
Commit d0ad965

Add active directory resources (#2)
1 parent eebef78 commit d0ad965


10 files changed

+334
-208
lines changed


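--- a/README.md
+++ b/README.md
@@ -22,8 +22,7 @@ ise:
 - name: CertificateNotExpired
 type: LibraryConditionAttributes
 is_negate: false
-dictionary_name: CERTIFICATE
-attribute_name: Is Expired
+attribute_name: CERTIFICATE:Is Expired
 operator: equals
 attribute_value: "False"
 ```
@@ -36,6 +35,8 @@ module "ise" {
 version = ">= 0.1.0"
 
 yaml_files = ["network_access_condition.yaml"]
+
+manage_network_access = true
 }
 ```
 
@@ -44,7 +45,7 @@ module "ise" {
 | Name | Version |
 |------|---------|
 | <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
-| <a name="requirement_ise"></a> [ise](#requirement\_ise) | >= 0.1.8 |
+| <a name="requirement_ise"></a> [ise](#requirement\_ise) | >= 0.1.12 |
 | <a name="requirement_local"></a> [local](#requirement\_local) | >= 2.3.0 |
 | <a name="requirement_time"></a> [time](#requirement\_time) | >= 0.10.0 |
 | <a name="requirement_utils"></a> [utils](#requirement\_utils) | >= 0.2.5 |
@@ -72,6 +73,9 @@ module "ise" {
 
 | Name | Type |
 |------|------|
+| [ise_active_directory_add_groups.active_directory_groups](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_add_groups) | resource |
+| [ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_join_domain_with_all_nodes) | resource |
+| [ise_active_directory_join_point.active_directory_join_point](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_join_point) | resource |
 | [ise_allowed_protocols.allowed_protocols](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols) | resource |
 | [ise_allowed_protocols_tacacs.allowed_protocols_tacacs](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols_tacacs) | resource |
 | [ise_authorization_profile.authorization_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/authorization_profile) | resource |
@@ -305,6 +309,7 @@ module "ise" {
 | [time_sleep.device_admin_policy_object_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.network_device_group_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
 | [time_sleep.sgt_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource |
+| [ise_active_directory_groups_by_domain.all_groups](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/active_directory_groups_by_domain) | data source |
 | [ise_device_admin_condition.device_admin_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/device_admin_condition) | data source |
 | [ise_device_admin_condition.device_admin_condition_circular](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/device_admin_condition) | data source |
 | [ise_endpoint_identity_group.endpoint_identity_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/endpoint_identity_group) | data source |
@@ -317,4 +322,4 @@ module "ise" {
 ## Modules
 
 No modules.
-<!-- END_TF_DOCS -->
+<!-- END_TF_DOCS -->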

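--- a/examples/network_access_condition/README.md
+++ b/examples/network_access_condition/README.md
@@ -30,8 +30,7 @@ ise:
 - name: CertificateNotExpired
 type: LibraryConditionAttributes
 is_negate: false
-dictionary_name: CERTIFICATE
-attribute_name: Is Expired
+attribute_name: CERTIFICATE:Is Expired
 operator: equals
 attribute_value: "False"
 ```
@@ -43,6 +42,8 @@ module "ise" {
 source = "netascode/nac-ise/ise"
 version = ">= 0.1.0"
 
+manage_network_access = true
+
 yaml_files = ["network_access_condition.yaml"]
 }
 ```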

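--- a/examples/network_access_condition/main.tf
+++ b/examples/network_access_condition/main.tf
@@ -3,4 +3,6 @@ module "ise" {
 version = ">= 0.1.0"
 
 yaml_files = ["network_access_condition.yaml"]
+
+manage_network_access = true
 }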

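--- a/examples/network_access_condition/network_access_condition.yaml
+++ b/examples/network_access_condition/network_access_condition.yaml
@@ -6,7 +6,6 @@ ise:
 - name: CertificateNotExpired
 type: LibraryConditionAttributes
 is_negate: false
-dictionary_name: CERTIFICATE
-attribute_name: Is Expired
+attribute_name: CERTIFICATE:Is Expired
 operator: equals
 attribute_value: "False"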

ise_device_admin.tf

Lines changed: 105 additions & 99 deletions
Large diffs are not rendered by default.

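--- a/ise_identity_management.tf
+++ b/ise_identity_management.tf
@@ -53,3 +53,108 @@ resource "ise_certificate_authentication_profile" "certificate_authentication_pr
 match_mode = try(each.value.match_mode, local.defaults.ise.identity_management.certificate_authentication_profiles.description, null)
 username_from = try(each.value.username_from, local.defaults.ise.identity_management.certificate_authentication_profiles.description, null)
 }
+
+resource "ise_active_directory_join_point" "active_directory_join_point" {
+for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+
+name = each.key
+description = try(each.value.description, local.defaults.ise.identity_management.active_directories.description, null)
+domain = try(each.value.domain, local.defaults.ise.identity_management.active_directories.domain, null)
+ad_scopes_names = try(each.value.ad_scopes_names, local.defaults.ise.identity_management.active_directories.ad_scopes_names, null)
+enable_domain_allowed_list = try(each.value.enable_domain_allowed_list, local.defaults.ise.identity_management.active_directories.enable_domain_allowed_list, null)
+groups = []
+attributes = [for attr in try(each.value.attributes, []) : {
+name = try(attr.name, null)
+type = try(attr.type, local.defaults.ise.identity_management.active_directories.attributes.type, null)
+internal_name = try(attr.internal_name, local.defaults.ise.identity_management.active_directories.attributes.internal_name, null)
+default_value = try(attr.default_value, local.defaults.ise.identity_management.active_directories.attributes.default_value, null)
+}]
+rewrite_rules = [for rule in try(each.value.rewrite_rules, []) : {
+row_id = try(rule.row_id, local.defaults.ise.identity_management.active_directories.rewrite_rules.row_id, null)
+rewrite_match = try(rule.rewrite_match, local.defaults.ise.identity_management.active_directories.rewrite_rules.rewrite_match, null)
+rewrite_result = try(rule.rewrite_result, local.defaults.ise.identity_management.active_directories.rewrite_rules.rewrite_result, null)
+}]
+enable_rewrites = try(each.value.enable_rewrites, local.defaults.ise.identity_management.active_directories.enable_rewrites, null)
+enable_pass_change = try(each.value.enable_pass_change, local.defaults.ise.identity_management.active_directories.enable_pass_change, null)
+enable_machine_auth = try(each.value.enable_machine_auth, local.defaults.ise.identity_management.active_directories.enable_machine_auth, null)
+enable_machine_access = try(each.value.enable_machine_access, local.defaults.ise.identity_management.active_directories.enable_machine_access, null)
+enable_dialin_permission_check = try(each.value.enable_dialin_permission_check, local.defaults.ise.identity_management.active_directories.enable_dialin_permission_check, null)
+plaintext_auth = try(each.value.plaintext_auth, local.defaults.ise.identity_management.active_directories.plaintext_auth, null)
+aging_time = try(each.value.aging_time, local.defaults.ise.identity_management.active_directories.aging_time, null)
+enable_callback_for_dialin_client = try(each.value.enable_callback_for_dialin_client, local.defaults.ise.identity_management.active_directories.enable_callback_for_dialin_client, null)
+identity_not_in_ad_behaviour = try(each.value.identity_not_in_ad_behaviour, local.defaults.ise.identity_management.active_directories.identity_not_in_ad_behaviour, null)
+unreachable_domains_behaviour = try(each.value.unreachable_domains_behaviour, local.defaults.ise.identity_management.active_directories.unreachable_domains_behaviour, null)
+schema = try(each.value.schema, local.defaults.ise.identity_management.active_directories.schema, null)
+first_name = try(each.value.first_name, local.defaults.ise.identity_management.active_directories.first_name, null)
+department = try(each.value.department, local.defaults.ise.identity_management.active_directories.department, null)
+last_name = try(each.value.last_name, local.defaults.ise.identity_management.active_directories.last_name, null)
+organizational_unit = try(each.value.organizational_unit, local.defaults.ise.identity_management.active_directories.organizational_unit, null)
+job_title = try(each.value.job_title, local.defaults.ise.identity_management.active_directories.job_title, null)
+locality = try(each.value.locality, local.defaults.ise.identity_management.active_directories.locality, null)
+email = try(each.value.email, local.defaults.ise.identity_management.active_directories.email, null)
+state_or_province = try(each.value.state_or_province, local.defaults.ise.identity_management.active_directories.state_or_province, null)
+telephone = try(each.value.telephone, local.defaults.ise.identity_management.active_directories.telephone, null)
+country = try(each.value.country, local.defaults.ise.identity_management.active_directories.country, null)
+street_address = try(each.value.street_address, local.defaults.ise.identity_management.active_directories.street_address, null)
+enable_failed_auth_protection = try(each.value.enable_failed_auth_protection, local.defaults.ise.identity_management.active_directories.enable_failed_auth_protection, null)
+failed_auth_threshold = try(each.value.failed_auth_threshold, local.defaults.ise.identity_management.active_directories.failed_auth_threshold, null)
+auth_protection_type = try(each.value.auth_protection_type, local.defaults.ise.identity_management.active_directories.auth_protection_type, null)
+}
+
+resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_join_domain_with_all_nodes" {
+for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+
+join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
+additional_data = [
+{
+name = "username"
+value = try(each.value.ad_username, local.defaults.ise.identity_management.active_directories.ad_username, null)
+},
+{
+name = "password"
+value = try(each.value.ad_password, local.defaults.ise.identity_management.active_directories.ad_password, null)
+}
+]
+
+depends_on = [ise_active_directory_join_point.active_directory_join_point]
+}
+
+data "ise_active_directory_groups_by_domain" "all_groups" {
+for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+
+join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
+domain = try(each.value.domain, local.defaults.ise.identity_management.active_directories.domain, null)
+
+depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
+}
+
+locals {
+active_directory_groups_all = {
+for k, v in data.ise_active_directory_groups_by_domain.all_groups :
+k => { for group in v.groups : group.name => group } if var.manage_identity_management
+}
+
+active_directory_groups = {
+for ad in try(local.ise.identity_management.active_directories, []) : ad.name => [
+for group in ad.groups : {
+name = group
+type = try(local.active_directory_groups_all[ad.name][group].type, null)
+sid = try(local.active_directory_groups_all[ad.name][group].sid, null)
+}
+] if var.manage_identity_management
+}
+}
+
+resource "ise_active_directory_add_groups" "active_directory_groups" {
+for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+
+join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
+name = ise_active_directory_join_point.active_directory_join_point[each.key].name
+description = ise_active_directory_join_point.active_directory_join_point[each.key].description
+domain = ise_active_directory_join_point.active_directory_join_point[each.key].domain
+ad_scopes_names = ise_active_directory_join_point.active_directory_join_point[each.key].ad_scopes_names
+enable_domain_allowed_list = ise_active_directory_join_point.active_directory_join_point[each.key].enable_domain_allowed_list
+groups = try(local.active_directory_groups[each.key], local.defaults.ise.identity_management.active_directories.groups, null)
+
+depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
+}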
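Review bot: The domain-join password in `ise_active_directory_join_domain_with_all_nodes` is read from the YAML data model (`each.value.ad_password`, falling back to `local.defaults...ad_password`) and passed as a plain `additional_data` value, so it lives next to the rest of the configuration in version control and, unless the provider marks that attribute sensitive, is printed in plan output and persisted in Terraform state. I would source it from a `sensitive = true` input variable (or at least wrap the expression in `sensitive(...)`), drop the defaults fallback so a join credential can never be a shared default, and annotate the `password` entry with `# AD join credential: supply via a sensitive variable, never in YAML committed to git; it is still written to state, so protect the backend.` Separately, `local.active_directory_groups` wraps `type` and `sid` in `try(..., null)`, so a group name that does not exist in the domain (a typo in YAML) is silently submitted to `ise_active_directory_add_groups` with a null SID instead of failing the plan; indexing `local.active_directory_groups_all[ad.name][group]` without `try` would surface the error where an authorization-relevant group is misnamed. Whether the provider treats `additional_data` values as sensitive is not visible here, so verify it against the provider schema before relying on it.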
