Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Destroy on dnacenter_sda_fabric_authentication_profile not possible #127

Open
3 tasks done
pamosima opened this issue Jan 19, 2023 · 15 comments
Open
3 tasks done

Destroy on dnacenter_sda_fabric_authentication_profile not possible #127

pamosima opened this issue Jan 19, 2023 · 15 comments
Assignees
@zapodeanu
Labels
developer

Comments

@pamosima
Copy link

Prerequisites

  • Have you tested the operation in the API directly?
  • Do you have the latest Terraform provider version?
  • Review the compatibility matrix before opening an issue.

Describe the bug
Destroy on dnacenter_sda_fabric_authentication_profile not possible. As there is as well an error on the API:

{
"status": "failed",
"description": "Cannot unselect the selected authentication profile.",
"taskId": "f83e755e-1559-4fdf-a7bc-620c4bdd8666",
"taskStatusUrl": "/dna/intent/api/v1/task/f83e755e-1559-4fdf-a7bc-620c4bdd8666",
"executionStatusUrl": "/dna/intent/api/v1/dnacaap/management/execution-status/20de3a60-6e71-4982-9786-e3e0a6e549f7",
"executionId": "20de3a60-6e71-4982-9786-e3e0a6e549f7",
"response": {
"failureReason": "Unknown Error: An unexpected condition was encountered. Please try after the system is restored."
}
}

Expected behavior
Delation of authentication profile is not possible. So it should only remove the ressource state.

Screenshots

Error: Failure when executing DeleteDefaultAuthenticationProfileFromSdaFabric

error with operation DeleteDefaultAuthenticationProfileFromSdaFabric
{
"status" : "failed",
"description" : "Cannot unselect the selected authentication profile.",
"taskId" : "a530734b-2254-424b-8fd9-030a2a9736c8",
"taskStatusUrl" : "/dna/intent/api/v1/task/a530734b-2254-424b-8fd9-030a2a9736c8",
"executionStatusUrl" : "/dna/intent/api/v1/dnacaap/management/execution-status/1b568cfd-6191-4f50-897e-416258463dee",
"executionId" : "1b568cfd-6191-4f50-897e-416258463dee"
}

Environment (please complete the following information):

  • Cisco DNA Center version and patch: 2.3.4.3
  • Terraform version: 1.3.7
  • Cisco DNA Center provider version: 1.0.16-beta
  • OS Version: MacOS 13.1

Additional context
This could be ignored and just remove the state. As there is no option to delete the auth profile from GUI. But fabric site can not be destroyed if the auth profile is still in the state.
@mschedrin
Copy link

I have encountered this issue too. I suppose that better action on resource destruction would be to select default authentication profile in dnac and remove state. In this case terraform effectively rolls back it's own activity to original resource state.
Even better solution would be to implement delete action in DNAC API that will set authentcation profile to default value.

@fmunozmiranda
Copy link
Collaborator

@zapodeanu , in your opinion, what would be the expected behavior of deleting a SDA Fabric Authentication Profile?

@zapodeanu
Copy link

@mschedrin If this is still an issue with the API, please open a TAC case

@zapodeanu zapodeanu assigned mschedrin and unassigned zapodeanu Jun 23, 2023
@mschedrin
Copy link

This is not directly an API issue. Current provider implementation does not support destruction of `dnacenter_sda_fabric_authentication_profile´. @fmunozmiranda asked your opinion about what is the better way to destroy the resource using DNAC API. If you don't have any preferences, then I suggest implementing my suggestion in previous comment:

I suppose that better action on resource destruction would be to select default authentication profile in dnac and remove state. In this case terraform effectively rolls back it's own activity to original resource state.

Cleaner implementation would be to implement API endpoint for removing of sda fabric authentication profile. Is something that you can register as feature request for DNAC API @zapodeanu?

@mschedrin mschedrin removed their assignment Jul 12, 2023
@mschedrin
Copy link

mschedrin commented Jul 12, 2023
edited
Loading

I don't have permission to reassign the issue back to @zapodeanu. Probably @fmunozmiranda can make it for me?

@mschedrin
Copy link

I suppose this API call should do the job:
image

@zapodeanu
Copy link

That is correct. The API would be able to delete an auth profile. Are we attempting to remove an auth profile while in use for host onboarding? @mschedrin

@mschedrin
Copy link

Not sure what are use cases for this operation during normal operations, but when running terraform destroy command it is supposed to clean up all the resources/configurations that had been earlier created by terraform, hence we need to remove auth profile configuration and return it to factory defaults.
@fmunozmiranda do you need any more details for implementing this?

@wastorga
Copy link
Collaborator

The resource dnacenter_sda_fabric_authentication_profile uses the API DELETE /dna/intent/api/v1/business/sda/authentication-profile.

We verify that the API operation does not return an unsuccessful status; if it is unsuccessful, we do not tell Terraform to remove the state; instead, we throw an error, and the user should look to see what is happening and decide what to do accordingly. If DNA Center says the operation was successful, we tell Terraform to remove the state.

The issue reported by the user had the following message from the DELETE API's execution details:

 "description" : "Cannot unselect the selected authentication profile.",

The question I have is if the DELETE API works by itself or if it is required for another API to be involved to allow it to work.
Since the procedure for the two scenarios is different.

Could you help me with this question, @zapodeanu ?

@mschedrin
Copy link

Currently I can not verify whether deletion of dnacenter_sda_fabric_authentication_profile resource uses API correctly as creation of this resource does not work either #189.

@zapodeanu
Copy link

zapodeanu commented Jul 31, 2023
edited
Loading

I have tested the delete Auth template last week and I asked engineering for verification why it failed.
I will update as soon as I hear back from them.

@wastorga wastorga mentioned this issue Jul 31, 2023
Closed
3 tasks
@mschedrin
Copy link

@zapodeanu, have you heard anything from engineering team yet?

@zapodeanu
Copy link

zapodeanu commented Aug 21, 2023
edited
Loading

@mschedrin Yes, I did. There is no concept of deleting the default authentication templates from Cisco DNA Center. The current templates - closed, open, low impact or none can not be deleted. We could update a fabric with a PUT to change from using open to none, but we can not delete the template. The delete API does not provide any capabilities today. I do not know if it did in the past, however, at this time the API call will fail as there is no support for delete fabric auth template operation.

@DNACENSolutions
Copy link

This should be the last operation on fabric site, if the fabric site is in use this operation should be avoided. The templates can not be completed deleted but the delete operation sets it to default 'none'. If the previous state was none, there will be no change. The error was a defect, which was fixed in 2.3.5.0 + releases with CDET: CSCwd34563.

@mschedrin
Copy link

@DNACENSolutions I cannot open the bug you referenced, it's not public. What has been fixed, has delete method been implemented?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees

@zapodeanu zapodeanu

Labels
developer
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
7 participants
@jbogarin @mschedrin @pamosima @zapodeanu @wastorga @fmunozmiranda @DNACENSolutions