Terraform Provider for Illumio Core

Home Page: https://registry.terraform.io/providers/illumio/illumio-core/latest

License: Apache License 2.0


terraform-provider-illumio-core's Introduction

Terraform Provider for Illumio Core

The Terraform Illumio provider allows users to define HCL configuration to manage resources in the Illumio Policy Compute Engine (PCE).

For more information about Illumio, please visit the Illumio Website. Documentation about the Illumio Core product can be found on the Illumio documentation portal.

The provider can be used to manage policy and objects within the Illumio Policy Compute Engine. Objects that can be managed in Terraform include, but are not limited to:

  • Workloads
  • Labels
  • IP Lists
  • Services
  • Security Rules and Rulesets
  • Enforcement Boundaries
  • Pairing Profiles and Pairing Keys

See the documentation for a more comprehensive list.

The following versions of the Illumio Core Policy Compute Engine are currently supported:

  • PCE v21.5
  • PCE v22.2
  • PCE v22.5
  • PCE v23.2
  • SaaS PCEs (v23.5)

Getting Started

Contributing

For information on how you can contribute to the provider, please refer to the contributor guidelines.

If you believe you have found a security issue or vulnerability in the provider or in the Illumio Core product, please refer to the Security document for steps on how to contact the Illumio security team. Please do not file a public issue.

Support

The Illumio-Core Terraform Provider is released and distributed as open source software subject to the LICENSE. Please read the entire LICENSE for additional information regarding the permissions and limitations.

For bugs and feature requests, please open a Github Issue and label it appropriately.

terraform-provider-illumio-core's People

Contributors

cmistry-crest, dependabot[bot], dgajera-crest, dsommerville-illumio, kyongkim-illumio, pjkirner


terraform-provider-illumio-core's Issues

Error adding "enabled" to rule_set resource

Cannot disable a rule_set

Enable = false should disable the rule-set

Error on "terraform apply":

Error: not-acceptable:
│ Token: input_validation_error
│ Message: Input validation failed. Details: {The property '#/ip_tables_rules' of type null did not match the following type: array in schema sec_policy_rule_sets_put.schema.json}

Steps to reproduce

resource "illumio-core_rule_set" "example" {
  description = "asdf"
  enabled     = false
  name        = "RS-TF-CORE-SERVICES-DEV"

  scopes {
    label {
      href = illumio-core_label.app_core_services.href
    }
    label {
      href = illumio-core_label.env_dev.href
    }
  }
}

System Information

Scope warnings and errors in rules

Behavior in terraform when provisioning a rule with the same label as the scope results in the rule being ignored

  1. It would be nice to have a warning in TF if there is something in a rule that would cause it to be ignored due to scope.
  2. It would be better if the creation would fail if we know that the rule will be ignored.

Provision for multiple clusters

Hello,

Is it possible to adapt the provision code as a resource? When you try to work with multiple clusters, this script does not work.

Regards

Inconsistent TF state after errored terraform apply in resource pairing key

Steps to reproduce this bug:

  1. Run terraform apply on this:

     resource "illumio-core_pairing_keys" "terraform_pairing_key_1" {
       pairing_profile_href = "/orgs/1/pairing_profiles/32"
       token_count          = 3
     }

  2. Again run terraform apply for the following config:

     resource "illumio-core_pairing_keys" "terraform_pairing_key_1" {
       pairing_profile_href = "/orgs/1/pairing_profiles/10"
       token_count          = 3
     }

  3. The provider will throw an error, i.e.,

     Error: [illumio-core_pairing_keys] Can not change pairing_profile_href once set
        on pairing_key.tf line 1, in resource "illumio-core_pairing_keys" "terraform_pairing_key_1":
        1: resource "illumio-core_pairing_keys" "terraform_pairing_key_1" {

  4. Again run terraform apply for the same config; it won't throw the error. It will accept the invalid state as a valid state.

Expected Outcome:
The last terraform apply should throw the error and the state should remain consistent

Unable to update a managed_workload

Unable to change a property of a managed_workload.

Expected Result

Description value should be changed.

resource "illumio-core_managed_workload" "example" {
  name        = "Win10CMD"
  description = "test"
}

Actual Result

│ Error: not-acceptable:
│ Token: input_validation_error
│ Message: Input validation failed. Details: {The property '#/' contains additional properties ["interfaces"] outside of the schema when none are allowed in schema workloads_with_ven_put.schema.json}

Steps to reproduce

  1. Import the managed workload
  2. Change a property (for example description)

System Information

PCE 22.5.2

Virtual Service provisioning issue

Provisioning is not applied successfully on virtual service resource creation if a non-provisioned service is included in the virtual service resource configuration. This results in both the service and the virtual service being unprovisioned. This also affects the service binding resource, as it needs an active virtual service href.

Example TF Config:

resource "illumio-core_service" "service_1" {
  name = "service 1234321"
  windows_services {
    proto = 6
  }
}

resource "illumio-core_virtual_service" "virtual_service_1" {
  name     = "virtual service 1234321"
  apply_to = "host_only"
  service {
    href = illumio-core_service.service_1.href
  }
}

resource "illumio-core_workload" "workload_1" {
  name = "workload 1234321"
}

resource "illumio-core_service_binding" "service_binding_1" {
  virtual_service {
    href = replace(illumio-core_virtual_service.virtual_service_1.href, "draft", "active")
  }
  workload {
    href = illumio-core_workload.workload_1.href
  }
}

The Error thrown when terraform apply is executed:

Error: not-acceptable:
Token: invalid_uri
Message: Invalid URI: {/orgs/1/sec_policy/active/virtual_services/4abf00fe-5f68-46a4-8731-3bdd8351a77f}


  on test.tf line 32, in resource "illumio-core_service_binding" "service_binding_1":
  32: resource "illumio-core_service_binding" "service_binding_1" {

This is due to the unprovisioned virtual service referenced in the service binding resource block.

Expected Outcome:
terraform apply should not throw any type of error when executed and the virtual service resource should be provisioned at the time of creation.

error updating organization_settings

Getting a message about syslog.

Error: not-acceptable:
│ Token: method_not_allowed_on_saas_cluster
│ Message: Configuring PCE syslog service is not allowed on SAAS cluster

resource "illumio-core_organization_settings" "example" {
  audit_event_retention_seconds = 2592000
  audit_event_min_severity      = "informational"
  format                        = "JSON"
}

Security_rule consumer exclusion is not configured

In a rule, provider exclusion is not configured in the PCE.

In a rule, provider exclusion should be configured in the PCE.

When a provider exception is configured, a provider label is configured, instead of being excluded.

resource "illumio-core_security_rule" "web_dev_inbound2" {
  rule_set_href = illumio-core_rule_set.web_apps.href

  enabled = true

  resolve_labels_as {
    consumers = ["workloads"]
    providers = ["workloads"]
  }

  consumers {
    ip_list {
      href = illumio-core_ip_list.lab_internal.href
    }
    exclusion = true
  }

  providers {
    label {
      href = illumio-core_label.role_tomcat.href
    }
  }

  ingress_services {
    port  = 113
    proto = 6
  }
}

System Information

PCE 22.5.2

related pairing_profile and pairing_key fails on terraform destroy

resource "illumio-core_pairing_profile" "terraform_pairing_profile_1" {
  name    = "terraform_pairing_profile_1"
  enabled = true

  labels {
    href = illumio-core_label.terraform_app_label.href
  }

  labels {
    href = illumio-core_label.terraform_loc_label.href
  }

  labels {
    href = illumio-core_label.terraform_env_label.href
  }

  allowed_uses_per_key  = "unlimited"
  key_lifespan          = "50"
  env_label_lock        = true
  loc_label_lock        = true
  role_label_lock       = false
  app_label_lock        = true
  log_traffic           = false
  log_traffic_lock      = true
  enforcement_mode      = "full"
  enforcement_mode_lock = true
  visibility_level      = "flow_summary"
  visibility_level_lock = true
}

resource "illumio-core_pairing_keys" "terraform_pairing_key_1" {
  pairing_profile_href = illumio-core_pairing_profile.terraform_pairing_profile_1.href
  token_count          = 3
}

running terraform destroy results in

Error: not-found: /orgs/1/pairing_profiles/33/pairing_keys

This is due to the dependent deletion of the pairing_keys' pairing_profile. The provider needs to check whether the key exists before deleting it.

Creating rule set and child rule results in inconsistent remote state

resource "illumio-core_pairing_profile" "terraform_pairing_profile_1" {
  name    = "terraform_pairing_profile_1"
  enabled = true

  labels {
    href = illumio-core_label.terraform_app_label.href
  }

  labels {
    href = illumio-core_label.terraform_loc_label.href
  }

  labels {
    href = illumio-core_label.terraform_env_label.href
  }

  allowed_uses_per_key  = "unlimited"
  key_lifespan          = "50"
  env_label_lock        = true
  loc_label_lock        = true
  role_label_lock       = false
  app_label_lock        = true
  log_traffic           = false
  log_traffic_lock      = true
  enforcement_mode      = "full"
  enforcement_mode_lock = true
  visibility_level      = "flow_summary"
  visibility_level_lock = true
}

resource "illumio-core_security_rule" "terraform_postgres_rule" {
  rule_set_href = illumio-core_rule_set.terraform_rs1.href

  enabled = true

  resolve_labels_as {
    consumers = ["workloads"]
    providers = ["workloads"]
  }

  consumers {
    actors = "ams"
  }

  consumers {
    ip_list {
      href = illumio-core_ip_list.terraform_pce_ip_list.href
    }
  }

  consumers {
    workload {
      href = illumio-core_workload.terraform_workload_1.href
    }
  }

  ingress_services {
    href = illumio-core_service.terraform_postgres.href
  }

  providers {
    workload {
      href = illumio-core_workload.terraform_db0_pce.href
    }
  }

  providers {
    label {
      href = illumio-core_label.terraform_role_label.href
    }
  }
}

This results in the ruleset and rule being created properly, but a subsequent apply results in:

Terraform will perform the following actions:

illumio-core_rule_set.terraform_rs1 will be updated in-place

~ resource "illumio-core_rule_set" "terraform_rs1" {
id = "/orgs/1/sec_policy/draft/rule_sets/86"
name = "terraform-rs1"
# (8 unchanged attributes hidden)

  - rules {
      - created_at         = "2021-06-18T05:31:02.310Z" -> null
      - created_by         = {
          - "href" = "/users/1"
        } -> null
      - deleted_by         = {} -> null
      - enabled            = true -> null
      - href               = "/orgs/1/sec_policy/draft/rule_sets/86/sec_rules/87" -> null
      - machine_auth       = false -> null
      - sec_connect        = false -> null
      - stateless          = false -> null
      - unscoped_consumers = false -> null
      - update_type        = "create" -> null
      - updated_at         = "2021-06-18T05:31:02.348Z" -> null
      - updated_by         = {
          - "href" = "/users/1"
        } -> null

      - consumers {
          - ip_list {
              - href = "/orgs/1/sec_policy/draft/ip_lists/155" -> null
            }
        }
      - consumers {

          - workload {
              - href = "/orgs/1/workloads/6b5849c8-76f8-48d7-9cb4-da1a07e22c47" -> null
            }
        }
      - consumers {
          - actors = "ams" -> null
        }

      - ingress_services {
          - href = "/orgs/1/sec_policy/draft/services/72" -> null
        }

      - providers {

          - label {
              - href = "/orgs/1/labels/186" -> null
            }
        }
      - providers {

          - workload {
              - href = "/orgs/1/workloads/d6819eee-532a-4f72-bb8d-f41efa876c17" -> null
            }
        }

      - resolve_labels_as {
          - consumers = [
              - "workloads",
            ] -> null
          - providers = [
              - "workloads",
            ] -> null
        }
    }

    # (1 unchanged block hidden)
}

Plan: 0 to add, 1 to change, 0 to destroy.

This is because the refresh of the rule_set state includes the rule inline, so terraform will delete the rule on the subsequent apply. The READ of rule_set needs to include ?representation=rule_set_scopes for consistency.

Unable to update workload_settings

Getting error when updating workload_settings.
The resource gets created ok in the state file on "apply".

Actual Result

Error: not-acceptable:
│ Token: input_validation_error
│ Message: Input validation failed. Details: {The property '#/workload_disconnected_timeout_seconds/0' contains additional properties ["ven_type"] outside of the schema when none are allowed in schema settings_workload.schema.json#}


│ with illumio-core_workload_settings.example,
│ on resource.tf line 1, in resource "illumio-core_workload_settings" "example":
│ 1: resource "illumio-core_workload_settings" "example" {

resource "illumio-core_workload_settings" "example" {
  workload_disconnected_timeout_seconds {
    value = 3599
  }

  workload_goodbye_timeout_seconds {
    value = 900
  }
}

System Information

Data resource for ruleset search for strict match

Hello,

If we search for a ruleset name like "TEST", it will return all rulesets which contain "TEST". When we have multiple rulesets which contain "TEST", it will take the first one.

Use case

data "illumio-core_rule_sets" "rule_sets" {
  name = var.security_rule[0].rulesets[0].rule_set_name
}

It could be nice to have the choice of the regex, like:

data "illumio-core_rule_sets" "rule_sets" {
  name   = var.security_rule[0].rulesets[0].rule_set_name
  filter = exact_match
}

OR

data "illumio-core_rule_sets" "rule_sets" {
  name   = var.security_rule[0].rulesets[0].rule_set_name
  filter = contains
}
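As an added illustration of the exact-match behaviour this request asks for (example code written for this page, not part of the provider), the following Go function post-filters the PCE's substring search results on the provider side and refuses to pick the first of several candidates. The RuleSet type, the MatchMode argument and the sample hrefs are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// RuleSet is a minimal stand-in for the objects the PCE returns from a
// substring search (GET .../rule_sets?name=<text>); constructed for this example.
type RuleSet struct {
	Href string
	Name string
}

// MatchMode is the hypothetical "filter" argument: contains (PCE default) or exact.
type MatchMode int

const (
	MatchContains MatchMode = iota
	MatchExact
)

var ErrNoMatch = errors.New("no rule set matches the given name")
var ErrAmbiguous = errors.New("several rule sets match; refine the name or use exact match")

// SelectRuleSet post-filters the PCE's substring results on the provider side:
// in exact mode only a name equal to the query qualifies, and in either mode
// several candidates are an error instead of silently taking the first.
func SelectRuleSet(results []RuleSet, name string, mode MatchMode) (RuleSet, error) {
	var candidates []RuleSet
	for _, rs := range results {
		if (mode == MatchExact && rs.Name == name) ||
			(mode == MatchContains && strings.Contains(rs.Name, name)) {
			candidates = append(candidates, rs)
		}
	}
	switch len(candidates) {
	case 0:
		return RuleSet{}, ErrNoMatch
	case 1:
		return candidates[0], nil
	}
	return RuleSet{}, fmt.Errorf("%w: %d candidates for %q", ErrAmbiguous, len(candidates), name)
}

func main() {
	// Constructed sample of what the PCE would return for ?name=TEST.
	fromPCE := []RuleSet{{"/orgs/1/sec_policy/draft/rule_sets/10", "TEST"}, {"/orgs/1/sec_policy/draft/rule_sets/11", "TEST-DEV"}}
	rs, err := SelectRuleSet(fromPCE, "TEST", MatchExact)
	fmt.Println(rs.Href, err)
}
```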
