[Bug]: APPFW citrixadc_appfwprofile_csrftag_binding not working for changes #1175

Open
nogiiihhmk opened this issue Jul 3, 2024 · 0 comments

Terraform Core Version

Terraform v1.9.0 on darwin_arm64

citrixadc Provider Version

1.39.0

Operating system

Mac OS Sonoma 14.5 (23F79)

Affected Resource(s)

citrixadc_appfwprofile_csrftag_binding

Equivalent NetScaler CLI Command

Via GUI bind:
"bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "https://formoriginurl" "https://formactionurl" -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW"
Via GUI change:
unbind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -location FORMFIELD -location FORMFIELD -CSRFTag "https://formoriginurl" "https://formactionurl" -RuleType ALLOW
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "https://formoriginurl2" "https://formactionurl2" -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -resourceId 35cdd92f1ac8002870c33243ee0827b7b305c8547748a9306b8366c3555182ba -RuleType ALLOW

Via Terraform initial add:
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "/csrftag1" "https://csrfformactionurl1
Via Terraform change:
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "/csrftag2" "https://csrfformactionurl2

--> MISSING unbind for initial csrftag relaxation. So in NetScaler we have two relaxations: csrfformactionurl1 AND csrfformactionurl2. There is no unbind in ns.log

Expected Behavior

When changing values with citrixadc_appfwprofile_csrftag_binding I would expect that the old values in the WAF csrftag relaxation rule are "overwritten" with the new ones and that there is only one rule present with the new and changed values. Not old and new values in two rules.

Actual Behavior

When changing csrftag relaxation rules, the values in the WAF have to be changed (unbind the old rule, bind the new one), and it cannot be that the old one remains and the new one is also added. Just like in the GUI when changing a csrftag relaxation.

Seems like the Terraform provider is not "seeing" that there is already a csrftag relaxation. With this behaviour we cannot change any csrftag relaxation ever.

Relevant Error/Panic Output Snippet

- none

Terraform Configuration Files

variable csrftag:

csrftag

variable "csrftag" {
  type = object({
    options = optional(object({
      enabled = optional(bool, true)
      actions = optional(list(string), ["block", "log", "stats", "learn"])
    }), {})
    rules = list(object({
      csrftag           = string #(Required) The web form originating URL.
      csrfformactionurl = string #(Optional) The web form action URL.
      comment           = optional(string, "")
      state             = optional(string, "ENABLED")
    }))
  })
  description = "CSRF Tag settings and relaxations."

  validation {
    error_message = "action for csrftag can only contain block and or log and or stats and or learn."
    condition     = alltrue([for a in var.csrftag.options.actions : contains(["block", "log", "stats", "learn"], a)])
  }
  validation {
    error_message = "enabled can only be ENABLED or DISABLED for all rules."
    condition = alltrue([
      for r in var.csrftag.rules : contains(["ENABLED", "DISABLED"], r.state)
    ])
  }
}

resource csrftag:
resource "citrixadc_appfwprofile_csrftag_binding" "this" {
  for_each = {
    for r in var.csrftag.rules : r.csrftag => r
  }

  name              = citrixadc_appfwprofile.this.name
  csrftag           = each.value.csrftag
  csrfformactionurl = each.value.csrfformactionurl
  comment           = each.value.comment
  state             = each.value.state
}

Steps to Reproduce

Add a csrftag relaxation rule using citrixadc_appfwprofile_csrftag_binding with initial values. Then change the value(s) in Terraform vars. After applying with the new value(s) there are two relaxation rules: one with the old and one with the new values.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

@nogiiihhmk nogiiihhmk added the bug label Jul 3, 2024
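
A drift check for the behaviour reported above, added here as an example (it is not part of the issue or of the provider's code): it replays `bind`/`unbind appfw profile ... -CSRFTag` commands and lists CSRF relaxations that are still bound but no longer in the desired configuration. It assumes the input lines are bare CLI commands in the form quoted in the issue; the profile name and all function names are constructed for illustration.

```python
import shlex

def _tokens(line):
    # Commands copied from logs may be truncated mid-quote; fall back to a plain split.
    try:
        return shlex.split(line)
    except ValueError:
        return line.replace('"', "").split()

def effective_csrf_relaxations(commands):
    """Replay bind/unbind commands and return {profile: {(origin_url, action_url)}}."""
    state = {}
    for line in commands:
        t = _tokens(line)
        if len(t) < 4 or t[0] not in ("bind", "unbind") or t[1:3] != ["appfw", "profile"]:
            continue
        # -CSRFTag takes two values: the form origin URL, then the form action URL.
        idx = next((i for i, tok in enumerate(t) if tok == "-CSRFTag"), None)
        if idx is None or idx + 2 >= len(t):
            continue
        rules = state.setdefault(t[3], set())
        rule = (t[idx + 1], t[idx + 2])
        if t[0] == "bind":
            rules.add(rule)
        else:
            rules.discard(rule)
    return state

def stale_relaxations(commands, desired):
    """Relaxations still bound on the appliance that the desired config no longer lists."""
    stale = {}
    for profile, bound in effective_csrf_relaxations(commands).items():
        extra = bound - desired.get(profile, set())
        if extra:
            stale[profile] = sorted(extra)
    return stale

# Constructed sample data: shortened profile name, URLs taken from the report.
PROFILE = "appfw-profile-example"
RULE1 = ("/csrftag1", "https://csrfformactionurl1")
RULE2 = ("/csrftag2", "https://csrfformactionurl2")
def _cmd(verb, rule):
    return f'{verb} appfw profile {PROFILE} -location FORMFIELD -CSRFTag "{rule[0]}" "{rule[1]}" -RuleType ALLOW'

TERRAFORM_CHANGE = [_cmd("bind", RULE1), _cmd("bind", RULE2)]   # no unbind, as reported
GUI_CHANGE = [_cmd("bind", RULE1), _cmd("unbind", RULE1), _cmd("bind", RULE2)]
DESIRED = {PROFILE: {RULE2}}

if __name__ == "__main__":
    print("terraform:", stale_relaxations(TERRAFORM_CHANGE, DESIRED))
    print("gui:", stale_relaxations(GUI_CHANGE, DESIRED))
```

A non-empty result for a profile means a CSRF check relaxation outlived its Terraform definition and should be unbound manually until the provider issues the unbind itself.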