CiscoDevNet / terraform-provider-ise

Terraform Cisco ISE Provider
https://registry.terraform.io/providers/CiscoDevNet/ise/latest
Mozilla Public License 2.0

Import on ise_network_access_authentication_rule resource returns error "Cannot import non-existent remote object" #30

Closed grg1bbs closed 7 months ago

grg1bbs commented 7 months ago

ISE version = 3.2 p4
Terraform version = 1.6.6
Provider version = 0.1.10

When trying to create an authentication policy with nested conditions, terraform threw a Client Error stating:

│ Error: Client Error
│ 
│   with ise_network_access_authentication_rule.mm_authc_eaptls,
│   on policyset_mm.tf line 66, in resource "ise_network_access_authentication_rule" "mm_authc_eaptls":
│   66: resource "ise_network_access_authentication_rule" "mm_authc_eaptls" {
│ 
│ Failed to configure object (PUT), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "message" : "rule.condition.children[0].id, must not be null",
│   "code" : 400
│ }

To determine if the syntax was incorrect, I tried creating the AuthC Policy manually via the GUI and importing the object into state, but terraform threw the following error:

│ Error: Cannot import non-existent remote object
│ 
│ While attempting to import an existing object to "ise_network_access_authentication_rule.mm_authc_eaptls", the provider detected that no object
│ exists with the given id. Only pre-existing objects can be imported; check that the id is correct and that it is associated with the provider's
│ configured region or endpoint, or use "terraform apply" to create a new remote object for this resource.

Terraform resource block code:

resource "ise_network_access_authentication_rule" "mm_authc_eaptls" {
  name                 = "Dot1x EAP-TLS"
  policy_set_id        = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
  if_auth_fail         = "REJECT"
  if_process_fail      = "DROP"
  if_user_not_found    = "REJECT"
}

Import command:

tf import ise_network_access_authentication_rule.mm_authc_eaptls "5422a8ed-e744-4ce9-9062-94ddc73006ab"

Output from a GET API call (200 OK response) to {{baseUrl}}/network-access/policy-set/0a38ed78-0d1f-4d77-8456-6668c59d0949/authentication/5422a8ed-e744-4ce9-9062-94ddc73006ab:

{
    "version": "1.0.0",
    "response": {
        "rule": {
            "default": false,
            "id": "5422a8ed-e744-4ce9-9062-94ddc73006ab",
            "name": "Dot1x EAP-TLS",
            "hitCounts": 0,
            "rank": 0,
            "state": "enabled",
            "condition": {
                "link": null,
                "conditionType": "ConditionAndBlock",
                "isNegate": false,
                "children": [
                    {
                        "link": null,
                        "conditionType": "ConditionReference",
                        "isNegate": false,
                        "name": "Wired_802.1X",
                        "id": "5653cef6-8d36-4f67-818c-a9561a63e616",
                        "description": "A condition to match 802.1X based authentication requests from switches, according to the corresponding 802.1x attributes defined in the device profile."
                    },
                    {
                        "link": null,
                        "conditionType": "ConditionAttributes",
                        "isNegate": false,
                        "dictionaryName": "Network Access",
                        "attributeName": "EapAuthentication",
                        "operator": "equals",
                        "dictionaryValue": null,
                        "attributeValue": "EAP-TLS"
                    }
                ]
            }
        },
        "identitySourceName": "ISS_AD_Cert",
        "ifAuthFail": "REJECT",
        "ifUserNotFound": "REJECT",
        "ifProcessFail": "DROP",
        "link": {
            "rel": "self",
            "href": "https://ise32-3.ise.trappedunderise.com/api/v1/policy/network-access/policy-set/0a38ed78-0d1f-4d77-8456-6668c59d0949/authentication/5422a8ed-e744-4ce9-9062-94ddc73006ab",
            "type": "application/json"
        }
    }
}

danischm commented 7 months ago

Could you please share the resource config you used in the first place?

grg1bbs commented 7 months ago

This is the resource block I tried using to begin with, which throws the client error (with variables and references replaced with actual values):

## Get id for built-in Condition - Wired_802.1X
data "ise_network_access_condition" "wired_dot1x" {
  name = "Wired_802.1X"
}

## Create Wired_MM AuthC Policy - Dot1x EAP-TLS
resource "ise_network_access_authentication_rule" "mm_authc_eaptls" {
  depends_on = [
    ise_network_access_policy_set.ps_wired_mm
  ]
  name                 = "Dot1x EAP-TLS"
  rank                 = 0
  state                = "enabled"
  identity_source_name = "ISS_AD_Cert"
  if_auth_fail         = "REJECT"
  if_process_fail      = "DROP"
  if_user_not_found    = "REJECT"
  policy_set_id        = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
  default              = "false"
  condition_is_negate  = "false"
  condition_type       = "ConditionAndBlock"
  children = [{
    is_negate      = "false"
    condition_type = "ConditionReference"
    condition_id   = data.ise_network_access_condition.wired_dot1x.id
    },
    {
      is_negate       = "false"
      condition_type  = "ConditionAttributes"
      dictionary_name = "Network Access"
      attribute_name  = "EapAuthentication"
      operator        = "equals"
      attribute_value = "EAP-TLS"
    }
  ]
}

danischm commented 7 months ago

The child condition should look like this:

  {
    is_negate      = "false"
    condition_type = "ConditionReference"
    id   = data.ise_network_access_condition.wired_dot1x.id
  }

id instead of condition_id. There seems to be an issue with schema validation of nested elements, because TF does not complain about condition_id being an unsupported attribute, even though it is not allowed according to the schema.

Import operations for nested objects are currently not supported, as import only accepts a single value (id) as input, whereas we would need two IDs (policy set and rule) in this case. We would need to introduce some kind of separator to allow two ids to be used in a single field, which is currently not implemented.

danischm commented 7 months ago

Added option to import nested objects: https://github.com/CiscoDevNet/terraform-provider-ise/commit/2c9d8d27350f31593574d881c2f9bd8a8e3106df

grg1bbs commented 7 months ago

Thanks @danischm for the clarification. I can confirm that the resource creation worked with the 'id' attribute.

I was confused by the 'condition_id' in the documentation. The documentation might need some clarification on where 'condition_id' would be used as opposed to 'id'.

danischm commented 7 months ago

The attribute is named condition_id if the "root" condition is referring to an existing condition. If we refer to an existing condition from a nested element (under children) it is named just id. I believe the documentation is correct, though it is difficult to read with nested elements.

danischm commented 7 months ago

Added support to import nested objects in v0.1.11 release.
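The following configuration is an added example, not part of the issue thread and not the provider's own documentation. It puts the two attribute names side by side in one file: a rule whose root condition references an existing condition (condition_id at the root) and a rule whose AND block references the same condition from a child (id under children), which is the shape the reporter's final working config took. The policy set ID, rule names, identity source and condition name are reused from the issue above; the resource and data source names, and the rank values, are chosen here for illustration. The import line in the trailing comment assumes the composite ID is the policy set ID and the rule ID joined by a comma; that separator is an assumption, so confirm it against the import documentation of the provider version you run.

```hcl
## Added example (not from the issue thread or the provider docs). Shows where the
## provider expects condition_id versus id when referencing an existing condition.

## Look up the built-in condition by name so its UUID is never hard-coded.
data "ise_network_access_condition" "wired_dot1x" {
  name = "Wired_802.1X"
}

## Rule 1: the ROOT condition is itself a reference to an existing condition.
## At the root level the reference attribute is condition_id.
resource "ise_network_access_authentication_rule" "mm_authc_wired" {
  name                 = "Wired Dot1x"
  rank                 = 1
  state                = "enabled"
  policy_set_id        = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
  identity_source_name = "ISS_AD_Cert"
  if_auth_fail         = "REJECT"
  if_process_fail      = "DROP"
  if_user_not_found    = "REJECT"
  condition_type       = "ConditionReference"
  condition_id         = data.ise_network_access_condition.wired_dot1x.id
}

## Rule 2: an AND block whose first CHILD references the same existing condition.
## Inside children the reference attribute is id. Writing condition_id here is not
## rejected by the nested schema validation but is not sent to ISE either, which is
## what produced "rule.condition.children[0].id, must not be null" in the issue.
resource "ise_network_access_authentication_rule" "mm_authc_eaptls" {
  name                 = "Dot1x EAP-TLS"
  rank                 = 0
  state                = "enabled"
  policy_set_id        = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
  identity_source_name = "ISS_AD_Cert"
  if_auth_fail         = "REJECT"
  if_process_fail      = "DROP"
  if_user_not_found    = "REJECT"
  condition_type       = "ConditionAndBlock"
  condition_is_negate  = false
  children = [
    {
      condition_type = "ConditionReference"
      is_negate      = false
      id             = data.ise_network_access_condition.wired_dot1x.id
    },
    {
      condition_type  = "ConditionAttributes"
      is_negate       = false
      dictionary_name = "Network Access"
      attribute_name  = "EapAuthentication"
      operator        = "equals"
      attribute_value = "EAP-TLS"
    }
  ]
}

## Importing a rule created in the GUI (provider v0.1.11 or later) needs both the
## policy set ID and the rule ID. The comma separator is an ASSUMPTION in this
## example; check the resource's import docs for your provider version:
##   terraform import ise_network_access_authentication_rule.mm_authc_eaptls \
##     "0a38ed78-0d1f-4d77-8456-6668c59d0949,5422a8ed-e744-4ce9-9062-94ddc73006ab"
```

Because the nested schema does not flag a misnamed child attribute, terraform validate and terraform plan will both pass with condition_id inside children; the failure only surfaces at apply time as the HTTP 400 above. A cheap check after apply is the same GET the reporter used ({{baseUrl}}/network-access/policy-set/<policy_set_id>/authentication/<rule_id>) and confirming that every ConditionReference entry under condition.children carries a non-null id.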