PaloAltoNetworks · kklimonda-cl · Nov 24, 2025
diff --git a/assets/terraform/examples/resources/panos_password_profile/import.sh b/assets/terraform/examples/resources/panos_password_profile/import.sh
@@ -0,0 +1,12 @@
+# A password profile can be imported by providing the following base64 encoded object as the ID
+# {
+#   location = {
+#     template = {
+#       name            = "my-template"
+#       panorama_device = "localhost.localdomain"
+#     }
+#   }
+#
+#   name = "example-password-profile"
+# }
+terraform import panos_password_profile.example $(echo '{"location":{"template":{"name":"my-template","panorama_device":"localhost.localdomain"}},"name":"example-password-profile"}' | base64)
diff --git a/assets/terraform/examples/resources/panos_password_profile/resource.tf b/assets/terraform/examples/resources/panos_password_profile/resource.tf
@@ -0,0 +1,12 @@
+resource "panos_password_profile" "example" {
+  location = { template = { name = "my-template" } }
+
+  name = "example-password-profile"
+
+  password_change = {
+    expiration_period                  = 90
+    expiration_warning_period          = 7
+    post_expiration_admin_login_count  = 3
+    post_expiration_grace_period       = 5
+  }
+}
diff --git a/assets/terraform/test/resource_password_profile_test.go b/assets/terraform/test/resource_password_profile_test.go
@@ -0,0 +1,81 @@
+package provider_test
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/hashicorp/terraform-plugin-testing/config"
+	"github.com/hashicorp/terraform-plugin-testing/helper/acctest"
+	"github.com/hashicorp/terraform-plugin-testing/helper/resource"
+	"github.com/hashicorp/terraform-plugin-testing/knownvalue"
+	"github.com/hashicorp/terraform-plugin-testing/statecheck"
+	"github.com/hashicorp/terraform-plugin-testing/tfjsonpath"
+)
+
+func TestAccPasswordProfile_Basic(t *testing.T) {
+	t.Parallel()
+
+	nameSuffix := acctest.RandStringFromCharSet(6, acctest.CharSetAlphaNum)
+	prefix := fmt.Sprintf("test-acc-%s", nameSuffix)
+
+	location := config.ObjectVariable(map[string]config.Variable{
+		"template": config.ObjectVariable(map[string]config.Variable{
+			"name": config.StringVariable(prefix),
+		}),
+	})
+
+	resource.Test(t, resource.TestCase{
+		PreCheck:                 func() { testAccPreCheck(t) },
+		ProtoV6ProviderFactories: testAccProviders,
+		Steps: []resource.TestStep{
+			{
+				Config: passwordProfile_Basic_Tmpl,
+				ConfigVariables: map[string]config.Variable{
+					"prefix":   config.StringVariable(prefix),
+					"location": location,
+				},
+				ConfigStateChecks: []statecheck.StateCheck{
+					statecheck.ExpectKnownValue(
+						"panos_password_profile.example",
+						tfjsonpath.New("name"),
+						knownvalue.StringExact(prefix),
+					),
+					statecheck.ExpectKnownValue(
+						"panos_password_profile.example",
+						tfjsonpath.New("password_change"),
+						knownvalue.ObjectExact(map[string]knownvalue.Check{
+							"expiration_period":                 knownvalue.Int64Exact(90),
+							"expiration_warning_period":         knownvalue.Int64Exact(7),
+							"post_expiration_admin_login_count": knownvalue.Int64Exact(3),
+							"post_expiration_grace_period":      knownvalue.Int64Exact(5),
+						}),
+					),
+				},
+			},
+		},
+	})
+}
+
+const passwordProfile_Basic_Tmpl = `
+variable "prefix" { type = string }
+variable "location" { type = any }
+
+resource "panos_template" "example" {
+  location = { panorama = {} }
+  name = var.prefix
+}
+
+resource "panos_password_profile" "example" {
+  depends_on = [panos_template.example]
+  location = var.location
+
+  name = var.prefix
+
+  password_change = {
+    expiration_period = 90
+    expiration_warning_period = 7
+    post_expiration_admin_login_count = 3
+    post_expiration_grace_period = 5
+  }
+}
+`
diff --git a/specs/device/profiles/password.yaml b/specs/device/profiles/password.yaml
@@ -0,0 +1,175 @@
+name: password-profile
+terraform_provider_config:
+  description: Password Profile
+  skip_resource: false
+  skip_datasource: false
+  resource_type: entry
+  resource_variants:
+  - singular
+  suffix: password_profile
+  plural_suffix: ''
+  plural_name: ''
+  plural_description: ''
+go_sdk_config:
+  skip: false
+  package:
+  - device
+  - profiles
+  - password
+panos_xpath:
+  path:
+  - password-profile
+  vars: []
+locations:
+- name: panorama
+  xpath:
+    path:
+    - config
+    - mgt-config
+    vars: []
+  description: Located in panorama.
