version 0.0.9

netascode · Aug 9, 2024 · 8136159 · 8136159
1 parent 97c2f69
commit 8136159
Show file tree

Hide file tree

Showing 13 changed files with 1,448 additions and 1,415 deletions.
diff --git a/README.md b/README.md
@@ -331,6 +331,7 @@ module "fmc" {
 | [fmc_url_objects.url](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/url_objects) | resource |
 | [local_sensitive_file.defaults](https://registry.terraform.io/providers/hashicorp/local/latest/docs/resources/sensitive_file) | resource |
 | [fmc_access_policies.accesspolicy](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/data-sources/access_policies) | data source |
+| [fmc_device_cluster.cluster](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/data-sources/device_cluster) | data source |
 | [fmc_device_physical_interfaces.physical_interface](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/data-sources/device_physical_interfaces) | data source |
 | [fmc_device_subinterfaces.sub_interfaces](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/data-sources/device_subinterfaces) | data source |
 | [fmc_device_vni.vni](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/data-sources/device_vni) | data source |

diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml
@@ -14,39 +14,42 @@ defaults:
           metric_value: 1
         vnis:
           description: "VNI Interface"
-      clusters:
-        ccl_prefix: 10.10.3.0/27
-        vni_prefix: 10.10.4.0/27
-      prefilter_policies:
-        action: "ANALYZE_TUNNELS"
-      access_policies:
-        default_action: "BLOCK"
-        log_begin: false
-        log_end: false
-        send_events_to_fmc: false
-        access_rules:
-          enable_syslog: false
-          enabled: true
-      ftd_nat_policies:
-        ftd_auto_nat_rules:
-          fall_through: false
-          ipv6: false
-          net_to_net: false
-          no_proxy_arp: false
-          perform_route_lookup: false
-          translate_dns: false
-          translated_network_is_destination_interface: true
-        ftd_manual_nat_rules:
-          enabled: true
-          fall_through: false
-          interface_in_original_destination: false
-          interface_in_translated_source: true
-          ipv6: false
-          net_to_net: false
-          no_proxy_arp: false
-          perform_route_lookup: false
-          translate_dns: false
-          unidirectional: false
+        clusters:
+          ccl_prefix: 10.10.3.0/27
+          vni_prefix: 10.10.4.0/27
+      policies:    
+        prefilter_policies:
+          action: "ANALYZE_TUNNELS"
+        network_analysis_policies:
+          snort_engine: "SNORT2"          
+        access_policies:
+          default_action: "BLOCK"
+          log_begin: false
+          log_end: false
+          send_events_to_fmc: false
+          access_rules:
+            enable_syslog: false
+            enabled: true
+        ftd_nat_policies:
+          ftd_auto_nat_rules:
+            fall_through: false
+            ipv6: false
+            net_to_net: false
+            no_proxy_arp: false
+            perform_route_lookup: false
+            translate_dns: false
+            translated_network_is_destination_interface: true
+          ftd_manual_nat_rules:
+            enabled: true
+            fall_through: false
+            interface_in_original_destination: false
+            interface_in_translated_source: true
+            ipv6: false
+            net_to_net: false
+            no_proxy_arp: false
+            perform_route_lookup: false
+            translate_dns: false
+            unidirectional: false
       objects:
         fqdns:
           dns_resolution: "IPV4_AND_IPV6"
@@ -66,5 +69,4 @@ defaults:
             logging: "DISABLED"
             log_interval: 300
             log_level: "INFORMATIONAL"
-      network_analysis_policies:
-        snort_engine: "SNORT2"
+
diff --git a/fmc_access_rules.tf b/fmc_access_rules.tf
diff --git a/fmc_deploy.tf b/fmc_deploy.tf
@@ -4,10 +4,10 @@
 locals {
   res_deploy = flatten([
     for domains in local.domains : [
-      for object in try(domains.devices, []) : {
+      for object in try(domains.devices.devices, []) : {
         device                = object.name
-        deploy_ignore_warning = try(object.deploy_ignore_warning, local.defaults.fmc.domains.devices.deploy_ignore_warning, null)
-        deploy_force          = try(object.deploy_force, local.defaults.fmc.domains.devices.deploy_force, null)
+        deploy_ignore_warning = try(object.deploy_ignore_warning, local.defaults.fmc.domains.devices.devices.deploy_ignore_warning, null)
+        deploy_force          = try(object.deploy_force, local.defaults.fmc.domains.devices.devices.deploy_force, null)
       } if try(object.deploy, false) && var.manage_deployment
     ]
   ])

