fix - networkgroup description missing, double apply

netascode · Apr 28, 2024 · cf54e9b · cf54e9b
1 parent 7d205ad
commit cf54e9b
Show file tree

Hide file tree

Showing 13 changed files with 13,177 additions and 2,176 deletions.
diff --git a/README.md b/README.md
@@ -311,7 +311,8 @@ module "fmc" {
 | [fmc_network_group_objects.networkgroup_l4](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/network_group_objects) | resource |
 | [fmc_network_group_objects.networkgroup_l5](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/network_group_objects) | resource |
 | [fmc_network_objects.network](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/network_objects) | resource |
-| [fmc_policy_devices_assignments.policy_assignment](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/policy_devices_assignments) | resource |
+| [fmc_policy_devices_assignments.access_policy_assignment](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/policy_devices_assignments) | resource |
+| [fmc_policy_devices_assignments.nat_policy_assignment](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/policy_devices_assignments) | resource |
 | [fmc_port_group_objects.portgroup](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/port_group_objects) | resource |
 | [fmc_port_objects.port](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/port_objects) | resource |
 | [fmc_prefilter_policy.prefilterpolicy](https://registry.terraform.io/providers/CiscoDevNet/fmc/latest/docs/resources/prefilter_policy) | resource |

diff --git a/fmc_access_rules.tf b/fmc_access_rules.tf
diff --git a/fmc_deploy.tf b/fmc_deploy.tf
@@ -12,7 +12,6 @@ locals {
     ]
   ])
 }
-
 resource "fmc_ftd_deploy" "ftd" {
   for_each = { for deploymemt in local.res_deploy : deploymemt.device => deploymemt }
   # Mandatory  
@@ -34,7 +33,8 @@ resource "fmc_ftd_deploy" "ftd" {
     fmc_icmpv4_objects.icmpv4,
     fmc_ips_policies.ips_policy,
     fmc_network_objects.network,
-    fmc_policy_devices_assignments.policy_assignment,
+    fmc_policy_devices_assignments.nat_policy_assignment,
+    fmc_policy_devices_assignments.access_policy_assignment,
     fmc_port_objects.port,
     fmc_prefilter_policy.prefilterpolicy,
     fmc_range_objects.range,

diff --git a/fmc_devices.tf b/fmc_devices.tf
@@ -129,6 +129,11 @@ resource "fmc_device_physical_interfaces" "physical_interface" {
   depends_on = [
     data.fmc_device_physical_interfaces.physical_interface
   ]
+  lifecycle {
+    ignore_changes = [
+      physical_interface_id
+    ]
+  }
 }
 
 ###
@@ -192,7 +197,7 @@ locals {
           gateway_id        = local.map_networkobjects[ipv4staticroute.gateway].id
           gateway_type      = local.map_networkobjects[ipv4staticroute.gateway].type
           gateway_name      = ipv4staticroute.gateway
-          interface_name    = ipv4staticroute.interface
+          interface_name    = try(local.map_ipv4_static_route_interfaces[domain.name][device.name][ipv4staticroute.interface], null)
           selected_networks = ipv4staticroute.selected_networks
         }
       ]
@@ -233,45 +238,69 @@ resource "fmc_staticIPv4_route" "ipv4staticroute" {
     fmc_device_subinterfaces.sub_interfaces,
     data.fmc_device_subinterfaces.sub_interfaces
   ]
+
 }
 
