destroy the policy doesn't trigger the config removal

[christung16]

Community Note

• Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
• Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request
• If you are interested in working on this issue or have submitted a pull request, please leave a comment

Terraform Version

DCNM version

• V 1.2.6

Affected Resource(s)

• dcnm_policy

Terraform Configuration Files

# Copy-paste your Terraform configurations here - for large Terraform configs,
# please use a service like Dropbox and share a link to the ZIP file. For
# security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp
resource "dcnm_policy" "customer_bgp_rs" {
    for_each = {
        for port in local.switch_port : "${port.switch_key}.${port.port_key}" => port
        if lookup (port.port_value, "name", null) != "rs-1" && lookup (port.port_value, "name", null) != null
    }
    serial_number = data.dcnm_inventory.rs["rs-1"].serial_number
    template_name = "hkix_bgp_ipv4_peering"
    template_props = {
        "BGP_PEER_AS" = each.value.port_value.asn
        "BGP_PEER_NAME" = each.value.port_value.name
        "BGP_PEER_IP" = each.value.port_value.peer_ip
    }
    description = format("BGP Base policy for %s", each.value.port_value.name)
    entity_type = "DEVICE"
    entity_name = each.value.port_value.name
    priority = 500
    depends_on = [
        dcnm_network.this
    ]    
}

Debug Output

Panic Output

Expected Behavior

I have a BGP peering template, and the above dcnm_policy resource will generate the BGP peering configuration. When I destroy the policy, it should trigger the relative config removal.

When using NDFC UI to delete the same policy, it will trigger the config removal according.

Actual Behavior

When destroy the policy, it only delete the policy in NDFC. It doesn't trigger the config removal. Therefore, the config still remain in the device while NDFC 's policy is deleted.

By sniff the NDFC UI, when delete the policy, it actually use the following REST, it seems that this rest api can trigger the NDFC to remove the relative configuration accordingly.

