F5Networks / terraform-provider-bigip

Terraform resources that can configure F5 BIG-IP products
https://registry.terraform.io/providers/F5Networks/bigip/latest/docs
Mozilla Public License 2.0

Issue with clientssl profile when using parent/child (defaults-from) #902

Closed amolari closed 9 months ago

amolari commented 11 months ago

Environment

Summary

I create a parent clientssl profile which has the tm_options and cipher_group set. Then a child clientssl profile which refers to the parent with defaults_from and sets a couple of other attributes (sni_default + sni_require). The resulting configuration on the BIG-IP is fine, but all consecutive plans show me a change of cipher_group to "none" (not expected), which doesn't change the effective BIG-IP configuration (fortunately).

Steps To Reproduce

Here's the TF code:

resource "bigip_ltm_profile_client_ssl" "reproclientssl_mozilla_tls12_only" {
  name          = "/Common/reproclientssl_mozilla_tls12_only"
  defaults_from = "/Common/clientssl"
  cipher_group  = "/Common/mozilla-tls12-gt"
  tm_options = [
    "dont-insert-empty-fragments",
    "no-ssl",
    "no-sslv3",
    "no-dtls",
    "no-tlsv1",
    "no-tlsv1.1",
    "no-tlsv1.3",
    "single-dh-use",
  ]
}

resource "bigip_ltm_profile_client_ssl" "t1_pfportalmo" {
  name          = "/Common/reproclientssl_t1_pfportalmo"
  defaults_from = bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only.name
  sni_default   = "true"
  sni_require   = "true"
}

Expected Behavior

The cipher_group is set from the parent profile as expected.

Actual Behavior

1st Plan:

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only will be created
  + resource "bigip_ltm_profile_client_ssl" "reproclientssl_mozilla_tls12_only" {
      + alert_timeout                       = (known after apply)
      + allow_non_ssl                       = (known after apply)
      + authenticate                        = (known after apply)
      + authenticate_depth                  = (known after apply)
      + c3d_client_fallback_cert            = (known after apply)
      + c3d_drop_unknown_ocsp_status        = (known after apply)
      + c3d_ocsp                            = (known after apply)
      + ca_file                             = (known after apply)
      + cache_size                          = (known after apply)
      + cache_timeout                       = (known after apply)
      + cert                                = (known after apply)
      + cert_extension_includes             = (known after apply)
      + cert_life_span                      = (known after apply)
      + cert_lookup_by_ipaddr_port          = (known after apply)
      + chain                               = (known after apply)
      + cipher_group                        = "/Common/mozilla-tls12-gt"
      + ciphers                             = (known after apply)
      + client_cert_ca                      = (known after apply)
      + crl_file                            = (known after apply)
      + defaults_from                       = "/Common/clientssl"
      + forward_proxy_bypass_default_action = (known after apply)
      + full_path                           = (known after apply)
      + generation                          = (known after apply)
      + generic_alert                       = (known after apply)
      + handshake_timeout                   = (known after apply)
      + id                                  = (known after apply)
      + inherit_cert_keychain               = (known after apply)
      + key                                 = (known after apply)
      + mod_ssl_methods                     = (known after apply)
      + mode                                = (known after apply)
      + name                                = "/Common/reproclientssl_mozilla_tls12_only"
      + ocsp_stapling                       = "disabled"
      + partition                           = (known after apply)
      + passphrase                          = (sensitive value)
      + peer_cert_mode                      = (known after apply)
      + proxy_ca_cert                       = (known after apply)
      + proxy_ca_key                        = (known after apply)
      + proxy_ca_passphrase                 = (known after apply)
      + proxy_ssl                           = (known after apply)
      + proxy_ssl_passthrough               = (known after apply)
      + renegotiate_period                  = (known after apply)
      + renegotiate_size                    = (known after apply)
      + renegotiation                       = (known after apply)
      + retain_certificate                  = (known after apply)
      + secure_renegotiation                = (known after apply)
      + server_name                         = (known after apply)
      + session_mirroring                   = (known after apply)
      + session_ticket                      = (known after apply)
      + sni_default                         = (known after apply)
      + sni_require                         = (known after apply)
      + ssl_c3d                             = (known after apply)
      + ssl_forward_proxy                   = (known after apply)
      + ssl_forward_proxy_bypass            = (known after apply)
      + ssl_sign_hash                       = (known after apply)
      + strict_resume                       = (known after apply)
      + tm_options                          = [
          + "dont-insert-empty-fragments",
          + "no-dtls",
          + "no-ssl",
          + "no-sslv3",
          + "no-tlsv1",
          + "no-tlsv1.1",
          + "no-tlsv1.3",
          + "single-dh-use",
        ]
      + unclean_shutdown                    = (known after apply)
    }

  # bigip_ltm_profile_client_ssl.t1_pfportalmo will be created
  + resource "bigip_ltm_profile_client_ssl" "t1_pfportalmo" {
      + alert_timeout                       = (known after apply)
      + allow_non_ssl                       = (known after apply)
      + authenticate                        = (known after apply)
      + authenticate_depth                  = (known after apply)
      + c3d_client_fallback_cert            = (known after apply)
      + c3d_drop_unknown_ocsp_status        = (known after apply)
      + c3d_ocsp                            = (known after apply)
      + ca_file                             = (known after apply)
      + cache_size                          = (known after apply)
      + cache_timeout                       = (known after apply)
      + cert                                = (known after apply)
      + cert_extension_includes             = (known after apply)
      + cert_life_span                      = (known after apply)
      + cert_lookup_by_ipaddr_port          = (known after apply)
      + chain                               = (known after apply)
      + cipher_group                        = "none"
      + ciphers                             = (known after apply)
      + client_cert_ca                      = (known after apply)
      + crl_file                            = (known after apply)
      + defaults_from                       = "/Common/reproclientssl_mozilla_tls12_only"
      + forward_proxy_bypass_default_action = (known after apply)
      + full_path                           = (known after apply)
      + generation                          = (known after apply)
      + generic_alert                       = (known after apply)
      + handshake_timeout                   = (known after apply)
      + id                                  = (known after apply)
      + inherit_cert_keychain               = (known after apply)
      + key                                 = (known after apply)
      + mod_ssl_methods                     = (known after apply)
      + mode                                = (known after apply)
      + name                                = "/Common/reproclientssl_t1_pfportalmo"
      + ocsp_stapling                       = "disabled"
      + partition                           = (known after apply)
      + passphrase                          = (sensitive value)
      + peer_cert_mode                      = (known after apply)
      + proxy_ca_cert                       = (known after apply)
      + proxy_ca_key                        = (known after apply)
      + proxy_ca_passphrase                 = (known after apply)
      + proxy_ssl                           = (known after apply)
      + proxy_ssl_passthrough               = (known after apply)
      + renegotiate_period                  = (known after apply)
      + renegotiate_size                    = (known after apply)
      + renegotiation                       = (known after apply)
      + retain_certificate                  = (known after apply)
      + secure_renegotiation                = (known after apply)
      + server_name                         = (known after apply)
      + session_mirroring                   = (known after apply)
      + session_ticket                      = (known after apply)
      + sni_default                         = "true"
      + sni_require                         = "true"
      + ssl_c3d                             = (known after apply)
      + ssl_forward_proxy                   = (known after apply)
      + ssl_forward_proxy_bypass            = (known after apply)
      + ssl_sign_hash                       = (known after apply)
      + strict_resume                       = (known after apply)
      + tm_options                          = (known after apply)
      + unclean_shutdown                    = (known after apply)
    }

Plan: 2 to add, 0 to change, 0 to destroy.

1st Apply:

bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only: Creating...
bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only: Creation complete after 1s [id=/Common/reproclientssl_mozilla_tls12_only]
bigip_ltm_profile_client_ssl.t1_pfportalmo: Creating...
bigip_ltm_profile_client_ssl.t1_pfportalmo: Creation complete after 1s [id=/Common/reproclientssl_t1_pfportalmo]

Apply complete! Resources: 2 added, 0 changed, 0 destroyed.

On the BIG-IP the config is as expected (settings on the child profile are correctly carried from the parent). The state is good too:

$ terraform state show bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only
# bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only:
resource "bigip_ltm_profile_client_ssl" "reproclientssl_mozilla_tls12_only" {
    cert_extension_includes = []
    cipher_group            = "/Common/mozilla-tls12-gt"
    defaults_from           = "/Common/clientssl"
    id                      = "/Common/reproclientssl_mozilla_tls12_only"
    name                    = "/Common/reproclientssl_mozilla_tls12_only"
    ocsp_stapling           = "disabled"
    partition               = "Common"
    tm_options              = [
        "dont-insert-empty-fragments",
        "no-dtls",
        "no-ssl",
        "no-sslv3",
        "no-tlsv1",
        "no-tlsv1.1",
        "no-tlsv1.3",
        "single-dh-use",
    ]
}
$ terraform state show bigip_ltm_profile_client_ssl.t1_pfportalmo
# bigip_ltm_profile_client_ssl.t1_pfportalmo:
resource "bigip_ltm_profile_client_ssl" "t1_pfportalmo" {
    cert_extension_includes = []
    cipher_group            = "/Common/mozilla-tls12-gt"
    defaults_from           = "/Common/reproclientssl_mozilla_tls12_only"
    id                      = "/Common/reproclientssl_t1_pfportalmo"
    name                    = "/Common/reproclientssl_t1_pfportalmo"
    ocsp_stapling           = "disabled"
    partition               = "Common"
    sni_default             = "true"
    sni_require             = "true"
    tm_options              = [
        "dont-insert-empty-fragments",
        "no-dtls",
        "no-ssl",
        "no-sslv3",
        "no-tlsv1",
        "no-tlsv1.1",
        "no-tlsv1.3",
        "single-dh-use",
    ]
}

Without any change, I do a plan/apply again:

$ terraform apply
bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only: Refreshing state... [id=/Common/reproclientssl_mozilla_tls12_only]
bigip_ltm_profile_client_ssl.t1_pfportalmo: Refreshing state... [id=/Common/reproclientssl_t1_pfportalmo]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # bigip_ltm_profile_client_ssl.t1_pfportalmo will be updated in-place
  ~ resource "bigip_ltm_profile_client_ssl" "t1_pfportalmo" {
      ~ cipher_group            = "/Common/mozilla-tls12-gt" -> "none"
        id                      = "/Common/reproclientssl_t1_pfportalmo"
        name                    = "/Common/reproclientssl_t1_pfportalmo"
        # (7 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Do you want to perform these actions?
  Terraform will perform the actions described above.
  Only 'yes' will be accepted to approve.

  Enter a value: yes

bigip_ltm_profile_client_ssl.t1_pfportalmo: Modifying... [id=/Common/reproclientssl_t1_pfportalmo]
bigip_ltm_profile_client_ssl.t1_pfportalmo: Modifications complete after 0s [id=/Common/reproclientssl_t1_pfportalmo]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

On the BIG-IP nothing has changed and the state is the same as previously.

If we set the cipher_group value again in the child profile, the plan would show no changes, but this is not what we want to do.
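The perpetual diff above has a recognisable shape: the provider's Read stores the value the device effectively enforces for the child (the parent's cipher group), while the plan compares that against the provider default "none" for an attribute the configuration never set. The following Go program is an added illustration, not code from terraform-provider-bigip: it models a defaults_from chain with constructed profiles, reproduces the "parent value -> none" plan entry, and shows a diff-suppression check that ignores the diff only when the state value is exactly what the parent chain would inherit, so a real out-of-band change on the child is still reported. The real Terraform SDK mechanism for this is a DiffSuppressFunc on the schema attribute; the function here (suppressInheritedDiff) stands in for it with plain arguments, and all profile data, the providerDefault constant and the function names are hypothetical.

```go
package main

import "fmt"

// Minimal constructed model of a BIG-IP client-ssl profile, keeping only the
// fields the issue is about. An empty CipherGroup on a child means "not set
// on this profile, inherit from defaults_from".
type clientSSLProfile struct {
	Name         string
	DefaultsFrom string
	CipherGroup  string
}

// Constructed stand-in for what the device holds after the first apply in the
// issue: a base profile, the parent that pins a cipher group, and a child that
// sets nothing of its own. Not a real REST response.
var device = map[string]clientSSLProfile{
	"/Common/clientssl": {Name: "/Common/clientssl", CipherGroup: "none"},
	"/Common/reproclientssl_mozilla_tls12_only": {
		Name:         "/Common/reproclientssl_mozilla_tls12_only",
		DefaultsFrom: "/Common/clientssl",
		CipherGroup:  "/Common/mozilla-tls12-gt",
	},
	"/Common/reproclientssl_t1_pfportalmo": {
		Name:         "/Common/reproclientssl_t1_pfportalmo",
		DefaultsFrom: "/Common/reproclientssl_mozilla_tls12_only",
	},
}

// providerDefault is the value the plan falls back to when the attribute is
// omitted from configuration ("none" in the plan output above). Hypothetical.
const providerDefault = "none"

// effectiveCipherGroup resolves the value the device actually enforces for a
// profile by walking defaults_from until a profile sets its own cipher group.
// The visited set guards against a cyclic chain in malformed input.
func effectiveCipherGroup(profiles map[string]clientSSLProfile, name string) string {
	visited := map[string]bool{}
	for name != "" && !visited[name] {
		visited[name] = true
		p, ok := profiles[name]
		if !ok {
			return ""
		}
		if p.CipherGroup != "" {
			return p.CipherGroup
		}
		name = p.DefaultsFrom
	}
	return ""
}

// readState mimics the provider's Read: state receives the effective value,
// which is why the child's state shows the parent's cipher group.
func readState(profiles map[string]clientSSLProfile, name string) string {
	return effectiveCipherGroup(profiles, name)
}

// suppressInheritedDiff plays the role of a DiffSuppressFunc: the diff is noise
// when the configuration is at the provider default, the profile has a parent,
// and the value in state is exactly what the parent chain yields. A state value
// that differs from the inherited one is real drift and is not suppressed.
func suppressInheritedDiff(profiles map[string]clientSSLProfile, name, old, planned string) bool {
	p, ok := profiles[name]
	if !ok || p.DefaultsFrom == "" || planned != providerDefault {
		return false
	}
	return old == effectiveCipherGroup(profiles, p.DefaultsFrom)
}

// planChange returns the change a plan would print for cipher_group, or ""
// when no update is needed. With suppress=false it reproduces the perpetual
// "parent value -> none" diff from the issue.
func planChange(profiles map[string]clientSSLProfile, name, configValue string, suppress bool) string {
	old := readState(profiles, name)
	if old == configValue {
		return ""
	}
	if suppress && suppressInheritedDiff(profiles, name, old, configValue) {
		return ""
	}
	return fmt.Sprintf("%q -> %q", old, configValue)
}

func main() {
	child := "/Common/reproclientssl_t1_pfportalmo"
	fmt.Println("naive plan:      ", planChange(device, child, providerDefault, false))
	fmt.Println("with suppression:", planChange(device, child, providerDefault, true))
}
```

The check is deliberately narrow: suppression applies only when the planned value is the provider default and the state value equals the inherited one. If an operator changed the child's cipher group on the device directly, the state value no longer matches the parent chain and the plan still shows the update, which is the behaviour you want from an infrastructure-as-code guard against silent configuration drift.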

pgouband commented 11 months ago

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1371.