search

CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License
10 stars 4 forks source link

Idempotence issue with 'ciscoise_active_directory' resource #62

Closed aussietexan closed 2 years ago

aussietexan commented 2 years ago

Environment:

ISE version and patch: ISE 3.1 patch 3
Terraform version: 1.3.1
ISE provider version: 0.6.9-beta
OS version: MacOS 12.6

Describe the bug Using the resource 'ciscoise_active_directory' with the required parameters works as expected to create an AD Join Point, but any subsequent 'terraform apply' operation results in the below error. Even running 'terraform apply' directly after the initial resource creation with no changes to the terraform code results in the same error.

Error

Terraform will perform the following actions:

  # ciscoise_active_directory.tui-ad will be updated in-place
  ~ resource "ciscoise_active_directory" "tui-ad" {
        id   = "id:=75b691f0-4e9b-11ed-beb0-56d4acca1b2a\\name:=TUI-AD"
        # (1 unchanged attribute hidden)

      ~ parameters {
            id                         = "75b691f0-4e9b-11ed-beb0-56d4acca1b2a"
            name                       = "TUI-AD"
            # (4 unchanged attributes hidden)

          ~ ad_attributes {
              + attributes {}
            }

          ~ adgroups {
              + groups {}
            }

            # (1 unchanged block hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.
ciscoise_active_directory.tui-ad: Modifying... [id=id:=75b691f0-4e9b-11ed-beb0-56d4acca1b2a\name:=TUI-AD]
╷
│ Error: Failure when executing LoadGroupsFromDomain
│ 
│   with ciscoise_active_directory.tui-ad,
│   on ad_join.tf line 23, in resource "ciscoise_active_directory" "tui-ad":
│   23: resource "ciscoise_active_directory" "tui-ad" {
│ 
│ error with operation LoadGroupsFromDomain
│ {
│   "ERSResponse" : {
│     "operation" : "PUT-ADD_GROUPS-activedirectory",
│     "messages" : [ {
│       "title" : "Validation Error - Mandatory fields missing: [Attribute name can not be null or empty, Group name can not be null or empty, Group sid can not be null or empty]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://192.168.222.54:9060/ers/config/activedirectory/75b691f0-4e9b-11ed-beb0-56d4acca1b2a/addGroups",
│       "type" : "application/xml"
│     }
│   }
│ }

Code block

resource "ciscoise_active_directory" "tui-ad" {
  provider = ciscoise.ise31-2
  parameters {

    ad_attributes {

      attributes {}
    }
    ad_scopes_names = "Default_Scope"
    adgroups {

      groups { }
    }
    description              = ""
    domain                   = var.domain_name
    name                     = var.join_point_name
  }
}

Expected behavior Terraform state should take care of the idempotence, so 'terraform apply' should only update resources as needed.

fmunozmiranda commented 2 years ago

Hey @aussietexan if your parameter has no data, yo may don't put it, this may solve your problem:

resource "ciscoise_active_directory" "tui-ad" {
  provider = ciscoise
  parameters {

    ad_attributes {

      # attributes {}
    }
    ad_scopes_names = "Default_Scope"
    adgroups {

      # groups {}
    }
    description              = ""
    domain                   = var.domain_name
    name                     = var.join_point_name
  }
}

You can do it like this too:

resource "ciscoise_active_directory" "tui-ad" {
  provider = ciscoise
  parameters {

    # ad_attributes {

    #   # attributes {}
    # }
    ad_scopes_names = "Default_Scope"
    # adgroups {

    #   # groups {}
    # }
    description              = ""
    domain                   = var.domain_name
    name                     = var.join_point_name
  }
}
aussietexan commented 2 years ago

Hi @fmunozmiranda. Commenting out the groups field does fix the idempotence issue.

However, I've also found that the 'ciscoise_active_directory_get_groups_by_domain_info' data source does not appear to capture the group name correctly. Please tell me if I'm missing something.

TF code blocks

data "ciscoise_active_directory_get_groups_by_domain_info" "get_ad_groups" {
  provider = ciscoise.ise31-2
  id       = ciscoise_active_directory.tui-ad.parameters[0].id
  additional_data {

    name  = "domain"
    value = var.domain_name
  }
  additional_data {

    name  = "filter"
    value = "*Domain Computers*"
  }
}

output "ad_groups" {
  value = data.ciscoise_active_directory_get_groups_by_domain_info.get_ad_groups
}

Output

ad_groups = {
  "additional_data" = tolist([
    {
      "name" = "domain"
      "value" = "domain.com"
    },
    {
      "name" = "filter"
      "value" = "*Domain Computers*"
    },
  ])
  "id" = "1666148433"
  "item" = tolist([
    {
      "groups" = tolist([
        {
          "group_name" = ""
          "sid" = "S-1-5-21-3064845550-2309088537-4239914413-515"
          "type" = "GLOBAL"
        },
      ])
    },
  ])
}

API call response for '/ers/config/activedirectory/{{ad_id}}/getGroupsByDomain'

{
    "ERSActiveDirectoryGroups": {
        "groups": [
            {
                "name": "domain.com/Users/Domain Computers",
                "sid": "S-1-5-21-3064845550-2309088537-4239914413-515",
                "type": "GLOBAL"
            }
        ]
    }
}
fmunozmiranda commented 2 years ago

@aussietexan , could you please try it again with 0.6.10-beta a tell us if it now works for you?

aussietexan commented 2 years ago

Hi @fmunozmiranda. The updated code fixes the data source output and I was able to reference those values in another resource block. Thanks for the quick turnaround!

fmunozmiranda commented 2 years ago

Thank you for reporting, it helps us improve.