curl 'https://10.74.175.40/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/control/policies/POLICY-325890/bulk' \
  -X 'PUT' \
  -H 'Accept: application/json, text/plain, */*' \
  -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \
  -H 'AuthCookie: eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlYThtZjRkNXJnYWo0NTRyYXpvanllNGphNGxrMGJ4IiwidHlwIjoiSldUIn0.eyJhdnBhaXIiOiJzaGVsbDpkb21haW5zPWFsbC9hZG1pbi8iLCJjbHVzdGVyIjoiNmU2NDJkMzItMmQzMi0yZDMxLTY4MDAtMDAwMDAwMDAwMDAwIiwiY3NyZi10b2tlbiI6ImQ0NGI3MjYwYzVkYzRhNzk4YTBhMmExZjcxY2E1ODg5ZGZiODM4MjMyYzJlNGNkM2I2NmZlMTUyMTVjZjdhODQiLCJleHAiOjE2NjEwODAyMTEsImlhdCI6MTY2MTA3OTAxMSwiaWQiOiI0OGQxMDViZGZiYzQ5YTVmY2YzOWExMGI5NjEzODZlNjFkZmU0MDA4NWNiMDMxNWQ4MThiNzYxYzU3MzVkYWZhIiwiaXNzIjoibmQiLCJpc3MtaG9zdCI6IjEwLjc0LjE3NS40MCIsInJiYWMiOlt7ImRvbWFpbiI6ImFsbCIsInJvbGVzIjpbWyJhZG1pbiIsIldyaXRlUHJpdiJdLFsiYXBwLXVzZXIiLCJSZWFkUHJpdiJdXSwicm9sZXNSIjoxNjc3NzIxNiwicm9sZXNXIjoxfV0sInNlc3Npb25pZCI6IkFMczlkcndnOFBrNWVhdnhIaz1FTndIWiIsInVpLWxvZ2luIjp0cnVlLCJ1c2VyZmxhZ3MiOjAsInVzZXJpZCI6MjUwMDIsInVzZXJuYW1lIjoiYWRtaW4iLCJ1c2VydHlwZSI6ImxvY2FsIn0.ZEOIEZt6bMqwvLknIv7V6oT7qnPGfijGk7JStCLZz1SeijPS_8u3S6vGC9JpETJXqhizNy4VtojrBLGKIobVHA2_24vEZExEVQVe7rUaXbKBLWtGZNOGgZ91O0ItmshyN9sWMJGLSgxsMd3jCF3dYAD4A-b9uVfyRS5PybCpOVqL7Gh8b6BMfF-XhuTJLhhZRQHaS5yPG1rgdiJxIdAk8wbpf0Af3DQeTLjiVk2GKoHGig0JYijiVGLmwzGde61P1P3NZeGNG8i6ikpp1ksE1TKyIrhUY_86G0lN-L6-YivwSvVJqGVHKyqy0VoJF215TkcMZgDMLJbUgxgVWEhbTA' \
  -H 'Cache-Control: no-cache' \
  -H 'Connection: keep-alive' \
  -H 'Content-Type: application/json' \
  -H 'Cookie: AuthCookie=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlYThtZjRkNXJnYWo0NTRyYXpvanllNGphNGxrMGJ4IiwidHlwIjoiSldUIn0.eyJhdnBhaXIiOiJzaGVsbDpkb21haW5zPWFsbC9hZG1pbi8iLCJjbHVzdGVyIjoiNmU2NDJkMzItMmQzMi0yZDMxLTY4MDAtMDAwMDAwMDAwMDAwIiwiY3NyZi10b2tlbiI6ImQ0NGI3MjYwYzVkYzRhNzk4YTBhMmExZjcxY2E1ODg5ZGZiODM4MjMyYzJlNGNkM2I2NmZlMTUyMTVjZjdhODQiLCJleHAiOjE2NjEwODAyMTEsImlhdCI6MTY2MTA3OTAxMSwiaWQiOiI0OGQxMDViZGZiYzQ5YTVmY2YzOWExMGI5NjEzODZlNjFkZmU0MDA4NWNiMDMxNWQ4MThiNzYxYzU3MzVkYWZhIiwiaXNzIjoibmQiLCJpc3MtaG9zdCI6IjEwLjc0LjE3NS40MCIsInJiYWMiOlt7ImRvbWFpbiI6ImFsbCIsInJvbGVzIjpbWyJhZG1pbiIsIldyaXRlUHJpdiJdLFsiYXBwLXVzZXIiLCJSZWFkUHJpdiJdXSwicm9sZXNSIjoxNjc3NzIxNiwicm9sZXNXIjoxfV0sInNlc3Npb25pZCI6IkFMczlkcndnOFBrNWVhdnhIaz1FTndIWiIsInVpLWxvZ2luIjp0cnVlLCJ1c2VyZmxhZ3MiOjAsInVzZXJpZCI6MjUwMDIsInVzZXJuYW1lIjoiYWRtaW4iLCJ1c2VydHlwZSI6ImxvY2FsIn0.ZEOIEZt6bMqwvLknIv7V6oT7qnPGfijGk7JStCLZz1SeijPS_8u3S6vGC9JpETJXqhizNy4VtojrBLGKIobVHA2_24vEZExEVQVe7rUaXbKBLWtGZNOGgZ91O0ItmshyN9sWMJGLSgxsMd3jCF3dYAD4A-b9uVfyRS5PybCpOVqL7Gh8b6BMfF-XhuTJLhhZRQHaS5yPG1rgdiJxIdAk8wbpf0Af3DQeTLjiVk2GKoHGig0JYijiVGLmwzGde61P1P3NZeGNG8i6ikpp1ksE1TKyIrhUY_86G0lN-L6-YivwSvVJqGVHKyqy0VoJF215TkcMZgDMLJbUgxgVWEhbTA' \
  -H 'Expires: 0' \
  -H 'Origin: https://10.74.175.40' \
  -H 'Pragma: no-cache' \
  -H 'Referer: https://10.74.175.40/appcenter/cisco/ndfc/ui/lan-fabric/fabrics' \
  -H 'Sec-Fetch-Dest: empty' \
  -H 'Sec-Fetch-Mode: cors' \
  -H 'Sec-Fetch-Site: same-origin' \
  -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36' \
  -H 'X-Csrf-Token: d44b7260c5dc4a798a0a2a1f71ca5889dfb838232c2e4cd3b66fe15215cf7a84' \
  -H 'sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"' \
  -H 'sec-ch-ua-mobile: ?0' \
  -H 'sec-ch-ua-platform: "Windows"' \
  --data-raw $'[{"id":325890,"policyId":"POLICY-325890","description":"BGP Base policy for facebook","serialNumber":"9MQ1CP7ZFCJ","switchName":"rs-1","ipAddress":"10.74.174.32","entityType":"DEVICE","entityName":"facebook","templateName":"hkix_bgp_ipv4_peering","templateContentType":"TEMPLATE_CLI","nvPairs":{"BGP_PEER_AS":"32934","BGP_PEER_IP":"123.255.90.79","BGP_PEER_NAME":"facebook"},"generatedConfig":"router bgp 4635\\n neighbor 123.255.90.79 remote-as 32934\\n neighbor 123.255.90.79 description facebook \\n neighbor 123.255.90.79 version 4\\n neighbor 123.255.90.79 ha-mode graceful-restart\\n \u0021\\n address-family ipv4\\n  neighbor 123.255.90.79 activate\\n  neighbor 123.255.90.79 send-community both\\n  neighbor 123.255.90.79 announce rpki state\\n  neighbor 123.255.90.79 soft-reconfiguration inbound\\n  neighbor 123.255.90.79 prefix-list facebook in\\n\\n\\n","autoGenerated":false,"deleted":true,"priority":500,"status":"NA","statusOn":1661079740179,"createdOn":1661079740179,"modifiedOn":1661079740179,"fabricName":"chris-external-fabric-terraform","resourcesLinked":"","editable":true}]' \
  --compressed \
  --insecure ;

