From 91a2fe2b7b3c1233430b00c3925c9dbc971c0347 Mon Sep 17 00:00:00 2001
From: kuba-mazurkiewicz
Date: Thu, 17 Oct 2024 00:05:10 +0200
Subject: [PATCH] Modify update rank on device admin and network access resources

---
CHANGELOG.md | 2 +-
README.md | 198 +---
ise_device_admin.tf | 2444 ++++-------------------------------------
ise_network_access.tf | 1992 ++++-----------------------------
4 files changed, 427 insertions(+), 4209 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2517b71..0627e0e 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,6 @@
 ## 0.1.2 (unreleased)
-- Modify network_access_authentication_rules update rank
+- Modify update rank on device admin and network access resources
 - Fix active directory group optional
 - Added endpoints resource support
 - Added support for default user identity groups assignment under internal users
diff --git a/README.md b/README.md
index d733ae4..1daf1f5 100644
--- a/README.md
+++ b/README.md
@@ -73,107 +73,17 @@ module "ise" {
 | [ise_allowed_protocols_tacacs.allowed_protocols_tacacs](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols_tacacs) | resource |
 | [ise_authorization_profile.authorization_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/authorization_profile) | resource |
 | [ise_certificate_authentication_profile.certificate_authentication_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/certificate_authentication_profile) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authentication_rule.device_admin_authentication_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
-| [ise_device_admin_authorization_rule.device_admin_authorization_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
+| [ise_device_admin_authentication_rule.device_admin_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule) | resource |
+| [ise_device_admin_authentication_rule_update_rank.device_admin_authentication_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authentication_rule_update_rank) | resource |
+| [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule) | resource |
+| [ise_device_admin_authorization_exception_rule_update_rank.device_admin_authorization_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_exception_rule_update_rank) | resource |
+| [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule) | resource |
+| [ise_device_admin_authorization_global_exception_rule_update_rank.device_admin_authorization_global_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_global_exception_rule_update_rank) | resource |
+| [ise_device_admin_authorization_rule.device_admin_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule) | resource |
+| [ise_device_admin_authorization_rule_update_rank.device_admin_authorization_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_authorization_rule_update_rank) | resource |
 | [ise_device_admin_condition.device_admin_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_condition) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
-| [ise_device_admin_policy_set.device_admin_policy_set_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
+| [ise_device_admin_policy_set.device_admin_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
+| [ise_device_admin_policy_set_update_rank.device_admin_policy_set_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set_update_rank) | resource |
 | [ise_device_admin_time_and_date_condition.device_admin_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_time_and_date_condition) | resource |
 | [ise_downloadable_acl.downloadable_acl](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/downloadable_acl) | resource |
 | [ise_endpoint.endpoint](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/endpoint) | resource |
@@ -183,88 +93,16 @@ module "ise" {
 | [ise_license_tier_state.license_tier_state](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/license_tier_state) | resource |
 | [ise_network_access_authentication_rule.network_access_authentication_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule) | resource |
 | [ise_network_access_authentication_rule_update_rank.network_access_authentication_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule_update_rank) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource |
-| [ise_network_access_authorization_rule.network_access_authorization_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource |
-| [ise_network_access_authorization_rule.network_access_authorization_rule_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource |
-| [ise_network_access_authorization_rule.network_access_authorization_rule_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource |
-| 
[ise_network_access_authorization_rule.network_access_authorization_rule_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| 
[ise_network_access_authorization_rule.network_access_authorization_rule_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | -| [ise_network_access_authorization_rule.network_access_authorization_rule_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | +| [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule) | resource | +| 
[ise_network_access_authorization_exception_rule_update_rank.network_access_authorization_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_exception_rule_update_rank) | resource | +| [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule) | resource | +| [ise_network_access_authorization_global_exception_rule_update_rank.network_access_authorization_global_exception_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_global_exception_rule_update_rank) | resource | +| [ise_network_access_authorization_rule.network_access_authorization_rule](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule) | resource | +| [ise_network_access_authorization_rule_update_rank.network_access_authorization_rule_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authorization_rule_update_rank) | resource | | [ise_network_access_condition.network_access_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_condition) | resource | | [ise_network_access_dictionary.network_access_dictionary](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_dictionary) | resource | -| [ise_network_access_policy_set.network_access_policy_set_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_1](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| 
[ise_network_access_policy_set.network_access_policy_set_10](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_11](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_12](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_13](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_14](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_15](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_16](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_17](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_18](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_19](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_2](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | 
-| [ise_network_access_policy_set.network_access_policy_set_3](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_4](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_5](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_6](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_7](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_8](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | -| [ise_network_access_policy_set.network_access_policy_set_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | +| [ise_network_access_policy_set.network_access_policy_set](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set) | resource | +| [ise_network_access_policy_set_update_rank.network_access_policy_set_update_rank](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_policy_set_update_rank) | resource | | [ise_network_access_time_and_date_condition.network_access_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_time_and_date_condition) | resource | | 
[ise_network_device.network_device](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_device) | resource | | [ise_network_device_group.network_device_group_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_device_group) | resource | diff --git a/ise_device_admin.tf b/ise_device_admin.tf index e264ae3..4c30c73 100644 --- a/ise_device_admin.tf +++ b/ise_device_admin.tf 
@@ -197,296 +197,16 @@ locals { }], null) } ] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_0" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if(ps.rank == 0 || ps.rank == null) } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_allowed_protocols_tacacs.allowed_protocols_tacacs, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_1" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 1 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_0, ise_network_device_group.network_device_group_5, 
ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_2" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 2 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_3" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 3 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" 
"device_admin_policy_set_4" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 4 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_5" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 5 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_6" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if 
ps.rank == 6 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_5, ise_active_directory_add_groups.active_directory_groups] -} -resource "ise_device_admin_policy_set" "device_admin_policy_set_7" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 7 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_8" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 8 } - - condition_type = each.value.condition_type - condition_is_negate = 
each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_9" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 9 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_10" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 10 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - 
condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_11" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 11 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_12" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 12 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = 
each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_11, ise_active_directory_add_groups.active_directory_groups] + device_admin_policy_sets_with_ranks = [ + for idx, ps in local.device_admin_policy_sets : merge(ps, { + generated_rank = idx + }) + ] } -resource "ise_device_admin_policy_set" "device_admin_policy_set_13" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 13 } +resource "ise_device_admin_policy_set" "device_admin_policy_set" { + for_each = { for ps in local.device_admin_policy_sets : ps.name => ps } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
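Review bot: `generated_rank = idx` in the new `device_admin_policy_sets_with_ranks` local derives rank purely from list position and ignores the `rank` each entry carries, which the removed per-rank `for_each` filters (`ps.rank == 0 || ps.rank == null`, `ps.rank == 1`, …) used to honour, so any existing input that sets `rank` explicitly is now silently reordered by its position in the input list. Because ISE evaluates policy sets in rank order with first match winning (as I understand it), such a silent reorder can put a broader policy set ahead of a narrower one, so this should either fail loudly when `rank` is set or fall back to it, e.g. `generated_rank = coalesce(ps.rank, idx)` (and reject inputs that mix explicit and implicit ranks, since they can collide). If dropping `rank` is intentional, the CHANGELOG entry should state that list order is now authoritative and that the `rank` attribute is ignored. The `locals` block this hunk edits starts above the hunk; note also that the `update_rank` resource consuming `generated_rank` (next hunk) has no ordering between its instances, whereas the old code serialised ranks through `depends_on` chains — worth confirming the provider's rank update is order-independent under parallel apply.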
@@ -501,167 +221,21 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_13" { service_name = each.value.service_name state = each.value.state default = each.value.default - rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_12, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_allowed_protocols_tacacs.allowed_protocols_tacacs, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_device_admin_policy_set" "device_admin_policy_set_14" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 14 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children +resource "ise_device_admin_policy_set_update_rank" "device_admin_policy_set_update_rank" { + for_each = { for ps in local.device_admin_policy_sets_with_ranks : ps.name => ps } - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_13, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = ise_device_admin_policy_set.device_admin_policy_set[each.key].id + rank = each.value.generated_rank } -resource "ise_device_admin_policy_set" "device_admin_policy_set_15" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 15 } +locals { + device_admin_policy_set_ids = { for ps 
in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set[ps.name].id } - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_14, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_16" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 16 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_15, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_17" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 
17 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_16, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_18" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 18 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_17, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_policy_set" "device_admin_policy_set_19" { - for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 19 } - - condition_type = each.value.condition_type - condition_is_negate = 
each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_device_admin_policy_set.device_admin_policy_set_18, ise_active_directory_add_groups.active_directory_groups]
-}
-
-locals {
- device_admin_policy_set_ids = merge(
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_1[ps.name].id if ps.rank == 1 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_2[ps.name].id if ps.rank == 2 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_3[ps.name].id if ps.rank == 3 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_4[ps.name].id if ps.rank == 4 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_5[ps.name].id if ps.rank == 5 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_6[ps.name].id if ps.rank == 6 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_7[ps.name].id if ps.rank == 7 },
- { for ps in local.device_admin_policy_sets : ps.name =>
ise_device_admin_policy_set.device_admin_policy_set_8[ps.name].id if ps.rank == 8 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_9[ps.name].id if ps.rank == 9 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_10[ps.name].id if ps.rank == 10 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_11[ps.name].id if ps.rank == 11 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_12[ps.name].id if ps.rank == 12 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_13[ps.name].id if ps.rank == 13 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_14[ps.name].id if ps.rank == 14 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_15[ps.name].id if ps.rank == 15 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_16[ps.name].id if ps.rank == 16 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_17[ps.name].id if ps.rank == 17 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_18[ps.name].id if ps.rank == 18 },
- { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_19[ps.name].id if ps.rank == 19 },
- ) device_admin_authentication_rules = flatten([ for ps in try(local.ise.device_administration.policy_sets, []) : [ for rule in try(ps.authentication_rules, []) : {
@@ -703,1657 +277,23 @@ locals { id = contains(local.known_conditions_device_admin, try(j.name, "")) ? ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) }], null) }], null)
- }
- ]
- ])
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_0" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_1" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 1 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value =
each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_0, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_2" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 2 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_1, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_3" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 3 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state =
each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_2, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_4" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 4 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_3, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_5"
{
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 5 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_4, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_6" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 6 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children =
each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_5, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_7" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 7 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_6, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_8" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 8 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
-
condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_7, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_9" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 9 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_8, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_10" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 10 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
-
condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_9, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_11" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 11 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_10, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_12" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank
== 12 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_11, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_13" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 13 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_12,
ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_14" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 14 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_13, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_15" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 15 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
-
if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_14, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_16" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 16 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_15, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_17" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 17 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name =
each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_16, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_18" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 18 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_17, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_19" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 19 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
-
rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- identity_source_name = each.value.identity_source_name
- if_auth_fail = each.value.if_auth_fail
- if_process_fail = each.value.if_process_fail
- if_user_not_found = each.value.if_user_not_found
- children = each.value.children
-
- depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_18, ise_active_directory_add_groups.active_directory_groups]
-}
-
-# Workaround for ISE API issue where deleting a TACACS profile or command set immediately after deleting an object using it fails
-resource "time_sleep" "device_admin_policy_object_wait" {
- count = (length(try(local.ise.device_administration.policy_elements.tacacs_profiles, [])) > 0 || length(try(local.ise.device_administration.policy_elements.tacacs_command_sets, [])) > 0) ? 1 : 0
-
- destroy_duration = "5s"
-
- depends_on = [
- ise_tacacs_profile.tacacs_profile,
- ise_tacacs_command_set.tacacs_command_set,
- ]
-}
-
-locals {
- device_admin_authorization_rules = flatten([
- for ps in try(local.ise.device_administration.policy_sets, []) : [
- for rule in try(ps.authorization_rules, []) : {
- key = format("%s/%s", ps.name, rule.name)
- policy_set_id = local.device_admin_policy_set_ids[ps.name]
- name = rule.name
- rank = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authorization_rules.rank, null)
- default = rule.name == "Default" ? true : null
- state = try(rule.state, local.defaults.ise.device_administration.policy_sets.authorization_rules.state, null)
- condition_type = rule.name == "Default" ?
null : try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null)
- condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null)
- condition_is_negate = rule.name == "Default" ? null : try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null)
- condition_attribute_name = rule.name == "Default" ? null : try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null)
- condition_attribute_value = rule.name == "Default" ? null : try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null)
- condition_dictionary_name = rule.name == "Default" ? null : try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null)
- condition_dictionary_value = rule.name == "Default" ? null : try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null)
- condition_operator = rule.name == "Default" ?
null : try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null)
- profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_rules.profile, null)
- command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_rules.command_sets, null)
- children = try([for i in rule.condition.children : {
- attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null)
- attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null)
- dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null)
- dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null)
- condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null)
- is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null)
- operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null)
- id = contains(local.known_conditions_device_admin, try(i.name, "")) ?
ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null)
- children = try([for j in i.children : {
- attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null)
- attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null)
- dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null)
- dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null)
- condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null)
- is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null)
- operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null)
- id = contains(local.known_conditions_device_admin, try(j.name, "")) ?
ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null)
- }], null)
- }], null)
- }
- ]
- ])
-}
-
-resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" {
- for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_operator = each.value.condition_operator
- profile = each.value.profile
- command_sets = each.value.command_sets
- children = each.value.children
-
- depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_1" {
- for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 1 }
-
- policy_set_id = each.value.policy_set_id
- name = each.value.name
- rank = each.value.rank
- default = each.value.default
- state = each.value.state
- condition_type = each.value.condition_type
- condition_id = each.value.condition_id
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
-
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_2" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 2 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_3" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 3 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_4" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 4 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_5" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 5 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_6" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 6 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_7" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 7 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_8" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 8 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_9" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 9 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_10" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 10 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_11" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 11 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_12" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 12 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_11, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_13" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 13 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_12, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_14" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 14 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_13, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_15" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 15 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_14, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_16" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 16 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_15, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_17" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 17 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_16, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_18" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 18 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_17, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_19" { - for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 19 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_18, ise_active_directory_add_groups.active_directory_groups] -} - -locals { - device_admin_authorization_exception_rules = flatten([ - for ps in try(local.ise.device_administration.policy_sets, []) : [ - for rule in try(ps.authorization_exception_rules, []) : { - key = format("%s/%s", ps.name, rule.name) - policy_set_id = local.device_admin_policy_set_ids[ps.name] - name = rule.name - rank = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.rank, null) - state = try(rule.state, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.state, null) - condition_type = try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) - condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? 
ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) - condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) - condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) - profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.profile, null) - command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.command_sets, null) - children = try([for i in rule.condition.children : { - attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = try(i.dictionary_name, 
local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) - is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) - operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) - id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) - children = try([for j in i.children : { - attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) - is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) - operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) - 
id = contains(local.known_conditions_device_admin, try(j.name, "")) ? ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) - }], null) - }], null) - } - ] - ]) -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_0" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_1" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 1 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - 
condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_2" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 2 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_3" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 3 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = 
each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_4" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 4 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_5" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 5 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - 
condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_6" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 6 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_7" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 7 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = 
each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_8" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 8 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_9" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 9 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - 
condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_10" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 10 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_11" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 11 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = 
each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_12" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 12 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_13" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 13 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = 
each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_14" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 14 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_15" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 15 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = 
each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_16" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 16 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_17" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 17 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = 
each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_18" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 18 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_19" { - for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 19 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - 
rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] -} - -locals { - device_admin_authorization_global_exception_rules = [ - for rule in try(local.ise.device_administration.authorization_global_exception_rules, []) : { - name = rule.name - rank = try(rule.rank, local.defaults.ise.device_administration.authorization_global_exception_rules.rank, null) - state = try(rule.state, local.defaults.ise.device_administration.authorization_global_exception_rules.state, null) - condition_type = try(rule.condition.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) - condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? 
ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) - condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) - condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) - condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) - condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) - profile = try(rule.profile, local.defaults.ise.device_administration.authorization_global_exception_rules.profile, null) - command_sets = try(rule.command_sets, local.defaults.ise.device_administration.authorization_global_exception_rules.command_sets, null) - children = try([for i in rule.condition.children : { - attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) - dictionary_value = 
try(i.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) - condition_type = try(i.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) - is_negate = try(i.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) - operator = try(i.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) - id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) - children = try([for j in i.children : { - attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) - dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) - condition_type = try(j.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) - is_negate = try(j.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) - operator = try(j.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) - id = contains(local.known_conditions_device_admin, try(j.name, "")) ? 
ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) - }], null) - }], null) - } - ] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_0" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if(rule.rank == 0 || rule.rank == null) } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_1" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 1 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = 
each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_2" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 2 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_3" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 3 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - 
profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_4" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 4 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_5" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 5 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = 
each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_6" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 6 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children - - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_7" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 7 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - 
condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children + } + ] + ]) - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_6, ise_active_directory_add_groups.active_directory_groups] + device_admin_authentication_rules_with_ranks = [ + for idx, rule in local.device_admin_authentication_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_8" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 8 } +resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule" { + for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank + default = each.value.default state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
@@ -2362,78 +302,92 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au condition_attribute_value = each.value.condition_attribute_value condition_dictionary_name = each.value.condition_dictionary_name condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets + identity_source_name = each.value.identity_source_name + if_auth_fail = each.value.if_auth_fail + if_process_fail = each.value.if_process_fail + if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_7, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_9" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 9 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +resource "ise_device_admin_authentication_rule_update_rank" "device_admin_authentication_rule_update_rank" { + for_each = { for rule in local.device_admin_authentication_rules_with_ranks : rule.key => rule } - depends_on = 
[ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_8, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = each.value.policy_set_id + rule_id = ise_device_admin_authentication_rule.device_admin_authentication_rule[each.value.key].id + rank = each.value.generated_rank } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_10" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 10 } +# Workaround for ISE API issue where deleting a TACACS profile or command set immediately after deleting an object using it fails +resource "time_sleep" "device_admin_policy_object_wait" { + count = (length(try(local.ise.device_administration.policy_elements.tacacs_profiles, [])) > 0 || length(try(local.ise.device_administration.policy_elements.tacacs_command_sets, [])) > 0) ? 1 : 0 - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children + destroy_duration = "5s" - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_9, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ + ise_tacacs_profile.tacacs_profile, + ise_tacacs_command_set.tacacs_command_set, + ] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_11" { - for_each = { for 
rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 11 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +locals { + device_admin_authorization_rules = flatten([ + for ps in try(local.ise.device_administration.policy_sets, []) : [ + for rule in try(ps.authorization_rules, []) : { + key = format("%s/%s", ps.name, rule.name) + policy_set_id = local.device_admin_policy_set_ids[ps.name] + name = rule.name + rank = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authorization_rules.rank, null) + default = rule.name == "Default" ? true : null + state = try(rule.state, local.defaults.ise.device_administration.policy_sets.authorization_rules.state, null) + condition_type = rule.name == "Default" ? null : try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) + condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) + condition_is_negate = rule.name == "Default" ? null : try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) + condition_attribute_name = rule.name == "Default" ? 
null : try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + condition_attribute_value = rule.name == "Default" ? null : try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + condition_dictionary_name = rule.name == "Default" ? null : try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + condition_dictionary_value = rule.name == "Default" ? null : try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_operator = rule.name == "Default" ? null : try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) + profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_rules.profile, null) + command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_rules.command_sets, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) + is_negate = 
try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) + id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) + id = contains(local.known_conditions_device_admin, try(j.name, "")) ? 
ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) + }], null) + }], null) + } + ] + ]) - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_10, ise_active_directory_add_groups.active_directory_groups] + device_admin_authorization_rules_with_ranks = [ + for idx, rule in local.device_admin_authorization_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_12" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 12 } +resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule" { + for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank + default = each.value.default state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
@@ -2446,54 +400,72 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_13" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 13 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +resource "ise_device_admin_authorization_rule_update_rank" "device_admin_authorization_rule_update_rank" { + for_each = { for rule in local.device_admin_authorization_rules_with_ranks : rule.key => rule } - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = each.value.policy_set_id + rule_id = ise_device_admin_authorization_rule.device_admin_authorization_rule[each.value.key].id + rank = each.value.generated_rank } -resource 
"ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_14" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 14 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +locals { + device_admin_authorization_exception_rules = flatten([ + for ps in try(local.ise.device_administration.policy_sets, []) : [ + for rule in try(ps.authorization_exception_rules, []) : { + key = format("%s/%s", ps.name, rule.name) + policy_set_id = local.device_admin_policy_set_ids[ps.name] + name = rule.name + rank = try(rule.rank, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.rank, null) + state = try(rule.state, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.state, null) + condition_type = try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) + condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? 
ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) + condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) + profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.profile, null) + command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.command_sets, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, 
local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) + is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) + id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) + 
id = contains(local.known_conditions_device_admin, try(j.name, "")) ? ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) + }], null) + }], null) + } + ] + ]) - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] + device_admin_authorization_exception_rules_with_ranks = [ + for idx, rule in local.device_admin_authorization_exception_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_15" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 15 } +resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule" { + for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
@@ -2506,54 +478,67 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_16" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 16 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +resource "ise_device_admin_authorization_exception_rule_update_rank" "device_admin_authorization_exception_rule_update_rank" { + for_each = { for rule in local.device_admin_authorization_exception_rules_with_ranks : rule.key => rule } - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = each.value.policy_set_id + rule_id = ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule[each.value.key].id + 
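Review bot: `generated_rank = idx` in `device_admin_authorization_exception_rules_with_ranks` is the index into the flattened list across all policy sets, but an ISE rank is a position inside one policy set, so with two policy sets the first exception rule of the second set is sent rank N (N = the number of exception rules in the first set) instead of 0. Whether ISE rejects the out-of-range rank or merely leaves a gap, the intended 0..n-1 order per policy set is not produced, and since exception rules are matched first-match this decides which TACACS+ profile and command sets a device admin gets. The same flatten-then-index pattern appears for `device_admin_authorization_rules_with_ranks` just above this hunk, so it presumably needs the same treatment. The index has to be taken per policy set; the update_rank resource only reads `key`, `policy_set_id` and `generated_rank`, so the list can be rebuilt from the input directly:
```hcl
  device_admin_authorization_exception_rules_with_ranks = flatten([
    for ps in try(local.ise.device_administration.policy_sets, []) : [
      # rank is a position inside one policy set, so index per policy set, not across the flattened list
      for idx, rule in try(ps.authorization_exception_rules, []) : {
        key            = format("%s/%s", ps.name, rule.name)
        policy_set_id  = local.device_admin_policy_set_ids[ps.name]
        generated_rank = idx
      }
    ]
  ])
```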
rank = each.value.generated_rank } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_17" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 17 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +locals { + device_admin_authorization_global_exception_rules = [ + for rule in try(local.ise.device_administration.authorization_global_exception_rules, []) : { + name = rule.name + rank = try(rule.rank, local.defaults.ise.device_administration.authorization_global_exception_rules.rank, null) + state = try(rule.state, local.defaults.ise.device_administration.authorization_global_exception_rules.state, null) + condition_type = try(rule.condition.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) + condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? 
ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) + condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) + condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) + profile = try(rule.profile, local.defaults.ise.device_administration.authorization_global_exception_rules.profile, null) + command_sets = try(rule.command_sets, local.defaults.ise.device_administration.authorization_global_exception_rules.command_sets, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = 
try(i.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) + is_negate = try(i.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) + id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) + id = contains(local.known_conditions_device_admin, try(j.name, "")) ? 
ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null) + }], null) + }], null) + } + ] - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] + device_admin_authorization_global_exception_rules_with_ranks = [ + for idx, rule in local.device_admin_authorization_global_exception_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_18" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 18 } +resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule" { + for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule } name = each.value.name - rank = each.value.rank state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
@@ -2566,25 +551,12 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_19" { - for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 19 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profile = each.value.profile - command_sets = each.value.command_sets - children = each.value.children +resource "ise_device_admin_authorization_global_exception_rule_update_rank" "device_admin_authorization_global_exception_rule_update_rank" { + for_each = { for rule in local.device_admin_authorization_global_exception_rules_with_ranks : rule.key => rule } - depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] + rule_id = ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule[each.value.name].id + rank = 
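Review bot: `ise_device_admin_authorization_exception_rule_update_rank` sets `rank = each.value.generated_rank` while the local still computes `rank = try(rule.rank, …)` from the input, so an explicit rank a user wrote for an exception rule is silently replaced by its list position; an input whose list order differs from its ranks changes which TACACS+ profile and command sets are granted, with no plan-time signal. The input `rank` is now dead data unless it is used for validation, so I would fail the plan when the two disagree rather than let the override happen quietly, and say so in a comment on the local: `# Precedence is list order; an explicit rank is only accepted when it equals the list position.`
```hcl
resource "ise_device_admin_authorization_exception_rule_update_rank" "device_admin_authorization_exception_rule_update_rank" {
  for_each = { for rule in local.device_admin_authorization_exception_rules_with_ranks : rule.key => rule }

  # … unchanged: policy_set_id, rule_id, rank …

  lifecycle {
    precondition {
      condition     = each.value.rank == null || each.value.rank == each.value.generated_rank
      error_message = format("Exception rule %s: explicit rank %v differs from its list position %d; rank is taken from list order.", each.value.key, each.value.rank, each.value.generated_rank)
    }
  }
}
```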
each.value.rank } diff --git a/ise_network_access.tf b/ise_network_access.tf index e8a0109..c2b7653 100644 --- a/ise_network_access.tf +++ b/ise_network_access.tf 
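Review bot: The `for_each` of `ise_device_admin_authorization_global_exception_rule_update_rank` keys on `rule.key`, but the global-exception-rules local built just above it only defines `name` (there is no policy set to prefix it with), so this resource fails at plan time with an unsupported-attribute error. The `rank` line also uses the input `rank` rather than `generated_rank`, which leaves the `_with_ranks` list effectively unused and passes a null rank whenever no rank was given, unlike the other device-admin update_rank resources in this file. Suggested: `for_each = { for rule in local.device_admin_authorization_global_exception_rules_with_ranks : rule.name => rule }` and `rank = each.value.generated_rank`; the `rule_id` lookup can then use `each.key`.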
@@ -310,296 +310,16 @@ locals { }], null) } ] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_0" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if(ps.rank == 0 || ps.rank == null) } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_authorization_profile.authorization_profile, ise_allowed_protocols.allowed_protocols, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_1" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 1 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_0, 
ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_2" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 2 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_3" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 3 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource 
"ise_network_access_policy_set" "network_access_policy_set_4" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 4 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_5" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 5 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_6" { - for_each = { for ps in 
local.network_access_policy_sets : ps.name => ps if ps.rank == 6 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_5, ise_active_directory_add_groups.active_directory_groups] -} -resource "ise_network_access_policy_set" "network_access_policy_set_7" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 7 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_8" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 8 } - - condition_type = 
each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_9" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 9 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_10" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 10 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - 
condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_11" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 11 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_policy_set" "network_access_policy_set_12" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 12 } - - condition_type = each.value.condition_type - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - 
condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_id = each.value.condition_id - condition_operator = each.value.condition_operator - description = each.value.description - is_proxy = each.value.is_proxy - name = each.value.name - service_name = each.value.service_name - state = each.value.state - default = each.value.default - rank = each.value.rank - children = each.value.children - - depends_on = [ise_network_access_policy_set.network_access_policy_set_11, ise_active_directory_add_groups.active_directory_groups] + network_access_policy_sets_with_ranks = [ + for idx, ps in local.network_access_policy_sets : merge(ps, { + generated_rank = idx + }) + ] } -resource "ise_network_access_policy_set" "network_access_policy_set_13" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 13 } +resource "ise_network_access_policy_set" "network_access_policy_set" { + for_each = { for ps in local.network_access_policy_sets : ps.name => ps } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -614,167 +334,20 @@ resource "ise_network_access_policy_set" "network_access_policy_set_13" {
service_name = each.value.service_name
state = each.value.state
default = each.value.default
- rank = each.value.rank
children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_12, ise_active_directory_add_groups.active_directory_groups]
+ depends_on = [ise_authorization_profile.authorization_profile, ise_allowed_protocols.allowed_protocols, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups]
}
-resource "ise_network_access_policy_set" "network_access_policy_set_14" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 14 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
+resource "ise_network_access_policy_set_update_rank" "network_access_policy_set_update_rank" {
+ for_each = { for ps in local.network_access_policy_sets_with_ranks : ps.name => ps }
- depends_on = [ise_network_access_policy_set.network_access_policy_set_13, ise_active_directory_add_groups.active_directory_groups]
+ policy_set_id = ise_network_access_policy_set.network_access_policy_set[each.key].id
+ rank = each.value.generated_rank
}
-resource "ise_network_access_policy_set" "network_access_policy_set_15" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 15 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_network_access_policy_set.network_access_policy_set_14, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_network_access_policy_set" "network_access_policy_set_16" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 16 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_network_access_policy_set.network_access_policy_set_15, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_network_access_policy_set" "network_access_policy_set_17" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 17 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_network_access_policy_set.network_access_policy_set_16, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_network_access_policy_set" "network_access_policy_set_18" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 18 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_network_access_policy_set.network_access_policy_set_17, ise_active_directory_add_groups.active_directory_groups]
-}
-
-resource "ise_network_access_policy_set" "network_access_policy_set_19" {
- for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 19 }
-
- condition_type = each.value.condition_type
- condition_is_negate = each.value.condition_is_negate
- condition_attribute_name = each.value.condition_attribute_name
- condition_attribute_value = each.value.condition_attribute_value
- condition_dictionary_name = each.value.condition_dictionary_name
- condition_id = each.value.condition_id
- condition_operator = each.value.condition_operator
- description = each.value.description
- is_proxy = each.value.is_proxy
- name = each.value.name
- service_name = each.value.service_name
- state = each.value.state
- default = each.value.default
- rank = each.value.rank
- children = each.value.children
-
- depends_on = [ise_network_access_policy_set.network_access_policy_set_18, ise_active_directory_add_groups.active_directory_groups]
-}
-
-locals {
- network_access_policy_set_ids = merge(
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_1[ps.name].id if ps.rank == 1 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_2[ps.name].id if ps.rank == 2 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_3[ps.name].id if ps.rank == 3 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_4[ps.name].id if ps.rank == 4 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_5[ps.name].id if ps.rank == 5 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_6[ps.name].id if ps.rank == 6 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_7[ps.name].id if ps.rank == 7 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_8[ps.name].id if ps.rank == 8 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_9[ps.name].id if ps.rank == 9 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_10[ps.name].id if ps.rank == 10 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_11[ps.name].id if ps.rank == 11 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_12[ps.name].id if ps.rank == 12 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_13[ps.name].id if ps.rank == 13 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_14[ps.name].id if ps.rank == 14 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_15[ps.name].id if ps.rank == 15 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_16[ps.name].id if ps.rank == 16 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_17[ps.name].id if ps.rank == 17 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_18[ps.name].id if ps.rank == 18 },
- { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_19[ps.name].id if ps.rank == 19 },
- )
+locals {
+ network_access_policy_set_ids = { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set[ps.name].id }
network_access_authentication_rules = flatten([
for ps in try(local.ise.network_access.policy_sets, []) : [
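Review bot: The rank of every network access policy set is now its index in `local.network_access_policy_sets` (`rank = each.value.generated_rank` in the new `ise_network_access_policy_set_update_rank` resource), so the order in which ISE evaluates policy sets — and therefore which policy set a session is matched against first — follows list position rather than any rank the input may carry, and nothing in the hunk documents that; the local is built outside this hunk, so I cannot tell whether an input `rank` key is still accepted and silently ignored. I would add above the resource: `# Policy set order is the position in the input list; an explicit rank in the input is not honoured.` The for_each instances are applied concurrently, so if the ISE API implements a rank update as a move that shifts neighbouring entries, the final order may depend on apply ordering; a follow-up `terraform plan` showing no rank drift would confirm it converges. The policy set resource this hunk closes no longer sets `rank` and, unlike the authentication rule resource removed later in this commit, has no `lifecycle { ignore_changes = [rank] }`, so whether the provider reports the rank written by the update resource as drift depends on its schema and is worth checking. That resource's opening line is outside this hunk.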
@@ -817,1228 +390,23 @@ locals { id = contains(local.known_conditions_network_access, try(j.name, "")) ? ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) }], null) }], null) - } - ] - ]) -} - -locals { - network_access_authentication_rules_with_ranks = [ - for idx, rule in local.network_access_authentication_rules : merge(rule, { - generated_rank = idx - }) - ] -} - -resource "ise_network_access_authentication_rule" "network_access_authentication_rule" { - for_each = { for rule in local.network_access_authentication_rules : rule.key => rule } - - policy_set_id = each.value.policy_set_id - name = each.value.name - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - identity_source_name = each.value.identity_source_name - if_auth_fail = each.value.if_auth_fail - if_process_fail = each.value.if_process_fail - if_user_not_found = each.value.if_user_not_found - children = each.value.children - - depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] - - lifecycle { - ignore_changes = [rank] - } -} - -resource "ise_network_access_authentication_rule_update_rank" "network_access_authentication_rule_update_rank" { - for_each = { for rule in local.network_access_authentication_rules_with_ranks : rule.key => rule } - - policy_set_id = each.value.policy_set_id - auth_rule_id = ise_network_access_authentication_rule.network_access_authentication_rule[each.value.key].id - rank = each.value.generated_rank -} - -locals { - 
network_access_authorization_rules = flatten([ - for ps in try(local.ise.network_access.policy_sets, []) : [ - for rule in try(ps.authorization_rules, []) : { - key = format("%s/%s", ps.name, rule.name) - policy_set_id = local.network_access_policy_set_ids[ps.name] - name = rule.name - rank = try(rule.rank, local.defaults.ise.network_access.policy_sets.authorization_rules.rank, null) - default = rule.name == "Default" ? true : null - state = try(rule.state, local.defaults.ise.network_access.policy_sets.authorization_rules.state, null) - condition_type = rule.name == "Default" ? null : try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) - condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) - condition_is_negate = rule.name == "Default" ? null : try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) - condition_attribute_name = rule.name == "Default" ? null : try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - condition_attribute_value = rule.name == "Default" ? null : try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - condition_dictionary_name = rule.name == "Default" ? null : try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) - condition_dictionary_value = rule.name == "Default" ? null : try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) - condition_operator = rule.name == "Default" ? 
null : try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) - profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_rules.profiles, null) - security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_rules.security_group, null) - children = try([for i in rule.condition.children : { - attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) - dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) - condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) - is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) - operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(i.name, "")) ? 
ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) - children = try([for j in i.children : { - attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) - dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) - condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) - is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) - operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) - }], null) - }], null) - } - ] - ]) -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_0" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_1" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 1 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value 
= each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_2" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 2 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_3" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 3 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - 
condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_4" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 4 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_5" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 5 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = 
each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_6" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 6 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_7" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 7 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - 
condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_8" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 8 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_9" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 9 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = 
each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_10" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 10 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_11" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 11 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - 
condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_12" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 12 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_11, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_13" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 13 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = 
each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_12, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_14" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 14 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_13, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_15" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 15 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = 
each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_14, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_16" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 16 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_15, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_17" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 17 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = 
each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_16, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_18" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 18 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_17, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_rule" "network_access_authorization_rule_19" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 19 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - default = 
each.value.default - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_18, ise_active_directory_add_groups.active_directory_groups] -} - -locals { - network_access_authorization_exception_rules = flatten([ - for ps in try(local.ise.network_access.policy_sets, []) : [ - for rule in try(ps.authorization_exception_rules, []) : { - key = format("%s/%s", ps.name, rule.name) - policy_set_id = local.network_access_policy_set_ids[ps.name] - name = rule.name - rank = try(rule.rank, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.rank, null) - state = try(rule.state, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.state, null) - condition_type = try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) - condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? 
ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) - condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) - condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) - profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.profiles, null) - security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.security_group, null) - children = try([for i in rule.condition.children : { - attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - dictionary_value = 
try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) - is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) - operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) - children = try([for j in i.children : { - attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) - dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) - condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) - is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) - operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) - }], null) - }], null) - } - ] - ]) -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_0" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 0 || rule.rank == null } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_1" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 1 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = 
each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_2" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 2 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_3" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 3 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = 
each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_4" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 4 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_5" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 5 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = 
each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_6" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 6 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_7" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 7 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - 
condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_8" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 8 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_7, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_9" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 9 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = 
each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_8, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_10" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 10 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_9, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_11" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 11 } - - policy_set_id = each.value.policy_set_id 
- name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_10, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_12" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 12 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_13" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if 
rule.rank == 13 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_14" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 14 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_15" { - for_each = { for rule in 
local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 15 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_16" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 16 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" 
"network_access_authorization_exception_rule_17" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 17 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_18" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 18 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] -} 
- -resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_19" { - for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 19 } - - policy_set_id = each.value.policy_set_id - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] -} - -locals { - network_access_authorization_global_exception_rules = [ - for rule in try(local.ise.network_access.authorization_global_exception_rules, []) : { - name = rule.name - rank = try(rule.rank, local.defaults.ise.network_access.authorization_global_exception_rules.rank, null) - state = try(rule.state, local.defaults.ise.network_access.authorization_global_exception_rules.state, null) - condition_type = try(rule.condition.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) - condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? 
ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) - condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) - condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) - condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) - condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) - profiles = try(rule.profiles, local.defaults.ise.network_access.authorization_global_exception_rules.profiles, null) - security_group = try(rule.security_group, local.defaults.ise.network_access.authorization_global_exception_rules.security_group, null) - children = try([for i in rule.condition.children : { - attribute_name = try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) - dictionary_value = try(i.dictionary_value, 
local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) - condition_type = try(i.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) - is_negate = try(i.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) - operator = try(i.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) - children = try([for j in i.children : { - attribute_name = try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) - dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) - condition_type = try(j.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) - is_negate = try(j.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) - operator = try(j.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) - id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) - }], null) - }], null) - } - ] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_0" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 0 || rule.rank == null } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_1" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 1 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - 
condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_0, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_2" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 2 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_1, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_3" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 3 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - 
condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_2, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_4" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 4 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_3, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_5" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 5 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - 
condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_4, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_6" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 6 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_5, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_7" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 7 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - 
condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children - - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_6, ise_active_directory_add_groups.active_directory_groups] -} - -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_8" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 8 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children + } + ] + ]) - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_7, ise_active_directory_add_groups.active_directory_groups] + network_access_authentication_rules_with_ranks = [ + for idx, rule in local.network_access_authentication_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_9" { - for_each = { for rule in 
local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 9 } +resource "ise_network_access_authentication_rule" "network_access_authentication_rule" { + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank + default = each.value.default state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
@@ -2047,58 +415,80 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces condition_attribute_value = each.value.condition_attribute_value condition_dictionary_name = each.value.condition_dictionary_name condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group + identity_source_name = each.value.identity_source_name + if_auth_fail = each.value.if_auth_fail + if_process_fail = each.value.if_process_fail + if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_8, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_10" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 10 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +resource "ise_network_access_authentication_rule_update_rank" "network_access_authentication_rule_update_rank" { + for_each = { for rule in local.network_access_authentication_rules_with_ranks : rule.key => rule } - depends_on = 
[ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_9, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = each.value.policy_set_id + rule_id = ise_network_access_authentication_rule.network_access_authentication_rule[each.value.key].id + rank = each.value.generated_rank } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_11" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 11 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +locals { + network_access_authorization_rules = flatten([ + for ps in try(local.ise.network_access.policy_sets, []) : [ + for rule in try(ps.authorization_rules, []) : { + key = format("%s/%s", ps.name, rule.name) + policy_set_id = local.network_access_policy_set_ids[ps.name] + name = rule.name + rank = try(rule.rank, local.defaults.ise.network_access.policy_sets.authorization_rules.rank, null) + default = rule.name == "Default" ? true : null + state = try(rule.state, local.defaults.ise.network_access.policy_sets.authorization_rules.state, null) + condition_type = rule.name == "Default" ? null : try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) + condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? 
ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) + condition_is_negate = rule.name == "Default" ? null : try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) + condition_attribute_name = rule.name == "Default" ? null : try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + condition_attribute_value = rule.name == "Default" ? null : try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + condition_dictionary_name = rule.name == "Default" ? null : try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + condition_dictionary_value = rule.name == "Default" ? null : try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_operator = rule.name == "Default" ? 
null : try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) + profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_rules.profiles, null) + security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_rules.security_group, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) + is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(i.name, "")) ? 
ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) + }], null) + }], null) + } + ] + ]) - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_10, ise_active_directory_add_groups.active_directory_groups] + network_access_authorization_rules_with_ranks = [ + for idx, rule in local.network_access_authorization_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_12" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 12 } +resource "ise_network_access_authorization_rule" "network_access_authorization_rule" { + for_each = { for rule in local.network_access_authorization_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank + default = each.value.default state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
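Review bot: `generated_rank = idx` in `network_access_authorization_rules_with_ranks` enumerates the flattened list across all policy sets, so rules of the second and later policy sets get ranks offset by the rule count of the preceding sets instead of starting at 0 inside their own `policy_set_id`; the same pattern is in `network_access_authentication_rules_with_ranks` (previous hunk) and `network_access_authorization_exception_rules_with_ranks` (next hunk). Because `ise_network_access_authorization_rule_update_rank` addresses a rule by `policy_set_id` and `rule_id`, the index should be taken inside the per-policy-set loop, e.g. `for idx, rule in try(ps.authorization_rules, []) : {` with `generated_rank = idx` set in that object, or computed by grouping the flattened list on `policy_set_id` before enumerating. Related: `rank = try(rule.rank, local.defaults...rank, null)` is still computed in the local but is no longer applied anywhere now that `rank = each.value.rank` was removed from the resource, so an explicit rank in the input is silently ignored and first-match evaluation order now follows input list order, which decides which profile and security group a session is granted; either drop the stale attribute or note on the local that input order is the rank. Whether ISE accepts or rejects an out-of-range rank, and where a `"Default"` rule that is not listed last ends up, is not visible here.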
@@ -2111,54 +501,72 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_13" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 13 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +resource "ise_network_access_authorization_rule_update_rank" "network_access_authorization_rule_update_rank" { + for_each = { for rule in local.network_access_authorization_rules_with_ranks : rule.key => rule } - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = each.value.policy_set_id + rule_id = 
ise_network_access_authorization_rule.network_access_authorization_rule[each.value.key].id + rank = each.value.generated_rank } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_14" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 14 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +locals { + network_access_authorization_exception_rules = flatten([ + for ps in try(local.ise.network_access.policy_sets, []) : [ + for rule in try(ps.authorization_exception_rules, []) : { + key = format("%s/%s", ps.name, rule.name) + policy_set_id = local.network_access_policy_set_ids[ps.name] + name = rule.name + rank = try(rule.rank, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.rank, null) + state = try(rule.state, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.state, null) + condition_type = try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) + condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? 
ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) + condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) + profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.profiles, null) + security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.security_group, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = 
try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) + is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) + }], null) + }], null) + } + ] + ]) - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] + network_access_authorization_exception_rules_with_ranks = [ + for idx, rule in local.network_access_authorization_exception_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_15" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 15 } +resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule" { + for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule } + policy_set_id = each.value.policy_set_id name = each.value.name - rank = each.value.rank state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
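Review bot: The instances of `ise_network_access_authorization_exception_rule_update_rank` have no ordering among themselves, whereas the removed per-rank resources were serialized through a `depends_on` chain; each instance depends only on its own rule via `rule_id`, so Terraform applies the rank updates of one policy set concurrently. If a rank update on the ISE side re-sorts the other rules of the set, the final order could depend on apply order (inferred from the resource shape, not verified against the provider), which matters because exception rules are evaluated before the regular authorization rules. If the provider does not serialize these calls, consider a comment above the resource such as `# Rank updates for one policy set run in parallel; relies on the provider applying an absolute rank that is order-independent` and a test apply with several rules per policy set. The authentication and authorization `_update_rank` resources in the previous hunks have the same shape.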
@@ -2171,54 +579,67 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_16" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 16 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +resource "ise_network_access_authorization_exception_rule_update_rank" "network_access_authorization_exception_rule_update_rank" { + for_each = { for rule in local.network_access_authorization_exception_rules_with_ranks : rule.key => rule } - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] + policy_set_id = 
each.value.policy_set_id + rule_id = ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule[each.value.key].id + rank = each.value.generated_rank } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_17" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 17 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +locals { + network_access_authorization_global_exception_rules = [ + for rule in try(local.ise.network_access.authorization_global_exception_rules, []) : { + name = rule.name + rank = try(rule.rank, local.defaults.ise.network_access.authorization_global_exception_rules.rank, null) + state = try(rule.state, local.defaults.ise.network_access.authorization_global_exception_rules.state, null) + condition_type = try(rule.condition.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) + condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? 
ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) + condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) + condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) + profiles = try(rule.profiles, local.defaults.ise.network_access.authorization_global_exception_rules.profiles, null) + security_group = try(rule.security_group, local.defaults.ise.network_access.authorization_global_exception_rules.security_group, null) + children = try([for i in rule.condition.children : { + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, 
local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) + condition_type = try(i.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) + is_negate = try(i.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) + operator = try(i.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) + children = try([for j in i.children : { + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) + condition_type = try(j.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) + is_negate = try(j.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) + operator = try(j.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) + id = contains(local.known_conditions_network_access, try(j.name, "")) ? 
ise_network_access_condition.network_access_condition[j.name].id : try(data.ise_network_access_condition.network_access_condition[j.name].id, null) + }], null) + }], null) + } + ] - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] + network_access_authorization_global_exception_rules_with_ranks = [ + for idx, rule in local.network_access_authorization_global_exception_rules : merge(rule, { + generated_rank = idx + }) + ] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_18" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 18 } +resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule" { + for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule } name = each.value.name - rank = each.value.rank state = each.value.state condition_type = each.value.condition_type condition_id = each.value.condition_id 
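Review bot: The rank a user configures for an exception rule is now silently ignored: the new `*_with_ranks` locals set `generated_rank = idx` from list position, the main `ise_network_access_authorization_exception_rule` resource no longer sets `rank`, and the `rank = try(rule.rank, …)` attribute computed for the global exception rules local in this hunk is never consumed by its `with_ranks` counterpart. Since rank is what decides which authorization exception matches first, a config that still carries explicit `rank` values (the old per-rank resources relied on them) could end up evaluated in a different order after migration without any plan-time hint. Either drop the dead `rank` attribute from the local, or derive the generated value from it, e.g. `generated_rank = coalesce(rule.rank, idx)`, and state in a comment above the `with_ranks` local that list order in the configuration is now the rule precedence. The same applies to the `network_access_authorization_exception_rules_with_ranks` local, whose source list starts before this hunk.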
@@ -2231,25 +652,12 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] + depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_network_device_group.network_device_group_5, ise_active_directory_add_groups.active_directory_groups] } -resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_19" { - for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 19 } - - name = each.value.name - rank = each.value.rank - state = each.value.state - condition_type = each.value.condition_type - condition_id = each.value.condition_id - condition_is_negate = each.value.condition_is_negate - condition_attribute_name = each.value.condition_attribute_name - condition_attribute_value = each.value.condition_attribute_value - condition_dictionary_name = each.value.condition_dictionary_name - condition_operator = each.value.condition_operator - profiles = each.value.profiles - security_group = each.value.security_group - children = each.value.children +resource "ise_network_access_authorization_global_exception_rule_update_rank" "network_access_authorization_global_exception_rule_update_rank" { + for_each = { for rule in local.network_access_authorization_global_exception_rules_with_ranks : rule.key => rule } - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] + rule_id = 
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule[each.value.name].id + rank = each.value.rank }
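Review bot: The new `ise_network_access_authorization_global_exception_rule_update_rank` resource keys its `for_each` on `rule.key`, but the `network_access_authorization_global_exception_rules` local defined in the previous hunk has no `key` attribute (only `name`, `rank`, `state`, `condition_*`, `profiles`, `security_group`, `children`, plus the merged `generated_rank`), and the main resource it references is keyed by `rule.name`, so this should fail at plan time with an unsupported-attribute error. It also assigns `rank = each.value.rank`, the nullable configured value, rather than the `generated_rank` that the `with_ranks` local was built for, which is inconsistent with the `ise_network_access_authorization_exception_rule_update_rank` resource in the previous hunk. Suggested lines: `for_each = { for rule in local.network_access_authorization_global_exception_rules_with_ranks : rule.name => rule }` and `rank = each.value.generated_rank`. The equivalent device-admin resources in ise_device_admin.tf are outside this chunk and should be checked for the same mismatch.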