cisco-en-programmability / terraform-provider-dnacenter

https://registry.terraform.io/providers/cisco-en-programmability/dnacenter/latest/docs
MIT License

Destroy on dnacenter_sda_fabric_authentication_profile not possible #127

Open pamosima opened 1 year ago

pamosima commented 1 year ago


Describe the bug

Destroy on dnacenter_sda_fabric_authentication_profile not possible. There is also an error on the API:

{
  "status": "failed",
  "description": "Cannot unselect the selected authentication profile.",
  "taskId": "f83e755e-1559-4fdf-a7bc-620c4bdd8666",
  "taskStatusUrl": "/dna/intent/api/v1/task/f83e755e-1559-4fdf-a7bc-620c4bdd8666",
  "executionStatusUrl": "/dna/intent/api/v1/dnacaap/management/execution-status/20de3a60-6e71-4982-9786-e3e0a6e549f7",
  "executionId": "20de3a60-6e71-4982-9786-e3e0a6e549f7",
  "response": {
    "failureReason": "Unknown Error: An unexpected condition was encountered. Please try after the system is restored."
  }
}

Expected behavior

Deletion of authentication profile is not possible. So it should only remove the resource state.

Screenshots

Error: Failure when executing DeleteDefaultAuthenticationProfileFromSdaFabric

error with operation DeleteDefaultAuthenticationProfileFromSdaFabric

{
  "status" : "failed",
  "description" : "Cannot unselect the selected authentication profile.",
  "taskId" : "a530734b-2254-424b-8fd9-030a2a9736c8",
  "taskStatusUrl" : "/dna/intent/api/v1/task/a530734b-2254-424b-8fd9-030a2a9736c8",
  "executionStatusUrl" : "/dna/intent/api/v1/dnacaap/management/execution-status/1b568cfd-6191-4f50-897e-416258463dee",
  "executionId" : "1b568cfd-6191-4f50-897e-416258463dee"
}


Additional context

This could be ignored and just remove the state, as there is no option to delete the auth profile from GUI. But fabric site cannot be destroyed if the auth profile is still in the state.

mschedrin commented 1 year ago

I have encountered this issue too. I suppose that a better action on resource destruction would be to select the default authentication profile in dnac and remove state. In this case terraform effectively rolls back its own activity to the original resource state. An even better solution would be to implement a delete action in DNAC API that will set the authentication profile to the default value.

fmunozmiranda commented 1 year ago

@zapodeanu, in your opinion, what would be the expected behavior of deleting an SDA Fabric Authentication Profile?

zapodeanu commented 1 year ago

@mschedrin If this is still an issue with the API, please open a TAC case

mschedrin commented 1 year ago

This is not directly an API issue. Current provider implementation does not support destruction of `dnacenter_sda_fabric_authentication_profile`. @fmunozmiranda asked your opinion about what is the better way to destroy the resource using DNAC API. If you don't have any preferences, then I suggest implementing my suggestion in previous comment:

> I suppose that better action on resource destruction would be to select default authentication profile in dnac and remove state. In this case terraform effectively rolls back its own activity to original resource state.

A cleaner implementation would be to implement an API endpoint for removing the sda fabric authentication profile. Is this something that you can register as a feature request for DNAC API, @zapodeanu?

mschedrin commented 1 year ago

I don't have permission to reassign the issue back to @zapodeanu. Probably @fmunozmiranda can make it for me?

mschedrin commented 1 year ago

I suppose this API call should do the job:

[image]

zapodeanu commented 1 year ago

That is correct. The API would be able to delete an auth profile. Are we attempting to remove an auth profile while in use for host onboarding? @mschedrin

mschedrin commented 1 year ago

Not sure what are use cases for this operation during normal operations, but when running terraform destroy command it is supposed to clean up all the resources/configurations that had been earlier created by terraform, hence we need to remove auth profile configuration and return it to factory defaults. @fmunozmiranda do you need any more details for implementing this?

wastorga commented 1 year ago

The resource dnacenter_sda_fabric_authentication_profile uses the API DELETE /dna/intent/api/v1/business/sda/authentication-profile.

We verify that the API operation does not return an unsuccessful status; if it is unsuccessful, we do not tell Terraform to remove the state; instead, we throw an error, and the user should look to see what is happening and decide what to do accordingly. If DNA Center says the operation was successful, we tell Terraform to remove the state.

The issue reported by the user had the following message from the DELETE API's execution details:

 "description" : "Cannot unselect the selected authentication profile.",

The question I have is whether the DELETE API works by itself or whether another API needs to be involved to allow it to work, since the procedure for the two scenarios is different.

Could you help me with this question, @zapodeanu?
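
The destroy decision described in the comment above, as an added Go example (not the provider's own code): state is dropped only when the execution status explicitly reports success, so a failed or ambiguous delete never leaves the authentication profile configured but untracked. `removeFromState` is a hypothetical helper, the `"success"` status value is an assumption, and the failed body is the one from the issue report, trimmed to three fields.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// executionStatus holds the fields of the execution-status body quoted in this issue.
type executionStatus struct {
	Status      string `json:"status"`
	Description string `json:"description"`
	ExecutionID string `json:"executionId"`
}

// failedBody is the error body from the issue report, trimmed to three fields.
const failedBody = `{"status": "failed",
 "description": "Cannot unselect the selected authentication profile.",
 "executionId": "1b568cfd-6191-4f50-897e-416258463dee"}`

// successBody is constructed; the "success" status value is an assumption.
const successBody = `{"status": "success", "executionId": "constructed-id"}`

// removeFromState (hypothetical helper) reports whether a destroy may drop the
// resource from Terraform state. It fails closed: only an explicit success
// does; a failure, an unknown status or an unparsable body keeps the state.
func removeFromState(body []byte) (bool, error) {
	var es executionStatus
	if err := json.Unmarshal(body, &es); err != nil {
		return false, fmt.Errorf("unreadable execution status: %w", err)
	}
	switch strings.ToLower(es.Status) {
	case "success":
		return true, nil
	case "failed":
		return false, fmt.Errorf("delete failed (execution %s): %s", es.ExecutionID, es.Description)
	default:
		return false, fmt.Errorf("delete not confirmed, status %q", es.Status)
	}
}

func main() {
	for _, body := range []string{failedBody, successBody, `{"status": ""}`, `not json`} {
		ok, err := removeFromState([]byte(body))
		fmt.Println(ok, err)
	}
}
```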

mschedrin commented 1 year ago

Currently I cannot verify whether deletion of the dnacenter_sda_fabric_authentication_profile resource uses the API correctly, as creation of this resource does not work either (#189).

zapodeanu commented 1 year ago

I have tested the delete Auth template last week and I asked engineering for verification why it failed. I will update as soon as I hear back from them.

mschedrin commented 1 year ago

@zapodeanu, have you heard anything from engineering team yet?

zapodeanu commented 1 year ago

@mschedrin Yes, I did. There is no concept of deleting the default authentication templates from Cisco DNA Center. The current templates - closed, open, low impact or none can not be deleted. We could update a fabric with a PUT to change from using open to none, but we can not delete the template. The delete API does not provide any capabilities today. I do not know if it did in the past, however, at this time the API call will fail as there is no support for delete fabric auth template operation.

DNACENSolutions commented 1 year ago

This should be the last operation on fabric site; if the fabric site is in use this operation should be avoided. The templates cannot be completely deleted, but the delete operation sets it to default 'none'. If the previous state was none, there will be no change. The error was a defect, which was fixed in 2.3.5.0+ releases with CDET: CSCwd34563.

mschedrin commented 12 months ago

@DNACENSolutions I cannot open the bug you referenced, it's not public. What has been fixed, has the delete method been implemented?