+  validators: []
+  required: false
+  read_only: false
+- name: ngfw
+  xpath:
+    path:
+    - config
+    - mgt-config
+    vars: []
+  description: Located within device-level configuration
+  devices:
+  - ngfw
+  validators: []
+  required: false
+  read_only: false
+- name: template
+  xpath:
+    path:
+    - config
+    - devices
+    - $panorama_device
+    - template
+    - $template
+    - config
+    - mgt-config
+    vars:
+    - name: panorama_device
+      description: Specific Panorama device
+      required: false
+      default: localhost.localdomain
+      validators: []
+      type: entry
+    - name: template
+      description: Specific Panorama template
+      required: true
+      validators: []
+      type: entry
+  description: A management configuration object located within a specific template
+  devices:
+  - panorama
+  validators: []
+  required: false
+  read_only: false
+- name: template-stack
+  xpath:
+    path:
+    - config
+    - devices
+    - $panorama_device
+    - template-stack
+    - $template_stack
+    - config
+    - mgt-config
+    vars:
+    - name: panorama_device
+      description: Specific Panorama device
+      required: false
+      default: localhost.localdomain
+      validators: []
+      type: entry
+    - name: template_stack
+      description: The template stack
+      required: true
+      validators: []
+      type: entry
+  description: A management configuration object located within a specific template
+  devices:
+  - panorama
+  validators: []
+  required: false
+  read_only: false
+entries:
+- name: name
+  description: ''
+  validators: []
+spec:
+  params:
+  - name: password-change
+    type: object
+    profiles:
+    - xpath:
+      - password-change
+    validators: []
+    spec:
+      params:
+      - name: expiration-period
+        type: int64
+        profiles:
+        - xpath:
+          - expiration-period
+        validators:
+        - type: length
+          spec:
+            min: 0
+            max: 365
+        spec:
+          default: 0
+        description: Password expiry days
+        required: false
+      - name: expiration-warning-period
+        type: int64
+        profiles:
+        - xpath:
+          - expiration-warning-period
+        validators:
+        - type: length
+          spec:
+            min: 0
+            max: 30
+        spec:
+          default: 0
+        description: Password expiry warning period
+        required: false
+      - name: post-expiration-admin-login-count
+        type: int64
+        profiles:
+        - xpath:
+          - post-expiration-admin-login-count
+        validators:
+        - type: length
+          spec:
+            min: 0
+            max: 3
+        spec:
+          default: 0
+        description: Password post-expiry admin login count
+        required: false
+      - name: post-expiration-grace-period
+        type: int64
+        profiles:
+        - xpath:
+          - post-expiration-grace-period
+        validators:
+        - type: length
+          spec:
+            min: 0
+            max: 30
+        spec:
+          default: 0
+        description: Password post-expiry grace period
+        required: false
+      variants: []
+    description: ''
+    required: false
+  variants: []