Closed grg1bbs closed 7 months ago
If you want to modify an existing rule you would first need to import the rule. If you want to do it all in a single plan you could do something like this:
```hcl
data "ise_network_access_policy_set" "default" {
  name = "Default"
}

data "ise_network_access_authorization_rule" "default" {
  policy_set_id = data.ise_network_access_policy_set.default.id
  name          = "Default"
}

resource "ise_network_access_authorization_rule" "default" {
  policy_set_id = data.ise_network_access_policy_set.default.id
  name          = "Default"
  default       = true
  rank          = 11
  state         = "enabled"
  profiles = [
    "PermitAccess"
  ]
}

import {
  to = ise_network_access_authorization_rule.default
  id = "${data.ise_network_access_policy_set.default.id},${data.ise_network_access_authorization_rule.default.id}"
}
```
Hi @danischm, that does work, but it then creates an issue if/when the resource is deleted by removing the block and/or running `terraform destroy`, as the Default rule cannot be deleted. It throws a 400 error and the destroy process is killed.

```text
│ Error: Client Error
│
│ Failed to delete object (DELETE), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "code" : "400",
│   "message" : "Failed to handle API request - Network Access Authorization Rule : Attempted to delete default Rule"
│ }
```
Is there maybe another special resource that can be created for updating default rules like this that will mitigate this issue (or something that can be done in the code for this resource)?
This is how they addressed this same issue in the original provider if that helps at all. https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs/resources/network_access_authorization_rules_update
Added an enhancement in v0.1.12 to ignore error messages when attempting to delete default rules and/or policy sets.
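As an added illustration of the behaviour described for v0.1.12 (this is not the provider's own code; the function names `isDefaultObjectDeleteError` and `deleteObject` and the stand-in server are constructed here), the delete path treats only ISE's 400 "Attempted to delete default" response as a successful destroy and keeps surfacing every other failure, so a real error is never masked:

```go
package main

import (
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// isDefaultObjectDeleteError reports whether a failed DELETE should count as success:
// only a 400 whose JSON message says a default rule or policy set was targeted (body
// shape taken from the error quoted above); any other failure must still surface.
func isDefaultObjectDeleteError(status int, body []byte) bool {
	if status != http.StatusBadRequest {
		return false
	}
	var e struct{ Message string `json:"message"` }
	if err := json.Unmarshal(body, &e); err != nil {
		return false
	}
	return strings.Contains(e.Message, "Attempted to delete default")
}

// deleteObject issues the DELETE and swallows only the default-object error.
func deleteObject(client *http.Client, url string) error {
	req, err := http.NewRequest(http.MethodDelete, url, nil)
	if err != nil {
		return err
	}
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	body, _ := io.ReadAll(resp.Body)
	if resp.StatusCode/100 == 2 || isDefaultObjectDeleteError(resp.StatusCode, body) {
		return nil
	}
	return fmt.Errorf("failed to delete object (DELETE), got %d: %s", resp.StatusCode, body)
}
// Constructed stand-in for ISE: answers every DELETE the way the Default rule does.
func main() {
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.WriteHeader(http.StatusBadRequest)
		fmt.Fprint(w, `{"code":"400","message":"Failed to handle API request - Network Access Authorization Rule : Attempted to delete default Rule"}`)
	}))
	fmt.Println("destroy of Default rule ->", deleteObject(srv.Client(), srv.URL+"/rule/default"))
}
```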
Hi @danischm. I'm not sure if this is a working solution with a large number of resources being created.
If I am simply using the small sample code blocks or adding them onto existing resources, the import action seems to work okay. With the code I'm building to create a number of network access and device admin policy sets, the import block does not appear to check for the listed dependencies and throws an error.
```text
Plan: 52 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid import id argument
│
│   on networkaccess_policyset_mm.tf line 216, in import:
│  216:   id = "${data.ise_network_access_policy_set.ps_wired_mm.id},${data.ise_network_access_authorization_rule.mm_authz_default.id}"
│
│ The import block "id" argument depends on resource attributes that cannot be determined until apply, so Terraform cannot plan to
│ import this resource.
```
I'm not sure, but it could be related to this issue: https://github.com/hashicorp/terraform/issues/31906
ISE version = 3.2 p4
Terraform version = 1.6.6
Provider version = 0.1.11

Issue Description

Resource 'ise_network_access_authorization_rule' throws an error when trying to update the existing Default AuthZ Policy. When referencing the rule ID, Terraform throws an error "Invalid Configuration for Read-Only Attribute". If the ID attribute is removed, it tries to create a new Auth Policy and throws a "Client Error".
Code example for update (PUT) operation
Resulting Error
Code example with 'id' attribute removed and resulting error
Example API PUT call body with resulting 200 OK

{{baseUrl}}/network-access/policy-set/:policyId/authorization/:ruleId