Cannot add virtual_server condition based on Client SSL #2157

Closed
4 tasks done
qlux opened this issue Mar 15, 2024 · 3 comments
Labels
declined Status: Will Not Implement

Comments

qlux commented Mar 15, 2024

Community Guidelines

  • I have read and agree to the HashiCorp Community Guidelines .
  • Vote on this issue by adding a 👍 reaction to the original issue initial description to help the maintainers prioritize.
  • Do not leave "+1" or other comments that do not add relevant information or questions.
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment.

Terraform

v1.7.5

Terraform Provider

v3.5.0

VMware vSphere

v2.7.0

Description

When applying an HTTP_REQUEST_REWRITE rule with a `condition` of type `http_ssl`, the following error pops up regardless of the http_ssl type chosen, e.g.

```hcl
rule {
  display_name   = "Client-Cert"
  match_strategy = "ALL"
  phase          = "HTTP_REQUEST_REWRITE"

  action {
    http_request_header_rewrite {
      header_name  = "SSL_CLIENT_CERT"
      header_value = "$_ssl_client_escaped_cert"
    }
  }
  condition {
    http_ssl {
      client_certificate_issuer_dn {
        issuer_dn  = "test"
        match_type = "REGEX"
      }
    }
  }
}
```

```
{
  value of property rules[0].match_conditions[0].session_reused is not one of the allowed values[IGNORE, REUSED, NEW]
},
{
  value of property rules[0].match_conditions[0].used_protocol is not one of the allowed values[SSL_V2, SSL_V3, TLS_V1, TLS_V1_1, TLS_V1_2]
},
{
  value of property rules[0].match_conditions[0].used_ssl_cipher is not one of the allowed values[TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_256_CBC_SHA, TLS_RSA_WITH_AES_128_CBC_SHA, TLS_RSA_WITH_3DES_EDE_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384, TLS_RSA_WITH_AES_128_CBC_SHA256, TLS_RSA_WITH_AES_128_GCM_SHA256, TLS_RSA_WITH_AES_256_CBC_SHA256, TLS_RSA_WITH_AES_256_GCM_SHA384, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA, TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA, TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256, TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256, TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384, TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384]
}
```

When adding those elements for testing,

```hcl
rule {
  display_name   = "Client-Cert"
  match_strategy = "ALL"
  phase          = "HTTP_REQUEST_REWRITE"

  action {
    http_request_header_rewrite {
      header_name  = "SSL_CLIENT_CERT"
      header_value = "$_ssl_client_escaped_cert"
    }
  }
  condition {
    http_ssl {
      session_reused  = "IGNORE"
      used_ssl_cipher = "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384"
      used_protocol   = "SSL_V2"
      client_certificate_issuer_dn {
        issuer_dn  = "test"
        match_type = "REGEX"
      }
    }
  }
}
```

the error in the gist arises.

The same error pops up if the condition is applied through the web UI and Terraform is applied afterwards with any condition.

Affected Resources or Data Sources

nsxt_policy_lb_virtual_server

Terraform Configuration

```hcl
rule {
  display_name   = "Client-Cert"
  match_strategy = "ALL"
  phase          = "HTTP_REQUEST_REWRITE"

  action {
    http_request_header_rewrite {
      header_name  = "SSL_CLIENT_CERT"
      header_value = "$_ssl_client_escaped_cert"
    }
  }
  condition {
    http_ssl {
      client_certificate_issuer_dn {
        issuer_dn  = "test"
        match_type = "REGEX"
      }
    }
  }
}
```

Debug Output

https://gist.github.com/qlux/0c67374b62d4d8a0c52566d26936eeb1

Panic Output

No response

Expected Behavior

An http_ssl condition can be applied.

Actual Behavior

Error on any http_ssl condition.

Steps to Reproduce

Create an LB and a Virtual Server, then apply.

Environment Details

No response

Screenshots

No response

References

No response
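A pre-apply lint for the `http_ssl` condition above, as an added example that is not part of the issue or of terraform-provider-nsxt. It copies the three allowed-value lists from the NSX error quoted in the issue and checks a condition against them the way the API does (a field that is present but holds a value outside the list fails). Everything else is this example's own assumption: the dict-shaped input mirroring the provider's `http_ssl` keys, the constructed "empty string" case that reproduces the three errors, the weak-setting rules (pre-TLS 1.2 protocols, 3DES, non-ECDHE key exchange), and the regex-anchoring check, for which NSX's regex dialect is assumed close enough to Python's `re` for a syntax check.

```python
"""Pre-apply lint for the http_ssl condition of an nsxt_policy_lb_virtual_server rule.

Added example; not code from terraform-provider-nsxt or from the issue.
The three allowed-value sets are copied from the NSX validation error
quoted in the issue. The input shape (a dict with the provider's http_ssl
keys), the empty-string case and the weak-setting rules are assumptions.
"""
import re

# Allowed values exactly as NSX lists them in the error message.
SESSION_REUSED = {"IGNORE", "REUSED", "NEW"}
USED_PROTOCOL = {"SSL_V2", "SSL_V3", "TLS_V1", "TLS_V1_1", "TLS_V1_2"}
USED_SSL_CIPHER = set("""
TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA TLS_ECDH_RSA_WITH_AES_256_CBC_SHA
TLS_RSA_WITH_AES_256_CBC_SHA TLS_RSA_WITH_AES_128_CBC_SHA
TLS_RSA_WITH_3DES_EDE_CBC_SHA TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256 TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
TLS_RSA_WITH_AES_128_CBC_SHA256 TLS_RSA_WITH_AES_128_GCM_SHA256
TLS_RSA_WITH_AES_256_CBC_SHA256 TLS_RSA_WITH_AES_256_GCM_SHA384
TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA
TLS_ECDH_ECDSA_WITH_AES_128_CBC_SHA256 TLS_ECDH_ECDSA_WITH_AES_128_GCM_SHA256
TLS_ECDH_ECDSA_WITH_AES_256_CBC_SHA384 TLS_ECDH_ECDSA_WITH_AES_256_GCM_SHA384
TLS_ECDH_RSA_WITH_AES_128_CBC_SHA TLS_ECDH_RSA_WITH_AES_128_CBC_SHA256
TLS_ECDH_RSA_WITH_AES_128_GCM_SHA256 TLS_ECDH_RSA_WITH_AES_256_CBC_SHA384
TLS_ECDH_RSA_WITH_AES_256_GCM_SHA384
""".split())

ENUM_FIELDS = {
    "session_reused": SESSION_REUSED,
    "used_protocol": USED_PROTOCOL,
    "used_ssl_cipher": USED_SSL_CIPHER,
}

# Assumption: anything older than TLS 1.2 should not be keyed on in a new rule.
LEGACY_PROTOCOLS = {"SSL_V2", "SSL_V3", "TLS_V1", "TLS_V1_1"}


def nsx_enum_errors(cond):
    """Mimic the NSX-side check: every enum field that is *present* must hold
    an allowed value. An empty string is present but not allowed, which gives
    the same three errors the issue reports."""
    return [
        f"value of property {key} is not one of the allowed values"
        for key, allowed in ENUM_FIELDS.items()
        if key in cond and cond[key] not in allowed
    ]


def weak_setting_warnings(cond):
    """Flag settings that pass NSX validation but are weak choices."""
    warnings = []
    proto = cond.get("used_protocol")
    if proto in LEGACY_PROTOCOLS:
        warnings.append(f"used_protocol={proto}: pre-TLS 1.2 protocol, do not key a rule on it")
    cipher = cond.get("used_ssl_cipher", "")
    if "3DES" in cipher:
        warnings.append(f"used_ssl_cipher={cipher}: 3DES is obsolete")
    elif cipher and not cipher.startswith("TLS_ECDHE_"):
        # TLS_RSA_* and TLS_ECDH_* use static key exchange: no forward secrecy.
        warnings.append(f"used_ssl_cipher={cipher}: no forward secrecy")
    return warnings


def issuer_dn_warnings(cond):
    """Check the client_certificate_issuer_dn sub-block. NSX's regex dialect
    is assumed close enough to Python's `re` for a syntax check."""
    sub = cond.get("client_certificate_issuer_dn")
    if not sub or sub.get("match_type") != "REGEX":
        return []
    pattern = sub.get("issuer_dn", "")
    try:
        re.compile(pattern)
    except re.error as exc:
        return [f"issuer_dn regex does not compile: {exc}"]
    if not (pattern.startswith("^") and pattern.endswith("$")):
        # An unanchored pattern matches any issuer DN that merely contains it.
        return [f"issuer_dn regex {pattern!r} is unanchored: any CA whose DN contains it matches"]
    return []


def lint_http_ssl(cond):
    """All findings for one http_ssl condition; an empty list means clean."""
    return nsx_enum_errors(cond) + weak_setting_warnings(cond) + issuer_dn_warnings(cond)


# Constructed inputs mirroring the two rule blocks in the issue.
ISSUE_CONFIG = {"client_certificate_issuer_dn": {"issuer_dn": "test", "match_type": "REGEX"}}
TEST_CONFIG = {
    "session_reused": "IGNORE",
    "used_ssl_cipher": "TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384",
    "used_protocol": "SSL_V2",
    "client_certificate_issuer_dn": {"issuer_dn": "test", "match_type": "REGEX"},
}
# Assumption: what the API sees if the three enum fields are sent as empty
# strings instead of being omitted; this reproduces the three errors above.
EMPTY_ENUMS = dict(ISSUE_CONFIG, session_reused="", used_protocol="", used_ssl_cipher="")

if __name__ == "__main__":
    for name, cond in [("issue", ISSUE_CONFIG), ("test", TEST_CONFIG), ("empty", EMPTY_ENUMS)]:
        for finding in lint_http_ssl(cond):
            print(f"{name}: {finding}")
```

Run it as a plain script; the `empty` case prints the three "not one of the allowed values" lines, and both issue configs get the unanchored-regex warning, since `issuer_dn = "test"` with `match_type = "REGEX"` matches any issuer DN containing the substring "test" rather than one specific CA.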

@qlux qlux added bug Type: Bug needs-triage Status: Issue Needs Triage labels Mar 15, 2024

Hello, qlux! 🖐

Thank you for submitting an issue for this provider. The issue will now enter into the issue lifecycle.

If you want to contribute to this project, please review the contributing guidelines and information on submitting pull requests.

@tenthirtyam (Collaborator) commented Mar 15, 2024

This should be opened on vmware/terraform-provider-nsxt.

@tenthirtyam tenthirtyam added declined Status: Will Not Implement and removed needs-triage Status: Issue Needs Triage bug Type: Bug labels Mar 15, 2024
@tenthirtyam tenthirtyam closed this as not planned Won't fix, can't repro, duplicate, stale Mar 15, 2024

I'm going to lock this issue because it has been closed for 30 days ⏳. This helps our maintainers find and focus on the active issues. If you have found a problem that seems similar to this, please open a new issue and complete the issue template so we can capture all the details necessary to investigate further.

@github-actions github-actions bot locked as resolved and limited conversation to collaborators Apr 16, 2024