citrix / terraform-provider-citrixadc

Part of NetScaler Automation Toolkit | https://github.com/netscaler/automation-toolkit
https://registry.terraform.io/providers/citrix/citrixadc
Apache License 2.0

[Bug]: Issue 1113, 1147, 1162 Still results in non working citrixadc_appfwsignatures #1214

Open kaiAsmOne opened 1 month ago

kaiAsmOne commented 1 month ago

### Terraform Core Version

1.5.7

### citrixadc Provider Version

1.40.1

### Operating system

macOS

### Affected Resource(s)

citrixadc_appfwsignatures

### Equivalent NetScaler CLI Command

N/A

### Expected Behavior

I am trying to modify the signature behaviour for an existing signature object in an already existing signature file (as in GUI: Security / Citrix Web Application Firewall / Signatures / modifying already existing waf_sig_app.company.com).

Netscaler has to provide the following functionality; if not, the Signatures in the WAF Engine are useless when

1: You cannot on an entire Signature category ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats) )

2: You cannot on an individual Signature / Rules ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats) )

3: You cannot set a list of Signature Entries / Rules to ( set enabled = (enabled | disabled) ) && ( set action = (none | block | log | stats) )

I have written a Terraform module for citrixadc_appfwsignatures as follows:

```hcl
# Each optional argument is passed through only when its variable is non-empty;
# an empty string is mapped to null so the argument is left unset.
resource "citrixadc_appfwsignatures" "app_waf_signatures" {
  name                    = "wafsig${var.waf_profilename}"
  merge                   = var.waf_signature_merge == "" ? null : var.waf_signature_merge
  overwrite               = var.waf_signature_overwrite == "" ? null : var.waf_signature_overwrite
  src                     = var.waf_signature_location == "" ? null : var.waf_signature_location
  preservedefactions      = var.waf_signature_preservedefaction == "" ? null : var.waf_signature_preservedefaction
  autoenablenewsignatures = var.waf_signature_autoenablenewsignatures == "" ? null : var.waf_signature_autoenablenewsignatures
  ruleid                  = var.waf_signature_ruleid == "" ? null : var.waf_signature_ruleid
  category                = var.waf_signature_category == "" ? null : var.waf_signature_category
  enabled                 = var.waf_signature_enabled == "" ? null : var.waf_signature_enabled
  action                  = var.waf_signature_action == "" ? null : var.waf_signature_action
}
```

I call this module from my Netscaler as follows:

```hcl
module "netscaler-adc-waf-signatures-myapp_company_com" {
  source                  = "../modules/CitrixADC-Appfw-Signatures"
  waf_profilename         = var.myapp_company_com_applicationname
  waf_signature_merge     = true
  waf_signature_overwrite = true
  waf_signature_location  = "local:wafsig${var.myapp_company_com_applicationname}"
  waf_signature_action    = ["log", "stats"]
  waf_signature_enabled   = "ON"
  waf_signature_ruleid    = ["998418", "998419", "998420", "998420", "998421", "998422", "998423", "998424", "998425", "998426"]
  depends_on              = [module.netscaler-adc-waf-myapp_company_com, module.app_myapp_company_com]
}
```

### Actual Behavior

```
│ Error: [ERROR] nitro-go: Failed to apply action on resource of type appfwsignatures, action=Import err=failed: 599 Netscaler specific error ({ "errorcode": 3197, "message": "Importing the resource failed", "severity": "ERROR" })
│
│   with module.netscaler-adc-waf-signatures-myapp_company_com.citrixadc_appfwsignatures.app_waf_signatures,
│   on ../modules/CitrixADC-Appfw-Signatures/main.tf line 2, in resource "citrixadc_appfwsignatures" "app_waf_signatures":
│    2: resource "citrixadc_appfwsignatures" "app_waf_signatures" {
│
╵
```

### Relevant Error/Panic Output Snippet

From ns.log logfile on the Netscaler

```
Oct 12 13:40:17 <local0.warn> 139.98.19.10  2024/10/12:11:40:17 GMT myadc-ext01 0-PPE-1 : default APPFW Message 0 0 :  "Failed to update information: '/var/tmp/_updates/waf_sig_myapp.company.com1728733217.8931', 'waf_sig_myapp.company.com'
```

### Terraform Configuration Files

variables.tf but not relevant for this issue

### Steps to Reproduce

Please observe data in Expected Behavior

### Debug Output

N/A

### Panic Output

N/A

### Important Factoids

_No response_

### References

_No response_

kaiAsmOne commented 1 month ago

I have been trying to reverse engineer how Netscaler handles signatures.

To me there seems to be a discrepancy between the Nitro API Documentation and actual features

Nitro documentation indicates the ability to enable / disable individual signatures based on Category and Signature ID

Documentation:

https://developer-docs.netscaler.com/en-us/adc-nitro-api/13-1/configuration/appfw/appfwsignatures vs the actual features available on how to manage WAF Signatures.

My claim on this discrepancy is confirmed by two approaches.

1: Capture Network Traffic when modifying signatures using Netscaler Diag Capture traffic

2: The yaml file found locally on Netscaler /var/netscaler/nitro/nitro-oas/config/appfw/appfwsignatures.yaml

To my understanding there are only two viable approaches to handle signatures:

1: /nitro/v1/config/appfwsignatures?action=update

This only supports fetching new signatures from the https://s3.amazonaws.com/NSAppFwSignatures/SignaturesMapping.xml

2: /nitro/v1/config/appfwsignatures?action=Import

This only supports importing a new signature file. If you packet capture the result of a simple task such as enabling/disabling a single signature rule, the HTTP data shows that the entire signature file is edited client-side and a new signature file is then uploaded to the Netscaler.

The result of these limitations is that managing signatures on a Netscaler means you will have to edit the Signature .xml file locally on your own machine, or on your DevOps Agent / runner-image within a pipeline, and upload it to the Netscaler after editing the XML file manually using awk or similar tools.

This approach does not align very well with a dynamic DevOps Architecture.

Please tell me I am wrong and show me how you can using Terraform. Alternative two: show me how this can be done using the REST API (I have been trying with Postman) directly to the Netscaler.

Using

1: Nitro Documentation on appfwsignatures

2: Terraform's citrixadc_appfwsignatures

3: Packet Captures

All indicate that the NITRO API Documentation and Terraform Documentation for citrixadc_appfwsignatures are not really achievable.

kaiAsmOne commented 1 month ago

As per my understanding from investigating the Nitro API yaml files on the Netscaler, I assume the feature requests will take time to implement.

In order to survive being heavily invested in several large Netscaler clusters in a Hybrid (Cloud and on-prem) Environment, I have started creating workarounds on how to work my way around the current limitations of the NITRO API (to my understanding).

If other people are struggling with managing signatures, I have created some scripts that I currently run locally on my macOS until I am ready to put them into my DevOps Pipeline.

This might be helpful https://github.com/kaiAsmOne/Netscaler/
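
The client-side edit described in the comments above (change the signature XML locally, then upload it with `action=Import`), as an added Python example that is not from this thread, the provider, or the linked repository. The XML element and attribute names (`SignatureRule`, `id`, `category`, `enabled`, `actions`), the sample file, and the shape of the Import body are assumptions; compare them with a signature file exported from your own appliance before using this in a pipeline.

```python
import json
import xml.etree.ElementTree as ET

# Constructed sample. Element and attribute names are assumptions, not taken
# from the thread; compare with a signature file exported from the appliance.
SAMPLE = """<SignaturesFile><Signatures>
  <SignatureRule id="998418" category="web-misc" enabled="OFF" actions=""/>
  <SignatureRule id="998419" category="web-misc" enabled="OFF" actions=""/>
  <SignatureRule id="1001" category="web-cgi" enabled="ON" actions="block,log"/>
</Signatures></SignaturesFile>"""

VALID_ACTIONS = {"none", "block", "log", "stats"}


def set_rules(xml_text, rule_ids=(), category=None, enabled=None, actions=None):
    """Apply enabled/actions to rules matched by id or by category.

    Returns (new_xml, changed_ids, missing_ids) so a pipeline can refuse to
    upload when a requested rule id does not exist in the file.
    """
    if enabled not in (None, "ON", "OFF"):
        raise ValueError(f"enabled must be ON or OFF, got {enabled!r}")
    if actions is not None:
        acts = list(dict.fromkeys(actions))  # de-duplicate, keep order
        if not set(acts) <= VALID_ACTIONS or ("none" in acts and len(acts) > 1):
            raise ValueError(f"invalid action list: {actions!r}")
    wanted = set(rule_ids)  # duplicate ids in the input collapse here
    root = ET.fromstring(xml_text)
    changed = []
    for rule in root.iter("SignatureRule"):
        by_id = rule.get("id") in wanted
        by_cat = category is not None and rule.get("category") == category
        if not (by_id or by_cat):
            continue
        if enabled is not None:
            rule.set("enabled", enabled)
        if actions is not None:
            rule.set("actions", ",".join(acts))
        changed.append(rule.get("id"))
    missing = sorted(wanted - set(changed))
    return ET.tostring(root, encoding="unicode"), changed, missing


def import_body(name, src):
    """JSON body for POST /nitro/v1/config/appfwsignatures?action=Import
    (resource-wrapped shape assumed; name/src/overwrite as in the module)."""
    return json.dumps({"appfwsignatures": {"name": name, "src": src, "overwrite": True}})
```
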