diff --git a/fmc_devices.tf b/fmc_devices.tf
@@ -4,7 +4,7 @@
 locals {
   res_devices = flatten([
     for domains in local.domains : [
-      for object in try(domains.devices, []) : object if !contains(local.data_devices, object.name)
+      for object in try(domains.devices.devices, []) : object if !contains(local.data_devices, object.name)
     ]
   ])
 }
@@ -23,8 +23,8 @@ resource "fmc_devices" "device" {
 
   # Optional  
   license_caps     = try(each.value.licenses)
-  nat_id           = try(each.value.nat_id, local.defaults.fmc.domains.devices.nat_id, null)
-  performance_tier = try(each.value.performance_tier, local.defaults.fmc.domains.devices.performance_tier, null)
+  nat_id           = try(each.value.nat_id, local.defaults.fmc.domains.devices.devices.nat_id, null)
+  performance_tier = try(each.value.performance_tier, local.defaults.fmc.domains.devices.devices.performance_tier, null)
 
   lifecycle {
     ignore_changes = [regkey, access_policy]
@@ -37,7 +37,7 @@ resource "fmc_devices" "device" {
 locals {
   res_clusters = flatten([
     for domains in local.domains : [
-      for cluster in try(domains.clusters, []) : {
+      for cluster in try(domains.devices.clusters, []) : {
         name          = cluster.name
         ccl_prefix    = cluster.ccl_prefix
         vni_prefix    = cluster.vni_prefix
@@ -104,6 +104,7 @@ resource "fmc_device_cluster" "cluster" {
 ###
 # PHYSICAL INTERFACE Standalone/Cluster
 ###
+
 resource "fmc_device_physical_interfaces" "physical_interface" {
   for_each = { for physicalinterface in local.map_interfaces : physicalinterface.key => physicalinterface if physicalinterface.resource }
 
@@ -128,7 +129,8 @@ resource "fmc_device_physical_interfaces" "physical_interface" {
   description            = try(each.value.data.description, local.defaults.fmc.domains.devices.physical_interfaces.description, null)
 
   depends_on = [
-    data.fmc_device_physical_interfaces.physical_interface
+    data.fmc_device_physical_interfaces.physical_interface,
+    fmc_device_cluster.cluster
   ]
   lifecycle {
     ignore_changes = [
@@ -230,7 +232,7 @@ resource "fmc_device_vtep" "vtep" {
 locals {
   res_vni_interfaces = flatten([
     for domain in local.domains : [
-      for device in try(domain.devices, []) : [
+      for device in try(domain.devices.devices, []) : [
         for vni in try(device.vnis, []) : {
           key       = "${device.name}/${vni.name}/${vni.vni_id}"
           device_id = local.map_devices[device.name].id
@@ -286,7 +288,7 @@ locals {
           gateway_id        = local.map_networkobjects[ipv4staticroute.gateway].id
           gateway_type      = local.map_networkobjects[ipv4staticroute.gateway].type
           gateway_name      = ipv4staticroute.gateway
-          interface_name    = try(local.map_ipv4_static_route_interfaces[domain.name][device.name][ipv4staticroute.interface], null)
+          interface_name    = ipv4staticroute.interface
           selected_networks = ipv4staticroute.selected_networks
         }
       ]
@@ -329,67 +331,3 @@ resource "fmc_staticIPv4_route" "ipv4staticroute" {
   ]
 
