I create a parent clientssl profile which has the tm_options and cipher_group set. Then a child clientssl profile which refers to the parent with defaults_from and sets a couple of other attributes (sni_default +sni_require).
The resulting configuration on the BIG-IP is fine, but all consecutive plans show me a change of cipher_group to "none" (not expected) which doesn't change the effective BIG-IP configuration (fortunately).
$ terraform apply
bigip_ltm_profile_client_ssl.reproclientssl_mozilla_tls12_only: Refreshing state... [id=/Common/reproclientssl_mozilla_tls12_only]
bigip_ltm_profile_client_ssl.t1_pfportalmo: Refreshing state... [id=/Common/reproclientssl_t1_pfportalmo]
Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
~ update in-place
Terraform will perform the following actions:
# bigip_ltm_profile_client_ssl.t1_pfportalmo will be updated in-place
~ resource "bigip_ltm_profile_client_ssl" "t1_pfportalmo" {
~ cipher_group = "/Common/mozilla-tls12-gt" -> "none"
id = "/Common/reproclientssl_t1_pfportalmo"
name = "/Common/reproclientssl_t1_pfportalmo"
# (7 unchanged attributes hidden)
}
Plan: 0 to add, 1 to change, 0 to destroy.
Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.
Enter a value: yes
bigip_ltm_profile_client_ssl.t1_pfportalmo: Modifying... [id=/Common/reproclientssl_t1_pfportalmo]
bigip_ltm_profile_client_ssl.t1_pfportalmo: Modifications complete after 0s [id=/Common/reproclientssl_t1_pfportalmo]
Apply complete! Resources: 0 added, 1 changed, 0 destroyed.
On the BIGIP nothing as changed and the state is the same as previously.
If we would set the cipher_group value again in the child profile, the plan would show no changes, but this is not what we want to do.
Environment
Summary
I create a parent clientssl profile which has the tm_options and cipher_group set. Then a child clientssl profile which refers to the parent with
defaults_from
and sets a couple of other attributes (sni_default
+sni_require
). The resulting configuration on the BIG-IP is fine, but all consecutive plans show me a change ofcipher_group
to "none" (not expected) which doesn't change the effective BIG-IP configuration (fortunately).Steps To Reproduce
Here's the TF code:
Expected Behavior
The
cipher_group
is set from the parent profile as expected.Actual Behavior
1st Plan:
1st Apply:
On the BIGIP the config is as expected (settings on child profile are correctly carried from the parent) The state is good too:
without any change, I do a Plan/apply again:
On the BIGIP nothing as changed and the state is the same as previously.
If we would set the
cipher_group
value again in the child profile, the plan would show no changes, but this is not what we want to do.