default vr is created and assigned when configuring interfaces without vr

[Nothing4You]

Describe the bug

Running the panos_interface module and its related modules like panos_aggregate_interface for the first time creates a default vr, which gets associated with the interface.
It also causes the task to always be changed on every run.

Expected behavior

Virtual routers should be optional in Ansible when they're not required by the firewall.
A virtual router does not need to be specified (web shows None) to obtain a valid configuration when creating this configuration outside of Ansible.

Current behavior

See description.

Possible solution

I don't think it's safe to skip the vr assignment when vr_name is set to an empty string (equivalent to None when passed to the module) without breaking backwards compatibility.
I'm not sure if there's a good solution for this other than exposing this through a new parameter to explicitly not assign it to a vr.

Steps to reproduce

- name: Gather VRs
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"

- name: Create interface
  paloaltonetworks.panos.panos_interface:
    provider: "{{ provider }}"
    enable_dhcp: false
    if_name: ethernet1/5
    mode: layer3
    state: present
    vr_name: ""
    commit: false
  diff: true

- name: Gather VRs again
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers again
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"

- name: Create interface
  paloaltonetworks.panos.panos_interface:
    provider: "{{ provider }}"
    enable_dhcp: false
    if_name: ethernet1/5
    mode: layer3
    state: present
    vr_name: ""
    commit: false
  diff: true

- name: Gather VRs again again
  paloaltonetworks.panos.panos_virtual_router:
    provider: "{{ provider }}"
    gathered_filter: "*"
    state: gathered
  register: routers

- name: List routers again again
  ansible.builtin.debug:
    msg: "{{ routers.gathered | community.general.json_query('[].{key: name, value: interface}') | ansible.builtin.items2dict }}"

Screenshots

Context

I'm trying to create an interface without vr assignment.
This interface will have subinterfaces on vlans with associated virtual routers, but the parent interface should not have a vr assigned.

I could not find a viable workaround for devices where the limit of virtual routers is already reached, as the entire task will fail due to it being unable to create a new default zone.

The only way to deal with this for now seems to be explicitly assigning the interfaces to a vr they don't really belong to.

Your Environment

• Collection: 2.19.1
• Python: 3.11.6
• Ansible: core 2.16.2
• PAN-OS Python Library & version:
  • pan-os-python==1.11.0
  • pan-python==0.17.0

[horiagunica]

Hello @Nothing4You !

This isn't really a bug - as the default value of that variable is default :

    vr_name:
        description:
            - Name of the virtual router; it must already exist.
        type: str
        default: "default"

If I understand correctly - you are creating the interfaces and then using them within aggregates and then associating that aggregate to the VR?

[Nothing4You]

I'm trying to create an interface that only holds subinterfaces and is not used directly, as I'm not using untagged traffic.
The interface has therefore no IP and no traffic is routed there.
There is no need for a virtual router on this interface, only on the subinterfaces with VLAN tags.