
Terraform Network-as-Code Cisco ISE Module

A Terraform module to configure Cisco ISE.

Usage

This module supports an inventory-driven approach: a complete ISE configuration, or parts of it, is modeled either in one or more YAML files or natively as Terraform variables.

Examples

Configuring a Network Access Condition using YAML:

network_access_condition.yaml

```yaml
---
ise:
  network_access:
    policy_elements:
      conditions:
        - name: CertificateNotExpired
          type: LibraryConditionAttributes
          is_negate: false
          dictionary_name: CERTIFICATE
          attribute_name: Is Expired
          operator: equals
          attribute_value: "False"
```

main.tf

```hcl
module "ise" {
  source  = "netascode/nac-ise/ise"
  version = ">= 0.1.0"

  yaml_files = ["network_access_condition.yaml"]
}
```
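Because the inventory can be split across several YAML files and directories (`yaml_files`, `yaml_directories`), it is worth checking the merged result before `terraform plan` touches a production ISE deployment. The script below is an added example and is not code from the nac-ise module: it merges inventory fragments (shown here as the Python dicts that `yaml.safe_load` would return for two constructed files), flags duplicate `name` entries within a list, and checks that each network access condition carries the fields used in the example above. The merge rules (deep-merge mappings, concatenate lists, refuse conflicting scalars) are an assumption of this example, not the module's documented behaviour, and the second fragment is a constructed sample.

```python
"""Merge nac-ise style inventory fragments into one model and sanity-check it.

Added example, not code from the netascode/nac-ise module. The merge rules
used here are an assumption made for this example: mappings deep-merge, lists
concatenate, and a scalar set differently in two fragments is an error rather
than a silent override (silent overrides in access-policy data are exactly what
a reviewer wants to catch).
"""
from copy import deepcopy
from typing import Any, Iterator

# Constructed fragments: what yaml.safe_load would return for two inventory files.
FRAGMENT_A = {
    "ise": {"network_access": {"policy_elements": {"conditions": [
        {"name": "CertificateNotExpired", "type": "LibraryConditionAttributes",
         "is_negate": False, "dictionary_name": "CERTIFICATE",
         "attribute_name": "Is Expired", "operator": "equals",
         "attribute_value": "False"},
    ]}}}
}
FRAGMENT_B = {  # constructed second file, not from the page
    "ise": {"network_access": {"policy_elements": {"conditions": [
        {"name": "WiredMAB", "type": "LibraryConditionAttributes",
         "is_negate": False, "dictionary_name": "Radius",
         "attribute_name": "NAS-Port-Type", "operator": "equals",
         "attribute_value": "Ethernet"},
    ]}}}
}

# Fields every network access condition in the README example carries.
REQUIRED_CONDITION_KEYS = {"name", "type", "dictionary_name",
                           "attribute_name", "operator", "attribute_value"}


def deep_merge(base: dict, extra: dict, path: str = "") -> dict:
    """Return a new dict with extra merged into base (assumed rules, see above)."""
    merged = deepcopy(base)
    for key, value in extra.items():
        here = f"{path}.{key}" if path else key
        if key not in merged:
            merged[key] = deepcopy(value)
        elif isinstance(merged[key], dict) and isinstance(value, dict):
            merged[key] = deep_merge(merged[key], value, here)
        elif isinstance(merged[key], list) and isinstance(value, list):
            merged[key] = merged[key] + deepcopy(value)
        elif merged[key] != value:
            raise ValueError(f"conflicting scalar at {here}: {merged[key]!r} vs {value!r}")
    return merged


def walk_lists(node: Any, path: str = "") -> Iterator[tuple[str, list]]:
    """Yield (dotted path, list) for every list of mappings in the model."""
    if isinstance(node, dict):
        for key, value in node.items():
            yield from walk_lists(value, f"{path}.{key}" if path else key)
    elif isinstance(node, list):
        if node and all(isinstance(item, dict) for item in node):
            yield path, node
        for index, item in enumerate(node):
            yield from walk_lists(item, f"{path}[{index}]")


def find_duplicate_names(model: dict) -> list[str]:
    """Two entries with the same name in one list would collide in ISE."""
    errors = []
    for path, items in walk_lists(model):
        seen: set = set()
        for item in items:
            name = item.get("name")
            if name is None:
                continue
            if name in seen:
                errors.append(f"{path}: duplicate name {name!r}")
            seen.add(name)
    return errors


def validate_conditions(model: dict) -> list[str]:
    """Report network access conditions missing any of the expected fields."""
    conditions = (model.get("ise", {}).get("network_access", {})
                  .get("policy_elements", {}).get("conditions", []))
    errors = []
    for cond in conditions:
        missing = sorted(REQUIRED_CONDITION_KEYS - cond.keys())
        if missing:
            errors.append(f"condition {cond.get('name', '<unnamed>')!r}: missing {missing}")
    return errors


def check_inventory(fragments: list[dict]) -> dict:
    """Merge all fragments and return the model plus a list of findings."""
    model: dict = {}
    for fragment in fragments:
        model = deep_merge(model, fragment)
    return {"model": model,
            "errors": find_duplicate_names(model) + validate_conditions(model)}


if __name__ == "__main__":
    for line in check_inventory([FRAGMENT_A, FRAGMENT_B])["errors"] or ["inventory OK"]:
        print(line)
```

Run it as a CI step on the same file set you pass to `yaml_files`; a non-empty `errors` list is a reason to stop before `terraform plan`.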

Requirements

| Name | Version |
|---|---|
| terraform | >= 1.3.0 |
| ise | >= 0.2.0 |
| local | >= 2.3.0 |
| time | >= 0.10.0 |
| utils | >= 0.2.5 |

Inputs

| Name | Description | Type | Default | Required |
|---|---|---|---|---|
| model | As an alternative to YAML files, a native Terraform data structure can be provided as well. | `map(any)` | `{}` | no |
| write_default_values_file | Write all default values to a YAML file. Value is a path pointing to the file to be created. | `string` | `""` | no |
| yaml_directories | List of paths to YAML directories. | `list(string)` | `[]` | no |
| yaml_files | List of paths to YAML files. | `list(string)` | `[]` | no |

Outputs

| Name | Description |
|---|---|
| default_values | All default values. |
| model | Full model. |

Resources

Name Type
ise_active_directory_add_groups.active_directory_groups resource
ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes resource
ise_active_directory_join_point.active_directory_join_point resource
ise_allowed_protocols.allowed_protocols resource
ise_allowed_protocols_tacacs.allowed_protocols_tacacs resource
ise_authorization_profile.authorization_profile resource
ise_certificate_authentication_profile.certificate_authentication_profile resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_0 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_1 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_10 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_11 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_12 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_13 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_14 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_15 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_16 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_17 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_18 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_19 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_2 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_3 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_4 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_5 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_6 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_7 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_8 resource
ise_device_admin_authentication_rule.device_admin_authentication_rule_9 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_0 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_1 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_10 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_11 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_12 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_13 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_14 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_15 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_16 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_17 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_18 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_19 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_2 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_3 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_4 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_5 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_6 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_7 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_8 resource
ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_9 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_0 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_1 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_10 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_11 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_12 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_13 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_14 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_15 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_16 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_17 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_18 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_19 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_2 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_3 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_4 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_5 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_6 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_7 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_8 resource
ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_9 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_0 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_1 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_10 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_11 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_12 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_13 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_14 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_15 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_16 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_17 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_18 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_19 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_2 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_3 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_4 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_5 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_6 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_7 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_8 resource
ise_device_admin_authorization_rule.device_admin_authorization_rule_9 resource
ise_device_admin_condition.device_admin_condition resource
ise_device_admin_policy_set.device_admin_policy_set_0 resource
ise_device_admin_policy_set.device_admin_policy_set_1 resource
ise_device_admin_policy_set.device_admin_policy_set_10 resource
ise_device_admin_policy_set.device_admin_policy_set_11 resource
ise_device_admin_policy_set.device_admin_policy_set_12 resource
ise_device_admin_policy_set.device_admin_policy_set_13 resource
ise_device_admin_policy_set.device_admin_policy_set_14 resource
ise_device_admin_policy_set.device_admin_policy_set_15 resource
ise_device_admin_policy_set.device_admin_policy_set_16 resource
ise_device_admin_policy_set.device_admin_policy_set_17 resource
ise_device_admin_policy_set.device_admin_policy_set_18 resource
ise_device_admin_policy_set.device_admin_policy_set_19 resource
ise_device_admin_policy_set.device_admin_policy_set_2 resource
ise_device_admin_policy_set.device_admin_policy_set_3 resource
ise_device_admin_policy_set.device_admin_policy_set_4 resource
ise_device_admin_policy_set.device_admin_policy_set_5 resource
ise_device_admin_policy_set.device_admin_policy_set_6 resource
ise_device_admin_policy_set.device_admin_policy_set_7 resource
ise_device_admin_policy_set.device_admin_policy_set_8 resource
ise_device_admin_policy_set.device_admin_policy_set_9 resource
ise_device_admin_time_and_date_condition.device_admin_time_and_date_condition resource
ise_downloadable_acl.downloadable_acl resource
ise_endpoint.endpoint resource
ise_endpoint_identity_group.endpoint_identity_group resource
ise_identity_source_sequence.identity_source_sequences resource
ise_internal_user.internal_user resource
ise_license_tier_state.license_tier_state resource
ise_network_access_authentication_rule.network_access_authentication_rule_0 resource
ise_network_access_authentication_rule.network_access_authentication_rule_1 resource
ise_network_access_authentication_rule.network_access_authentication_rule_10 resource
ise_network_access_authentication_rule.network_access_authentication_rule_11 resource
ise_network_access_authentication_rule.network_access_authentication_rule_12 resource
ise_network_access_authentication_rule.network_access_authentication_rule_13 resource
ise_network_access_authentication_rule.network_access_authentication_rule_14 resource
ise_network_access_authentication_rule.network_access_authentication_rule_15 resource
ise_network_access_authentication_rule.network_access_authentication_rule_16 resource
ise_network_access_authentication_rule.network_access_authentication_rule_17 resource
ise_network_access_authentication_rule.network_access_authentication_rule_18 resource
ise_network_access_authentication_rule.network_access_authentication_rule_19 resource
ise_network_access_authentication_rule.network_access_authentication_rule_2 resource
ise_network_access_authentication_rule.network_access_authentication_rule_3 resource
ise_network_access_authentication_rule.network_access_authentication_rule_4 resource
ise_network_access_authentication_rule.network_access_authentication_rule_5 resource
ise_network_access_authentication_rule.network_access_authentication_rule_6 resource
ise_network_access_authentication_rule.network_access_authentication_rule_7 resource
ise_network_access_authentication_rule.network_access_authentication_rule_8 resource
ise_network_access_authentication_rule.network_access_authentication_rule_9 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_0 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_1 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_10 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_11 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_12 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_13 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_14 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_15 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_16 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_17 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_18 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_19 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_2 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_3 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_4 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_5 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_6 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_7 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_8 resource
ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_9 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_0 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_1 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_10 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_11 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_12 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_13 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_14 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_15 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_16 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_17 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_18 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_19 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_2 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_3 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_4 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_5 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_6 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_7 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_8 resource
ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_9 resource
ise_network_access_authorization_rule.network_access_authorization_rule_0 resource
ise_network_access_authorization_rule.network_access_authorization_rule_1 resource
ise_network_access_authorization_rule.network_access_authorization_rule_10 resource
ise_network_access_authorization_rule.network_access_authorization_rule_11 resource
ise_network_access_authorization_rule.network_access_authorization_rule_12 resource
ise_network_access_authorization_rule.network_access_authorization_rule_13 resource
ise_network_access_authorization_rule.network_access_authorization_rule_14 resource
ise_network_access_authorization_rule.network_access_authorization_rule_15 resource
ise_network_access_authorization_rule.network_access_authorization_rule_16 resource
ise_network_access_authorization_rule.network_access_authorization_rule_17 resource
ise_network_access_authorization_rule.network_access_authorization_rule_18 resource
ise_network_access_authorization_rule.network_access_authorization_rule_19 resource
ise_network_access_authorization_rule.network_access_authorization_rule_2 resource
ise_network_access_authorization_rule.network_access_authorization_rule_3 resource
ise_network_access_authorization_rule.network_access_authorization_rule_4 resource
ise_network_access_authorization_rule.network_access_authorization_rule_5 resource
ise_network_access_authorization_rule.network_access_authorization_rule_6 resource
ise_network_access_authorization_rule.network_access_authorization_rule_7 resource
ise_network_access_authorization_rule.network_access_authorization_rule_8 resource
ise_network_access_authorization_rule.network_access_authorization_rule_9 resource
ise_network_access_condition.network_access_condition resource
ise_network_access_dictionary.network_access_dictionary resource
ise_network_access_policy_set.network_access_policy_set_0 resource
ise_network_access_policy_set.network_access_policy_set_1 resource
ise_network_access_policy_set.network_access_policy_set_10 resource
ise_network_access_policy_set.network_access_policy_set_11 resource
ise_network_access_policy_set.network_access_policy_set_12 resource
ise_network_access_policy_set.network_access_policy_set_13 resource
ise_network_access_policy_set.network_access_policy_set_14 resource
ise_network_access_policy_set.network_access_policy_set_15 resource
ise_network_access_policy_set.network_access_policy_set_16 resource
ise_network_access_policy_set.network_access_policy_set_17 resource
ise_network_access_policy_set.network_access_policy_set_18 resource
ise_network_access_policy_set.network_access_policy_set_19 resource
ise_network_access_policy_set.network_access_policy_set_2 resource
ise_network_access_policy_set.network_access_policy_set_3 resource
ise_network_access_policy_set.network_access_policy_set_4 resource
ise_network_access_policy_set.network_access_policy_set_5 resource
ise_network_access_policy_set.network_access_policy_set_6 resource
ise_network_access_policy_set.network_access_policy_set_7 resource
ise_network_access_policy_set.network_access_policy_set_8 resource
ise_network_access_policy_set.network_access_policy_set_9 resource
ise_network_access_time_and_date_condition.network_access_time_and_date_condition resource
ise_network_device.network_device resource
ise_network_device_group.network_device_group_0 resource
ise_network_device_group.network_device_group_1 resource
ise_network_device_group.network_device_group_2 resource
ise_network_device_group.network_device_group_3 resource
ise_network_device_group.network_device_group_4 resource
ise_network_device_group.network_device_group_5 resource
ise_repository.repository resource
ise_tacacs_command_set.tacacs_command_set resource
ise_tacacs_profile.tacacs_profile resource
ise_trustsec_egress_matrix_cell.trustsec_egress_matrix_cell resource
ise_trustsec_ip_to_sgt_mapping.trustsec_ip_to_sgt_mapping resource
ise_trustsec_ip_to_sgt_mapping_group.trustsec_ip_to_sgt_mapping_group resource
ise_trustsec_security_group.trustsec_security_group resource
ise_trustsec_security_group_acl.trustsec_security_group_acl resource
ise_user_identity_group.user_identity_group resource
local_sensitive_file.defaults resource
time_sleep.device_admin_policy_object_wait resource
time_sleep.network_device_group_wait resource
time_sleep.sgt_wait resource
ise_active_directory_groups_by_domain.all_groups data source
ise_device_admin_condition.device_admin_condition data source
ise_device_admin_condition.device_admin_condition_circular data source
ise_endpoint_identity_group.endpoint_identity_group data source
ise_network_access_condition.network_access_condition data source
ise_network_access_condition.network_access_condition_circular data source
ise_trustsec_security_group.trustsec_security_group data source
ise_trustsec_security_group_acl.trustsec_security_group_acl data source
ise_user_identity_group.user_identity_group data source
utils_yaml_merge.defaults data source
utils_yaml_merge.model data source

Modules

No modules.


terraform-ise-nac-ise's Issues

Terraform planning failed error when creating multiple Device Admin Policy Sets

When creating more than one Device Admin Policy Set, Terraform throws a "Planning failed" error for "Inconsistent conditional result types".

If I comment out the second Policy Set block, there are no issues with the create/update operations.

Example error

```text
Planning failed. Terraform encountered an error while generating this plan.

╷
│ Error: Inconsistent conditional result types
│ 
│   on .terraform/modules/ise/ise_device_admin.tf line 161, in locals:
│  161:   device_admin_policy_sets = var.manage_device_administration ? [
│  162:     for ps in try(local.ise.device_administration.policy_sets, []) : {
│  163:       condition_type             = try(ps.condition.type, local.defaults.ise.device_administration.policy_sets.condition.type, null)
│  164:       condition_is_negate        = try(ps.condition.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null)
│  165:       condition_attribute_name   = strcontains(try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null)
│  166:       condition_attribute_value  = strcontains(try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null)
│  167:       condition_dictionary_name  = strcontains(try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null
│  168:       condition_dictionary_value = strcontains(try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null
│  169:       condition_id               = contains(local.known_conditions_device_admin, try(ps.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[ps.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[ps.condition.name].id, null)
│  170:       condition_operator         = try(ps.condition.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null)
│  171:       description                = try(ps.description, local.defaults.ise.device_administration.policy_sets.description, null)
│  172:       is_proxy                   = try(ps.is_proxy, local.defaults.ise.device_administration.policy_sets.is_proxy)
│  173:       name                       = ps.name
│  174:       service_name               = try(ps.service_name, local.defaults.ise.device_administration.policy_sets.service_name)
│  175:       state                      = try(ps.state, local.defaults.ise.device_administration.policy_sets.state)
│  176:       rank                       = try(ps.rank, local.defaults.ise.device_administration.policy_sets.rank, null)
│  177:       children = try([for i in ps.condition.children : {
│  178:         attribute_name   = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null)
│  179:         attribute_value  = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null)
│  180:         dictionary_name  = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null
│  181:         dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null
│  182:         condition_type   = try(i.type, local.defaults.ise.device_administration.policy_sets.condition.type, null)
│  183:         is_negate        = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null)
│  184:         operator         = try(i.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null)
│  185:         id               = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null)
│  186:         children = try([for j in i.children : {
│  187:           attribute_name   = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null)
│  188:           attribute_value  = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null)
│  189:           dictionary_name  = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null
│  190:           dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null
│  191:           condition_type   = try(j.type, local.defaults.ise.device_administration.policy_sets.condition.type, null)
│  192:           is_negate        = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null)
│  193:           operator         = try(j.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null)
│  194:           id               = contains(local.known_conditions_device_admin, try(j.name, "")) ? ise_device_admin_condition.device_admin_condition[j.name].id : try(data.ise_device_admin_condition.device_admin_condition[j.name].id, null)
│  195:         }], null)
│  196:       }], null)
│  197:     }
│  198:   ] : []
│     ├────────────────
│     │ data.ise_device_admin_condition.device_admin_condition is object with no attributes
│     │ ise_device_admin_condition.device_admin_condition is object with no attributes
│     │ local.defaults.ise.device_administration.policy_sets is object with 7 attributes
│     │ local.defaults.ise.device_administration.policy_sets.condition is object with 2 attributes
│     │ local.defaults.ise.device_administration.policy_sets.condition.is_negate is false
│     │ local.defaults.ise.device_administration.policy_sets.is_proxy is false
│     │ local.defaults.ise.device_administration.policy_sets.state is "enabled"
│     │ local.ise.device_administration.policy_sets is tuple with 2 elements
│     │ local.known_conditions_device_admin is empty tuple
│ 
│ The true result value has the wrong type: element types must all match for conversion to list.
```

Example code

```yaml
ise:
  device_administration:
    policy_sets:
## Create Device Admin Policy Set - Routers and Switches
      - name: Routers and Switches
        description: Cisco Routers and Switches
        condition:
          type: ConditionOrBlock
          children:
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Switch"
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Router"
        service_name: PAP

### Create Device Admin Policy Set - Wireless Controllers
      - name: Wireless Controllers
        description: Cisco Wireless LAN Controllers
        condition:
          type: ConditionAttributes
          attribute_name: DEVICE:Device Type
          operator: equals
          attribute_value: "All Device Types#Cisco WLC"
        service_name: PAP
```

Device Admin authorization_rules - commands_sets attribute not read into terraform plan/apply

When creating a Device Admin Policy set with the nested authentication_rules and authorization_rules blocks, the command_sets attribute is not captured and read into the TF plan/apply operation. As such, the AuthZ Policy created in ISE is lacking the Command Sets value.

Example code block

ise:
  device_administration:
    policy_sets:
## Create Device Admin Policy Set - Routers and Switches
      - name: Routers and Switches
        description: Cisco Routers and Switches
        condition:
          type: ConditionOrBlock
          children:
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Switch"
            - type: ConditionAttributes
              attribute_name: DEVICE:Device Type
              operator: equals
              attribute_value: "All Device Types#Cisco Router"
        service_name: PAP
        authentication_rules:
          - name: PAP
            condition:
              type: ConditionAttributes
              attribute_name: Network Access:AuthenticationMethod
              operator: equals
              attribute_value: PAP_ASCII
            identity_source_name: ISELAB_AD
        authorization_rules:
          - name: Router Switch ReadOnly
            condition:
              type: ConditionAndBlock
              children:
                - type: ConditionOrBlock
                  children:
                    - type: ConditionAttributes
                      attribute_name: DEVICE:Device Type
                      operator: equals
                      attribute_value: All Device Types#Cisco Router
                    - type: ConditionAttributes
                      attribute_name: DEVICE:Device Type
                      operator: equals
                      attribute_value: All Device Types#Cisco Switch
                - type: ConditionAttributes
                  attribute_name: ISELAB_AD:ExternalGroups
                  operator: equals
                  attribute_value: "trappedunderise.com/Users/Net Monitor"
            profile: IOS_Admin_Priv10
            commands_sets:
              - PermitShowCommands

Example TF plan output

Terraform will perform the following actions:

  # module.ise.ise_device_admin_authorization_rule.device_admin_authorization_rule_0["Routers and Switches/Router Switch ReadOnly"] will be created
  + resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" {
      + children            = [
          + {
              + children       = [
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Router"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                  + {
                      + attribute_name  = "Device Type"
                      + attribute_value = "All Device Types#Cisco Switch"
                      + condition_type  = "ConditionAttributes"
                      + dictionary_name = "DEVICE"
                      + is_negate       = false
                      + operator        = "equals"
                    },
                ]
              + condition_type = "ConditionOrBlock"
              + is_negate      = false
            },
          + {
              + attribute_name  = "ExternalGroups"
              + attribute_value = "trappedunderise.com/Users/Net Monitor"
              + condition_type  = "ConditionAttributes"
              + dictionary_name = "ISELAB_AD"
              + is_negate       = false
              + operator        = "equals"
            },
        ]
      + condition_is_negate = false
      + condition_type      = "ConditionAndBlock"
      + default             = false
      + id                  = (known after apply)
      + name                = "Router Switch ReadOnly"
      + policy_set_id       = "813c3812-fec1-4bd0-a78f-4d95c79a6cfb"
      + profile             = "IOS_Admin_Priv10"
      + state               = "enabled"
    }

Client Error on network_access_policy_set module with nested conditions due to missing dictionaryName

When creating a Policy Set with nested conditions, TF throws a Client Error due to missing dictionaryName values. The values exist in the YAML, but the terraform plan does not show the 'dictionary_name' or 'dictionary_value' attributes.

Depending on the dictionary and condition being configured, the dictionary_value is not always null.

Example YAML code

ise:
  network_access:
    policy_sets:
      - name: Wired MM
        description: Wired Monitor Mode
        condition:
          type: ConditionAndBlock
          children:
          - type: ConditionAttributes
            dictionary_name: Radius
            attribute_name: NAS-Port-Type
            operator: equals
            dictionary_value: null
            attribute_value: Ethernet
          - type: ConditionAttributes
            dictionary_name: DEVICE
            attribute_name: Deployment Stage
            operator: equals
            dictionary_value: null
            attribute_value: Deployment Stage#Monitor Mode
        service_name: MAB_Dot1x

Plan & Client Error

Terraform will perform the following actions:

  # module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"] will be created
  + resource "ise_network_access_policy_set" "network_access_policy_set_0" {
      + children            = [
          + {
              + attribute_name  = "NAS-Port-Type"
              + attribute_value = "Ethernet"
              + condition_type  = "ConditionAttributes"
              + is_negate       = false
              + operator        = "equals"
            },
          + {
              + attribute_name  = "Deployment Stage"
              + attribute_value = "Deployment Stage#Monitor Mode"
              + condition_type  = "ConditionAttributes"
              + is_negate       = false
              + operator        = "equals"
            },
        ]
      + condition_is_negate = false
      + condition_type      = "ConditionAndBlock"
      + description         = "Wired Monitor Mode"
      + id                  = (known after apply)
      + is_proxy            = false
      + name                = "Wired MM"
      + service_name        = "MAB_Dot1x"
      + state               = "enabled"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Creating...
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Still creating... [10s elapsed]
module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"]: Still creating... [20s elapsed]
╷
│ Error: Client Error
│ 
│   with module.ise.ise_network_access_policy_set.network_access_policy_set_0["Wired MM"],
│   on .terraform/modules/ise/ise_network_access.tf line 311, in resource "ise_network_access_policy_set" "network_access_policy_set_0":
│  311: resource "ise_network_access_policy_set" "network_access_policy_set_0" {
│ 
│ Failed to configure object (POST), got error: HTTP Request failed: StatusCode 400, Message: , {
│   "message" : "condition.children[1].dictionaryName, must not be null, condition.children[0].dictionaryName, must not be null",
│   "code" : 400
│ }

Example TF code

resource "ise_network_access_policy_set" "ps_wired_mm" {
  name                = var.ps_wired_mm_name
  description         = "Wired Monitor Mode"
  rank                = 0
  service_name        = ise_allowed_protocols.mab_dot1x.name
  state               = "enabled"
  is_proxy            = false
  condition_is_negate = false
  condition_type      = "ConditionAndBlock"
  children = [
    {
      condition_type  = "ConditionAttributes"
      is_negate       = false
      dictionary_name = "Radius"
      attribute_name  = "NAS-Port-Type"
      operator        = "equals"
      attribute_value = "Ethernet"
    },
    {
      condition_type  = "ConditionAttributes"
      is_negate       = false
      dictionary_name = "DEVICE"
      attribute_name  = ise_network_device_group.ndg_deployment_stage.root_group
      operator        = "equals"
      attribute_value = "Deployment Stage#Monitor Mode"
    },
  ]
}

Client error due to missing settings for allowed_protocols EAP-TLS stateless session resume

When configuring an Allowed Protocols list that includes enabling the EAP-TLS stateless session resume option, Terraform throws a Client Error due to missing required settings.

Example error:

│ Error: Client Error
│ 
│   with module.ise.ise_allowed_protocols.allowed_protocols["MAB_Dot1x"],
│   on .terraform/modules/ise/ise_network_access.tf line 1, in resource "ise_allowed_protocols" "allowed_protocols":
│    1: resource "ise_allowed_protocols" "allowed_protocols" {
│ 
│ Failed to configure object (PUT), got error: HTTP Request failed: StatusCode 400, Message: Validation Error - Mandatory fields
│ missing: [EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketTtl,
│ EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketTtlUnits,
│ EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketPrecentage], {
│   "ERSResponse" : {
│     "operation" : "PUT-update-allowedprotocols",
│     "messages" : [ {
│       "title" : "Validation Error - Mandatory fields missing: [EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketTtl, EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketTtlUnits, EapTlsEnableStatelessSessionResume is allowed but the following field is missing: EapTlsSessionTicketPrecentage]",
│       "type" : "ERROR",
│       "code" : "Application resource validation exception"
│     } ],
│     "link" : {
│       "rel" : "related",
│       "href" : "https://ise32-3.ise.trappedunderise.com/ers/config/allowedprotocols/56bdbe30-c646-11ee-b966-ead89af9fdb3",
│       "type" : "application/xml"
│     }
│   }
│ }

Example code:

ise:
  network_access:
    policy_elements:
      allowed_protocols:
        - name: MAB_Dot1x
          description: MAB, EAP-TLS, and TEAP protocols
          process_host_lookup: true
          allow_pap_ascii: false
          allow_eap_md5: false
          allow_eap_tls: true
          eap_tls:
            enable_stateless_session_resume: true
          allow_eap_ttls: false
          allow_eap_fast: false
          allow_peap: false
          allow_teap: true
          teap:
            enable_eap_chaining: true
            eap_tls_auth_of_expired_certs: true

Additional info:

The TF provider includes objects for these settings, but the data model does not reference these options. There should be defaults and schema to modify these options.

  eap_tls_session_ticket_ttl                        = 5
  eap_tls_session_ticket_ttl_unit                   = "DAYS"
  eap_tls_session_ticket_percentage                 = 5
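Both ISE-side rejections reported above (the 400 from the policy set API when a ConditionAttributes child carries no dictionaryName, and the ERS validation error when stateless session resume is enabled without the session-ticket TTL, TTL unit and percentage) can be caught before terraform apply by linting the YAML model. The following Python is an added example, not code from the nac-ise module or the ISE provider. It walks the parsed model (the output of yaml.safe_load), resolves a dictionary for every ConditionAttributes leaf either from an explicit dictionary_name or from the DICTIONARY:Attribute form of attribute_name (the split the plan output above shows turning DEVICE:Device Type into dictionary_name = "DEVICE" and attribute_name = "Device Type"), and flags leaves that resolve to no dictionary or to two conflicting ones. The session-ticket keys it expects under eap_tls (session_ticket_ttl, session_ticket_ttl_unit, session_ticket_percentage) are an assumption that mirrors the provider attribute names listed above without their eap_tls_ prefix, since the model does not define them yet. The model embedded at the bottom is constructed here and seeds three deliberate faults.

```python
"""Pre-flight lint for a nac-ise YAML model: added example, not module code."""
from __future__ import annotations
from typing import Any

BLOCK_TYPES = {"ConditionAndBlock", "ConditionOrBlock"}
# Assumed model keys (the model does not define them yet): the provider
# attribute names quoted above minus their eap_tls_ prefix.
TICKET_KEYS = ("session_ticket_ttl", "session_ticket_ttl_unit", "session_ticket_percentage")


def resolve_dictionary(cond: dict[str, Any]) -> tuple[str | None, str, str | None]:
    """Return (dictionary, attribute, problem) for a ConditionAttributes leaf.

    The dictionary is the explicit dictionary_name or the prefix of a
    "DICTIONARY:Attribute" attribute_name (the split the plan output above
    shows for "DEVICE:Device Type"); problem is None when it is unambiguous.
    """
    attr = str(cond.get("attribute_name", ""))
    prefix, sep, rest = attr.partition(":")
    from_prefix, bare_attr = (prefix, rest) if sep else (None, attr)
    explicit = cond.get("dictionary_name")
    if explicit and from_prefix and str(explicit) != from_prefix:
        return None, bare_attr, f"dictionary_name {explicit!r} conflicts with prefix {from_prefix!r}"
    dictionary = str(explicit) if explicit else from_prefix
    if not dictionary:
        return None, bare_attr, f"no dictionary for attribute {attr!r}"
    return dictionary, bare_attr, None


def walk_condition(cond: Any, path: str, findings: list[str]) -> None:
    """Recurse through And/Or blocks and check every ConditionAttributes leaf."""
    if not isinstance(cond, dict):
        return
    if cond.get("type") in BLOCK_TYPES:
        for i, child in enumerate(cond.get("children") or []):
            walk_condition(child, f"{path}.children[{i}]", findings)
    elif cond.get("type") == "ConditionAttributes":
        problem = resolve_dictionary(cond)[2]
        if problem:
            findings.append(f"{path}: {problem}")
    # other types (e.g. a reference to a library condition) carry no dictionary


def lint_model(model: dict[str, Any]) -> list[str]:
    """Return sorted findings; an empty list means both checks passed."""
    findings: list[str] = []
    ise = model.get("ise") or {}
    for section in ("network_access", "device_administration"):
        for ps in (ise.get(section) or {}).get("policy_sets") or []:
            base = f"{section}.policy_sets[{ps.get('name')}]"
            walk_condition(ps.get("condition"), f"{base}.condition", findings)
            for kind in ("authentication_rules", "authorization_rules"):
                for rule in ps.get(kind) or []:
                    walk_condition(rule.get("condition"),
                                   f"{base}.{kind}[{rule.get('name')}].condition", findings)
    elements = (ise.get("network_access") or {}).get("policy_elements") or {}
    for ap in elements.get("allowed_protocols") or []:
        eap_tls = ap.get("eap_tls") or {}
        missing = [k for k in TICKET_KEYS if k not in eap_tls]
        if eap_tls.get("enable_stateless_session_resume") and missing:
            findings.append(f"allowed_protocols[{ap.get('name')}].eap_tls: "
                            f"stateless session resume needs {missing}")
    return sorted(findings)


def leaf(attr: str, value: str, **extra: Any) -> dict[str, Any]:
    return {"type": "ConditionAttributes", "attribute_name": attr,
            "operator": "equals", "attribute_value": value, **extra}


# Constructed sample mirroring the YAML shapes posted above, with three deliberate faults.
SAMPLE_MODEL = {"ise": {
    "network_access": {
        "policy_elements": {"allowed_protocols": [
            {"name": "MAB_Dot1x", "allow_eap_tls": True,  # fault: resume on, no ticket settings
             "eap_tls": {"enable_stateless_session_resume": True}},
            {"name": "EAP-TLS-Only", "allow_eap_tls": True,
             "eap_tls": {"enable_stateless_session_resume": True, "session_ticket_ttl": 5,
                         "session_ticket_ttl_unit": "DAYS", "session_ticket_percentage": 5}},
        ]},
        "policy_sets": [{"name": "Wired MM", "service_name": "MAB_Dot1x", "condition": {
            "type": "ConditionAndBlock", "children": [
                leaf("NAS-Port-Type", "Ethernet", dictionary_name="Radius"),
                leaf("Deployment Stage", "Deployment Stage#Monitor Mode"),  # fault: no dictionary
            ]}}],
    },
    "device_administration": {"policy_sets": [{
        "name": "Routers and Switches", "service_name": "PAP",
        "condition": {"type": "ConditionOrBlock", "children": [
            leaf("DEVICE:Device Type", "All Device Types#Cisco Switch"),
            leaf("DEVICE:Device Type", "All Device Types#Cisco Router")]},
        "authorization_rules": [{"name": "Router Switch ReadOnly", "condition": leaf(
            "ISELAB_AD:ExternalGroups", "trappedunderise.com/Users/Net Monitor",
            dictionary_name="Radius")}],  # fault: explicit dictionary contradicts the prefix
    }]},
}}

if __name__ == "__main__":
    for finding in lint_model(SAMPLE_MODEL):
        print(finding)
```

Run as a script it prints the three seeded findings; in a pipeline, replace SAMPLE_MODEL with yaml.safe_load of each file in yaml_files (merged the same way the module merges them) and fail the job when the list is non-empty. The lint only guarantees the YAML is complete before the module reads it: a model that passes can still hit the second issue above if the module drops an explicit dictionary_name from the plan, as that report shows, so the plan output still needs to be checked for the dictionary_name attribute on every child.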
