F5Networks / terraform-provider-bigip

Terraform resources that can configure F5 BIG-IP products
https://registry.terraform.io/providers/F5Networks/bigip/latest/docs
Mozilla Public License 2.0

RFE: add HSTS support in resource bigip_ltm_profile_http #834

Closed amolari closed 10 months ago

amolari commented 1 year ago

Is your feature request related to a problem? Please describe.

The resource bigip_ltm_profile_http currently doesn't support attributes to configure the HSTS settings.

Describe the solution you'd like

We want to be able to configure HTTP profiles with specific settings for HSTS:

Describe alternatives you've considered

Current workaround is to use iRules.

Additional context

K40243113: Overview of the HTTP profile

pgouband commented 1 year ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1249.

amolari commented 11 months ago

@RavinderReddyF5 @pgouband Hi, testing v1.20.0 for this feature... the results are not good. You've mixed up Mode and Preload here: https://github.com/F5Networks/terraform-provider-bigip/blob/6825bae5b8bb293d7298ea228accc02be3889c6f/bigip/resource_bigip_ltm_profile_http.go#L491-L495

If I have my profile configured with this:

  http_strict_transport_security {
    mode = "enabled"
    # preload = "disabled" -- default
    # include_subdomains = "enabled" --default
    maximum_age = 160704
  }

Then my plan/apply will be stuck/repeat to this:

  # bigip_ltm_profile_http.http_full will be updated in-place
  ~ resource "bigip_ltm_profile_http" "http_full" {
        id                         = "/Common/http-full"
        name                       = "/Common/http-full"
        # (5 unchanged attributes hidden)

      - http_strict_transport_security {
          - include_subdomains = "enabled" -> null
          - maximum_age        = 160704 -> null
          - mode               = "disabled" -> null
          - preload            = "enabled" -> null
        }
      + http_strict_transport_security {
          + include_subdomains = "enabled"
          + maximum_age        = 160704
          + mode               = "enabled"
          + preload            = "disabled"
        }

        # (1 unchanged block hidden)
    }

result => on the BIGIP, the result is the opposite of what I want, as it shows mode=disabled and preload=enabled

Further remarks/questions:

  1. why use string values "enabled" / "disabled" where booleans true / false would make sense?
  2. why set a default value in the bigip configuration? If I do not set the value for an attribute in my TF code, it should not be set (hence having its default value) in the BIGIP profile. Example here with the code above: I have not set include_subdomains. Looking at the UI, I will have the checkbox on the right enabled (with include_subdomains=enabled) although I haven't set it (and didn't need to, as its default value is "enabled")
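
As an added illustration (not the provider's own code), a Go round-trip check of the kind that catches a flatten/expand mismatch such as the mode/preload swap described above: the struct and function names are hypothetical, and the sample block uses the values from the config in this comment.

```go
package main

import (
	"fmt"
	"sort"
)

// hstsAPI stands in for the HSTS part of a BIG-IP HTTP profile as a provider
// would send it to the API (hypothetical struct, not the provider's own type).
type hstsAPI struct {
	Mode, Preload, IncludeSubdomains string
	MaximumAge                       int
}

// expandHSTS turns the Terraform block (attribute name -> value) into the API object.
func expandHSTS(block map[string]interface{}) hstsAPI {
	return hstsAPI{
		Mode:              block["mode"].(string),
		Preload:           block["preload"].(string),
		IncludeSubdomains: block["include_subdomains"].(string),
		MaximumAge:        block["maximum_age"].(int),
	}
}

// flattenHSTSBuggy models the defect reported above: mode and preload are
// written back into each other's attribute, so state never matches config.
func flattenHSTSBuggy(h hstsAPI) map[string]interface{} {
	return map[string]interface{}{"mode": h.Preload, "preload": h.Mode,
		"include_subdomains": h.IncludeSubdomains, "maximum_age": h.MaximumAge}
}

// flattenHSTS is the correct mapping back to Terraform attributes.
func flattenHSTS(h hstsAPI) map[string]interface{} {
	return map[string]interface{}{"mode": h.Mode, "preload": h.Preload,
		"include_subdomains": h.IncludeSubdomains, "maximum_age": h.MaximumAge}
}

// roundTripDiff returns the attributes whose value differs after expand -> flatten.
// A non-empty result is exactly what surfaces as a perpetual in-place update in plan.
func roundTripDiff(block map[string]interface{}, flatten func(hstsAPI) map[string]interface{}) []string {
	got := flatten(expandHSTS(block))
	var diff []string
	for k, v := range block {
		if got[k] != v {
			diff = append(diff, k)
		}
	}
	sort.Strings(diff)
	return diff
}

func main() {
	block := map[string]interface{}{"mode": "enabled", "preload": "disabled",
		"include_subdomains": "enabled", "maximum_age": 160704} // constructed sample
	fmt.Println(roundTripDiff(block, flattenHSTSBuggy)) // [mode preload]
	fmt.Println(roundTripDiff(block, flattenHSTS))      // []
}
```

Running the same check against the real flatten and expand functions in an acceptance or unit test is what turns a "plan keeps changing" report into a failing build before release.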

amolari commented 11 months ago

@RavinderReddyF5 @pgouband Additional issue with v1.20.0... If I comment out my config block:

#  http_strict_transport_security {
#    mode = "enabled"
#    #preload = "disabled" --default
#    #include_subdomains = "enabled" --default
#    maximum_age = 160704
#  }

Then running the plan shows it will be changed:

  # bigip_ltm_profile_http.http_full will be updated in-place
  ~ resource "bigip_ltm_profile_http" "http_full" {
        id                         = "/Common/http-full"
        name                       = "/Common/http-full"
        # (5 unchanged attributes hidden)

      - http_strict_transport_security {
          - include_subdomains = "enabled" -> null
          - maximum_age        = 160704 -> null
          - mode               = "disabled" -> null
          - preload            = "enabled" -> null
        }

        # (1 unchanged block hidden)
    }

Apply also shows the change, and further plans do not show any changes. However, looking at the HTTP profile on the BIGIP, the settings are still present.

pgouband commented 11 months ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1346.

pgouband commented 11 months ago

Hi @amolari,

You can use the following line to get back to default value: preload = "default-value"

Terraform resources follow the tmsh design, so it's working as expected.

prateekramani commented 10 months ago

Hi @amolari,