[Bug]: citrixadc_appfwprofile_crosssitescripting_binding not working when changing values #1177

Open
nogiiihhmk opened this issue Jul 3, 2024 · 1 comment
Terraform Core Version

Terraform v1.9.0 on darwin_arm64

citrixadc Provider Version

1.39.0

Operating system

Mac OS Sonoma 14.5 (23F79)

Affected Resource(s)

citrixadc_appfwprofile_crosssitescripting_binding

Equivalent NetScaler CLI Command

CLI for adding a crossSiteScripting relaxation rule via the GUI:
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting name "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute value -isValueRegex NOTREGEX -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW

CLI for changing that crossSiteScripting relaxation rule via the GUI:
unbind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -location FORMFIELD -location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD -valueType Attribute value -RuleType ALLOW
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting namexxx "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute valuexxx -isValueRegex NOTREGEX -comment comment -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -resourceId 8cd78c2da17fd13cd7d21d0006bfd9b705c73fe4a95d32f28fc8fbe6e2289ea4 -RuleType ALLOW

What Terraform does when adding a crossSiteScripting relaxation rule:
bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting name "https://url" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute value -isValueRegex NOTREGEX -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW

What Terraform does when changing a crossSiteScripting relaxation rule:
Jul 3 14:50:22 <local0.info> 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : default API CMD_EXECUTED 23602308 0 : User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Command "bind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -crossSiteScripting namexxx "https://urlxxx" -isRegex NOTREGEX -location FORMFIELD -valueType Attribute valuexxx -isValueRegex NOTREGEX -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW" - Status "Success"

Jul 3 14:50:22 <local0.info> 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : default API CMD_EXECUTED 23602336 0 : User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Command "unbind appfw profile appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf -location FORMFIELD -location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD -RuleType ALLOW" - Status "ERROR: No such CrossSiteScripting check"

Jul 3 14:50:23 <local0.info> 172.31.3.151 07/03/2024:12:50:23 GMT vacnstfi31 0-PPE-0 : default SNMP TRAP_SENT 0 0 : netScalerConfigChange (nsUserName = "svc_adc_terraform", configurationCmd = "unbind appfw profile appfw-profile-tf-tfi-fbt-...", authorizationStatus = authorized, commandExecutionStatus = failed, nsClientIPAddr = 172.31.120.161, commandFailureReason = "ERROR: No such CrossSiteScripting check", nsPartitionName = default)

Terraform log: │ Error: [INFO] delete failed: 599 Netscaler specific error ({ "errorcode": 3128, "message": "No such CrossSiteScripting check", "severity": "ERROR" })

In nitro.log:
Jul 3 14:52:37 <local5.info> vacnstfi31 httpd: [23369] Netscaler_ip 172.31.3.151 - User svc_adc_terraform -ADM_User NONE - Remote_ip 172.31.120.161 - Method DELETE - Command { "params": { "filter": [ ], "format": "json" } }{ "appfwprofile_crosssitescripting_binding": { "name": "appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf", "crosssitescripting": "name", "formactionurl": "https://url", "location": "FORMFIELD" } }

Jul 3 14:52:37 <local5.info> vacnstfi31 httpd: [23369] Netscaler_ip 172.31.3.151 - User svc_adc_terraform - ADM_User NONE - Remote_ip 172.31.120.161 - Method DELETE - Command { "params": { "filter": [ ], "format": "json" } }{ "appfwprofile_crosssitescripting_binding": { "name": "appfw-profile-tf-tfi-fbt-smaragd-tcm-webcheck-htmlwaf", "crosssitescripting": "name", "formactionurl": "https://url", "location": "FORMFIELD" } } - Status "{ "errorcode": 3128, "message": "No such CrossSiteScripting check", "severity": "ERROR" }"

Expected Behavior

Just like with my previous bug: when changing a value in a CrossSiteScripting relaxation rule via Terraform, I expect that there is a rule reflecting the new value, and not the old value.

Actual Behavior

What I see is that after changing a rule, both the old and the new rule are bound to the WAF. Deletion (unbind) is not working because there is an issue with setting sufficient parameters for deletion.

Relevant Error/Panic Output Snippet

No response

Terraform Configuration Files

waf/main.tf snippet:

# crosssitescripting
resource "citrixadc_appfwprofile_crosssitescripting_binding" "this" {
  # One binding per relaxation rule, keyed by the web form field name.
  for_each = {
    for r in var.crosssitescripting.rules : r.crosssitescripting => r
  }

  name                 = citrixadc_appfwprofile.this.name
  crosssitescripting   = each.value.crosssitescripting
  isregex_xss          = each.value.isregex_xss
  formactionurl_xss    = each.value.formactionurl_xss
  as_scan_location_xss = each.value.as_scan_location_xss
  as_value_type_xss    = each.value.as_value_type_xss
  as_value_expr_xss    = each.value.as_value_expr_xss
  isvalueregex_xss     = each.value.isvalueregex_xss
  comment              = each.value.comment
  state                = each.value.state
}

variables.tf snippet:

# crosssitescripting
variable "crosssitescripting" {
  type = object({
    options = optional(object({
      enabled                               = optional(bool, true)
      actions                               = optional(list(string), ["block", "log", "stats", "learn"])
      crosssitescriptingtransformunsafehtml = optional(string, "OFF")
      crosssitescriptingcheckcompleteurls   = optional(string, "OFF")
    }), {})
    rules = list(object({
      crosssitescripting   = string                               # The web form field name.
      isregex_xss          = optional(string, "NOTREGEX")         # Is the web form field name a regular expression? Possible values: [ REGEX, NOTREGEX ]
      formactionurl_xss    = string                               # The web form action URL.
      as_scan_location_xss = optional(string, "FORMFIELD")        # (Optional) Location of cross-site scripting exception: form field, header, cookie or URL. Possible values: [ FORMFIELD, HEADER, COOKIE, URL ]
      as_value_type_xss    = optional(string, null)               # (Optional) The web form value type. Possible values: [ Tag, Attribute, Pattern ]
      as_value_expr_xss    = optional(string, "")                 # (Optional) The web form value expression.
      isvalueregex_xss     = optional(string, "NOTREGEX")         # (Optional) Is the web form field value a regular expression? Possible values: [ REGEX, NOTREGEX ]
      comment              = optional(string, "")
      state                = optional(string, "ENABLED")
    }))
  })
  description = "crosssitescripting settings and relaxations."

  validation {
    error_message = "action for crosssitescripting can only contain block and/or log and/or stats and/or learn."
    condition     = alltrue([for a in var.crosssitescripting.options.actions : contains(["block", "log", "stats", "learn"], a)])
  }
  validation {
    error_message = "state can only be ENABLED or DISABLED for all rules."
    condition = alltrue([
      for r in var.crosssitescripting.rules : contains(["ENABLED", "DISABLED"], r.state)
    ])
  }
}

Steps to Reproduce

Do some initial deployment of citrixadc_appfwprofile_crosssitescripting_binding. Then apply and change values in tf for that resource. You will see what is described in Actual Behavior.

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response

nogiiihhmk added the bug label Jul 3, 2024

nogiiihhmk (Author) commented:

Please check all relaxation types of more complex type against this issue. I assume this issue is also happening for cmdinjection and all the corresponding json, xml checks.

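Added example, not code from the issue or from the citrixadc provider: a small Python detection that scans NetScaler ns.log CMD_EXECUTED lines of the form quoted in the report and flags the sequence it describes, a successful bind of the new crossSiteScripting relaxation followed by a failed unbind of the old one. It also lists which of the selector flags a crossSiteScripting unbind carries in the GUI-generated command quoted above (-crossSiteScripting, -location, -valueType) the failed unbind omitted. Each finding is a relaxation Terraform believes it removed but which is still exempting requests from the XSS check, so it can be unbound by hand and the state refreshed. The log lines are constructed to mirror the report's excerpt; the profile name appfw-profile-example, the user names and IPs, and the 5-second pairing window are assumptions.

```python
"""Flag WAF relaxation updates that left the old rule bound (added example)."""
import re
import shlex
from datetime import datetime, timedelta

# ns.log CMD_EXECUTED record: timestamp, user, client IP, command, status.
CMD_RE = re.compile(
    r'(?P<ts>\d{2}/\d{2}/\d{4}:\d{2}:\d{2}:\d{2}) GMT .*? CMD_EXECUTED \d+ \d+ : '
    r'User (?P<user>\S+) .*? Remote_ip (?P<ip>\S+) - '
    r'Command "(?P<cmd>.*)" - Status "(?P<status>.*)"$'
)

# Flags the GUI-generated unbind in the report uses to identify one
# crossSiteScripting relaxation; the provider-generated unbind lacks -valueType.
XSS_SELECTORS = ("-crossSiteScripting", "-location", "-valueType")

# Constructed sample, modelled on the report's ns.log excerpt (names/IPs assumed).
SAMPLE_LOG = [
    'Jul 3 14:50:22 <local0.info> 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : '
    'default API CMD_EXECUTED 23602308 0 : User svc_adc_terraform - ADM_User NONE - '
    'Remote_ip 172.31.120.161 - Command "bind appfw profile appfw-profile-example '
    '-isRegex NOTREGEX -location FORMFIELD -crossSiteScripting namexxx "https://urlxxx" '
    '-valueType Attribute valuexxx -state ENABLED -RuleType ALLOW" - Status "Success"',
    'Jul 3 14:50:22 <local0.info> 172.31.3.151 07/03/2024:12:50:22 GMT vacnstfi31 0-PPE-0 : '
    'default API CMD_EXECUTED 23602336 0 : User svc_adc_terraform - ADM_User NONE - '
    'Remote_ip 172.31.120.161 - Command "unbind appfw profile appfw-profile-example '
    '-location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD '
    '-RuleType ALLOW" - Status "ERROR: No such CrossSiteScripting check"',
    'Jul 3 14:55:10 <local0.info> 172.31.3.151 07/03/2024:12:55:10 GMT vacnstfi31 0-PPE-0 : '
    'default API CMD_EXECUTED 23602400 0 : User admin - ADM_User NONE - '
    'Remote_ip 172.31.120.200 - Command "unbind appfw profile appfw-profile-example '
    '-location FORMFIELD -crossSiteScripting name "https://url" -location FORMFIELD '
    '-valueType Attribute value -RuleType ALLOW" - Status "Success"',
]


def parse_line(line):
    """Return a dict for a CMD_EXECUTED line, or None for any other line."""
    m = CMD_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%m/%d/%Y:%H:%M:%S")
    toks = shlex.split(rec["cmd"])  # keeps the quoted form-action URL as one token
    if not toks:
        return None
    rec["verb"] = toks[0]
    is_profile_cmd = len(toks) > 3 and toks[1:3] == ["appfw", "profile"]
    rec["profile"] = toks[3] if is_profile_cmd else None
    flags = {}
    for i, tok in enumerate(toks):
        if tok.startswith("-"):
            vals = []
            for nxt in toks[i + 1:]:
                if nxt.startswith("-"):
                    break
                vals.append(nxt)
            flags[tok] = vals  # last occurrence wins; the GUI repeats flags
    rec["flags"] = flags
    return rec


def find_orphaned_relaxations(lines, window=timedelta(seconds=5)):
    """Failed crossSiteScripting unbinds, paired with the bind just before them.

    The pairing window is an assumption: in the report the bind and the
    failing unbind are logged within the same second.
    """
    recs = [r for r in map(parse_line, lines) if r and r["profile"]]
    findings = []
    for r in recs:
        if r["verb"] != "unbind" or r["status"] == "Success":
            continue
        if "-crossSiteScripting" not in r["flags"]:
            continue
        new_rules = [
            b["flags"].get("-crossSiteScripting")
            for b in recs
            if b["verb"] == "bind" and b["status"] == "Success"
            and b["profile"] == r["profile"] and b["user"] == r["user"]
            and timedelta(0) <= r["ts"] - b["ts"] <= window
        ]
        findings.append({
            "profile": r["profile"],
            "user": r["user"],
            "remote_ip": r["ip"],
            "error": r["status"],
            "old_rule": r["flags"]["-crossSiteScripting"],
            "missing_selectors": [f for f in XSS_SELECTORS if f not in r["flags"]],
            "new_rule_bound": new_rules,
        })
    return findings


if __name__ == "__main__":
    for f in find_orphaned_relaxations(SAMPLE_LOG):
        print(f"{f['profile']}: old relaxation {f['old_rule']} still bound; "
              f"unbind omitted {f['missing_selectors']}; new rule(s) {f['new_rule_bound']}")
```

Run it as a script to print the findings, or call find_orphaned_relaxations on lines read from a real ns.log. The third sample line, a GUI-style unbind that carries -valueType and succeeds, is deliberately not flagged; only the unbind that failed with "No such CrossSiteScripting check" is reported, together with the selector it lacked.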