WIP: feat(specs): Add panorama_firewall_device resource

assets/terraform/examples/resources/panos_qos_policy/import.sh

@@ -0,0 +1,16 @@
+# The entire QoS policy can be imported by providing the following base64 encoded object as the ID
+# {
+#     location = {
+#         device_group = {
+#         name = "example-device-group"
+#         rulebase = "pre-rulebase"
+#         panorama_device = "localhost.localdomain"
+#         }
+#     }
+#
+#
+#     names = [
+#         "qos-rule-1", <- the first rule in the policy
+#     ]
+# }
+terraform import panos_qos_policy.example $(echo '{"location":{"device_group":{"name":"example-device-group","panorama_device":"localhost.localdomain","rulebase":"pre-rulebase"}},"names":["qos-rule-1"]}' | base64)

assets/terraform/examples/resources/panos_qos_policy/resource.tf

@@ -0,0 +1,59 @@
+# Manages the entire QoS policy
+resource "panos_qos_policy" "example" {
+  location = {
+    device_group = {
+      name = panos_device_group.example.name
+    }
+  }
+
+  rules = [
+    {
+      name        = "qos-rule-1"
+      description = "QoS rule for high priority traffic"
+
+      source_zones          = ["trust"]
+      source_addresses      = ["any"]
+      destination_zones     = ["untrust"]
+      destination_addresses = ["any"]
+      applications          = ["ssl"]
+      services              = ["application-default"]
+
+      action = {
+        class = "4"
+      }
+
+      dscp_tos = {
+        codepoints = [
+          {
+            name = "ef-marking"
+            ef = {
+              codepoint = "ef"
+            }
+          }
+        ]
+      }
+    },
+    {
+      name = "qos-rule-2"
+
+      source_zones          = ["any"]
+      source_addresses      = ["any"]
+      destination_zones     = ["any"]
+      destination_addresses = ["any"]
+      applications          = ["any"]
+      services              = ["any"]
+
+      action = {
+        class = "1"
+      }
+    }
+  ]
+}
+
+resource "panos_device_group" "example" {
+  location = {
+    panorama = {}
+  }
+
+  name = "example-device-group"
+}

assets/terraform/examples/resources/panos_qos_policy_rules/import.sh

@@ -0,0 +1,18 @@
+# A set of QoS rules can be imported by providing the following base64 encoded object as the ID
+# {
+#     location = {
+#         device_group = {
+#         name = "example-device-group"
+#         rulebase = "pre-rulebase"
+#         panorama_device = "localhost.localdomain"
+#         }
+#     }
+#
+#     position = { where = "after", directly = true, pivot = "existing-rule" }
+#
+#     names = [
+#         "qos-rule-8",
+#         "qos-rule-9"
+#     ]
+# }
+terraform import panos_qos_policy_rules.example $(echo '{"location":{"device_group":{"name":"example-device-group","panorama_device":"localhost.localdomain","rulebase":"pre-rulebase"}},"names":["qos-rule-8","qos-rule-9"],"position":{"directly":true,"pivot":"existing-rule","where":"after"}}' | base64)

assets/terraform/examples/resources/panos_qos_policy_rules/resource.tf

@@ -0,0 +1,90 @@
+# Manage a group of QoS policy rules.
+
+## Place the rule group at the top
+resource "panos_qos_policy_rules" "example-1" {
+  location = {
+    device_group = {
+      name = panos_device_group.example.name
+    }
+  }
+
+  position = {
+    where = "first" # first, last, after, before
+  }
+
+  rules = [
+    {
+      name        = "qos-rule-1"
+      description = "High priority VoIP traffic"
+
+      source_zones          = ["trust"]
+      source_addresses      = ["any"]
+      destination_zones     = ["untrust"]
+      destination_addresses = ["any"]
+      applications          = ["sip", "h323"]
+      services              = ["application-default"]
+
+      action = {
+        class = "7"
+      }
+
+      dscp_tos = {
+        codepoints = [
+          {
+            name = "ef-marking"
+            ef = {
+              codepoint = "ef"
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
+
+## Place the rule group directly after an existing rule
+resource "panos_qos_policy_rules" "example-2" {
+  location = {
+    device_group = {
+      name = panos_device_group.example.name
+    }
+  }
+
+  position = { where = "after", directly = true, pivot = "existing-rule" }
+
+  rules = [for k in ["web", "database", "default"] :
+    {
+      name = "qos-${k}"
+
+      source_zones          = ["any"]
+      source_addresses      = ["any"]
+      destination_zones     = ["any"]
+      destination_addresses = ["any"]
+      applications          = ["any"]
+      services              = ["any"]
+
+      action = {
+        class = k == "web" ? "5" : k == "database" ? "4" : "1"
+      }
+
+      dscp_tos = {
+        codepoints = [
+          {
+            name = "${k}-codepoint"
+            af = {
+              codepoint = k == "web" ? "af21" : k == "database" ? "af31" : "af11"
+            }
+          }
+        ]
+      }
+    }
+  ]
+}
+
+resource "panos_device_group" "example" {
+  location = {
+    panorama = {}
+  }
+
+  name = "example-device-group"
+}

