA-512 │
├──────────┼─────────────┼────────────────────────────────────┤
│ SNMP     │ privproto   │ AES, AES-192, AES-256              │
└──────────┴─────────────┴────────────────────────────────────┘

@repl-dheeraj-v
Author

Ran the tests

dheeraj-v@IN100197:/mnt/c/Users/dheeraj.v/Documents/Workspace/pan-os-codegen$ TESTARGS="-run 'TestAccEmailServerProfile|TestAccSnmptrapProfile|TestAccDecryptionProfile'" make test/terraform-acc
=== RUN   TestAccDecryptionProfile_Basic
=== PAUSE TestAccDecryptionProfile_Basic
=== RUN   TestAccDecryptionProfile_SshProxy
=== PAUSE TestAccDecryptionProfile_SshProxy
=== RUN   TestAccDecryptionProfile_SslInboundProxy
=== PAUSE TestAccDecryptionProfile_SslInboundProxy
=== RUN   TestAccDecryptionProfile_SslNoProxy
=== PAUSE TestAccDecryptionProfile_SslNoProxy
=== RUN   TestAccDecryptionProfile_SslProtocolSettings_Versions
=== PAUSE TestAccDecryptionProfile_SslProtocolSettings_Versions
=== RUN   TestAccDecryptionProfile_SslProtocolSettings_LegacyVersions
=== PAUSE TestAccDecryptionProfile_SslProtocolSettings_LegacyVersions
=== RUN   TestAccEmailServerProfile_Basic
=== PAUSE TestAccEmailServerProfile_Basic
=== RUN   TestAccEmailServerProfile_Protocol_TLS
=== PAUSE TestAccEmailServerProfile_Protocol_TLS
=== RUN   TestAccEmailServerProfile_MultipleServers
=== PAUSE TestAccEmailServerProfile_MultipleServers
=== RUN   TestAccEmailServerProfile_TlsVersion_1_0
=== PAUSE TestAccEmailServerProfile_TlsVersion_1_0
=== RUN   TestAccSnmptrapProfile_Basic_V2c
=== PAUSE TestAccSnmptrapProfile_Basic_V2c
=== RUN   TestAccSnmptrapProfile_Basic_V3
=== PAUSE TestAccSnmptrapProfile_Basic_V3
=== RUN   TestAccSnmptrapProfile_V3_AuthProto_SHA224
=== PAUSE TestAccSnmptrapProfile_V3_AuthProto_SHA224
=== RUN   TestAccSnmptrapProfile_V3_AuthProto_SHA384
=== PAUSE TestAccSnmptrapProfile_V3_AuthProto_SHA384
=== RUN   TestAccSnmptrapProfile_V3_AuthProto_SHA512
=== PAUSE TestAccSnmptrapProfile_V3_AuthProto_SHA512
=== RUN   TestAccSnmptrapProfile_V3_Legacy_MD5
=== PAUSE TestAccSnmptrapProfile_V3_Legacy_MD5
=== RUN   TestAccSnmptrapProfile_V3_Legacy_AES128
=== PAUSE TestAccSnmptrapProfile_V3_Legacy_AES128
=== CONT  TestAccDecryptionProfile_Basic
=== CONT  TestAccEmailServerProfile_TlsVersion_1_0
=== CONT  TestAccDecryptionProfile_SslProtocolSettings_LegacyVersions
=== CONT  TestAccSnmptrapProfile_V3_Legacy_AES128
=== CONT  TestAccDecryptionProfile_SslNoProxy
=== CONT  TestAccEmailServerProfile_Protocol_TLS
=== CONT  TestAccSnmptrapProfile_V3_AuthProto_SHA384
=== CONT  TestAccDecryptionProfile_SslProtocolSettings_Versions
=== NAME  TestAccDecryptionProfile_SslProtocolSettings_LegacyVersions
    resource_decryption_profile_test.go:428: Step 1/1 error: Error running apply: exit status 1

        Error: Error in create

          with panos_decryption_profile.example,
          on terraform_plugin_test.tf line 23, in resource "panos_decryption_profile" "example":
          23: resource "panos_decryption_profile" "example" {

        failed to create entry on the server: (raw response: <response status="error"
        code="12"><msg><line><line><![CDATA[ profiles -> decryption ->
        test-acc-7paqsb -> ssl-protocol-settings -> min-version 'sslv3' is not an
        allowed keyword]]></line><line><![CDATA[ profiles -> decryption ->
        test-acc-7paqsb -> ssl-protocol-settings -> min-version is
        invalid]]></line></line></msg></response>)
=== NAME  TestAccSnmptrapProfile_V3_Legacy_AES128
    resource_snmptrap_profile_test.go:567: Step 1/1 error: Error running apply: exit status 1

        Error: Error in create

          with panos_snmptrap_profile.example,
          on terraform_plugin_test.tf line 23, in resource "panos_snmptrap_profile" "example":
          23: resource "panos_snmptrap_profile" "example" {

        failed to create entry on the server: (raw response: <response status="error"
        code="12"><msg><line><line><![CDATA[ shared -> log-settings -> snmptrap ->
        test-acc-87292g -> version -> v3 -> server -> aes128-server -> privproto
        'AES128' is not an allowed keyword]]></line><line><![CDATA[ shared ->
        log-settings -> snmptrap -> test-acc-87292g -> version -> v3 -> server ->
        aes128-server -> privproto is invalid]]></line></line></msg></response>)
=== NAME  TestAccEmailServerProfile_TlsVersion_1_0
    resource_email_server_profile_test.go:482: Step 1/1 error: Error running apply: exit status 1

