Skip to content

Commit

Permalink
fix managing Default policy_sets and rules
Browse files Browse the repository at this point in the history
  • Loading branch information
kuba-mazurkiewicz committed Oct 22, 2024
1 parent e746f55 commit 2d54975
Show file tree
Hide file tree
Showing 3 changed files with 107 additions and 14 deletions.
6 changes: 6 additions & 0 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -73,15 +73,18 @@ module "ise" {
| [ise_allowed_protocols_tacacs.allowed_protocols_tacacs](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols_tacacs) | resource |
| [ise_authorization_profile.authorization_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/authorization_profile) | resource |
| [ise_certificate_authentication_profile.certificate_authentication_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/certificate_authentication_profile) | resource |
| [ise_device_admin_authentication_rule.default_device_admin_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
| [ise_device_admin_authentication_rule.device_admin_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
| [ise_device_admin_authentication_rule_update_rank.device_admin_authentication_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule_update_rank) | resource |
| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
| [ise_device_admin_authorization_exception_rule_update_rank.device_admin_authorization_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule_update_rank) | resource |
| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
| [ise_device_admin_authorization_global_exception_rule_update_rank.device_admin_authorization_global_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule_update_rank) | resource |
| [ise_device_admin_authorization_rule.default_device_admin_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
| [ise_device_admin_authorization_rule.device_admin_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
| [ise_device_admin_authorization_rule_update_rank.device_admin_authorization_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule_update_rank) | resource |
| [ise_device_admin_condition.device_admin_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_condition) | resource |
| [ise_device_admin_policy_set.default_device_admin_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
| [ise_device_admin_policy_set.device_admin_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
| [ise_device_admin_policy_set_update_rank.device_admin_policy_set_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set_update_rank) | resource |
| [ise_device_admin_time_and_date_condition.device_admin_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_time_and_date_condition) | resource |
Expand All @@ -91,16 +94,19 @@ module "ise" {
| [ise_identity_source_sequence.identity_source_sequences](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/identity_source_sequence) | resource |
| [ise_internal_user.internal_user](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/internal_user) | resource |
| [ise_license_tier_state.license_tier_state](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/license_tier_state) | resource |
| [ise_network_access_authentication_rule.default_network_access_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule) | resource |
| [ise_network_access_authentication_rule.network_access_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule) | resource |
| [ise_network_access_authentication_rule_update_rank.network_access_authentication_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule_update_rank) | resource |
| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
| [ise_network_access_authorization_exception_rule_update_rank.network_access_authorization_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule_update_rank) | resource |
| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
| [ise_network_access_authorization_global_exception_rule_update_rank.network_access_authorization_global_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule_update_rank) | resource |
| [ise_network_access_authorization_rule.default_network_access_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource |
| [ise_network_access_authorization_rule.network_access_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource |
| [ise_network_access_authorization_rule_update_rank.network_access_authorization_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule_update_rank) | resource |
| [ise_network_access_condition.network_access_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_condition) | resource |
| [ise_network_access_dictionary.network_access_dictionary](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_dictionary) | resource |
| [ise_network_access_policy_set.default_network_access_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource |
| [ise_network_access_policy_set.network_access_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource |
| [ise_network_access_policy_set_update_rank.network_access_policy_set_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set_update_rank) | resource |
| [ise_network_access_time_and_date_condition.network_access_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_time_and_date_condition) | resource |
Expand Down
58 changes: 51 additions & 7 deletions ise_device_admin.tf
Original file line number Diff line number Diff line change
Expand Up @@ -206,7 +206,7 @@ locals {
}

resource "ise_device_admin_policy_set" "device_admin_policy_set" {
for_each = { for ps in local.device_admin_policy_sets : ps.name => ps }
for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.name != "Default" }

condition_type = each.value.condition_type
condition_is_negate = each.value.condition_is_negate
Expand All @@ -226,15 +226,31 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set" {
depends_on = [ise_allowed_protocols_tacacs.allowed_protocols_tacacs, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_device_admin_policy_set" "default_device_admin_policy_set" {
for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.name == "Default" }

is_proxy = each.value.is_proxy
name = each.value.name
service_name = each.value.service_name
state = each.value.state
default = true

depends_on = [ise_device_admin_policy_set.device_admin_policy_set]
}

resource "ise_device_admin_policy_set_update_rank" "device_admin_policy_set_update_rank" {
for_each = { for ps in local.device_admin_policy_sets_with_ranks : ps.name => ps }
for_each = { for ps in local.device_admin_policy_sets_with_ranks : ps.name => ps if ps.name != "Default" }

policy_set_id = ise_device_admin_policy_set.device_admin_policy_set[each.key].id
rank = each.value.generated_rank
}

locals {
device_admin_policy_set_ids = { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set[ps.name].id }
device_admin_policy_set_ids = merge(
{ for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set[ps.name].id if ps.name != "Default" },
{ for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.default_device_admin_policy_set[ps.name].id if ps.name == "Default" }
)


device_admin_authentication_rules = flatten([
for ps in try(local.ise.device_administration.policy_sets, []) : [
Expand Down Expand Up @@ -289,7 +305,7 @@ locals {
}

resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule" {
for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule }
for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
name = each.value.name
Expand All @@ -311,8 +327,23 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_device_admin_authentication_rule" "default_device_admin_authentication_rule" {
for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.name == "Default" }

