CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

SGT is removed even if used #49

Open RyanMBess opened 1 year ago

RyanMBess commented 1 year ago

If you delete an SGT via the API it does not check if the SGT is used within ISE, it will just delete it. This is not the case if you attempt to delete the SGT via the GUI. The GUI won't let you delete the SGT if it's used within ISE.

Please update code to check if the SGT is used before deleting.

einarnn commented 1 year ago

@RyanMBess, this behavior is actually a deliberate design decision for the external API. When an authorized client asks for an SGT to be deleted, ISE will do so, as well as update the policy matrix to delete any cells that have the deleted SGT as either a row identifier or a column identifier. Without this behaviour a client would need to first delete all cell references before an SGT could be deleted. These guard rails are appropriate for the GUI, but not for an API.

An API client can check if an SGT is used in the matrix using queries like:

curl "https://ise.your.domain/ers/config/egressmatrixcell?filter=sgtDstName.EQ.Auditors" \
     -H 'Accept: application/json' \
     -u 'USER:PASSWORD'

curl "https://ise.your.domain/ers/config/egressmatrixcell?filter=sgtSrcName.EQ.Auditors" \
     -H 'Accept: application/json' \
     -u 'USER:PASSWORD'

These will tell you how many columns & rows your SGT is used in if you only want to delete unused SGTs.
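The two ERS queries above can be turned into a pre-delete guard that reproduces the GUI's "is this SGT referenced?" check on the client side. The script below is an added example, not code from the provider or from the comment authors; it assumes the ERS `SearchResult` envelope shape (`{"SearchResult": {"total": N, "resources": [...]}}`) and the `DELETE /ers/config/sgt/{id}` endpoint, and uses a constructed in-memory stand-in for ISE so it runs offline. The hostname, credentials and SGT names are placeholders.

```python
"""Guard an ISE SGT deletion with the egress matrix usage check from the comment above.

Added example (not part of terraform-provider-ciscoise). Assumed ERS response
shape: {"SearchResult": {"total": N, "resources": [...]}}; assumed delete
endpoint: DELETE /ers/config/sgt/{id}. Host and credentials are placeholders.
"""
import base64
import json
import urllib.parse
import urllib.request
from typing import Callable, Dict, Iterable, Tuple

# A matrix cell references an SGT either as its row (source) or its column
# (destination); these are the two ERS filter fields queried above.
SGT_FILTER_FIELDS = ("sgtSrcName", "sgtDstName")


def ers_search_url(base_url: str, field: str, sgt_name: str) -> str:
    """Build the egressmatrixcell search URL with an EQ filter on one field."""
    query = urllib.parse.urlencode({"filter": f"{field}.EQ.{sgt_name}"})
    return f"{base_url.rstrip('/')}/ers/config/egressmatrixcell?{query}"


def count_results(ers_json: Dict) -> int:
    """Read the match count from an ERS SearchResult envelope (assumed shape)."""
    return int(ers_json.get("SearchResult", {}).get("total", 0))


def sgt_cell_references(base_url: str, sgt_name: str,
                        fetch_json: Callable[[str], Dict]) -> Dict[str, int]:
    """Return {filter field: number of matrix cells} that name sgt_name."""
    return {
        field: count_results(fetch_json(ers_search_url(base_url, field, sgt_name)))
        for field in SGT_FILTER_FIELDS
    }


def sgt_is_unused(base_url: str, sgt_name: str,
                  fetch_json: Callable[[str], Dict]) -> bool:
    """True only when no cell uses the SGT as source or destination."""
    return sum(sgt_cell_references(base_url, sgt_name, fetch_json).values()) == 0


def delete_sgt_if_unused(base_url: str, sgt_name: str, sgt_id: str,
                         fetch_json: Callable[[str], Dict],
                         delete: Callable[[str], None]) -> bool:
    """GUI-style guard rail: only issue the DELETE when the usage check passes."""
    if any(sgt_cell_references(base_url, sgt_name, fetch_json).values()):
        return False  # referenced somewhere in the matrix, leave it alone
    delete(f"{base_url.rstrip('/')}/ers/config/sgt/{sgt_id}")
    return True


def basic_auth_fetcher(user: str, password: str) -> Callable[[str], Dict]:
    """GET-JSON fetcher for a live ERS node using HTTP basic auth (placeholder creds).

    TLS certificate verification is left at urllib's default (on); do not
    disable it to work around a self-signed ISE certificate, add the CA instead.
    """
    token = base64.b64encode(f"{user}:{password}".encode()).decode()

    def fetch_json(url: str) -> Dict:
        req = urllib.request.Request(url, headers={
            "Accept": "application/json",
            "Authorization": f"Basic {token}",
        })
        with urllib.request.urlopen(req, timeout=30) as resp:
            return json.load(resp)
    return fetch_json


def fetcher_from_cells(cells: Iterable[Tuple[str, str]]) -> Callable[[str], Dict]:
    """Constructed stand-in for ISE: answers the two filter queries from an
    in-memory list of (sgtSrcName, sgtDstName) pairs. Used for offline runs."""
    cells = list(cells)

    def fetch_json(url: str) -> Dict:
        filt = urllib.parse.parse_qs(urllib.parse.urlparse(url).query)["filter"][0]
        field, op, value = filt.split(".", 2)
        if op != "EQ" or field not in SGT_FILTER_FIELDS:
            raise ValueError(f"unsupported filter: {filt}")
        idx = SGT_FILTER_FIELDS.index(field)
        hits = [c for c in cells if c[idx] == value]
        return {"SearchResult": {"total": len(hits),
                                 "resources": [{"name": f"{s}-{d}"} for s, d in hits]}}
    return fetch_json


if __name__ == "__main__":
    # Constructed matrix: Auditors appears as a column twice and as a row once.
    fake_ise = fetcher_from_cells([("Employees", "Auditors"),
                                   ("Auditors", "Servers"),
                                   ("Guests", "Auditors")])
    base = "https://ise.example.com"  # placeholder host
    for name in ("Auditors", "Contractors"):
        refs = sgt_cell_references(base, name, fake_ise)
        print(name, refs, "safe to delete" if sgt_is_unused(base, name, fake_ise) else "in use")
```

To run this against a real deployment, swap `fake_ise` for `basic_auth_fetcher("USER", "PASSWORD")` and pass a small `delete` callable that sends the DELETE with the same headers; the guard then refuses to remove any SGT that still occupies a row or column, which is the behaviour the GUI enforces and the API deliberately does not.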

RyanMBess commented 1 year ago

@einarnn Thanks for your response. I've been thinking about the design decision and understand the choice. Is this design decision the same for any object created via the API with Terraform? Example, if I create a network location and I delete the network location, would it also then delete the switches assigned to that network location?

I'll need to mock up some other scenarios like this where I create the SGT via the API. I also create the Policy config via the API that assigns endpoints to a given Policy. Thus I have the SGT referenced in 2 different config files (1 that created the SGT and the 2nd that uses the SGT as part of a Policy assignment). I wonder what will happen if after I delete the SGT from the config that created it and then re-run the config that assigns the SGT in a policy. Struggling to understand how to use these tools for true IaC or if these sorts of tools are just one-time batch-script-like stuff to put configs into the system in bulk....