        Error: Error in create

          with panos_email_server_profile.example,
          on terraform_plugin_test.tf line 23, in resource "panos_email_server_profile" "example":
          23: resource "panos_email_server_profile" "example" {

        failed to create entry on the server: (raw response: <response status="error"
        code="12"><msg><line><line><![CDATA[ shared -> log-settings -> email ->
        test-acc-gvws1d -> server -> tls10-server -> tls-version '1.0' is not an
        allowed keyword]]></line><line><![CDATA[ shared -> log-settings -> email ->
        test-acc-gvws1d -> server -> tls10-server -> tls-version is
        invalid]]></line></line></msg></response>)
--- FAIL: TestAccDecryptionProfile_SslProtocolSettings_LegacyVersions (5.59s)
=== CONT  TestAccSnmptrapProfile_Basic_V3
--- FAIL: TestAccSnmptrapProfile_V3_Legacy_AES128 (5.72s)
=== CONT  TestAccSnmptrapProfile_V3_AuthProto_SHA224
--- FAIL: TestAccEmailServerProfile_TlsVersion_1_0 (5.86s)
=== CONT  TestAccEmailServerProfile_Basic
--- PASS: TestAccEmailServerProfile_Protocol_TLS (9.50s)
=== CONT  TestAccEmailServerProfile_MultipleServers
--- PASS: TestAccDecryptionProfile_SslNoProxy (9.62s)
=== CONT  TestAccSnmptrapProfile_V3_Legacy_MD5
--- PASS: TestAccDecryptionProfile_SslProtocolSettings_Versions (9.84s)
=== CONT  TestAccSnmptrapProfile_V3_AuthProto_SHA512
--- PASS: TestAccDecryptionProfile_Basic (10.49s)
--- PASS: TestAccSnmptrapProfile_V3_AuthProto_SHA384 (10.49s)
=== CONT  TestAccSnmptrapProfile_Basic_V2c
=== CONT  TestAccDecryptionProfile_SslInboundProxy
=== NAME  TestAccSnmptrapProfile_V3_AuthProto_SHA224
    resource_snmptrap_profile_test.go:288: Step 1/1 error: Error running apply: exit status 1

        Error: Error in create

          with panos_snmptrap_profile.example,
          on terraform_plugin_test.tf line 23, in resource "panos_snmptrap_profile" "example":
          23: resource "panos_snmptrap_profile" "example" {

        failed to create entry on the server: (raw response: <response status="error"
        code="12"><msg><line><line><![CDATA[ shared -> log-settings -> snmptrap ->
        test-acc-vuuosh -> version -> v3 -> server -> sha224-server -> authproto
        'SHA-224' is invalid. Please configure a stronger Authentication
        Protocol.]]></line><line><![CDATA[ shared -> log-settings -> snmptrap ->
        test-acc-vuuosh -> version -> v3 -> server -> sha224-server -> authproto is
        invalid]]></line></line></msg></response>)
--- FAIL: TestAccSnmptrapProfile_V3_AuthProto_SHA224 (7.37s)
=== CONT  TestAccDecryptionProfile_SshProxy
=== NAME  TestAccSnmptrapProfile_V3_Legacy_MD5
    resource_snmptrap_profile_test.go:495: Step 1/1 error: Error running apply: exit status 1

        Error: Error in create

          with panos_snmptrap_profile.example,
          on terraform_plugin_test.tf line 23, in resource "panos_snmptrap_profile" "example":
          23: resource "panos_snmptrap_profile" "example" {

        failed to create entry on the server: (raw response: <response status="error"
        code="12"><msg><line><line><![CDATA[ shared -> log-settings -> snmptrap ->
        test-acc-c9aoz9 -> version -> v3 -> server -> md5-server -> authproto 'MD5'
        is not an allowed keyword]]></line><line><![CDATA[ shared -> log-settings ->
        snmptrap -> test-acc-c9aoz9 -> version -> v3 -> server -> md5-server ->
        authproto is invalid]]></line></line></msg></response>)
--- FAIL: TestAccSnmptrapProfile_V3_Legacy_MD5 (6.02s)
--- PASS: TestAccEmailServerProfile_Basic (10.07s)
--- PASS: TestAccSnmptrapProfile_Basic_V3 (10.64s)
--- PASS: TestAccSnmptrapProfile_V3_AuthProto_SHA512 (9.22s)
--- PASS: TestAccEmailServerProfile_MultipleServers (9.79s)
--- PASS: TestAccDecryptionProfile_SslInboundProxy (9.11s)
--- PASS: TestAccSnmptrapProfile_Basic_V2c (9.39s)
--- PASS: TestAccDecryptionProfile_SshProxy (9.14s)
FAIL
FAIL    github.com/PaloAltoNetworks/terraform-provider-panos/test       22.255s

SHA-224 got rejected

@repl-dheeraj-v
Author

@kklimonda-cl any new comments or concerns?
