From aabb487fd09889f98d35b8beb6889344719d043d Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Sat, 27 Jan 2024 23:45:51 +0100 Subject: [PATCH 01/14] added active_directory resources --- defaults/defaults.yaml | 13 +++++ ise_identity_management.tf | 105 +++++++++++++++++++++++++++++++++++++ 2 files changed, 118 insertions(+) diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml index dc9541a..c840603 100644 --- a/defaults/defaults.yaml +++ b/defaults/defaults.yaml @@ -29,6 +29,19 @@ defaults: send_configuration_to_device_using: DISABLE_ALL include_when_deploying_sgt_updates: false identity_management: + active_directory: + ad_scopes_names: Default_Scope + enable_domain_allowed_list: true + enable_rewrites: false + enable_pass_change: true + enable_machine_auth: true + enable_machine_access: true + enable_dialin_permission_check: false + plaintext_auth: false + aging_time: 5 + enable_callback_for_dialin_client: false + enable_failed_auth_protection: false + failed_auth_threshold: 5 internal_users: enabled: true change_password: true diff --git a/ise_identity_management.tf b/ise_identity_management.tf index 1ab9dc2..5903f02 100644 --- a/ise_identity_management.tf +++ b/ise_identity_management.tf 
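Review bot: The new `active_directory` defaults do not define `ad_username` or `ad_password`, although the join-domain resource added in ise_identity_management.tf in this same patch falls back to `local.defaults.ise.identity_management.active_directory.ad_password`, so an entry that omits them ends up sending `null`. Keeping the join credential out of defaults.yaml is the right choice, but the intent should be stated; a comment on the `active_directory:` line such as `# ad_username / ad_password are deliberately not defaulted — supply them per entry from a sensitive source` would make that explicit. `failed_auth_threshold: 5` is presumably inert while `enable_failed_auth_protection: false`, which the same comment could note so readers do not assume a lockout is active by default.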
@@ -53,3 +53,108 @@ resource "ise_certificate_authentication_profile" "certificate_authentication_pr match_mode = try(each.value.match_mode, local.defaults.ise.identity_management.certificate_authentication_profiles.description, null) username_from = try(each.value.username_from, local.defaults.ise.identity_management.certificate_authentication_profiles.description, null) } + +resource "ise_active_directory_join_point" "active_directory_join_point" { + for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management } + + name = each.key + description = try(each.value.description, local.defaults.ise.identity_management.active_directory.description, null) + domain = try(each.value.domain, local.defaults.ise.identity_management.active_directory.domain, null) + ad_scopes_names = try(each.value.ad_scopes_names, local.defaults.ise.identity_management.active_directory.ad_scopes_names, null) + enable_domain_allowed_list = try(each.value.enable_domain_allowed_list, local.defaults.ise.identity_management.active_directory.enable_domain_allowed_list, null) + groups = [] + attributes = [for attr in try(each.value.attributes, []) : { + name = try(attr.name, null) + type = try(attr.type, local.defaults.ise.identity_management.active_directory.attributes.type, null) + internal_name = try(attr.internal_name, local.defaults.ise.identity_management.active_directory.attributes.internal_name, null) + default_value = try(attr.default_value, local.defaults.ise.identity_management.active_directory.attributes.default_value, null) + }] + rewrite_rules = [for rule in try(each.value.rewrite_rules, []) : { + row_id = try(rule.row_id, local.defaults.ise.identity_management.active_directory.rewrite_rules.row_id, null) + rewrite_match = try(rule.rewrite_match, local.defaults.ise.identity_management.active_directory.rewrite_rules.rewrite_match, null) + rewrite_result = try(rule.rewrite_result, 
local.defaults.ise.identity_management.active_directory.rewrite_rules.rewrite_result, null) + }] + enable_rewrites = try(each.value.enable_rewrites, local.defaults.ise.identity_management.active_directory.enable_rewrites, null) + enable_pass_change = try(each.value.enable_pass_change, local.defaults.ise.identity_management.active_directory.enable_pass_change, null) + enable_machine_auth = try(each.value.enable_machine_auth, local.defaults.ise.identity_management.active_directory.enable_machine_auth, null) + enable_machine_access = try(each.value.enable_machine_access, local.defaults.ise.identity_management.active_directory.enable_machine_access, null) + enable_dialin_permission_check = try(each.value.enable_dialin_permission_check, local.defaults.ise.identity_management.active_directory.enable_dialin_permission_check, null) + plaintext_auth = try(each.value.plaintext_auth, local.defaults.ise.identity_management.active_directory.plaintext_auth, null) + aging_time = try(each.value.aging_time, local.defaults.ise.identity_management.active_directory.aging_time, null) + enable_callback_for_dialin_client = try(each.value.enable_callback_for_dialin_client, local.defaults.ise.identity_management.active_directory.enable_callback_for_dialin_client, null) + identity_not_in_ad_behaviour = try(each.value.identity_not_in_ad_behaviour, local.defaults.ise.identity_management.active_directory.identity_not_in_ad_behaviour, null) + unreachable_domains_behaviour = try(each.value.unreachable_domains_behaviour, local.defaults.ise.identity_management.active_directory.unreachable_domains_behaviour, null) + schema = try(each.value.schema, local.defaults.ise.identity_management.active_directory.schema, null) + first_name = try(each.value.first_name, local.defaults.ise.identity_management.active_directory.first_name, null) + department = try(each.value.department, local.defaults.ise.identity_management.active_directory.department, null) + last_name = try(each.value.last_name, 
local.defaults.ise.identity_management.active_directory.last_name, null) + organizational_unit = try(each.value.organizational_unit, local.defaults.ise.identity_management.active_directory.organizational_unit, null) + job_title = try(each.value.job_title, local.defaults.ise.identity_management.active_directory.job_title, null) + locality = try(each.value.locality, local.defaults.ise.identity_management.active_directory.locality, null) + email = try(each.value.email, local.defaults.ise.identity_management.active_directory.email, null) + state_or_province = try(each.value.state_or_province, local.defaults.ise.identity_management.active_directory.state_or_province, null) + telephone = try(each.value.telephone, local.defaults.ise.identity_management.active_directory.telephone, null) + country = try(each.value.country, local.defaults.ise.identity_management.active_directory.country, null) + street_address = try(each.value.street_address, local.defaults.ise.identity_management.active_directory.street_address, null) + enable_failed_auth_protection = try(each.value.enable_failed_auth_protection, local.defaults.ise.identity_management.active_directory.enable_failed_auth_protection, null) + failed_auth_threshold = try(each.value.failed_auth_threshold, local.defaults.ise.identity_management.active_directory.failed_auth_threshold, null) + auth_protection_type = try(each.value.auth_protection_type, local.defaults.ise.identity_management.active_directory.auth_protection_type, null) +} + +resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_join_domain_with_all_nodes" { + for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management } + + join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id + additional_data = [ + { + name = "username" + value = try(each.value.ad_username, local.defaults.ise.identity_management.active_directory.ad_username, null) + }, + { 
+ name = "password" + value = try(each.value.ad_password, local.defaults.ise.identity_management.active_directory.ad_password, null) + } + ] + + depends_on = [ise_active_directory_join_point.active_directory_join_point] +} + +data "ise_active_directory_groups_by_domain" "all_groups" { + for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management } + + join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id + domain = try(each.value.domain, local.defaults.ise.identity_management.active_directory.domain, null) + + depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes] +} + +locals { + active_directory_groups_all = { + for k, v in ise_active_directory_groups_by_domain.all_groups : + k => { for group in v.groups : group.name => group } + } + + active_directory_groups = { + for ad in try(local.ise.identity_management.active_directory, []) : ad.name => [ + for group in ad.groups : { + name = group + type = try(local.active_directory_groups_all[ad.name][group].type, null) + sid = try(local.active_directory_groups_all[ad.name][group].sid, null) + } + ] + } +} + +resource "ise_active_directory_add_groups" "active_directory_groups" { + for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management } + + join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id + name = ise_active_directory_join_point.active_directory_join_point[each.key].name + description = ise_active_directory_join_point.active_directory_join_point[each.key].description + domain = ise_active_directory_join_point.active_directory_join_point[each.key].domain + ad_scopes_names = ise_active_directory_join_point.active_directory_join_point[each.key].ad_scopes_names + enable_domain_allowed_list = 
ise_active_directory_join_point.active_directory_join_point[each.key].enable_domain_allowed_list + groups = try(local.active_directory_groups, local.defaults.ise.identity_management.active_directory.groups, null) + + depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes] +} \ No newline at end of file From aa2da0dc53097e21d5155fb13f178fbb7897c5ce Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Sun, 28 Jan 2024 15:06:58 +0000 Subject: [PATCH 02/14] fix dependencies --- ise_device_admin.tf | 202 ++++++++++++++++++------------------ ise_identity_management.tf | 8 +- ise_network_access.tf | 204 +++++++++++++++++++------------------ versions.tf | 2 +- 4 files changed, 212 insertions(+), 204 deletions(-) diff --git a/ise_device_admin.tf b/ise_device_admin.tf index 27d8fbf..f41e96a 100644 --- a/ise_device_admin.tf +++ b/ise_device_admin.tf @@ -48,6 +48,8 @@ resource "ise_device_admin_condition" "device_admin_condition" { id = try(c2.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) == "ConditionReference" ? data.ise_device_admin_condition.device_admin_condition_circular[c2.name].id : null }] }] + + depends_on = [ise_active_directory_add_groups.active_directory_groups] } resource "ise_allowed_protocols_tacacs" "allowed_protocols_tacacs" { @@ -214,7 +216,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_0" { rank = each.value.rank children = each.value.children - depends_on = [ise_allowed_protocols_tacacs.allowed_protocols_tacacs] + depends_on = [ise_allowed_protocols_tacacs.allowed_protocols_tacacs, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_1" { 
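Review bot: `groups = try(local.active_directory_groups, local.defaults.ise.identity_management.active_directory.groups, null)` in `ise_active_directory_add_groups` passes the whole per-join-point map to every instance rather than this join point's own list, and since the local always exists the `try` never reaches its fallbacks; it should be `groups = try(local.active_directory_groups[each.key], local.defaults.ise.identity_management.active_directory.groups, null)`. The `locals` block that builds that map iterates `ad.groups` directly, so an AD entry without a `groups` key fails at plan time while every other list in this hunk is optional; `for group in try(ad.groups, []) : {` keeps it consistent. The join password in `ise_active_directory_join_domain_with_all_nodes` is taken from the YAML model and will appear in plan output and state in clear text unless the provider marks `additional_data` sensitive; wrapping it as `value = sensitive(try(each.value.ad_password, local.defaults.ise.identity_management.active_directory.ad_password, null))` and documenting that it should come from a sensitive variable would limit exposure. The `try()` chains for `description` and `domain` reference defaults keys that the accompanying defaults.yaml hunk does not add, which is harmless here but worth a comment so the fallback is not mistaken for a real default.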
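Review bot: The `depends_on` edge added to `ise_device_admin_policy_set.device_admin_policy_set_1` through `_19` in the `@@ -214` hunk and the following ones (and to the `_1` through `_19` authentication and authorization rules further down) is redundant: each of those resources already depends on its predecessor, and the `_0` resource now depends on `ise_active_directory_add_groups.active_directory_groups`, so the ordering is already reached transitively. Keeping the explicit edge only on `ise_device_admin_condition` and the three `_0` resources would express the same constraint with far less churn, if I am reading the chain correctly. The new `depends_on` in `ise_device_admin_condition` would benefit from a why-comment, since nothing in the resource references the AD groups directly; `# AD groups must be imported before conditions and rules can reference them` above it would record the reason for the hard ordering. The enclosing resource blocks start outside each hunk.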
@@ -235,7 +237,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_1" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_0] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_0, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_2" { @@ -256,7 +258,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_2" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_1] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_1, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_3" { @@ -277,7 +279,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_3" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_2] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_2, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_4" { @@ -298,7 +300,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_4" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_3] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_3, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_5" { 
@@ -319,7 +321,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_5" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_4] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_4, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_6" { @@ -340,7 +342,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_6" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_5] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_5, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_7" { @@ -361,7 +363,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_7" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_6] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_6, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_8" { @@ -382,7 +384,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_8" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_7] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_7, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_9" { 
@@ -403,7 +405,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_9" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_8] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_8, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_10" { @@ -424,7 +426,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_10" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_9] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_9, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_11" { @@ -445,7 +447,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_11" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_10] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_10, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_12" { @@ -466,7 +468,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_12" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_11] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_11, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_13" { 
@@ -487,7 +489,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_13" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_12] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_12, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_14" { @@ -508,7 +510,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_14" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_13] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_13, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_15" { @@ -529,7 +531,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_15" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_14] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_14, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_16" { @@ -550,7 +552,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_16" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_15] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_15, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_17" { 
@@ -571,7 +573,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_17" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_16] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_16, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_18" { @@ -592,7 +594,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_18" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_17] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_17, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_policy_set" "device_admin_policy_set_19" { @@ -613,7 +615,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_19" { rank = each.value.rank children = each.value.children - depends_on = [ise_device_admin_policy_set.device_admin_policy_set_18] + depends_on = [ise_device_admin_policy_set.device_admin_policy_set_18, ise_active_directory_add_groups.active_directory_groups] } locals { @@ -705,6 +707,8 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_process_fail = each.value.if_process_fail if_user_not_found = each.value.if_user_not_found children = each.value.children + + depends_on = [ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_1" { 
@@ -728,7 +732,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_0] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_0, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_2" { @@ -752,7 +756,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_1] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_1, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_3" { @@ -776,7 +780,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_2] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_2, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_4" { 
@@ -800,7 +804,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_3] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_3, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_5" { @@ -824,7 +828,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_4] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_4, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_6" { @@ -848,7 +852,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_5] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_5, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_7" { 
@@ -872,7 +876,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_6] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_6, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_8" { @@ -896,7 +900,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_7] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_7, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_9" { @@ -920,7 +924,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_8] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_8, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_10" { 
@@ -944,7 +948,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_9] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_9, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_11" { @@ -968,7 +972,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_10] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_10, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_12" { @@ -992,7 +996,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_11] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_11, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_13" { 
@@ -1016,7 +1020,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_12] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_12, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_14" { @@ -1040,7 +1044,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_13] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_13, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_15" { @@ -1064,7 +1068,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_14] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_14, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_16" { 
@@ -1088,7 +1092,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_15] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_15, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_17" { @@ -1112,7 +1116,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_16] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_16, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_18" { @@ -1136,7 +1140,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_17] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_17, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_19" { 
@@ -1160,7 +1164,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul if_user_not_found = each.value.if_user_not_found children = each.value.children - depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_18] + depends_on = [ise_device_admin_authentication_rule.device_admin_authentication_rule_18, ise_active_directory_add_groups.active_directory_groups] } # Workaround for ISE API issue where deleting a TACACS profile or command set immediately after deleting an object using it fails @@ -1237,7 +1241,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait] + depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_1" { @@ -1259,7 +1263,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_0] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_0, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_2" { 
@@ -1281,7 +1285,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_1] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_1, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_3" { @@ -1303,7 +1307,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_2] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_2, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_4" { @@ -1325,7 +1329,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_3] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_3, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_5" { @@ -1347,7 +1351,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_4] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_4, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_6" { 
@@ -1369,7 +1373,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_5] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_5, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_7" { @@ -1391,7 +1395,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_6] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_6, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_8" { @@ -1413,7 +1417,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_7] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_7, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_9" { @@ -1435,7 +1439,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ command_sets = each.value.command_sets children = each.value.children - depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_8] + depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_8, ise_active_directory_add_groups.active_directory_groups] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_10" { 
@@ -1457,7 +1461,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_9]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_11" {
@@ -1479,7 +1483,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_10]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_12" {
@@ -1501,7 +1505,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_11]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_11, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_13" {
@@ -1523,7 +1527,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_12]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_12, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_14" {
@@ -1545,7 +1549,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_13]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_13, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_15" {
@@ -1567,7 +1571,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_14]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_14, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_16" {
@@ -1589,7 +1593,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_15]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_15, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_17" {
@@ -1611,7 +1615,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_16]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_16, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_18" {
@@ -1633,7 +1637,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_17]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_17, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_19" {
@@ -1655,7 +1659,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_18]
+ depends_on = [ise_device_admin_authorization_rule.device_admin_authorization_rule_18, ise_active_directory_add_groups.active_directory_groups]
 }
 locals {
@@ -1722,7 +1726,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait]
+ depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_1" {
@@ -1744,7 +1748,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_0]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_0, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_2" {
@@ -1766,7 +1770,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_1]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_1, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_3" {
@@ -1788,7 +1792,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_2]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_2, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_4" {
@@ -1810,7 +1814,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_3]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_3, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_5" {
@@ -1832,7 +1836,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_4]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_4, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_6" {
@@ -1854,7 +1858,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_5]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_5, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_7" {
@@ -1876,7 +1880,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_6]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_6, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_8" {
@@ -1898,7 +1902,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_7]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_7, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_9" {
@@ -1920,7 +1924,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_8]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_8, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_10" {
@@ -1942,7 +1946,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_9]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_11" {
@@ -1964,7 +1968,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_10]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_12" {
@@ -1986,7 +1990,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_11]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_11, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_13" {
@@ -2008,7 +2012,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_12]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_12, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_14" {
@@ -2030,7 +2034,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_13]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_13, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_15" {
@@ -2052,7 +2056,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_14]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_14, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_16" {
@@ -2074,7 +2078,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_15]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_15, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_17" {
@@ -2096,7 +2100,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_16]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_16, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_18" {
@@ -2118,7 +2122,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_17]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_17, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_19" {
@@ -2140,7 +2144,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_18]
+ depends_on = [ise_device_admin_authorization_exception_rule.device_admin_authorization_exception_rule_18, ise_active_directory_add_groups.active_directory_groups]
 }
 locals {
@@ -2202,7 +2206,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait]
+ depends_on = [ise_tacacs_profile.tacacs_profile, ise_tacacs_command_set.tacacs_command_set, time_sleep.device_admin_policy_object_wait, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_1" {
@@ -2223,7 +2227,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_0]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_0, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_2" {
@@ -2244,7 +2248,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_1]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_1, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_3" {
@@ -2265,7 +2269,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_2]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_2, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_4" {
@@ -2286,7 +2290,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_3]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_3, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_5" {
@@ -2307,7 +2311,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_4]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_4, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_6" {
@@ -2328,7 +2332,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_5]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_5, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_7" {
@@ -2349,7 +2353,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_6]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_6, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_8" {
@@ -2370,7 +2374,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_7]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_7, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_9" {
@@ -2391,7 +2395,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_8]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_8, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_10" {
@@ -2412,7 +2416,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_9]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_11" {
@@ -2433,7 +2437,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_10]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_12" {
@@ -2454,7 +2458,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_11]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_11, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_13" {
@@ -2475,7 +2479,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_12]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_12, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_14" {
@@ -2496,7 +2500,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_13]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_13, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_15" {
@@ -2517,7 +2521,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_14]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_14, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_16" {
@@ -2538,7 +2542,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_15]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_15, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_17" {
@@ -2559,7 +2563,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_16]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_16, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_18" {
@@ -2580,7 +2584,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_17]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_17, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_19" {
@@ -2601,5 +2605,5 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 command_sets = each.value.command_sets
 children = each.value.children
- depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_18]
+ depends_on = [ise_device_admin_authorization_global_exception_rule.device_admin_authorization_global_exception_rule_18, ise_active_directory_add_groups.active_directory_groups]
 }
diff --git a/ise_identity_management.tf b/ise_identity_management.tf
index 5903f02..2f34630 100644
--- a/ise_identity_management.tf
+++ b/ise_identity_management.tf
@@ -130,8 +130,8 @@ data "ise_active_directory_groups_by_domain" "all_groups" {
 locals {
 active_directory_groups_all = {
- for k, v in ise_active_directory_groups_by_domain.all_groups :
- k => { for group in v.groups : group.name => group }
+ for k, v in data.ise_active_directory_groups_by_domain.all_groups :
+ k => { for group in v.groups : group.name => group } if var.manage_identity_management
 }
 active_directory_groups = {
@@ -141,7 +141,7 @@ locals {
 type = try(local.active_directory_groups_all[ad.name][group].type, null)
 sid = try(local.active_directory_groups_all[ad.name][group].sid, null)
 }
- ]
+ ] if var.manage_identity_management
 }
 }
@@ -154,7 +154,7 @@ resource "ise_active_directory_add_groups" "active_directory_groups" {
 domain = ise_active_directory_join_point.active_directory_join_point[each.key].domain
 ad_scopes_names = ise_active_directory_join_point.active_directory_join_point[each.key].ad_scopes_names
 enable_domain_allowed_list = ise_active_directory_join_point.active_directory_join_point[each.key].enable_domain_allowed_list
- groups = try(local.active_directory_groups, local.defaults.ise.identity_management.active_directory.groups, null)
+ groups = try(local.active_directory_groups[each.key], local.defaults.ise.identity_management.active_directory.groups, null)
 depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
 }
\ No newline at end of file
diff --git a/ise_network_access.tf b/ise_network_access.tf
index fbd8224..e61dc0e 100644
--- a/ise_network_access.tf
+++ b/ise_network_access.tf
@@ -122,7 +122,7 @@ resource "ise_authorization_profile" "authorization_profile" {
 create_before_destroy = true
 }
- depends_on = [ise_downloadable_acl.downloadable_acl]
+ depends_on = [ise_downloadable_acl.downloadable_acl, ise_active_directory_add_groups.active_directory_groups]
 }
 locals {
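Review bot: In the `@@ -141,7 +141,7 @@` hunk the `type` and `sid` lookups into `local.active_directory_groups_all[ad.name][group]` are wrapped in `try(..., null)`, so a group name in the inventory that is not present in the domain's group listing is handed to `ise_active_directory_add_groups` with a null SID instead of failing the plan; the new `if var.manage_identity_management` filter does not change that. Since the SID is presumably what later policy conditions match on, a misspelled or removed group is better surfaced at plan time than silently turned into a mapping that matches nothing. Dropping the wrapper, `sid = local.active_directory_groups_all[ad.name][group].sid` (and likewise for `type`), makes Terraform report the unknown key with the offending group name. The `for` comprehension these lines belong to starts outside the hunk.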
@@ -175,6 +175,8 @@ resource "ise_network_access_condition" "network_access_condition" {
 id = try(c2.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) == "ConditionReference" ? data.ise_network_access_condition.network_access_condition_circular[c2.name].id : null
 }]
 }]
+
+ depends_on = [ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_downloadable_acl" "downloadable_acl" {
@@ -324,7 +326,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_0" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_authorization_profile.authorization_profile, ise_allowed_protocols.allowed_protocols]
+ depends_on = [ise_authorization_profile.authorization_profile, ise_allowed_protocols.allowed_protocols, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_1" {
@@ -345,7 +347,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_1" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_0]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_0, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_2" {
@@ -366,7 +368,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_2" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_1]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_1, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_3" {
@@ -387,7 +389,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_3" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_2]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_2, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_4" {
@@ -408,7 +410,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_4" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_3]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_3, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_5" {
@@ -429,7 +431,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_5" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_4]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_4, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_6" {
@@ -450,7 +452,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_6" {
 rank = each.value.rank
 children = each.value.children
- depends_on = [ise_network_access_policy_set.network_access_policy_set_5]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_5, ise_active_directory_add_groups.active_directory_groups]
 }
 resource "ise_network_access_policy_set" "network_access_policy_set_7" {
@@ -471,7 +473,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_7" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_6]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_6, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_8" {
@@ -492,7 +494,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_8" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_7]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_7, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_9" {
@@ -513,7 +515,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_9" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_8]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_8, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_10" {
@@ -534,7 +536,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_10" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_9]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_9, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_11" {
@@ -555,7 +557,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_11" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_10]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_10, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_12" {
@@ -576,7 +578,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_12" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_11]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_11, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_13" {
@@ -597,7 +599,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_13" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_12]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_12, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_14" {
@@ -618,7 +620,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_14" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_13]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_13, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_15" {
@@ -639,7 +641,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_15" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_14]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_14, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_16" {
@@ -660,7 +662,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_16" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_15]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_15, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_17" {
@@ -681,7 +683,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_17" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_16]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_16, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_18" {
@@ -702,7 +704,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_18" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_17]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_17, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_policy_set" "network_access_policy_set_19" {
@@ -723,7 +725,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_19" {
 rank = each.value.rank
 children = each.value.children
 
- depends_on = [ise_network_access_policy_set.network_access_policy_set_18]
+ depends_on = [ise_network_access_policy_set.network_access_policy_set_18, ise_active_directory_add_groups.active_directory_groups]
 }
 
 locals {
@@ -815,6 +817,8 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_process_fail = each.value.if_process_fail
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
+
+ depends_on = [ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_1" {
@@ -838,7 +842,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_0]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_0, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_2" {
@@ -862,7 +866,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_1]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_1, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_3" {
@@ -886,7 +890,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_2]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_2, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_4" {
@@ -910,7 +914,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_3]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_3, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_5" {
@@ -934,7 +938,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_4]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_4, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_6" {
@@ -958,7 +962,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_5]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_5, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_7" {
@@ -982,7 +986,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_6]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_6, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_8" {
@@ -1006,7 +1010,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_7]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_7, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_9" {
@@ -1030,7 +1034,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_8]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_8, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_10" {
@@ -1054,7 +1058,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_9]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_11" {
@@ -1078,7 +1082,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_10]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_12" {
@@ -1102,7 +1106,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_11]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_11, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_13" {
@@ -1126,7 +1130,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_12]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_12, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_14" {
@@ -1150,7 +1154,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_13]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_13, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_15" {
@@ -1174,7 +1178,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_14]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_14, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_16" {
@@ -1198,7 +1202,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_15]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_15, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_17" {
@@ -1222,7 +1226,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_16]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_16, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_18" {
@@ -1246,7 +1250,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_17]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_17, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_19" {
@@ -1270,7 +1274,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 if_user_not_found = each.value.if_user_not_found
 children = each.value.children
 
- depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_18]
+ depends_on = [ise_network_access_authentication_rule.network_access_authentication_rule_18, ise_active_directory_add_groups.active_directory_groups]
 }
 
 locals {
@@ -1337,7 +1341,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group]
+ depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_1" {
@@ -1359,7 +1363,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_0]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_0, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_2" {
@@ -1381,7 +1385,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_1]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_1, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_3" {
@@ -1403,7 +1407,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_2]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_2, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_4" {
@@ -1425,7 +1429,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_3]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_3, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_5" {
@@ -1447,7 +1451,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_4]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_4, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_6" {
@@ -1469,7 +1473,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_5]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_5, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_7" {
@@ -1491,7 +1495,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_6]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_6, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_8" {
@@ -1513,7 +1517,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_7]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_7, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_9" {
@@ -1535,7 +1539,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_8]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_8, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_10" {
@@ -1557,7 +1561,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_9]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_11" {
@@ -1579,7 +1583,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_10]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_12" {
@@ -1601,7 +1605,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_11]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_11, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_13" {
@@ -1623,7 +1627,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_12]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_12, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_14" {
@@ -1645,7 +1649,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_13]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_13, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_15" {
@@ -1667,7 +1671,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_14]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_14, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_16" {
@@ -1689,7 +1693,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_15]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_15, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_17" {
@@ -1711,7 +1715,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_16]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_16, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_18" {
@@ -1733,7 +1737,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_17]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_17, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_19" {
@@ -1755,7 +1759,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_18]
+ depends_on = [ise_network_access_authorization_rule.network_access_authorization_rule_18, ise_active_directory_add_groups.active_directory_groups]
 }
 
 locals {
@@ -1822,7 +1826,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group]
+ depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_1" {
@@ -1844,7 +1848,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_0]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_0, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_2" {
@@ -1866,7 +1870,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_1]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_1, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_3" {
@@ -1888,7 +1892,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_2]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_2, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_4" {
@@ -1910,7 +1914,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_3]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_3, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_5" {
@@ -1932,7 +1936,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_4]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_4, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_6" {
@@ -1954,7 +1958,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_5]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_5, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_7" {
@@ -1976,7 +1980,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_6]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_6, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_8" {
@@ -1998,7 +2002,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_7]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_7, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_9" {
@@ -2020,7 +2024,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_8]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_8, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_10" {
@@ -2042,7 +2046,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_9]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_9, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_11" {
@@ -2064,7 +2068,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 security_group = each.value.security_group
 children = each.value.children
 
- depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_10]
+ depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_10, ise_active_directory_add_groups.active_directory_groups]
 }
 
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_12" {
@@ -2086,7 +2090,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_11] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_13" { @@ -2108,7 +2112,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_12] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_14" { @@ -2130,7 +2134,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_13] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_15" { 
@@ -2152,7 +2156,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_14] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_16" { @@ -2174,7 +2178,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_15] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_17" { @@ -2196,7 +2200,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_16] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_18" { 
@@ -2218,7 +2222,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_17] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_19" { @@ -2240,7 +2244,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_18] + depends_on = [ise_network_access_authorization_exception_rule.network_access_authorization_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] } locals { @@ -2302,7 +2306,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group] + depends_on = [ise_authorization_profile.authorization_profile, ise_trustsec_security_group.trustsec_security_group, time_sleep.sgt_wait, ise_endpoint_identity_group.endpoint_identity_group, ise_user_identity_group.user_identity_group, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_1" { 
@@ -2323,7 +2327,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_0] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_0, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_2" { @@ -2344,7 +2348,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_1] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_1, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_3" { @@ -2365,7 +2369,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_2] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_2, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_4" { 
@@ -2386,7 +2390,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_3] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_3, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_5" { @@ -2407,7 +2411,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_4] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_4, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_6" { @@ -2428,7 +2432,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_5] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_5, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_7" { 
@@ -2449,7 +2453,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_6] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_6, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_8" { @@ -2470,7 +2474,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_7] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_7, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_9" { @@ -2491,7 +2495,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_8] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_8, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_10" { 
@@ -2512,7 +2516,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_9] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_9, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_11" { @@ -2533,7 +2537,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_10] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_10, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_12" { @@ -2554,7 +2558,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_11] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_11, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_13" { 
@@ -2575,7 +2579,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_12] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_12, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_14" { @@ -2596,7 +2600,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_13] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_13, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_15" { @@ -2617,7 +2621,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_14] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_14, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_16" { 
@@ -2638,7 +2642,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_15] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_15, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_17" { @@ -2659,7 +2663,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_16] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_16, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_18" { @@ -2680,7 +2684,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_17] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_17, ise_active_directory_add_groups.active_directory_groups] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_19" { 
@@ -2701,5 +2705,5 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces security_group = each.value.security_group children = each.value.children - depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_18] + depends_on = [ise_network_access_authorization_global_exception_rule.network_access_authorization_global_exception_rule_18, ise_active_directory_add_groups.active_directory_groups] } diff --git a/versions.tf b/versions.tf index fe9b154..017fbae 100644 --- a/versions.tf +++ b/versions.tf @@ -4,7 +4,7 @@ terraform { required_providers { ise = { source = "CiscoDevNet/ise" - version = ">= 0.1.8" + version = ">= 0.1.12" } utils = { source = "netascode/utils" From eb9e5fffefd2b487463423264778dd78e1749463 Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Sun, 28 Jan 2024 23:36:06 +0100 Subject: [PATCH 03/14] fixed example and make sleep objects dependant on manage flags --- README.md | 11 ++++++++--- examples/network_access_condition/README.md | 5 +++-- examples/network_access_condition/main.tf | 2 ++ .../network_access_condition.yaml | 3 +-- ise_device_admin.tf | 2 ++ ise_network_resources.tf | 2 ++ ise_trustsec.tf | 2 ++ 7 files changed, 20 insertions(+), 7 deletions(-) diff --git a/README.md b/README.md index ae348ec..21db1a5 100644 --- a/README.md +++ b/README.md @@ -22,8 +22,7 @@ ise: - name: CertificateNotExpired type: LibraryConditionAttributes is_negate: false - dictionary_name: CERTIFICATE - attribute_name: Is Expired + attribute_name: CERTIFICATE:Is Expired operator: equals attribute_value: "False" ``` @@ -35,6 +34,8 @@ module "ise" { source = "netascode/nac-ise/ise" version = ">= 0.1.0" + manage_network_access = true + yaml_files = ["network_access_condition.yaml"] } ``` 
@@ -44,7 +45,7 @@ module "ise" { | Name | Version | |------|---------| | [terraform](#requirement\_terraform) | >= 1.3.0 | -| [ise](#requirement\_ise) | >= 0.1.8 | +| [ise](#requirement\_ise) | >= 0.1.12 | | [local](#requirement\_local) | >= 2.3.0 | | [time](#requirement\_time) | >= 0.10.0 | | [utils](#requirement\_utils) | >= 0.2.5 | @@ -72,6 +73,9 @@ module "ise" { | Name | Type | |------|------| +| [ise_active_directory_add_groups.active_directory_groups](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_add_groups) | resource | +| [ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_join_domain_with_all_nodes) | resource | +| [ise_active_directory_join_point.active_directory_join_point](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/active_directory_join_point) | resource | | [ise_allowed_protocols.allowed_protocols](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols) | resource | | [ise_allowed_protocols_tacacs.allowed_protocols_tacacs](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/allowed_protocols_tacacs) | resource | | [ise_authorization_profile.authorization_profile](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/authorization_profile) | resource | 
@@ -305,6 +309,7 @@ module "ise" { | [time_sleep.device_admin_policy_object_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.network_device_group_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | | [time_sleep.sgt_wait](https://registry.terraform.io/providers/hashicorp/time/latest/docs/resources/sleep) | resource | +| [ise_active_directory_groups_by_domain.all_groups](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/active_directory_groups_by_domain) | data source | | [ise_device_admin_condition.device_admin_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/device_admin_condition) | data source | | [ise_device_admin_condition.device_admin_condition_circular](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/device_admin_condition) | data source | | [ise_endpoint_identity_group.endpoint_identity_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/data-sources/endpoint_identity_group) | data source | diff --git a/examples/network_access_condition/README.md b/examples/network_access_condition/README.md index 744c900..c919f7f 100644 --- a/examples/network_access_condition/README.md +++ b/examples/network_access_condition/README.md @@ -30,8 +30,7 @@ ise: - name: CertificateNotExpired type: LibraryConditionAttributes is_negate: false - dictionary_name: CERTIFICATE - attribute_name: Is Expired + attribute_name: CERTIFICATE:Is Expired operator: equals attribute_value: "False" ``` @@ -43,6 +42,8 @@ module "ise" { source = "netascode/nac-ise/ise" version = ">= 0.1.0" + manage_network_access = true + yaml_files = ["network_access_condition.yaml"] } ``` diff --git a/examples/network_access_condition/main.tf b/examples/network_access_condition/main.tf index c5f145e..216461a 100644 --- a/examples/network_access_condition/main.tf 
+++ b/examples/network_access_condition/main.tf
@@ -2,5 +2,7 @@ module "ise" {
 source = "netascode/nac-ise/ise"
 version = ">= 0.1.0"
+ manage_network_access = true
+
 yaml_files = ["network_access_condition.yaml"]
 }
diff --git a/examples/network_access_condition/network_access_condition.yaml b/examples/network_access_condition/network_access_condition.yaml
index 03b8c1d..072ce83 100644
--- a/examples/network_access_condition/network_access_condition.yaml
+++ b/examples/network_access_condition/network_access_condition.yaml
@@ -6,7 +6,6 @@ ise:
 - name: CertificateNotExpired
 type: LibraryConditionAttributes
 is_negate: false
- dictionary_name: CERTIFICATE
- attribute_name: Is Expired
+ attribute_name: CERTIFICATE:Is Expired
 operator: equals
 attribute_value: "False"
diff --git a/ise_device_admin.tf b/ise_device_admin.tf
index f41e96a..27a35ef 100644
--- a/ise_device_admin.tf
+++ b/ise_device_admin.tf
@@ -1169,6 +1169,8 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 # Workaround for ISE API issue where deleting a TACACS profile or command set immediately after deleting an object using it fails
 resource "time_sleep" "device_admin_policy_object_wait" {
+ count = var.manage_device_administration ? 1 : 0
+
 destroy_duration = "5s"
 depends_on = [
diff --git a/ise_network_resources.tf b/ise_network_resources.tf
index ea2bc5f..80391c9 100644
--- a/ise_network_resources.tf
+++ b/ise_network_resources.tf
@@ -136,6 +136,8 @@ resource "ise_network_device_group" "network_device_group_5" {
 # Workaround for ISE API issue where creating/deleting a network device immediately after creating/deleting a network device group fails
 resource "time_sleep" "network_device_group_wait" {
+ count = var.manage_network_resources ? 1 : 0
+
 create_duration = "5s"
 destroy_duration = "5s"
diff --git a/ise_trustsec.tf b/ise_trustsec.tf
index 346adca..70f1681 100644
--- a/ise_trustsec.tf
+++ b/ise_trustsec.tf
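Review bot: Adding `count` to `time_sleep.device_admin_policy_object_wait` moves it to the indexed address `time_sleep.device_admin_policy_object_wait[0]`, so an existing state will plan a destroy of the old instance (paying the 5s `destroy_duration`) and a create of the new one on the first apply after upgrading; the same applies to `time_sleep.network_device_group_wait` in the next hunk. Since the module already declares Terraform `>= 1.3.0`, a `moved { from = time_sleep.device_admin_policy_object_wait to = time_sleep.device_admin_policy_object_wait[0] }` block beside each sleeper keeps that upgrade plan empty. The `depends_on = [` list that ties this sleeper to the TACACS profiles and command sets continues past the hunk, so whether those resources are gated by the same `manage_device_administration` flag cannot be confirmed from here; if they are not, the destroy guard would be skipped while the objects it protects are still deleted.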
@@ -67,6 +67,8 @@ resource "ise_trustsec_ip_to_sgt_mapping" "trustsec_ip_to_sgt_mapping" {
 # Workaround for ISE API issue where deleting an SGT immediately after deleting an object using this SGT fails
 resource "time_sleep" "sgt_wait" {
+ count = var.manage_trust_sec ? 1 : 0
+
 destroy_duration = "10s"
 depends_on = [ise_trustsec_security_group.trustsec_security_group]
From 2ccd7541bab53aadcb08cd50440fff843625c383 Mon Sep 17 00:00:00 2001
From: Daniel Schmidt <79086712+danischm@users.noreply.github.com>
Date: Sat, 3 Feb 2024 16:47:44 +0100
Subject: [PATCH 04/14] Update README.md
---
 README.md | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
diff --git a/README.md b/README.md
index 21db1a5..35afda8 100644
--- a/README.md
+++ b/README.md
@@ -34,9 +34,9 @@ module "ise" {
 source = "netascode/nac-ise/ise"
 version = ">= 0.1.0"
- manage_network_access = true
-
 yaml_files = ["network_access_condition.yaml"]
+
+ manage_network_access = true
 }
 ```
@@ -322,4 +322,4 @@ module "ise" {
 ## Modules
 No modules.
-
\ No newline at end of file
+
From c760f03b4cb41ea0e72a70da399fdc40fb50908a Mon Sep 17 00:00:00 2001
From: Daniel Schmidt <79086712+danischm@users.noreply.github.com>
Date: Sat, 3 Feb 2024 16:49:11 +0100
Subject: [PATCH 05/14] Update defaults.yaml
---
 defaults/defaults.yaml | 13 -------------
 1 file changed, 13 deletions(-)
diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml
index c840603..dc9541a 100644
--- a/defaults/defaults.yaml
+++ b/defaults/defaults.yaml
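Review bot: `time_sleep.sgt_wait` is consumed elsewhere in this patch through `depends_on` (the global exception rule hunk earlier lists `time_sleep.sgt_wait` next to `ise_trustsec_security_group.trustsec_security_group`), and an unindexed address stays valid there after `count` is added, but any value reference such as `time_sleep.sgt_wait.id` in parts of the module not shown would now need `[0]` and should be grepped for before merge. Those consumers appear to be gated by a manage flag other than `var.manage_trust_sec`, so with TrustSec unmanaged the sleeper has zero instances and the 10s destroy guard is simply absent; that is only safe if `ise_trustsec_security_group.trustsec_security_group` is gated by the same flag (likely, but outside this hunk), and a one-line comment `# Zero instances when TrustSec is not managed here: this module then deletes no SGTs, so no ordering guard is needed.` would record that assumption. As with the other sleepers in this patch, a `moved { from = time_sleep.sgt_wait to = time_sleep.sgt_wait[0] }` block avoids a destroy/recreate of the resource on upgrade.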
@@ -29,19 +29,6 @@ defaults: send_configuration_to_device_using: DISABLE_ALL include_when_deploying_sgt_updates: false identity_management: - active_directory: - ad_scopes_names: Default_Scope - enable_domain_allowed_list: true - enable_rewrites: false - enable_pass_change: true - enable_machine_auth: true - enable_machine_access: true - enable_dialin_permission_check: false - plaintext_auth: false - aging_time: 5 - enable_callback_for_dialin_client: false - enable_failed_auth_protection: false - failed_auth_threshold: 5 internal_users: enabled: true change_password: true From 142490e37e64ba806fc64b4415c92d189d2f9184 Mon Sep 17 00:00:00 2001 From: Daniel Schmidt <79086712+danischm@users.noreply.github.com> Date: Sat, 3 Feb 2024 16:49:42 +0100 Subject: [PATCH 06/14] Update main.tf --- examples/network_access_condition/main.tf | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/examples/network_access_condition/main.tf b/examples/network_access_condition/main.tf index 216461a..53ac257 100644 --- a/examples/network_access_condition/main.tf +++ b/examples/network_access_condition/main.tf @@ -2,7 +2,7 @@ module "ise" { source = "netascode/nac-ise/ise" version = ">= 0.1.0" - manage_network_access = true - yaml_files = ["network_access_condition.yaml"] + + manage_network_access = true } From 2aaf7a96e7d188d2423a82525d22093c944c0052 Mon Sep 17 00:00:00 2001 From: Daniel Schmidt <79086712+danischm@users.noreply.github.com> Date: Sat, 3 Feb 2024 16:53:47 +0100 Subject: [PATCH 07/14] Update ise_identity_management.tf --- ise_identity_management.tf | 90 +++++++++++++++++++------------------- 1 file changed, 45 insertions(+), 45 deletions(-) diff --git a/ise_identity_management.tf b/ise_identity_management.tf index 2f34630..1e29fd7 100644 --- a/ise_identity_management.tf +++ b/ise_identity_management.tf 
@@ -55,64 +55,64 @@ resource "ise_certificate_authentication_profile" "certificate_authentication_pr } resource "ise_active_directory_join_point" "active_directory_join_point" { - for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management } + for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management } name = each.key - description = try(each.value.description, local.defaults.ise.identity_management.active_directory.description, null) - domain = try(each.value.domain, local.defaults.ise.identity_management.active_directory.domain, null) - ad_scopes_names = try(each.value.ad_scopes_names, local.defaults.ise.identity_management.active_directory.ad_scopes_names, null) - enable_domain_allowed_list = try(each.value.enable_domain_allowed_list, local.defaults.ise.identity_management.active_directory.enable_domain_allowed_list, null) + description = try(each.value.description, local.defaults.ise.identity_management.active_directories.description, null) + domain = try(each.value.domain, local.defaults.ise.identity_management.active_directories.domain, null) + ad_scopes_names = try(each.value.ad_scopes_names, local.defaults.ise.identity_management.active_directories.ad_scopes_names, null) + enable_domain_allowed_list = try(each.value.enable_domain_allowed_list, local.defaults.ise.identity_management.active_directories.enable_domain_allowed_list, null) groups = [] attributes = [for attr in try(each.value.attributes, []) : { name = try(attr.name, null) - type = try(attr.type, local.defaults.ise.identity_management.active_directory.attributes.type, null) - internal_name = try(attr.internal_name, local.defaults.ise.identity_management.active_directory.attributes.internal_name, null) - default_value = try(attr.default_value, local.defaults.ise.identity_management.active_directory.attributes.default_value, null) + type = try(attr.type, 
local.defaults.ise.identity_management.active_directories.attributes.type, null) + internal_name = try(attr.internal_name, local.defaults.ise.identity_management.active_directories.attributes.internal_name, null) + default_value = try(attr.default_value, local.defaults.ise.identity_management.active_directories.attributes.default_value, null) }] rewrite_rules = [for rule in try(each.value.rewrite_rules, []) : { - row_id = try(rule.row_id, local.defaults.ise.identity_management.active_directory.rewrite_rules.row_id, null) - rewrite_match = try(rule.rewrite_match, local.defaults.ise.identity_management.active_directory.rewrite_rules.rewrite_match, null) - rewrite_result = try(rule.rewrite_result, local.defaults.ise.identity_management.active_directory.rewrite_rules.rewrite_result, null) + row_id = try(rule.row_id, local.defaults.ise.identity_management.active_directories.rewrite_rules.row_id, null) + rewrite_match = try(rule.rewrite_match, local.defaults.ise.identity_management.active_directories.rewrite_rules.rewrite_match, null) + rewrite_result = try(rule.rewrite_result, local.defaults.ise.identity_management.active_directories.rewrite_rules.rewrite_result, null) }] - enable_rewrites = try(each.value.enable_rewrites, local.defaults.ise.identity_management.active_directory.enable_rewrites, null) - enable_pass_change = try(each.value.enable_pass_change, local.defaults.ise.identity_management.active_directory.enable_pass_change, null) - enable_machine_auth = try(each.value.enable_machine_auth, local.defaults.ise.identity_management.active_directory.enable_machine_auth, null) - enable_machine_access = try(each.value.enable_machine_access, local.defaults.ise.identity_management.active_directory.enable_machine_access, null) - enable_dialin_permission_check = try(each.value.enable_dialin_permission_check, local.defaults.ise.identity_management.active_directory.enable_dialin_permission_check, null) - plaintext_auth = try(each.value.plaintext_auth, 
local.defaults.ise.identity_management.active_directory.plaintext_auth, null) - aging_time = try(each.value.aging_time, local.defaults.ise.identity_management.active_directory.aging_time, null) - enable_callback_for_dialin_client = try(each.value.enable_callback_for_dialin_client, local.defaults.ise.identity_management.active_directory.enable_callback_for_dialin_client, null) - identity_not_in_ad_behaviour = try(each.value.identity_not_in_ad_behaviour, local.defaults.ise.identity_management.active_directory.identity_not_in_ad_behaviour, null) - unreachable_domains_behaviour = try(each.value.unreachable_domains_behaviour, local.defaults.ise.identity_management.active_directory.unreachable_domains_behaviour, null) - schema = try(each.value.schema, local.defaults.ise.identity_management.active_directory.schema, null) - first_name = try(each.value.first_name, local.defaults.ise.identity_management.active_directory.first_name, null) - department = try(each.value.department, local.defaults.ise.identity_management.active_directory.department, null) - last_name = try(each.value.last_name, local.defaults.ise.identity_management.active_directory.last_name, null) - organizational_unit = try(each.value.organizational_unit, local.defaults.ise.identity_management.active_directory.organizational_unit, null) - job_title = try(each.value.job_title, local.defaults.ise.identity_management.active_directory.job_title, null) - locality = try(each.value.locality, local.defaults.ise.identity_management.active_directory.locality, null) - email = try(each.value.email, local.defaults.ise.identity_management.active_directory.email, null) - state_or_province = try(each.value.state_or_province, local.defaults.ise.identity_management.active_directory.state_or_province, null) - telephone = try(each.value.telephone, local.defaults.ise.identity_management.active_directory.telephone, null) - country = try(each.value.country, local.defaults.ise.identity_management.active_directory.country, null) - 
street_address = try(each.value.street_address, local.defaults.ise.identity_management.active_directory.street_address, null) - enable_failed_auth_protection = try(each.value.enable_failed_auth_protection, local.defaults.ise.identity_management.active_directory.enable_failed_auth_protection, null) - failed_auth_threshold = try(each.value.failed_auth_threshold, local.defaults.ise.identity_management.active_directory.failed_auth_threshold, null) - auth_protection_type = try(each.value.auth_protection_type, local.defaults.ise.identity_management.active_directory.auth_protection_type, null) + enable_rewrites = try(each.value.enable_rewrites, local.defaults.ise.identity_management.active_directories.enable_rewrites, null) + enable_pass_change = try(each.value.enable_pass_change, local.defaults.ise.identity_management.active_directories.enable_pass_change, null) + enable_machine_auth = try(each.value.enable_machine_auth, local.defaults.ise.identity_management.active_directories.enable_machine_auth, null) + enable_machine_access = try(each.value.enable_machine_access, local.defaults.ise.identity_management.active_directories.enable_machine_access, null) + enable_dialin_permission_check = try(each.value.enable_dialin_permission_check, local.defaults.ise.identity_management.active_directories.enable_dialin_permission_check, null) + plaintext_auth = try(each.value.plaintext_auth, local.defaults.ise.identity_management.active_directories.plaintext_auth, null) + aging_time = try(each.value.aging_time, local.defaults.ise.identity_management.active_directories.aging_time, null) + enable_callback_for_dialin_client = try(each.value.enable_callback_for_dialin_client, local.defaults.ise.identity_management.active_directories.enable_callback_for_dialin_client, null) + identity_not_in_ad_behaviour = try(each.value.identity_not_in_ad_behaviour, local.defaults.ise.identity_management.active_directories.identity_not_in_ad_behaviour, null) + unreachable_domains_behaviour = 
try(each.value.unreachable_domains_behaviour, local.defaults.ise.identity_management.active_directories.unreachable_domains_behaviour, null) + schema = try(each.value.schema, local.defaults.ise.identity_management.active_directories.schema, null) + first_name = try(each.value.first_name, local.defaults.ise.identity_management.active_directories.first_name, null) + department = try(each.value.department, local.defaults.ise.identity_management.active_directories.department, null) + last_name = try(each.value.last_name, local.defaults.ise.identity_management.active_directories.last_name, null) + organizational_unit = try(each.value.organizational_unit, local.defaults.ise.identity_management.active_directories.organizational_unit, null) + job_title = try(each.value.job_title, local.defaults.ise.identity_management.active_directories.job_title, null) + locality = try(each.value.locality, local.defaults.ise.identity_management.active_directories.locality, null) + email = try(each.value.email, local.defaults.ise.identity_management.active_directories.email, null) + state_or_province = try(each.value.state_or_province, local.defaults.ise.identity_management.active_directories.state_or_province, null) + telephone = try(each.value.telephone, local.defaults.ise.identity_management.active_directories.telephone, null) + country = try(each.value.country, local.defaults.ise.identity_management.active_directories.country, null) + street_address = try(each.value.street_address, local.defaults.ise.identity_management.active_directories.street_address, null) + enable_failed_auth_protection = try(each.value.enable_failed_auth_protection, local.defaults.ise.identity_management.active_directories.enable_failed_auth_protection, null) + failed_auth_threshold = try(each.value.failed_auth_threshold, local.defaults.ise.identity_management.active_directories.failed_auth_threshold, null) + auth_protection_type = try(each.value.auth_protection_type, 
local.defaults.ise.identity_management.active_directories.auth_protection_type, null)
 }
 resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_join_domain_with_all_nodes" {
- for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management }
+ for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
 join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
 additional_data = [
 {
 name = "username"
- value = try(each.value.ad_username, local.defaults.ise.identity_management.active_directory.ad_username, null)
+ value = try(each.value.ad_username, local.defaults.ise.identity_management.active_directories.ad_username, null)
 },
 {
 name = "password"
- value = try(each.value.ad_password, local.defaults.ise.identity_management.active_directory.ad_password, null)
+ value = try(each.value.ad_password, local.defaults.ise.identity_management.active_directories.ad_password, null)
 }
 ]
@@ -120,10 +120,10 @@ resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_joi
 }
 data "ise_active_directory_groups_by_domain" "all_groups" {
- for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management }
+ for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
 join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
- domain = try(each.value.domain, local.defaults.ise.identity_management.active_directory.domain, null)
+ domain = try(each.value.domain, local.defaults.ise.identity_management.active_directories.domain, null)
 depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
 }
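Review bot: The domain-join password on the new side of this hunk, `value = try(each.value.ad_password, local.defaults.ise.identity_management.active_directories.ad_password, null)`, is read from the YAML inventory with a fallback to the shared defaults file, so a privileged AD credential can end up committed next to non-secret settings and, unless the provider marks `additional_data` as sensitive (not visible here), printed in plan output and kept in plaintext state. A `sensitive = true` input variable keyed by join point name (a constructed example: `value = try(var.ad_join_credentials[each.key].password, each.value.ad_password, null)`) would keep the secret out of both the inventory and the defaults fallback. Separately, every `local.defaults.ise.identity_management.active_directories.*` fallback in this hunk and in the `@@ -120`, `@@ -135`, `@@ -146` and `@@ -154` hunks of this file names a defaults key that PATCH 05 of this series deleted from defaults/defaults.yaml (as `active_directory:`) and that no patch shown here re-adds under the new name, so each `try()` silently resolves to `null` and the provider's own defaults decide `plaintext_auth`, `enable_failed_auth_protection` and `failed_auth_threshold`. Re-adding an `active_directories:` block with the values PATCH 05 removed, or a comment stating that provider defaults are intended, would make the effective defaults explicit. The `ise_active_directory_join_point` resource and the `ise_active_directory_join_domain_with_all_nodes` resource are both complete within the hunk.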
@@ -135,7 +135,7 @@ locals {
 }
 active_directory_groups = {
- for ad in try(local.ise.identity_management.active_directory, []) : ad.name => [
+ for ad in try(local.ise.identity_management.active_directories, []) : ad.name => [
 for group in ad.groups : {
 name = group
 type = try(local.active_directory_groups_all[ad.name][group].type, null)
@@ -146,7 +146,7 @@ locals {
 }
 resource "ise_active_directory_add_groups" "active_directory_groups" {
- for_each = { for ad in try(local.ise.identity_management.active_directory, []) : ad.name => ad if var.manage_identity_management }
+ for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
 join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
 name = ise_active_directory_join_point.active_directory_join_point[each.key].name
@@ -154,7 +154,7 @@ resource "ise_active_directory_add_groups" "active_directory_groups" {
 domain = ise_active_directory_join_point.active_directory_join_point[each.key].domain
 ad_scopes_names = ise_active_directory_join_point.active_directory_join_point[each.key].ad_scopes_names
 enable_domain_allowed_list = ise_active_directory_join_point.active_directory_join_point[each.key].enable_domain_allowed_list
- groups = try(local.active_directory_groups[each.key], local.defaults.ise.identity_management.active_directory.groups, null)
+ groups = try(local.active_directory_groups[each.key], local.defaults.ise.identity_management.active_directories.groups, null)
 depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
-}
\ No newline at end of file
+}
From 28c4f159e5dbe4548e7642e920cfa880b6ef89eb Mon Sep 17 00:00:00 2001
From: Kuba Mazurkiewicz
Date: Tue, 6 Feb 2024 21:48:24 +0100
Subject: [PATCH 08/14] fix: manage flags dependencies add conditionals for locals
---
 README.md | 2 +-
 examples/network_access_condition/README.md | 4 +-
 ise_device_admin.tf | 94 ++++++++++-----------
 ise_network_access.tf | 94 ++++++++++-----------
 ise_network_resources.tf | 24 +++---
 ise_trustsec.tf | 12 +--
 6 files changed, 115 insertions(+), 115 deletions(-)
diff --git a/README.md b/README.md
index 35afda8..ba5fcd2 100644
--- a/README.md
+++ b/README.md
@@ -322,4 +322,4 @@ module "ise" {
 ## Modules
 No modules.
-
+
\ No newline at end of file
diff --git a/examples/network_access_condition/README.md b/examples/network_access_condition/README.md
index c919f7f..cb693a0 100644
--- a/examples/network_access_condition/README.md
+++ b/examples/network_access_condition/README.md
@@ -42,9 +42,9 @@ module "ise" {
 source = "netascode/nac-ise/ise"
 version = ">= 0.1.0"
- manage_network_access = true
- yaml_files = ["network_access_condition.yaml"]
+
+ manage_network_access = true
 }
 ```
\ No newline at end of file
diff --git a/ise_device_admin.tf b/ise_device_admin.tf
index 27a35ef..59bd991 100644
--- a/ise_device_admin.tf
+++ b/ise_device_admin.tf
@@ -1,11 +1,11 @@
 locals {
- device_admin_conditions_circular_names = distinct(flatten([
+ device_admin_conditions_circular_names = var.manage_device_administration ? distinct(flatten([
 for v in try(local.ise.device_administration.policy_elements.conditions, []) : [
 for v2 in try(v.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
 for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : []
 ]
 ]
- ]))
+ ])) : []
 }
 data "ise_device_admin_condition" "device_admin_condition_circular" {
@@ -105,14 +105,14 @@ resource "ise_device_admin_time_and_date_condition" "device_admin_time_and_date_ } locals { - conditions_device_admin_policy_sets = flatten([ + conditions_device_admin_policy_sets = var.manage_device_administration ? flatten([ for v in try(local.ise.device_administration.policy_sets, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) - conditions_device_admin_policy_set_authentication_rules = flatten([ + ]) : [] + conditions_device_admin_policy_set_authentication_rules = var.manage_device_administration ? flatten([ for v in try(local.ise.device_administration.policy_sets, []) : [ for r in try(v.authentication_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ @@ -120,8 +120,8 @@ locals { ] ] ] - ]) - conditions_device_admin_policy_set_authorization_rules = flatten([ + ]) : [] + conditions_device_admin_policy_set_authorization_rules = var.manage_device_administration ? flatten([ for v in try(local.ise.device_administration.policy_sets, []) : [ for r in try(v.authorization_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -129,8 +129,8 @@ locals { ] ] ] - ]) - conditions_device_admin_policy_set_authorization_exception_rules = flatten([ + ]) : [] + conditions_device_admin_policy_set_authorization_exception_rules = var.manage_device_administration ? flatten([ for v in try(local.ise.device_administration.policy_sets, []) : [ for r in try(v.authorization_exception_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -138,17 +138,17 @@ locals { ] ] ] - ]) - conditions_device_admin_authorization_global_exception_rules = flatten([ + ]) : [] + conditions_device_admin_authorization_global_exception_rules = var.manage_device_administration ? flatten([ for v in try(local.ise.device_administration.authorization_global_exception_rules, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) - unique_conditions_device_admin = distinct(concat(local.conditions_device_admin_policy_sets, local.conditions_device_admin_policy_set_authentication_rules, local.conditions_device_admin_policy_set_authorization_rules, local.conditions_device_admin_policy_set_authorization_exception_rules, local.conditions_device_admin_authorization_global_exception_rules)) - known_conditions_device_admin = [for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name] - unknown_conditions_device_admin = setsubtract(local.unique_conditions_device_admin, local.known_conditions_device_admin) + ]) : [] + unique_conditions_device_admin = var.manage_device_administration ? distinct(concat(local.conditions_device_admin_policy_sets, local.conditions_device_admin_policy_set_authentication_rules, local.conditions_device_admin_policy_set_authorization_rules, local.conditions_device_admin_policy_set_authorization_exception_rules, local.conditions_device_admin_authorization_global_exception_rules)) : [] + known_conditions_device_admin = var.manage_device_administration ? [for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name] : [] + unknown_conditions_device_admin = var.manage_device_administration ? 
setsubtract(local.unique_conditions_device_admin, local.known_conditions_device_admin) : [] } data "ise_device_admin_condition" "device_admin_condition" { @@ -158,7 +158,7 @@ data "ise_device_admin_condition" "device_admin_condition" { } locals { - device_admin_policy_sets = [ + device_admin_policy_sets = var.manage_device_administration ? [ for ps in try(local.ise.device_administration.policy_sets, []) : { condition_type = try(ps.condition.type, local.defaults.ise.device_administration.policy_sets.condition.type, null) condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null) @@ -195,7 +195,7 @@ locals { }], null) }], null) } - ] + ] : [] } resource "ise_device_admin_policy_set" "device_admin_policy_set_0" { @@ -619,7 +619,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_19" { } locals { - device_admin_policy_set_ids = merge( + device_admin_policy_set_ids = var.manage_device_administration ? merge( { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null }, { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_1[ps.name].id if ps.rank == 1 }, { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_2[ps.name].id if ps.rank == 2 }, 
@@ -640,8 +640,8 @@ locals {
 { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_17[ps.name].id if ps.rank == 17 },
 { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_18[ps.name].id if ps.rank == 18 },
 { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_19[ps.name].id if ps.rank == 19 },
- )
- device_admin_authentication_rules = flatten([
+ ) : {}
+ device_admin_authentication_rules = var.manage_device_administration ? flatten([
 for ps in try(local.ise.device_administration.policy_sets, []) : [
 for rule in try(ps.authentication_rules, []) : {
 key = format("%s/%s", ps.name, rule.name)
@@ -684,11 +684,11 @@ locals {
 }], null)
 }
 ]
- ])
+ ]) : null
 }
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_0" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
+ for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -712,7 +712,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_1" {
- for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 1 }
+ for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 1 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
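Review bot: `]) : null` on the new side of `device_admin_authentication_rules` in the `@@ -684` hunk is inconsistent with every sibling local this commit guards (`device_admin_policy_sets`, `device_admin_authorization_rules`, `device_admin_authorization_exception_rules` and the condition-name locals all fall back to `: []`), and it is the only reason the `coalesce(local.device_admin_authentication_rules, [])` wrapper has to be added to the twenty `for_each` expressions in this hunk and the `@@ -712` through `@@ -1144` hunks. Changing the local to `]) : []` lets each resource keep `for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }`, matching the authorization-rule resources and avoiding a null-typed local. The `var.manage_device_administration &&` term in those filters becomes redundant with the guarded local but is harmless to keep. The `locals` block holding this local starts in the preceding `@@ -640` hunk.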
@@ -736,7 +736,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_2" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 2 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 2 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -760,7 +760,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_3" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 3 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 3 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -784,7 +784,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_4" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 4 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 4 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -808,7 +808,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_5" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 5 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 5 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -832,7 +832,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_6" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 6 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 6 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -856,7 +856,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_7" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 7 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 7 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -880,7 +880,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_8" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 8 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 8 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -904,7 +904,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_9" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 9 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 9 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -928,7 +928,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_10" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 10 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 10 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -952,7 +952,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_11" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 11 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 11 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -976,7 +976,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_12" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 12 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 12 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1000,7 +1000,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_13" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 13 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 13 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1024,7 +1024,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_14" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 14 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 14 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1048,7 +1048,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_15" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 15 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 15 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1072,7 +1072,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_16" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 16 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 16 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1096,7 +1096,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_17" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 17 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 17 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1120,7 +1120,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_18" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 18 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 18 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1144,7 +1144,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul } resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_19" { - for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if var.manage_device_administration && rule.rank == 19 } + for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 19 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1180,7 +1180,7 @@ resource "time_sleep" "device_admin_policy_object_wait" { } locals { - device_admin_authorization_rules = flatten([ + device_admin_authorization_rules = var.manage_device_administration ? flatten([ for ps in try(local.ise.device_administration.policy_sets, []) : [ for rule in try(ps.authorization_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -1221,7 +1221,7 @@ locals { }], null) } ] - ]) + ]) : [] } resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" { @@ -1665,7 +1665,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_ } locals { - device_admin_authorization_exception_rules = flatten([ + device_admin_authorization_exception_rules = var.manage_device_administration ? flatten([ for ps in try(local.ise.device_administration.policy_sets, []) : [ for rule in try(ps.authorization_exception_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -1706,7 +1706,7 @@ locals { }], null) } ] - ]) + ]) : [] } resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_0" { @@ -2150,7 +2150,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza } locals { - device_admin_authorization_global_exception_rules = [ + device_admin_authorization_global_exception_rules = var.manage_device_administration ? [ for rule in try(local.ise.device_administration.authorization_global_exception_rules, []) : { name = rule.name rank = try(rule.rank, local.defaults.ise.device_administration.authorization_global_exception_rules.rank, null) @@ -2187,7 +2187,7 @@ locals { }], null) }], null) } - ] + ] : [] } resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_0" { diff --git a/ise_network_access.tf b/ise_network_access.tf index e61dc0e..e2bc2b0 100644 --- a/ise_network_access.tf +++ b/ise_network_access.tf 
@@ -126,13 +126,13 @@ resource "ise_authorization_profile" "authorization_profile" { } locals { - network_access_conditions_circular_names = distinct(flatten([ + network_access_conditions_circular_names = var.manage_network_access ? distinct(flatten([ for v in try(local.ise.network_access.policy_elements.conditions, []) : [ for v2 in try(v.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ])) + ])) : [] } data "ise_network_access_condition" "network_access_condition_circular" { @@ -215,14 +215,14 @@ resource "ise_network_access_time_and_date_condition" "network_access_time_and_d } locals { - conditions_network_access_policy_sets = flatten([ + conditions_network_access_policy_sets = var.manage_network_access ? flatten([ for v in try(local.ise.network_access.policy_sets, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) - conditions_network_access_policy_set_authentication_rules = flatten([ + ]) : [] + conditions_network_access_policy_set_authentication_rules = var.manage_network_access ? flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authentication_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -230,8 +230,8 @@ locals { ] ] ] - ]) - conditions_network_access_policy_set_authorization_rules = flatten([ + ]) : [] + conditions_network_access_policy_set_authorization_rules = var.manage_network_access ? flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authorization_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ @@ -239,8 +239,8 @@ locals { ] ] ] - ]) - conditions_network_access_policy_set_authorization_exception_rules = flatten([ + ]) : [] + conditions_network_access_policy_set_authorization_exception_rules = var.manage_network_access ? flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authorization_exception_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -248,17 +248,17 @@ locals { ] ] ] - ]) - conditions_network_access_authorization_global_exception_rules = flatten([ + ]) : [] + conditions_network_access_authorization_global_exception_rules = var.manage_network_access ? flatten([ for v in try(local.ise.network_access.authorization_global_exception_rules, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) - unique_conditions_network_access = distinct(concat(local.conditions_network_access_policy_sets, local.conditions_network_access_policy_set_authentication_rules, local.conditions_network_access_policy_set_authorization_rules, local.conditions_network_access_policy_set_authorization_exception_rules, local.conditions_network_access_authorization_global_exception_rules)) - known_conditions_network_access = [for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name] - unknown_conditions_network_access = setsubtract(local.unique_conditions_network_access, local.known_conditions_network_access) + ]) : [] + unique_conditions_network_access = var.manage_network_access ? distinct(concat(local.conditions_network_access_policy_sets, local.conditions_network_access_policy_set_authentication_rules, local.conditions_network_access_policy_set_authorization_rules, local.conditions_network_access_policy_set_authorization_exception_rules, local.conditions_network_access_authorization_global_exception_rules)) : [] + known_conditions_network_access = var.manage_network_access ? [for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name] : [] + unknown_conditions_network_access = var.manage_network_access ? 
setsubtract(local.unique_conditions_network_access, local.known_conditions_network_access) : [] } data "ise_network_access_condition" "network_access_condition" { @@ -268,7 +268,7 @@ data "ise_network_access_condition" "network_access_condition" { } locals { - network_access_policy_sets = [ + network_access_policy_sets = var.manage_network_access ? [ for ps in try(local.ise.network_access.policy_sets, []) : { condition_type = try(ps.condition.type, local.defaults.ise.network_access.policy_sets.condition.type, null) condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.network_access.policy_sets.condition.is_negate, null) @@ -305,7 +305,7 @@ locals { }], null) }], null) } - ] + ] : [] } resource "ise_network_access_policy_set" "network_access_policy_set_0" { @@ -729,7 +729,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_19" { } locals { - network_access_policy_set_ids = merge( + network_access_policy_set_ids = var.manage_network_access ? merge( { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_1[ps.name].id if ps.rank == 1 }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_2[ps.name].id if ps.rank == 2 }, 
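Review bot: The guards added to `known_conditions_network_access` and `unknown_conditions_network_access` are redundant: once the five `conditions_network_access_*` locals fall back to `[]`, `unique_conditions_network_access` is already `[]` and `setsubtract([], ...)` is `[]`, so the data source below gets an empty `for_each` without them. Keeping `var.manage_network_access ?` only on the input locals makes the intent easier to follow and avoids three more places that must stay in sync; e.g. `known_conditions_network_access = [for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name]`. The `unique_conditions_network_access` guard is harmless but equally unnecessary.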
@@ -750,8 +750,8 @@ locals {
 { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_17[ps.name].id if ps.rank == 17 },
 { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_18[ps.name].id if ps.rank == 18 },
 { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_19[ps.name].id if ps.rank == 19 },
- )
- network_access_authentication_rules = flatten([
+ ) : {}
+ network_access_authentication_rules = var.manage_network_access ? flatten([
 for ps in try(local.ise.network_access.policy_sets, []) : [
 for rule in try(ps.authentication_rules, []) : {
 key = format("%s/%s", ps.name, rule.name)
@@ -794,11 +794,11 @@ locals {
 }], null)
 }
 ]
- ])
+ ]) : null
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_0" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -822,7 +822,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_1" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 1 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 1 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
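Review bot: `network_access_authentication_rules` falls back to `null` in the new `]) : null` line, unlike `network_access_policy_set_ids` (`) : {}`) a few lines above and the authorization-rule locals later in this file (`]) : []`); that `null` is what forces `coalesce(...)` into every `for_each` below. Changing it to `]) : []` keeps the type of the local stable whether or not the section is managed and lets the resources read `for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) }` as before. As written, any later reference that skips the `coalesce`, e.g. `length(local.network_access_authentication_rules)`, would error at plan time whenever `manage_network_access` is false.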
@@ -846,7 +846,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_2" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 2 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 2 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -870,7 +870,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_3" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 3 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 3 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -894,7 +894,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_4" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 4 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 4 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -918,7 +918,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_5" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 5 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 5 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -942,7 +942,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_6" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 6 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 6 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -966,7 +966,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_7" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 7 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 7 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -990,7 +990,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_8" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 8 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 8 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1014,7 +1014,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_9" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 9 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 9 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1038,7 +1038,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_10" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 10 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 10 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1062,7 +1062,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_11" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 11 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 11 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1086,7 +1086,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_12" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 12 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 12 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1110,7 +1110,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_13" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 13 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 13 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1134,7 +1134,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_14" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 14 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 14 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1158,7 +1158,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_15" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 15 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 15 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1182,7 +1182,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_16" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 16 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 16 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1206,7 +1206,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_17" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 17 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 17 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1230,7 +1230,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_18" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 18 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 18 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1254,7 +1254,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }
 
 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_19" {
- for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if var.manage_network_access && rule.rank == 19 }
+ for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 19 }
 
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1278,7 +1278,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } locals { - network_access_authorization_rules = flatten([ + network_access_authorization_rules = var.manage_network_access ? flatten([ for ps in try(local.ise.network_access.policy_sets, []) : [ for rule in try(ps.authorization_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -1319,7 +1319,7 @@ locals { }], null) } ] - ]) + ]) : [] } resource "ise_network_access_authorization_rule" "network_access_authorization_rule_0" { @@ -1763,7 +1763,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r } locals { - network_access_authorization_exception_rules = flatten([ + network_access_authorization_exception_rules = var.manage_network_access ? flatten([ for ps in try(local.ise.network_access.policy_sets, []) : [ for rule in try(ps.authorization_exception_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -1804,7 +1804,7 @@ locals { }], null) } ] - ]) + ]) : [] } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_0" { @@ -2248,7 +2248,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho } locals { - network_access_authorization_global_exception_rules = [ + network_access_authorization_global_exception_rules = var.manage_network_access ? [ for rule in try(local.ise.network_access.authorization_global_exception_rules, []) : { name = rule.name rank = try(rule.rank, local.defaults.ise.network_access.authorization_global_exception_rules.rank, null) @@ -2285,7 +2285,7 @@ locals { }], null) }], null) } - ] + ] : [] } resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_0" { diff --git a/ise_network_resources.tf b/ise_network_resources.tf index 80391c9..a9236bb 100644 --- a/ise_network_resources.tf +++ b/ise_network_resources.tf 
@@ -1,9 +1,9 @@ locals { - network_device_groups = [for group in try(local.ise.network_resources.network_device_groups, []) : { + network_device_groups = var.manage_network_resources ? [for group in try(local.ise.network_resources.network_device_groups, []) : { name = try(split("#", group.path)[0] == "All Device Types", false) ? "Device Type#${group.path}#${group.name}" : (try(split("#", group.path)[0] == "All Locations", false) ? "Location#${group.path}#${group.name}" : (try(split("#", group.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${group.path}" : (try(group.path, null) == null ? "${group.name}#${group.name}" : "${split("#", group.path)[0]}#${group.path}#${group.name}"))) description = try(group.description, local.defaults.ise.network_resources.network_device_groups.description, null) root_group = try(split("#", group.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", group.path)[0] == "All Locations", false) ? "Location" : (try(split("#", group.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", group.path)[0], group.name))) - }] + }] : [] } resource "ise_network_device_group" "network_device_group_0" { 
@@ -15,13 +15,13 @@ resource "ise_network_device_group" "network_device_group_0" { } locals { - network_device_groups_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : { name = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type#${p.path}#${p.name}#${c.name}" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location#${p.path}#${p.name}#${c.name}" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${p.path}" : (try(p.path, null) == null ? "${p.name}#${p.name}#${c.name}" : "${split("#", p.path)[0]}#${p.path}#${p.name}#${c.name}"))) description = try(c.description, local.defaults.ise.network_resources.network_device_groups.children.description, null) root_group = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", p.path)[0], p.name))) } - ]]) + ]]) : [] } resource "ise_network_device_group" "network_device_group_1" { 
@@ -35,7 +35,7 @@ resource "ise_network_device_group" "network_device_group_1" { } locals { - network_device_groups_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : { name = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${p.path}" : (try(p.path, null) == null ? "${p.name}#${p.name}#${c.name}#${c2.name}" : "${split("#", p.path)[0]}#${p.path}#${p.name}#${c.name}#${c2.name}"))) @@ -43,7 +43,7 @@ locals { root_group = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", p.path)[0], p.name))) } ] - ]]) + ]]) : [] } resource "ise_network_device_group" "network_device_group_2" { @@ -57,7 +57,7 @@ resource "ise_network_device_group" "network_device_group_2" { } locals { - network_device_groups_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : { @@ -67,7 +67,7 @@ locals { } ] ] - ]]) + ]]) : [] } resource "ise_network_device_group" "network_device_group_3" { 
@@ -81,7 +81,7 @@ resource "ise_network_device_group" "network_device_group_3" { } locals { - network_device_groups_children_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : [ @@ -93,7 +93,7 @@ locals { ] ] ] - ]]) + ]]) : [] } resource "ise_network_device_group" "network_device_group_4" { @@ -107,7 +107,7 @@ resource "ise_network_device_group" "network_device_group_4" { } locals { - network_device_groups_children_children_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : [ @@ -121,7 +121,7 @@ locals { ] ] ] - ]]) + ]]) : [] } resource "ise_network_device_group" "network_device_group_5" { diff --git a/ise_trustsec.tf b/ise_trustsec.tf index 70f1681..7a765a0 100644 --- a/ise_trustsec.tf +++ b/ise_trustsec.tf 
@@ -1,11 +1,11 @@ locals { trustsec_matrix = { for cell in try(local.ise.trust_sec.matrix_entries, []) : "${cell.source_sgt}-${cell.destination_sgt}" => cell if var.manage_trust_sec } - unique_sgts = distinct(concat([for key, value in local.trustsec_matrix : value.source_sgt], [for key, value in local.trustsec_matrix : value.destination_sgt], [for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.sgt, null) if try(map.sgt, null) != null], [for map in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : try(map.sgt, null) if try(map.sgt, null) != null])) - known_sgts = [for group in try(local.ise.trust_sec.security_groups, []) : group.name] - unknown_sgts = setsubtract(local.unique_sgts, local.known_sgts) - unique_sgacls = distinct([for key, value in local.trustsec_matrix : value.sgacl_name]) - known_sgacls = [for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name] - unknown_sgacls = setsubtract(local.unique_sgacls, local.known_sgacls) + unique_sgts = var.manage_trust_sec ? distinct(concat([for key, value in local.trustsec_matrix : value.source_sgt], [for key, value in local.trustsec_matrix : value.destination_sgt], [for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.sgt, null) if try(map.sgt, null) != null], [for map in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : try(map.sgt, null) if try(map.sgt, null) != null])) : [] + known_sgts = var.manage_trust_sec ? [for group in try(local.ise.trust_sec.security_groups, []) : group.name] : [] + unknown_sgts = var.manage_trust_sec ? setsubtract(local.unique_sgts, local.known_sgts) : [] + unique_sgacls = var.manage_trust_sec ? distinct([for key, value in local.trustsec_matrix : value.sgacl_name]) : [] + known_sgacls = var.manage_trust_sec ? [for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name] : [] + unknown_sgacls = var.manage_trust_sec ? 
setsubtract(local.unique_sgacls, local.known_sgacls) : [] } data "ise_trustsec_security_group" "trustsec_security_group" { From f3219798224643ba1822c95a3f85ec2d60fb8de2 Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Wed, 14 Feb 2024 14:46:37 +0100 Subject: [PATCH 09/14] removed manage variables --- README.md | 6 - ise_device_admin.tf | 266 ++++++++++++++++++------------------ ise_identity_management.tf | 22 +-- ise_network_access.tf | 267 +++++++++++++++++++------------------ ise_network_resources.tf | 40 +++--- ise_system.tf | 4 +- ise_trustsec.tf | 24 ++-- variables.tf | 36 ----- 8 files changed, 312 insertions(+), 353 deletions(-) diff --git a/README.md b/README.md index ba5fcd2..9c6181e 100644 --- a/README.md +++ b/README.md 
@@ -53,12 +53,6 @@ module "ise" { | Name | Description | Type | Default | Required | |------|-------------|------|---------|:--------:| -| [manage\_device\_administration](#input\_manage\_device\_administration) | Flag to indicate if device administration configuration should be managed. | `bool` | `false` | no | -| [manage\_identity\_management](#input\_manage\_identity\_management) | Flag to indicate if identity management configuration should be managed. | `bool` | `false` | no | -| [manage\_network\_access](#input\_manage\_network\_access) | Flag to indicate if network access configuration should be managed. | `bool` | `false` | no | -| [manage\_network\_resources](#input\_manage\_network\_resources) | Flag to indicate if network resources configuration should be managed. | `bool` | `false` | no | -| [manage\_system](#input\_manage\_system) | Flag to indicate if system configuration should be managed. | `bool` | `false` | no | -| [manage\_trust\_sec](#input\_manage\_trust\_sec) | Flag to indicate if TrustSec configuration should be managed. | `bool` | `false` | no | | [model](#input\_model) | As an alternative to YAML files, a native Terraform data structure can be provided as well. | `map(any)` | `{}` | no | | [write\_default\_values\_file](#input\_write\_default\_values\_file) | Write all default values to a YAML file. Value is a path pointing to the file to be created. | `string` | `""` | no | | [yaml\_directories](#input\_yaml\_directories) | List of paths to YAML directories. | `list(string)` | `[]` | no | diff --git a/ise_device_admin.tf b/ise_device_admin.tf index 59bd991..fc25580 100644 --- a/ise_device_admin.tf +++ b/ise_device_admin.tf 
@@ -1,11 +1,11 @@
 locals {
- device_admin_conditions_circular_names = var.manage_device_administration ? distinct(flatten([
+ device_admin_conditions_circular_names = distinct(flatten([
 for v in try(local.ise.device_administration.policy_elements.conditions, []) : [
 for v2 in try(v.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
 for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : []
 ]
 ]
- ])) : []
+ ]))
 }
 
 data "ise_device_admin_condition" "device_admin_condition_circular" {
@@ -15,7 +15,7 @@ data "ise_device_admin_condition" "device_admin_condition_circular" {
 }
 
 resource "ise_device_admin_condition" "device_admin_condition" {
- for_each = { for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name => condition if var.manage_device_administration }
+ for_each = { for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name => condition }
 
 condition_type = try(each.value.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null)
 is_negate = try(each.value.is_negate, local.defaults.ise.device_administration.policy_elements.conditions.is_negate, null)
@@ -53,7 +53,7 @@ resource "ise_device_admin_condition" "device_admin_condition" {
 }
 
 resource "ise_allowed_protocols_tacacs" "allowed_protocols_tacacs" {
- for_each = { for protocol in try(local.ise.device_administration.policy_elements.allowed_protocols, []) : protocol.name => protocol if var.manage_device_administration }
+ for_each = { for protocol in try(local.ise.device_administration.policy_elements.allowed_protocols, []) : protocol.name => protocol }
 
 description = try(each.value.description, "")
 name = each.key
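Review bot: Dropping the `if var.manage_device_administration` filter from these `for_each` maps makes every section present in the merged `local.ise` YAML authoritative on the next apply, so a consumer that kept `device_administration` YAML alongside `manage_device_administration = false` (for example during a staged rollout) will now have conditions, allowed-protocol sets and, in later hunks, TACACS profiles and policy rules pushed to ISE without any change on their side; that is a silent change to the access-control state of the appliance and deserves an explicit "breaking change" line in the commit message and README rather than only the deleted input rows. Callers that still pass any `manage_*` argument will also fail at plan time with an unsupported-argument error once `variables.tf` loses them; keeping the variables for one release with a deprecation note in their `description` would soften the upgrade. The `description = try(each.value.description, "")` context line in the TACACS resource is a pre-existing inconsistency with the `local.defaults...description, null` pattern used by its siblings, not introduced here.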
@@ -63,7 +63,7 @@ resource "ise_allowed_protocols_tacacs" "allowed_protocols_tacacs" {
 }
 
 resource "ise_tacacs_profile" "tacacs_profile" {
-  for_each = { for profile in try(local.ise.device_administration.policy_elements.tacacs_profiles, []) : profile.name => profile if var.manage_device_administration }
+  for_each = { for profile in try(local.ise.device_administration.policy_elements.tacacs_profiles, []) : profile.name => profile }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.device_administration.policy_elements.tacacs_profiles.description, null)
@@ -75,7 +75,7 @@ resource "ise_tacacs_profile" "tacacs_profile" {
 }
 
 resource "ise_tacacs_command_set" "tacacs_command_set" {
-  for_each = { for cs in try(local.ise.device_administration.policy_elements.tacacs_command_sets, []) : cs.name => cs if var.manage_device_administration }
+  for_each = { for cs in try(local.ise.device_administration.policy_elements.tacacs_command_sets, []) : cs.name => cs }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.device_administration.policy_elements.tacacs_command_sets.description, null)
@@ -88,7 +88,7 @@ resource "ise_tacacs_command_set" "tacacs_command_set" {
 }
 
 resource "ise_device_admin_time_and_date_condition" "device_admin_time_and_date_condition" {
-  for_each = { for c in try(local.ise.device_administration.policy_elements.time_date_conditions, []) : c.name => c if var.manage_device_administration }
+  for_each = { for c in try(local.ise.device_administration.policy_elements.time_date_conditions, []) : c.name => c }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.device_administration.policy_elements.time_date_conditions.description, null)
@@ -105,14 +105,14 @@ resource "ise_device_admin_time_and_date_condition" "device_admin_time_and_date_
 }
 
 locals {
-  conditions_device_admin_policy_sets = var.manage_device_administration ? flatten([
+  conditions_device_admin_policy_sets = flatten([
     for v in try(local.ise.device_administration.policy_sets, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [
       for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
         for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : []
       ]
     ]
-  ]) : []
-  conditions_device_admin_policy_set_authentication_rules = var.manage_device_administration ? flatten([
+  ])
+  conditions_device_admin_policy_set_authentication_rules = flatten([
     for v in try(local.ise.device_administration.policy_sets, []) : [
       for r in try(v.authentication_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [
         for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
@@ -120,8 +120,8 @@ locals {
       ]
     ]
   ]
-  ]) : []
-  conditions_device_admin_policy_set_authorization_rules = var.manage_device_administration ? flatten([
+  ])
+  conditions_device_admin_policy_set_authorization_rules = flatten([
     for v in try(local.ise.device_administration.policy_sets, []) : [
       for r in try(v.authorization_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [
         for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
@@ -129,8 +129,8 @@ locals {
       ]
     ]
   ]
-  ]) : []
-  conditions_device_admin_policy_set_authorization_exception_rules = var.manage_device_administration ? flatten([
+  ])
+  conditions_device_admin_policy_set_authorization_exception_rules = flatten([
     for v in try(local.ise.device_administration.policy_sets, []) : [
       for r in try(v.authorization_exception_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [
         for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
@@ -138,17 +138,17 @@ locals {
       ]
     ]
   ]
-  ]) : []
-  conditions_device_admin_authorization_global_exception_rules = var.manage_device_administration ? flatten([
+  ])
+  conditions_device_admin_authorization_global_exception_rules = flatten([
     for v in try(local.ise.device_administration.authorization_global_exception_rules, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [
       for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [
         for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : []
       ]
     ]
-  ]) : []
-  unique_conditions_device_admin = var.manage_device_administration ? distinct(concat(local.conditions_device_admin_policy_sets, local.conditions_device_admin_policy_set_authentication_rules, local.conditions_device_admin_policy_set_authorization_rules, local.conditions_device_admin_policy_set_authorization_exception_rules, local.conditions_device_admin_authorization_global_exception_rules)) : []
-  known_conditions_device_admin = var.manage_device_administration ? [for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name] : []
-  unknown_conditions_device_admin = var.manage_device_administration ? setsubtract(local.unique_conditions_device_admin, local.known_conditions_device_admin) : []
+  ])
+  unique_conditions_device_admin = distinct(concat(local.conditions_device_admin_policy_sets, local.conditions_device_admin_policy_set_authentication_rules, local.conditions_device_admin_policy_set_authorization_rules, local.conditions_device_admin_policy_set_authorization_exception_rules, local.conditions_device_admin_authorization_global_exception_rules))
+  known_conditions_device_admin = [for condition in try(local.ise.device_administration.policy_elements.conditions, []) : condition.name]
+  unknown_conditions_device_admin = setsubtract(local.unique_conditions_device_admin, local.known_conditions_device_admin)
 }
 
 data "ise_device_admin_condition" "device_admin_condition" {
@@ -158,7 +158,7 @@ data "ise_device_admin_condition" "device_admin_condition" {
 }
 
 locals {
-  device_admin_policy_sets = var.manage_device_administration ? [
+  device_admin_policy_sets = [
     for ps in try(local.ise.device_administration.policy_sets, []) : {
       condition_type = try(ps.condition.type, local.defaults.ise.device_administration.policy_sets.condition.type, null)
       condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null)
@@ -195,11 +195,11 @@ locals {
       }], null)
     }], null)
   }
-  ] : []
+  ]
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_0" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && (ps.rank == 0 || ps.rank == null) }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if(ps.rank == 0 || ps.rank == null) }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
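Review bot: The new `for_each` filter on `device_admin_policy_set_0` reads `if(ps.rank == 0 || ps.rank == null)`, which looks like a function call and is inconsistent with the unparenthesised `if ps.rank == 1` form used in the following hunks; the parentheses were only needed while the `&&` with the variable was there. The same spelling recurs on `device_admin_authentication_rule_0` (`@@ -684`) and `device_admin_authorization_rule_0` (`@@ -1221`). I would write `for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 0 || ps.rank == null }` and the equivalent `if rule.rank == 0 || rule.rank == null` on the two rule resources.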
@@ -220,7 +220,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_0" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_1" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 1 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 1 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -241,7 +241,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_1" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_2" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 2 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 2 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -262,7 +262,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_2" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_3" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 3 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 3 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -283,7 +283,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_3" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_4" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 4 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 4 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -304,7 +304,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_4" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_5" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 5 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 5 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -325,7 +325,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_5" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_6" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 6 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 6 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -346,7 +346,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_6" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_7" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 7 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 7 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -367,7 +367,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_7" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_8" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 8 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 8 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -388,7 +388,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_8" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_9" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 9 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 9 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -409,7 +409,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_9" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_10" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 10 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 10 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -430,7 +430,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_10" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_11" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 11 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 11 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -451,7 +451,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_11" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_12" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 12 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 12 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -472,7 +472,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_12" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_13" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 13 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 13 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -493,7 +493,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_13" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_14" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 14 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 14 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -514,7 +514,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_14" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_15" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 15 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 15 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -535,7 +535,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_15" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_16" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 16 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 16 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -556,7 +556,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_16" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_17" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 17 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 17 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -577,7 +577,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_17" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_18" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 18 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 18 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -598,7 +598,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_18" {
 }
 
 resource "ise_device_admin_policy_set" "device_admin_policy_set_19" {
-  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if var.manage_device_administration && ps.rank == 19 }
+  for_each = { for ps in local.device_admin_policy_sets : ps.name => ps if ps.rank == 19 }
 
   condition_type = each.value.condition_type
   condition_is_negate = each.value.condition_is_negate
@@ -619,7 +619,7 @@ resource "ise_device_admin_policy_set" "device_admin_policy_set_19" {
 }
 
 locals {
-  device_admin_policy_set_ids = var.manage_device_administration ? merge(
+  device_admin_policy_set_ids = merge(
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null },
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_1[ps.name].id if ps.rank == 1 },
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_2[ps.name].id if ps.rank == 2 },
@@ -640,8 +640,8 @@ locals {
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_17[ps.name].id if ps.rank == 17 },
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_18[ps.name].id if ps.rank == 18 },
     { for ps in local.device_admin_policy_sets : ps.name => ise_device_admin_policy_set.device_admin_policy_set_19[ps.name].id if ps.rank == 19 },
-  ) : {}
-  device_admin_authentication_rules = var.manage_device_administration ? flatten([
+  )
+  device_admin_authentication_rules = flatten([
     for ps in try(local.ise.device_administration.policy_sets, []) : [
       for rule in try(ps.authentication_rules, []) : {
         key = format("%s/%s", ps.name, rule.name)
@@ -684,11 +684,11 @@ locals {
       }], null)
     }
   ]
-  ]) : null
+  ])
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_0" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -712,7 +712,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_1" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 1 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 1 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -736,7 +736,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_2" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 2 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 2 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -760,7 +760,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_3" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 3 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 3 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -784,7 +784,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_4" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 4 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 4 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -808,7 +808,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_5" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 5 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 5 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -832,7 +832,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_6" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 6 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 6 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -856,7 +856,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_7" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 7 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 7 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -880,7 +880,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_8" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 8 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 8 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -904,7 +904,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_9" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 9 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 9 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -928,7 +928,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_10" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 10 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 10 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -952,7 +952,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_11" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 11 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 11 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -976,7 +976,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_12" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 12 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 12 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1000,7 +1000,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_13" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 13 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 13 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1024,7 +1024,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_14" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 14 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 14 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1048,7 +1048,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_15" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 15 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 15 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1072,7 +1072,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_16" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 16 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 16 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1096,7 +1096,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_17" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 17 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 17 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1120,7 +1120,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_18" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 18 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 18 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1144,7 +1144,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 }
 
 resource "ise_device_admin_authentication_rule" "device_admin_authentication_rule_19" {
-  for_each = { for rule in coalesce(local.device_admin_authentication_rules, []) : rule.key => rule if var.manage_device_administration && rule.rank == 19 }
+  for_each = { for rule in local.device_admin_authentication_rules : rule.key => rule if rule.rank == 19 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1169,7 +1169,7 @@ resource "ise_device_admin_authentication_rule" "device_admin_authentication_rul
 
 # Workaround for ISE API issue where deleting a TACACS profile or command set immediately after deleting an object using it fails
 resource "time_sleep" "device_admin_policy_object_wait" {
-  count = var.manage_device_administration ? 1 : 0
+  count = (length(try(local.ise.device_administration.policy_elements.tacacs_profiles, [])) > 0 || length(try(local.ise.device_administration.policy_elements.tacacs_command_sets, [])) > 0) ? 1 : 0
 
   destroy_duration = "5s"
 
@@ -1180,7 +1180,7 @@ resource "time_sleep" "device_admin_policy_object_wait" {
 }
 
 locals {
-  device_admin_authorization_rules = var.manage_device_administration ? flatten([
+  device_admin_authorization_rules = flatten([
     for ps in try(local.ise.device_administration.policy_sets, []) : [
       for rule in try(ps.authorization_rules, []) : {
         key = format("%s/%s", ps.name, rule.name)
@@ -1221,11 +1221,11 @@ locals {
       }], null)
     }
   ]
-  ]) : []
+  ])
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_0" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
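Review bot: The new `count` on `time_sleep.device_admin_policy_object_wait` ties the existence of the destroy-time wait to whether TACACS profiles or command sets are present in the current model, so in the apply that removes the last profile or command set the sleep resource is itself destroyed in the same run; whether its `destroy_duration` still lands between the rule deletions and the profile deletions depends on the `depends_on` wiring, which sits outside this hunk, and is worth checking with a plan that drops the last profile. The expression is also long enough to be hard to audit inline; I would move it into the neighbouring `locals` as `device_admin_tacacs_objects_present = length(try(local.ise.device_administration.policy_elements.tacacs_profiles, [])) > 0 || length(try(local.ise.device_administration.policy_elements.tacacs_command_sets, [])) > 0` and write `count = local.device_admin_tacacs_objects_present ? 1 : 0`. A one-line comment above `count` stating that the wait is only instantiated while objects subject to the ISE deletion race exist would keep the existing workaround comment honest.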
@@ -1247,7 +1247,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_1" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 1 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 1 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1269,7 +1269,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_2" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 2 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 2 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1291,7 +1291,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_3" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 3 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 3 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1313,7 +1313,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_4" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 4 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 4 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1335,7 +1335,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_5" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 5 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 5 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1357,7 +1357,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_6" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 6 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 6 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1379,7 +1379,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_7" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 7 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 7 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1401,7 +1401,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_8" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 8 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 8 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1423,7 +1423,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_9" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 9 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 9 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1445,7 +1445,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_10" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 10 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 10 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1467,7 +1467,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_11" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 11 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 11 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1489,7 +1489,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_12" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 12 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 12 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1511,7 +1511,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_13" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 13 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 13 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1533,7 +1533,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_14" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 14 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 14 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1555,7 +1555,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_15" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 15 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 15 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1577,7 +1577,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_16" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 16 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 16 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1599,7 +1599,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_17" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 17 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 17 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1621,7 +1621,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_18" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 18 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 18 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1643,7 +1643,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_19" {
-  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if var.manage_device_administration && rule.rank == 19 }
+  for_each = { for rule in local.device_admin_authorization_rules : rule.key => rule if rule.rank == 19 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1665,7 +1665,7 @@ resource "ise_device_admin_authorization_rule" "device_admin_authorization_rule_
 }
 
 locals {
-  device_admin_authorization_exception_rules = var.manage_device_administration ? flatten([
+  device_admin_authorization_exception_rules = flatten([
     for ps in try(local.ise.device_administration.policy_sets, []) : [
       for rule in try(ps.authorization_exception_rules, []) : {
         key = format("%s/%s", ps.name, rule.name)
@@ -1706,11 +1706,11 @@ locals {
         }], null)
       }
     ]
-  ]) : []
+  ])
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_0" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1732,7 +1732,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_1" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 1 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 1 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1754,7 +1754,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_2" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 2 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 2 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1776,7 +1776,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_3" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 3 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 3 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1798,7 +1798,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_4" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 4 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 4 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1820,7 +1820,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_5" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 5 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 5 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1842,7 +1842,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_6" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 6 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 6 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1864,7 +1864,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_7" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 7 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 7 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1886,7 +1886,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_8" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 8 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 8 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1908,7 +1908,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_9" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 9 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 9 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1930,7 +1930,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_10" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 10 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 10 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1952,7 +1952,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_11" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 11 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 11 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1974,7 +1974,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_12" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 12 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 12 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -1996,7 +1996,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_13" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 13 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 13 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2018,7 +2018,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_14" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 14 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 14 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2040,7 +2040,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_15" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 15 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 15 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2062,7 +2062,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_16" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 16 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 16 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2084,7 +2084,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_17" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 17 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 17 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2106,7 +2106,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_18" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 18 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 18 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2128,7 +2128,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 resource "ise_device_admin_authorization_exception_rule" "device_admin_authorization_exception_rule_19" {
-  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if var.manage_device_administration && rule.rank == 19 }
+  for_each = { for rule in local.device_admin_authorization_exception_rules : rule.key => rule if rule.rank == 19 }
 
   policy_set_id = each.value.policy_set_id
   name = each.value.name
@@ -2150,7 +2150,7 @@ resource "ise_device_admin_authorization_exception_rule" "device_admin_authoriza
 }
 
 locals {
-  device_admin_authorization_global_exception_rules = var.manage_device_administration ? [
+  device_admin_authorization_global_exception_rules = [
     for rule in try(local.ise.device_administration.authorization_global_exception_rules, []) : {
       name = rule.name
       rank = try(rule.rank, local.defaults.ise.device_administration.authorization_global_exception_rules.rank, null)
@@ -2187,11 +2187,11 @@ locals {
       }], null)
     }], null)
     }
-  ] : []
+  ]
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_0" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && (rule.rank == 0 || rule.rank == null) }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if(rule.rank == 0 || rule.rank == null) }
 
   name = each.value.name
   rank = each.value.rank
@@ -2212,7 +2212,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_1" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 1 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 1 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2233,7 +2233,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_2" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 2 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 2 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2254,7 +2254,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_3" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 3 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 3 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2275,7 +2275,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_4" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 4 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 4 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2296,7 +2296,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_5" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 5 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 5 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2317,7 +2317,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_6" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 6 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 6 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2338,7 +2338,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_7" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 7 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 7 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2359,7 +2359,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_8" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 8 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 8 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2380,7 +2380,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_9" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 9 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 9 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2401,7 +2401,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_10" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 10 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 10 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2422,7 +2422,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_11" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 11 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 11 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2443,7 +2443,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_12" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 12 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 12 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2464,7 +2464,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_13" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 13 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 13 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2485,7 +2485,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_14" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 14 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 14 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2506,7 +2506,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_15" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 15 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 15 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2527,7 +2527,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_16" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 16 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 16 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2548,7 +2548,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_17" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 17 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 17 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2569,7 +2569,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_18" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 18 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 18 }
 
   name = each.value.name
   rank = each.value.rank
@@ -2590,7 +2590,7 @@ resource "ise_device_admin_authorization_global_exception_rule" "device_admin_au
 }
 
 resource "ise_device_admin_authorization_global_exception_rule" "device_admin_authorization_global_exception_rule_19" {
-  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if var.manage_device_administration && rule.rank == 19 }
+  for_each = { for rule in local.device_admin_authorization_global_exception_rules : rule.name => rule if rule.rank == 19 }
 
   name = each.value.name
   rank = each.value.rank
diff --git a/ise_identity_management.tf b/ise_identity_management.tf
index 1e29fd7..a643d23 100644
--- a/ise_identity_management.tf
+++ b/ise_identity_management.tf
@@ -1,12 +1,12 @@
 resource "ise_user_identity_group" "user_identity_group" {
-  for_each = { for group in try(local.ise.identity_management.user_identity_groups, []) : group.name => group if var.manage_identity_management }
+  for_each = { for group in try(local.ise.identity_management.user_identity_groups, []) : group.name => group }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.identity_management.user_identity_groups.description, null)
 }
 
 resource "ise_internal_user" "internal_user" {
-  for_each = { for user in try(local.ise.identity_management.internal_users, []) : user.name => user if var.manage_identity_management }
+  for_each = { for user in try(local.ise.identity_management.internal_users, []) : user.name => user }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.identity_management.internal_users.description, null)
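Review bot: `ise_internal_user` is now created for every entry under `identity_management.internal_users` with no module-level gate, so the presence of an account in the inventory YAML is the only thing standing between a plan and a new login on ISE; the same holds for `ise_user_identity_group` in the hunk above it. Previously `manage_identity_management = false` let the inventory carry accounts without provisioning them, and if that variable is still declared elsewhere in the module (not visible here) passing `false` is now silently ignored. The rest of the `ise_internal_user` body, including whatever credential attributes it sets, continues past the hunk, so this note cannot say how the password is sourced; either way the `variable` description or README should state that the gate is gone and that account entries are applied unconditionally.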
@@ -24,8 +24,8 @@ resource "ise_internal_user" "internal_user" {
 }
 
 locals {
-  endpoint_identity_groups = { for group in try(local.ise.identity_management.endpoint_identity_groups, []) : group.name => group if var.manage_identity_management }
-  endpoint_identity_groups_with_parent = { for k, v in local.endpoint_identity_groups : k => v if try(v.parent_group, "") != "" && var.manage_identity_management }
+  endpoint_identity_groups = { for group in try(local.ise.identity_management.endpoint_identity_groups, []) : group.name => group }
+  endpoint_identity_groups_with_parent = { for k, v in local.endpoint_identity_groups : k => v if try(v.parent_group, "") != "" }
 }
 
 data "ise_endpoint_identity_group" "endpoint_identity_group" {
@@ -43,7 +43,7 @@ resource "ise_endpoint_identity_group" "endpoint_identity_group" {
 }
 
 resource "ise_certificate_authentication_profile" "certificate_authentication_profile" {
-  for_each = { for profile in try(local.ise.identity_management.certificate_authentication_profiles, []) : profile.name => profile if var.manage_identity_management }
+  for_each = { for profile in try(local.ise.identity_management.certificate_authentication_profiles, []) : profile.name => profile }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.identity_management.certificate_authentication_profiles.description, null)
@@ -55,7 +55,7 @@ resource "ise_certificate_authentication_profile" "certificate_authentication_pr
 }
 
 resource "ise_active_directory_join_point" "active_directory_join_point" {
-  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad }
 
   name = each.key
   description = try(each.value.description, local.defaults.ise.identity_management.active_directories.description, null)
@@ -102,7 +102,7 @@ resource "ise_active_directory_join_point" "active_directory_join_point" {
 }
 
 resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_join_domain_with_all_nodes" {
-  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad }
 
   join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
   additional_data = [
@@ -120,7 +120,7 @@ resource "ise_active_directory_join_domain_with_all_nodes" "active_directory_joi
 }
 
 data "ise_active_directory_groups_by_domain" "all_groups" {
-  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management }
+  for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad }
 
   join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id
   domain = try(each.value.domain, local.defaults.ise.identity_management.active_directories.domain, null)
@@ -131,7 +131,7 @@ data "ise_active_directory_groups_by_domain" "all_groups" {
 locals {
   active_directory_groups_all = {
     for k, v in data.ise_active_directory_groups_by_domain.all_groups :
-    k => { for group in v.groups : group.name => group } if var.manage_identity_management
+    k => { for group in v.groups : group.name => group }
   }
 
   active_directory_groups = {
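Review bot: `ise_active_directory_join_domain_with_all_nodes` is the resource that actually performs the domain join on the deployment's nodes, and after this hunk it fires for every `active_directories` entry with no gate other than the entry existing; before, `manage_identity_management = false` allowed the join point to be declared (and the inventory validated) without executing the join or presenting the credentials that `additional_data` carries (its contents continue past the hunk). If the `variable` is still declared in the module, which this diff does not show, a `false` value is now a silent no-op, and a domain join is the kind of side effect an operator expects to switch on deliberately. Consider an explicit per-entry opt-in in the inventory instead of none at all, e.g. `for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if try(ad.join, true) }`, and record the removal of the module-level gate in the changelog and the variable description.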
@@ -141,12 +141,12 @@ locals { type = try(local.active_directory_groups_all[ad.name][group].type, null) sid = try(local.active_directory_groups_all[ad.name][group].sid, null) } - ] if var.manage_identity_management + ] } } resource "ise_active_directory_add_groups" "active_directory_groups" { - for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad if var.manage_identity_management } + for_each = { for ad in try(local.ise.identity_management.active_directories, []) : ad.name => ad } join_point_id = ise_active_directory_join_point.active_directory_join_point[each.key].id name = ise_active_directory_join_point.active_directory_join_point[each.key].name diff --git a/ise_network_access.tf b/ise_network_access.tf index e2bc2b0..b7250a7 100644 --- a/ise_network_access.tf +++ b/ise_network_access.tf @@ -1,5 +1,5 @@ resource "ise_allowed_protocols" "allowed_protocols" { - for_each = { for protocol in try(local.ise.network_access.policy_elements.allowed_protocols, []) : protocol.name => protocol if var.manage_network_access } + for_each = { for protocol in try(local.ise.network_access.policy_elements.allowed_protocols, []) : protocol.name => protocol } description = try(each.value.description, "") name = each.key @@ -75,7 +75,7 @@ resource "ise_allowed_protocols" "allowed_protocols" { } resource "ise_authorization_profile" "authorization_profile" { - for_each = { for profile in try(local.ise.network_access.policy_elements.authorization_profiles, []) : profile.name => profile if var.manage_network_access } + for_each = { for profile in try(local.ise.network_access.policy_elements.authorization_profiles, []) : profile.name => profile } name = each.key description = try(each.value.description, local.defaults.ise.network_access.policy_elements.authorization_profiles.description, null) 
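Review bot: `ise_allowed_protocols` falls back to `try(each.value.description, "")` while every other resource on this page resolves its default through `local.defaults.ise....description`; now that this block is always instantiated it is worth aligning it with the rest, e.g. `description = try(each.value.description, local.defaults.ise.network_access.policy_elements.allowed_protocols.description, null)`, provided the provider accepts a null description as the other resources already assume. The resource body, and with it the protocol settings that make this block security-relevant, continues outside the hunk.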
@@ -126,13 +126,13 @@ resource "ise_authorization_profile" "authorization_profile" { } locals { - network_access_conditions_circular_names = var.manage_network_access ? distinct(flatten([ + network_access_conditions_circular_names = distinct(flatten([ for v in try(local.ise.network_access.policy_elements.conditions, []) : [ for v2 in try(v.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ])) : [] + ])) } data "ise_network_access_condition" "network_access_condition_circular" { @@ -142,7 +142,7 @@ data "ise_network_access_condition" "network_access_condition_circular" { } resource "ise_network_access_condition" "network_access_condition" { - for_each = { for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name => condition if var.manage_network_access } + for_each = { for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name => condition } condition_type = try(each.value.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) is_negate = try(each.value.is_negate, local.defaults.ise.network_access.policy_elements.conditions.is_negate, null) @@ -180,7 +180,7 @@ resource "ise_network_access_condition" "network_access_condition" { } resource "ise_downloadable_acl" "downloadable_acl" { - for_each = { for dacl in try(local.ise.network_access.policy_elements.downloadable_acls, []) : dacl.name => dacl if var.manage_network_access } + for_each = { for dacl in try(local.ise.network_access.policy_elements.downloadable_acls, []) : dacl.name => dacl } name = each.key description = try(each.value.description, local.defaults.ise.network_access.policy_elements.downloadable_acls.description, null) 
@@ -189,7 +189,7 @@ resource "ise_downloadable_acl" "downloadable_acl" { } resource "ise_network_access_dictionary" "network_access_dictionary" { - for_each = { for d in try(local.ise.network_access.policy_elements.dictionaries, []) : d.name => d if var.manage_network_access } + for_each = { for d in try(local.ise.network_access.policy_elements.dictionaries, []) : d.name => d } name = each.key description = try(each.value.description, local.defaults.ise.network_access.policy_elements.dictionaries.description, null) @@ -198,7 +198,7 @@ resource "ise_network_access_dictionary" "network_access_dictionary" { } resource "ise_network_access_time_and_date_condition" "network_access_time_and_date_condition" { - for_each = { for c in try(local.ise.network_access.policy_elements.time_date_conditions, []) : c.name => c if var.manage_network_access } + for_each = { for c in try(local.ise.network_access.policy_elements.time_date_conditions, []) : c.name => c } name = each.key description = try(each.value.description, local.defaults.ise.network_access.policy_elements.time_date_conditions.description, null) 
@@ -215,14 +215,14 @@ resource "ise_network_access_time_and_date_condition" "network_access_time_and_d } locals { - conditions_network_access_policy_sets = var.manage_network_access ? flatten([ + conditions_network_access_policy_sets = flatten([ for v in try(local.ise.network_access.policy_sets, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) : [] - conditions_network_access_policy_set_authentication_rules = var.manage_network_access ? flatten([ + ]) + conditions_network_access_policy_set_authentication_rules = flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authentication_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ @@ -230,8 +230,8 @@ locals { ] ] ] - ]) : [] - conditions_network_access_policy_set_authorization_rules = var.manage_network_access ? flatten([ + ]) + conditions_network_access_policy_set_authorization_rules = flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authorization_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -239,8 +239,8 @@ locals { ] ] ] - ]) : [] - conditions_network_access_policy_set_authorization_exception_rules = var.manage_network_access ? flatten([ + ]) + conditions_network_access_policy_set_authorization_exception_rules = flatten([ for v in try(local.ise.network_access.policy_sets, []) : [ for r in try(v.authorization_exception_rules, []) : try(r.condition.type, null) == "ConditionReference" ? [[[r.condition.name]]] : [ for v2 in try(r.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ 
@@ -248,17 +248,17 @@ locals { ] ] ] - ]) : [] - conditions_network_access_authorization_global_exception_rules = var.manage_network_access ? flatten([ + ]) + conditions_network_access_authorization_global_exception_rules = flatten([ for v in try(local.ise.network_access.authorization_global_exception_rules, []) : try(v.condition.type, null) == "ConditionReference" ? [[[v.condition.name]]] : [ for v2 in try(v.condition.children, []) : try(v2.type, null) == "ConditionReference" ? [[v2.name]] : [ for v3 in try(v2.children, []) : try(v3.type, null) == "ConditionReference" ? [v3.name] : [] ] ] - ]) : [] - unique_conditions_network_access = var.manage_network_access ? distinct(concat(local.conditions_network_access_policy_sets, local.conditions_network_access_policy_set_authentication_rules, local.conditions_network_access_policy_set_authorization_rules, local.conditions_network_access_policy_set_authorization_exception_rules, local.conditions_network_access_authorization_global_exception_rules)) : [] - known_conditions_network_access = var.manage_network_access ? [for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name] : [] - unknown_conditions_network_access = var.manage_network_access ? 
setsubtract(local.unique_conditions_network_access, local.known_conditions_network_access) : [] + ]) + unique_conditions_network_access = distinct(concat(local.conditions_network_access_policy_sets, local.conditions_network_access_policy_set_authentication_rules, local.conditions_network_access_policy_set_authorization_rules, local.conditions_network_access_policy_set_authorization_exception_rules, local.conditions_network_access_authorization_global_exception_rules)) + known_conditions_network_access = [for condition in try(local.ise.network_access.policy_elements.conditions, []) : condition.name] + unknown_conditions_network_access = setsubtract(local.unique_conditions_network_access, local.known_conditions_network_access) } data "ise_network_access_condition" "network_access_condition" { @@ -268,7 +268,7 @@ data "ise_network_access_condition" "network_access_condition" { } locals { - network_access_policy_sets = var.manage_network_access ? [ + network_access_policy_sets = [ for ps in try(local.ise.network_access.policy_sets, []) : { condition_type = try(ps.condition.type, local.defaults.ise.network_access.policy_sets.condition.type, null) condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.network_access.policy_sets.condition.is_negate, null) @@ -305,11 +305,11 @@ locals { }], null) }], null) } - ] : [] + ] } resource "ise_network_access_policy_set" "network_access_policy_set_0" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && (ps.rank == 0 || ps.rank == null) } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if(ps.rank == 0 || ps.rank == null) } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
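Review bot: The rewritten filter on `network_access_policy_set_0` reads `if(ps.rank == 0 || ps.rank == null)`, which looks like a function call at a glance; the sibling resources use the bare `if ps.rank == N` form, so write it as `if (ps.rank == 0 || ps.rank == null)` or drop the parentheses. The same `if(` spelling appears in the `network_access_authentication_rule_0` and `network_access_authorization_rule_0` filters later in the patch. The resource body continues outside the hunk.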
@@ -330,7 +330,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_0" { } resource "ise_network_access_policy_set" "network_access_policy_set_1" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 1 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 1 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -351,7 +351,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_1" { } resource "ise_network_access_policy_set" "network_access_policy_set_2" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 2 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 2 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -372,7 +372,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_2" { } resource "ise_network_access_policy_set" "network_access_policy_set_3" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 3 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 3 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -393,7 +393,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_3" { } resource "ise_network_access_policy_set" "network_access_policy_set_4" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 4 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 4 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -414,7 +414,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_4" { } resource "ise_network_access_policy_set" "network_access_policy_set_5" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 5 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 5 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -435,7 +435,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_5" { } resource "ise_network_access_policy_set" "network_access_policy_set_6" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 6 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 6 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -456,7 +456,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_6" { } resource "ise_network_access_policy_set" "network_access_policy_set_7" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 7 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 7 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -477,7 +477,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_7" { } resource "ise_network_access_policy_set" "network_access_policy_set_8" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 8 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 8 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -498,7 +498,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_8" { } resource "ise_network_access_policy_set" "network_access_policy_set_9" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 9 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 9 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -519,7 +519,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_9" { } resource "ise_network_access_policy_set" "network_access_policy_set_10" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 10 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 10 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -540,7 +540,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_10" { } resource "ise_network_access_policy_set" "network_access_policy_set_11" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 11 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 11 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -561,7 +561,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_11" { } resource "ise_network_access_policy_set" "network_access_policy_set_12" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 12 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 12 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -582,7 +582,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_12" { } resource "ise_network_access_policy_set" "network_access_policy_set_13" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 13 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 13 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -603,7 +603,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_13" { } resource "ise_network_access_policy_set" "network_access_policy_set_14" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 14 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 14 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -624,7 +624,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_14" { } resource "ise_network_access_policy_set" "network_access_policy_set_15" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 15 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 15 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -645,7 +645,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_15" { } resource "ise_network_access_policy_set" "network_access_policy_set_16" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 16 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 16 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -666,7 +666,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_16" { } resource "ise_network_access_policy_set" "network_access_policy_set_17" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 17 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 17 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -687,7 +687,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_17" { } resource "ise_network_access_policy_set" "network_access_policy_set_18" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 18 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 18 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate @@ -708,7 +708,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_18" { } resource "ise_network_access_policy_set" "network_access_policy_set_19" { - for_each = { for ps in local.network_access_policy_sets : ps.name => ps if var.manage_network_access && ps.rank == 19 } + for_each = { for ps in local.network_access_policy_sets : ps.name => ps if ps.rank == 19 } condition_type = each.value.condition_type condition_is_negate = each.value.condition_is_negate 
@@ -729,7 +729,7 @@ resource "ise_network_access_policy_set" "network_access_policy_set_19" { } locals { - network_access_policy_set_ids = var.manage_network_access ? merge( + network_access_policy_set_ids = merge( { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_0[ps.name].id if ps.rank == 0 || ps.rank == null }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_1[ps.name].id if ps.rank == 1 }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_2[ps.name].id if ps.rank == 2 }, @@ -750,8 +750,9 @@ locals { { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_17[ps.name].id if ps.rank == 17 }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_18[ps.name].id if ps.rank == 18 }, { for ps in local.network_access_policy_sets : ps.name => ise_network_access_policy_set.network_access_policy_set_19[ps.name].id if ps.rank == 19 }, - ) : {} - network_access_authentication_rules = var.manage_network_access ? flatten([ + ) + + network_access_authentication_rules = flatten([ for ps in try(local.ise.network_access.policy_sets, []) : [ for rule in try(ps.authentication_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -794,11 +795,11 @@ locals { }], null) } ] - ]) : null + ]) } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_0" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) } policy_set_id = each.value.policy_set_id name = each.value.name 
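Review bot: `network_access_policy_set_ids` only merges ranks 0–19 and there is no `network_access_policy_set_N` resource above 19, so a policy set whose YAML `rank` is 20 or more is silently dropped from the map, and any rule local that later indexes `local.network_access_policy_set_ids[ps.name]` (that part of the rule locals is outside the hunk, so I could not confirm the lookup) would fail with an unhelpful missing-key error. With the `var.manage_network_access ? … : {}` wrapper gone there is no longer any branch that short-circuits this path, so a plan-time guard such as a precondition with `condition = alltrue([for ps in local.network_access_policy_sets : ps.rank == null || (ps.rank >= 0 && ps.rank <= 19)])` and an explicit error message would surface the limit instead. The `network_access_authentication_rules` local starts in this hunk and continues outside it.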
@@ -822,7 +823,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_1" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 1 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 1 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -846,7 +847,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_2" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 2 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 2 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -870,7 +871,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_3" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 3 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 3 } policy_set_id = each.value.policy_set_id name = each.value.name 
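Review bot: `network_access_authentication_rule_1` keeps `coalesce(local.network_access_authentication_rules, [])`, but the `: null` fallback was removed from that local in the previous hunk and `flatten([...])` always yields a list, so the `coalesce` is now dead code and inconsistent with `network_access_authentication_rule_0`, which iterates the local directly. Use the same form here and in `_2` through `_19`: `for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 1 }`. The resource body continues outside the hunk.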
@@ -894,7 +895,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_4" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 4 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 4 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -918,7 +919,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_5" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 5 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 5 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -942,7 +943,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_6" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 6 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 6 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -966,7 +967,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_7" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 7 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 7 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -990,7 +991,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_8" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 8 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 8 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1014,7 +1015,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_9" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 9 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 9 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1038,7 +1039,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_10" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 10 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 10 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1062,7 +1063,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_11" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 11 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 11 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1086,7 +1087,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_12" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 12 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 12 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1110,7 +1111,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_13" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 13 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 13 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1134,7 +1135,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_14" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 14 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 14 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1158,7 +1159,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_15" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 15 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 15 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1182,7 +1183,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_16" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 16 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 16 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1206,7 +1207,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_17" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 17 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 17 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1230,7 +1231,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_18" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 18 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 18 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1254,7 +1255,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_19" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if var.manage_network_access && rule.rank == 19 } + for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 19 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1278,7 +1279,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } locals { - network_access_authorization_rules = var.manage_network_access ? flatten([ + network_access_authorization_rules = flatten([ for ps in try(local.ise.network_access.policy_sets, []) : [ for rule in try(ps.authorization_rules, []) : { key = format("%s/%s", ps.name, rule.name) @@ -1319,11 +1320,11 @@ locals { }], null) } ] - ]) : [] + ]) } resource "ise_network_access_authorization_rule" "network_access_authorization_rule_0" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) } + for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if(rule.rank == 0 || rule.rank == null) } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1345,7 +1346,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r } resource "ise_network_access_authorization_rule" "network_access_authorization_rule_1" { - for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 1 } + for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 1 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1367,7 +1368,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_2" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 2 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 2 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1389,7 +1390,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_3" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 3 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 3 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1411,7 +1412,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_4" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 4 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 4 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1433,7 +1434,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_5" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 5 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 5 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1455,7 +1456,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_6" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 6 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 6 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1477,7 +1478,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_7" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 7 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 7 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1499,7 +1500,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_8" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 8 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 8 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1521,7 +1522,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_9" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 9 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 9 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1543,7 +1544,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_10" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 10 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 10 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1565,7 +1566,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_11" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 11 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 11 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1587,7 +1588,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_12" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 12 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 12 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1609,7 +1610,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_13" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 13 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 13 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1631,7 +1632,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_14" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 14 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 14 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1653,7 +1654,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_15" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 15 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 15 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1675,7 +1676,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_16" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 16 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 16 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1697,7 +1698,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_17" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 17 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 17 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1719,7 +1720,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_18" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 18 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 18 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1741,7 +1742,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 resource "ise_network_access_authorization_rule" "network_access_authorization_rule_19" {
- for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if var.manage_network_access && rule.rank == 19 }
+ for_each = { for rule in local.network_access_authorization_rules : rule.key => rule if rule.rank == 19 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1763,7 +1764,7 @@ resource "ise_network_access_authorization_rule" "network_access_authorization_r
 }
 locals {
- network_access_authorization_exception_rules = var.manage_network_access ? flatten([
+ network_access_authorization_exception_rules = flatten([
 for ps in try(local.ise.network_access.policy_sets, []) : [
 for rule in try(ps.authorization_exception_rules, []) : {
 key = format("%s/%s", ps.name, rule.name)
@@ -1804,11 +1805,11 @@ locals {
 }], null)
 }
 ]
- ]) : []
+ ])
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_0" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule && (rule.rank == 0 || rule.rank == null) }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1830,7 +1831,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_1" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 1 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 1 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1852,7 +1853,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_2" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 2 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 2 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
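Review bot: The rewritten `for_each` filter of `network_access_authorization_exception_rule_0` lost its `if` keyword, so the new line reads `rule.key => rule && (rule.rank == 0 || rule.rank == null)`; `&&` is applied to the rule object rather than filtering on it, and `terraform validate` will reject the expression. It should be `rule.key => rule if (rule.rank == 0 || rule.rank == null)`. The same slip is in `network_access_authorization_global_exception_rule_0` (hunk `@@ -2285,11 +2286,11 @@`), whose new line ends `rule.name => rule && (rule.rank == 0 || rule.rank == null)`. Separately, the exception-rule resources in this file now iterate `coalesce(local.network_access_authorization_exception_rules, [])` while the authorization-rule resources above iterate `local.network_access_authorization_rules` directly; both locals are `flatten([...])` and cannot be null, so one form should be used throughout.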
@@ -1874,7 +1875,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_3" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 3 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 3 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1896,7 +1897,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_4" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 4 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 4 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1918,7 +1919,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_5" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 5 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 5 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1940,7 +1941,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_6" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 6 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 6 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1962,7 +1963,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_7" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 7 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 7 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1984,7 +1985,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_8" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 8 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 8 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2006,7 +2007,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_9" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 9 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 9 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2028,7 +2029,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_10" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 10 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 10 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2050,7 +2051,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_11" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 11 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 11 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2072,7 +2073,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_12" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 12 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 12 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2094,7 +2095,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_13" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 13 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 13 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2116,7 +2117,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_14" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 14 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 14 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2138,7 +2139,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_15" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 15 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 15 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2160,7 +2161,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_16" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 16 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 16 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2182,7 +2183,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_17" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 17 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 17 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2204,7 +2205,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_18" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 18 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 18 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2226,7 +2227,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_19" {
- for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if var.manage_network_access && rule.rank == 19 }
+ for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 19 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2248,7 +2249,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 locals {
- network_access_authorization_global_exception_rules = var.manage_network_access ? [
+ network_access_authorization_global_exception_rules = [
 for rule in try(local.ise.network_access.authorization_global_exception_rules, []) : {
 name = rule.name
 rank = try(rule.rank, local.defaults.ise.network_access.authorization_global_exception_rules.rank, null)
@@ -2285,11 +2286,11 @@ locals {
 }], null)
 }], null)
 }
- ] : []
+ ]
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_0" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && (rule.rank == 0 || rule.rank == null) }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule && (rule.rank == 0 || rule.rank == null) }
 name = each.value.name
 rank = each.value.rank
@@ -2310,7 +2311,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_1" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 1 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 1 }
 name = each.value.name
 rank = each.value.rank
@@ -2331,7 +2332,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_2" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 2 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 2 }
 name = each.value.name
 rank = each.value.rank
@@ -2352,7 +2353,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_3" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 3 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 3 }
 name = each.value.name
 rank = each.value.rank
@@ -2373,7 +2374,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_4" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 4 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 4 }
 name = each.value.name
 rank = each.value.rank
@@ -2394,7 +2395,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_5" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 5 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 5 }
 name = each.value.name
 rank = each.value.rank
@@ -2415,7 +2416,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_6" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 6 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 6 }
 name = each.value.name
 rank = each.value.rank
@@ -2436,7 +2437,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_7" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 7 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 7 }
 name = each.value.name
 rank = each.value.rank
@@ -2457,7 +2458,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_8" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 8 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 8 }
 name = each.value.name
 rank = each.value.rank
@@ -2478,7 +2479,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_9" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 9 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 9 }
 name = each.value.name
 rank = each.value.rank
@@ -2499,7 +2500,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_10" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 10 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 10 }
 name = each.value.name
 rank = each.value.rank
@@ -2520,7 +2521,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_11" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 11 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 11 }
 name = each.value.name
 rank = each.value.rank
@@ -2541,7 +2542,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_12" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 12 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 12 }
 name = each.value.name
 rank = each.value.rank
@@ -2562,7 +2563,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_13" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 13 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 13 }
 name = each.value.name
 rank = each.value.rank
@@ -2583,7 +2584,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_14" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 14 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 14 }
 name = each.value.name
 rank = each.value.rank
@@ -2604,7 +2605,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_15" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 15 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 15 }
 name = each.value.name
 rank = each.value.rank
@@ -2625,7 +2626,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_16" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 16 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 16 }
 name = each.value.name
 rank = each.value.rank
@@ -2646,7 +2647,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_17" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 17 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 17 }
 name = each.value.name
 rank = each.value.rank
@@ -2667,7 +2668,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_18" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 18 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 18 }
 name = each.value.name
 rank = each.value.rank
@@ -2688,7 +2689,7 @@ resource "ise_network_access_authorization_global_exception_rule" "network_acces
 }
 resource "ise_network_access_authorization_global_exception_rule" "network_access_authorization_global_exception_rule_19" {
- for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if var.manage_network_access && rule.rank == 19 }
+ for_each = { for rule in local.network_access_authorization_global_exception_rules : rule.name => rule if rule.rank == 19 }
 name = each.value.name
 rank = each.value.rank
diff --git a/ise_network_resources.tf b/ise_network_resources.tf
index a9236bb..84f186b 100644
--- a/ise_network_resources.tf
+++ b/ise_network_resources.tf
@@ -1,13 +1,13 @@ locals { - network_device_groups = var.manage_network_resources ? [for group in try(local.ise.network_resources.network_device_groups, []) : { + network_device_groups = [for group in try(local.ise.network_resources.network_device_groups, []) : { name = try(split("#", group.path)[0] == "All Device Types", false) ? "Device Type#${group.path}#${group.name}" : (try(split("#", group.path)[0] == "All Locations", false) ? "Location#${group.path}#${group.name}" : (try(split("#", group.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${group.path}" : (try(group.path, null) == null ? "${group.name}#${group.name}" : "${split("#", group.path)[0]}#${group.path}#${group.name}"))) description = try(group.description, local.defaults.ise.network_resources.network_device_groups.description, null) root_group = try(split("#", group.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", group.path)[0] == "All Locations", false) ? "Location" : (try(split("#", group.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", group.path)[0], group.name))) - }] : [] + }] } resource "ise_network_device_group" "network_device_group_0" { - for_each = { for group in local.network_device_groups : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups : group.name => group } name = each.value.name description = each.value.description 
@@ -15,17 +15,17 @@ resource "ise_network_device_group" "network_device_group_0" { } locals { - network_device_groups_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : { name = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type#${p.path}#${p.name}#${c.name}" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location#${p.path}#${p.name}#${c.name}" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${p.path}" : (try(p.path, null) == null ? "${p.name}#${p.name}#${c.name}" : "${split("#", p.path)[0]}#${p.path}#${p.name}#${c.name}"))) description = try(c.description, local.defaults.ise.network_resources.network_device_groups.children.description, null) root_group = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", p.path)[0], p.name))) } - ]]) : [] + ]]) } resource "ise_network_device_group" "network_device_group_1" { - for_each = { for group in local.network_device_groups_children : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups_children : group.name => group } name = each.value.name description = each.value.description 
@@ -35,7 +35,7 @@ resource "ise_network_device_group" "network_device_group_1" { } locals { - network_device_groups_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : { name = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location#${p.path}#${p.name}#${c.name}#${c2.name}" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC#${p.path}" : (try(p.path, null) == null ? "${p.name}#${p.name}#${c.name}#${c2.name}" : "${split("#", p.path)[0]}#${p.path}#${p.name}#${c.name}#${c2.name}"))) @@ -43,11 +43,11 @@ locals { root_group = try(split("#", p.path)[0] == "All Device Types", false) ? "Device Type" : (try(split("#", p.path)[0] == "All Locations", false) ? "Location" : (try(split("#", p.path)[0] == "Is IPSEC Device", false) ? "IPSEC" : try(split("#", p.path)[0], p.name))) } ] - ]]) : [] + ]]) } resource "ise_network_device_group" "network_device_group_2" { - for_each = { for group in local.network_device_groups_children_children : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups_children_children : group.name => group } name = each.value.name description = each.value.description 
@@ -57,7 +57,7 @@ resource "ise_network_device_group" "network_device_group_2" { } locals { - network_device_groups_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : { @@ -67,11 +67,11 @@ locals { } ] ] - ]]) : [] + ]]) } resource "ise_network_device_group" "network_device_group_3" { - for_each = { for group in local.network_device_groups_children_children_children : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups_children_children_children : group.name => group } name = each.value.name description = each.value.description @@ -81,7 +81,7 @@ resource "ise_network_device_group" "network_device_group_3" { } locals { - network_device_groups_children_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : [ @@ -93,11 +93,11 @@ locals { ] ] ] - ]]) : [] + ]]) } resource "ise_network_device_group" "network_device_group_4" { - for_each = { for group in local.network_device_groups_children_children_children_children : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups_children_children_children_children : group.name => group } name = each.value.name description = each.value.description 
@@ -107,7 +107,7 @@ resource "ise_network_device_group" "network_device_group_4" { } locals { - network_device_groups_children_children_children_children_children = var.manage_network_resources ? flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ + network_device_groups_children_children_children_children_children = flatten([for p in try(local.ise.network_resources.network_device_groups, []) : [ for c in try(p.children, []) : [ for c2 in try(c.children, []) : [ for c3 in try(c2.children, []) : [ @@ -121,11 +121,11 @@ locals { ] ] ] - ]]) : [] + ]]) } resource "ise_network_device_group" "network_device_group_5" { - for_each = { for group in local.network_device_groups_children_children_children_children_children : group.name => group if var.manage_network_resources } + for_each = { for group in local.network_device_groups_children_children_children_children_children : group.name => group } name = each.value.name description = each.value.description @@ -136,7 +136,7 @@ resource "ise_network_device_group" "network_device_group_5" { # Workaround for ISE API issue where creating/deleting a network device immediately after creating/deleting a network device group fails resource "time_sleep" "network_device_group_wait" { - count = var.manage_network_resources ? 1 : 0 + count = length(try(local.network_device_groups_children_children_children_children_children, [])) > 0 ? 1 : 0 create_duration = "5s" destroy_duration = "5s" @@ -145,7 +145,7 @@ resource "time_sleep" "network_device_group_wait" { } resource "ise_network_device" "network_device" { - for_each = { for nd in try(local.ise.network_resources.network_devices, []) : nd.name => nd if var.manage_network_resources } + for_each = { for nd in try(local.ise.network_resources.network_devices, []) : nd.name => nd } name = each.value.name description = try(each.value.description, local.defaults.ise.network_resources.network_devices.description, null) 
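Review bot: The new count on time_sleep.network_device_group_wait is gated only on the fifth-level local `network_device_groups_children_children_children_children_children`, so a model whose device groups are nested fewer than five levels deep gets count = 0 and ise_network_device is created right after the groups, without the delay the comment above says the ISE API needs. Every child level is derived from entries of `local.ise.network_resources.network_device_groups`, so gating on the top-level list covers all depths: `count = length(try(local.ise.network_resources.network_device_groups, [])) > 0 ? 1 : 0`. The remainder of the time_sleep block and of ise_network_device lies outside this hunk.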
diff --git a/ise_system.tf b/ise_system.tf
index eb69e09..7c193ba 100644
--- a/ise_system.tf
+++ b/ise_system.tf
@@ -1,5 +1,5 @@
 resource "ise_repository" "repository" {
- for_each = { for repository in try(local.ise.system.repositories, []) : repository.name => repository if var.manage_system }
+ for_each = { for repository in try(local.ise.system.repositories, []) : repository.name => repository }
 name = each.key
 enable_pki = try(each.value.enable_pki, local.defaults.ise.system.repositories.enable_pki, null)
@@ -11,7 +11,7 @@ resource "ise_repository" "repository" {
 }
 resource "ise_license_tier_state" "license_tier_state" {
- count = length(try(local.ise.system.licenses, [])) > 0 && var.manage_system ? 1 : 0
+ count = length(try(local.ise.system.licenses, [])) > 0 ? 1 : 0
 licenses = [for license in try(local.ise.system.licenses, []) : {
 name = license.name
diff --git a/ise_trustsec.tf b/ise_trustsec.tf
index 7a765a0..02ef7cd 100644
--- a/ise_trustsec.tf
+++ b/ise_trustsec.tf
@@ -1,11 +1,11 @@ locals { - trustsec_matrix = { for cell in try(local.ise.trust_sec.matrix_entries, []) : "${cell.source_sgt}-${cell.destination_sgt}" => cell if var.manage_trust_sec } - unique_sgts = var.manage_trust_sec ? distinct(concat([for key, value in local.trustsec_matrix : value.source_sgt], [for key, value in local.trustsec_matrix : value.destination_sgt], [for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.sgt, null) if try(map.sgt, null) != null], [for map in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : try(map.sgt, null) if try(map.sgt, null) != null])) : [] - known_sgts = var.manage_trust_sec ? [for group in try(local.ise.trust_sec.security_groups, []) : group.name] : [] - unknown_sgts = var.manage_trust_sec ? setsubtract(local.unique_sgts, local.known_sgts) : [] - unique_sgacls = var.manage_trust_sec ? distinct([for key, value in local.trustsec_matrix : value.sgacl_name]) : [] - known_sgacls = var.manage_trust_sec ? [for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name] : [] - unknown_sgacls = var.manage_trust_sec ? 
setsubtract(local.unique_sgacls, local.known_sgacls) : [] + trustsec_matrix = { for cell in try(local.ise.trust_sec.matrix_entries, []) : "${cell.source_sgt}-${cell.destination_sgt}" => cell } + unique_sgts = distinct(concat([for key, value in local.trustsec_matrix : value.source_sgt], [for key, value in local.trustsec_matrix : value.destination_sgt], [for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.sgt, null) if try(map.sgt, null) != null], [for map in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : try(map.sgt, null) if try(map.sgt, null) != null])) + known_sgts = [for group in try(local.ise.trust_sec.security_groups, []) : group.name] + unknown_sgts = setsubtract(local.unique_sgts, local.known_sgts) + unique_sgacls = distinct([for key, value in local.trustsec_matrix : value.sgacl_name]) + known_sgacls = [for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name] + unknown_sgacls = setsubtract(local.unique_sgacls, local.known_sgacls) } data "ise_trustsec_security_group" "trustsec_security_group" { @@ -21,7 +21,7 @@ data "ise_trustsec_security_group_acl" "trustsec_security_group_acl" { } resource "ise_trustsec_security_group" "trustsec_security_group" { - for_each = { for group in try(local.ise.trust_sec.security_groups, []) : group.name => group if var.manage_trust_sec } + for_each = { for group in try(local.ise.trust_sec.security_groups, []) : group.name => group } name = each.key description = try(each.value.description, local.defaults.ise.trust_sec.security_groups.description, null) 
@@ -30,7 +30,7 @@ resource "ise_trustsec_security_group" "trustsec_security_group" { } resource "ise_trustsec_security_group_acl" "trustsec_security_group_acl" { - for_each = { for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name => acl if var.manage_trust_sec } + for_each = { for acl in try(local.ise.trust_sec.security_group_acls, []) : acl.name => acl } name = each.key acl_content = try(each.value.acl_content, local.defaults.ise.trust_sec.security_group_acls.acl_content, null) @@ -41,7 +41,7 @@ resource "ise_trustsec_security_group_acl" "trustsec_security_group_acl" { } resource "ise_trustsec_ip_to_sgt_mapping_group" "trustsec_ip_to_sgt_mapping_group" { - for_each = { for group in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : group.name => group if var.manage_trust_sec } + for_each = { for group in try(local.ise.trust_sec.ip_sgt_mapping_groups, []) : group.name => group } name = each.key sgt = contains(local.known_sgts, each.value.sgt) ? ise_trustsec_security_group.trustsec_security_group[each.value.sgt].id : data.ise_trustsec_security_group.trustsec_security_group[each.value.sgt].id @@ -52,7 +52,7 @@ resource "ise_trustsec_ip_to_sgt_mapping_group" "trustsec_ip_to_sgt_mapping_grou } resource "ise_trustsec_ip_to_sgt_mapping" "trustsec_ip_to_sgt_mapping" { - for_each = { for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.host_name, map.host_ip) => map if var.manage_trust_sec } + for_each = { for map in try(local.ise.trust_sec.ip_sgt_mappings, []) : try(map.host_name, map.host_ip) => map } name = each.key host_ip = try(each.value.host_ip, local.defaults.ise.trust_sec.ip_sgt_mappings.host_ip, null) 
@@ -67,7 +67,7 @@ resource "ise_trustsec_ip_to_sgt_mapping" "trustsec_ip_to_sgt_mapping" {
 # Workaround for ISE API issue where deleting an SGT immediately after deleting an object using this SGT fails
 resource "time_sleep" "sgt_wait" {
- count = var.manage_trust_sec ? 1 : 0
+ count = length(try(local.ise.trust_sec.security_groups, [])) > 0 ? 1 : 0
 destroy_duration = "10s"
diff --git a/variables.tf b/variables.tf
index 66c6152..ac749f3 100644
--- a/variables.tf
+++ b/variables.tf
@@ -16,42 +16,6 @@ variable "model" {
 default = {}
 }
-variable "manage_network_resources" {
- description = "Flag to indicate if network resources configuration should be managed."
- type = bool
- default = false
-}
-
-variable "manage_network_access" {
- description = "Flag to indicate if network access configuration should be managed."
- type = bool
- default = false
-}
-
-variable "manage_device_administration" {
- description = "Flag to indicate if device administration configuration should be managed."
- type = bool
- default = false
-}
-
-variable "manage_identity_management" {
- description = "Flag to indicate if identity management configuration should be managed."
- type = bool
- default = false
-}
-
-variable "manage_trust_sec" {
- description = "Flag to indicate if TrustSec configuration should be managed."
- type = bool
- default = false
-}
-
-variable "manage_system" {
- description = "Flag to indicate if system configuration should be managed."
- type = bool
- default = false
-}
-
 variable "write_default_values_file" {
 description = "Write all default values to a YAML file. Value is a path pointing to the file to be created."
 type = string
From f5ba313070b0b21c3670c42f111b69d767d1f202 Mon Sep 17 00:00:00 2001
From: Kuba Mazurkiewicz Date: Wed, 14 Feb 2024 22:26:51 +0100 Subject: [PATCH 10/14] added identity_source_sequence - fix #6, changed attribute_name to dictionary_name and attribute_name --- README.md | 1 + ise_device_admin.tf | 144 ++++++++++++++++++------------------- ise_identity_management.tf | 15 ++++ ise_network_access.tf | 144 ++++++++++++++++++------------------- 4 files changed, 160 insertions(+), 144 deletions(-) diff --git a/README.md b/README.md index 9c6181e..added55 100644 --- a/README.md +++ b/README.md @@ -178,6 +178,7 @@ module "ise" { | [ise_device_admin_time_and_date_condition.device_admin_time_and_date_condition](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/device_admin_time_and_date_condition) | resource | | [ise_downloadable_acl.downloadable_acl](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/downloadable_acl) | resource | | [ise_endpoint_identity_group.endpoint_identity_group](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/endpoint_identity_group) | resource | +| [ise_identity_source_sequence.identity_source_sequences](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/identity_source_sequence) | resource | | [ise_internal_user.internal_user](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/internal_user) | resource | | [ise_license_tier_state.license_tier_state](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/license_tier_state) | resource | | [ise_network_access_authentication_rule.network_access_authentication_rule_0](https://registry.terraform.io/providers/CiscoDevNet/ise/latest/docs/resources/network_access_authentication_rule) | resource | diff --git a/ise_device_admin.tf b/ise_device_admin.tf index fc25580..c17b8a5 100644 --- a/ise_device_admin.tf +++ b/ise_device_admin.tf 
@@ -19,28 +19,28 @@ resource "ise_device_admin_condition" "device_admin_condition" { condition_type = try(each.value.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) is_negate = try(each.value.is_negate, local.defaults.ise.device_administration.policy_elements.conditions.is_negate, null) - attribute_name = strcontains(try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[1] : try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[1] : try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? 
split(":", try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(each.value.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) + attribute_value = try(each.value.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) + dictionary_name = try(each.value.dictionary_name, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(each.value.dictionary_value, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_value, null) operator = try(each.value.operator, local.defaults.ise.device_administration.policy_elements.conditions.operator, null) description = try(each.value.description, local.defaults.ise.device_administration.policy_elements.conditions.description, null) name = each.key children = [for c in try(each.value.children, []) : { - attribute_name = strcontains(try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[1] : try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[1] : try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? 
split(":", try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(c.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) + attribute_value = try(c.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) + dictionary_name = try(c.dictionary_name, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(c.dictionary_value, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_value, null) condition_type = try(c.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) is_negate = try(c.is_negate, local.defaults.ise.device_administration.policy_elements.conditions.is_negate, null) operator = try(c.operator, local.defaults.ise.device_administration.policy_elements.conditions.operator, null) name = try(c.name, null) id = try(c.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) == "ConditionReference" ? data.ise_device_admin_condition.device_admin_condition_circular[c.name].id : null children = [for c2 in try(c.children, []) : { - attribute_name = strcontains(try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? 
split(":", try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[1] : try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[1] : try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, ""), ":") ? 
split(":", try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(c2.attribute_name, local.defaults.ise.device_administration.policy_elements.conditions.attribute_name, null) + attribute_value = try(c2.attribute_value, local.defaults.ise.device_administration.policy_elements.conditions.attribute_value, null) + dictionary_name = try(c2.dictionary_name, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(c2.dictionary_value, local.defaults.ise.device_administration.policy_elements.conditions.dictionary_value, null) condition_type = try(c2.type, local.defaults.ise.device_administration.policy_elements.conditions.type, null) is_negate = try(c2.is_negate, local.defaults.ise.device_administration.policy_elements.conditions.is_negate, null) operator = try(c2.operator, local.defaults.ise.device_administration.policy_elements.conditions.operator, null) 
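Review bot: The rewritten attribute_name/dictionary_name lines pass the model values straight through and no longer split the former `Dictionary:Attribute` shorthand, so a model that still uses the colon form now produces a condition whose attribute_name contains the colon and whose dictionary_name is null; whether ISE rejects that or stores a condition that never matches, the plan does not flag the changed policy condition. Because these conditions gate device-admin authentication and authorization, fail the plan instead with a lifecycle precondition on the resource (the nested children lists need the same check via `alltrue` over `c.attribute_name` and `c2.attribute_name`), and record the new `dictionary_name` key in the defaults and README. The same pattern recurs in the policy_sets locals of the next two hunks and, per the diffstat, in ise_network_access.tf. The resource header and closing brace of ise_device_admin_condition are outside this hunk.
```hcl
resource "ise_device_admin_condition" "device_admin_condition" {
  # … unchanged: for_each, condition_type, attribute_name, dictionary_name, children …

  lifecycle {
    precondition {
      condition     = !strcontains(try(each.value.attribute_name, ""), ":")
      error_message = "attribute_name must not use the old 'Dictionary:Attribute' form; set dictionary_name and attribute_name separately."
    }
  }
```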
@@ -162,10 +162,10 @@ locals { for ps in try(local.ise.device_administration.policy_sets, []) : { condition_type = try(ps.condition.type, local.defaults.ise.device_administration.policy_sets.condition.type, null) condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null) - condition_attribute_name = strcontains(try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) - condition_attribute_value = strcontains(try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null + condition_attribute_name = try(ps.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) + condition_attribute_value = try(ps.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) + condition_dictionary_name = try(ps.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.condition.dictionary_name, null) + condition_dictionary_value = try(ps.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.condition.dictionary_value, null) condition_id = contains(local.known_conditions_device_admin, try(ps.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[ps.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[ps.condition.name].id, null) condition_operator = try(ps.condition.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null) description = try(ps.description, local.defaults.ise.device_administration.policy_sets.description, null) 
@@ -175,19 +175,19 @@ locals { state = try(ps.state, local.defaults.ise.device_administration.policy_sets.state) rank = try(ps.rank, local.defaults.ise.device_administration.policy_sets.rank, null) children = try([for i in ps.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null) id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.condition.operator, null) 
@@ -653,29 +653,29 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.type, null) condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.operator, null) identity_source_name = try(rule.identity_source_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.identity_source_name, null) if_auth_fail = try(rule.if_auth_fail, local.defaults.ise.device_administration.policy_sets.authentication_rules.if_auth_fail, null) if_process_fail = try(rule.if_process_fail, local.defaults.ise.device_administration.policy_sets.authentication_rules.if_process_fail, null) if_user_not_found = try(rule.if_user_not_found, local.defaults.ise.device_administration.policy_sets.authentication_rules.if_user_not_found, null) children = try([for i in rule.condition.children : { - 
attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.operator, null) id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authentication_rules.condition.operator, null) 
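Review bot: Dropping the `strcontains`/`split` handling silently changes what an existing `attribute_name: "Dictionary:Attribute"` value produces — on the new side it is passed through whole as `condition_attribute_name` while `condition_dictionary_name` falls back to the default or `null`, so an authentication rule written against the old YAML model is no longer rejected, it is just sent to ISE as a different condition, which for an access-policy rule is a fail-open style regression rather than a plan error. The same pattern is repeated in the hunks ending at L225, L231 and L237 (authorization_rules, authorization_exception_rules and authorization_global_exception_rules), and from what is visible also in the hunk that runs past L214 and the ise_network_access_condition hunk starting at L239. Since this is a `locals` block (which begins and ends outside the hunk) it cannot assert by itself; I would add a `lifecycle { precondition { … } }` on the resource that consumes these locals, along the lines of `condition = alltrue([for r in local.<rules-local> : !strcontains(try(r.condition_attribute_name, ""), ":") || r.condition_dictionary_name != null])` with `error_message = "attribute_name uses Dictionary:Attribute form; set dictionary_name instead."`, and document the new `dictionary_name`/`dictionary_value` keys in the YAML model docs so the break is visible rather than silent.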
@@ -1192,27 +1192,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_rules.profile, null) command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_rules.command_sets, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_rules.condition.operator, null) 
@@ -1677,27 +1677,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) profile = try(rule.profile, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.profile, null) command_sets = try(rule.command_sets, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.command_sets, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.device_administration.policy_sets.authorization_exception_rules.condition.operator, null) 
@@ -2159,27 +2159,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) condition_id = contains(local.known_conditions_device_admin, try(rule.condition.name, "")) ? ise_device_admin_condition.device_admin_condition[rule.condition.name].id : try(data.ise_device_admin_condition.device_admin_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) profile = try(rule.profile, local.defaults.ise.device_administration.authorization_global_exception_rules.profile, null) command_sets = try(rule.command_sets, local.defaults.ise.device_administration.authorization_global_exception_rules.command_sets, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) id = contains(local.known_conditions_device_admin, try(i.name, "")) ? ise_device_admin_condition.device_admin_condition[i.name].id : try(data.ise_device_admin_condition.device_admin_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.device_administration.authorization_global_exception_rules.condition.operator, null) diff --git a/ise_identity_management.tf b/ise_identity_management.tf index a643d23..bbdf155 100644 --- a/ise_identity_management.tf +++ b/ise_identity_management.tf 
@@ -158,3 +158,18 @@ resource "ise_active_directory_add_groups" "active_directory_groups" {
 depends_on = [ise_active_directory_join_point.active_directory_join_point, ise_active_directory_join_domain_with_all_nodes.active_directory_join_domain_with_all_nodes]
 }
+
+resource "ise_identity_source_sequence" "identity_source_sequences" {
+ for_each = { for sequence in try(local.ise.identity_management.identity_source_sequences, []) : sequence.name => sequence }
+
+ name = each.key
+ description = try(each.value.description, local.defaults.ise.identity_management.identity_source_sequences.description, null)
+ break_on_store_fail = try(each.value.break_on_store_fail, local.defaults.ise.identity_management.identity_source_sequences.break_on_store_fail, null)
+ certificate_authentication_profile = try(each.value.certificate_authentication_profile, local.defaults.ise.identity_management.identity_source_sequences.certificate_authentication_profile, null)
+ identity_sources = [for index, identity_source in try(each.value.identity_sources, []) : {
+ name = try(identity_source, local.defaults.ise.identity_management.identity_source_sequences.identity_sources, null)
+ order = index + 1
+ }]
+
+ depends_on = [ise_active_directory_join_point.active_directory_join_point]
+}
diff --git a/ise_network_access.tf b/ise_network_access.tf
index b7250a7..334e580 100644
--- a/ise_network_access.tf
+++ b/ise_network_access.tf
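Review bot: The `for_each` on the new `ise_identity_source_sequence` resource is not gated on the module's manage flag, whereas the `ise_active_directory_join_point` resource it `depends_on` appears to be filtered with `if var.manage_identity_management`, so sequences would presumably still be created when the flag is off; `for_each = { for sequence in try(local.ise.identity_management.identity_source_sequences, []) : sequence.name => sequence if var.manage_identity_management }`. In the `identity_sources` comprehension, `name = try(identity_source, local.defaults.ise.identity_management.identity_source_sequences.identity_sources, null)` can never reach the default because `identity_source` is the loop variable and always resolves, so either drop the fallback or, if a list of objects was intended, read `identity_source.name`. Nothing in the hunk checks that each listed source name refers to a known identity store, so a typo only surfaces at apply time from the ISE API — worth a sentence in the resource's documentation.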
@@ -146,28 +146,28 @@ resource "ise_network_access_condition" "network_access_condition" { condition_type = try(each.value.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) is_negate = try(each.value.is_negate, local.defaults.ise.network_access.policy_elements.conditions.is_negate, null) - attribute_name = strcontains(try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[1] : try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[1] : try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? 
split(":", try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(each.value.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) + attribute_value = try(each.value.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) + dictionary_name = try(each.value.dictionary_name, local.defaults.ise.network_access.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(each.value.dictionary_value, local.defaults.ise.network_access.policy_elements.conditions.dictionary_value, null) operator = try(each.value.operator, local.defaults.ise.network_access.policy_elements.conditions.operator, null) description = try(each.value.description, local.defaults.ise.network_access.policy_elements.conditions.description, null) name = each.key children = [for c in try(each.value.children, []) : { - attribute_name = strcontains(try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[1] : try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[1] : try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? 
split(":", try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(c.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) + attribute_value = try(c.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) + dictionary_name = try(c.dictionary_name, local.defaults.ise.network_access.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(c.dictionary_value, local.defaults.ise.network_access.policy_elements.conditions.dictionary_value, null) condition_type = try(c.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) is_negate = try(c.is_negate, local.defaults.ise.network_access.policy_elements.conditions.is_negate, null) operator = try(c.operator, local.defaults.ise.network_access.policy_elements.conditions.operator, null) name = try(c.name, null) id = try(c.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) == "ConditionReference" ? data.ise_network_access_condition.network_access_condition_circular[c.name].id : null children = [for c2 in try(c.children, []) : { - attribute_name = strcontains(try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? 
split(":", try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[1] : try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) - attribute_value = strcontains(try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[1] : try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) - dictionary_name = strcontains(try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, ""), ":") ? split(":", try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null))[0] : null - dictionary_value = strcontains(try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, ""), ":") ? split(":", try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null))[0] : null + attribute_name = try(c2.attribute_name, local.defaults.ise.network_access.policy_elements.conditions.attribute_name, null) + attribute_value = try(c2.attribute_value, local.defaults.ise.network_access.policy_elements.conditions.attribute_value, null) + dictionary_name = try(c2.dictionary_name, local.defaults.ise.network_access.policy_elements.conditions.dictionary_name, null) + dictionary_value = try(c2.dictionary_value, local.defaults.ise.network_access.policy_elements.conditions.dictionary_value, null) condition_type = try(c2.type, local.defaults.ise.network_access.policy_elements.conditions.type, null) is_negate = try(c2.is_negate, local.defaults.ise.network_access.policy_elements.conditions.is_negate, null) operator = try(c2.operator, local.defaults.ise.network_access.policy_elements.conditions.operator, null) 
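Review bot: The four `+` lines at the top of the hunk (and the same replacement in both nested `children` comprehensions) stop splitting a `Dictionary:Attribute` value out of `attribute_name`/`attribute_value` and instead read new `dictionary_name`/`dictionary_value` keys, which silently changes the meaning of existing inventories written in the colon form: such a value is now sent verbatim as `attribute_name` with `dictionary_name = null` unless the defaults file supplies one, and for an access-policy condition a quietly different match is the worst failure mode. I cannot see a defaults or documentation change for the new keys in this chunk, so the schema change should at least be called out, and ideally rejected early with a `lifecycle { precondition { … } }` on the resource that refuses a `:` in `attribute_name` (sketched below; it covers only the top-level condition, nested children would need an equivalent check). The same replacement is made in the `locals` hunks at `@@ -272`, `@@ -285`, `@@ -764`, `@@ -1291` and `@@ -1776` (the last runs past the end of this chunk), where a resource-level precondition is not available and a `check`-style assertion would be needed instead. The enclosing `resource "ise_network_access_condition"` block starts before the hunk.
```hcl
# … unchanged: for_each, condition_type, is_negate, attribute_name/attribute_value/dictionary_* …
lifecycle {
  precondition {
    # attribute_name is now passed through verbatim; the legacy "Dictionary:Attribute" form is no longer split
    condition     = !strcontains(try(each.value.attribute_name, ""), ":")
    error_message = "attribute_name must not contain ':'; set dictionary_name separately."
  }
}
```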
@@ -272,10 +272,10 @@ locals {
 for ps in try(local.ise.network_access.policy_sets, []) : {
 condition_type = try(ps.condition.type, local.defaults.ise.network_access.policy_sets.condition.type, null)
 condition_is_negate = try(ps.condition.is_negate, local.defaults.ise.network_access.policy_sets.condition.is_negate, null)
- condition_attribute_name = strcontains(try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[1] : try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null)
- condition_attribute_value = strcontains(try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[1] : try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null)
- condition_dictionary_name = strcontains(try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[0] : null
- condition_dictionary_value = strcontains(try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[0] : null
+ condition_attribute_name = try(ps.condition.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null)
+ condition_attribute_value = try(ps.condition.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null)
+ condition_dictionary_name = try(ps.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.condition.dictionary_name, null)
+ condition_dictionary_value = try(ps.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.condition.dictionary_value, null)
 condition_id = contains(local.known_conditions_network_access, try(ps.condition.name, "")) ? ise_network_access_condition.network_access_condition[ps.condition.name].id : try(data.ise_network_access_condition.network_access_condition[ps.condition.name].id, null)
 condition_operator = try(ps.condition.operator, local.defaults.ise.network_access.policy_sets.condition.operator, null)
 description = try(ps.description, local.defaults.ise.network_access.policy_sets.description, null)
@@ -285,19 +285,19 @@ locals { state = try(ps.state, local.defaults.ise.network_access.policy_sets.state) rank = try(ps.rank, local.defaults.ise.network_access.policy_sets.rank, null) children = try([for i in ps.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null), + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.network_access.policy_sets.condition.operator, null) id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.network_access.policy_sets.condition.operator, null) 
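Review bot: The new `attribute_name` line inside the first `children` comprehension ends with a trailing comma (`…policy_sets.condition.attribute_name, null),`) while its sibling lines and every other hunk in this commit separate object attributes with newlines only; as far as I know HCL tolerates the mix, but it is inconsistent and not what `terraform fmt` produces, so drop it: `attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.condition.attribute_name, null)`. The enclosing `locals` block starts before and ends after the hunk.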
@@ -764,29 +764,29 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.type, null) condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.operator, null) identity_source_name = try(rule.identity_source_name, local.defaults.ise.network_access.policy_sets.authentication_rules.identity_source_name, null) if_auth_fail = try(rule.if_auth_fail, local.defaults.ise.network_access.policy_sets.authentication_rules.if_auth_fail, null) if_process_fail = try(rule.if_process_fail, local.defaults.ise.network_access.policy_sets.authentication_rules.if_process_fail, null) if_user_not_found = try(rule.if_user_not_found, local.defaults.ise.network_access.policy_sets.authentication_rules.if_user_not_found, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, 
local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.operator, null) id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authentication_rules.condition.operator, null) 
@@ -1291,27 +1291,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_rules.profiles, null) security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_rules.security_group, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_rules.condition.operator, null) 
@@ -1776,27 +1776,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) profiles = try(rule.profiles, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.profiles, null) security_group = try(rule.security_group, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.security_group, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.network_access.policy_sets.authorization_exception_rules.condition.operator, null) 
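Review bot: The new `condition_attribute_name`/`attribute_name` lines pass the configured value straight through, so an inventory entry still written in the old `Dictionary:Attribute` form (the format the removed `strcontains`/`split` branch accepted) now reaches ISE with the colon intact and a null `dictionary_name`, and nothing in this hunk rejects it. For an authorization exception rule that means the condition silently evaluates against a different attribute than intended instead of failing the plan, which is the wrong failure mode for a policy override. A `locals` block cannot carry validation, so I would add a `precondition` to the consuming `ise_network_access_authorization_exception_rule` resources (outside this hunk), e.g. `condition = each.value.condition_attribute_name == null || !strcontains(each.value.condition_attribute_name, ":")` with an `error_message` pointing at the new `dictionary_name` key, and the same check over the nested `children` entries. The enclosing `locals` block starts and ends outside the hunk.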
@@ -2258,27 +2258,27 @@ locals { condition_type = try(rule.condition.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) condition_id = contains(local.known_conditions_network_access, try(rule.condition.name, "")) ? ise_network_access_condition.network_access_condition[rule.condition.name].id : try(data.ise_network_access_condition.network_access_condition[rule.condition.name].id, null) condition_is_negate = try(rule.condition.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) - condition_attribute_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - condition_attribute_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - condition_dictionary_name = strcontains(try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - condition_dictionary_value = strcontains(try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + condition_attribute_name = try(rule.condition.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + condition_attribute_value = try(rule.condition.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + condition_dictionary_name = try(rule.condition.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + condition_dictionary_value = try(rule.condition.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) condition_operator = try(rule.condition.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) profiles = try(rule.profiles, local.defaults.ise.network_access.authorization_global_exception_rules.profiles, null) security_group = try(rule.security_group, local.defaults.ise.network_access.authorization_global_exception_rules.security_group, null) children = try([for i in rule.condition.children : { - attribute_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? 
split(":", try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(i.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(i.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(i.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(i.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) condition_type = try(i.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) is_negate = try(i.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) operator = try(i.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) id = contains(local.known_conditions_network_access, try(i.name, "")) ? ise_network_access_condition.network_access_condition[i.name].id : try(data.ise_network_access_condition.network_access_condition[i.name].id, null) children = try([for j in i.children : { - attribute_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[1] : try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) - attribute_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? 
split(":", try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[1] : try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) - dictionary_name = strcontains(try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, ""), ":") ? split(":", try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null))[0] : null - dictionary_value = strcontains(try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, ""), ":") ? split(":", try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null))[0] : null + attribute_name = try(j.attribute_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_name, null) + attribute_value = try(j.attribute_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.attribute_value, null) + dictionary_name = try(j.dictionary_name, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_name, null) + dictionary_value = try(j.dictionary_value, local.defaults.ise.network_access.authorization_global_exception_rules.condition.dictionary_value, null) condition_type = try(j.type, local.defaults.ise.network_access.authorization_global_exception_rules.condition.type, null) is_negate = try(j.is_negate, local.defaults.ise.network_access.authorization_global_exception_rules.condition.is_negate, null) operator = try(j.operator, local.defaults.ise.network_access.authorization_global_exception_rules.condition.operator, null) From b5c48d4a9373c6697b036425b715256b23da84dd Mon Sep 17 00:00:00 2001 
From: Kuba Mazurkiewicz Date: Wed, 14 Feb 2024 23:15:55 +0100 Subject: [PATCH 11/14] fix issue #4 --- CHANGELOG.md | 7 ++++ ise_network_access.tf | 81 ++++++++++++++++++++++--------------------- 2 files changed, 49 insertions(+), 39 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 090fc36..6c58aed 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,3 +1,10 @@ +## 0.1.1 + +- Fixed issue #4 Client error due to missing settings for allowed_protocols EAP-TLS stateless session resume +- Added `ise_identity_source_sequence` support +- BREAKING CHANGE: Split `attribute_name` to `dictionary_name`:`attribute_name` +- Removed `manage` variables + ## 0.1.0 - Initial release diff --git a/ise_network_access.tf b/ise_network_access.tf index 334e580..88f817b 100644 --- a/ise_network_access.tf +++ b/ise_network_access.tf 
@@ -22,6 +22,9 @@ resource "ise_allowed_protocols" "allowed_protocols" {
 require_message_auth = try(each.value.require_message_auth, local.defaults.ise.network_access.policy_elements.allowed_protocols.require_message_auth, null)
 eap_tls_allow_auth_of_expired_certs = try(each.value.allow_eap_tls, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_eap_tls, false) ? try(each.value.eap_tls.auth_of_expired_certs, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.auth_of_expired_certs, null) : null
 eap_tls_enable_stateless_session_resume = try(each.value.allow_eap_tls, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_eap_tls, false) ? try(each.value.eap_tls.enable_stateless_session_resume, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.enable_stateless_session_resume, null) : null
+ eap_tls_session_ticket_ttl = try(each.value.eap_tls.enable_stateless_session_resume, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.enable_stateless_session_resume, false) ? try(each.value.eap_tls.session_ticket_ttl, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.session_ticket_ttl, null) : null
+ eap_tls_session_ticket_ttl_unit = try(each.value.eap_tls.enable_stateless_session_resume, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.enable_stateless_session_resume, false) ? try(each.value.eap_tls.session_ticket_ttl_unit, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.session_ticket_ttl_unit, null) : null
+ eap_tls_session_ticket_percentage = try(each.value.eap_tls.enable_stateless_session_resume, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.enable_stateless_session_resume, false) ?
try(each.value.eap_tls.session_ticket_percentage, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.session_ticket_percentage, null) : null
 peap_allow_peap_eap_ms_chap_v2 = try(each.value.allow_peap, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_peap, false) ? try(each.value.peap.eap_ms_chap_v2, local.defaults.ise.network_access.policy_elements.allowed_protocols.peap.eap_ms_chap_v2, null) : null
 peap_allow_peap_eap_ms_chap_v2_pwd_change = try(each.value.allow_peap, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_peap, false) && try(each.value.peap.eap_ms_chap_v2, local.defaults.ise.network_access.policy_elements.allowed_protocols.peap.eap_ms_chap_v2, false) ? try(each.value.peap.eap_ms_chap_v2_pwd_change, local.defaults.ise.network_access.policy_elements.allowed_protocols.peap.eap_ms_chap_v2_pwd_change, null) : null
 peap_allow_peap_eap_ms_chap_v2_pwd_change_retries = try(each.value.allow_peap, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_peap, false) && try(each.value.peap.eap_ms_chap_v2, local.defaults.ise.network_access.policy_elements.allowed_protocols.peap.eap_ms_chap_v2, false) ? try(each.value.peap.eap_ms_chap_v2_pwd_change_retries, local.defaults.ise.network_access.policy_elements.allowed_protocols.peap.eap_ms_chap_v2_pwd_change_retries, null) : null
@@ -823,7 +826,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }

 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_1" {
- for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 1 }
+ for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 1 }

 policy_set_id = each.value.policy_set_id
 name = each.value.name
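Review bot: The three added `eap_tls_session_ticket_*` attributes are gated only on `enable_stateless_session_resume`, whereas the `eap_tls_enable_stateless_session_resume` line directly above them is additionally gated on `allow_eap_tls`; with EAP-TLS disallowed but a true `enable_stateless_session_resume` default, the ticket settings would be sent while the resume flag itself is null, which looks like the same mismatched-settings shape this commit is fixing for issue #4. Gate them the way the `peap_allow_peap_eap_ms_chap_v2_pwd_change` lines in this hunk do: `try(each.value.allow_eap_tls, local.defaults.ise.network_access.policy_elements.allowed_protocols.allow_eap_tls, false) && try(each.value.eap_tls.enable_stateless_session_resume, local.defaults.ise.network_access.policy_elements.allowed_protocols.eap_tls.enable_stateless_session_resume, false) ? … : null` on all three. Separately, TLS session resumption by design lets a client reconnect without a full certificate exchange for the ticket lifetime, so the `session_ticket_ttl`/`session_ticket_ttl_unit` defaults (not visible here) deserve a comment such as `# keep the ticket TTL short: a resumed session is not re-validated against the CA/CRL until the ticket expires`. The `ise_allowed_protocols` resource starts and ends outside the hunk.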
@@ -847,7 +850,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_2" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 2 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 2 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -871,7 +874,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_3" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 3 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 3 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -895,7 +898,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_4" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 4 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 4 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -919,7 +922,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_5" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 5 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 5 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -943,7 +946,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_6" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 6 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 6 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -967,7 +970,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_7" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 7 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 7 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -991,7 +994,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_8" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 8 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 8 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1015,7 +1018,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_9" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 9 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 9 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1039,7 +1042,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_10" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 10 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 10 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1063,7 +1066,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_11" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 11 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 11 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1087,7 +1090,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_12" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 12 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 12 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1111,7 +1114,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_13" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 13 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 13 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1135,7 +1138,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_14" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 14 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 14 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1159,7 +1162,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_15" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 15 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 15 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1183,7 +1186,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_16" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 16 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 16 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1207,7 +1210,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication } resource "ise_network_access_authentication_rule" "network_access_authentication_rule_17" { - for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 17 } + for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 17 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1231,7 +1234,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }

 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_18" {
- for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 18 }
+ for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 18 }

 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1255,7 +1258,7 @@ resource "ise_network_access_authentication_rule" "network_access_authentication
 }

 resource "ise_network_access_authentication_rule" "network_access_authentication_rule_19" {
- for_each = { for rule in coalesce(local.network_access_authentication_rules, []) : rule.key => rule if rule.rank == 19 }
+ for_each = { for rule in local.network_access_authentication_rules : rule.key => rule if rule.rank == 19 }

 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1809,7 +1812,7 @@ locals {
 }

 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_0" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule && (rule.rank == 0 || rule.rank == null) }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule && (rule.rank == 0 || rule.rank == null) }

 policy_set_id = each.value.policy_set_id
 name = each.value.name
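Review bot: The rewritten `for_each` of `network_access_authorization_exception_rule_0` keeps `rule.key => rule && (rule.rank == 0 || rule.rank == null)`, applying `&&` to the rule object where every sibling hunk in this commit filters with `rule.key => rule if rule.rank == N`. HCL's `&&` needs boolean operands, so this should fail at plan time rather than yield a map; either way the rank-0/unranked exception rules are never created, and for an exception rule that means the intended policy override is silently absent from ISE. Change the line to `for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 0 || rule.rank == null }`. The resource body continues outside the hunk.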
@@ -1831,7 +1834,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_1" { - for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 1 } + for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 1 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1853,7 +1856,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_2" { - for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 2 } + for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 2 } policy_set_id = each.value.policy_set_id name = each.value.name @@ -1875,7 +1878,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_3" { - for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 3 } + for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 3 } policy_set_id = each.value.policy_set_id name = each.value.name 
@@ -1897,7 +1900,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_4" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 4 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 4 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1919,7 +1922,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_5" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 5 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 5 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1941,7 +1944,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_6" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 6 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 6 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1963,7 +1966,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_7" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 7 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 7 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -1985,7 +1988,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_8" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 8 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 8 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2007,7 +2010,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_9" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 9 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 9 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2029,7 +2032,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_10" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 10 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 10 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2051,7 +2054,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_11" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 11 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 11 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2073,7 +2076,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_12" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 12 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 12 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2095,7 +2098,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_13" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 13 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 13 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2117,7 +2120,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_14" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 14 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 14 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2139,7 +2142,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_15" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 15 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 15 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2161,7 +2164,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_16" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 16 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 16 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2183,7 +2186,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_17" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 17 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 17 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2205,7 +2208,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho
 }
 resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_18" {
- for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 18 }
+ for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 18 }
 policy_set_id = each.value.policy_set_id
 name = each.value.name
@@ -2227,7 +2230,7 @@ resource "ise_network_access_authorization_exception_rule" "network_access_autho } resource "ise_network_access_authorization_exception_rule" "network_access_authorization_exception_rule_19" { - for_each = { for rule in coalesce(local.network_access_authorization_exception_rules, []) : rule.key => rule if rule.rank == 19 } + for_each = { for rule in local.network_access_authorization_exception_rules : rule.key => rule if rule.rank == 19 } policy_set_id = each.value.policy_set_id name = each.value.name From d88b2d1c4716833dbe772788f31960a87efaeac8 Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Wed, 14 Feb 2024 23:37:58 +0100 Subject: [PATCH 12/14] Update readme and example --- README.md | 5 ++--- examples/network_access_condition/README.md | 5 ++--- examples/network_access_condition/main.tf | 2 -- .../network_access_condition/network_access_condition.yaml | 3 ++- 4 files changed, 6 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index added55..12e0f12 100644 --- a/README.md +++ b/README.md @@ -22,7 +22,8 @@ ise: - name: CertificateNotExpired type: LibraryConditionAttributes is_negate: false - attribute_name: CERTIFICATE:Is Expired + dictionary_name: CERTIFICATE + attribute_name: Is Expired operator: equals attribute_value: "False" ``` @@ -35,8 +36,6 @@ module "ise" { version = ">= 0.1.0" yaml_files = ["network_access_condition.yaml"] - - manage_network_access = true } ``` diff --git a/examples/network_access_condition/README.md b/examples/network_access_condition/README.md index cb693a0..744c900 100644 --- a/examples/network_access_condition/README.md +++ b/examples/network_access_condition/README.md @@ -30,7 +30,8 @@ ise: - name: CertificateNotExpired type: LibraryConditionAttributes is_negate: false - attribute_name: CERTIFICATE:Is Expired + dictionary_name: CERTIFICATE + attribute_name: Is Expired operator: equals attribute_value: "False" ``` 
@@ -43,8 +44,6 @@ module "ise" { version = ">= 0.1.0" yaml_files = ["network_access_condition.yaml"] - - manage_network_access = true } ``` \ No newline at end of file diff --git a/examples/network_access_condition/main.tf b/examples/network_access_condition/main.tf index 53ac257..c5f145e 100644 --- a/examples/network_access_condition/main.tf +++ b/examples/network_access_condition/main.tf @@ -3,6 +3,4 @@ module "ise" { version = ">= 0.1.0" yaml_files = ["network_access_condition.yaml"] - - manage_network_access = true } diff --git a/examples/network_access_condition/network_access_condition.yaml b/examples/network_access_condition/network_access_condition.yaml index 072ce83..03b8c1d 100644 --- a/examples/network_access_condition/network_access_condition.yaml +++ b/examples/network_access_condition/network_access_condition.yaml @@ -6,6 +6,7 @@ ise: - name: CertificateNotExpired type: LibraryConditionAttributes is_negate: false - attribute_name: CERTIFICATE:Is Expired + dictionary_name: CERTIFICATE + attribute_name: Is Expired operator: equals attribute_value: "False" From 8cc50d6f891afe07d8967d1441dc7fc3febb17f4 Mon Sep 17 00:00:00 2001 From: Kuba Mazurkiewicz Date: Thu, 15 Feb 2024 09:05:34 +0100 Subject: [PATCH 13/14] fix issue with ndg time wait --- ise_network_resources.tf | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ise_network_resources.tf b/ise_network_resources.tf index 84f186b..3f132e2 100644 --- a/ise_network_resources.tf +++ b/ise_network_resources.tf 
@@ -136,7 +136,7 @@ resource "ise_network_device_group" "network_device_group_5" { # Workaround for ISE API issue where creating/deleting a network device immediately after creating/deleting a network device group fails resource "time_sleep" "network_device_group_wait" { - count = length(try(local.network_device_groups_children_children_children_children_children, [])) > 0 ? 1 : 0 + count = length(try(local.network_device_groups, [])) > 0 ? 1 : 0 create_duration = "5s" destroy_duration = "5s" From 2555f67384ec08f2c331a008b9729740fa84fe85 Mon Sep 17 00:00:00 2001 From: Daniel Schmidt <79086712+danischm@users.noreply.github.com> Date: Thu, 15 Feb 2024 11:09:18 +0100 Subject: [PATCH 14/14] Update CHANGELOG.md --- CHANGELOG.md | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/CHANGELOG.md b/CHANGELOG.md index 6c58aed..f504a7f 100644 --- a/CHANGELOG.md +++ b/CHANGELOG.md @@ -1,9 +1,9 @@ -## 0.1.1 +## 0.1.1 (unreleased) -- Fixed issue #4 Client error due to missing settings for allowed_protocols EAP-TLS stateless session resume +- Fix issue with error due to missing settings for `allowed_protocols` and EAP-TLS stateless session resume - Added `ise_identity_source_sequence` support -- BREAKING CHANGE: Split `attribute_name` to `dictionary_name`:`attribute_name` -- Removed `manage` variables +- BREAKING CHANGE: Split `attribute_name` to `dictionary_name` and `attribute_name` +- BREAKING CHANGE: Removed `manage_*` variables ## 0.1.0
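Review bot: The corrected `count` expression still wraps the local in `try(local.network_device_groups, [])`, which is the same construct that let the previous wrong local name go unnoticed: whatever the old `..._children` local evaluated to, the fallback turned any evaluation problem into an empty list and a zero count, so the wait simply never ran instead of failing loudly. If `local.network_device_groups` is always a list (its definition is outside this hunk), prefer `count = length(local.network_device_groups) > 0 ? 1 : 0` so a future mistake surfaces at validate time. The comment above the resource describes the ISE API symptom but not the contract; I would extend it with a line such as `# Network device resources must depends_on this sleep, otherwise the ordering workaround has no effect` once that dependency is confirmed, since a fixed 5s pause only helps for resources that actually wait on it.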