Closed grg1bbs closed 7 months ago
Could you please share the resource config you used in the first place?
This is the resource block I tried using to begin with that throws the client error (with var and references replaced with actual values)
```hcl
## Get id for built-in Condition - Wired_802.1X
data "ise_network_access_condition" "wired_dot1x" {
  name = "Wired_802.1X"
}

## Create Wired_MM AuthC Policy - Dot1x EAP-TLS
resource "ise_network_access_authentication_rule" "mm_authc_eaptls" {
  depends_on = [
    ise_network_access_policy_set.ps_wired_mm
  ]
  name                 = "Dot1x EAP-TLS"
  rank                 = 0
  state                = "enabled"
  identity_source_name = "ISS_AD_Cert"
  if_auth_fail         = "REJECT"
  if_process_fail      = "DROP"
  if_user_not_found    = "REJECT"
  policy_set_id        = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
  default              = "false"
  condition_is_negate  = "false"
  condition_type       = "ConditionAndBlock"
  children = [
    {
      is_negate      = "false"
      condition_type = "ConditionReference"
      condition_id   = data.ise_network_access_condition.wired_dot1x.id
    },
    {
      is_negate       = "false"
      condition_type  = "ConditionAttributes"
      dictionary_name = "Network Access"
      attribute_name  = "EapAuthentication"
      operator        = "equals"
      attribute_value = "EAP-TLS"
    }
  ]
}
```
The child condition should look like this:

```hcl
{
  is_negate      = "false"
  condition_type = "ConditionReference"
  id             = data.ise_network_access_condition.wired_dot1x.id
}
```

`id` instead of `condition_id`. There seems to be an issue with schema validation of nested elements because TF does not complain about `condition_id` being an unsupported attribute, even though it is not allowed according to the schema.
Import operations for nested objects are currently not supported, as import only supports a single value (id) as input, whereas we would need two IDs (policy set and rule) in this case. We would need to introduce some kind of separator to allow two ids to be used in a single field, which is currently not implemented.
Added option to import nested objects: https://github.com/CiscoDevNet/terraform-provider-ise/commit/2c9d8d27350f31593574d881c2f9bd8a8e3106df
Thanks @danischm for the clarification. I can confirm that the resource creation worked with the 'id' attribute.
I was confused by the 'condition_id' in the documentation. The doco might need some clarification on where 'condition_id' would be used as opposed to 'id'
The attribute is named `condition_id` if the "root" condition is referring to an existing condition. If we refer to an existing condition from a nested element (under `children`) it is named just `id`. I believe the documentation is correct, though it is difficult to read with nested elements.
Added support to import nested objects in v0.1.11 release.
ISE version = 3.2 p4
Terraform version = 1.6.6
Provider version = 0.1.10
When trying to create an authentication policy with nested conditions, terraform threw a Client Error stating:
To determine if the syntax was incorrect, I tried creating the AuthC Policy manually via the GUI and importing the object into state, but terraform threw the following error:
Terraform resource block code:
Import command:
Output from GET API call with 200 OK response {{baseUrl}}/network-access/policy-set/0a38ed78-0d1f-4d77-8456-6668c59d0949/authentication/5422a8ed-e744-4ce9-9062-94ddc73006ab