diff --git a/README.md b/README.md index 35159f0..ad9dfe3 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,8 @@ fmc: module "fmc" { source = "netascode/nac-fmc/fmc" version = ">= 0.1.0" + + yaml_files = ["fmc.yaml", "existing.yaml"] } ``` diff --git a/examples/network_groups/README.md b/examples/network_groups/README.md index dc0a067..361ad82 100644 --- a/examples/network_groups/README.md +++ b/examples/network_groups/README.md @@ -73,6 +73,8 @@ fmc: module "fmc" { source = "netascode/nac-fmc/fmc" version = ">= 0.1.0" + + yaml_files = ["fmc.yaml", "existing.yaml"] } ``` \ No newline at end of file diff --git a/examples/network_groups/main.tf b/examples/network_groups/main.tf index 327701d..bfef659 100644 --- a/examples/network_groups/main.tf +++ b/examples/network_groups/main.tf @@ -1,4 +1,6 @@ module "fmc" { source = "netascode/nac-fmc/fmc" version = ">= 0.1.0" + + yaml_files = ["fmc.yaml", "existing.yaml"] } diff --git a/fmc_access_rules.tf b/fmc_access_rules.tf index 1a7ed69..2cc92fa 100755 --- a/fmc_access_rules.tf +++ b/fmc_access_rules.tf @@ -1,3 +1,21 @@ +### +# ACCESS RULE +### +locals { + res_accessrules = flatten([ + for domain in local.domains : [ + for accesspolicy in try(domain.access_policies, {}) : [ + for accessrule in try(accesspolicy.access_rules, {}) : { + key = replace("${accesspolicy.name}_${accessrule.name}", " ", "") + acp = accesspolicy.name + idx = index(accesspolicy.access_rules, accessrule) + data = accessrule + } + ] + ] + ]) +} + resource "fmc_access_rules" "access_rule_0" { for_each = { for rule in local.res_accessrules : rule.key => rule if rule.idx == 0 } # Mandatory diff --git a/fmc_accesspolicy.tf b/fmc_accesspolicy.tf deleted file mode 100644 index 690d89a..0000000 --- a/fmc_accesspolicy.tf +++ /dev/null 
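Review bot: The for_each key `replace("${accesspolicy.name}_${accessrule.name}", " ", "")` in `res_accessrules` can collide for distinct rules — a policy `a_b` with rule `c` and a policy `a` with rule `b_c` both become `a_b_c`, and names that differ only by spaces merge too — and Terraform then rejects the whole map with a duplicate-key error that names neither rule. A separator unlikely to appear in a name, such as the `"${accesspolicy.name}/${accessrule.name}"` form this commit already uses for `res_accesspolicies_category`, removes the ambiguity, though changing the key changes resource addresses and needs `moved` blocks (or an accepted replace) for existing state. The same key construction is used for `res_ftdmanualnatrules` in the fmc_ftd_manual_nat_rules.tf hunk. The `fmc_access_rules.access_rule_0` resource continues outside the hunk.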
@@ -1,72 +0,0 @@ -### -# ACCESS POLICY -### -locals { - res_accesspolicies = flatten([ - for domains in local.domains : [ - for object in try(domains.access_policies, {}) : object if !contains(local.data_accesspolicies, object.name) - ] - ]) -} - -resource "fmc_access_policies" "accesspolicy" { - for_each = { for accesspolicy in local.res_accesspolicies : accesspolicy.name => accesspolicy } - - # Mandatory - name = each.value.name - - # Optional - description = try(each.value.description, local.defaults.fmc.domains.access_policies.description, null) - default_action = try(each.value.default_action, local.defaults.fmc.domains.access_policies.default_action, null) - default_action_base_intrusion_policy_id = try(local.map_ipspolicies[each.value.base_ips_policy].id, local.map_ipspolicies[local.defaults.fmc.domains.access_policies.base_ips_policy].id, null) - default_action_send_events_to_fmc = try(each.value.send_events_to_fmc, local.defaults.fmc.domains.access_policies.send_events_to_fmc, null) - default_action_log_begin = try(each.value.log_begin, local.defaults.fmc.domains.access_policies.log_begin, null) - default_action_log_end = try(each.value.log_end, local.defaults.fmc.domains.access_policies.log_end, null) - default_action_syslog_config_id = try(each.value.syslog_config_id, local.defaults.fmc.domains.access_policies.syslog_config_id, null) -} - -### -# ACCESS POLICY CATEGORY -### -locals { - res_accesspolicies_category = flatten([ - for domain in local.domains : [ - for accesspolicy in try(domain.access_policies, {}) : [ - for accesspolicy_category in try(accesspolicy.categories, {}) : { - key = "${accesspolicy.name}/${accesspolicy_category}" - acp = local.map_accesspolicies[accesspolicy.name].id - data = accesspolicy_category - } - ] - ] - ]) -} - -resource "fmc_access_policies_category" "accesspolicy_category" { - for_each = { for accesspolicy_category in local.res_accesspolicies_category : accesspolicy_category.key => accesspolicy_category } - - # Mandatory 
- name = each.value.data - access_policy_id = each.value.acp -} - -### -# ACCESS RULE -### -locals { - res_accessrules = flatten([ - for domain in local.domains : [ - for accesspolicy in try(domain.access_policies, {}) : [ - for accessrule in try(accesspolicy.access_rules, {}) : { - key = replace("${accesspolicy.name}_${accessrule.name}", " ", "") - acp = accesspolicy.name - idx = index(accesspolicy.access_rules, accessrule) - data = accessrule - } - ] - ] - ]) - -} - - diff --git a/fmc_deploy.tf b/fmc_deploy.tf index 0bed9a4..ab44c5e 100755 --- a/fmc_deploy.tf +++ b/fmc_deploy.tf @@ -12,6 +12,7 @@ locals { ] ]) } + resource "fmc_ftd_deploy" "ftd" { for_each = { for deploymemt in local.res_deploy : deploymemt.device => deploymemt } # Mandatory diff --git a/fmc_device.tf b/fmc_devices.tf similarity index 68% rename from fmc_device.tf rename to fmc_devices.tf index effc2da..a15c513 100644 --- a/fmc_device.tf +++ b/fmc_devices.tf 
@@ -178,3 +178,100 @@ resource "fmc_device_subinterfaces" "sub_interfaces" { priority = try(each.value.data.priority, null) security_zone_id = try(local.map_securityzones[each.value.data.security_zone].id, null) } + +### +# IPV4 STATIC ROUTE +### +locals { + res_ipv4staticroutes = flatten([ + for domain in local.domains : [ + for device in try(domain.devices, []) : [ + for ipv4staticroute in try(device.ipv4_static_routes, []) : { + key = "${device.name}/${ipv4staticroute.name}" + device_id = local.map_devices[device.name].id + gateway_id = local.map_networkobjects[ipv4staticroute.gateway].id + gateway_type = local.map_networkobjects[ipv4staticroute.gateway].type + gateway_name = ipv4staticroute.gateway + interface_name = ipv4staticroute.interface + selected_networks = ipv4staticroute.selected_networks + } + ] + ] + ]) +} + +resource "fmc_staticIPv4_route" "ipv4staticroute" { + for_each = { for ipv4staticroute in local.res_ipv4staticroutes : ipv4staticroute.key => ipv4staticroute } + + # Mandatory + device_id = each.value.device_id + interface_name = each.value.interface_name + metric_value = try(each.value.metric_value, local.defaults.fmc.domains.devices.ipv4_static_routes.metric_value) + + gateway { + object { + id = each.value.gateway_id + type = each.value.gateway_type + name = each.value.gateway_name + } + } + + dynamic "selected_networks" { + for_each = { for obj in each.value.selected_networks : obj => obj } + content { + id = try(local.map_networkobjects[selected_networks.value].id, null) + type = try(local.map_networkobjects[selected_networks.value].type, null) + } + } + + # Optional + is_tunneled = try(each.value.tunneled, local.defaults.fmc.domains.devices.ipv4_static_routes.tunneled, null) + + depends_on = [ + fmc_device_physical_interfaces.physical_interface, + data.fmc_device_physical_interfaces.physical_interface, + fmc_device_subinterfaces.sub_interfaces, + data.fmc_device_subinterfaces.sub_interfaces + ] +} + +### +# POLICY ASSIGNMENT +### +locals { 
+ res_policyassignments = concat( + flatten([ + for domain in local.domains : [ + for device in try(domain.devices, []) : { + device = device.name + policy = device.nat_policy + type = "NAT" + } if contains(keys(device), "nat_policy") + ] + ]), + flatten([ + for domain in local.domains : [ + for device in try(domain.devices, []) : { + device = device.name + policy = device.access_policy + type = "ACP" + } if(contains(keys(device), "access_policy") && contains(local.data_devices, device.name)) + ] + ]) + ) +} + +resource "fmc_policy_devices_assignments" "policy_assignment" { + for_each = { for policyassignment in local.res_policyassignments : "${policyassignment.device}/${policyassignment.type}" => policyassignment } + + # Mandatory + target_devices { + id = local.map_devices[each.value.device].id + type = local.map_devices[each.value.device].type + } + + policy { + id = try(local.map_accesspolicies[each.value.policy].id, local.map_natpolicies[each.value.policy].id) + type = try(local.map_accesspolicies[each.value.policy].type, local.map_natpolicies[each.value.policy].type) + } +} diff --git a/existing.tf b/fmc_existing.tf similarity index 100% rename from existing.tf rename to fmc_existing.tf diff --git a/fmc_externalattributes.tf b/fmc_externalattributes.tf deleted file mode 100644 index 06212d1..0000000 --- a/fmc_externalattributes.tf +++ /dev/null 
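Review bot: `res_ipv4staticroutes` never copies `metric_value` or `tunneled` from the model record, so `try(each.value.metric_value, …)` and `try(each.value.tunneled, …)` in `fmc_staticIPv4_route` always fail their first lookup and the per-route values a user sets are silently replaced by the defaults. Carry the record along as the access-rule local does — `data = ipv4staticroute` in the local, then `metric_value = try(each.value.data.metric_value, local.defaults.fmc.domains.devices.ipv4_static_routes.metric_value)` and `is_tunneled = try(each.value.data.tunneled, local.defaults.fmc.domains.devices.ipv4_static_routes.tunneled, null)`. In the `selected_networks` block, `try(local.map_networkobjects[selected_networks.value].id, null)` turns a misspelled network name into a route entry with a null id and type instead of a plan error; dropping the `try` there makes the mistake visible before anything is pushed to the device. In `fmc_policy_devices_assignments`, the policy id is resolved by trying `local.map_accesspolicies` before `local.map_natpolicies` regardless of `each.value.type`, so an access policy and a NAT policy sharing a name would both resolve to the access policy; selecting the map with `each.value.type == "ACP" ? … : …` removes that ambiguity. The `fmc_device_subinterfaces.sub_interfaces` resource at the top of the hunk starts outside it.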
@@ -1,44 +0,0 @@ -### -# DYNAMIC OBJECTS -### -locals { - res_dynamicobjects = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.dynamic_objects, []) : object if !contains(local.data_dynamicobjects, object.name) - ] - ]) -} - -resource "fmc_dynamic_objects" "dynamicobject" { - for_each = { for dynobj in local.res_dynamicobjects : dynobj.name => dynobj } - - # Mandatory - name = each.value.name - object_type = try(each.value.object_type, local.defaults.fmc.domains.objects.dynamic_objects.object_type) - - # Optional - description = try(each.value.description, local.defaults.fmc.domains.objects.dynamic_objects.description, null) -} - -### -# SGT -### -locals { - res_sgts = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.sgts, []) : object if !contains(local.data_sgts, object.name) - ] - ]) -} - -resource "fmc_sgt_objects" "sgt" { - for_each = { for sgt in local.res_sgts : sgt.name => sgt } - - # Mandatory - name = each.value.name - tag = each.value.tag - - # Optional - type = "SecurityGroupTag" - description = try(each.value.description, local.defaults.fmc.domains.objects.sgts.description, null) -} diff --git a/fmc_ftdmanualnatrule.tf b/fmc_ftd_manual_nat_rules.tf similarity index 99% rename from fmc_ftdmanualnatrule.tf rename to fmc_ftd_manual_nat_rules.tf index b919f7b..5154ee6 100755 --- a/fmc_ftdmanualnatrule.tf +++ b/fmc_ftd_manual_nat_rules.tf 
@@ -1,3 +1,21 @@ +### +# FTD MANUAL NAT RULE +### +locals { + res_ftdmanualnatrules = flatten([ + for domain in local.domains : [ + for natpolicy in try(domain.ftd_nat_policies, []) : [ + for ftdmanualnatrule in try(natpolicy.ftd_manual_nat_rules, []) : { + key = replace("${natpolicy.name}_${ftdmanualnatrule.name}", " ", "") + nat_policy = natpolicy.name + idx = index(natpolicy.ftd_manual_nat_rules, ftdmanualnatrule) + data = ftdmanualnatrule + } + ] + ] + ]) +} + resource "fmc_ftd_manualnat_rules" "manualnat_rules_0" { for_each = { for rule in local.res_ftdmanualnatrules : rule.key => rule if rule.idx == 0 } # Mandatory diff --git a/fmc_ipspolicy.tf b/fmc_ipspolicy.tf deleted file mode 100644 index 25d6a8d..0000000 --- a/fmc_ipspolicy.tf +++ /dev/null @@ -1,25 +0,0 @@ -### -# IPS POLICY -### -locals { - res_ipspolicies = flatten([ - for domains in local.domains : [ - for object in try(domains.ips_policies, []) : object - ] - ]) -} - -resource "fmc_ips_policies" "ips_policy" { - for_each = { for ipspolicy in local.res_ipspolicies : ipspolicy.name => ipspolicy } - - # Mandatory - name = each.value.name - - # Optional - inspection_mode = try(each.value.inspection_mode, local.defaults.fmc.domains.ips_policies.inspection_mode, null) - basepolicy_id = try(data.fmc_ips_policies.ips_policy[each.value.base_policy].id, null) - - depends_on = [ - data.fmc_ips_policies.ips_policy - ] -} diff --git a/fmc_ipv4routing.tf b/fmc_ipv4routing.tf deleted file mode 100644 index 2a8520c..0000000 --- a/fmc_ipv4routing.tf +++ /dev/null 
@@ -1,55 +0,0 @@ -### -# IPV4 STATIC ROUTE -### -locals { - res_ipv4staticroutes = flatten([ - for domain in local.domains : [ - for device in try(domain.devices, []) : [ - for ipv4staticroute in try(device.ipv4_static_routes, []) : { - key = "${device.name}/${ipv4staticroute.name}" - device_id = local.map_devices[device.name].id - gateway_id = local.map_networkobjects[ipv4staticroute.gateway].id - gateway_type = local.map_networkobjects[ipv4staticroute.gateway].type - gateway_name = ipv4staticroute.gateway - interface_name = ipv4staticroute.interface - selected_networks = ipv4staticroute.selected_networks - } - ] - ] - ]) -} - -resource "fmc_staticIPv4_route" "ipv4staticroute" { - for_each = { for ipv4staticroute in local.res_ipv4staticroutes : ipv4staticroute.key => ipv4staticroute } - - # Mandatory - device_id = each.value.device_id - interface_name = each.value.interface_name - metric_value = try(each.value.metric_value, local.defaults.fmc.domains.devices.ipv4_static_routes.metric_value) - - gateway { - object { - id = each.value.gateway_id - type = each.value.gateway_type - name = each.value.gateway_name - } - } - - dynamic "selected_networks" { - for_each = { for obj in each.value.selected_networks : obj => obj } - content { - id = try(local.map_networkobjects[selected_networks.value].id, null) - type = try(local.map_networkobjects[selected_networks.value].type, null) - } - } - - # Optional - is_tunneled = try(each.value.tunneled, local.defaults.fmc.domains.devices.ipv4_static_routes.tunneled, null) - - depends_on = [ - fmc_device_physical_interfaces.physical_interface, - data.fmc_device_physical_interfaces.physical_interface, - fmc_device_subinterfaces.sub_interfaces, - data.fmc_device_subinterfaces.sub_interfaces - ] -} diff --git a/fmc_networkobject.tf b/fmc_objects.tf similarity index 67% rename from fmc_networkobject.tf rename to fmc_objects.tf index b873c05..dfc86fd 100644 --- a/fmc_networkobject.tf +++ b/fmc_objects.tf 
@@ -1,3 +1,48 @@ +### +# DYNAMIC OBJECTS +### +locals { + res_dynamicobjects = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.dynamic_objects, []) : object if !contains(local.data_dynamicobjects, object.name) + ] + ]) +} + +resource "fmc_dynamic_objects" "dynamicobject" { + for_each = { for dynobj in local.res_dynamicobjects : dynobj.name => dynobj } + + # Mandatory + name = each.value.name + object_type = try(each.value.object_type, local.defaults.fmc.domains.objects.dynamic_objects.object_type) + + # Optional + description = try(each.value.description, local.defaults.fmc.domains.objects.dynamic_objects.description, null) +} + +### +# SGT +### +locals { + res_sgts = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.sgts, []) : object if !contains(local.data_sgts, object.name) + ] + ]) +} + +resource "fmc_sgt_objects" "sgt" { + for_each = { for sgt in local.res_sgts : sgt.name => sgt } + + # Mandatory + name = each.value.name + tag = each.value.tag + + # Optional + type = "SecurityGroupTag" + description = try(each.value.description, local.defaults.fmc.domains.objects.sgts.description, null) +} + ### # HOST ### 
@@ -341,4 +386,161 @@ resource "fmc_network_group_objects" "networkgroup_l5" { fmc_network_group_objects.networkgroup_l3, fmc_network_group_objects.networkgroup_l4 ] -} \ No newline at end of file +} + +### +# PORT +### +locals { + res_ports = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.ports, []) : object if !contains(local.data_ports, object.name) + ] + ]) +} + +resource "fmc_port_objects" "port" { + for_each = { for port in local.res_ports : port.name => port } + + # Mandatory + name = each.value.name + port = each.value.port + protocol = each.value.protocol + + # Optional + overridable = try(each.value.overridable, local.defaults.fmc.domains.objects.ports.overridable, null) +} + +### +# ICMPv4 +### +locals { + res_icmpv4s = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.icmp_v4s, []) : object + ] + ]) +} + +resource "fmc_icmpv4_objects" "icmpv4" { + for_each = { for icmpv4 in local.res_icmpv4s : icmpv4.name => icmpv4 } + + # Mandatory + name = each.value.name + icmp_type = each.value.icmp_type + + # Optional + code = try(each.value.code, local.defaults.fmc.domains.objects.icmp_v4s.code, null) +} + +### +# PORT GROUP +### +locals { + res_portgroups = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.port_groups, []) : object + ] + ]) +} + +resource "fmc_port_group_objects" "portgroup" { + for_each = { for portgrp in local.res_portgroups : portgrp.name => portgrp } + + # Mandatory + name = each.value.name + + dynamic "objects" { + for_each = { for obj in try(each.value.objects, {}) : + obj => obj + } + content { + id = local.map_ports[objects.value].id + type = local.map_ports[objects.value].type + } + } + + # Optional + description = try(each.value.description, local.defaults.fmc.domains.objects.port_groups.description, null) +} + +### +# URL +### +locals { + res_urls = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.urls, []) : 
object if !contains(local.data_urls, object.name) + ] + ]) +} + +resource "fmc_url_objects" "url" { + for_each = { for url in local.res_urls : url.name => url } + + # Mandatory + name = each.value.name + url = each.value.url + + # Optional + description = try(each.value.description, local.defaults.fmc.domains.objects.urls.description, null) +} + +### +# URL GROUPS +### +locals { + res_urlgroups = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.url_groups, []) : object + ] + ]) +} + +resource "fmc_url_object_group" "urlgroup" { + for_each = { for urlgrp in local.res_urlgroups : urlgrp.name => urlgrp } + + # Mandatory + name = each.value.name + + dynamic "objects" { + for_each = { for obj in try(each.value.objects, {}) : + obj => obj + } + content { + id = local.map_urls[objects.value].id + type = local.map_urls[objects.value].type + } + } + + dynamic "literals" { + for_each = { for obj in try(each.value.literals, {}) : + obj => obj + } + content { + url = literals.value + } + } + + # Optional + description = try(each.value.description, local.defaults.fmc.domains.objects.url_groups.description, null) +} + +### +# SECURITY ZONE +### +locals { + res_securityzones = flatten([ + for domains in local.domains : [ + for object in try(domains.objects.security_zones, []) : object if !contains(local.data_securityzones, object.name) + ] + ]) +} + +resource "fmc_security_zone" "securityzone" { + for_each = { for securityzone in local.res_securityzones : securityzone.name => securityzone } + + # Mandatory + name = each.value.name + interface_mode = try(each.value.interface_type, local.defaults.fmc.domains.objects.security_zones.interface_type) +} diff --git a/fmc_ftdnatpolicy.tf b/fmc_policies.tf similarity index 57% rename from fmc_ftdnatpolicy.tf rename to fmc_policies.tf index b5331c5..9ed32fe 100644 --- a/fmc_ftdnatpolicy.tf +++ b/fmc_policies.tf 
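Review bot: `res_icmpv4s`, `res_portgroups` and `res_urlgroups` do not exclude names listed in the existing model, while `res_ports`, `res_urls` and `res_securityzones` in the same hunk filter with `!contains(local.data_*, object.name)`; if the existing model can name those object types (whether `local.data_portgroups` and similar exist is outside this hunk), Terraform will try to create an object FMC already holds and the apply fails on the duplicate name. Adding the same `if !contains(...)` guard, or a comment on each of the three locals stating that these types are intentionally never looked up as existing, would make the rule explicit. The `local.map_ports[objects.value]` and `local.map_urls[objects.value]` lookups in the group resources are correctly left without `try`, so an unknown member name fails the plan rather than producing a null id.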
@@ -1,3 +1,83 @@ +### +# ACCESS POLICY +### +locals { + res_accesspolicies = flatten([ + for domains in local.domains : [ + for object in try(domains.access_policies, {}) : object if !contains(local.data_accesspolicies, object.name) + ] + ]) +} + +resource "fmc_access_policies" "accesspolicy" { + for_each = { for accesspolicy in local.res_accesspolicies : accesspolicy.name => accesspolicy } + + # Mandatory + name = each.value.name + + # Optional + description = try(each.value.description, local.defaults.fmc.domains.access_policies.description, null) + default_action = try(each.value.default_action, local.defaults.fmc.domains.access_policies.default_action, null) + default_action_base_intrusion_policy_id = try(local.map_ipspolicies[each.value.base_ips_policy].id, local.map_ipspolicies[local.defaults.fmc.domains.access_policies.base_ips_policy].id, null) + default_action_send_events_to_fmc = try(each.value.send_events_to_fmc, local.defaults.fmc.domains.access_policies.send_events_to_fmc, null) + default_action_log_begin = try(each.value.log_begin, local.defaults.fmc.domains.access_policies.log_begin, null) + default_action_log_end = try(each.value.log_end, local.defaults.fmc.domains.access_policies.log_end, null) + default_action_syslog_config_id = try(each.value.syslog_config_id, local.defaults.fmc.domains.access_policies.syslog_config_id, null) +} + +### +# ACCESS POLICY CATEGORY +### +locals { + res_accesspolicies_category = flatten([ + for domain in local.domains : [ + for accesspolicy in try(domain.access_policies, {}) : [ + for accesspolicy_category in try(accesspolicy.categories, {}) : { + key = "${accesspolicy.name}/${accesspolicy_category}" + acp = local.map_accesspolicies[accesspolicy.name].id + data = accesspolicy_category + } + ] + ] + ]) +} + +resource "fmc_access_policies_category" "accesspolicy_category" { + for_each = { for accesspolicy_category in local.res_accesspolicies_category : accesspolicy_category.key => accesspolicy_category } + + # Mandatory 
+ name = each.value.data + access_policy_id = each.value.acp +} + +### +# PREFILTER POLICY +### +locals { + res_prefilterpolicies = flatten([ + for domains in local.domains : [ + for object in try(domains.prefilter_policies, {}) : object + ] + ]) +} + +resource "fmc_prefilter_policy" "prefilterpolicy" { + for_each = { for prefpolicy in local.res_prefilterpolicies : prefpolicy.name => prefpolicy } + + # Mandatory + name = each.value.name + + # Optional + default_action { + #log_end = try(each.value.log_end, null) # Not supported by provider + log_begin = try(each.value.log_begin, null) + send_events_to_fmc = try(each.value.send_events_to_fmc, null) + action = try(each.value.action, local.defaults.fmc.domains.prefilter_policies.action, "ANALYZE_TUNNELS") + } + + description = try(each.value.description, local.defaults.fmc.domains.prefilter_policies.description, null) +} + ### # FTD NAT POLICY ### 
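Review bot: In `fmc_access_policies.accesspolicy`, `default_action_base_intrusion_policy_id = try(local.map_ipspolicies[each.value.base_ips_policy].id, local.map_ipspolicies[local.defaults.fmc.domains.access_policies.base_ips_policy].id, null)` cannot distinguish an unset `base_ips_policy` from a misspelled one: an unknown name fails the first lookup and the policy is created with the default intrusion policy, or with none, and no plan-time error. Resolving the name once in a local, `base_ips_policy = try(each.value.base_ips_policy, local.defaults.fmc.domains.access_policies.base_ips_policy, null)`, and then indexing without a fallback, `base == null ? null : local.map_ipspolicies[base].id`, makes an unknown name fail the plan. The IPS policy hunk later in this file has the same shape in `basepolicy_id = try(data.fmc_ips_policies.ips_policy[each.value.base_policy].id, null)`.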
@@ -113,19 +193,27 @@ resource "fmc_ftd_autonat_rules" "ftdautonatrule" { } ### -# FTD MANUAL NAT RULE +# IPS POLICY ### locals { - res_ftdmanualnatrules = flatten([ - for domain in local.domains : [ - for natpolicy in try(domain.ftd_nat_policies, []) : [ - for ftdmanualnatrule in try(natpolicy.ftd_manual_nat_rules, []) : { - key = replace("${natpolicy.name}_${ftdmanualnatrule.name}", " ", "") - nat_policy = natpolicy.name - idx = index(natpolicy.ftd_manual_nat_rules, ftdmanualnatrule) - data = ftdmanualnatrule - } - ] + res_ipspolicies = flatten([ + for domains in local.domains : [ + for object in try(domains.ips_policies, []) : object ] ]) -} \ No newline at end of file +} + +resource "fmc_ips_policies" "ips_policy" { + for_each = { for ipspolicy in local.res_ipspolicies : ipspolicy.name => ipspolicy } + + # Mandatory + name = each.value.name + + # Optional + inspection_mode = try(each.value.inspection_mode, local.defaults.fmc.domains.ips_policies.inspection_mode, null) + basepolicy_id = try(data.fmc_ips_policies.ips_policy[each.value.base_policy].id, null) + + depends_on = [ + data.fmc_ips_policies.ips_policy + ] +} diff --git a/fmc_policyassignment.tf b/fmc_policyassignment.tf deleted file mode 100644 index 04009e8..0000000 --- a/fmc_policyassignment.tf +++ /dev/null 
@@ -1,40 +0,0 @@ -### -# POLICY ASSIGNMENT -### -locals { - res_policyassignments = concat( - flatten([ - for domain in local.domains : [ - for device in try(domain.devices, []) : { - device = device.name - policy = device.nat_policy - type = "NAT" - } if contains(keys(device), "nat_policy") - ] - ]), - flatten([ - for domain in local.domains : [ - for device in try(domain.devices, []) : { - device = device.name - policy = device.access_policy - type = "ACP" - } if(contains(keys(device), "access_policy") && contains(local.data_devices, device.name)) - ] - ]) - ) -} - -resource "fmc_policy_devices_assignments" "policy_assignment" { - for_each = { for policyassignment in local.res_policyassignments : "${policyassignment.device}/${policyassignment.type}" => policyassignment } - - # Mandatory - target_devices { - id = local.map_devices[each.value.device].id - type = local.map_devices[each.value.device].type - } - - policy { - id = try(local.map_accesspolicies[each.value.policy].id, local.map_natpolicies[each.value.policy].id) - type = try(local.map_accesspolicies[each.value.policy].type, local.map_natpolicies[each.value.policy].type) - } -} diff --git a/fmc_port.tf b/fmc_port.tf deleted file mode 100644 index dba0644..0000000 --- a/fmc_port.tf +++ /dev/null 
@@ -1,75 +0,0 @@ -### -# PORT -### -locals { - res_ports = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.ports, []) : object if !contains(local.data_ports, object.name) - ] - ]) -} - -resource "fmc_port_objects" "port" { - for_each = { for port in local.res_ports : port.name => port } - - # Mandatory - name = each.value.name - port = each.value.port - protocol = each.value.protocol - - # Optional - overridable = try(each.value.overridable, local.defaults.fmc.domains.objects.ports.overridable, null) -} - -### -# ICMPv4 -### -locals { - res_icmpv4s = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.icmp_v4s, []) : object - ] - ]) -} - -resource "fmc_icmpv4_objects" "icmpv4" { - for_each = { for icmpv4 in local.res_icmpv4s : icmpv4.name => icmpv4 } - - # Mandatory - name = each.value.name - icmp_type = each.value.icmp_type - - # Optional - code = try(each.value.code, local.defaults.fmc.domains.objects.icmp_v4s.code, null) -} - -### -# PORT GROUP -### -locals { - res_portgroups = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.port_groups, []) : object - ] - ]) -} - -resource "fmc_port_group_objects" "portgroup" { - for_each = { for portgrp in local.res_portgroups : portgrp.name => portgrp } - - # Mandatory - name = each.value.name - - dynamic "objects" { - for_each = { for obj in try(each.value.objects, {}) : - obj => obj - } - content { - id = local.map_ports[objects.value].id - type = local.map_ports[objects.value].type - } - } - - # Optional - description = try(each.value.description, local.defaults.fmc.domains.objects.port_groups.description, null) -} diff --git a/fmc_prefilterpolicy.tf b/fmc_prefilterpolicy.tf deleted file mode 100644 index 26a4097..0000000 --- a/fmc_prefilterpolicy.tf +++ /dev/null 
@@ -1,27 +0,0 @@ -### -# PREFILTER POLICY -### -locals { - res_prefilterpolicies = flatten([ - for domains in local.domains : [ - for object in try(domains.prefilter_policies, {}) : object - ] - ]) -} - -resource "fmc_prefilter_policy" "prefilterpolicy" { - for_each = { for prefpolicy in local.res_prefilterpolicies : prefpolicy.name => prefpolicy } - - # Mandatory - name = each.value.name - - # Optional - default_action { - #log_end = try(each.value.log_end, null) # Not supported by provider - log_begin = try(each.value.log_begin, null) - send_events_to_fmc = try(each.value.send_events_to_fmc, null) - action = try(each.value.action, local.defaults.fmc.domains.prefilter_policies.action, "ANALYZE_TUNNELS") - } - - description = try(each.value.description, local.defaults.fmc.domains.prefilter_policies.description, null) -} diff --git a/fmc_securityzone.tf b/fmc_securityzone.tf deleted file mode 100644 index d06cfe0..0000000 --- a/fmc_securityzone.tf +++ /dev/null @@ -1,18 +0,0 @@ -### -# SECURITY ZONE -### -locals { - res_securityzones = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.security_zones, []) : object if !contains(local.data_securityzones, object.name) - ] - ]) -} - -resource "fmc_security_zone" "securityzone" { - for_each = { for securityzone in local.res_securityzones : securityzone.name => securityzone } - - # Mandatory - name = each.value.name - interface_mode = try(each.value.interface_type, local.defaults.fmc.domains.objects.security_zones.interface_type) -} diff --git a/fmc_smartlicense.tf b/fmc_system.tf similarity index 100% rename from fmc_smartlicense.tf rename to fmc_system.tf diff --git a/fmc_url.tf b/fmc_url.tf deleted file mode 100644 index a65b521..0000000 --- a/fmc_url.tf +++ /dev/null 
@@ -1,61 +0,0 @@ -### -# URL -### -locals { - res_urls = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.urls, []) : object if !contains(local.data_urls, object.name) - ] - ]) -} - -resource "fmc_url_objects" "url" { - for_each = { for url in local.res_urls : url.name => url } - - # Mandatory - name = each.value.name - url = each.value.url - - # Optional - description = try(each.value.description, local.defaults.fmc.domains.objects.urls.description, null) -} - -### -# URL GROUPS -### -locals { - res_urlgroups = flatten([ - for domains in local.domains : [ - for object in try(domains.objects.url_groups, []) : object - ] - ]) -} - -resource "fmc_url_object_group" "urlgroup" { - for_each = { for urlgrp in local.res_urlgroups : urlgrp.name => urlgrp } - - # Mandatory - name = each.value.name - - dynamic "objects" { - for_each = { for obj in try(each.value.objects, {}) : - obj => obj - } - content { - id = local.map_urls[objects.value].id - type = local.map_urls[objects.value].type - } - } - - dynamic "literals" { - for_each = { for obj in try(each.value.literals, {}) : - obj => obj - } - content { - url = literals.value - } - } - - # Optional - description = try(each.value.description, local.defaults.fmc.domains.objects.url_groups.description, null) -} diff --git a/main.tf b/main.tf index 681d069..e524a4e 100644 --- a/main.tf +++ b/main.tf 
@@ -2,4 +2,315 @@ locals { fmc = try(local.model.fmc, {}) domains = try(local.fmc.domains, {}) data_existing = try(local.model.existing, {}) + + # + # Create maps for combined set of _data and _resources objects + # + map_networkobjects_l1 = merge({ + for objecthost1 in local.res_hosts : + objecthost1.name => { + id = fmc_host_objects.host[objecthost1.name].id + type = fmc_host_objects.host[objecthost1.name].type + } + }, + { + for objecthost2 in local.data_hosts : + objecthost2 => { + id = data.fmc_host_objects.host[objecthost2].id + type = data.fmc_host_objects.host[objecthost2].type + } + }, + { + for objectnet1 in local.res_networks : + objectnet1.name => { + id = fmc_network_objects.network[objectnet1.name].id + type = fmc_network_objects.network[objectnet1.name].type + } + }, + { + for objectnet2 in local.data_networks : + objectnet2 => { + id = data.fmc_network_objects.network[objectnet2].id + type = data.fmc_network_objects.network[objectnet2].type + } + }, + { + for objectran1 in local.res_ranges : + objectran1.name => { + id = fmc_range_objects.range[objectran1.name].id + #type = fmc_range_objects.range["${objectran1.name}"].type + type = "Range" # TF provider does not include 'type' field for range resource + } + }, + # no data.fmc_range_objects in the provider + #{ + #for objectran2 in local.data_ranges : + # (objectran2) => { + # id = data.fmc_range_objects.range["${objectran2}"].id + # #type = data.fmc_range_objects.range["${objectran2}"].type + # type = "Range" + # } + #}, + { + for objectnetgr1 in local.data_networkgroups : + objectnetgr1 => { + id = data.fmc_network_group_objects.networkgroup[objectnetgr1].id + type = data.fmc_network_group_objects.networkgroup[objectnetgr1].type + } + }, + { + for fqdn in local.res_fqdns : + fqdn.name => { + id = fmc_fqdn_objects.fqdn[fqdn.name].id + #type = fmc_fqdn_objects.fqdn["${fqdn.name}"].type + type = "FQDN" # TF provider does not include 'type' field for fqdn resource + } + } + ) + + map_networkobjects_l2 
= merge(local.map_networkobjects_l1, + { + for objectnetgr1 in local.res_networkgroups_l1 : + objectnetgr1.name => { + id = fmc_network_group_objects.networkgroup_l1[objectnetgr1.name].id + type = fmc_network_group_objects.networkgroup_l1[objectnetgr1.name].type + } + } + ) + + map_networkobjects_l3 = merge(local.map_networkobjects_l2, + { + for objectnetgr1 in local.res_networkgroups_l2 : + objectnetgr1.name => { + id = fmc_network_group_objects.networkgroup_l2[objectnetgr1.name].id + type = fmc_network_group_objects.networkgroup_l2[objectnetgr1.name].type + } + } + ) + + map_networkobjects_l4 = merge(local.map_networkobjects_l3, + { + for objectnetgr1 in local.res_networkgroups_l3 : + objectnetgr1.name => { + id = fmc_network_group_objects.networkgroup_l3[objectnetgr1.name].id + type = fmc_network_group_objects.networkgroup_l3[objectnetgr1.name].type + } + } + ) + + map_networkobjects_l5 = merge(local.map_networkobjects_l4, + { + for objectnetgr1 in local.res_networkgroups_l4 : + objectnetgr1.name => { + id = fmc_network_group_objects.networkgroup_l4[objectnetgr1.name].id + type = fmc_network_group_objects.networkgroup_l4[objectnetgr1.name].type + } + } + ) + + map_networkobjects = merge(local.map_networkobjects_l5, + { + for objectnetgr1 in local.res_networkgroups_l5 : + objectnetgr1.name => { + id = fmc_network_group_objects.networkgroup_l5[objectnetgr1.name].id + type = fmc_network_group_objects.networkgroup_l5[objectnetgr1.name].type + } + } + ) + + map_interfaces = merge(concat( + flatten([ + for domain in local.domains : [ + for device in try(domain.devices, []) : { + for physicalinterface in try(device.physical_interfaces, []) : "${device.name}/${physicalinterface.interface}" => { + key = "${device.name}/${physicalinterface.interface}" + device_id = local.map_devices[device.name].id + device_name = device.name + data = physicalinterface + resource = true + } + } + ] + ]), + flatten([ + for device in try(local.data_existing.fmc.domains[0].devices, []) : { + 
for physicalinterface in try(device.physical_interfaces, []) : "${device.name}/${physicalinterface.interface}" => { + key = "${device.name}/${physicalinterface.interface}" + device_id = local.map_devices[device.name].id + device_name = device.name + data = physicalinterface + resource = false + } + } + ]) + )... + ) + + map_securityzones = merge({ + for securityzone in local.res_securityzones : + securityzone.name => { + id = fmc_security_zone.securityzone[securityzone.name].id + type = fmc_security_zone.securityzone[securityzone.name].type + } + }, + { + for securityzone in local.data_securityzones : + securityzone => { + id = data.fmc_security_zones.securityzone[securityzone].id + type = data.fmc_security_zones.securityzone[securityzone].type + } + } + ) + + map_ports = merge({ + for port in local.res_ports : + port.name => { + id = fmc_port_objects.port[port.name].id + type = fmc_port_objects.port[port.name].type + } + }, + { + for port in local.data_ports : + port => { + id = data.fmc_port_objects.port[port].id + type = data.fmc_port_objects.port[port].type + } + }, + { + for portgroup in local.data_portgroups : + portgroup => { + id = data.fmc_port_group_objects.portgroup[portgroup].id + #type = data.fmc_port_group_objects.portgroup[portgroup].type + type = "PortObjectGroup" + } + }, + { + for icmpv4 in local.res_icmpv4s : + icmpv4.name => { + id = fmc_icmpv4_objects.icmpv4[icmpv4.name].id + type = fmc_icmpv4_objects.icmpv4[icmpv4.name].type + } + } + ) + + map_accesspolicies = merge({ + for accesspolicy in local.res_accesspolicies : + accesspolicy.name => { + id = fmc_access_policies.accesspolicy[accesspolicy.name].id + type = fmc_access_policies.accesspolicy[accesspolicy.name].type + } + }, + { + for accesspolicy in local.data_accesspolicies : + accesspolicy => { + id = data.fmc_access_policies.accesspolicy[accesspolicy].id + type = data.fmc_access_policies.accesspolicy[accesspolicy].type + } + } + ) + + map_devices = merge({ + for device in 
local.res_devices : + device.name => { + id = fmc_devices.device[device.name].id + type = fmc_devices.device[device.name].type + } + }, + { + for device in local.data_devices : + device => { + id = data.fmc_devices.device[device].id + type = data.fmc_devices.device[device].type + } + } + ) + + map_ipspolicies = merge({ + for ipspolicy in local.res_ipspolicies : + ipspolicy.name => { + id = fmc_ips_policies.ips_policy[ipspolicy.name].id + type = fmc_ips_policies.ips_policy[ipspolicy.name].type + } + }, + { + for ipspolicy in local.data_ipspolicies : + ipspolicy => { + id = data.fmc_ips_policies.ips_policy[ipspolicy].id + type = data.fmc_ips_policies.ips_policy[ipspolicy].type + } + } + ) + + map_natpolicies = merge({ + for natpolicy in local.res_ftdnatpolicies : + natpolicy.name => { + id = fmc_ftd_nat_policies.ftdnatpolicy[natpolicy.name].id + type = fmc_ftd_nat_policies.ftdnatpolicy[natpolicy.name].type + } + }, + { + for natpolicy in local.data_ftdnatpolicies : + natpolicy => { + id = data.fmc_ftd_nat_policies.ftdnatpolicy[natpolicy].id + type = data.fmc_ftd_nat_policies.ftdnatpolicy[natpolicy].type + } + } + ) + + map_urls = merge({ + for url in local.res_urls : + url.name => { + id = fmc_url_objects.url[url.name].id + type = fmc_url_objects.url[url.name].type + } + }, + { + for url in local.data_urls : + url => { + id = data.fmc_url_objects.url[url].id + type = data.fmc_url_objects.url[url].type + } + } + ) + + map_urlgroups = merge({ + for url in local.res_urlgroups : + url.name => { + id = fmc_url_object_group.urlgroup[url.name].id + type = fmc_url_object_group.urlgroup[url.name].type + } + } + ) + + map_sgts = merge({ + for sgt in local.res_sgts : + sgt.name => { + id = fmc_sgt_objects.sgt[sgt.name].id + type = fmc_sgt_objects.sgt[sgt.name].type + } + }, + { + for sgt in local.data_sgts : + sgt => { + id = data.fmc_sgt_objects.sgt[sgt].id + type = data.fmc_sgt_objects.sgt[sgt].type + } + } + ) + + map_dynamicobjects = merge({ + for dynobj in 
local.res_dynamicobjects : + dynobj.name => { + id = fmc_dynamic_objects.dynamicobject[dynobj.name].id + type = fmc_dynamic_objects.dynamicobject[dynobj.name].type + } + }, + { + for dynobj in local.data_dynamicobjects : + dynobj => { + id = data.fmc_dynamic_objects.dynamicobject[dynobj].id + type = data.fmc_dynamic_objects.dynamicobject[dynobj].type + } + } + ) } \ No newline at end of file diff --git a/merge_objects.tf b/merge_objects.tf deleted file mode 100644 index 3e33e70..0000000 --- a/merge_objects.tf +++ /dev/null 
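Review bot: In `map_interfaces` the existing-device branch reads only `local.data_existing.fmc.domains[0].devices`, while the managed branch walks every entry of `local.domains`; an existing device listed under any other domain in `existing.yaml` is dropped without a diagnostic and nothing that resolves interfaces through this map will find it. If a single domain in `existing.yaml` is the intended contract, say so next to the lookup (`# existing.yaml is expected to carry exactly one domain`); otherwise nest the loop as `for domain in try(local.data_existing.fmc.domains, []) : { for device in try(domain.devices, []) : ... }` so both branches agree. Note also that both branches key on `"${device.name}/${physicalinterface.interface}"` with no domain component, so `merge(...)` keeps whichever same-named device it sees last — the existing (`resource = false`) entry overwrites the managed one on a collision rather than failing the plan. The new `main.tf` also ends without a trailing newline, per the `\ No newline at end of file` marker.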
@@ -1,313 +0,0 @@ -# -# Create maps for combined set of _data and _resources objects -# -locals { - - map_networkobjects_l1 = merge({ - for objecthost1 in local.res_hosts : - objecthost1.name => { - id = fmc_host_objects.host[objecthost1.name].id - type = fmc_host_objects.host[objecthost1.name].type - } - }, - { - for objecthost2 in local.data_hosts : - objecthost2 => { - id = data.fmc_host_objects.host[objecthost2].id - type = data.fmc_host_objects.host[objecthost2].type - } - }, - { - for objectnet1 in local.res_networks : - objectnet1.name => { - id = fmc_network_objects.network[objectnet1.name].id - type = fmc_network_objects.network[objectnet1.name].type - } - }, - { - for objectnet2 in local.data_networks : - objectnet2 => { - id = data.fmc_network_objects.network[objectnet2].id - type = data.fmc_network_objects.network[objectnet2].type - } - }, - { - for objectran1 in local.res_ranges : - objectran1.name => { - id = fmc_range_objects.range[objectran1.name].id - #type = fmc_range_objects.range["${objectran1.name}"].type - type = "Range" # TF provider does not include 'type' field for range resource - } - }, - # no data.fmc_range_objects in the provider - #{ - #for objectran2 in local.data_ranges : - # (objectran2) => { - # id = data.fmc_range_objects.range["${objectran2}"].id - # #type = data.fmc_range_objects.range["${objectran2}"].type - # type = "Range" - # } - #}, - { - for objectnetgr1 in local.data_networkgroups : - objectnetgr1 => { - id = data.fmc_network_group_objects.networkgroup[objectnetgr1].id - type = data.fmc_network_group_objects.networkgroup[objectnetgr1].type - } - }, - { - for fqdn in local.res_fqdns : - fqdn.name => { - id = fmc_fqdn_objects.fqdn[fqdn.name].id - #type = fmc_fqdn_objects.fqdn["${fqdn.name}"].type - type = "FQDN" # TF provider does not include 'type' field for fqdn resource - } - } - ) - - map_networkobjects_l2 = merge(local.map_networkobjects_l1, - { - for objectnetgr1 in local.res_networkgroups_l1 : - objectnetgr1.name => 
{ - id = fmc_network_group_objects.networkgroup_l1[objectnetgr1.name].id - type = fmc_network_group_objects.networkgroup_l1[objectnetgr1.name].type - } - } - ) - - map_networkobjects_l3 = merge(local.map_networkobjects_l2, - { - for objectnetgr1 in local.res_networkgroups_l2 : - objectnetgr1.name => { - id = fmc_network_group_objects.networkgroup_l2[objectnetgr1.name].id - type = fmc_network_group_objects.networkgroup_l2[objectnetgr1.name].type - } - } - ) - - map_networkobjects_l4 = merge(local.map_networkobjects_l3, - { - for objectnetgr1 in local.res_networkgroups_l3 : - objectnetgr1.name => { - id = fmc_network_group_objects.networkgroup_l3[objectnetgr1.name].id - type = fmc_network_group_objects.networkgroup_l3[objectnetgr1.name].type - } - } - ) - - map_networkobjects_l5 = merge(local.map_networkobjects_l4, - { - for objectnetgr1 in local.res_networkgroups_l4 : - objectnetgr1.name => { - id = fmc_network_group_objects.networkgroup_l4[objectnetgr1.name].id - type = fmc_network_group_objects.networkgroup_l4[objectnetgr1.name].type - } - } - ) - - map_networkobjects = merge(local.map_networkobjects_l5, - { - for objectnetgr1 in local.res_networkgroups_l5 : - objectnetgr1.name => { - id = fmc_network_group_objects.networkgroup_l5[objectnetgr1.name].id - type = fmc_network_group_objects.networkgroup_l5[objectnetgr1.name].type - } - } - ) - - map_interfaces = merge(concat( - flatten([ - for domain in local.domains : [ - for device in try(domain.devices, []) : { - for physicalinterface in try(device.physical_interfaces, []) : "${device.name}/${physicalinterface.interface}" => { - key = "${device.name}/${physicalinterface.interface}" - device_id = local.map_devices[device.name].id - device_name = device.name - data = physicalinterface - resource = true - } - } - ] - ]), - flatten([ - for device in try(local.data_existing.fmc.domains[0].devices, []) : { - for physicalinterface in try(device.physical_interfaces, []) : "${device.name}/${physicalinterface.interface}" => 
{ - key = "${device.name}/${physicalinterface.interface}" - device_id = local.map_devices[device.name].id - device_name = device.name - data = physicalinterface - resource = false - } - } - ]) - )... - ) - - map_securityzones = merge({ - for securityzone in local.res_securityzones : - securityzone.name => { - id = fmc_security_zone.securityzone[securityzone.name].id - type = fmc_security_zone.securityzone[securityzone.name].type - } - }, - { - for securityzone in local.data_securityzones : - securityzone => { - id = data.fmc_security_zones.securityzone[securityzone].id - type = data.fmc_security_zones.securityzone[securityzone].type - } - } - ) - - map_ports = merge({ - for port in local.res_ports : - port.name => { - id = fmc_port_objects.port[port.name].id - type = fmc_port_objects.port[port.name].type - } - }, - { - for port in local.data_ports : - port => { - id = data.fmc_port_objects.port[port].id - type = data.fmc_port_objects.port[port].type - } - }, - { - for portgroup in local.data_portgroups : - portgroup => { - id = data.fmc_port_group_objects.portgroup[portgroup].id - #type = data.fmc_port_group_objects.portgroup[portgroup].type - type = "PortObjectGroup" - } - }, - { - for icmpv4 in local.res_icmpv4s : - icmpv4.name => { - id = fmc_icmpv4_objects.icmpv4[icmpv4.name].id - type = fmc_icmpv4_objects.icmpv4[icmpv4.name].type - } - } - ) - - map_accesspolicies = merge({ - for accesspolicy in local.res_accesspolicies : - accesspolicy.name => { - id = fmc_access_policies.accesspolicy[accesspolicy.name].id - type = fmc_access_policies.accesspolicy[accesspolicy.name].type - } - }, - { - for accesspolicy in local.data_accesspolicies : - accesspolicy => { - id = data.fmc_access_policies.accesspolicy[accesspolicy].id - type = data.fmc_access_policies.accesspolicy[accesspolicy].type - } - } - ) - - map_devices = merge({ - for device in local.res_devices : - device.name => { - id = fmc_devices.device[device.name].id - type = fmc_devices.device[device.name].type - } 
- }, - { - for device in local.data_devices : - device => { - id = data.fmc_devices.device[device].id - type = data.fmc_devices.device[device].type - } - } - ) - - map_ipspolicies = merge({ - for ipspolicy in local.res_ipspolicies : - ipspolicy.name => { - id = fmc_ips_policies.ips_policy[ipspolicy.name].id - type = fmc_ips_policies.ips_policy[ipspolicy.name].type - } - }, - { - for ipspolicy in local.data_ipspolicies : - ipspolicy => { - id = data.fmc_ips_policies.ips_policy[ipspolicy].id - type = data.fmc_ips_policies.ips_policy[ipspolicy].type - } - } - ) - - map_natpolicies = merge({ - for natpolicy in local.res_ftdnatpolicies : - natpolicy.name => { - id = fmc_ftd_nat_policies.ftdnatpolicy[natpolicy.name].id - type = fmc_ftd_nat_policies.ftdnatpolicy[natpolicy.name].type - } - }, - { - for natpolicy in local.data_ftdnatpolicies : - natpolicy => { - id = data.fmc_ftd_nat_policies.ftdnatpolicy[natpolicy].id - type = data.fmc_ftd_nat_policies.ftdnatpolicy[natpolicy].type - } - } - ) - - map_urls = merge({ - for url in local.res_urls : - url.name => { - id = fmc_url_objects.url[url.name].id - type = fmc_url_objects.url[url.name].type - } - }, - { - for url in local.data_urls : - url => { - id = data.fmc_url_objects.url[url].id - type = data.fmc_url_objects.url[url].type - } - } - ) - - map_urlgroups = merge({ - for url in local.res_urlgroups : - url.name => { - id = fmc_url_object_group.urlgroup[url.name].id - type = fmc_url_object_group.urlgroup[url.name].type - } - } - ) - - map_sgts = merge({ - for sgt in local.res_sgts : - sgt.name => { - id = fmc_sgt_objects.sgt[sgt.name].id - type = fmc_sgt_objects.sgt[sgt.name].type - } - }, - { - for sgt in local.data_sgts : - sgt => { - id = data.fmc_sgt_objects.sgt[sgt].id - type = data.fmc_sgt_objects.sgt[sgt].type - } - } - ) - - map_dynamicobjects = merge({ - for dynobj in local.res_dynamicobjects : - dynobj.name => { - id = fmc_dynamic_objects.dynamicobject[dynobj.name].id - type = 
fmc_dynamic_objects.dynamicobject[dynobj.name].type - } - }, - { - for dynobj in local.data_dynamicobjects : - dynobj => { - id = data.fmc_dynamic_objects.dynamicobject[dynobj].id - type = data.fmc_dynamic_objects.dynamicobject[dynobj].type - } - } - ) -} diff --git a/templates/auto_generate.tf b/templates/auto_generate.tf index ba773bb..9348514 100644 --- a/templates/auto_generate.tf +++ b/templates/auto_generate.tf @@ -10,7 +10,7 @@ locals { ### resource "local_file" "access_rule" { content = replace( - templatefile("./fmc_tpl_accessrule.tftpl", local.template_data), + templatefile("./fmc_access_rules.tftpl", local.template_data), "/(?m)(?s)(^( )*[\r\n])/", "" ) filename = "../fmc_access_rules.tf" @@ -21,10 +21,10 @@ resource "local_file" "access_rule" { ### resource "local_file" "ftdmanualnatrule" { content = replace( - templatefile("./fmc_tpl_ftdmanualnatrule.tftpl", local.template_data), + templatefile("./fmc_ftd_manual_nat_rulea.tftpl", local.template_data), "/(?m)(?s)(^( )*[\r\n])/", "" ) - filename = "../fmc_ftdmanualnatrule.tf" + filename = "../fmc_ftd_manual_nat_rules.tf" } ### @@ -32,7 +32,7 @@ resource "local_file" "ftdmanualnatrule" { ### resource "local_file" "deploy" { content = replace( - templatefile("./fmc_tpl_deploy.tftpl", local.template_data), + templatefile("./fmc_deploy.tftpl", local.template_data), "/(?m)(?s)(^( )*[\r\n])/", "" ) filename = "../fmc_deploy.tf" diff --git a/templates/fmc_tpl_accessrule.tftpl b/templates/fmc_access_rules.tftpl similarity index 93% rename from templates/fmc_tpl_accessrule.tftpl rename to templates/fmc_access_rules.tftpl index 5a4557a..b4740fb 100644 --- a/templates/fmc_tpl_accessrule.tftpl +++ b/templates/fmc_access_rules.tftpl 
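Review bot: The second hunk of `templates/auto_generate.tf` points the generator at `./fmc_ftd_manual_nat_rulea.tftpl`, but this same commit renames the template to `templates/fmc_ftd_manual_nat_rules.tftpl`, so `templatefile()` will fail with a missing-file error on the next generator run and `../fmc_ftd_manual_nat_rules.tf` will never be regenerated. The line should read `templatefile("./fmc_ftd_manual_nat_rules.tftpl", local.template_data),`. Since the `filename = "../..."` targets suggest the generated `.tf` files are committed, a stale NAT-rule file could keep shipping rules that no longer match the template until someone notices; a CI step that runs the generator and fails on a dirty tree would catch this class of slip.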
@@ -1,3 +1,21 @@
+###
+# ACCESS RULE
+###
+locals {
+ res_accessrules = flatten([
+ for domain in local.domains : [
+ for accesspolicy in try(domain.access_policies, {}) : [
+ for accessrule in try(accesspolicy.access_rules, {}) : {
+ key = replace("${accesspolicy.name}_${accessrule.name}", " ", "")
+ acp = accesspolicy.name
+ idx = index(accesspolicy.access_rules, accessrule)
+ data = accessrule
+ }
+ ]
+ ]
+ ])
+}
+
 %{~ for index in range(0, number_of_rules) ~}
 resource "fmc_access_rules" "access_rule_${index}" {
 for_each = { for rule in local.res_accessrules : rule.key => rule if rule.idx == ${index} }
diff --git a/templates/fmc_tpl_deploy.tftpl b/templates/fmc_deploy.tftpl similarity index 99% rename from templates/fmc_tpl_deploy.tftpl rename to templates/fmc_deploy.tftpl
index 7eccd9d..f4f985f 100644
--- a/templates/fmc_tpl_deploy.tftpl
+++ b/templates/fmc_deploy.tftpl
@@ -11,8 +11,6 @@ locals { } if try(object.deploy, false) && var.manage_deployment ] ]) - - } resource "fmc_ftd_deploy" "ftd" {
diff --git a/templates/fmc_tpl_ftdmanualnatrule.tftpl b/templates/fmc_ftd_manual_nat_rules.tftpl similarity index 91% rename from templates/fmc_tpl_ftdmanualnatrule.tftpl rename to templates/fmc_ftd_manual_nat_rules.tftpl
index 6707f70..494c114 100644
--- a/templates/fmc_tpl_ftdmanualnatrule.tftpl
+++ b/templates/fmc_ftd_manual_nat_rules.tftpl
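Review bot: A rule whose position in `access_rules` is `number_of_rules` or higher matches none of the generated `fmc_access_rules.access_rule_${index}` resources, because every `for_each` filters on `rule.idx == ${index}` and `${index}` only covers `range(0, number_of_rules)`; the tail of a long policy is dropped from the plan silently rather than failing it, which for an access policy means rules that never reach the firewall. Guard it in the generated code, e.g. on the first generated resource `lifecycle { precondition { condition = alltrue([for r in local.res_accessrules : r.idx < ${number_of_rules}]) error_message = "access policy has more rules than number_of_rules" } }`, or have the generator refuse to run when any policy exceeds the count. Minor consistency point: this template defaults the lists with `try(..., {})` while the NAT template in the same commit uses `try(..., [])`; `[]` is the right type for a value `index()` is later called on. The resource bodies continue past the end of the hunk.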
@@ -1,3 +1,21 @@
+###
+# FTD MANUAL NAT RULE
+###
+locals {
+ res_ftdmanualnatrules = flatten([
+ for domain in local.domains : [
+ for natpolicy in try(domain.ftd_nat_policies, []) : [
+ for ftdmanualnatrule in try(natpolicy.ftd_manual_nat_rules, []) : {
+ key = replace("${natpolicy.name}_${ftdmanualnatrule.name}", " ", "")
+ nat_policy = natpolicy.name
+ idx = index(natpolicy.ftd_manual_nat_rules, ftdmanualnatrule)
+ data = ftdmanualnatrule
+ }
+ ]
+ ]
+ ])
+}
+
 %{~ for index in range(0, number_of_rules) ~}
 resource "fmc_ftd_manualnat_rules" "manualnat_rules_${index}" {
 for_each = { for rule in local.res_ftdmanualnatrules : rule.key => rule if rule.idx == ${index} }
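Review bot: `idx = index(natpolicy.ftd_manual_nat_rules, ftdmanualnatrule)` assigns every rule past position `number_of_rules - 1` to an index that no generated `fmc_ftd_manualnat_rules.manualnat_rules_${index}` resource selects, so extra manual NAT rules disappear from the plan with no error — traffic that should be translated simply is not, and nothing in the plan output hints at it. The same `precondition`-style bound check that the access-rule template needs belongs here too, comparing `max([for r in local.res_ftdmanualnatrules : r.idx])` against `${number_of_rules}`, or the generator should refuse to emit a file when a policy exceeds the count. The per-index fan-out also makes the position in the YAML list the sole ordering signal; a short comment above `idx` (`# position in the YAML list; rules are created one resource per position`) would help the next reader understand why the resources are split this way. The resource body continues outside the hunk, so whether the per-index resources chain on each other cannot be seen here.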