 ###
 # POLICY ASSIGNMENT
 ###
 locals {
-  res_policyassignments = concat(
-    flatten([
-      for domain in local.domains : [
-        for device in try(domain.devices, []) : {
-          device = device.name
-          policy = device.nat_policy
-          type   = "NAT"
-        } if contains(keys(device), "nat_policy")
-      ]
-    ]),
-    flatten([
-      for domain in local.domains : [
-        for device in try(domain.devices, []) : {
-          device = device.name
-          policy = device.access_policy
-          type   = "ACP"
-        } if(contains(keys(device), "access_policy") && contains(local.data_devices, device.name))
-      ]
-    ])
-  )
+  res_natpolicyassignments = flatten([
+    for nat_policy in local.res_ftdnatpolicies : {
+      "name" = nat_policy.name
+      "objects" = compact(flatten([
+        for domain in local.domains : [
+          for device in try(domain.devices, []) : contains(keys(device), "nat_policy") && device.nat_policy == nat_policy.name ? device.name : null
+        ]
+      ]))
+    }
+  ])
+
+  res_acppolicyassignments = flatten([
+    for acp_policy in local.res_accesspolicies : {
+      "name" = acp_policy.name
+      "objects" = compact(flatten([
+        for domain in local.domains : [
+          for device in try(domain.devices, []) : contains(keys(device), "access_policy") && device.access_policy == acp_policy.name && contains(local.data_devices, device.name) ? device.name : null
+        ]
+      ]))
+    }
+  ])
+
 }
 
-resource "fmc_policy_devices_assignments" "policy_assignment" {
-  for_each = { for policyassignment in local.res_policyassignments : "${policyassignment.device}/${policyassignment.type}" => policyassignment }
+resource "fmc_policy_devices_assignments" "nat_policy_assignment" {
+  for_each = { for nat in local.res_natpolicyassignments : nat.name => nat if length(nat.objects) > 0 }
 
   # Mandatory
-  target_devices {
-    id   = local.map_devices[each.value.device].id
-    type = local.map_devices[each.value.device].type
+  dynamic "target_devices" {
+    for_each = { for device in each.value.objects : device => device }
+    content {
+      id   = try(local.map_devices[target_devices.value].id, null)
+      type = try(local.map_devices[target_devices.value].type, null)
+    }
+  }
+  policy {
+    id   = try(local.map_natpolicies[each.value.name].id, null)
+    type = try(local.map_natpolicies[each.value.name].type, null)
+  }
+}
+
+resource "fmc_policy_devices_assignments" "access_policy_assignment" {
+  for_each = { for acp in local.res_acppolicyassignments : acp.name => acp if length(acp.objects) > 0 }
+
+
+  # Mandatory
+  dynamic "target_devices" {
+    for_each = { for device in each.value.objects : device => device }
+    content {
+      id   = try(local.map_devices[target_devices.value].id, null)
+      type = try(local.map_devices[target_devices.value].type, null)
+    }
   }
 
   policy {
-    id   = try(local.map_accesspolicies[each.value.policy].id, local.map_natpolicies[each.value.policy].id)
-    type = try(local.map_accesspolicies[each.value.policy].type, local.map_natpolicies[each.value.policy].type)
+    id   = try(local.map_accesspolicies[each.value.name].id, null)
+    type = try(local.map_accesspolicies[each.value.name].type, null)
   }
 }
diff --git a/fmc_objects.tf b/fmc_objects.tf
@@ -255,6 +255,8 @@ resource "fmc_network_group_objects" "networkgroup_l1" {
       type  = can(regex("/", literals.value)) ? "Network" : "Host"
     }
   }
+  # Optional
+  description = try(each.value.description, local.defaults.fmc.domains.objects.networkgroups.description, null)
 
   lifecycle {
     create_before_destroy = false
@@ -284,12 +286,17 @@ resource "fmc_network_group_objects" "networkgroup_l2" {
       type  = can(regex("/", literals.value)) ? "Network" : "Host"
     }
   }
-  lifecycle {
-    create_before_destroy = false
-  }
+  # Optional
+  description = try(each.value.description, local.defaults.fmc.domains.objects.networkgroups.description, null)
   depends_on = [
     fmc_network_group_objects.networkgroup_l1
   ]
+  lifecycle {
+    create_before_destroy = false
+    replace_triggered_by = [
+      fmc_network_group_objects.networkgroup_l1
+    ]
+  }
 }
 
