CiscoDevNet / terraform-provider-fmc

Terraform Provider for FMC
https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs
Mozilla Public License 2.0

Access rule doesn't work if both section and category are provided #165

Open emorr-utmck opened 2 months ago

emorr-utmck commented 2 months ago

When attempting to create an access rule that has both a section and a category assigned, an error is returned. This is because the URL query parameters are not built correctly: after the section parameter is added, the category parameter is appended with `?` instead of `&`. The code needs to be modified to check the initialSet variable.

Example code:

# Pins the provider to the version this report was produced against (1.4.8).
terraform {
  required_providers {
    fmc = {
      source  = "CiscoDevNet/fmc"
      version = "1.4.8"
    }
  }
}

# Provider endpoint and credentials come from input variables; nothing is hard-coded here.
provider "fmc" {
  fmc_host                 = var.fmc_host
  # By its name this appears to skip TLS certificate verification of the FMC endpoint when true,
  # which removes protection against a spoofed FMC; presumably only meant for lab/self-signed
  # setups — confirm the variable's value before reusing this config elsewhere.
  fmc_insecure_skip_verify = var.fmc_insecure_skip_verify
  fmc_password             = var.fmc_password
  fmc_username             = var.fmc_username
}

# Access policy that the category and the rule below are attached to.
# Default action is "block", with logging at connection begin and events sent to FMC.
resource "fmc_access_policies" "access_policy" {
  default_action                    = "block"
  default_action_log_begin          = true
  default_action_send_events_to_fmc = true
  name                              = "Terraform Test"
}

# Category "Games" inside the policy above; its name is referenced by the rule's `category` attribute.
resource "fmc_access_policies_category" "category" {
  access_policy_id = fmc_access_policies.access_policy.id
  name             = "Games"
}

# Port object used as the rule's destination port (TCP/25565).
resource "fmc_port_objects" "Minecraft" {
  name     = "Minecraft"
  port     = 25565
  protocol = "TCP"
}

# Reproducer: an allow rule that sets BOTH `section` and `category`.
# This combination is what triggers the reported error — the provider builds the request URL
# as `?section=mandatory?category=Games` (second separator should be `&`), and FMC rejects it
# with HTTP 400 (see the output below). Either attribute on its own is not the issue described here.
resource "fmc_access_rules" "allow_Minecraft" {
  acp      = fmc_access_policies.access_policy.id
  action   = "allow"
  category = fmc_access_policies_category.category.name
  enabled  = true
  name     = "Allow Minecraft"
  section  = "mandatory"
  destination_ports {
    destination_port {
      id   = fmc_port_objects.Minecraft.id
      type = fmc_port_objects.Minecraft.type
    }
  }
}

Output:

│ Error: Error in access rule
│
│   with fmc_access_rules.allow_Minecraft,
│   on main.tf line 35, in resource "fmc_access_rules" "allow_Minecraft":
│   35: resource "fmc_access_rules" "allow_Minecraft" {
│
│ creating access rules: https://<REDACTED>/api/fmc_config/v1/domain/e276abec-e0f2-11e3-8169-6d9ed49b625f/policy/accesspolicies/2CF89B2F-1F0A-0ed3-0000-678608891459/accessrules?section=mandatory?category=Games - wrong status code: 400, error category: FRAMEWORK, error severity: ERROR, error messages: [{Only mandatory and default are the allowed option in     
│ parameter section}], {"name":"Allow
│ Minecraft","type":"AccessRule","action":"ALLOW","enableSyslog":false,"enabled":true,"sendEventsToFMC":false,"logFiles":false,"logBegin":false,"logEnd":false,"sourceZones":{"objects":null},"destinationZones":{"objects":null},"sourceNetworks":{"objects":null},"destinationNetworks":{"objects":null},"sourcePorts":{"objects":null},"destinationPorts":{"objects":[{"id":"2CF89B2F-1F0A-0ed3-0000-678608891442","type":"ProtocolPortObject"}]},"urls":{"objects":null},"destinationDynamicObjects":{"objects":null},"sourceDynamicObjects":{"objects":null},"sourceSecurityGroupTags":{"objects":null},"destinationSecurityGroupTags":{"objects":null}}

Notice that the URL query parameters are `?section=mandatory?category=Games`: the second separator should be `&`, not `?`.