CiscoDevNet / terraform-provider-ise

Terraform Cisco ISE Provider
https://registry.terraform.io/providers/CiscoDevNet/ise/latest
Mozilla Public License 2.0

Resource 'ise_network_access_authorization_rule' does not allow update of existing rule #33

Closed grg1bbs closed 7 months ago

grg1bbs commented 7 months ago

ISE version = 3.2 p4
Terraform version = 1.6.6
Provider version = 0.1.11

Issue Description

Resource 'ise_network_access_authorization_rule' throws an error when trying to update the existing Default AuthZ Policy. When referencing the rule ID, terraform throws an error "Invalid Configuration for Read-Only Attribute". If the ID attribute is removed, it tries to create a new Auth Policy, and throws a "Client Error".

Code example for update (PUT) operation

## Get ID for Default AuthZ Policy rule
data "ise_network_access_authorization_rule" "mm_authz_default" {
  policy_set_id = ise_network_access_policy_set.ps_wired_mm.id
  name = "Default"
}

## Update Wired_MM Default AuthZ Policy Rule to replace 'DenyAccess' with 'MM-AuthZ-Default' AuthZ Profile

resource "ise_network_access_authorization_rule" "mm_authz_default" {
  policy_set_id = ise_network_access_policy_set.ps_wired_mm.id
  id            = data.ise_network_access_authorization_rule.mm_authz_default.id
  profiles = [
    "MM-AuthZ-Default"
  ]
  name    = data.ise_network_access_authorization_rule.mm_authz_default.name
  rank    = data.ise_network_access_authorization_rule.mm_authz_default.rank
  state   = "enabled"
  default = true
}

Resulting Error

tf validate
╷
│ Error: Invalid Configuration for Read-Only Attribute
│ 
│   with ise_network_access_authorization_rule.mm_authz_default,
│   on policyset_mm.tf line 209, in resource "ise_network_access_authorization_rule" "mm_authz_default":
│  209:     id        = data.ise_network_access_authorization_rule.mm_authz_default.id
│ 
│ Cannot set value for this attribute as the provider has marked it as read-only. Remove the configuration line setting the value.
│ 
│ Refer to the provider documentation or contact the provider developers for additional information about configurable and read-only attributes that
│ are supported.

Code example with 'id' attribute removed and resulting error

resource "ise_network_access_authorization_rule" "mm_authz_default" {
  policy_set_id = ise_network_access_policy_set.ps_wired_mm.id
  profiles = [
    "MM-AuthZ-Default"
  ]
  name    = data.ise_network_access_authorization_rule.mm_authz_default.name
  rank    = data.ise_network_access_authorization_rule.mm_authz_default.rank
  state   = "enabled"
  default = true
}

Terraform will perform the following actions:

  # ise_network_access_authorization_rule.mm_authz_default will be created
  + resource "ise_network_access_authorization_rule" "mm_authz_default" {
      + default       = true
      + id            = (known after apply)
      + name          = "Default"
      + policy_set_id = "0a38ed78-0d1f-4d77-8456-6668c59d0949"
      + profiles      = [
          + "MM-AuthZ-Default",
        ]
      + rank          = 2
      + state         = "enabled"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
ise_network_access_authorization_rule.mm_authz_default: Creating...
ise_network_access_authorization_rule.mm_authz_default: Still creating... [10s elapsed]
╷
│ Error: Client Error
│ 
│   with ise_network_access_authorization_rule.mm_authz_default,
│   on policyset_mm.tf line 203, in resource "ise_network_access_authorization_rule" "mm_authz_default":
│  203: resource "ise_network_access_authorization_rule" "mm_authz_default" {
│ 
│ Failed to configure object (POST), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "code" : "400",
│   "message" : "Failed to handle API request - Network Access Authorization Rule : Default rule setting cannot be modified"
│ }

Example API PUT call body with resulting 200 OK

PUT {{baseUrl}}/network-access/policy-set/:policyId/authorization/:ruleId

{
    "rule": {
        "name": "Default",
        "rank": 2,
        "state": "enabled",
        "default": true
    },
    "profile": [
        "MM-AuthZ-Default"
    ]
}

danischm commented 7 months ago

If you want to modify an existing rule you would first need to import the rule. If you want to do it all in a single plan you could do something like this:

data "ise_network_access_policy_set" "default" {
  name = "Default"
}

data "ise_network_access_authorization_rule" "default" {
  policy_set_id = data.ise_network_access_policy_set.default.id
  name          = "Default"
}

resource "ise_network_access_authorization_rule" "default" {
  policy_set_id = data.ise_network_access_policy_set.default.id
  name          = "Default"
  default       = true
  rank          = 11
  state         = "enabled"
  profiles = [
    "PermitAccess"
  ]
}

import {
  to = ise_network_access_authorization_rule.default
  id = "${data.ise_network_access_policy_set.default.id},${data.ise_network_access_authorization_rule.default.id}"
}

grg1bbs commented 7 months ago

Hi @danischm, that does work but then it creates an issue if/when the resource is deleted by removing the block and/or running 'terraform destroy', as the Default rule cannot be deleted. It throws a 400 error and the destroy process is killed.

│ Error: Client Error
│ 
│ Failed to delete object (DELETE), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "code" : "400",
│   "message" : "Failed to handle API request - Network Access Authorization Rule : Attempted to delete default Rule"
│ }

Is there maybe another special resource that can be created for updating default rules like this that will mitigate this issue (or something that can be done in the code for this resource)?

This is how they addressed this same issue in the original provider if that helps at all. https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs/resources/network_access_authorization_rules_update

danischm commented 7 months ago

https://github.com/CiscoDevNet/terraform-provider-ise/commit/20ade73cf54bed0c15b6a0812a56e4ffbe9c6873

danischm commented 7 months ago

Added an enhancement in v0.1.12 to ignore error messages when attempting to delete default rules and/or policy sets.
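The PUT body grg1bbs posted above and the "Attempted to delete default Rule" 400 on DELETE, as an added Go example that is not the provider's code and not from anyone in this thread: a minimal client that updates a rule in place with that exact body shape and treats ISE's default-rule refusal as a successful no-op on DELETE only, which is the behaviour danischm describes for v0.1.12. Assumptions: the URL layout `{{baseUrl}}/network-access/policy-set/:policyId/authorization/:ruleId` quoted in the issue, an `http.Client` that already carries ISE credentials (authentication is left out), and a constructed in-process fake ISE endpoint in `main` so it runs offline; the IDs `ps-1`, `rule-default` and `rule-other` are made up.

```go
package main

import (
	"bytes"
	"encoding/json"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// Rule and RuleBody follow the PUT body from the issue: {"rule": {...}, "profile": [...]}.
type Rule struct {
	Name    string `json:"name"`
	Rank    int    `json:"rank"`
	State   string `json:"state"`
	Default bool   `json:"default"`
}

type RuleBody struct {
	Rule    Rule     `json:"rule"`
	Profile []string `json:"profile"`
}

// BuildUpdateBody serialises a rule update in the shape ISE answered with 200 OK.
func BuildUpdateBody(name string, rank int, state string, isDefault bool, profiles []string) ([]byte, error) {
	return json.Marshal(RuleBody{
		Rule:    Rule{Name: name, Rank: rank, State: state, Default: isDefault},
		Profile: profiles,
	})
}

// IsDefaultRuleError reports whether a response is ISE refusing to create or delete a
// default rule ("Default rule setting cannot be modified" on POST, "Attempted to delete
// default Rule" on DELETE). Only an HTTP 400 whose JSON message carries that phrase
// qualifies, so unrelated 400s (bad profile name, wrong rank) still surface as errors.
func IsDefaultRuleError(status int, body []byte) bool {
	if status != http.StatusBadRequest {
		return false
	}
	var e struct {
		Message string `json:"message"`
	}
	if err := json.Unmarshal(body, &e); err != nil {
		return false
	}
	return strings.Contains(strings.ToLower(e.Message), "default rule")
}

// ruleURL uses the path layout quoted in the issue; baseURL is whatever {{baseUrl}} is for you.
func ruleURL(baseURL, policyID, ruleID string) string {
	return fmt.Sprintf("%s/network-access/policy-set/%s/authorization/%s", baseURL, policyID, ruleID)
}

// ApplyRule sends one PUT or DELETE for an existing rule. A default-rule refusal is
// tolerated only on DELETE (the rule stays in place, which is what a destroy needs);
// on any other method it is a real error, because a default rule cannot be (re)created.
func ApplyRule(client *http.Client, method, baseURL, policyID, ruleID string, body []byte) error {
	req, err := http.NewRequest(method, ruleURL(baseURL, policyID, ruleID), bytes.NewReader(body))
	if err != nil {
		return err
	}
	req.Header.Set("Content-Type", "application/json")
	resp, err := client.Do(req)
	if err != nil {
		return err
	}
	defer resp.Body.Close()
	raw, _ := io.ReadAll(resp.Body)
	switch {
	case resp.StatusCode == http.StatusOK, resp.StatusCode == http.StatusNoContent:
		return nil
	case method == http.MethodDelete && IsDefaultRuleError(resp.StatusCode, raw):
		return nil
	}
	return fmt.Errorf("%s %s failed: HTTP %d: %s", method, req.URL.Path, resp.StatusCode, strings.TrimSpace(string(raw)))
}

func main() {
	// Constructed fake ISE (not a real appliance): accepts PUT, refuses DELETE of the default
	// rule with the 400 body quoted in the thread, and returns 204 for other deletes.
	srv := httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		switch {
		case r.Method == http.MethodDelete && strings.HasSuffix(r.URL.Path, "/rule-default"):
			http.Error(w, `{"code":"400","message":"Failed to handle API request - Network Access Authorization Rule : Attempted to delete default Rule"}`, http.StatusBadRequest)
		case r.Method == http.MethodPut:
			w.WriteHeader(http.StatusOK)
		default:
			w.WriteHeader(http.StatusNoContent)
		}
	}))
	defer srv.Close()

	// Made-up IDs; on a real ISE these come from the policy-set and rule lookups.
	body, _ := BuildUpdateBody("Default", 2, "enabled", true, []string{"MM-AuthZ-Default"})
	fmt.Println(string(body))
	fmt.Println("PUT default rule:   ", ApplyRule(srv.Client(), http.MethodPut, srv.URL, "ps-1", "rule-default", body))
	fmt.Println("DELETE default rule:", ApplyRule(srv.Client(), http.MethodDelete, srv.URL, "ps-1", "rule-default", nil))
	fmt.Println("DELETE other rule:  ", ApplyRule(srv.Client(), http.MethodDelete, srv.URL, "ps-1", "rule-other", nil))
}
```

Matching on the message text is the only signal ISE gives here, so the check is deliberately narrow (status 400 plus the "default rule" phrase) and is consulted only on DELETE; a POST that hits the same refusal is still reported, because silently "succeeding" there would leave Terraform believing it created a rule that does not exist.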

grg1bbs commented 7 months ago

Hi @danischm. I'm not sure if this is a working solution with a large number of resources being created.

If I am simply using the small sample code blocks or adding them onto existing resources, the import action seems to work okay. With the code I'm building to create a number of network access and device admin policy sets, the import block does not appear to check for the listed dependencies and throws an error.

Plan: 52 to add, 0 to change, 0 to destroy.
╷
│ Error: Invalid import id argument
│ 
│   on networkaccess_policyset_mm.tf line 216, in import:
│  216:   id = "${data.ise_network_access_policy_set.ps_wired_mm.id},${data.ise_network_access_authorization_rule.mm_authz_default.id}"
│ 
│ The import block "id" argument depends on resource attributes that cannot be determined until apply, so Terraform cannot plan to
│ import this resource.

I'm not sure, but it could be related to this issue: https://github.com/hashicorp/terraform/issues/31906