CiscoISE / terraform-provider-ciscoise

Terraform Provider for Cisco ISE
https://registry.terraform.io/providers/CiscoISE/ciscoise/latest/docs
MIT License

No request_basic_pwd_auth parameter available in ciscoise_allowed_protocols resource in teap block #99

Closed KubaMazurkiewicz closed 1 year ago

KubaMazurkiewicz commented 1 year ago


Describe the bug: The following TF code is not working:

resource "ciscoise_allowed_protocols" "example" {
  provider = ciscoise
  parameters {

    allow_chap                   = "false"
    allow_eap_fast               = "false"
    allow_eap_md5                = "false"
    allow_eap_tls                = "true"
    allow_eap_ttls               = "false"
    allow_leap                   = "false"
    allow_ms_chap_v1             = "false"
    allow_ms_chap_v2             = "false"
    allow_pap_ascii              = "false"
    allow_peap                   = "false"
    allow_preferred_eap_protocol = "false"
    allow_teap                   = "true"
    allow_weak_ciphers_for_eap   = "false"
    description                  = "string"

    eap_tls {

      allow_eap_tls_auth_of_expired_certs     = "false"
      eap_tls_enable_stateless_session_resume = "false"
    }
    eap_tls_l_bit = "false"

    name                 = "Test01"
    process_host_lookup  = "false"
    require_message_auth = "false"
    teap {

      accept_client_cert_during_tunnel_est         = "false"
      allow_downgrade_msk                          = "false"
      allow_teap_eap_ms_chap_v2                    = "true"
      allow_teap_eap_ms_chap_v2_pwd_change         = "false"
      allow_teap_eap_ms_chap_v2_pwd_change_retries = 1
      allow_teap_eap_tls                           = "true"
      allow_teap_eap_tls_auth_of_expired_certs     = "false"
      enable_eap_chaining                          = "false"
      request_basic_pwd_auth                       = "false"
    }
  }
}

I'm getting error:

➜  bugs_ise git:(allowed_protocols) ✗ terraform apply          
╷
│ Error: Unsupported argument
│ 
│   on main.tf line 40, in resource "ciscoise_allowed_protocols" "example":
│   40:       request_basic_pwd_auth                       = "false"
│ 
│ An argument named "request_basic_pwd_auth" is not expected here.

Looks like this parameter is mandatory, because when I try the following code (without this parameter) I'm getting this error:

code:

resource "ciscoise_allowed_protocols" "example" {
  provider = ciscoise
  parameters {

    allow_chap                   = "false"
    allow_eap_fast               = "false"
    allow_eap_md5                = "false"
    allow_eap_tls                = "true"
    allow_eap_ttls               = "false"
    allow_leap                   = "false"
    allow_ms_chap_v1             = "false"
    allow_ms_chap_v2             = "false"
    allow_pap_ascii              = "false"
    allow_peap                   = "false"
    allow_preferred_eap_protocol = "false"
    allow_teap                   = "true"
    allow_weak_ciphers_for_eap   = "false"
    description                  = "string"

    eap_tls {

      allow_eap_tls_auth_of_expired_certs     = "false"
      eap_tls_enable_stateless_session_resume = "false"
    }
    eap_tls_l_bit = "false"

    name                 = "Test01"
    process_host_lookup  = "false"
    require_message_auth = "false"
    teap {

      accept_client_cert_during_tunnel_est         = "false"
      allow_downgrade_msk                          = "false"
      allow_teap_eap_ms_chap_v2                    = "true"
      allow_teap_eap_ms_chap_v2_pwd_change         = "false"
      allow_teap_eap_ms_chap_v2_pwd_change_retries = 1
      allow_teap_eap_tls                           = "true"
      allow_teap_eap_tls_auth_of_expired_certs     = "false"
      enable_eap_chaining                          = "false"
      #request_basic_pwd_auth                       = "false"
    }
  }
}

error:

➜  bugs_ise git:(allowed_protcols) ✗ terraform apply

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # ciscoise_allowed_protocols.example will be created
  + resource "ciscoise_allowed_protocols" "example" {
      + id           = (known after apply)
      + item         = (known after apply)
      + last_updated = (known after apply)

      + parameters {
          + allow_chap                   = "false"
          + allow_eap_fast               = "false"
          + allow_eap_md5                = "false"
          + allow_eap_tls                = "true"
          + allow_eap_ttls               = "false"
          + allow_leap                   = "false"
          + allow_ms_chap_v1             = "false"
          + allow_ms_chap_v2             = "false"
          + allow_pap_ascii              = "false"
          + allow_peap                   = "false"
          + allow_preferred_eap_protocol = "false"
          + allow_teap                   = "true"
          + allow_weak_ciphers_for_eap   = "false"
          + description                  = "string"
          + eap_tls_l_bit                = "false"
          + id                           = (known after apply)
          + link                         = (known after apply)
          + name                         = "Test01"
          + preferred_eap_protocol       = (known after apply)
          + process_host_lookup          = "false"
          + require_message_auth         = "false"

          + eap_tls {
              + allow_eap_tls_auth_of_expired_certs     = "false"
              + eap_tls_enable_stateless_session_resume = "false"
              + eap_tls_session_ticket_precentage       = (known after apply)
              + eap_tls_session_ticket_ttl              = (known after apply)
              + eap_tls_session_ticket_ttl_units        = (known after apply)
            }

          + teap {
              + accept_client_cert_during_tunnel_est         = "false"
              + allow_downgrade_msk                          = "false"
              + allow_teap_eap_ms_chap_v2                    = "true"
              + allow_teap_eap_ms_chap_v2_pwd_change         = "false"
              + allow_teap_eap_ms_chap_v2_pwd_change_retries = 1
              + allow_teap_eap_tls                           = "true"
              + allow_teap_eap_tls_auth_of_expired_certs     = "false"
              + enable_eap_chaining                          = "false"
            }
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

ciscoise_allowed_protocols.example: Creating...
╷
│ Error: Failure when executing CreateAllowedProtocol
│ 
│   with ciscoise_allowed_protocols.example,
│   on main.tf line 1, in resource "ciscoise_allowed_protocols" "example":
│    1: resource "ciscoise_allowed_protocols" "example" {
│ 
│ error with operation CreateAllowedProtocol
│ {
│   "ERSResponse" : {
│     "operation" : "POST-create-allowedprotocols",
│     "messages" : [ {
│       "title" : "Validation Error - Mandatory fields missing: [Teap is allowed but the following field is missing: RequestBasicPwdAuth]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://10.48.190.181:9060/ers/config/allowedprotocols",
│       "type" : "application/xml"
│     }
│   }
│ }

Expected behavior: In the ERS API I can create allowed_protocols with requestBasicPwdAuth:

POST: https://10.48.190.181/ers/config/allowedprotocols

Body:

{
  "AllowedProtocols": {
    "name": "Test01",
    "description": "string",
    "teap": {
      "allowTeapEapMsChapV2": true,
      "allowTeapEapMsChapV2PwdChange": false,
      "allowTeapEapMsChapV2PwdChangeRetries": 1,
      "allowTeapEapTls": true,
      "allowTeapEapTlsAuthOfExpiredCerts": false,
      "acceptClientCertDuringTunnelEst": false,
      "enableEapChaining": false,
      "allowDowngradeMsk": false,
      "requestBasicPwdAuth" : false
    },
    "eapTls": {
      "allowEapTlsAuthOfExpiredCerts" : "false",
      "eapTlsEnableStatelessSessionResume" : "false"
    },
    "processHostLookup": false,
    "allowPapAscii": false,
    "allowChap": false,
    "allowMsChapV1": false,
    "allowMsChapV2": false,
    "allowEapMd5": false,
    "allowLeap": false,
    "allowEapTls": true,
    "allowEapTtls": false,
    "allowEapFast": false,
    "allowPeap": false,
    "allowTeap": true,
    "allowPreferredEapProtocol": false,
    "eapTlsLBit": false,
    "allowWeakCiphersForEap": false,
    "requireMessageAuth": false
  }
}

Result: 201 Created


fmunozmiranda commented 1 year ago

@KubaMazurkiewicz, the parameter was included in the new version. Could you help us communicate with Cisco so that this parameter gets included in the documentation, since it does not appear there?

Please try again with the new version.

kuba-mazurkiewicz commented 1 year ago

@fmunozmiranda it looks like there is an issue in the ERS API for ISE version 3.1 (CSCwd34564 ISE 3.1: Cannot create Allowed Protocols with TEAP using ERS API due to 'RequestBasicPwdAuth' error).

Even though you added this parameter in the new Terraform provider version, state handling doesn't work as expected, because Terraform refreshes the state of the object using a GET request, and in the GET response this requestBasicPwdAuth parameter under teap does not exist:

~~~ RESPONSE ~~~
STATUS       : 200
PROTO        : HTTP/1.1
RECEIVED AT  : 2023-07-28T12:10:37.666838+02:00
TIME DURATION: 272.423167ms
HEADERS      :
   Cache-Control: no-cache, no-store, must-revalidate
   Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
   Content-Type: application/json;charset=utf-8
   Date: Fri, 28 Jul 2023 09:57:34 GMT
   Etag: "106F59067EFDE573965D40CA00C9C832"
   Expires: Thu, 01 Jan 1970 00:00:00 GMT
   Pragma: no-cache
   Server:
   Set-Cookie: JSESSIONIDSSO=DA17D2A15FB498564B4A4E28A3E6E409; Path=/; Secure; HttpOnly, APPSESSIONID=F4E31CDF75BA92BBFFF7B6F94D58627F; Path=/ers; Secure; HttpOnly
   Strict-Transport-Security: max-age=31536000; includeSubDomains
   X-Content-Security-Policy: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
   X-Content-Type-Options: nosniff
   X-Frame-Options: SAMEORIGIN
   X-Webkit-Csp: default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; img-src 'self' data:;
   X-Xss-Protection: 1; mode=block
BODY         :
{
   "AllowedProtocols": {
      "id": "0f9ec0d0-2d2b-11ee-bf2c-ca44e3c393f8",
      "name": "Test22",
      "description": "string",
      "eapTls": {
         "allowEapTlsAuthOfExpiredCerts": false,
         "eapTlsEnableStatelessSessionResume": false
      },
      "teap": {
         "allowTeapEapMsChapV2": true,
         "allowTeapEapMsChapV2PwdChange": false,
         "allowTeapEapMsChapV2PwdChangeRetries": 1,
         "allowTeapEapTls": true,
         "allowTeapEapTlsAuthOfExpiredCerts": true,
         "acceptClientCertDuringTunnelEst": false,
         "enableEapChaining": true,
         "allowDowngradeMsk": true
      },
      "processHostLookup": false,
      "allowPapAscii": false,
      "allowChap": false,
      "allowMsChapV1": false,
      "allowMsChapV2": false,
      "allowEapMd5": false,
      "allowLeap": false,
      "allowEapTls": true,
      "allowEapTtls": false,
      "allowEapFast": false,
      "allowPeap": false,
      "allowTeap": true,
      "allowPreferredEapProtocol": false,
      "eapTlsLBit": false,
      "allowWeakCiphersForEap": false,
      "requireMessageAuth": false,
      "link": {
         "rel": "self",
         "href": "https://10.48.190.181:9060/ers/config/allowedprotocols/0f9ec0d0-2d2b-11ee-bf2c-ca44e3c393f8",
         "type": "application/json"
      }
   }
}

So every time I run terraform plan it shows that there would be a change in this parameter:

✗ terraform plan 
ciscoise_allowed_protocols.example: Refreshing state... [id=id:=c96b93f0-37ab-11ee-bf2c-ca44e3c393f8\name:=Test02]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # ciscoise_allowed_protocols.example will be updated in-place
  ~ resource "ciscoise_allowed_protocols" "example" {
        id           = "id:=c96b93f0-37ab-11ee-bf2c-ca44e3c393f8\\name:=Test02"
        # (2 unchanged attributes hidden)

      ~ parameters {
            id                           = "c96b93f0-37ab-11ee-bf2c-ca44e3c393f8"
            name                         = "Test02"
            # (18 unchanged attributes hidden)

          ~ teap {
              + request_basic_pwd_auth                       = "false"
                # (8 unchanged attributes hidden)
            }

            # (1 unchanged block hidden)
        }
    }

Plan: 0 to add, 1 to change, 0 to destroy.

I have no idea what this RequestBasicPwdAuth parameter is, because I cannot configure this parameter via the GUI.

When I was digging more into the API, it turned out that this issue CSCwd34564 was fixed in ISE version 3.2, and in teap there is no need to use this parameter. Of course allowed_protocols in TF doesn't work with 3.2 because there is some new mandatory parameter in the ERS API called FiveG which is not in the TF provider schema.

Which brings up the same topic as in issue 98: there should be a Terraform provider release for ISE version 3.2, especially now that 3.2 was marked by Cisco as the suggested release, and there are substantial changes in the API.
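The perpetual plan diff described in the comment above comes from a field that the create call (POST) requires but the read call (GET) never returns, so Terraform's refresh can never reconcile it. The following is an added example, not code from the provider, the issue or Cisco: it takes the create body quoted in this thread, builds a constructed read response with the same field set as the GET response ISE 3.1 returned (server-generated id and link added, teap.requestBasicPwdAuth absent, booleans echoed as real booleans), and classifies every field as write-only, read-only or changed. The id value, the hostname in the link and the helper names are assumptions made for the example.

```python
"""
Round-trip check for write-only REST fields (added example, not code from the
provider or the issue). A field the create call demands but the read call never
echoes back cannot be reconciled by Terraform's refresh, so a provider that
stores it re-plans it on every run. Diffing the create body against the read
body exposes such fields before they are wired into a provider schema.
"""
import copy
import json

# Create body, copied from the POST quoted in the issue (constructed fixture).
POST_BODY = {
    "AllowedProtocols": {
        "name": "Test01",
        "description": "string",
        "teap": {
            "allowTeapEapMsChapV2": True,
            "allowTeapEapMsChapV2PwdChange": False,
            "allowTeapEapMsChapV2PwdChangeRetries": 1,
            "allowTeapEapTls": True,
            "allowTeapEapTlsAuthOfExpiredCerts": False,
            "acceptClientCertDuringTunnelEst": False,
            "enableEapChaining": False,
            "allowDowngradeMsk": False,
            "requestBasicPwdAuth": False,
        },
        # The issue's POST sends these two as strings; the GET returns booleans.
        "eapTls": {
            "allowEapTlsAuthOfExpiredCerts": "false",
            "eapTlsEnableStatelessSessionResume": "false",
        },
        "processHostLookup": False,
        "allowPapAscii": False,
        "allowChap": False,
        "allowMsChapV1": False,
        "allowMsChapV2": False,
        "allowEapMd5": False,
        "allowLeap": False,
        "allowEapTls": True,
        "allowEapTtls": False,
        "allowEapFast": False,
        "allowPeap": False,
        "allowTeap": True,
        "allowPreferredEapProtocol": False,
        "eapTlsLBit": False,
        "allowWeakCiphersForEap": False,
        "requireMessageAuth": False,
    }
}


def normalise(value):
    """Coerce "true"/"false" strings to bool so type-only differences vanish."""
    if isinstance(value, str) and value.lower() in ("true", "false"):
        return value.lower() == "true"
    return value


def flatten(obj, prefix=""):
    """Flatten nested dicts into dotted paths, e.g. teap.requestBasicPwdAuth."""
    out = {}
    for key, value in obj.items():
        path = f"{prefix}.{key}" if prefix else key
        if isinstance(value, dict):
            out.update(flatten(value, path))
        else:
            out[path] = normalise(value)
    return out


def simulated_ise_31_read(post_body):
    """Constructed GET response (assumption, not a captured reply): same field
    set as the ISE 3.1 response in the issue, with server-generated id and
    link added, teap.requestBasicPwdAuth dropped, and string booleans echoed
    back as real booleans."""
    body = copy.deepcopy(post_body)
    ap = body["AllowedProtocols"]
    ap["teap"].pop("requestBasicPwdAuth", None)
    ap["eapTls"] = {k: normalise(v) for k, v in ap["eapTls"].items()}
    ap["id"] = "00000000-0000-0000-0000-000000000000"  # placeholder id
    ap["link"] = {  # placeholder hostname
        "rel": "self",
        "href": "https://ise.example:9060/ers/config/allowedprotocols/" + ap["id"],
        "type": "application/json",
    }
    return body


def round_trip_report(request, response, wrapper="AllowedProtocols"):
    """Classify fields by whether they survive a create/read round trip."""
    req = flatten(request[wrapper])
    resp = flatten(response[wrapper])
    return {
        # Accepted on create but never read back: Terraform re-plans these on
        # every refresh unless the provider suppresses the diff or drops them.
        "write_only": sorted(k for k in req if k not in resp),
        # Server-generated: these must be Computed in the provider schema.
        "read_only": sorted(k for k in resp if k not in req),
        # Round-tripped but with a different value after normalisation.
        "changed": sorted(k for k in req if k in resp and req[k] != resp[k]),
    }


if __name__ == "__main__":
    report = round_trip_report(POST_BODY, simulated_ise_31_read(POST_BODY))
    print(json.dumps(report, indent=2))
```

Against a live ISE node the two bodies would be the real POST payload and the JSON from the follow-up GET on the returned link; anything listed under write_only is a field the provider cannot store as a normal attribute without producing the plan shown above, and anything under read_only needs to be Computed. The normalise step matters because the POST in this thread sends "false" strings for the eapTls fields while the GET returns booleans, which a naive comparison would report as drift.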

KubaMazurkiewicz commented 1 year ago

Since request_basic_pwd_auth was removed in 3.2, I'm closing this issue.