CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

Resource "ciscoise_network_access_authorization_rules" does not support nested children blocks #106

Closed AgnieszkaChudy closed 3 months ago

AgnieszkaChudy commented 1 year ago

Prerequisites

Describe the bug

network_access_authorization_rules doesn't support nested children conditions

I want to create the following network_access_authorization_rules:

resource "ciscoise_network_access_authorization_rules" "SIKT_Wireless_SPHF" {
  provider = ciscoise
  parameters {

    profile = ["SIKT_auth-client-sphf"]
    rule {
      default = false
      rank    = 1
      state   = "enabled"
      name    = "SIKT_Wireless_SPHF"

      condition {

        condition_type = "ConditionAndBlock"
        is_negate      = "false"

        children {
          condition_type = "ConditionReference"
          is_negate      = false
          id             = "6c0f9060-4dd5-4245-ab5a-673f8ea4d656"
        }

        children {
          condition_type  = "ConditionAttributes"
          is_negate       = false
          dictionary_name = "SIKT_AD"
          attribute_name  = "ExternalGroups"
          operator        = "equals"
          attribute_value = "sikt/Users/Domain Computers"
        }

        children {
          condition_type = "ConditionReference"
          is_negate      = false
          id             = "50390202-ae30-4da6-ae43-e2bd051636db"
        }

        children {
          condition_type  = "ConditionAttributes"
          is_negate       = false
          dictionary_name = "SIKT_AD"
          attribute_name  = "distinguishedName"
          operator        = "contains"
          attribute_value = "OU=SP,DC=sikt"
        }

        children {
          condition_type = "ConditionOrBlock"
          is_negate      = false

          children {
            condition_type  = "ConditionAttributes"
            is_negate       = false
            dictionary_name = "Radius"
            attribute_name  = "Called-Station-ID"
            operator        = "equals"
            attribute_value = "Gjovik-sykehus"
          }

          children {
            condition_type  = "ConditionAttributes"
            is_negate       = false
            dictionary_name = "Radius"
            attribute_name  = "Called-Station-ID"
            operator        = "equals"
            attribute_value = "Lillehammer-Sykehus"
          }

        }
      }
    }
  }
}

But when I do terraform plan I am receiving errors for multiple unsupported arguments:

terraform plan     

│ Error: Unsupported block type
│ 
│   on main.tf line 53, in resource "ciscoise_network_access_authorization_rules" "SIKT_Wireless_SPHF":
│   53:           children {
│ 
│ Blocks of type "children" are not expected here.
╵
╷
│ Error: Unsupported block type
│ 
│   on main.tf line 62, in resource "ciscoise_network_access_authorization_rules" "SIKT_Wireless_SPHF":
│   62:           children {
│ 
│ Blocks of type "children" are not expected here.

Using the API directly, it works with the following curl command:

curl -X POST "https://10.48.190.181:443/api/v1/policy/network-access/policy-set/7db169ea-7a9c-49b4-8f7e-1bb8d73f0a4e/authorization" -H "accept: application/json" -H "Content-Type: application/json" -d "{\"rule\":{\"default\":false,\"name\":\"Test1\",\"hitCounts\":0,\"rank\":0,\"state\":\"enabled\",\"condition\":{\"link\":null,\"conditionType\":\"ConditionAndBlock\",\"isNegate\":false,\"children\":[{\"link\":null,\"conditionType\":\"ConditionReference\",\"isNegate\":false,\"name\":\"Condition_10\",\"id\":\"7a8584d6-2ecd-4980-9ef9-573cb7fbe163\",\"description\":null},{\"link\":null,\"conditionType\":\"ConditionAttributes\",\"isNegate\":false,\"dictionaryName\":\"SIKT_AD\",\"attributeName\":\"ExternalGroups\",\"operator\":\"equals\",\"dictionaryValue\":null,\"attributeValue\":\"sikt/Users/Domain Computers\"},{\"link\":null,\"conditionType\":\"ConditionReference\",\"isNegate\":false,\"name\":\"Condition_11\",\"id\":\"ad1ba671-46f1-443e-a795-c960390202e3\",\"description\":\"Condtion_11\"},{\"link\":null,\"conditionType\":\"ConditionAttributes\",\"isNegate\":false,\"dictionaryName\":\"SIKT_AD\",\"attributeName\":\"distinguishedName\",\"operator\":\"contains\",\"dictionaryValue\":null,\"attributeValue\":\"OU=SP,DC=no\"},{\"link\":null,\"conditionType\":\"ConditionOrBlock\",\"isNegate\":false,\"children\":[{\"link\":null,\"conditionType\":\"ConditionAttributes\",\"isNegate\":false,\"dictionaryName\":\"Radius\",\"attributeName\":\"Called-Station-ID\",\"operator\":\"equals\",\"dictionaryValue\":null,\"attributeValue\":\"Gjovik-sykehus\"},{\"link\":null,\"conditionType\":\"ConditionAttributes\",\"isNegate\":false,\"dictionaryName\":\"Radius\",\"attributeName\":\"Called-Station-ID\",\"operator\":\"equals\",\"dictionaryValue\":null,\"attributeValue\":\"Lillehammer-Sykehus\"}]}]}},\"profile\":[\"Blackhole_Wireless_Access\"],\"securityGroup\":\"Auditors\",\"link\":{\"rel\":\"self\",\"href\":\"https://10.48.190.181/api/v1/policy/network-access/policy-set/7db169ea-7a9c-49b4-8f7e-1bb8d73f0a4e/authorization/bdd58466-f75d-4ee9-a1f3-0335aab4256b\",\"type\":\"application/json\"}}"

I'm getting a 201 response.

Environment (please complete the following information):

ashpilman-bnz commented 6 months ago

This works great in 0.6.22-beta, but seems to be broken again in 0.7.0-beta and 0.8.0-beta. Exactly the same symptoms and scenarios as mentioned above by @AgnieszkaChudy, running ISE version 3.2 patch 4; works fine using the API and works fine using the provider 0.6.22-beta.

fmunozmiranda commented 4 months ago

Hi @AgnieszkaChudy, could you please retry it with the latest version of the ISE provider and update us if the bug is still there?

fmunozmiranda commented 3 months ago

If we don't get an answer, this issue will be closed in the next 24 hours.
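
An added example, not part of the original thread or the provider's code: a pre-flight check over a condition tree in the JSON shape of the curl payload in the first post, listing every node that sits under more `children` levels than a provider schema accepts. The depth limit of 1 is an assumption inferred from the two errors on the inner `children` blocks; `SAMPLE_RULE`, `too_deep` and `max_depth` are hypothetical names.

```python
import json

# Constructed sample in the shape of the API payload quoted in the issue
# (conditionType / children); attribute values are taken from that payload.
SAMPLE_RULE = json.loads("""
{"rule": {"name": "Test1", "condition": {
  "conditionType": "ConditionAndBlock", "isNegate": false, "children": [
    {"conditionType": "ConditionReference", "isNegate": false, "name": "Condition_10"},
    {"conditionType": "ConditionAttributes", "isNegate": false,
     "dictionaryName": "SIKT_AD", "attributeName": "ExternalGroups",
     "operator": "equals", "attributeValue": "sikt/Users/Domain Computers"},
    {"conditionType": "ConditionOrBlock", "isNegate": false, "children": [
      {"conditionType": "ConditionAttributes", "isNegate": false,
       "dictionaryName": "Radius", "attributeName": "Called-Station-ID",
       "operator": "equals", "attributeValue": "Gjovik-sykehus"},
      {"conditionType": "ConditionAttributes", "isNegate": false,
       "dictionaryName": "Radius", "attributeName": "Called-Station-ID",
       "operator": "equals", "attributeValue": "Lillehammer-Sykehus"}]}]}}}
""")

BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock"}


def too_deep(condition, max_children_depth=1, depth=0, path="condition"):
    """Return (path, conditionType) for every node nested in more `children`
    levels than max_children_depth (hypothetical schema limit, assumed 1)."""
    hits = []
    if depth > max_children_depth:
        hits.append((path, condition.get("conditionType")))
    children = condition.get("children") or []
    if children and condition.get("conditionType") not in BLOCK_TYPES:
        raise ValueError(f"{path}: children on non-block condition")
    for i, child in enumerate(children):
        hits += too_deep(child, max_children_depth, depth + 1,
                         f"{path}.children[{i}]")
    return hits


def max_depth(condition):
    """Number of nested `children` levels below this condition."""
    kids = condition.get("children") or []
    return 1 + max(map(max_depth, kids)) if kids else 0


if __name__ == "__main__":
    cond = SAMPLE_RULE["rule"]["condition"]
    print("children depth:", max_depth(cond))
    for path, ctype in too_deep(cond):
        print("not expressible at depth 1:", path, ctype)
```

Run against rules exported from the API, this shows which authorization rules need a second `children` level before a provider upgrade or downgrade is attempted.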