Add support for additional aaa security management settings (#52)

netascode · Feb 10, 2024 · 58403f4 · 58403f4
1 parent 38418ac
commit 58403f4
Show file tree

Hide file tree

Showing 10 changed files with 310 additions and 48 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,7 @@
 ## 0.8.2 (unreleased)
 
 - Add support for PBR L1L2 destinations
+- Add support for additional AAA security management settings
 
 ## 0.8.1
 

diff --git a/aci_fabric_policies.tf b/aci_fabric_policies.tf
@@ -576,12 +576,26 @@ module "aci_aaa" {
   security_domains = [for sd in try(local.fabric_policies.aaa.security_domains, []) : {
     name                   = sd.name
     description            = try(sd.description, "")
-    restricted_rbac_domain = try(sd.restricted_rbac_domain, false)
+    restricted_rbac_domain = try(sd.restricted_rbac_domain, local.defaults.fabric_policies.aaa.security_domains.restricted_rbac_domain)
   }]
-  password_strength_check  = try(local.fabric_policies.aaa.management_settings.password_strength_check, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_check)
-  web_token_timeout        = try(local.fabric_policies.aaa.management_settings.web_token_timeout, local.defaults.apic.fabric_policies.aaa.management_settings.web_token_timeout)
-  web_token_max_validity   = try(local.fabric_policies.aaa.management_settings.web_token_max_validity, local.defaults.apic.fabric_policies.aaa.management_settings.web_token_max_validity)
-  web_session_idle_timeout = try(local.fabric_policies.aaa.management_settings.web_session_idle_timeout, local.defaults.apic.fabric_policies.aaa.management_settings.web_session_idle_timeout)
+  password_strength_check          = try(local.fabric_policies.aaa.management_settings.password_strength_check, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_check)
+  min_password_length              = try(local.fabric_policies.aaa.management_settings.password_strength_profile.password_mininum_length, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_profile.password_mininum_length)
+  max_password_length              = try(local.fabric_policies.aaa.management_settings.password_strength_profile.password_maximum_length, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_profile.password_maximum_length)
+  password_strength_test_type      = try(local.fabric_policies.aaa.management_settings.password_strength_profile.password_strength_test_type, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_profile.password_strength_test_type)
+  password_class_flags             = try(local.fabric_policies.aaa.management_settings.password_strength_profile.password_class_flags, local.defaults.apic.fabric_policies.aaa.management_settings.password_strength_profile.password_class_flags)
+  password_change_during_interval  = try(local.fabric_policies.aaa.management_settings.password_change_during_interval, local.defaults.apic.fabric_policies.aaa.management_settings.password_change_during_interval)
+  password_change_interval         = try(local.fabric_policies.aaa.management_settings.password_change_interval, local.defaults.apic.fabric_policies.aaa.management_settings.password_change_interval)
+  password_change_count            = try(local.fabric_policies.aaa.management_settings.password_change_count, local.defaults.apic.fabric_policies.aaa.management_settings.password_change_count)
+  password_history_count           = try(local.fabric_policies.aaa.management_settings.password_history_count, local.defaults.apic.fabric_policies.aaa.management_settings.password_history_count)
+  password_no_change_interval      = try(local.fabric_policies.aaa.management_settings.password_no_change_interval, local.defaults.apic.fabric_policies.aaa.management_settings.password_no_change_interval)
+  web_token_timeout                = try(local.fabric_policies.aaa.management_settings.web_token_timeout, local.defaults.apic.fabric_policies.aaa.management_settings.web_token_timeout)
+  web_token_max_validity           = try(local.fabric_policies.aaa.management_settings.web_token_max_validity, local.defaults.apic.fabric_policies.aaa.management_settings.web_token_max_validity)
+  web_session_idle_timeout         = try(local.fabric_policies.aaa.management_settings.web_session_idle_timeout, local.defaults.apic.fabric_policies.aaa.management_settings.web_session_idle_timeout)
+  include_refresh_session_records  = try(local.fabric_policies.aaa.management_settings.include_refresh_session_records, local.defaults.apic.fabric_policies.aaa.management_settings.include_refresh_session_records)
+  enable_login_block               = try(local.fabric_policies.aaa.management_settings.enable_login_block, local.defaults.apic.fabric_policies.aaa.management_settings.enable_login_block)
+  login_block_duration             = try(local.fabric_policies.aaa.management_settings.login_block_duration, local.defaults.apic.fabric_policies.aaa.management_settings.login_block_duration)
+  login_max_failed_attempts        = try(local.fabric_policies.aaa.management_settings.login_max_failed_attempts, local.defaults.apic.fabric_policies.aaa.management_settings.login_max_failed_attempts)
+  login_max_failed_attempts_window = try(local.fabric_policies.aaa.management_settings.login_max_failed_attempts_window, local.defaults.apic.fabric_policies.aaa.management_settings.login_max_failed_attempts_window)
 }
 