Steps to Reproduce

1. terraform apply
2. terraform destroy

Important Factoids

References

• 0000

[dsx1123]

Do you mind share your terraform provider version and you DCNM/NDFC version, this issue should have been fixed in latest provider.

Thanks, Shangxin

On Aug 21, 2022, at 4:52 AM, christung16 @.***> wrote:

 Community Note

Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request Please do not leave "+1" or other comments that do not add relevant new information or questions, they generate extra noise for issue followers and do not help prioritize the request If you are interested in working on this issue or have submitted a pull request, please leave a comment Terraform Version

DCNM version

V 1.2.6 Affected Resource(s)

dcnm_policy Terraform Configuration Files

Copy-paste your Terraform configurations here - for large Terraform configs,

please use a service like Dropbox and share a link to the ZIP file. For

security, you can also encrypt the files using our GPG public key: https://keybase.io/hashicorp

resource "dcnm_policy" "customer_bgp_rs" { for_each = { for port in local.switch_port : "${port.switch_key}.${port.port_key}" => port if lookup (port.port_value, "name", null) != "rs-1" && lookup (port.port_value, "name", null) != null } serial_number = data.dcnm_inventory.rs["rs-1"].serial_number template_name = "hkix_bgp_ipv4_peering" template_props = { "BGP_PEER_AS" = each.value.port_value.asn "BGP_PEER_NAME" = each.value.port_value.name "BGP_PEER_IP" = each.value.port_value.peer_ip } description = format("BGP Base policy for %s", each.value.port_value.name) entity_type = "DEVICE" entity_name = each.value.port_value.name priority = 500 depends_on = [ dcnm_network.this ]
} Debug Output

Panic Output

Expected Behavior

I have a BGP peering template, and the above dcnm_policy resource will generate the BGP peering configuration. When I destroy the policy, it should trigger the relative config removal.

When using NDFC UI to delete the same policy, it will trigger the config removal according.

Actual Behavior

When destroy the policy, it only delete the policy in NDFC. It doesn't trigger the config removal. Therefore, the config still remain in the device while NDFC 's policy is deleted.

