Minor fixes for brownfield import (#20)

netascode · Nov 18, 2024 · 5b89f1f · 5b89f1f
1 parent 0223271
commit 5b89f1f
Show file tree

Hide file tree

Showing 6 changed files with 63 additions and 35 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.3 (unreleased)
+
+- Fix update-in-place during import in `ise_user_identity_group`, `ise_endpoint_identity_group` and `network_device_group`
+- Fix update-in-place during `ise_device_admin_condition`, `ise_device_admin_time_and_date_condition` and `ise_device_admin_policy_set`
+- Fix update-in-place during `ise_network_access_condition`, `ise_network_access_time_and_date_condition` and `ise_network_access_policy_set`
+
 ## 0.1.2
 
 - Add `parent_group` attribute to `user_identity_group`

diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml
@@ -4,6 +4,8 @@ defaults:
       licenses:
         status: ENABLED
     network_resources:
+      network_device_groups:
+        description: ""
       network_devices:
         profile_name: Cisco
         ips:
@@ -29,8 +31,12 @@ defaults:
           send_configuration_to_device_using: DISABLE_ALL
           include_when_deploying_sgt_updates: false
     identity_management:
+      endpoint_identity_groups:
+        system_defined: false
+        description: ""
       user_identity_groups:
         parent_group: NAC Group:NAC:IdentityGroups:User Identity Groups
+        description: ""
       internal_users:
         enabled: true
         change_password: true

diff --git a/ise_device_admin.tf b/ise_device_admin.tf
@@ -26,7 +26,7 @@ resource "ise_device_admin_condition" "device_admin_condition" {
   operator         = try(each.value.operator, local.defaults.ise.device_administration.policy_elements.conditions.operator, null)
   description      = try(each.value.description, local.defaults.ise.device_administration.policy_elements.conditions.description, null)
   name             = each.key
-  children = [for c in try(each.value.children, []) : {
+  children = length(try(each.value.children, [])) == 0 ? null : [for c in try(each.value.children, []) : {
     attribute_name   = try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null)
     attribute_value  = try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null)
     dictionary_name  = try(c.dictionary_name, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_name, null)
@@ -36,7 +36,7 @@ resource "ise_device_admin_condition" "device_admin_condition" {
     operator         = try(c.operator, local.defaults.ise.device_administration.policy_elements.conditions.operator, null)
     name             = try(c.name, null)
     id               = try(c.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) == "ConditionReference" ? data.ise_device_admin_condition.device_admin_condition_circular[c.name].id : null
-    children = [for c2 in try(c.children, []) : {
+    children = length(try(c.children, [])) == 0 ? null : [for c2 in try(c.children, []) : {
       attribute_name   = try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null)
       attribute_value  = try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null)
       dictionary_name  = try(c2.dictionary_name, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_name, null)
@@ -173,7 +173,7 @@ locals {
       name                       = ps.name
       service_name               = try(ps.service_name, local.defaults.ise.device_administration.policy_sets.service_name)
       state                      = try(ps.state, local.defaults.ise.device_administration.policy_sets.state)
-      default                    = ps.name == "Default" ? true : null
+      default                    = ps.name == "Default" ? true : false
       rank                       = try(ps.rank, local.defaults.ise.device_administration.policy_sets.rank, null)
       children = try([for i in ps.condition.children : {
         attribute_name   = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null)
@@ -259,7 +259,7 @@ locals {
         policy_set_id              = local.device_admin_policy_set_ids[ps.name]
         name                       = rule.name
         rank                       = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authentication_rules.rank, null)
-        default                    = rule.name == "Default" ? true : null
+        default                    = rule.name == "Default" ? true : false
         state                      = try(rule.state, local.defaults.ise.device_administration.policy_sets.authentication_rules.state, null)
         condition_type             = rule.name == "Default" ? null : try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.type, null)
         condition_id               = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null)
@@ -370,7 +370,7 @@ locals {
         policy_set_id              = local.device_admin_policy_set_ids[ps.name]
         name                       = rule.name
         rank                       = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authorization_rules.rank, null)
-        default                    = rule.name == "Default" ? true : null
+        default                    = rule.name == "Default" ? true : false
         state                      = try(rule.state, local.defaults.ise.device_administration.policy_sets.authorization_rules.state, null)
         condition_type             = rule.name == "Default" ? null : try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null)
         condition_id               = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null)

