netascode / terraform-ise-nac-ise

Terraform Cisco ISE Network-as-Code Module
https://registry.terraform.io/modules/netascode/nac-ise/ise
Apache License 2.0

Client Error on network_access_policy_set module with nested conditions due to missing dictionaryName #5

Closed grg1bbs closed 9 months ago

grg1bbs commented 9 months ago

When creating a Policy Set with nested conditions, TF throws a Client Error due to missing dictionaryName values. The values exist in the YAML, but the terraform plan does not show the 'dictionary_name' or 'dictionary_value' attributes.

Depending on the dictionary and condition being configured, the dictionary_value is not always null.

Example YAML code

ise:
  network_access:
    policy_sets:
      - name: Wired MM
        description: Wired Monitor Mode
        condition:
          type: ConditionAndBlock
          children:
          - type: ConditionAttributes
            dictionary_name: Radius
            attribute_name: NAS-Port-Type
            operator: equals
            dictionary_value: null
            attribute_value: Ethernet
          - type: ConditionAttributes
            dictionary_name: DEVICE
            attribute_name: Deployment Stage
            operator: equals
            dictionary_value: null
            attribute_value: Deployment Stage#Monitor Mode
        service_name: MAB_Dot1x

Plan & Client Error

Terraform will perform the following actions:

  # module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"] will be created
  + resource "ise_network_access_policy_set" "network_access_policy_set_0" {
      + children            = [
          + {
              + attribute_name  = "NAS-Port-Type"
              + attribute_value = "Ethernet"
              + condition_type  = "ConditionAttributes"
              + is_negate       = false
              + operator        = "equals"
            },
          + {
              + attribute_name  = "Deployment Stage"
              + attribute_value = "Deployment Stage#Monitor Mode"
              + condition_type  = "ConditionAttributes"
              + is_negate       = false
              + operator        = "equals"
            },
        ]
      + condition_is_negate = false
      + condition_type      = "ConditionAndBlock"
      + description         = "Wired Monitor Mode"
      + id                  = (known after apply)
      + is_proxy            = false
      + name                = "Wired MM"
      + service_name        = "MAB_Dot1x"
      + state               = "enabled"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Creating...
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Still creating... [10s elapsed]
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Still creating... [20s elapsed]
╷
│ Error: Client Error
│ 
│   with module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"],
│   on .terraform/modules/ise/ise_network_access.tf line 311, in resource "ise_network_access_policy_set" "network_access_policy_set_0":
│  311: resource "ise_network_access_policy_set" "network_access_policy_set_0" {
│ 
│ Failed to configure object (POST), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "message" : "condition.children[1].dictionaryName, must not be null, condition.children[0].dictionaryName, must not be null",
│   "code" : 400
│ }

Example TF code

resource "ise_network_access_policy_set" "ps_wired_mm" {
  name                = var.ps_wired_mm_name
  description         = "Wired Monitor Mode"
  rank                = 0
  service_name        = ise_allowed_protocols.mab_dot1x.name
  state               = "enabled"
  is_proxy            = false
  condition_is_negate = false
  condition_type      = "ConditionAndBlock"
  children = [
    {
      condition_type  = "ConditionAttributes"
      is_negate       = false
      dictionary_name = "Radius"
      attribute_name  = "NAS-Port-Type"
      operator        = "equals"
      attribute_value = "Ethernet"
    },
    {
      condition_type  = "ConditionAttributes"
      is_negate       = false
      dictionary_name = "DEVICE"
      attribute_name  = ise_network_device_group.ndg_deployment_stage.root_group
      operator        = "equals"
      attribute_value = "Deployment Stage#Monitor Mode"
    },
  ]
}

grg1bbs commented 9 months ago

When testing the Device Admin policy set config, I found the example of defining the dictionary_name in the attribute_name. I confirmed that this method works in my Network Access Policy Set block.

The documentation should make it clear how to define these settings.

Example updated code

    policy_sets:
      - name: Wired MM
        description: Wired Monitor Mode
        condition:
          type: ConditionAndBlock
          children:
          - type: ConditionAttributes
            attribute_name: Radius:NAS-Port-Type
            operator: equals
            attribute_value: Ethernet
          - type: ConditionAttributes
            attribute_name: DEVICE:Deployment Stage
            operator: equals
            attribute_value: Deployment Stage#Monitor Mode
        service_name: MAB_Dot1x
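As an added pre-apply check (example code written for this issue, not part of the netascode module or the ISE provider): the script below walks a policy-set condition tree shaped like the YAML in this thread, reports every ConditionAttributes node that would reach ISE without a dictionary (the "dictionaryName, must not be null" 400 from the first comment), and applies the Dictionary:Attribute workaround from this comment so a definition survives either form. The policy-set dict is a constructed copy of the issue's YAML, and strip_dictionary_names only simulates the key being dropped from the plan; it is an assumption for the demonstration, not a description of the module's internals.

```python
"""Pre-apply check for NaC ISE policy-set conditions (added example)."""
import copy

# Constructed input mirroring the YAML in the issue (a dict literal instead
# of a YAML file so the script runs without PyYAML).
POLICY_SET = {
    "name": "Wired MM",
    "description": "Wired Monitor Mode",
    "condition": {
        "type": "ConditionAndBlock",
        "children": [
            {"type": "ConditionAttributes", "dictionary_name": "Radius",
             "attribute_name": "NAS-Port-Type", "operator": "equals",
             "dictionary_value": None, "attribute_value": "Ethernet"},
            {"type": "ConditionAttributes", "dictionary_name": "DEVICE",
             "attribute_name": "Deployment Stage", "operator": "equals",
             "dictionary_value": None,
             "attribute_value": "Deployment Stage#Monitor Mode"},
        ],
    },
    "service_name": "MAB_Dot1x",
}


def iter_attribute_conditions(condition, path="condition"):
    """Yield (path, node) for every ConditionAttributes node, recursing
    through nested And/Or blocks. Paths use the same form as the ISE error
    message (condition.children[1])."""
    if condition is None:
        return
    if condition.get("type") == "ConditionAttributes":
        yield path, condition
    for i, child in enumerate(condition.get("children") or []):
        yield from iter_attribute_conditions(child, f"{path}.children[{i}]")


def resolve_dictionary(node):
    """Return (dictionary, attribute) for a ConditionAttributes node.

    Accepts either a separate dictionary_name key or the combined
    "Dictionary:Attribute" attribute_name used in the workaround.
    Returns (None, attribute) when no dictionary can be determined."""
    attr = node.get("attribute_name") or ""
    dictionary = node.get("dictionary_name")
    if dictionary:
        return dictionary, attr
    if ":" in attr:
        dictionary, attr = attr.split(":", 1)
        return dictionary, attr
    return None, attr


def find_missing_dictionaries(policy_set):
    """Return paths of conditions ISE would reject with
    'dictionaryName, must not be null'. Empty list means safe to apply."""
    return [path for path, node
            in iter_attribute_conditions(policy_set.get("condition"))
            if resolve_dictionary(node)[0] is None]


def fold_dictionary_into_attribute(policy_set):
    """Return a copy using the workaround from this thread: attribute_name
    becomes 'Dictionary:Attribute' and the separate dictionary_name key is
    removed. Other keys (dictionary_value included) are left untouched."""
    result = copy.deepcopy(policy_set)
    for _, node in iter_attribute_conditions(result.get("condition")):
        dictionary, attr = resolve_dictionary(node)
        if dictionary is None:
            raise ValueError(f"no dictionary for attribute {attr!r}")
        node["attribute_name"] = f"{dictionary}:{attr}"
        node.pop("dictionary_name", None)
    return result


def strip_dictionary_names(policy_set):
    """Simulate the plan in the issue, where dictionary_name never made it
    into the resource (assumption for demonstration, not module code)."""
    result = copy.deepcopy(policy_set)
    for _, node in iter_attribute_conditions(result.get("condition")):
        node.pop("dictionary_name", None)
    return result


if __name__ == "__main__":
    print("as written:", find_missing_dictionaries(POLICY_SET))
    print("key dropped:", find_missing_dictionaries(
        strip_dictionary_names(POLICY_SET)))
    folded = fold_dictionary_into_attribute(POLICY_SET)
    print("workaround, key dropped:", find_missing_dictionaries(
        strip_dictionary_names(folded)))
```

Run it before terraform apply against the rendered policy-set data: a non-empty list from find_missing_dictionaries is exactly the set of children the ISE API reported in the 400, and the folded form still resolves after the key is dropped, which is why the Dictionary:Attribute spelling worked around the module bug.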

grg1bbs commented 9 months ago

Confirmed fixed with the separation of the dictionary_name attribute in the latest branch.