By sniff the NDFC UI, when delete the policy, it actually use the following REST, it seems that this rest api can trigger the NDFC to remove the relative configuration accordingly.

curl 'https://10.74.175.40/appcenter/cisco/ndfc/api/v1/lan-fabric/rest/control/policies/POLICY-325890/bulk' \ -X 'PUT' \ -H 'Accept: application/json, text/plain, /' \ -H 'Accept-Language: en-GB,en-US;q=0.9,en;q=0.8' \ -H 'AuthCookie: eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlYThtZjRkNXJnYWo0NTRyYXpvanllNGphNGxrMGJ4IiwidHlwIjoiSldUIn0.eyJhdnBhaXIiOiJzaGVsbDpkb21haW5zPWFsbC9hZG1pbi8iLCJjbHVzdGVyIjoiNmU2NDJkMzItMmQzMi0yZDMxLTY4MDAtMDAwMDAwMDAwMDAwIiwiY3NyZi10b2tlbiI6ImQ0NGI3MjYwYzVkYzRhNzk4YTBhMmExZjcxY2E1ODg5ZGZiODM4MjMyYzJlNGNkM2I2NmZlMTUyMTVjZjdhODQiLCJleHAiOjE2NjEwODAyMTEsImlhdCI6MTY2MTA3OTAxMSwiaWQiOiI0OGQxMDViZGZiYzQ5YTVmY2YzOWExMGI5NjEzODZlNjFkZmU0MDA4NWNiMDMxNWQ4MThiNzYxYzU3MzVkYWZhIiwiaXNzIjoibmQiLCJpc3MtaG9zdCI6IjEwLjc0LjE3NS40MCIsInJiYWMiOlt7ImRvbWFpbiI6ImFsbCIsInJvbGVzIjpbWyJhZG1pbiIsIldyaXRlUHJpdiJdLFsiYXBwLXVzZXIiLCJSZWFkUHJpdiJdXSwicm9sZXNSIjoxNjc3NzIxNiwicm9sZXNXIjoxfV0sInNlc3Npb25pZCI6IkFMczlkcndnOFBrNWVhdnhIaz1FTndIWiIsInVpLWxvZ2luIjp0cnVlLCJ1c2VyZmxhZ3MiOjAsInVzZXJpZCI6MjUwMDIsInVzZXJuYW1lIjoiYWRtaW4iLCJ1c2VydHlwZSI6ImxvY2FsIn0.ZEOIEZt6bMqwvLknIv7V6oT7qnPGfijGk7JStCLZz1SeijPS_8u3S6vGC9JpETJXqhizNy4VtojrBLGKIobVHA2_24vEZExEVQVe7rUaXbKBLWtGZNOGgZ91O0ItmshyN9sWMJGLSgxsMd3jCF3dYAD4A-b9uVfyRS5PybCpOVqL7Gh8b6BMfF-XhuTJLhhZRQHaS5yPG1rgdiJxIdAk8wbpf0Af3DQeTLjiVk2GKoHGig0JYijiVGLmwzGde61P1P3NZeGNG8i6ikpp1ksE1TKyIrhUY_86G0lN-L6-YivwSvVJqGVHKyqy0VoJF215TkcMZgDMLJbUgxgVWEhbTA' \ -H 'Cache-Control: no-cache' \ -H 'Connection: keep-alive' \ -H 'Content-Type: application/json' \ -H 'Cookie: AuthCookie=eyJhbGciOiJSUzI1NiIsImtpZCI6ImRlYThtZjRkNXJnYWo0NTRyYXpvanllNGphNGxrMGJ4IiwidHlwIjoiSldUIn0.eyJhdnBhaXIiOiJzaGVsbDpkb21haW5zPWFsbC9hZG1pbi8iLCJjbHVzdGVyIjoiNmU2NDJkMzItMmQzMi0yZDMxLTY4MDAtMDAwMDAwMDAwMDAwIiwiY3NyZi10b2tlbiI6ImQ0NGI3MjYwYzVkYzRhNzk4YTBhMmExZjcxY2E1ODg5ZGZiODM4MjMyYzJlNGNkM2I2NmZlMTUyMTVjZjdhODQiLCJleHAiOjE2NjEwODAyMTEsImlhdCI6MTY2MTA3OTAxMSwiaWQiOiI0OGQxMDViZGZiYzQ5YTVmY2YzOWExMGI5NjEzODZlNjFkZmU0MDA4NWNiMDMxNWQ4MThiNzYxYzU3MzVkYWZhIiwiaXNzIjoibmQiLCJpc3MtaG9zdCI6IjEwLjc0LjE3NS40MCIsInJiYWMiOlt7ImRvbWFpbiI6ImFsbCIsInJvbGVzIjpbWyJhZG1pbiIsIldyaXRlUHJpdiJdLFsiYXBwLXVzZXIiLCJSZWFkUHJpdiJdXSwicm9sZXNSIjoxNjc3NzIxNiwicm9sZXNXIjoxfV0sInNlc3Npb25pZCI6IkFMczlkcndnOFBrNWVhdnhIaz1FTndIWiIsInVpLWxvZ2luIjp0cnVlLCJ1c2VyZmxhZ3MiOjAsInVzZXJpZCI6MjUwMDIsInVzZXJuYW1lIjoiYWRtaW4iLCJ1c2VydHlwZSI6ImxvY2FsIn0.ZEOIEZt6bMqwvLknIv7V6oT7qnPGfijGk7JStCLZz1SeijPS_8u3S6vGC9JpETJXqhizNy4VtojrBLGKIobVHA2_24vEZExEVQVe7rUaXbKBLWtGZNOGgZ91O0ItmshyN9sWMJGLSgxsMd3jCF3dYAD4A-b9uVfyRS5PybCpOVqL7Gh8b6BMfF-XhuTJLhhZRQHaS5yPG1rgdiJxIdAk8wbpf0Af3DQeTLjiVk2GKoHGig0JYijiVGLmwzGde61P1P3NZeGNG8i6ikpp1ksE1TKyIrhUY_86G0lN-L6-YivwSvVJqGVHKyqy0VoJF215TkcMZgDMLJbUgxgVWEhbTA' \ -H 'Expires: 0' \ -H 'Origin: https://10.74.175.40' \ -H 'Pragma: no-cache' \ -H 'Referer: https://10.74.175.40/appcenter/cisco/ndfc/ui/lan-fabric/fabrics' \ -H 'Sec-Fetch-Dest: empty' \ -H 'Sec-Fetch-Mode: cors' \ -H 'Sec-Fetch-Site: same-origin' \ -H 'User-Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/104.0.0.0 Safari/537.36' \ -H 'X-Csrf-Token: d44b7260c5dc4a798a0a2a1f71ca5889dfb838232c2e4cd3b66fe15215cf7a84' \ -H 'sec-ch-ua: "Chromium";v="104", " Not A;Brand";v="99", "Google Chrome";v="104"' \ -H 'sec-ch-ua-mobile: ?0' \ -H 'sec-ch-ua-platform: "Windows"' \ --data-raw $'[{"id":325890,"policyId":"POLICY-325890","description":"BGP Base policy for facebook","serialNumber":"9MQ1CP7ZFCJ","switchName":"rs-1","ipAddress":"10.74.174.32","entityType":"DEVICE","entityName":"facebook","templateName":"hkix_bgp_ipv4_peering","templateContentType":"TEMPLATE_CLI","nvPairs":{"BGP_PEER_AS":"32934","BGP_PEER_IP":"123.255.90.79","BGP_PEER_NAME":"facebook"},"generatedConfig":"router bgp 4635\n neighbor 123.255.90.79 remote-as 32934\n neighbor 123.255.90.79 description facebook \n neighbor 123.255.90.79 version 4\n neighbor 123.255.90.79 ha-mode graceful-restart\n \u0021\n address-family ipv4\n neighbor 123.255.90.79 activate\n neighbor 123.255.90.79 send-community both\n neighbor 123.255.90.79 announce rpki state\n neighbor 123.255.90.79 soft-reconfiguration inbound\n neighbor 123.255.90.79 prefix-list facebook in\n\n\n","autoGenerated":false,"deleted":true,"priority":500,"status":"NA","statusOn":1661079740179,"createdOn":1661079740179,"modifiedOn":1661079740179,"fabricName":"chris-external-fabric-terraform","resourcesLinked":"","editable":true}]' \ --compressed \ --insecure ; Steps to Reproduce

terraform apply terraform destroy Important Factoids

References

0000

— Reply to this email directly, view it on GitHub, or unsubscribe. You are receiving this because you are subscribed to this thread.

[christung16]

NDFC: 2.2(1h) Terraform provider: Terraform v1.2.6 on linux_amd64

• provider registry.terraform.io/ciscodevnet/dcnm v1.2.3