CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

Resource 'ciscoise_network_access_policy_set' returns 400 error #67

Closed aussietexan closed 1 year ago

aussietexan commented 1 year ago

Environment:
ISE version and patch: ISE 3.1 patch 4
Terraform version: 1.3.1
ISE provider version: 0.6.10-beta
OS version: MacOS 12.6

Describe the bug

When using the 'ciscoise_network_access_policy_set' resource to create a Policy Set with a nested AND block, the following 400 error is returned.

As there is no example of this type of configuration, I'm not sure if this is a bug in the TF resource or if my example code is written incorrectly.

Error

│ Error: Failure when executing CreateNetworkAccessPolicySet
│ 
│   with ciscoise_network_access_policy_set.wired-mm-test,
│   on policy.tf line 274, in resource "ciscoise_network_access_policy_set" "wired-mm-test":
│  274: resource "ciscoise_network_access_policy_set" "wired-mm-test" {
│ 
│ error with operation CreateNetworkAccessPolicySet
│ {
│   "message" : "request has bad input format in the body",
│   "code" : 400
│ }

TF code example

resource "ciscoise_network_access_policy_set" "wired-mm-test" {
  provider = ciscoise.ise31-2
  depends_on = [
    ciscoise_network_device_group.ndg_mm
  ]
  parameters {

    condition {
      condition_type = "andBlock"
      is_negate = "false"
      children {
        dictionary_name  = "Radius"
        attribute_name  = "NAS-Port-Type"
        operator = "equals"
        attribute_value = "Ethernet"
      }
      children {
        dictionary_name  = "DEVICE"
        attribute_name  = "Deployment Stage"
        operator = "equals"
        attribute_value = "Deployment Stage#Monitor Mode"
      }
    }
    default     = "false"
    description = "Wired Monitor Mode TEST"
    is_proxy    = "false"
    name         = "Wired_MM_TEST"
    rank         = 0
    service_name = ciscoise_allowed_protocols.mab-eaptls.item[0].name
    state        = "enabled"
  }
}

API GET response for the same Policy Set configured from the GUI

{
    "version": "1.0.0",
    "response": {
        "default": false,
        "id": "b8731cac-dba3-43bc-ac2b-f3205e01e8c1",
        "name": "Wired_MM",
        "description": null,
        "hitCounts": 0,
        "rank": 0,
        "state": "enabled",
        "condition": {
            "link": null,
            "conditionType": "ConditionAndBlock",
            "isNegate": false,
            "children": [
                {
                    "link": null,
                    "conditionType": "ConditionAttributes",
                    "isNegate": false,
                    "dictionaryName": "Radius",
                    "attributeName": "NAS-Port-Type",
                    "operator": "equals",
                    "dictionaryValue": null,
                    "attributeValue": "Ethernet"
                },
                {
                    "link": null,
                    "conditionType": "ConditionAttributes",
                    "isNegate": false,
                    "dictionaryName": "DEVICE",
                    "attributeName": "Deployment Stage",
                    "operator": "equals",
                    "dictionaryValue": null,
                    "attributeValue": "Deployment Stage#Monitor Mode"
                }
            ]
        },
        "serviceName": "MAB_EAP-TLS",
        "isProxy": false,
        "link": {
            "rel": "self",
            "href": "https://ise31-2.ise.domain.com/api/v1/policy/network-access/policy-set/b8731cac-dba3-43bc-ac2b-f3205e01e8c1",
            "type": "application/json"
        }
    }
}

aussietexan commented 1 year ago

Hi @fmunozmiranda. I tried creating the above Policy Set after updating to the 0.6.11-beta using the following code block and it still throws a 400 error.

TF Code

resource "ciscoise_network_access_policy_set" "wired-mm-test" {
  provider = ciscoise.ise31-2
  depends_on = [
    ciscoise_network_device_group.ndg_mm
  ]
  parameters {
    default     = "false"
    name         = "Wired_MM_TEST"
    description = "Wired Monitor Mode TEST"
    rank         = 0
    is_proxy    = "false"
    service_name = "MAB_EAP-TLS"
    state        = "enabled"
    condition {
      condition_type = "andBlock"
      is_negate = "false"
      children {
        condition_type = "ConditionAttrs"
        is_negate = "false"
        dictionary_name  = "Radius"
        attribute_name  = "NAS-Port-Type"
        operator = "equals"
        attribute_value = "Ethernet"
      }
      children {
        condition_type = "ConditionAttrs"
        is_negate = "false"
        dictionary_name  = "DEVICE"
        attribute_name  = "Deployment Stage"
        operator = "equals"
        attribute_value = "Deployment Stage#Monitor Mode"
      }
    }
  }
}

If the code format/syntax I am using is not correct, can you suggest what my TF resource block should look like to create the same policy set as per this API request body that returns a 201 Created response?

API Body

{
        "default": false,
        "name": "Wired_MM",
        "description": null,
        "rank": 0,
        "state": "enabled",
        "condition": {
            "link": null,
            "conditionType": "ConditionAndBlock",
            "isNegate": false,
            "children": [
                {
                    "link": null,
                    "conditionType": "ConditionAttributes",
                    "isNegate": false,
                    "dictionaryName": "Radius",
                    "attributeName": "NAS-Port-Type",
                    "operator": "equals",
                    "dictionaryValue": null,
                    "attributeValue": "Ethernet"
                },
                {
                    "link": null,
                    "conditionType": "ConditionAttributes",
                    "isNegate": false,
                    "dictionaryName": "DEVICE",
                    "attributeName": "Deployment Stage",
                    "operator": "equals",
                    "dictionaryValue": null,
                    "attributeValue": "Deployment Stage#Monitor Mode"
                }
            ]
        },
        "serviceName": "MAB_EAP-TLS",
        "isProxy": false
    }

fmunozmiranda commented 1 year ago

Hey @aussietexan, I think the problem is in your condition_type values; it seems that the accepted values are:

ConditionAttributes
ConditionAndBlock
ConditionOrBlock

Could you test with those changes?

aussietexan commented 1 year ago

Hi @fmunozmiranda, I tested using those values and the resource worked. Please update the documentation as per Issue #68.

fmunozmiranda commented 1 year ago

I will update the documentation in the next release, thanks for reporting it @aussietexan.
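
Added example, not part of the thread and not the provider's own code: a pre-apply check in Python that walks a policy-set condition tree and flags every type outside the three accepted values listed above, so the mistake surfaces before ISE answers with a generic 400. The function name and the dict shapes are assumptions made for this example; the sample trees are transcribed from the thread and reduced to the fields the check reads.

```python
# Accepted conditionType values, as listed by the maintainer in this thread.
ACCEPTED = ("ConditionAttributes", "ConditionAndBlock", "ConditionOrBlock")


def find_bad_condition_types(node, path="condition"):
    """Hypothetical helper: return (path, value) for every node in a
    condition tree whose type is not accepted. Reads either the API key
    (conditionType) or the Terraform attribute name (condition_type)."""
    found = []
    ctype = node.get("conditionType", node.get("condition_type"))
    # Assumption: a node with no type at all is reported as well, because
    # every node in the working API body carries one.
    if ctype not in ACCEPTED:
        found.append((path, ctype))
    # Recurse into nested blocks; leaf attribute conditions have no children.
    for i, child in enumerate(node.get("children") or []):
        found.extend(find_bad_condition_types(child, f"{path}.children[{i}]"))
    return found


# Condition from the second Terraform attempt in the thread (returned 400).
SECOND_ATTEMPT = {
    "condition_type": "andBlock",
    "children": [
        {"condition_type": "ConditionAttrs", "attribute_name": "NAS-Port-Type"},
        {"condition_type": "ConditionAttrs", "attribute_name": "Deployment Stage"},
    ],
}

# Condition from the API body in the thread that returned 201 Created.
WORKING_BODY = {
    "conditionType": "ConditionAndBlock",
    "children": [
        {"conditionType": "ConditionAttributes", "attributeName": "NAS-Port-Type"},
        {"conditionType": "ConditionAttributes", "attributeName": "Deployment Stage"},
    ],
}

if __name__ == "__main__":
    for label, tree in (("second attempt", SECOND_ATTEMPT), ("API body", WORKING_BODY)):
        bad = find_bad_condition_types(tree)
        print(label, "->", bad or "ok")
```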