search

netascode / terraform-ise-nac-ise

Terraform Cisco ISE Network-as-Code Module
https://registry.terraform.io/modules/netascode/nac-ise/ise
Apache License 2.0
3 stars 1 forks source link

Device Admin authorization_rules - commands_sets attribute not read into terraform plan/apply #8

Closed grg1bbs closed 9 months ago

grg1bbs commented 9 months ago

When creating a Device Admin Policy set with the nested authentication_rules and authorization_rules blocks, the command_sets attribute is not captured and read into the TF plan/apply operation. As such, the AuthZ Policy created in ISE is lacking the Command Sets value.

Example code block

ise:
  device_administration:
    policy_sets:
## Create Device Admin Policy Set - Routers and Switches
      - name: Routers and Switches
        description: Cisco Routers and Switches
        condition:
          type: ConditionOrBlock
          children:
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Switch"
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Router"
        service_name: PAP
        authentication_rules:
          - name: PAP
            condition:
              type: ConditionAttributes
              attribute_name: Network Access:AuthenticationMethod
              operator: equals
              attribute_value: PAP_ASCII
            identity_source_name: ISELAB_AD
        authorization_rules:
          - name: Router Switch ReadOnly
            condition:
              type: ConditionAndBlock
              children:
                - type: ConditionOrBlock
                  children:
                    - type: ConditionAttributes
                      attribute_name: DEVICE:Device Type
                      operator: equals
                      attribute_value: All Device Types#Cisco Router
                    - type: ConditionAttributes
                      attribute_name: DEVICE:Device Type
                      operator: equals
                      attribute_value: All Device Types#Cisco Switch
                - type: ConditionAttributes
                  attribute_name: ISELAB_AD:ExternalGroups
                  operator: equals
                  attribute_value: "trappedunderise.com/Users/Net Monitor"
            profile: IOS_Admin_Priv10
            commands_sets:
              - PermitShowCommands

Example TF plan output

Terraform will perform the following actions:

  # module.ise.ise_device_admin_authorization_rule.device_admin_authorization_rule_0["Routers and Switches/Router Switch ReadOnly"] will be created
  + resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" {
      + children            = [
          + {
              + children       = [
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Router"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Switch"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                ]
              + condition_type = "ConditionOrBlock"
              + is_negate      = false
            },
          + {
              + attribute_name  = "ExternalGroups"
              + attribute_value = "trappedunderise.com/Users/Net Monitor"
              + condition_type  = "ConditionAttributes"
              + dictionary_name = "ISELAB_AD"
              + is_negate       = false
              + operator        = "equals"
            },
        ]
      + condition_is_negate = false
      + condition_type      = "ConditionAndBlock"
      + default             = false
      + id                  = (known after apply)
      + name                = "Router Switch ReadOnly"
      + policy_set_id       = "813c3812-fec1-4bd0-a78f-4d95c79a6cfb"
      + profile             = "IOS_Admin_Priv10"
      + state               = "enabled"
    }
kuba-mazurkiewicz commented 9 months ago

hey @grg1bbs attribute name should be command_sets not commands_sets

  # module.ise.ise_device_admin_authorization_rule.device_admin_authorization_rule_0["Routers and Switches/Router Switch ReadOnly"] will be created
  + resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" {
      + children            = [
          + {
              + children       = [
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Router"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Switch"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                ]
              + condition_type = "ConditionOrBlock"
              + is_negate      = false
            },
          + {
              + attribute_name  = "ExternalGroups"
              + attribute_value = "trappedunderise.com/Users/Net Monitor"
              + condition_type  = "ConditionAttributes"
              + dictionary_name = "ISELAB_AD"
              + is_negate       = false
              + operator        = "equals"
            },
        ]
      + command_sets        = [
          + "PermitShowCommands",
        ]
      + condition_is_negate = false
      + condition_type      = "ConditionAndBlock"
      + default             = false
      + id                  = (known after apply)
      + name                = "Router Switch ReadOnly"
      + policy_set_id       = (known after apply)
      + profile             = "IOS_Admin_Priv10"
      + state               = "enabled"
    }
grg1bbs commented 9 months ago

@kuba-mazurkiewicz : Of course! That was my silly mistake. I tested it with the corrected syntax and the apply worked as expected. The iac-validate doesn't catch this, so that should help in future when it's available.

grg1bbs commented 9 months ago

Closing this issue. User error.