 module "aci_tacacs" {

diff --git a/defaults/defaults.yaml b/defaults/defaults.yaml
@@ -234,9 +234,27 @@ defaults:
           restricted_rbac_domain: false
         management_settings:
           password_strength_check: false
+          password_strength_profile:
+            password_mininum_length: 8
+            password_maximum_length: 64
+            password_strength_test_type: default
+            password_class_flags:
+              - digits
+              - lowercase
+              - uppercase
+          password_change_during_interval: true
+          password_change_count: 2
+          password_change_interval: 48
+          password_no_change_interval: 24
+          password_history_count: 5
           web_token_timeout: 600
           web_token_max_validity: 24
           web_session_idle_timeout: 1200
+          include_refresh_session_records: true
+          enable_login_block: false
+          login_block_duration: 60
+          login_max_failed_attempts: 5
+          login_max_failed_attempts_window: 5
         tacacs_providers:
           protocol: pap
           monitoring: false

diff --git a/modules/terraform-aci-aaa/README.md b/modules/terraform-aci-aaa/README.md
@@ -13,16 +13,30 @@ module "aci_aaa" {
   source  = "netascode/nac-aci/aci//modules/terraform-aci-aaa"
   version = ">= 0.8.0"
 
-  remote_user_login_policy = "assign-default-role"
-  default_fallback_check   = true
-  default_realm            = "tacacs"
-  default_login_domain     = "ISE"
-  console_realm            = "tacacs"
-  console_login_domain     = "ISE"
-  password_strength_check  = true
-  web_token_timeout        = 600
-  web_token_max_validity   = 24
-  web_session_idle_timeout = 1200
+  remote_user_login_policy         = "assign-default-role"
+  default_fallback_check           = true
+  default_realm                    = "tacacs"
+  default_login_domain             = "ISE"
+  console_realm                    = "tacacs"
+  console_login_domain             = "ISE"
+  password_strength_check          = true
+  min_password_length              = 8
+  max_password_length              = 64
+  password_strength_test_type      = "custom"
+  password_class_flags             = ["digits", "lowercase", "specialchars", "uppercase"]
+  password_change_during_interval  = true
+  password_change_interval         = 72
+  password_change_count            = 3
+  password_history_count           = 6
+  password_no_change_interval      = 24
+  web_token_timeout                = 600
+  web_token_max_validity           = 24
+  web_session_idle_timeout         = 1200
+  include_refresh_session_records  = true
+  enable_login_block               = true
+  login_block_duration             = 60
+  login_max_failed_attempts        = 5
+  login_max_failed_attempts_window = 5
 }
 ```
 
@@ -51,9 +65,23 @@ module "aci_aaa" {
 | <a name="input_console_login_domain"></a> [console\_login\_domain](#input\_console\_login\_domain) | Console login domain. | `string` | `""` | no |
 | <a name="input_security_domains"></a> [security\_domains](#input\_security\_domains) | List of security domains. | <pre>list(object({<br>    name                   = string<br>    description            = optional(string, "")<br>    restricted_rbac_domain = optional(bool, false)<br>  }))</pre> | `[]` | no |
 | <a name="input_password_strength_check"></a> [password\_strength\_check](#input\_password\_strength\_check) | Password strength check. | `bool` | `false` | no |
+| <a name="input_min_password_length"></a> [min\_password\_length](#input\_min\_password\_length) | Minimum password length. | `number` | `8` | no |
+| <a name="input_max_password_length"></a> [max\_password\_length](#input\_max\_password\_length) | Maximum password length. | `number` | `64` | no |
+| <a name="input_password_strength_test_type"></a> [password\_strength\_test\_type](#input\_password\_strength\_test\_type) | Password strength test type for Password Strength Policy | `string` | `"default"` | no |
+| <a name="input_password_class_flags"></a> [password\_class\_flags](#input\_password\_class\_flags) | Password class flags for Password Strength Policy | `list(string)` | <pre>[<br>  "digits",<br>  "lowercase",<br>  "uppercase"<br>]</pre> | no |
+| <a name="input_password_change_during_interval"></a> [password\_change\_during\_interval](#input\_password\_change\_during\_interval) | Enables or disables password change during interval. | `bool` | `true` | no |
+| <a name="input_password_change_count"></a> [password\_change\_count](#input\_password\_change\_count) | The number of password changes allowed within the change interval. | `number` | `2` | no |
+| <a name="input_password_change_interval"></a> [password\_change\_interval](#input\_password\_change\_interval) | A time interval (hours) for limiting the number of password changes. | `number` | `48` | no |