 resource "fmc_network_group_objects" "networkgroup_l3" {
@@ -314,13 +321,20 @@ resource "fmc_network_group_objects" "networkgroup_l3" {
       type  = can(regex("/", literals.value)) ? "Network" : "Host"
     }
   }
-  lifecycle {
-    create_before_destroy = false
-  }
+
+  # Optional
+  description = try(each.value.description, local.defaults.fmc.domains.objects.networkgroups.description, null)
   depends_on = [
     fmc_network_group_objects.networkgroup_l1,
     fmc_network_group_objects.networkgroup_l2
   ]
+  lifecycle {
+    create_before_destroy = false
+    replace_triggered_by = [
+      fmc_network_group_objects.networkgroup_l1,
+      fmc_network_group_objects.networkgroup_l2
+    ]
+  }
 }
 
 resource "fmc_network_group_objects" "networkgroup_l4" {
@@ -345,14 +359,22 @@ resource "fmc_network_group_objects" "networkgroup_l4" {
       type  = can(regex("/", literals.value)) ? "Network" : "Host"
     }
   }
-  lifecycle {
-    create_before_destroy = false
-  }
+
+  # Optional
+  description = try(each.value.description, local.defaults.fmc.domains.objects.networkgroups.description, null)
   depends_on = [
     fmc_network_group_objects.networkgroup_l1,
     fmc_network_group_objects.networkgroup_l2,
     fmc_network_group_objects.networkgroup_l3
   ]
+  lifecycle {
+    create_before_destroy = false
+    replace_triggered_by = [
+      fmc_network_group_objects.networkgroup_l1,
+      fmc_network_group_objects.networkgroup_l2,
+      fmc_network_group_objects.networkgroup_l3
+    ]
+  }
 }
 
 resource "fmc_network_group_objects" "networkgroup_l5" {
@@ -377,15 +399,24 @@ resource "fmc_network_group_objects" "networkgroup_l5" {
       type  = can(regex("/", literals.value)) ? "Network" : "Host"
     }
   }
-  lifecycle {
-    create_before_destroy = false
-  }
+
+  # Optional
+  description = try(each.value.description, local.defaults.fmc.domains.objects.networkgroups.description, null)
   depends_on = [
     fmc_network_group_objects.networkgroup_l1,
     fmc_network_group_objects.networkgroup_l2,
     fmc_network_group_objects.networkgroup_l3,
     fmc_network_group_objects.networkgroup_l4
   ]
+  lifecycle {
+    create_before_destroy = false
+    replace_triggered_by = [
+      fmc_network_group_objects.networkgroup_l1,
+      fmc_network_group_objects.networkgroup_l2,
+      fmc_network_group_objects.networkgroup_l3,
+      fmc_network_group_objects.networkgroup_l4
+    ]
+  }
 }
 
 ###

diff --git a/fmc_policies.tf b/fmc_policies.tf
@@ -31,7 +31,7 @@ resource "fmc_access_policies" "accesspolicy" {
 locals {
   res_accesspolicies_category = flatten([
     for domain in local.domains : [
-      for accesspolicy in try(domain.access_policies, {}) : [
+      for accesspolicy in try(domain.access_policies, []) : [
         for accesspolicy_category in try(accesspolicy.categories, {}) : {
           key  = "${accesspolicy.name}/${accesspolicy_category}"
           acp  = local.map_accesspolicies[accesspolicy.name].id
@@ -105,7 +105,7 @@ resource "fmc_ftd_nat_policies" "ftdnatpolicy" {
 locals {
   res_ftdautonatrules = flatten([
     for domain in local.domains : [
-      for natpolicy in try(domain.ftd_nat_policies, {}) : [
+      for natpolicy in try(domain.ftd_nat_policies, []) : [
         for ftdautonatrule in try(natpolicy.ftd_auto_nat_rules, {}) : {
           key        = "${natpolicy.name}/${ftdautonatrule.name}"
           nat_policy = local.map_natpolicies[natpolicy.name].id
@@ -159,7 +159,7 @@ resource "fmc_ftd_autonat_rules" "ftdautonatrule" {
   }
 
   dynamic "pat_options" {
-    for_each = can(each.value.data.pat_options) ? ["1"] : []
+    for_each = try(length(each.value.data.pat_options), 0) != 0 ? ["1"] : []
     content {
       extended_pat_table    = try(each.value.data.pat_options.extended_pat_table, null)
       include_reserve_ports = try(each.value.data.pat_options.include_reserve_ports, null)