
L3out OSPF Interface Profile auth limitation #179

Open. Wants to merge 3 commits into base: main

Conversation

ogorczow
Contributor

There is an existing limitation on both APIC and the REST API for the OSPF auth key value:
<error code="1" text="Invalid Configuration OSPF md5 Authentication key size limited to 16 Characters"/>
<error code="1" text="Invalid Configuration OSPF Authentication key size limited to 8 Characters"/>


This limitation is not mentioned in our ACI documentation, nor in apic-mim-ref-api. However, the OSPF RFC uses a 16-byte md5 authKey, so I think the limitation comes from there.

We do not have this validation on the terraform side; this allows the user to input a long password for:

  • Creating a new object via terraform - an error is raised:
│ Error: The post rest request failed
│ 
│   with module.aci.module.aci_l3out_interface_profile_manual["infra/multipodL3Out/LNodeP_141/LIfP_141"].aci_rest_managed.ospfRsIfPol[0],
│   on .terraform/modules/aci/modules/terraform-aci-l3out-interface-profile/main.tf line 163, in resource "aci_rest_managed" "ospfRsIfPol":
│  163: resource "aci_rest_managed" "ospfRsIfPol" {
│ 
│ Code: 400 Response: [map[error:map[attributes:map[code:102 text:configured object ((Dn0)) not found Dn0=uni/tn-infra/out-multipodL3Out/lnodep-LNodeP_141/lifp-LIfP_141/ospfIfP/rsIfPol, ]]]], err:
│ %!s(<nil>). Please report this issue to the provider developers.
  • Updating an object or importing into aac (it already exists on APIC) - terraform will report that the deployment is successful. In the terraform debug log, the request fails with a similar error code as above, which is misleading if the parameter was configured.

If the OSPF auth key is not valid and OSPF parameters are being updated, an error occurs, leading to uncanny behavior/an infinite loop where terraform on each "terraform apply" tries to configure the object with "success", which generates an error in the debug log without configuring any of the ospfIfP parameters on the ACI fabric.

authKey is added to the rest call (via terraform) if authKey or InterfacePolicy is provided. If authKey is wrong, it leads to a REST failure and no update happens for the other parameters sent together with authKey, like authKeyId, InterfacePolicyName and authType.

Also worth mentioning: since the lifecycle limitation exists, once a user misconfigures authKey they lock themselves out of modifying OSPF values until authKey is removed from tfstate -> thus raising this PR.

If auth type is simple, the max is 8 chars; if md5/none, the max is 16 chars.

Behavior for aci releases is slightly different but it's not relevant:
-aci 4.x (object does not exist on the apic): terraform fails to create an OSPF interface profile with an authKey that is too long
-aci 4.x (object exists on APIC): allows updating an OSPF interface profile with an authKey that is too long, but in principle it doesn't make sense, it shouldn't be allowed
-aci 5.x and 6.x do not allow a too-long authKey - neither creation (terraform error) nor update (REST failure in debug).

There is also a 2nd blind spot not addressed in this PR:

resource "aci_rest_managed" "ospfIfP" {
  count      = var.ospf_authentication_key != "" || var.ospf_interface_policy != "" ? 1 : 0

Since we create the resource when authKey is defined or the OSPF interface policy is defined, we have a blind-spot case when we don't provide auth_key and have auth_type md5 or simple:

              interface_profiles:
                - name: 'LIfP_112'
                  ospf:
                    ospf_interface_profile_name: ospf-auth-key
                    auth_type: simple
                    auth_key_id: 2
                    policy: OSPF-P2P

In such a case authKey is the default (empty), which leads to the ospfIfP call failing, and only the OSPF policy is updated as this is part of another API call. Terraform will reply with a successful result and will endlessly try to update auth_key, auth_type, auth_key_id and ospf_interface_profile_name without success.

However, this behavior is not consistent when running terraform against ACI 4.x and 5.x:
-aci 5.x and 6.x do not allow an empty authKey -> a new validation rule on APIC, "Invalid Configuration OSPF Authentication key cannot be empty", which is raised in terraform debug
-aci 4.x allows modifying and creating an OSPF interface profile with an empty authKey -> thus no fix in this PR. Maybe it's something to fix after ACI 4.x EoL?
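As an added example (my own, not the module's or the PR's code), the check the PR argues for expressed as Terraform lifecycle preconditions: it rejects a key longer than APIC accepts (8 characters for simple, 16 for md5/none) at plan time instead of the misleading "success", and, going one step beyond the PR, also catches the empty-key blind spot for simple/md5. The variable names and the terraform_data stand-in resource are assumptions.

```hcl
# Added example (not the module's own code): fail the plan when the OSPF auth
# key is one APIC would refuse. Variable names and the terraform_data stand-in
# for the module's aci_rest_managed "ospfIfP" resource are assumptions.

variable "ospf_authentication_type" {
  type    = string
  default = "none"
  validation {
    condition     = contains(["none", "simple", "md5"], var.ospf_authentication_type)
    error_message = "ospf_authentication_type must be one of: none, simple, md5."
  }
}

variable "ospf_authentication_key" {
  type      = string
  default   = ""
  sensitive = true
}

variable "ospf_interface_policy" {
  type    = string
  default = ""
}

locals {
  # Limits enforced by APIC: simple -> 8 characters, md5/none -> 16 characters.
  ospf_auth_key_max_length = { simple = 8, md5 = 16, none = 16 }
  ospf_auth_key_limit      = local.ospf_auth_key_max_length[var.ospf_authentication_type]
}

# Stand-in for the ospfIfP resource, created under the same condition the
# module uses; the lifecycle block can be attached to the real resource as-is.
resource "terraform_data" "ospf_if_p" {
  count = var.ospf_authentication_key != "" || var.ospf_interface_policy != "" ? 1 : 0
  lifecycle {
    # Key length check: the case this PR addresses.
    precondition {
      condition     = length(var.ospf_authentication_key) <= local.ospf_auth_key_limit
      error_message = "OSPF authentication key is too long: APIC allows 8 characters for simple and 16 for md5/none."
    }
    # Empty-key check for the blind spot described above. Stricter than the PR:
    # ACI 5.x/6.x reject an empty key but ACI 4.x accepts it, so drop this
    # precondition if the module must keep supporting 4.x.
    precondition {
      condition     = var.ospf_authentication_type == "none" || var.ospf_authentication_key != ""
      error_message = "OSPF authentication type simple/md5 requires a non-empty ospf_authentication_key."
    }
  }
}
```

With these in place, `terraform plan` fails with the precondition message rather than applying a request that APIC rejects only in the debug log.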
