CiscoDevNet / terraform-provider-ise

Terraform Cisco ISE Provider
https://registry.terraform.io/providers/CiscoDevNet/ise/latest
Mozilla Public License 2.0

Provider does not apply configuration to ISE when using the FQDN URL #23

Closed grg1bbs closed 7 months ago

grg1bbs commented 8 months ago

When using the ISE FQDN in the url value for the provider block, the TF apply appears to complete, but the configuration is not actually applied to the ISE instance. If the url value is changed to the IP address of the ISE instance, the configuration is applied to ISE correctly.

Terraform version = 1.6.6
Platforms tested = MacOS Sonoma & Ubuntu 22.04.3 LTS
ISE version = 3.2 patch 4

Terraform output:

❯ tf apply --auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # ise_allowed_protocols.mab_eaptls will be created
  + resource "ise_allowed_protocols" "mab_eaptls" {
      + allow_chap                              = false
      + allow_eap_fast                          = false
      + allow_eap_md5                           = false
      + allow_eap_tls                           = true
      + allow_eap_ttls                          = false
      + allow_leap                              = false
      + allow_ms_chap_v1                        = false
      + allow_ms_chap_v2                        = false
      + allow_pap_ascii                         = false
      + allow_peap                              = false
      + allow_preferred_eap_protocol            = false
      + allow_teap                              = false
      + allow_weak_ciphers_for_eap              = false
      + eap_tls_allow_auth_of_expired_certs     = false
      + eap_tls_enable_stateless_session_resume = true
      + eap_tls_l_bit                           = false
      + eap_tls_session_ticket_percentage       = 10
      + eap_tls_session_ticket_ttl              = 5
      + eap_tls_session_ticket_ttl_unit         = "HOURS"
      + id                                      = (known after apply)
      + name                                    = "MAB_EAP-TLS"
      + process_host_lookup                     = true
      + require_message_auth                    = false
    }

Plan: 1 to add, 0 to change, 0 to destroy.
ise_allowed_protocols.mab_eaptls: Creating...
ise_allowed_protocols.mab_eaptls: Creation complete after 1s [id=66a18aa0-b027-11ee-b966-ead89af9fdb3]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

ISE config screenshot


Terraform code example: I'm using a single flat TF file for basic testing

terraform {
  required_version = ">= 1.3.9"
  required_providers {
    ise = {
      source  = "CiscoDevNet/ise"
      version = "0.1.8"
    }
  }
}

# Lab credentials in clear text for this repro; the url is the ISE node's FQDN
# (swapping it for the node's IP address is what made the apply take effect).
provider "ise" {
  username = "ersadmin1"
  password = "cisco123"
  url      = "https://ise32-3.ise.trappedunderise.com"
}

# Allowed-protocols policy that permits only MAB (host lookup) and EAP-TLS.
resource "ise_allowed_protocols" "mab_eaptls" {
  name                         = "MAB_EAP-TLS"
  description                  = ""
  process_host_lookup          = true
  allow_pap_ascii              = false
  allow_chap                   = false
  allow_ms_chap_v1             = false
  allow_ms_chap_v2             = false
  allow_eap_md5                = false
  allow_eap_tls                = true
  allow_leap                   = false
  allow_peap                   = false
  allow_eap_fast               = false
  allow_eap_ttls               = false
  allow_teap                   = false
  allow_preferred_eap_protocol = false
  eap_tls_l_bit                = false
  allow_weak_ciphers_for_eap   = false
  require_message_auth         = false

  # EAP-TLS session resumption settings
  eap_tls_allow_auth_of_expired_certs     = false
  eap_tls_enable_stateless_session_resume = true
  eap_tls_session_ticket_ttl              = 5
  eap_tls_session_ticket_ttl_unit         = "HOURS"
  eap_tls_session_ticket_percentage       = 10
}
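A post-apply check for the failure mode described in this report, added here as an example and not code from the issue or from the provider: Terraform's "Creation complete" only proves the provider got an HTTP success back, so the script asks the ISE ERS API for the allowed-protocols object by name and compares the returned id with the id Terraform printed. The ERS endpoint and JSON shape follow the POST visible in the provider debug log; the ISE_URL / ISE_USERNAME / ISE_PASSWORD / ISE_CA_BUNDLE environment variable names, the fake opener and the sample reply are this script's own assumptions, not provider settings or captured ISE output.

```python
"""Check that an ISE object Terraform reports as created is really there."""
import base64
import io
import json
import os
import socket
import ssl
import sys
import urllib.error
import urllib.request
from urllib.parse import quote, urlsplit

# Constructed sample reply, shaped like ERS JSON and reusing the id from the
# issue's apply output; it was not captured from a real ISE node.
SAMPLE_ID = "66a18aa0-b027-11ee-b966-ead89af9fdb3"
SAMPLE_RESPONSE = {"AllowedProtocols": {"id": SAMPLE_ID, "name": "MAB_EAP-TLS",
                                        "allowEapTls": True, "allowPapAscii": False}}


def ers_get(base_url, path, username, password, opener=None, ca_bundle=None):
    """GET an ERS resource and return parsed JSON, or None on HTTP 404.

    ERS answers in XML unless Accept asks for JSON. TLS is verified against the
    system store (or ca_bundle), so base_url has to carry the name the ISE
    certificate was issued for; an IP literal will normally fail that check.
    """
    token = base64.b64encode(f"{username}:{password}".encode()).decode()
    req = urllib.request.Request(base_url.rstrip("/") + path, headers={
        "Accept": "application/json",
        "Authorization": "Basic " + token,
    })
    if opener is None:
        ctx = ssl.create_default_context(cafile=ca_bundle)
        opener = lambda r: urllib.request.urlopen(r, context=ctx, timeout=15)
    try:
        with opener(req) as resp:
            return json.loads(resp.read().decode())
    except urllib.error.HTTPError as err:
        if err.code == 404:
            return None
        raise


def allowed_protocols_by_name(base_url, name, username, password, **kw):
    """Look up an allowed-protocols object by its ISE name."""
    path = "/ers/config/allowedprotocols/name/" + quote(name, safe="")
    return ers_get(base_url, path, username, password, **kw)


def check_applied(expected_id, expected_name, body):
    """Compare what ISE returned with what Terraform claimed; returns (ok, detail)."""
    obj = (body or {}).get("AllowedProtocols")
    if not obj:
        return False, f"{expected_name!r} is not present on ISE"
    if obj.get("name") != expected_name:
        return False, f"ISE returned {obj.get('name')!r}, expected {expected_name!r}"
    if obj.get("id") != expected_id:
        return False, f"id mismatch: ISE has {obj.get('id')}, Terraform reported {expected_id}"
    return True, f"{expected_name!r} present with id {expected_id}"


def resolve_host(base_url):
    """Addresses the url's host resolves to, so an FQDN run and an IP run can be compared."""
    host = urlsplit(base_url).hostname
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, 443)})


def fake_opener(body, status=200, seen=None):
    """Offline stand-in for urlopen: serves `body` as JSON and records the request."""
    def open_(req):
        if seen is not None:
            seen.append(req)
        if status == 404:
            raise urllib.error.HTTPError(req.full_url, 404, "Not Found", {}, None)
        return io.BytesIO(json.dumps(body).encode())
    return open_


if __name__ == "__main__":
    url = os.environ.get("ISE_URL")
    if url:  # live run: check_applied.py <name> <id-from-terraform-output>
        body = allowed_protocols_by_name(url, sys.argv[1], os.environ["ISE_USERNAME"],
                                         os.environ["ISE_PASSWORD"],
                                         ca_bundle=os.environ.get("ISE_CA_BUNDLE"))
        print("url host resolves to", resolve_host(url))
        print(check_applied(sys.argv[2], sys.argv[1], body))
    else:  # offline run on the constructed sample
        body = allowed_protocols_by_name("https://ise.example", "MAB_EAP-TLS", "u", "p",
                                         opener=fake_opener(SAMPLE_RESPONSE))
        print(check_applied(SAMPLE_ID, "MAB_EAP-TLS", body))
```

Run it once with the FQDN in ISE_URL and once with the IP address: if the name lookup returns 404 for one and the object for the other, the two hostnames are not reaching the same node (or the same deployment), which is a more useful fact than the apply summary.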
kuba-mazurkiewicz commented 8 months ago

Hey @grg1bbs, I checked your issue and was not able to replicate it. For me, changing the IP to the FQDN worked. Terraform created the allowed_protocols object and I can see MAB_EAP-TLS in the GUI of my ISE.

Debug logs:

2024-01-11T18:10:51.621+0100 [DEBUG] provider.terraform-provider-ise_v0.1.8: 2024/01/11 18:10:51 [DEBUG] HTTP Request: POST, https://ise02.lab01.local/ers/config/allowedprotocols, {{"AllowedProtocols":{"name":"MAB_EAP-TLS","description":"","processHostLookup":true,"allowPapAscii":false,"allowChap":false,"allowMsChapV1":false,"allowMsChapV2":false,"allowEapMd5":false,"allowLeap":false,"allowEapTls":true,"allowEapTtls":false,"allowEapFast":false,"allowPeap":false,"allowTeap":false,"allowPreferredEapProtocol":false,"eapTlsLBit":false,"allowWeakCiphersForEap":false,"requireMessageAuth":false,"eapTls":{"allowEapTlsAuthOfExpiredCerts":false,"eapTlsEnableStatelessSessionResume":true,"eapTlsSessionTicketTtl":5,"eapTlsSessionTicketTtlUnits":"HOURS","eapTlsSessionTicketPrecentage":10}}}}


I used the exact config you provided and I have the same ISE version, 3.2 with patch 4.

Was the Terraform output you provided captured when you were using the FQDN as the url?

grg1bbs commented 7 months ago

Interesting. After changing my MacOS & Ubuntu TF code back to using the FQDN after verifying with the IP address, the apply works fine. I also spun up my Fedora instance and used the same code for the first time using the FQDN, and the configuration applied. I can't replicate this issue anymore, so I'm closing this issue.