diff --git a/ise_identity_management.tf b/ise_identity_management.tf
@@ -18,7 +18,7 @@ locals {
   user_identity_groups_children = flatten([for p in try(local.ise.identity_management.user_identity_groups, []) : [
     for c in try(p.children, []) : {
       name        = try(c.name, null)
-      description = try(c.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
+      description = try(c.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
       parent      = "${local.defaults.ise.identity_management.user_identity_groups.parent_group}:${p.name}"
     }
   ]])
@@ -39,7 +39,7 @@ locals {
     for c in try(p.children, []) : [
       for c2 in try(c.children, []) : {
         name        = try(c2.name, null)
-        description = try(c2.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
+        description = try(c2.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
         parent      = "${local.defaults.ise.identity_management.user_identity_groups.parent_group}:${p.name}:${c.name}"
       }
     ]
@@ -62,7 +62,7 @@ locals {
       for c2 in try(c.children, []) : [
         for c3 in try(c2.children, []) : {
           name        = try(c3.name, null)
-          description = try(c3.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
+          description = try(c3.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
           parent      = "${local.defaults.ise.identity_management.user_identity_groups.parent_group}:${p.name}:${c.name}:${c2.name}"
         }
       ]
@@ -87,7 +87,7 @@ locals {
         for c3 in try(c2.children, []) : [
           for c4 in try(c3.children, []) : {
             name        = try(c4.name, null)
-            description = try(c4.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
+            description = try(c4.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
             parent      = "${local.defaults.ise.identity_management.user_identity_groups.parent_group}:${p.name}:${c.name}:${c2.name}:${c3.name}"
           }
         ]
@@ -114,7 +114,7 @@ locals {
           for c4 in try(c3.children, []) : [
             for c5 in try(c4.children, []) : {
               name        = try(c5.name, null)
-              description = try(c5.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
+              description = try(c5.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
               parent      = "${local.defaults.ise.identity_management.user_identity_groups.parent_group}:${p.name}:${c.name}:${c2.name}:${c3.name}:${c4.name}"
             }
           ]
@@ -180,14 +180,17 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_0" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(data.ise_endpoint_identity_group.endpoint_identity_group[each.value.parent_group].id, null)
   description                       = try(each.value.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+  system_defined                    = try(each.value.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
 }
 
 locals {
   endpoint_identity_groups_children = flatten([for p in try(local.ise.identity_management.endpoint_identity_groups, []) : [
     for c in try(p.children, []) : {
-      name        = try(c.name, null)
-      description = try(c.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
-      parent      = try(p.name, null)
+      name           = try(c.name, null)
+      description    = try(c.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+      system_defined = try(c.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
+
+      parent = try(p.name, null)
     }
   ]])
 }
@@ -198,6 +201,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_1" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(ise_endpoint_identity_group.endpoint_identity_group_0[each.value.parent].id, null)
   description                       = each.value.description
+  system_defined                    = each.value.system_defined
 
   depends_on = [ise_endpoint_identity_group.endpoint_identity_group_0]
 }
@@ -206,9 +210,10 @@ locals {
   endpoint_identity_groups_children_children = flatten([for p in try(local.ise.identity_management.endpoint_identity_groups, []) : [
     for c in try(p.children, []) : [
       for c2 in try(c.children, []) : {
-        name        = try(c2.name, null)
-        description = try(c2.description, local.defaults.ise.identity_management.endpoint_identity_groups.children.description, null)
-        parent      = try(c.name, null)
+        name           = try(c2.name, null)
+        description    = try(c2.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+        system_defined = try(c2.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
+        parent         = try(c.name, null)
       }
     ]
   ]])
@@ -220,6 +225,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_2" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(ise_endpoint_identity_group.endpoint_identity_group_1[each.value.parent].id, null)
   description                       = each.value.description
+  system_defined                    = each.value.system_defined
 
   depends_on = [ise_endpoint_identity_group.endpoint_identity_group_1]
 }
@@ -229,9 +235,10 @@ locals {
     for c in try(p.children, []) : [
       for c2 in try(c.children, []) : [
         for c3 in try(c2.children, []) : {
-          name        = try(c3.name, null)
-          description = try(c3.description, local.defaults.ise.identity_management.endpoint_identity_groups.children.description, null)
-          parent      = try(c2.name, null)
+          name           = try(c3.name, null)
+          description    = try(c3.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+          system_defined = try(c3.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
+          parent         = try(c2.name, null)
         }
       ]
     ]
@@ -244,6 +251,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_3" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(ise_endpoint_identity_group.endpoint_identity_group_2[each.value.parent].id, null)
   description                       = each.value.description
+  system_defined                    = each.value.system_defined
 
   depends_on = [ise_endpoint_identity_group.endpoint_identity_group_2]
 }
@@ -254,9 +262,10 @@ locals {
       for c2 in try(c.children, []) : [
         for c3 in try(c2.children, []) : [
           for c4 in try(c3.children, []) : {
-            name        = try(c4.name, null)
-            description = try(c4.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
-            parent      = try(c3.name, null)
+            name           = try(c4.name, null)
+            description    = try(c4.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+            system_defined = try(c4.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
+            parent         = try(c3.name, null)
           }
         ]
       ]
@@ -270,6 +279,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_4" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(ise_endpoint_identity_group.endpoint_identity_group_3[each.value.parent].id, null)
   description                       = each.value.description
+  system_defined                    = each.value.system_defined
 
   depends_on = [ise_endpoint_identity_group.endpoint_identity_group_3]
 }
@@ -281,9 +291,11 @@ locals {
         for c3 in try(c2.children, []) : [
           for c4 in try(c3.children, []) : [
             for c5 in try(c4.children, []) : {
-              name        = try(c5.name, null)
-              description = try(c5.description, local.defaults.ise.identity_management.user_identity_groups.children.description, null)
-              parent      = try(c4.name, null)
+              name           = try(c5.name, null)
+              description    = try(c5.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
+              parent         = try(c4.name, null)
+              system_defined = try(c5.system_defined, local.defaults.ise.identity_management.endpoint_identity_groups.system_defined, null)
+
             }
           ]
         ]
@@ -298,6 +310,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group_5" {
   name                              = each.key
   parent_endpoint_identity_group_id = try(ise_endpoint_identity_group.endpoint_identity_group_4[each.value.parent].id, null)
   description                       = each.value.description
+  system_defined                    = each.value.system_defined
 
   depends_on = [ise_endpoint_identity_group.endpoint_identity_group_4]
 }