 }
-
-###
-# POLICY ASSIGNMENT
-###
-locals {
-  res_natpolicyassignments = flatten([
-    for nat_policy in local.res_ftdnatpolicies : {
-      "name" = nat_policy.name
-      "objects" = compact(flatten([
-        for domain in local.domains : [
-          for device in try(domain.devices, []) : contains(keys(device), "nat_policy") && try(device.nat_policy, null) == nat_policy.name ? device.name : null
-        ]
-      ]))
-    }
-  ])
-
-  res_acppolicyassignments = flatten([
-    for acp_policy in local.res_accesspolicies : {
-      "name" = acp_policy.name
-      "objects" = compact(flatten([
-        for domain in local.domains : [
-          for device in try(domain.devices, []) : contains(keys(device), "access_policy") && device.access_policy == acp_policy.name && contains(local.data_devices, device.name) ? device.name : null
-        ]
-      ]))
-    }
-  ])
-
-}
-
-resource "fmc_policy_devices_assignments" "nat_policy_assignment" {
-  for_each = { for nat in local.res_natpolicyassignments : nat.name => nat if length(nat.objects) > 0 }
-
-  # Mandatory
-  dynamic "target_devices" {
-    for_each = { for device in each.value.objects : device => device }
-    content {
-      id   = try(local.map_devices[target_devices.value].id, null)
-      type = try(local.map_devices[target_devices.value].type, null)
-    }
-  }
-  policy {
-    id   = try(local.map_natpolicies[each.value.name].id, null)
-    type = try(local.map_natpolicies[each.value.name].type, null)
-  }
-}
-
-resource "fmc_policy_devices_assignments" "access_policy_assignment" {
-  for_each = { for acp in local.res_acppolicyassignments : acp.name => acp if length(acp.objects) > 0 }
-
-
-  # Mandatory
-  dynamic "target_devices" {
-    for_each = { for device in each.value.objects : device => device }
-    content {
-      id   = try(local.map_devices[target_devices.value].id, null)
-      type = try(local.map_devices[target_devices.value].type, null)
-    }
-  }
-
-  policy {
-    id   = try(local.map_accesspolicies[each.value.name].id, null)
-    type = try(local.map_accesspolicies[each.value.name].type, null)
-  }
-}
diff --git a/fmc_existing.tf b/fmc_existing.tf
@@ -3,13 +3,14 @@
 ###
 
 locals {
-  data_smart_license             = contains(keys(local.data_existing.fmc), "smart_license") ? [local.data_existing.fmc.smart_license] : []
-  data_devices                   = [for obj in try(local.data_existing.fmc.domains[0].devices, []) : obj.name]
-  data_clusters                  = [for obj in try(local.data_existing.fmc.domains[0].clusters, []) : obj.name]
-  data_accesspolicies            = [for obj in try(local.data_existing.fmc.domains[0].access_policies, []) : obj.name]
-  data_ftdnatpolicies            = [for obj in try(local.data_existing.fmc.domains[0].ftd_nat_policies, []) : obj.name]
-  data_ipspolicies               = [for obj in try(local.data_existing.fmc.domains[0].ips_policies, []) : obj.name]
-  data_filepolicies              = [for obj in try(local.data_existing.fmc.domains[0].file_policies, []) : obj.name]
+  data_smart_license             = contains(keys(try(local.data_existing.fmc.system, {})), "smart_license") ? [local.data_existing.fmc.system.smart_license] : []
+  data_syslog_alerts             = [for obj in try(local.data_existing.fmc.system.syslog_alerts, []) : obj.name]
+  data_devices                   = [for obj in try(local.data_existing.fmc.domains[0].devices.devices, []) : obj.name]
+  data_clusters                  = [for obj in try(local.data_existing.fmc.domains[0].devices.clusters, []) : obj.name]
+  data_accesspolicies            = [for obj in try(local.data_existing.fmc.domains[0].policies.access_policies, []) : obj.name]
+  data_ftdnatpolicies            = [for obj in try(local.data_existing.fmc.domains[0].policies.ftd_nat_policies, []) : obj.name]
+  data_ipspolicies               = [for obj in try(local.data_existing.fmc.domains[0].policies.ips_policies, []) : obj.name]
+  data_filepolicies              = [for obj in try(local.data_existing.fmc.domains[0].policies.file_policies, []) : obj.name]
   data_network_analysis_policies = [for obj in try(local.data_existing.fmc.domains[0].network_analysis_policies, []) : obj.name]
   data_hosts                     = [for obj in try(local.data_existing.fmc.domains[0].objects.hosts, []) : obj.name]
   data_networks                  = [for obj in try(local.data_existing.fmc.domains[0].objects.networks, []) : obj.name]
@@ -20,15 +21,14 @@ locals {
   #data_icmpv_4s                  = []
   data_securityzones         = [for obj in try(local.data_existing.fmc.domains[0].objects.security_zones, []) : obj.name]
   data_urls                  = [for obj in try(local.data_existing.fmc.domains[0].objects.urls, []) : obj.name]
-  data_syslog_alerts         = [for obj in try(local.data_existing.fmc.domains[0].syslog_alerts, []) : obj.name]
   data_sgts                  = [for obj in try(local.data_existing.fmc.domains[0].objects.sgts, []) : obj.name]
   data_dynamicobjects        = [for obj in try(local.data_existing.fmc.domains[0].objects.dynamic_objects, []) : obj.name]
   data_time_ranges           = [for obj in try(local.data_existing.fmc.domains[0].objects.time_ranges, []) : obj.name]
   data_standard_access_lists = [for obj in try(local.data_existing.fmc.domains[0].objects.standard_access_lists, []) : obj.name]
   data_extended_access_lists = [for obj in try(local.data_existing.fmc.domains[0].objects.extended_access_lists, []) : obj.name]
 