+| <a name="input_password_no_change_interval"></a> [password\_no\_change\_interval](#input\_password\_no\_change\_interval) | A minimum period after a password change before the user can change the password again. | `number` | `24` | no |
+| <a name="input_password_history_count"></a> [password\_history\_count](#input\_password\_history\_count) | Number of recent user passwords to store. | `number` | `5` | no |
 | <a name="input_web_token_timeout"></a> [web\_token\_timeout](#input\_web\_token\_timeout) | Web session idle timeout (s). | `number` | `600` | no |
 | <a name="input_web_token_max_validity"></a> [web\_token\_max\_validity](#input\_web\_token\_max\_validity) | Web token maximum validity period (h). | `number` | `24` | no |
 | <a name="input_web_session_idle_timeout"></a> [web\_session\_idle\_timeout](#input\_web\_session\_idle\_timeout) | Web session idle timeout (s). | `number` | `1200` | no |
+| <a name="input_include_refresh_session_records"></a> [include\_refresh\_session\_records](#input\_include\_refresh\_session\_records) | Enables or disables inluding a refresh in the session records. | `bool` | `true` | no |
+| <a name="input_enable_login_block"></a> [enable\_login\_block](#input\_enable\_login\_block) | Enables or disables lockout user after multiple failed login attempts. | `bool` | `false` | no |
+| <a name="input_login_block_duration"></a> [login\_block\_duration](#input\_login\_block\_duration) | Duration in minutes for which future logins should be blocked. | `number` | `60` | no |
+| <a name="input_login_max_failed_attempts"></a> [login\_max\_failed\_attempts](#input\_login\_max\_failed\_attempts) | Max failed login attempts before blocking user login. | `number` | `5` | no |
+| <a name="input_login_max_failed_attempts_window"></a> [login\_max\_failed\_attempts\_window](#input\_login\_max\_failed\_attempts\_window) | Time period (unit: minute) in which consecutive attempts were failed. | `number` | `5` | no |
 
 ## Outputs
 
@@ -66,9 +94,12 @@ module "aci_aaa" {
 | Name | Type |
 |------|------|
 | [aci_rest_managed.aaaAuthRealm](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+| [aci_rest_managed.aaaBlockLoginProfile](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.aaaConsoleAuth](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.aaaDefaultAuth](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.aaaDomain](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+| [aci_rest_managed.aaaPwdProfile](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+| [aci_rest_managed.aaaPwdStrengthProfile](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.aaaUserEp](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 | [aci_rest_managed.pkiWebTokenData](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
 <!-- END_TF_DOCS -->
diff --git a/modules/terraform-aci-aaa/examples/complete/README.md b/modules/terraform-aci-aaa/examples/complete/README.md
@@ -16,16 +16,30 @@ module "aci_aaa" {
   source  = "netascode/nac-aci/aci//modules/terraform-aci-aaa"
   version = ">= 0.8.0"
 
-  remote_user_login_policy = "assign-default-role"
-  default_fallback_check   = true
-  default_realm            = "tacacs"
-  default_login_domain     = "ISE"
-  console_realm            = "tacacs"
-  console_login_domain     = "ISE"
-  password_strength_check  = true
-  web_token_timeout        = 600
-  web_token_max_validity   = 24
-  web_session_idle_timeout = 1200
+  remote_user_login_policy         = "assign-default-role"
+  default_fallback_check           = true
+  default_realm                    = "tacacs"
+  default_login_domain             = "ISE"
+  console_realm                    = "tacacs"
+  console_login_domain             = "ISE"
+  password_strength_check          = true
+  min_password_length              = 8
+  max_password_length              = 64
+  password_strength_test_type      = "custom"
+  password_class_flags             = ["digits", "lowercase", "specialchars", "uppercase"]
+  password_change_during_interval  = true
+  password_change_interval         = 72
+  password_change_count            = 3
+  password_history_count           = 6
+  password_no_change_interval      = 24
+  web_token_timeout                = 600
+  web_token_max_validity           = 24
+  web_session_idle_timeout         = 1200
+  include_refresh_session_records  = true
+  enable_login_block               = true
+  login_block_duration             = 60
+  login_max_failed_attempts        = 5
+  login_max_failed_attempts_window = 5
 }
 ```
 <!-- END_TF_DOCS -->
diff --git a/modules/terraform-aci-aaa/examples/complete/main.tf b/modules/terraform-aci-aaa/examples/complete/main.tf
@@ -2,14 +2,28 @@ module "aci_aaa" {
   source  = "netascode/nac-aci/aci//modules/terraform-aci-aaa"
   version = ">= 0.8.0"
 
