
F5 Bigip Cipher Rules and Cipher Groups #654

Closed
gtkterraform opened this issue Jun 28, 2022 · 5 comments · Fixed by #882, #885, #903 or #907

@gtkterraform

There is no way I can create LTM cipher groups or cipher rules. Is this something I can expect in a week or two?

@trinaths
Collaborator

trinaths commented Jul 6, 2022

Suggest using AS3 with TF for configuring Cipher Rules and Cipher Groups.
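The AS3 route suggested here, written out as an added example (this is not code from the thread, from the provider's documentation, or from F5): the cipher rule and cipher group from the issue expressed as AS3 `Cipher_Rule` and `Cipher_Group` objects, bound to a `TLS_Server`, and pushed through the provider's `bigip_as3` resource. The class and property names (`cipherSuites`, `namedGroups`, `allowCipherRules`, `order`, `cipherGroup`) are taken from the AS3 schema as I recall it and should be checked against the AS3 reference for the version you run; tenant, application and object names, and the `/Common/default.crt` certificate pointer, are placeholders.

```hcl
# Added example, not from the thread or from F5. Assumptions: AS3 class and
# property names as recalled from the AS3 schema; all object names are made up.
resource "bigip_as3" "tls13_policy" {
  as3_json = jsonencode({
    class = "AS3"
    declaration = {
      class         = "ADC"
      schemaVersion = "3.36.0"
      id            = "tls13-cipher-policy"

      Tenant_TLS = {
        class = "Tenant"

        App = {
          class = "Application"

          # Equivalent of the bigip_ltm_cipher_rule from the issue:
          # TLS 1.3 AEAD suites only, with an explicit (EC)DHE group list.
          tls13_only = {
            class        = "Cipher_Rule"
            cipherSuites = ["TLS13-AES128-GCM-SHA256", "TLS13-AES256-GCM-SHA384"]
            namedGroups  = ["P256", "P384", "FFDHE2048", "FFDHE3072", "FFDHE4096"]
          }

          # Equivalent of the bigip_ltm_cipher_group: the group allows only the
          # rule above, mandates nothing extra, and uses "default" ordering.
          strict_group = {
            class              = "Cipher_Group"
            allowCipherRules   = [{ use = "tls13_only" }]
            requireCipherRules = []
            order              = "default"
          }

          # The cipher group only matters once a TLS profile uses it.
          webcert = {
            class       = "Certificate"
            certificate = { bigip = "/Common/default.crt" }   # placeholder cert
            privateKey  = { bigip = "/Common/default.key" }   # placeholder key
          }
          server_tls = {
            class        = "TLS_Server"
            certificates = [{ certificate = "webcert" }]
            cipherGroup  = { use = "strict_group" }
          }
        }
      }
    }
  })
}
```

Because AS3 is declarative over the whole tenant, anything you later drop from the declaration (for example `requireCipherRules`) is removed on the device on the next apply, which is the behaviour the native resources in this thread were expected to have.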

@trinaths trinaths closed this as completed Jul 6, 2022
This was referenced Oct 11, 2023
@RavinderReddyF5 RavinderReddyF5 added this to the v1.20.0 milestone Oct 11, 2023
@amolari

amolari commented Oct 17, 2023

@RavinderReddyF5 @pgouband
Testing the feature with v1.20.0 and the results are not good.

I have the following code:

resource "bigip_ltm_cipher_rule" "test_cipher_rule" {
  name                 = "/Common/test_cipher_rule"
  cipher               = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"
  dh_groups            = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
  signature_algorithms = "DEFAULT"
}

resource "bigip_ltm_cipher_group" "test-cipher-group" {
  name     = "/Common/test-cipher-group-01"
  allow    = ["/Common/f5-aes"]
  require  = ["/Common/f5-quic"]
  ordering = "speed"
}

Plan result looks good:

Terraform will perform the following actions:

  # bigip_ltm_cipher_group.test-cipher-group will be created
  + resource "bigip_ltm_cipher_group" "test-cipher-group" {
      + allow    = [
          + "/Common/f5-aes",
        ]
      + id       = (known after apply)
      + name     = "/Common/test-cipher-group-01"
      + ordering = "speed"
      + require  = [
          + "/Common/f5-quic",
        ]
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Apply went well and on the UI, the config reflects my TF code.

Then I change my code for the cipher_group to:

resource "bigip_ltm_cipher_group" "test-cipher-group" {
  name  = "/Common/test-cipher-group-01"
  allow = [resource.bigip_ltm_cipher_rule.test_cipher_rule.name]
}

Plan result (not OK because the ordering should be set back to its default value="DEFAULT"):

Terraform will perform the following actions:

  # bigip_ltm_cipher_group.test-cipher-group will be updated in-place
  ~ resource "bigip_ltm_cipher_group" "test-cipher-group" {
      ~ allow    = [
          - "/Common/f5-aes",
          + "/Common/test_cipher_rule",
        ]
        id       = "/Common/test-cipher-group-01"
        name     = "/Common/test-cipher-group-01"
      ~ require  = [
          - "/Common/f5-quic",
        ]
        # (1 unchanged attribute hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Result after apply on the UI is not OK:

  1. the allowed cipher has been successfully changed from f5-aes to test_cipher_rule but the require (restrict) still has the f5-quic configured
  2. the ordering is still "Speed" and not "DEFAULT" (as my previous remark)

If I run the plan again, it detects that the f5-quic has to be removed:

Terraform will perform the following actions:

  # bigip_ltm_cipher_group.test-cipher-group will be updated in-place
  ~ resource "bigip_ltm_cipher_group" "test-cipher-group" {
        id       = "/Common/test-cipher-group-01"
        name     = "/Common/test-cipher-group-01"
      ~ require  = [
          - "/Common/f5-quic",
        ]
        # (2 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.

Another issue: if I remove (through the UI) that cipher_group and run a plan, I crash the provider:

Stack trace from the terraform-provider-bigip_v1.20.0 plugin:

panic: runtime error: invalid memory address or nil pointer dereference
[signal SIGSEGV: segmentation violation code=0x1 addr=0x20 pc=0x9f42e0]

goroutine 796 [running]:
github.com/F5Networks/terraform-provider-bigip/bigip.resourceBigipLtmCipherGroupRead({0xfa6960?, 0xc00008b7a0?}, 0xc000da0500, {0xe2a8c0?, 0xc00050ba80})
        github.com/F5Networks/terraform-provider-bigip/bigip/resource_bigip_ltm_cipher_group.go:114 +0x180
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).read(0xc0004490a0, {0xfa6960, 0xc00008b7a0}, 0xd?, {0xe2a8c0, 0xc00050ba80})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.25.0/helper/schema/resource.go:724 +0x12e
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*Resource).RefreshWithoutUpgrade(0xc0004490a0, {0xfa6960, 0xc00008b7a0}, 0xc000688c30, {0xe2a8c0, 0xc00050ba80})
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.25.0/helper/schema/resource.go:1015 +0x585
github.com/hashicorp/terraform-plugin-sdk/v2/helper/schema.(*GRPCProviderServer).ReadResource(0xc0003a4c00, {0xfa6960?, 0xc00008b680?}, 0xc0006f4880)
        github.com/hashicorp/terraform-plugin-sdk/v2@v2.25.0/helper/schema/grpc_provider.go:613 +0x4a5
github.com/hashicorp/terraform-plugin-go/tfprotov5/tf5server.(*server).ReadResource(0xc000000500, {0xfa6960?, 0xc00008aed0?}, 0xc00067e600)
        github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/tf5server/server.go:748 +0x4b1
github.com/hashicorp/terraform-plugin-go/tfprotov5/internal/tfplugin5._Provider_ReadResource_Handler({0xdecf80?, 0xc000000500}, {0xfa6960, 0xc00008aed0}, 0xc000772a80, 0x0)
        github.com/hashicorp/terraform-plugin-go@v0.14.3/tfprotov5/internal/tfplugin5/tfplugin5_grpc.pb.go:349 +0x170
google.golang.org/grpc.(*Server).processUnaryRPC(0xc0003bc000, {0xfaa500, 0xc0002ce820}, 0xc00014b7a0, 0xc000444840, 0x1513e10, 0x0)
        google.golang.org/grpc@v1.53.0/server.go:1336 +0xd23
google.golang.org/grpc.(*Server).handleStream(0xc0003bc000, {0xfaa500, 0xc0002ce820}, 0xc00014b7a0, 0x0)
        google.golang.org/grpc@v1.53.0/server.go:1704 +0xa2f
google.golang.org/grpc.(*Server).serveStreams.func1.2()
        google.golang.org/grpc@v1.53.0/server.go:965 +0x98
created by google.golang.org/grpc.(*Server).serveStreams.func1
        google.golang.org/grpc@v1.53.0/server.go:963 +0x28a

Error: The terraform-provider-bigip_v1.20.0 plugin crashed!

This is always indicative of a bug within the plugin. It would be immensely
helpful if you could report the crash with the plugin's maintainers so that it
can be fixed. The output above should help diagnose the issue.

@amolari

amolari commented Oct 17, 2023

@RavinderReddyF5 @pgouband
Additional issue with the documentation (https://registry.terraform.io/providers/F5Networks/bigip/latest/docs):
the documentation for the resource bigip_ltm_cipher_group is under
"bigip provider > Resources";
it should be (along with the properly placed bigip_ltm_cipher_rule) under
"bigip provider > Local Traffic Manager (LTM) > Resources".

@pgouband
Collaborator

Hi,

Thanks for reporting. Added to the backlog and internal tracking ID for this request is: INFRAANO-1348.

@pgouband pgouband reopened this Oct 18, 2023
@pgouband
Collaborator

Hi @amolari,

There is no default value in cipher groups or rules, so not adding the parameter can be a revert-to-default-value action.
If you want to set ordering to default, you need to add the ordering parameter in your declaration.
The same applies if you want to remove the element in require.

If it's not working as you expect, I suggest testing AS3.
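Following the maintainer's guidance above, here is the native-resource version with every attribute stated explicitly, as an added example (not code from the thread or from the provider's documentation). The point is the failure mode amolari hit: when `require` and `ordering` were simply dropped from the block, the device kept `f5-quic` as a required rule and `speed` ordering while Terraform reported "1 unchanged attribute hidden", so the running TLS policy no longer matched the declaration. Declaring the attributes removes that ambiguity. Assumptions in this example: that the provider accepts `require = []` as "no required rules", and that `cipher_group` (with `ciphers = "none"`, since on BIG-IP a profile's cipher string and cipher group are mutually exclusive) is how the group is bound to a `bigip_ltm_profile_client_ssl`; the object names are made up.

```hcl
# Added example, not from the thread or the provider's docs. Assumptions:
# `require = []` is honoured as an empty required list, and `cipher_group` plus
# `ciphers = "none"` is the binding on the client-ssl profile; names are made up.
resource "bigip_ltm_cipher_rule" "tls13_only" {
  name                 = "/Common/tls13_only"
  cipher               = "TLS13-AES128-GCM-SHA256:TLS13-AES256-GCM-SHA384"
  dh_groups            = "P256:P384:FFDHE2048:FFDHE3072:FFDHE4096"
  signature_algorithms = "DEFAULT"
}

resource "bigip_ltm_cipher_group" "strict" {
  name     = "/Common/strict-cipher-group"
  allow    = [bigip_ltm_cipher_rule.tls13_only.name]
  require  = []          # explicit: nothing is mandated beyond "allow"
  ordering = "default"   # explicit: never rely on the device keeping an old value
}

# A cipher group only constrains traffic once a TLS profile references it.
resource "bigip_ltm_profile_client_ssl" "strict" {
  name          = "/Common/strict-clientssl"
  defaults_from = "/Common/clientssl"
  ciphers       = "none"                             # cipher string and cipher group are exclusive on BIG-IP
  cipher_group  = bigip_ltm_cipher_group.strict.name
}
```

After each apply, confirm the device agrees with the plan rather than trusting "unchanged attributes hidden": `tmsh list ltm cipher group /Common/strict-cipher-group` and `tmsh list ltm cipher rule /Common/tls13_only` show the live `allow`, `require` and `ordering` values, and a second `terraform plan` should then be empty. If either check disagrees with the declaration, that is the drift this thread reports, not a successful apply.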

urohit011 added a commit to urohit011/terraform-provider-bigip that referenced this issue Nov 10, 2023
RavinderReddyF5 added a commit that referenced this issue Nov 20, 2023