terraform-provider-bigip
bigip_ltm_policy; operand 'ssl-extension' is not available during event 'request'. during apply
Environment
- TMOS/Bigip Version: BIG-IP 15.1.5 Build 0.0.10 Final
- Terraform Version: 1.1.7
- Terraform bigip provider Version: 1.14.0
Summary
I'm trying to roll out a new Policy with some rules and conditions. To me nothing really fancy and the plan states perfectly what should be done. Then the apply fails with the following error:
bigip_ltm_policy.import: Creating...
╷
│ Error: HTTP 400 :: {"code":400,"message":"010716ff:3: Policy '/modules-test-d-app1-az1/Drafts/import-rule', rule 'Rule-01'; operand 'ssl-extension' is not available during event 'request'.","errorStack":[],"apiError":3}
│
│ with bigip_ltm_policy.import,
│ on main.tf line 31, in resource "bigip_ltm_policy" "import":
│ 31: resource "bigip_ltm_policy" "import" {
│
╵
I think this is due to some selective process when creating the rule. A similar issue has been found and fixed for Ansible; https://github.com/F5Networks/f5-ansible/issues/1675
Steps To Reproduce
Essential TF code:
resource "bigip_ltm_policy" "import" {
  name     = "/modules-test-d-app1-az1/import-rule"
  strategy = "first-match"
  requires = ["client-ssl", "tcp"]
  controls = ["forwarding"]
  rule {
    name = "Rule-01"
    condition {
      ssl_extension = true
      server_name   = true
      ends_with     = true
      values = [
        "domain1.net",
        "domain2.nl"
      ]
    }
    condition {
      tcp     = true
      matches = true
      values = [
        "10.0.0.0/8",
        "20.0.0.0/8",
      ]
    }
    action {
      forward          = true
      pool             = "/modules-test-d-app1-az1/pool-application-31600-tcp"
      ssl_client_hello = true
    }
  }
  rule {
    name = "Rule-02"
    condition {
      ssl_extension = true
      server_name   = true
      ends_with     = true
      values = [
        "domain3.net",
        "domain4.nl"
      ]
    }
    condition {
      tcp     = true
      matches = true
      values = [
        "30.0.0.0/8",
        "40.0.0.0/8",
      ]
    }
    action {
      forward          = true
      pool             = "/modules-test-d-app1-az1/pool-application-31600-tcp"
      ssl_client_hello = true
    }
  }
  rule {
    name = "lastrule-deny"
    action {
      shutdown         = true
      ssl_client_hello = true
    }
  }
}
The output of terraform plan;
Terraform will perform the following actions:
  # bigip_ltm_policy.import will be created
  + resource "bigip_ltm_policy" "import" {
      + controls = [
          + "forwarding",
        ]
      + id = (known after apply)
      + name = "/modules-test-d-app1-az1/import-rule"
      + requires = [
          + "client-ssl",
          + "tcp",
        ]
      + strategy = "best-match"
      + rule {
          + name = "Rule-01"
          + action {
              + forward = true
              + pool = "/modules-test-d-app1-az1/pool-application-31600-tcp"
              + ssl_client_hello = true
            }
          + condition {
              + ends_with = true
              + server_name = true
              + ssl_extension = true
              + values = [
                  + "domain1.net",
                  + "domain2.nl",
                ]
            }
          + condition {
              + matches = true
              + tcp = true
              + values = [
                  + "10.0.0.0/8",
                  + "20.0.0.0/8",
                ]
            }
        }
      + rule {
          + name = "Rule-02"
          + action {
              + forward = true
              + pool = "/modules-test-d-app1-az1/pool-application-31600-tcp"
              + ssl_client_hello = true
            }
          + condition {
              + ends_with = true
              + server_name = true
              + ssl_extension = true
              + values = [
                  + "domain3.net",
                  + "domain4.nl",
                ]
            }
          + condition {
              + matches = true
              + tcp = true
              + values = [
                  + "30.0.0.0/8",
                  + "40.0.0.0/8",
                ]
            }
        }
      + rule {
          + name = "lastrule-deny"
          + action {
              + forward = false
              + shutdown = true
              + ssl_client_hello = true
            }
        }
    }
Plan: 1 to add, 0 to change, 0 to destroy.
For readability I've removed all the (known after apply) properties as they have no impact on the issue.
Expected Behavior
The apply to succeed.
Actual Behavior
See the summary
Created [INFRAANO-814] for internal tracking.
@koektrommel here is the config used, with some minor fixes:
resource "bigip_ltm_policy" "import" {
  name     = "/Common/import-rule"
  strategy = "first-match"
  requires = ["tcp", "client-ssl"]
  controls = ["forwarding"]
  rule {
    name = "Rule-01"
    condition {
      ssl_extension    = true
      ssl_client_hello = true
      server_name      = true
      ends_with        = true
      values = [
        "domain1.net",
        "domain2.nl"
      ]
    }
    condition {
      tcp             = true
      matches         = true
      address         = true
      client_accepted = true
      values = [
        "10.0.0.0/8",
        "20.0.0.0/8",
      ]
    }
    action {
      forward          = true
      connection       = false
      pool             = bigip_ltm_pool.k8s_prod.name
      ssl_client_hello = true
    }
  }
  rule {
    name = "Rule-02"
    condition {
      ssl_extension    = true
      ssl_client_hello = true
      server_name      = true
      ends_with        = true
      values = [
        "domain3.net",
        "domain4.nl"
      ]
    }
    condition {
      tcp             = true
      matches         = true
      address         = true
      client_accepted = true
      values = [
        "30.0.0.0/8",
        "40.0.0.0/8",
      ]
    }
    action {
      forward          = true
      connection       = false
      pool             = bigip_ltm_pool.k8s_prod.name
      ssl_client_hello = true
    }
  }
  rule {
    name = "lastrule-deny"
    action {
      shutdown         = true
      ssl_client_hello = true
    }
  }
}
@RavinderReddyF5
With the release of 1.15.2 the ltm policy is successfully created with the above adjustments of the config. Also inserting a new rule in between rules is working.
Thanks for fixing this! This is of great help for us!
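
A plan-time check for the failure in this thread, as an added example that is not part of the issue or the provider's code: it reads the JSON form of a plan (`terraform show -json <planfile>`) and reports every `bigip_ltm_policy` condition that sets `ssl_extension` without `ssl_client_hello`, the combination the original config had and the working config corrected. The function name and the sample plan are constructed for illustration, and the check assumes `ssl_client_hello` is the event you want, as in the working config above.

```python
import json

# Constructed sample: a trimmed `terraform show -json <planfile>` document
# holding only the fields this check reads (not output captured from the issue).
SAMPLE_PLAN = json.loads("""
{"resource_changes": [{
  "address": "bigip_ltm_policy.import",
  "type": "bigip_ltm_policy",
  "change": {"after": {"rule": [
    {"name": "Rule-01", "condition": [
      {"ssl_extension": true, "server_name": true, "ends_with": true},
      {"tcp": true, "matches": true}]},
    {"name": "Rule-02", "condition": [
      {"ssl_extension": true, "ssl_client_hello": true, "server_name": true}]},
    {"name": "lastrule-deny", "condition": []}
  ]}}}]}
""")


def find_ssl_extension_without_event(plan):
    """Return (resource address, rule name, condition index) for every
    ssl_extension condition that does not set ssl_client_hello."""
    findings = []
    for rc in plan.get("resource_changes", []):
        if rc.get("type") != "bigip_ltm_policy":
            continue
        after = (rc.get("change") or {}).get("after") or {}  # null on destroy
        for rule in after.get("rule") or []:
            for idx, cond in enumerate(rule.get("condition") or []):
                # Assumption taken from the thread: the working config pairs
                # ssl_extension with ssl_client_hello; other events not modelled.
                if cond.get("ssl_extension") and not cond.get("ssl_client_hello"):
                    findings.append((rc["address"], rule.get("name"), idx))
    return findings


if __name__ == "__main__":
    for address, rule, idx in find_ssl_extension_without_event(SAMPLE_PLAN):
        print(f"{address}: rule {rule!r} condition #{idx} sets ssl_extension "
              "without ssl_client_hello (the apply in this thread failed "
              "with event 'request')")
```

Run it in CI between `terraform plan -out` and `terraform apply` so the missing event is caught before the BIG-IP rejects the draft policy with HTTP 400.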