-  remote_user_login_policy = "assign-default-role"
-  default_fallback_check   = true
-  default_realm            = "tacacs"
-  default_login_domain     = "ISE"
-  console_realm            = "tacacs"
-  console_login_domain     = "ISE"
-  password_strength_check  = true
-  web_token_timeout        = 600
-  web_token_max_validity   = 24
-  web_session_idle_timeout = 1200
+  remote_user_login_policy         = "assign-default-role"
+  default_fallback_check           = true
+  default_realm                    = "tacacs"
+  default_login_domain             = "ISE"
+  console_realm                    = "tacacs"
+  console_login_domain             = "ISE"
+  password_strength_check          = true
+  min_password_length              = 8
+  max_password_length              = 64
+  password_strength_test_type      = "custom"
+  password_class_flags             = ["digits", "lowercase", "specialchars", "uppercase"]
+  password_change_during_interval  = true
+  password_change_interval         = 72
+  password_change_count            = 3
+  password_history_count           = 6
+  password_no_change_interval      = 24
+  web_token_timeout                = 600
+  web_token_max_validity           = 24
+  web_session_idle_timeout         = 1200
+  include_refresh_session_records  = true
+  enable_login_block               = true
+  login_block_duration             = 60
+  login_max_failed_attempts        = 5
+  login_max_failed_attempts_window = 5
 }
diff --git a/modules/terraform-aci-aaa/main.tf b/modules/terraform-aci-aaa/main.tf
@@ -44,12 +44,54 @@ resource "aci_rest_managed" "aaaUserEp" {
   }
 }
 
+resource "aci_rest_managed" "aaaPwdStrengthProfile" {
+  count = var.password_strength_check ? 1 : 0
+
+  dn         = "uni/userext/pwdstrengthprofile"
+  class_name = "aaaPwdStrengthProfile"
+  content = {
+    pwdMinLength        = var.min_password_length
+    pwdMaxLength        = var.max_password_length
+    pwdStrengthTestType = var.password_strength_test_type
+    pwdClassFlags       = var.password_strength_test_type == "custom" ? join(",", sort(var.password_class_flags)) : join(",", ["digits", "lowercase", "uppercase"])
+  }
+
+  depends_on = [
+    aci_rest_managed.aaaUserEp
+  ]
+}
+
+resource "aci_rest_managed" "aaaPwdProfile" {
+  dn         = "uni/userext/pwdprofile"
+  class_name = "aaaPwdProfile"
+  content = {
+    changeDuringInterval = var.password_change_during_interval ? "enable" : "disable"
+    changeInterval       = var.password_change_interval
+    changeCount          = var.password_change_count
+    noChangeInterval     = var.password_no_change_interval
+    historyCount         = var.password_history_count
+
+  }
+}
+
 resource "aci_rest_managed" "pkiWebTokenData" {
   dn         = "uni/userext/pkiext/webtokendata"
   class_name = "pkiWebTokenData"
   content = {
     webtokenTimeoutSeconds = var.web_token_timeout
     maximumValidityPeriod  = var.web_token_max_validity
     uiIdleTimeoutSeconds   = var.web_session_idle_timeout
+    sessionRecordFlags     = var.include_refresh_session_records ? "login,logout,refresh" : "login,logout"
+  }
+}
+
+resource "aci_rest_managed" "aaaBlockLoginProfile" {
+  dn         = "uni/userext/blockloginp"
+  class_name = "aaaBlockLoginProfile"
+  content = {
+    enableLoginBlock        = var.enable_login_block ? "enable" : "disable"
+    blockDuration           = var.login_block_duration
+    maxFailedAttempts       = var.login_max_failed_attempts
+    maxFailedAttemptsWindow = var.login_max_failed_attempts_window
   }
 }