CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

Destroyed resource 'ciscoise_trusted_certificate_import' does not delete the certificate from ISE #59

Closed aussietexan closed 1 year ago

aussietexan commented 1 year ago

Environment:

ISE version and patch: ISE 3.1 patch 3
Terraform version: 1.2.3
ISE provider version: 0.6.8-beta
OS version: MacOS 12.6

Describe the bug Using the resource 'ciscoise_trusted_certificate_import' with the required parameters works as expected to import a CA certificate into the ISE Trusted Certificates store. When executing 'terraform destroy', however, only the Terraform state is destroyed. The destroy operation does not delete the certificate from ISE, even though there are no dependencies on that certificate. The admin is forced to log in to the ISE GUI and manually delete the certificate.

Deleting the certificate via the OpenAPI using the {id} parameter used by the API works correctly. https://developer.cisco.com/docs/identity-services-engine/v1/#!certificate-openapi

Expected behavior When destroying the resource, the DELETE API should be called to delete the certificate from ISE using the {id} parameter tracked by the TF state.

API 200 Response { "response": { "message": "Trusted certificate deleted successfully" }, "version": "1.0.1" }

fmunozmiranda commented 1 year ago

@aussietexan Could you please activate debug and pass me the answer, please?

To activate debug, please export these env variables:


set -x ISE_DEBUG 'true'
set -x TF_LOG 'DEBUG'
aussietexan commented 1 year ago

Hi Francisco,

Please find attached the output from ‘terraform destroy’ after enabling those debug env variables.

Please let me know if you need any additional info.

Thanks, Greg


@.*** ise-certificate]$ set -x ISE_DEBUG 'true'
@.*** ise-certificate]$ set -x TF_LOG 'DEBUG'

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

Terraform will perform the following actions:

ciscoise_system_certificate_import.admin-cert-ise31-2 will be destroyed

Plan: 0 to add, 0 to change, 2 to destroy.

Do you really want to destroy all resources? Terraform will destroy all your managed infrastructure, as shown above. There is no undo. Only 'yes' will be accepted to confirm.

Enter a value: yes

ciscoise_system_certificate_import.admin-cert-ise31-2: Destroying... [id=1665454629]
ciscoise_system_certificate_import.admin-cert-ise31-2: Destruction complete after 0s
ciscoise_trusted_certificate_import.root-ca-ise31-2: Destroying... [id=1665454628]
ciscoise_trusted_certificate_import.root-ca-ise31-2: Destruction complete after 0s

Destroy complete! Resources: 2 destroyed.

fmunozmiranda commented 1 year ago

Hey @aussietexan, as you can see in the documentation, this is not a complete resource; it just does the import action, so you can't handle it as a conventional resource:

Documentation:

https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs/resources/trusted_certificate_import

Maybe you can handle it with this resource; try it and let us know if it works for you:

Resource:

https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs/resources/trusted_certificate

aussietexan commented 1 year ago

Hi Francisco,

I did see the text in the ‘trusted_certificate’ documentation stating “This resource deletes a Trust Certificate from Trusted Certificate Store based on a given ID.” It’s not clear, however, how this resource can be used to trigger the DELETE API call.

Is there a ‘delete’ option for the ‘status’ parameter or how would the delete be done?

Thanks, Greg


fmunozmiranda commented 1 year ago

Here's a workaround:

resource "ciscoise_trusted_certificate_import" "example" {
  provider = ciscoise
  lifecycle {
    create_before_destroy = true
  }
  parameters {
    allow_basic_constraint_cafalse         = "false"
    allow_out_of_date_cert                 = "false"
    allow_sha1_certificates                = "false"
    data                                   = file("./file.pem")
    description                            = "string"
    name                                   = "Test"
    trust_for_certificate_based_admin_auth = "false"
    trust_for_cisco_services_auth          = "false"
    trust_for_client_auth                  = "false"
    trust_for_ise_auth                     = "false"
    validate_certificate_extensions        = "false"
  }
}

resource "ciscoise_trusted_certificate" "example" {
  provider = ciscoise
  parameters {
    id   = ciscoise_trusted_certificate_import.example.item[0].id
    name = "Test"
  }
}

With this you can handle certificates. Try it and tell us if it works for you.
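A small pre-destroy check built on the same idea, added here as an example and not part of the provider or this thread: it reads the JSON of `terraform show -json tfplan` and flags every `ciscoise_trusted_certificate_import` that no `ciscoise_trusted_certificate` references, since those CA certificates would stay trusted in ISE after a destroy. The sample plan is constructed, and the shape of the `references` lists (full chain including the bare resource address) is assumed from Terraform's plan JSON output.

```python
"""Flag ciscoise_trusted_certificate_import resources with no ciscoise_trusted_certificate
paired to them: on 'terraform destroy' those CA certificates stay trusted in ISE.
Input is the JSON from `terraform show -json tfplan` (root module only)."""
import json

IMPORT_TYPE = "ciscoise_trusted_certificate_import"
MANAGED_TYPE = "ciscoise_trusted_certificate"


def _references(expr):
    """Recursively collect every 'references' list in an expression tree."""
    if isinstance(expr, dict):
        found = list(expr.get("references", []))
        for value in expr.values():
            found.extend(_references(value))
        return found
    if isinstance(expr, list):
        return [ref for item in expr for ref in _references(item)]
    return []


def unmanaged_imports(plan_json):
    """Return addresses of import resources that no managed resource references."""
    resources = json.loads(plan_json)["configuration"]["root_module"]["resources"]
    imports = {r["address"] for r in resources if r["type"] == IMPORT_TYPE}
    covered = set()
    for res in resources:
        if res["type"] != MANAGED_TYPE:
            continue
        for ref in _references(res.get("expressions", {})):
            # Terraform emits the full chain, e.g. "<addr>.item[0].id" plus "<addr>";
            # matching on the address prefix covers both (assumed output shape).
            covered.update(a for a in imports if ref == a or ref.startswith(a + "."))
    return sorted(imports - covered)


# Constructed sample plan: the paired import from the workaround plus one orphan.
SAMPLE_PLAN = json.dumps({"configuration": {"root_module": {"resources": [
    {"address": "ciscoise_trusted_certificate_import.example", "type": IMPORT_TYPE,
     "expressions": {"parameters": [{"name": {"constant_value": "Test"}}]}},
    {"address": "ciscoise_trusted_certificate.example", "type": MANAGED_TYPE,
     "expressions": {"parameters": [{"id": {"references": [
         "ciscoise_trusted_certificate_import.example.item[0].id",
         "ciscoise_trusted_certificate_import.example"]}}]}},
    {"address": "ciscoise_trusted_certificate_import.orphan", "type": IMPORT_TYPE,
     "expressions": {}},
]}}})

if __name__ == "__main__":
    for addr in unmanaged_imports(SAMPLE_PLAN):
        print(f"WARNING: {addr} has no ciscoise_trusted_certificate; destroy leaves it in ISE")
```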

aussietexan commented 1 year ago

Hi @fmunozmiranda. I tested adding the "ciscoise_trusted_certificate" resource block (with the 0.6.9-beta version) and confirmed that the 'terraform destroy' does indeed delete the certificate from the ISE node.