PaloAltoNetworks / terraform-provider-sase

Terraform provider for SASE API
Apache License 2.0

IKE Gateway Preshared Key Causes unexpected error when using special characters #4

Open ancoleman opened 1 year ago

ancoleman commented 1 year ago

Describe the bug

When setting the _pre_shared_key_ settings:

pre_shared_key = {
  key = "!!@@@MyPSK12345!!!!@@@"
}

The resource fails to create with this error:

╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to sase_ike_gateways.this, provider "provider[\"registry.terraform.io/paloaltonetworks-local/sase\"]" produced an unexpected new value: .authentication.pre_shared_key.key: was
│ cty.StringVal("!!@@@MyPSK12345!!!!@@@"), but now cty.StringVal("-AQ==hxniU8FeNwPT34PHlIgQl31prAs=0caOIj5PeUq5aiNUYGQxWAz3/p0UbF5SSb8i/2BW+4g=").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.
╵

Expected behavior

Due to the nature of a pre-shared key, the string value should be able to support special characters easily.

Current behavior

Please refer to the bug summary for the current error behavior.

Steps to reproduce

resource "sase_ike_gateways" "this" {
  folder = "Remote Networks"
  name = "terraform-ike-1"
  authentication = {
    allow_id_payload_mismatch    = false
    certificate_profile          = ""
    local_certificate            = null
    strict_validation_revocation = false
    use_management_as_source     = false
    pre_shared_key               = {
      key = "!!@@@MyPSK12345!!!!@@@"
    }
  }
  peer_address = {
    dynamic_value = null
    fdqn = ""
    ip = "81.107.85.199"
  }
  protocol = {
    ikev1 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = ""
    }
    ikev2 = {
      dpd = {
        enable = true
      }
      ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
    }
  }
}

(venv) (base) acoleman@M-KGYXTTH2MF remote_networks % terraform apply --auto-approve
╷
│ Warning: Provider development overrides are in effect
│ 
│ The following provider development overrides are set in the CLI configuration:
│  - paloaltonetworks-local/sase in /Users/acoleman/Documents/Projects/PracticeDevelopment/github/terraform-provider-sase
│ 
│ The behavior may therefore not match any released version of the provider and applying changes may cause the state to become incompatible with published releases.
╵

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:
  + create

Terraform will perform the following actions:

  # sase_ike_gateways.this will be created
  + resource "sase_ike_gateways" "this" {
      + authentication = {
          + allow_id_payload_mismatch    = false
          + pre_shared_key               = {
              + key = "!!@@@MyPSK12345!!!!@@@"
            }
          + strict_validation_revocation = false
          + use_management_as_source     = false
        }
      + folder         = "Remote Networks"
      + id             = (known after apply)
      + name           = "terraform-ike-1"
      + object_id      = (known after apply)
      + peer_address   = {
          + ip = "81.107.85.199"
        }
      + protocol       = {
          + ikev1   = {
              + dpd = {
                  + enable = true
                }
            }
          + ikev2   = {
              + dpd                = {
                  + enable = true
                }
              + ike_crypto_profile = "PaloAlto-Networks-IKE-Crypto"
            }
          + version = "ikev2-preferred"
        }
    }

Plan: 1 to add, 0 to change, 0 to destroy.
sase_ike_gateways.this: Creating...
╷
│ Error: Provider produced inconsistent result after apply
│ 
│ When applying changes to sase_ike_gateways.this, provider "provider[\"registry.terraform.io/paloaltonetworks-local/sase\"]" produced an unexpected new value: .authentication.pre_shared_key.key: was
│ cty.StringVal("!!@@@MyPSK12345!!!!@@@"), but now cty.StringVal("-AQ==hxniU8FeNwPT34PHlIgQl31prAs=0caOIj5PeUq5aiNUYGQxWAz3/p0UbF5SSb8i/2BW+4g=").
│ 
│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

shinmog commented 1 year ago

Oh boy, here we go....

Looks like pre_shared_key is plain text when sent in, but they're passing back an encrypted / encoded value instead of what the user has actually configured.

Please raise this issue with eng internally (maybe just Slack for now?).

Do you always get the same string back when Read() / terraform apply runs, or is the value in pre_shared_key changing?

ancoleman commented 1 year ago

@shinmog is there a fix going in for this, since our discussion with the team?
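
The mismatch diagnosed in this thread (plaintext sent in, an encrypted or encoded value read back) can be handled by keeping the configured value in state and using the returned value only for comparison between reads. The Go code below is an added example, not code from this thread or from the provider; `SecretState`, `AfterCreate`, `AfterRead` and the sample strings are hypothetical, and it uses only the standard library rather than the Terraform plugin SDK.

```go
package main

import "fmt"

// SecretState is a hypothetical model of how a provider could track the PSK.
// Names here are assumptions for illustration, not the SASE provider's schema.
type SecretState struct {
	Key       string // plaintext exactly as written in the configuration
	RemoteRef string // opaque value the API returned, kept only to compare reads
}

// AfterCreate stores the planned plaintext, never the API's transformed value,
// so Terraform's "planned value == new value" consistency check passes.
func AfterCreate(planned, apiReturned string) SecretState {
	return SecretState{Key: planned, RemoteRef: apiReturned}
}

// AfterRead reconciles a later API read with prior state. stable says whether
// the API returns the same opaque string on every read for an unchanged key
// (the open question in the thread). It reports whether drift was detected.
func AfterRead(prior SecretState, apiReturned string, stable bool) (SecretState, bool) {
	switch {
	case apiReturned == prior.Key || apiReturned == prior.RemoteRef:
		return prior, false // unchanged: plaintext echo or same opaque value
	case !stable:
		// Opaque value is re-randomised per read, so a difference proves
		// nothing. Keep the configured key and refresh the reference.
		return SecretState{Key: prior.Key, RemoteRef: apiReturned}, false
	default:
		// Stable API and a different value: the key changed out of band.
		// Clearing Key makes the next plan differ from config and re-push it.
		return SecretState{Key: "", RemoteRef: apiReturned}, true
	}
}

func main() {
	const psk = "example-PSK-!!@@"           // constructed sample key
	const opaque = "-AQ==constructedOpaque=" // constructed API response
	st := AfterCreate(psk, opaque)
	fmt.Println("state key matches plan:", st.Key == psk)
	_, drift := AfterRead(st, opaque, true)
	fmt.Println("drift on identical read:", drift)
	_, drift = AfterRead(st, "-AQ==rotatedElsewhere=", true)
	fmt.Println("drift on changed value, stable API:", drift)
	_, drift = AfterRead(st, "-AQ==rotatedElsewhere=", false)
	fmt.Println("drift on changed value, unstable API:", drift)
}
```

Whether the drift branch is usable depends on the answer to the question asked above: if the returned string changes on every read, only the "keep the configured key" branch applies.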