assets/terraform/test/resource_firewall_device_test.go

@@ -0,0 +1,165 @@
+package provider_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+func TestAccFirewallDevice_Basic(t *testing.T) {
+	t.Parallel()
+
+	// Generate a serial number matching PAN-OS format: 00 + 13 digits
+	suffix := acctest.RandStringFromCharSet(13, "0123456789")
+	serialNumber := fmt.Sprintf("00%s", suffix)
+
+	location := config.ObjectVariable(map[string]config.Variable{
+		"panorama": config.ObjectVariable(map[string]config.Variable{}),
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: firewallDevice_Basic_Tmpl,
+				ConfigVariables: map[string]config.Variable{
+					"serial_number": config.StringVariable(serialNumber),
+					"location":      location,
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("name"),
+						knownvalue.StringExact(serialNumber),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("auto_push"),
+						knownvalue.Bool(true),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("disable_config_backup"),
+						knownvalue.Bool(false),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("hostname"),
+						knownvalue.StringExact("fw.example.com"),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("ip"),
+						knownvalue.StringExact("192.0.2.1"),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("to_sw_version"),
+						knownvalue.StringExact("11.0.0"),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("vsys"),
+						knownvalue.Null(),
+					),
+				},
+			},
+		},
+	})
+}
+
+const firewallDevice_Basic_Tmpl = `
+variable "serial_number" { type = string }
+variable "location" { type = any }
+
+resource "panos_firewall_device" "example" {
+  location = var.location
+  name = var.serial_number
+
+  auto_push = true
+  disable_config_backup = false
+  hostname = "fw.example.com"
+  ip = "192.0.2.1"
+  to_sw_version = "11.0.0"
+}
+`
+
+func TestAccFirewallDevice_Vsys(t *testing.T) {
+	t.Parallel()
+
+	// Generate a serial number matching PAN-OS format: 00 + 13 digits
+	suffix := acctest.RandStringFromCharSet(13, "0123456789")
+	serialNumber := fmt.Sprintf("00%s", suffix)
+
+	location := config.ObjectVariable(map[string]config.Variable{
+		"panorama": config.ObjectVariable(map[string]config.Variable{}),
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: firewallDevice_Vsys_Tmpl,
+				ConfigVariables: map[string]config.Variable{
+					"serial_number": config.StringVariable(serialNumber),
+					"location":      location,
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("name"),
+						knownvalue.StringExact(serialNumber),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_firewall_device.example",
+						tfjsonpath.New("vsys"),
+						knownvalue.ListExact([]knownvalue.Check{
+							knownvalue.ObjectExact(map[string]knownvalue.Check{
+								"name": knownvalue.StringExact("vsys1"),
+								"tags": knownvalue.ListExact([]knownvalue.Check{
+									knownvalue.StringExact("tag1"),
+									knownvalue.StringExact("tag2"),
+								}),
+							}),
+							knownvalue.ObjectExact(map[string]knownvalue.Check{
+								"name": knownvalue.StringExact("vsys2"),
+								"tags": knownvalue.ListExact([]knownvalue.Check{
+									knownvalue.StringExact("tag3"),
+								}),
+							}),
+						}),
+					),
+				},
+			},
+		},
+	})
+}
+
+const firewallDevice_Vsys_Tmpl = `
+variable "serial_number" { type = string }
+variable "location" { type = any }
+
+resource "panos_firewall_device" "example" {
+  location = var.location
+  name = var.serial_number
+
+  vsys = [
+    {
+      name = "vsys1"
+      tags = ["tag1", "tag2"]
+    },
+    {
+      name = "vsys2"
+      tags = ["tag3"]
+    }
+  ]
+}
+`