From 7bd3a342c86903d01c87abe3bf6b098125a42962 Mon Sep 17 00:00:00 2001
From: Kuba Mazurkiewicz <132581633+kuba-mazurkiewicz@users.noreply.github.com>
Date: Wed, 15 May 2024 19:46:29 +0200
Subject: [PATCH] Add endpoint support and default user identity groups in
internal users (#11)
---
CHANGELOG.md | 6 ++++
README.md | 4 ++-
defaults/defaults.yaml | 3 ++
ise_identity_management.tf | 60 ++++++++++++++++++++++++++++++++++----
ise_network_resources.tf | 2 +-
versions.tf | 2 +-
6 files changed, 68 insertions(+), 9 deletions(-)
diff --git a/CHANGELOG.md b/CHANGELOG.md
index 9946d99..70f1186 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,3 +1,9 @@
+## 0.1.2 (unreleased)
+
+- Added endpoints resource support
+- Added support for default user identity groups assignment under internal users
+- Fix description attribute of `network_device_groups_children_children`
+
## 0.1.1
- Fix issue with error due to missing settings for `allowed_protocols` and EAP-TLS stateless session resume
diff --git a/README.md b/README.md
index 6fa821d..6efde57 100644
--- a/README.md
+++ b/README.md
@@ -44,7 +44,7 @@ module "ise" {
| Name | Version |
|------|---------|
| [terraform](#requirement\_terraform) | >= 1.3.0 |
-| [ise](#requirement\_ise) | >= 0.1.14 |
+| [ise](#requirement\_ise) | >= 0.2.0 |
| [local](#requirement\_local) | >= 2.3.0 |
| [time](#requirement\_time) | >= 0.10.0 |
| [utils](#requirement\_utils) | >= 0.2.5 |
@@ -176,6 +176,7 @@ module "ise" {
| [ise_device_admin_policy_set.device_admin_policy_set_9](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_policy_set) | resource |
| [ise_device_admin_time_and_date_condition.device_admin_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_time_and_date_condition) | resource |
| [ise_downloadable_acl.downloadable_acl](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/downloadable_acl) | resource |
+| [ise_endpoint.endpoint](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/endpoint) | resource |
| [ise_endpoint_identity_group.endpoint_identity_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/endpoint_identity_group) | resource |
| [ise_identity_source_sequence.identity_source_sequences](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/identity_source_sequence) | resource |
| [ise_internal_user.internal_user](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/internal_user) | resource |
@@ -311,6 +312,7 @@ module "ise" {
| [ise_network_access_condition.network_access_condition_circular](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/network_access_condition) | data source |
| [ise_trustsec_security_group.trustsec_security_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/trustsec_security_group) | data source |
| [ise_trustsec_security_group_acl.trustsec_security_group_acl](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/trustsec_security_group_acl) | data source |
+| [ise_user_identity_group.user_identity_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/user_identity_group) | data source |
| [utils_yaml_merge.defaults](https://registry.terraform.io/providers/netascode/utils/latest/docs/data-sources/yaml_merge) | data source |
| [utils_yaml_merge.model](https://registry.terraform.io/providers/netascode/utils/latest/docs/data-sources/yaml_merge) | data source |
## Modules
diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml
index 0612f31..e444b1d 100644
--- a/defaults/defaults.yaml
+++ b/defaults/defaults.yaml
@@ -29,6 +29,9 @@ defaults:
send_configuration_to_device_using: DISABLE_ALL
include_when_deploying_sgt_updates: false
identity_management:
+ endpoints:
+ static_group_assignment_defined: true
+ static_profile_assignment_defined: true
internal_users:
enabled: true
change_password: true
diff --git a/ise_identity_management.tf b/ise_identity_management.tf
index 421df7e..e716d0f 100644
--- a/ise_identity_management.tf
+++ b/ise_identity_management.tf
@@ -5,6 +5,22 @@ resource "ise_user_identity_group" "user_identity_group" {
description = try(each.value.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
}
+locals {
+ user_identity_groups = distinct(flatten([
+ for user in try(local.ise.identity_management.internal_users, []) : [
+ for group in try(user.user_identity_groups, []) : group
+ ]
+ ]))
+}
+
+data "ise_user_identity_group" "user_identity_group" {
+ for_each = toset(local.user_identity_groups)
+
+ name = each.value
+
+ depends_on = [ise_user_identity_group.user_identity_group]
+}
+
resource "ise_internal_user" "internal_user" {
for_each = { for user in try(local.ise.identity_management.internal_users, []) : user.name => user }
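Review bot: The `depends_on = [ise_user_identity_group.user_identity_group]` on the new data source defers its read to apply time whenever any managed user identity group has a planned change, so `identity_groups` on every `ise_internal_user` is shown as known-after-apply in those plans and a misspelled or non-existent group name is only rejected at apply rather than at plan. Terraform's own guidance is to avoid `depends_on` in data blocks; a cleaner split is to resolve module-managed groups through the resource and only look up the names the module does not create, which removes the ordering dependency entirely. The `for_each` keys of the `ise_user_identity_group` resource are outside this hunk, so this assumes they are the group names, as the `[i]` indexing on the removed line in the next hunk suggests. The consumer in `ise_internal_user` would then become `try(ise_user_identity_group.user_identity_group[i].id, data.ise_user_identity_group.user_identity_group[i].id)`.
```hcl
locals {
  # Only look up groups this module does not create itself; module-managed
  # groups are resolved through the resource, so no depends_on is needed.
  user_identity_groups = distinct(flatten([
    for user in try(local.ise.identity_management.internal_users, []) : [
      for group in try(user.user_identity_groups, []) : group
      if !contains(keys(ise_user_identity_group.user_identity_group), group)
    ]
  ]))
}

data "ise_user_identity_group" "user_identity_group" {
  for_each = toset(local.user_identity_groups)

  name = each.value
}
```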
@@ -18,7 +34,7 @@ resource "ise_internal_user" "internal_user" {
first_name = try(each.value.first_name, local.defaults.ise.identity_management.internal_users.first_name, null)
last_name = try(each.value.last_name, local.defaults.ise.identity_management.internal_users.last_name, null)
change_password = try(each.value.change_password, local.defaults.ise.identity_management.internal_users.change_password, null)
- identity_groups = length(try(each.value.user_identity_groups, [])) > 0 ? join(",", [for i in try(each.value.user_identity_groups, []) : ise_user_identity_group.user_identity_group[i].id]) : null
+ identity_groups = length(try(each.value.user_identity_groups, [])) > 0 ? join(",", [for i in try(each.value.user_identity_groups, []) : data.ise_user_identity_group.user_identity_group[i].id]) : null
password_never_expires = try(each.value.password_never_expires, local.defaults.ise.identity_management.internal_users.password_never_expires, null)
password_id_store = try(each.value.password_id_store, local.defaults.ise.identity_management.internal_users.password_id_store, null)
@@ -26,24 +42,56 @@ resource "ise_internal_user" "internal_user" {
}
locals {
- endpoint_identity_groups = { for group in try(local.ise.identity_management.endpoint_identity_groups, []) : group.name => group }
- endpoint_identity_groups_with_parent = { for k, v in local.endpoint_identity_groups : k => v if try(v.parent_group, "") != "" }
+ endpoint_identity_groups = { for group in try(local.ise.identity_management.endpoint_identity_groups, []) : group.name => group }
+ endpoint_identity_groups_with_parent = [for k, v in local.endpoint_identity_groups : v.parent_group if try(v.parent_group, "") != ""]
+ endpoint_identity_groups_in_endpoints = [for endpoint in try(local.ise.identity_management.endpoints, []) : endpoint.endpoint_identity_group if try(endpoint.endpoint_identity_group, "") != ""]
}
data "ise_endpoint_identity_group" "endpoint_identity_group" {
- for_each = local.endpoint_identity_groups_with_parent
+ for_each = toset(concat(local.endpoint_identity_groups_with_parent, local.endpoint_identity_groups_in_endpoints))
- name = each.value.parent_group
+ name = each.value
}
resource "ise_endpoint_identity_group" "endpoint_identity_group" {
for_each = local.endpoint_identity_groups
name = each.key
- parent_endpoint_identity_group_id = try(data.ise_endpoint_identity_group.endpoint_identity_group[each.key].id, null)
+ parent_endpoint_identity_group_id = try(data.ise_endpoint_identity_group.endpoint_identity_group[each.value.parent_group].id, null)
description = try(each.value.description, local.defaults.ise.identity_management.endpoint_identity_groups.description, null)
}
+resource "ise_endpoint" "endpoint" {
+ for_each = { for endpoint in try(local.ise.identity_management.endpoints, []) : endpoint.mac => endpoint }
+
+ name = each.key
+ mac = each.key
+ description = try(each.value.description, local.defaults.ise.identity_management.endpoints.description, null)
+ static_profile_assignment = try(each.value.static_profile_assignment, local.defaults.ise.identity_management.endpoints.static_profile_assignment, null)
+ static_group_assignment = try(each.value.static_group_assignment, local.defaults.ise.identity_management.endpoints.static_group_assignment, null)
+ group_id = try(ise_endpoint_identity_group.endpoint_identity_group[each.value.endpoint_identity_group].id, data.ise_endpoint_identity_group.endpoint_identity_group[each.value.endpoint_identity_group].id, null)
+ static_profile_assignment_defined = try(each.value.static_profile_assignment_defined, local.defaults.ise.identity_management.endpoints.static_profile_assignment_defined, null)
+ static_group_assignment_defined = try(each.value.static_group_assignment_defined, local.defaults.ise.identity_management.endpoints.static_group_assignment_defined, null)
+ identity_store = try(each.value.identity_store, local.defaults.ise.identity_management.endpoints.identity_store, null)
+ identity_store_id = try(each.value.identity_store_id, local.defaults.ise.identity_management.endpoints.identity_store_id, null)
+ portal_user = try(each.value.portal_user, local.defaults.ise.identity_management.endpoints.portal_user, null)
+ profile_id = try(each.value.profile_id, local.defaults.ise.identity_management.endpoints.profile_id, null)
+ custom_attributes = try(each.value.custom_attributes, local.defaults.ise.identity_management.endpoints.custom_attributes, null)
+ mdm_compliance_status = try(each.value.mdm_attributes.compliance_status, local.defaults.ise.identity_management.endpoints.mdm_attributes.compliance_status, null)
+ mdm_encrypted = try(each.value.mdm_attributes.encrypted, local.defaults.ise.identity_management.endpoints.mdm_attributes.encrypted, null)
+ mdm_enrolled = try(each.value.mdm_attributes.enrolled, local.defaults.ise.identity_management.endpoints.mdm_attributes.enrolled, null)
+ mdm_imei = try(each.value.mdm_attributes.imei, local.defaults.ise.identity_management.endpoints.mdm_attributes.imei, null)
+ mdm_jail_broken = try(each.value.mdm_attributes.jail_broken, local.defaults.ise.identity_management.endpoints.mdm_attributes.jail_broken, null)
+ mdm_manufacturer = try(each.value.mdm_attributes.manufacturer, local.defaults.ise.identity_management.endpoints.mdm_attributes.manufacturer, null)
+ mdm_model = try(each.value.mdm_attributes.model, local.defaults.ise.identity_management.endpoints.mdm_attributes.model, null)
+ mdm_os = try(each.value.mdm_attributes.os, local.defaults.ise.identity_management.endpoints.mdm_attributes.os, null)
+ mdm_phone_number = try(each.value.mdm_attributes.phone_number, local.defaults.ise.identity_management.endpoints.mdm_attributes.phone_number, null)
+ mdm_pinlock = try(each.value.mdm_attributes.pin_lock, local.defaults.ise.identity_management.endpoints.mdm_attributes.pin_lock, null)
+ mdm_reachable = try(each.value.mdm_attributes.reachable, local.defaults.ise.identity_management.endpoints.mdm_attributes.reachable, null)
+ mdm_serial = try(each.value.mdm_attributes.serial, local.defaults.ise.identity_management.endpoints.mdm_attributes.serial, null)
+ mdm_server_name = try(each.value.mdm_attributes.server_name, local.defaults.ise.identity_management.endpoints.mdm_attributes.server_name, null)
+}
+
resource "ise_certificate_authentication_profile" "certificate_authentication_profile" {
for_each = { for profile in try(local.ise.identity_management.certificate_authentication_profiles, []) : profile.name => profile }
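Review bot: The new `endpoint_identity_groups_in_endpoints` local feeds every group referenced by an endpoint into the `data "ise_endpoint_identity_group"` lookup, including groups this module itself creates via `ise_endpoint_identity_group`; unlike the user-group data source added in the same commit there is no `depends_on` here, so on a first apply the data read runs before the resource exists and the plan fails instead of falling through to the `try()` on `group_id`. Exclude module-managed names from the lookup, e.g. `endpoint_identity_groups_in_endpoints = [for endpoint in try(local.ise.identity_management.endpoints, []) : endpoint.endpoint_identity_group if try(endpoint.endpoint_identity_group, "") != "" && !contains(keys(local.endpoint_identity_groups), endpoint.endpoint_identity_group)]` — the `try(resource…, data…, null)` on `group_id` already prefers the resource. Separately, `ise_endpoint` is keyed on `endpoint.mac` verbatim and passes it as both `name` and `mac`, so two model entries that differ only in case or separator would likely become two resources for the same physical endpoint; normalising the key (e.g. `upper(endpoint.mac)`) or adding a `precondition` on its format would catch that at plan time. Note also that `mdm_imei`, `mdm_serial` and `mdm_phone_number` end up in Terraform state in plaintext, which is a state-handling concern to document rather than a defect in this hunk.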
diff --git a/ise_network_resources.tf b/ise_network_resources.tf
index 3f132e2..f77d003 100644
--- a/ise_network_resources.tf
+++ b/ise_network_resources.tf
@@ -39,7 +39,7 @@ locals {
for c in try(p.children, []) : [
for c2 in try(c.children, []) : {
name = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${p.path}" : (try(p.path, null) == null ? "${p.name}#${p.name}#${c.name}#${c2.name}" : "${split("#", p.path)[0]}#${p.path}#${p.name}#${c.name}#${c2.name}")))
- description = try(c.description, local.defaults.ise.network_resources.network_device_groups.children.description, null)
+ description = try(c2.description, local.defaults.ise.network_resources.network_device_groups.children.description, null)
root_group = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", p.path)[0], p.name)))
}
]
diff --git a/versions.tf b/versions.tf
index 51d7858..5a581ac 100644
--- a/versions.tf
+++ b/versions.tf
@@ -4,7 +4,7 @@ terraform {
required_providers {
ise = {
source = "CiscoDevNet/ise"
- version = ">= 0.1.14"
+ version = ">= 0.2.0"
}
utils = {
source = "netascode/utils"