CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

destroy for ciscoise_device_administration_authentication_rules fails if it's default rule #35

Closed chetanph closed 2 years ago

chetanph commented 2 years ago

Prerequisites

Describe the bug
Example code creates a new policy set first and then wants to use "Internal Users" as the ID store for the Default Authentication Rule.

resource "ciscoise_device_administration_policy_set" "asa" {
  parameters {
    rank        = 0
    state       = "enabled"
    name        = "ASA Firewalls"
    description = "ASA Firewalls"
    condition {
      condition_type  = "ConditionAttributes"
      is_negate       = "false"
      dictionary_name = "DEVICE"
      attribute_name  = "Device Type"
      operator        = "startsWith"
      attribute_value = "All Device Types"
    }
    service_name = "Default Device Admin"
  }
}

locals {
  // "id:=05d9d6fd-f30b-45f2-900f-577948283817\\name:=ASA Firewalls"
  policy_set_asa = jsondecode(
    replace(
      replace(
        replace(
          replace(
            ciscoise_device_administration_policy_set.asa.id, "\\", "\", \"" # separator
          ), ":=", "\": \""                                                  # attribute: value
        ), "/^/", "{\""                                                      # start of string
      ), "/$/", "\"}"                                                        # end of string
    )
  )
}

output "policy_set_asa_id" {
  value = local.policy_set_asa.id
}

resource "ciscoise_device_administration_authentication_rules" "policy_set_asa_authc_rule_default" {
  parameters {
    policy_id            = local.policy_set_asa.id
    identity_source_name = "Internal Users"
    if_auth_fail         = "REJECT"
    if_process_fail      = "DROP"
    if_user_not_found    = "REJECT"
    rule {
      name    = "Default"
      state   = "enabled"
      default = "true"
    }
  }
}

Apply works as expected.

Destroy for the rule fails with this error:

╷
│ Error: Failure when executing DeleteDeviceAdminAuthenticationRuleByID
│ 
│ error with operation DeleteDeviceAdminAuthenticationRuleById
│ {
│   "code" : "400",
│   "message" : "Failed to handle API - Network Access Authentication Rule : Attempted to delete default Rule"
│ }
╵

Have to manually do this first:

terraform state rm ciscoise_device_administration_authentication_rules.policy_set_asa_authc_rule_default

And then run terraform destroy again to destroy the policy set.

Expected behavior
Destroy should not fail. It may be possible to skip deletion for the rule if default = true, since destroying the policy set will remove it anyway.


Environment (please complete the following information):

terraform -version
Terraform v1.1.9
on darwin_amd64
+ provider registry.terraform.io/ciscoise/ciscoise v0.6.0-beta

Additional context
N/A
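The skip-on-default destroy behaviour proposed in this report, as an added Go sketch that is not the provider's own code: the ruleAPI interface, the fakeISE server, the rule IDs and the fallback that tolerates a default-rule refusal are constructed assumptions; only the 400 message text comes from the error output above.

```go
package main

import (
	"errors"
	"strings"
)

// APIError models the 400 body ISE returned in the issue (constructed).
type APIError struct{ Code, Message string }
func (e *APIError) Error() string { return e.Code + ": " + e.Message }

// ruleAPI stands in for the provider's client; not the real SDK.
type ruleAPI interface{ Delete(policyID, ruleID string) error }

// authRule carries the Terraform parameters that matter for destroy.
type authRule struct {
	PolicyID, RuleID string
	Default          bool
}

// isDefaultRuleRefusal matches the refusal text quoted in the issue.
func isDefaultRuleRefusal(err error) bool {
	var apiErr *APIError
	return errors.As(err, &apiErr) && apiErr.Code == "400" &&
		strings.Contains(apiErr.Message, "Attempted to delete default Rule")
}

// deleteAuthRule is the proposed destroy behaviour: a default rule belongs to
// its policy set and disappears with it, so destroy only drops it from state;
// a default-rule refusal (stale state flag) counts as success, not failure.
func deleteAuthRule(api ruleAPI, r authRule) error {
	if r.Default {
		return nil
	}
	if err := api.Delete(r.PolicyID, r.RuleID); err != nil && !isDefaultRuleRefusal(err) {
		return err
	}
	return nil
}

// fakeISE reproduces the server behaviour seen in the issue (constructed).
type fakeISE struct{ defaults map[string]bool; deleted []string }

func (f *fakeISE) Delete(policyID, ruleID string) error {
	if f.defaults[ruleID] {
		return &APIError{"400", "Failed to handle API - Network Access Authentication Rule : Attempted to delete default Rule"}
	}
	f.deleted = append(f.deleted, ruleID)
	return nil
}
```

Any other error from the API is still returned, so only the specific default-rule refusal is tolerated.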

fmunozmiranda commented 2 years ago

Hey @chetanph, there's a new version (v0.6.1-beta) of terraform-provider-ciscoise; try again with that version and let us know if it works for you.

chetanph commented 2 years ago

Hi @fmunozmiranda, this issue is cleared as well. Destroy worked fine without any errors. Appreciate your help!!

fmunozmiranda commented 2 years ago

Happy to help @chetanph.