name = each.value.name
state = each.value.state
policy_set_id = each.value.policy_set_id
default = true
identity_source_name = each.value.identity_source_name
if_auth_fail = each.value.if_auth_fail
if_process_fail = each.value.if_process_fail
if_user_not_found = each.value.if_user_not_found

depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule]
}

resource "ise_device_admin_authentication_rule_update_rank" "device_admin_authentication_rule_update_rank" {
for_each = { for rule in local.device_admin_authentication_rules_with_ranks : rule.key => rule }
for_each = { for rule in local.device_admin_authentication_rules_with_ranks : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
rule_id = ise_device_admin_authentication_rule.device_admin_authentication_rule[each.value.key].id
Expand Down Expand Up @@ -383,7 +414,7 @@ locals {
}

resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule" {
for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule }
for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
name = each.value.name
Expand All @@ -403,8 +434,21 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule"
depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_device_admin_authorization_rule" "default_device_admin_authorization_rule" {
for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.name == "Default" }

name = each.value.name
state = each.value.state
policy_set_id = each.value.policy_set_id
default = true
profile = each.value.profile
command_sets = each.value.command_sets

depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule]
}

resource "ise_device_admin_authorization_rule_update_rank" "device_admin_authorization_rule_update_rank" {
for_each = { for rule in local.device_admin_authorization_rules_with_ranks : rule.key => rule }
for_each = { for rule in local.device_admin_authorization_rules_with_ranks : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
rule_id = ise_device_admin_authorization_rule.device_admin_authorization_rule[each.value.key].id
Expand Down
57 changes: 50 additions & 7 deletions ise_network_access.tf
Original file line number Diff line number Diff line change
Expand Up @@ -319,7 +319,7 @@ locals {
}

resource "ise_network_access_policy_set" "network_access_policy_set" {
for_each = { for ps in local.network_access_policy_sets : ps.name => ps }
for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.name != "Default" }

condition_type = each.value.condition_type
condition_is_negate = each.value.condition_is_negate
Expand All @@ -339,15 +339,30 @@ resource "ise_network_access_policy_set" "network_access_policy_set" {
depends_on = [ise_authorization_profile.authorization_profile, ise_allowed_protocols.allowed_protocols, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_network_access_policy_set" "default_network_access_policy_set" {
for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.name == "Default" }

is_proxy = each.value.is_proxy
name = each.value.name
service_name = each.value.service_name
state = each.value.state
default = true

depends_on = [ise_network_access_policy_set.network_access_policy_set]
}

resource "ise_network_access_policy_set_update_rank" "network_access_policy_set_update_rank" {
for_each = { for ps in local.network_access_policy_sets_with_ranks : ps.name => ps }
for_each = { for ps in local.network_access_policy_sets_with_ranks : ps.name => ps if ps.name != "Default" }

policy_set_id = ise_network_access_policy_set.network_access_policy_set[each.key].id
rank = each.value.generated_rank
}

locals {
network_access_policy_set_ids = { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set[ps.name].id }
network_access_policy_set_ids = merge(
{ for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set[ps.name].id if ps.name != "Default" },
{ for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.default_network_access_policy_set[ps.name].id if ps.name == "Default" }
)

network_access_authentication_rules = flatten([
for ps in try(local.ise.network_access.policy_sets, []) : [
Expand Down Expand Up @@ -402,7 +417,7 @@ locals {
}

resource "ise_network_access_authentication_rule" "network_access_authentication_rule" {
for_each = { for rule in local.network_access_authentication_rules : rule.key => rule }
for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
name = each.value.name
Expand All @@ -424,8 +439,23 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_network_access_authentication_rule" "default_network_access_authentication_rule" {
for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.name == "Default" }

name = each.value.name
state = each.value.state
policy_set_id = each.value.policy_set_id
default = true
identity_source_name = each.value.identity_source_name
if_auth_fail = each.value.if_auth_fail
if_process_fail = each.value.if_process_fail
if_user_not_found = each.value.if_user_not_found

depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule]
}

resource "ise_network_access_authentication_rule_update_rank" "network_access_authentication_rule_update_rank" {
for_each = { for rule in local.network_access_authentication_rules_with_ranks : rule.key => rule }
for_each = { for rule in local.network_access_authentication_rules_with_ranks : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
rule_id = ise_network_access_authentication_rule.network_access_authentication_rule[each.value.key].id
Expand Down Expand Up @@ -484,7 +514,7 @@ locals {
}

resource "ise_network_access_authorization_rule" "network_access_authorization_rule" {
for_each = { for rule in local.network_access_authorization_rules : rule.key => rule }
for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
name = each.value.name
Expand All @@ -504,8 +534,21 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}

resource "ise_network_access_authorization_rule" "default_network_access_authorization_rule" {
for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.name == "Default" }

name = each.value.name
state = each.value.state
policy_set_id = each.value.policy_set_id
default = true
profiles = each.value.profiles
security_group = each.value.security_group

depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule]
}

resource "ise_network_access_authorization_rule_update_rank" "network_access_authorization_rule_update_rank" {
for_each = { for rule in local.network_access_authorization_rules_with_ranks : rule.key => rule }
for_each = { for rule in local.network_access_authorization_rules_with_ranks : rule.key => rule if rule.name != "Default" }

policy_set_id = each.value.policy_set_id
rule_id = ise_network_access_authorization_rule.network_access_authorization_rule[each.value.key].id
Expand Down

0 comments on commit 2d54975

Please sign in to comment.