[Bug]: WAF CSRF causing issue after first apply #1349

Description

@nogiiihhmk

Terraform Core Version

1.13.5

citrixadc Provider Version

1.45.0

Operating system

Mac OS

Affected Resource(s)

Resource citrixadc_appfwprofile_csrftag_binding

My Terraform code:

resource "citrixadc_appfwprofile" "this" {
  name          = "testme"
  type          = ["HTML"]
  csrftagaction = ["log", "stats", "learn", "block"]
}

# Backslashes in the regex are doubled because HCL quoted strings
# reject the escape sequences \- and \.
resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
  name              = citrixadc_appfwprofile.this.name
  csrftag           = "i?^http://$"
  csrfformactionurl = "i?^https://(fbt\\-){0,1}sese\\.hansemerkur\\.de/postbox1$"
  comment           = "postbox1"
  state             = "ENABLED"
}

resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
  name              = citrixadc_appfwprofile.this.name
  csrftag           = "i?^http://$"
  csrfformactionurl = "i?^https://(fbt\\-){0,1}sese\\.hansemerkur\\.de/postbox2$"
  comment           = "postbox2"
  state             = "ENABLED"
}

Nitro Output after first apply:

HTTP/1.0 200 OK
cache-control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
connection: Keep-Alive
content-encoding: gzip
content-length: 379
content-type: application/json; charset=utf-8
date: Thu, 29 Jan 2026 09:24:26 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
feature-policy: camera 'none'; microphone 'none'; geolocation 'none'
keep-alive: timeout=15, max=98
pragma: no-cache
referrer-policy: no-referrer
server: Apache
vary: Accept-Encoding
x-content-type-options: nosniff
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block

{
  "errorcode": 0,
  "message": "Done",
  "severity": "NONE",
  "appfwprofile_csrftag_binding": [
    {
      "name": "testme",
      "csrftag": "i?^http://$",
      "csrfformactionurl": "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$",
      "state": "ENABLED",
      "comment": "postbox2",
      "stateflag": "536870926",
      "isautodeployed": "NOTAUTODEPLOYED",
      "alertonly": "OFF",
      "resourceid": "16e31981aaa6bb11acaf0dea499cc7b5941de38e5b2b8c70b5919e4138191811"
    },
    {
      "name": "testme",
      "csrftag": "i?^http://$",
      "csrfformactionurl": "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$",
      "state": "ENABLED",
      "comment": "postbox1",
      "stateflag": "536870926",
      "isautodeployed": "NOTAUTODEPLOYED",
      "alertonly": "OFF",
      "resourceid": "f35d57d838e43815e940591577dbdcb3694fcba87f7a9a297ca7dbeadcab43e1"
    }
  ]
}

Terraform output after first apply:


│ Error: Provider produced inconsistent result after apply

│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox1, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.


│ Error: Provider produced inconsistent result after apply

│ When applying changes to citrixadc_appfwprofile_csrftag_binding.postbox2, provider "provider["registry.terraform.io/citrix/citrixadc"]" produced an unexpected
│ new value: Root object was present, but now absent.

│ This is a bug in the provider, which should be reported in the provider's own issue tracker.

Terraform plan after first "failed" apply:
Terraform will perform the following actions:

  # citrixadc_appfwprofile_csrftag_binding.postbox1 will be created
  + resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {
      + alertonly = (known after apply)
      + comment = "postbox1"
      + csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$"
      + csrftag = "i?^http://$"
      + id = (known after apply)
      + isautodeployed = (known after apply)
      + name = "testme"
      + resourceid = (known after apply)
      + ruletype = (known after apply)
      + state = "ENABLED"
    }

  # citrixadc_appfwprofile_csrftag_binding.postbox2 will be created
  + resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {
      + alertonly = (known after apply)
      + comment = "postbox2"
      + csrfformactionurl = "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$"
      + csrftag = "i?^http://$"
      + id = (known after apply)
      + isautodeployed = (known after apply)
      + name = "testme"
      + resourceid = (known after apply)
      + ruletype = (known after apply)
      + state = "ENABLED"
    }

Plan: 2 to add, 0 to change, 0 to destroy.

Terraform apply after first "failed" apply:
citrixadc_appfwprofile_csrftag_binding.postbox1: Creating...
citrixadc_appfwprofile_csrftag_binding.postbox2: Creating...

│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })

│ with citrixadc_appfwprofile_csrftag_binding.postbox1,
│ on main.tf line 7, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox1":
│ 7: resource "citrixadc_appfwprofile_csrftag_binding" "postbox1" {



│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })

│ with citrixadc_appfwprofile_csrftag_binding.postbox2,
│ on main.tf line 15, in resource "citrixadc_appfwprofile_csrftag_binding" "postbox2":
│ 15: resource "citrixadc_appfwprofile_csrftag_binding" "postbox2" {

Issue:

  • Comparison between TF and Infrastructure is not done using all attributes of a citrixadc_appfwprofile_csrftag_binding. And therefore Terraform is producing the error "Resource already exists". Please include all attributes above for comparison.

Equivalent NetScaler CLI Command

bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$" -comment postbox1 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW
bind appfw profile testme -isRegex NOTREGEX -isRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -isRegex NOTREGEX -location FORMFIELD -isValueRegex NOTREGEX -CSRFTag "i?^http://$" "i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox2$" -comment postbox2 -state ENABLED -isAutoDeployed NOTAUTODEPLOYED -RuleType ALLOW

Expected Behavior

Expected is:

  • Terraform will create two csrftag relaxation rules.
  • Changing the params using terraform has to reflect the changes in infrastructure
  • Terraform destroy will remove the resources from infrastructure

Actual Behavior

After first apply the relaxations are created in the infrastructure, but with "... Error: Provider produced inconsistent result after apply ...".

Second apply is producing:

│ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" })

Every apply after second apply will also not work with same

Relevant Error/Panic Output Snippet

Terraform Configuration Files

main.tf.txt

Steps to Reproduce

first Terraform apply: "... This is a bug in the provider, which should be reported in the provider's own issue tracker. ..."
second++ Terraform apply: "... │ Error: [ERROR] nitro-go: Failed to update resource of type appfwprofile_csrftag_binding, err=failed: 409 Conflict ({ "errorcode": 273, "message": "Resource already exists", "severity": "ERROR" }) ..."

Debug Output

No response

Panic Output

No response

Important Factoids

No response

References

No response
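
An added illustration of the attribute-comparison point raised under "Issue" (not the provider's code, and not a confirmed root cause): with the two bindings from the Nitro response above, profile name plus csrftag matches both entries, and only adding csrfformactionurl makes the lookup unique. The type and function names are hypothetical, and the sample body is constructed from the response quoted in the issue.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Binding keeps four of the fields returned for appfwprofile_csrftag_binding.
type Binding struct {
	Name              string `json:"name"`
	CSRFTag           string `json:"csrftag"`
	CSRFFormActionURL string `json:"csrfformactionurl"`
	Comment           string `json:"comment"`
}

// sampleResponse is constructed from the response quoted in the issue, trimmed
// to four fields, with backslashes doubled as JSON requires.
const sampleResponse = `{"errorcode": 0, "appfwprofile_csrftag_binding": [
  {"name": "testme", "csrftag": "i?^http://$", "comment": "postbox2",
   "csrfformactionurl": "i?^https://(fbt\\-){0,1}sese\\.hansemerkur\\.de/postbox2$"},
  {"name": "testme", "csrftag": "i?^http://$", "comment": "postbox1",
   "csrfformactionurl": "i?^https://(fbt\\-){0,1}sese\\.hansemerkur\\.de/postbox1$"}]}`

// parseBindings decodes the binding array from a Nitro-style JSON body.
func parseBindings(body string) ([]Binding, error) {
	var r struct {
		Bindings []Binding `json:"appfwprofile_csrftag_binding"`
	}
	err := json.Unmarshal([]byte(body), &r)
	return r.Bindings, err
}

// findBindings returns every binding matching the profile name and csrftag.
// A non-empty url additionally requires an exact csrfformactionurl match.
func findBindings(bs []Binding, name, tag, url string) []Binding {
	var out []Binding
	for _, b := range bs {
		if b.Name == name && b.CSRFTag == tag && (url == "" || b.CSRFFormActionURL == url) {
			out = append(out, b)
		}
	}
	return out
}

func main() {
	bs, err := parseBindings(sampleResponse)
	if err != nil {
		panic(err)
	}
	url := `i?^https://(fbt\-){0,1}sese\.hansemerkur\.de/postbox1$`
	fmt.Println("name+csrftag:", len(findBindings(bs, "testme", "i?^http://$", "")))
	fmt.Println("name+csrftag+url:", len(findBindings(bs, "testme", "i?^http://$", url)))
}
```

A read-back keyed on fewer attributes than the appliance uses for uniqueness cannot tell the two relaxation rules apart, which leaves the WAF configuration and the Terraform state out of sync.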