   data_sub_interfaces = flatten([
-    for device in try(local.data_existing.fmc.domains[0].devices, []) : [
+    for device in try(local.data_existing.fmc.domains[0].devices.devices, []) : [
       for physicalinterface in try(device.physical_interfaces, []) : [
         for subinterface in try(physicalinterface.subinterfaces, []) : {
           key               = "${device.name}/${physicalinterface.interface}/${subinterface.id}"
@@ -41,15 +41,15 @@ locals {
   ])
 
   data_sub_interfces_list = flatten([
-    for device in try(local.data_existing.fmc.domains[0].devices, []) : [
+    for device in try(local.data_existing.fmc.domains[0].devices.devices, []) : [
       for physicalinterface in try(device.physical_interfaces, []) : [
         for subinterface in try(physicalinterface.subinterfaces, []) : "${device.name}/${physicalinterface.interface}/${subinterface.id}"
       ]
     ]
   ])
 
   data_vni_interfaces = flatten([
-    for device in try(local.data_existing.fmc.domains[0].devices, []) : [
+    for device in try(local.data_existing.fmc.domains[0].devices.devices, []) : [
       for vni in try(device.vnis, []) : {
         key       = "${device.name}/${vni.name}/${vni.vni_id}"
         device_id = local.map_devices[device.name].id
@@ -59,12 +59,15 @@ locals {
   ])
 
   data_vni_interfaces_list = flatten([
-    for device in try(local.data_existing.fmc.domains[0].devices, []) : [
+    for device in try(local.data_existing.fmc.domains[0].devices.devices, []) : [
       for vni in try(device.vnis, []) : "${device.name}/${vni.name}/${vni.vni_id}"
     ]
   ])
 
 }
+###
+#   Data sources
+###
 
 data "fmc_smart_license" "smart_license" {
   for_each = toset(local.data_smart_license)
@@ -176,17 +179,17 @@ data "fmc_devices" "device" {
   name = each.key
 }
 
-# data "fmc_device_cluster" "cluster" {
-#   for_each = toset(local.data_clusters)
+data "fmc_device_cluster" "cluster" {
+  for_each = toset(local.data_clusters)
 
-#   name = each.key
-# }
+  name = each.key
+}
 
 data "fmc_device_physical_interfaces" "physical_interface" {
   for_each = local.map_interfaces
 
   device_id = each.value.device_id
-  name      = each.value.data.interface
+  name      = each.value.physicalinterface
 
   depends_on = [
     fmc_devices.device,
@@ -230,5 +233,3 @@ data "fmc_syslog_alerts" "syslog_alert" {
 
   name = each.key
 }
-
-#