CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

ciscoise_identity_group does not work as expected #33

Closed chetanph closed 2 years ago

chetanph commented 2 years ago

Prerequisites

Describe the bug

  1. ciscoise_identity_group resource creation works as expected
locals {
  root_id_group = "NAC Group:NAC:IdentityGroups:User Identity Groups"
}

resource "ciscoise_identity_group" "fw_admin" {
  parameters {
    description = "ASA Firewall Admin"
    name        = "ASA_Firewall_Admin"
    parent      = join(":", [local.root_id_group, "Employee"])
  }
}

(Screenshot: Screen Shot 2022-05-12 at 4 40 01 PM)

(Screenshot: Screen Shot 2022-05-12 at 4 45 23 PM)

  2. At the next terraform apply, the provider tries to update the resource and receives an error from ISE.
$ terraform apply -auto-approve
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # ciscoise_identity_group.fw_admin will be updated in-place
  ~ resource "ciscoise_identity_group" "fw_admin" {
        id   = "id:=82054690-d23b-11ec-989c-2ab8e3d60603\\name:=ASA_Firewall_Admin"
        # (1 unchanged attribute hidden)

      ~ parameters {
          - id          = "82054690-d23b-11ec-989c-2ab8e3d60603" -> null
            name        = "ASA_Firewall_Admin"
            # (2 unchanged attributes hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
2022-05-12T16:40:39.814-0500 [INFO]  backend/local: apply calling Apply
2022-05-12T16:40:39.814-0500 [DEBUG] Building and walking apply graph for NormalMode plan
2022-05-12T16:40:39.815-0500 [DEBUG] ProviderTransformer: "ciscoise_identity_group.fw_admin" (*terraform.NodeApplyableResourceInstance) needs provider["registry.terraform.io/ciscoise/ciscoise"]
2022-05-12T16:40:39.815-0500 [DEBUG] ProviderTransformer: "ciscoise_identity_group.fw_admin (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/ciscoise/ciscoise"]
2022-05-12T16:40:39.815-0500 [DEBUG] ReferenceTransformer: "ciscoise_identity_group.fw_admin (expand)" references: []
2022-05-12T16:40:39.815-0500 [DEBUG] ReferenceTransformer: "local.root_id_group (expand)" references: []
2022-05-12T16:40:39.815-0500 [DEBUG] ReferenceTransformer: "ciscoise_identity_group.fw_admin" references: [local.root_id_group (expand)]
2022-05-12T16:40:39.815-0500 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/ciscoise/ciscoise\"]" references: []
2022-05-12T16:40:39.816-0500 [DEBUG] Starting graph walk: walkApply
2022-05-12T16:40:39.816-0500 [DEBUG] created provider logger: level=debug
2022-05-12T16:40:39.816-0500 [INFO]  provider: configuring client automatic mTLS
2022-05-12T16:40:39.827-0500 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta args=[.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta]
2022-05-12T16:40:39.830-0500 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta pid=60183
2022-05-12T16:40:39.830-0500 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta
2022-05-12T16:40:39.850-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: configuring server automatic mTLS: timestamp=2022-05-12T16:40:39.850-0500
2022-05-12T16:40:39.860-0500 [DEBUG] provider.terraform-provider-ciscoise_v0.6.0-beta: plugin address: address=/var/folders/rj/hymfyrbs71s52cz1k76wnygw0000gn/T/plugin710059464 network=unix timestamp=2022-05-12T16:40:39.860-0500
2022-05-12T16:40:39.860-0500 [DEBUG] provider: using plugin: version=5
ciscoise_identity_group.fw_admin: Modifying... [id=id:=82054690-d23b-11ec-989c-2ab8e3d60603\name:=ASA_Firewall_Admin]
2022-05-12T16:40:39.972-0500 [INFO]  Starting apply for ciscoise_identity_group.fw_admin
2022-05-12T16:40:39.972-0500 [DEBUG] ciscoise_identity_group.fw_admin: applying the planned Update change
2022-05-12T16:40:39.973-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:39 [DEBUG] Beginning IDentityGroup update for id=[id:=82054690-d23b-11ec-989c-2ab8e3d60603\name:=ASA_Firewall_Admin]: timestamp=2022-05-12T16:40:39.973-0500
2022-05-12T16:40:39.973-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:39 [DEBUG] Selecting method. Method 1 [true]: timestamp=2022-05-12T16:40:39.973-0500
2022-05-12T16:40:39.973-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:39 [DEBUG] Selecting method. Method 2 [true]: timestamp=2022-05-12T16:40:39.973-0500
2022-05-12T16:40:39.973-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:39 [DEBUG] ID used for update operation 82054690-d23b-11ec-989c-2ab8e3d60603: timestamp=2022-05-12T16:40:39.973-0500
2022-05-12T16:40:39.973-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:39 [DEBUG] request sent => {"IdentityGroup":{"name":"ASA_Firewall_Admin","description":"ASA Firewall Admin","parent":"NAC Group:NAC:IdentityGroups:User Identity Groups:Employee"}}: timestamp=2022-05-12T16:40:39.973-0500
2022-05-12T16:40:40.272-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:40:40 [DEBUG] resty response for update operation => {
  "ERSResponse" : {
    "operation" : "PUT-update-identitygroup",
    "messages" : [ {
      "title" : "Validation Error - Illegal values: [The identity group parent could not be found : NAC Group:NAC:IdentityGroups:User Identity Groups:Employee]",
      "type" : "ERROR",
      "code" : "Application resource validation exception"
    } ],
    "link" : {
      "rel" : "related",
      "href" : "https://mapper.cisco.com:9060/ers/config/identitygroup/82054690-d23b-11ec-989c-2ab8e3d60603",
      "type" : "application/xml"
    }
  }
}: timestamp=2022-05-12T16:40:40.271-0500
2022-05-12T16:40:40.297-0500 [ERROR] vertex "ciscoise_identity_group.fw_admin" error: Failure when executing UpdateIDentityGroupByID
╷
│ Error: Failure when executing UpdateIDentityGroupByID
│ 
│   with ciscoise_identity_group.fw_admin,
│   on user_id_groups.tf line 5, in resource "ciscoise_identity_group" "fw_admin":
│    5: resource "ciscoise_identity_group" "fw_admin" {
│ 
│ error with operation UpdateIdentityGroupById
│ {
│   "ERSResponse" : {
│     "operation" : "PUT-update-identitygroup",
│     "messages" : [ {
│       "title" : "Validation Error - Illegal values: [The identity group parent could not be found : NAC Group:NAC:IdentityGroups:User Identity Groups:Employee]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://mapper.cisco.com:9060/ers/config/identitygroup/82054690-d23b-11ec-989c-2ab8e3d60603",
│       "type" : "application/xml"
│     }
│   }
│ }
╵
2022-05-12T16:40:40.325-0500 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-05-12T16:40:40.328-0500 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta pid=60183
2022-05-12T16:40:40.328-0500 [DEBUG] provider: plugin exited

(Screenshot: Screen Shot 2022-05-12 at 4 42 12 PM)

  3. ciscoise_identity_group destroy does not send a DELETE request to ISE
$ terraform destroy -auto-approve

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  - destroy

Terraform will perform the following actions:

  # ciscoise_identity_group.fw_admin will be destroyed
  - resource "ciscoise_identity_group" "fw_admin" {
      - id   = "id:=82054690-d23b-11ec-989c-2ab8e3d60603\\name:=ASA_Firewall_Admin" -> null
      - item = [
          - {
              - description = "ASA Firewall Admin"
              - id          = "82054690-d23b-11ec-989c-2ab8e3d60603"
              - link        = [
                  - {
                      - href = "https://mapper.cisco.com:9060/ers/config/identitygroup/82054690-d23b-11ec-989c-2ab8e3d60603"
                      - rel  = "self"
                      - type = "application/json"
                    },
                ]
              - name        = "ASA_Firewall_Admin"
              - parent      = "NAC Group:NAC:IdentityGroups:User Identity Groups:Employee"
            },
        ] -> null

      - parameters {
          - description = "ASA Firewall Admin" -> null
          - id          = "82054690-d23b-11ec-989c-2ab8e3d60603" -> null
          - name        = "ASA_Firewall_Admin" -> null
          - parent      = "NAC Group:NAC:IdentityGroups:User Identity Groups:Employee" -> null
        }
    }

Plan: 0 to add, 0 to change, 1 to destroy.
2022-05-12T16:42:39.859-0500 [INFO]  backend/local: apply calling Apply
2022-05-12T16:42:39.859-0500 [DEBUG] Building and walking apply graph for DestroyMode plan
2022-05-12T16:42:39.860-0500 [DEBUG] ProviderTransformer: "ciscoise_identity_group.fw_admin (destroy)" (*terraform.NodeDestroyResourceInstance) needs provider["registry.terraform.io/ciscoise/ciscoise"]
2022-05-12T16:42:39.860-0500 [DEBUG] ProviderTransformer: "ciscoise_identity_group.fw_admin (expand)" (*terraform.nodeExpandApplyableResource) needs provider["registry.terraform.io/ciscoise/ciscoise"]
2022-05-12T16:42:39.860-0500 [DEBUG] ReferenceTransformer: "ciscoise_identity_group.fw_admin (expand)" references: []
2022-05-12T16:42:39.860-0500 [DEBUG] ReferenceTransformer: "local.root_id_group (expand)" references: []
2022-05-12T16:42:39.860-0500 [DEBUG] ReferenceTransformer: "provider[\"registry.terraform.io/ciscoise/ciscoise\"]" references: []
2022-05-12T16:42:39.860-0500 [DEBUG] pruneUnusedNodes: ciscoise_identity_group.fw_admin (expand) is no longer needed, removing
2022-05-12T16:42:39.860-0500 [DEBUG] pruneUnusedNodes: local.root_id_group (expand) is no longer needed, removing
2022-05-12T16:42:39.860-0500 [DEBUG] Starting graph walk: walkDestroy
2022-05-12T16:42:39.861-0500 [DEBUG] created provider logger: level=debug
2022-05-12T16:42:39.861-0500 [INFO]  provider: configuring client automatic mTLS
2022-05-12T16:42:39.871-0500 [DEBUG] provider: starting plugin: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta args=[.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta]
2022-05-12T16:42:39.877-0500 [DEBUG] provider: plugin started: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta pid=60502
2022-05-12T16:42:39.877-0500 [DEBUG] provider: waiting for RPC address: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta
2022-05-12T16:42:39.903-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: configuring server automatic mTLS: timestamp=2022-05-12T16:42:39.903-0500
2022-05-12T16:42:39.914-0500 [DEBUG] provider.terraform-provider-ciscoise_v0.6.0-beta: plugin address: address=/var/folders/rj/hymfyrbs71s52cz1k76wnygw0000gn/T/plugin3625987468 network=unix timestamp=2022-05-12T16:42:39.914-0500
2022-05-12T16:42:39.915-0500 [DEBUG] provider: using plugin: version=5
ciscoise_identity_group.fw_admin: Destroying... [id=id:=82054690-d23b-11ec-989c-2ab8e3d60603\name:=ASA_Firewall_Admin]
2022-05-12T16:42:40.047-0500 [INFO]  Starting apply for ciscoise_identity_group.fw_admin
2022-05-12T16:42:40.047-0500 [DEBUG] ciscoise_identity_group.fw_admin: applying the planned Delete change
2022-05-12T16:42:40.047-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:42:40 [DEBUG] Beginning IDentityGroup delete for id=[id:=82054690-d23b-11ec-989c-2ab8e3d60603\name:=ASA_Firewall_Admin]: timestamp=2022-05-12T16:42:40.047-0500
2022-05-12T16:42:40.047-0500 [INFO]  provider.terraform-provider-ciscoise_v0.6.0-beta: 2022/05/12 16:42:40 [DEBUG] Missing IDentityGroup delete on Cisco ISE. It will only be delete it on Terraform id=[id:=82054690-d23b-11ec-989c-2ab8e3d60603\name:=ASA_Firewall_Admin]: timestamp=2022-05-12T16:42:40.047-0500
ciscoise_identity_group.fw_admin: Destruction complete after 0s
2022-05-12T16:42:40.065-0500 [DEBUG] provider.stdio: received EOF, stopping recv loop: err="rpc error: code = Unavailable desc = transport is closing"
2022-05-12T16:42:40.068-0500 [DEBUG] provider: plugin process exited: path=.terraform/providers/registry.terraform.io/ciscoise/ciscoise/0.6.0-beta/darwin_amd64/terraform-provider-ciscoise_v0.6.0-beta pid=60502
2022-05-12T16:42:40.068-0500 [DEBUG] provider: plugin exited

Destroy complete! Resources: 1 destroyed.

Expected behavior

  1. The provider should not try to update the resource when there is no change. And even if it does, it should not result in API error.
  2. resource destroy should generate a DELETE request to ISE and the group should actually be deleted from ISE.

Screenshots: provided above

Environment (please complete the following information):

terraform -version
Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/ciscoise/ciscoise v0.6.0-beta

Additional context: N/A

jbogarin commented 2 years ago

After checking with the team, it turns out that we have an error on the Terraform resource for identity groups. DELETE is not supported in the API and we implemented the feature in Terraform.

We will remove the delete and change how the identity group resource works.

We will let you know once it is done

chetanph commented 2 years ago

Appreciate the update, thank you!

ogenstad commented 2 years ago

I don't use this provider but also ran into the issue of DELETE not existing. Spoke with someone on the ISE development team about it and it seemed like an oversight that would be fixed. However if you can open a TAC case with this it would probably get higher priority as they would see that more customers are impacted.

jbogarin commented 2 years ago

For the moment, DELETE is not supported and as mentioned by @ogenstad raising an issue with TAC might expedite the process of inclusion in the next release of ISE.
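Because the provider's destroy path (see the "Missing IDentityGroup delete on Cisco ISE. It will only be delete it on Terraform" log line above, and the maintainer's confirmation that the ERS API has no DELETE for identity groups) removes the resource from Terraform state without touching ISE, a `terraform destroy` can silently leave an identity group behind in a system that drives network access policy. The following is an added example, not code from this issue or from the CiscoISE provider: a reconciliation check that diffs the identity groups in Terraform state before and after a destroy against what ISE actually reports, and lists the ones Terraform has forgotten but ISE still holds. It assumes a terraform.tfstate-style JSON document, the composite ID format `id:=<uuid>\name:=<name>` shown in the plan output on this page, and the usual `{"SearchResult": {"resources": [...]}}` shape of an ERS list response (an assumption; the fetch function is injected and stubbed with constructed data so it runs offline). The second UUID in the stub data is made up.

```python
"""Added example (not code from the original issue or the CiscoISE provider).

Reconciles Terraform state against the identity groups ISE actually holds, so
that a `terraform destroy` which only drops the state entry (as the provider
log on this page shows) does not leave an unnoticed group behind in ISE.

Assumptions, none of which come from the page:
  * Terraform state is a terraform.tfstate-style JSON document.
  * The ERS list response has the usual {"SearchResult": {"resources": [...]}}
    shape; the fetch function is injected so everything runs offline.
"""
import json
import re
from typing import Callable, Dict, List, Tuple

# ID format the provider stores, as seen in the plan output on this page:
#   id:=<uuid>\name:=<name>
_ID_RE = re.compile(r"^id:=(?P<id>[^\\]+)\\name:=(?P<name>.+)$")


def parse_provider_id(tf_id: str) -> Dict[str, str]:
    """Split the composite resource ID into its ISE uuid and group name."""
    m = _ID_RE.match(tf_id)
    if not m:
        raise ValueError(f"unexpected ciscoise_identity_group id: {tf_id!r}")
    return {"id": m.group("id"), "name": m.group("name")}


def managed_groups(state_json: str) -> Dict[str, str]:
    """Return {uuid: name} for every ciscoise_identity_group in a state file."""
    state = json.loads(state_json)
    groups: Dict[str, str] = {}
    for res in state.get("resources", []):
        if res.get("mode", "managed") != "managed":
            continue  # data sources never own anything in ISE
        if res.get("type") != "ciscoise_identity_group":
            continue
        for inst in res.get("instances", []):
            parsed = parse_provider_id(inst["attributes"]["id"])
            groups[parsed["id"]] = parsed["name"]
    return groups


def ise_groups(fetch: Callable[[], dict]) -> Dict[str, str]:
    """Return {uuid: name} from an ERS identity-group list response."""
    body = fetch()
    return {r["id"]: r["name"] for r in body["SearchResult"]["resources"]}


def find_orphans(before_state: str, after_state: str,
                 fetch: Callable[[], dict]) -> List[Tuple[str, str]]:
    """Groups that left Terraform state but are still present in ISE.

    Returns (uuid, name) pairs sorted by name; empty means state and ISE agree.
    """
    removed = set(managed_groups(before_state)) - set(managed_groups(after_state))
    live = ise_groups(fetch)
    return sorted(((uid, live[uid]) for uid in removed if uid in live),
                  key=lambda p: p[1])


# Constructed sample data reproducing the scenario on this page: the group is
# in state before `terraform destroy`, gone from state afterwards, but ISE
# still returns it because no DELETE was sent.
FW_ADMIN_UUID = "82054690-d23b-11ec-989c-2ab8e3d60603"
STATE_BEFORE = json.dumps({
    "version": 4,
    "resources": [{
        "mode": "managed",
        "type": "ciscoise_identity_group",
        "name": "fw_admin",
        "instances": [{"attributes": {
            "id": f"id:={FW_ADMIN_UUID}\\name:=ASA_Firewall_Admin"}}],
    }],
})
STATE_AFTER = json.dumps({"version": 4, "resources": []})


def fake_ers_fetch() -> dict:
    """Stand-in for GET /ers/config/identitygroup (constructed response;
    the 'Employee' uuid below is invented for the example)."""
    return {"SearchResult": {"total": 2, "resources": [
        {"id": FW_ADMIN_UUID, "name": "ASA_Firewall_Admin"},
        {"id": "a1b2c3d4-0000-0000-0000-000000000001", "name": "Employee"},
    ]}}


if __name__ == "__main__":
    for uid, name in find_orphans(STATE_BEFORE, STATE_AFTER, fake_ers_fetch):
        print(f"orphaned in ISE: {name} ({uid}); remove it in the ISE UI or re-import it")
```

In practice `fetch` would be a thin wrapper around an authenticated GET of `/ers/config/identitygroup` (paging through `nextPage` if the deployment has more than one page of groups), and `STATE_BEFORE`/`STATE_AFTER` would come from `terraform state pull` run before and after the destroy. Running this as a post-destroy step in the pipeline turns the provider's silent no-op into a visible finding; until ISE offers DELETE, the only remediation options are deleting the group by hand or using `terraform import` to put it back under management.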