Add Endpoint Tag Policies

.pre-commit-config.yaml

@@ -209,6 +209,14 @@ repos:
         args: ["./modules/terraform-aci-endpoint-security-group"]
       - id: terraform-docs-system
         args: ["./modules/terraform-aci-endpoint-security-group/examples/complete"]
+      - id: terraform-docs-system
+        args: ["./modules/terraform-aci-endpoint-ip-tag-policy"]
+      - id: terraform-docs-system
+        args: ["./modules/terraform-aci-endpoint-ip-tag-policy/examples/complete"]
+      - id: terraform-docs-system
+        args: ["./modules/terraform-aci-endpoint-mac-tag-policy"]
+      - id: terraform-docs-system
+        args: ["./modules/terraform-aci-endpoint-mac-tag-policy/examples/complete"]
       - id: terraform-docs-system
         args: ["./modules/terraform-aci-error-disabled-recovery"]
       - id: terraform-docs-system

README.md

@@ -190,7 +190,9 @@ Additional example repositories:
 | <a name="module_aci_dns_policy"></a> [aci\_dns\_policy](#module\_aci\_dns\_policy) | ./modules/terraform-aci-dns-policy | n/a |
 | <a name="module_aci_eigrp_interface_policy"></a> [aci\_eigrp\_interface\_policy](#module\_aci\_eigrp\_interface\_policy) | ./modules/terraform-aci-eigrp-interface-policy | n/a |
 | <a name="module_aci_endpoint_group"></a> [aci\_endpoint\_group](#module\_aci\_endpoint\_group) | ./modules/terraform-aci-endpoint-group | n/a |
+| <a name="module_aci_endpoint_ip_tag_policy"></a> [aci\_endpoint\_ip\_tag\_policy](#module\_aci\_endpoint\_ip\_tag\_policy) | ./modules/terraform-aci-endpoint-ip-tag-policy | n/a |
 | <a name="module_aci_endpoint_loop_protection"></a> [aci\_endpoint\_loop\_protection](#module\_aci\_endpoint\_loop\_protection) | ./modules/terraform-aci-endpoint-loop-protection | n/a |
+| <a name="module_aci_endpoint_mac_tag_policy"></a> [aci\_endpoint\_mac\_tag\_policy](#module\_aci\_endpoint\_mac\_tag\_policy) | ./modules/terraform-aci-endpoint-mac-tag-policy | n/a |
 | <a name="module_aci_endpoint_security_group"></a> [aci\_endpoint\_security\_group](#module\_aci\_endpoint\_security\_group) | ./modules/terraform-aci-endpoint-security-group | n/a |
 | <a name="module_aci_error_disabled_recovery"></a> [aci\_error\_disabled\_recovery](#module\_aci\_error\_disabled\_recovery) | ./modules/terraform-aci-error-disabled-recovery | n/a |
 | <a name="module_aci_external_connectivity_policy"></a> [aci\_external\_connectivity\_policy](#module\_aci\_external\_connectivity\_policy) | ./modules/terraform-aci-external-connectivity-policy | n/a |

aci_tenants.tf

@@ -3499,4 +3499,65 @@ module "aci_track_member" {
   scope_type     = each.value.scope_type
   scope          = each.value.scope
   ip_sla_policy  = each.value.ip_sla_policy
+}
+
+locals {
+  ep_mac_tags = flatten([
+    for tenant in local.tenants : [
+      for policy in try(tenant.policies.endpoint_mac_tags, []) : {
+        key           = format("%s/%s/%s", tenant.name, policy.mac, policy.bridge_domain)
+        tenant        = tenant.name
+        mac           = upper(policy.mac)
+        bridge_domain = policy.bridge_domain == "all" ? "*" : policy.bridge_domain
+        vrf           = policy.bridge_domain == "all" ? policy.vrf : null
+        tags          = try(policy.tags, [])
+      }
+    ]
+  ])
+}
+
+module "aci_endpoint_mac_tag_policy" {
+  source = "./modules/terraform-aci-endpoint-mac-tag-policy"
+
+  for_each      = { for pol in local.ep_mac_tags : pol.key => pol if local.modules.aci_endpoint_mac_tag_policy && var.manage_tenants }
+  tenant        = each.value.tenant
+  mac           = each.value.mac
+  bridge_domain = each.value.bridge_domain
+  vrf           = try(each.value.vrf, null)
+  tags          = each.value.tags
+
+  depends_on = [
+    module.aci_tenant,
+    module.aci_vrf,
+    module.aci_bridge_domain,
+  ]
+}
+
+locals {
+  ep_ip_tags = flatten([
+    for tenant in local.tenants : [
+      for policy in try(tenant.policies.endpoint_ip_tags, []) : {
+        key    = format("%s/%s/%s", tenant.name, policy.vrf, policy.ip)
+        ip     = policy.ip
+        tenant = tenant.name
+        vrf    = policy.vrf
+        tags   = try(policy.tags, [])
+      }
+    ]
+  ])
+}
+
+module "aci_endpoint_ip_tag_policy" {
+  source = "./modules/terraform-aci-endpoint-ip-tag-policy"
+
+  for_each = { for pol in local.ep_ip_tags : pol.key => pol if local.modules.aci_endpoint_ip_tag_policy && var.manage_tenants }
+  ip       = each.value.ip
+  tenant   = each.value.tenant
+  vrf      = each.value.vrf
+  tags     = each.value.tags
+
+  depends_on = [
+    module.aci_tenant,
+    module.aci_vrf,
+  ]
 }

defaults/modules.yaml

@@ -46,6 +46,8 @@ modules:
   aci_useg_endpoint_group: true
   aci_endpoint_loop_protection: true
   aci_endpoint_security_group: true
+  aci_endpoint_mac_tag_policy: true
+  aci_endpoint_ip_tag_policy: true
   aci_eigrp_interface_policy: true
   aci_error_disabled_recovery: true
   aci_external_connectivity_policy: true

modules/terraform-aci-endpoint-ip-tag-policy/.terraform-docs.yml

@@ -0,0 +1,34 @@
+version: '>= 0.14.0'
+
+formatter: markdown table
+
+content: |-
+  # Endpoint IP Tag Module
+
+  Manages Endpoint IP Tags
+
+  Location in GUI:
+  `Tenants` » `XXX` » `Policies` » `Endpoint Tags` » `Endpoint IP`
+
+  ## Examples
+
+  ```hcl
+  {{ include "./examples/complete/main.tf" }}
+  ```
+
+  {{ .Requirements }}
+
+  {{ .Providers }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}
+
+  {{ .Resources }}
+
+output:
+  file: README.md
+  mode: replace
+
+sort:
+  enabled: false

modules/terraform-aci-endpoint-ip-tag-policy/README.md

@@ -0,0 +1,60 @@
+<!-- BEGIN_TF_DOCS -->
+# Endpoint IP Tag Module
+
+Manages Endpoint IP Tags
+
+Location in GUI:
+`Tenants` » `XXX` » `Policies` » `Endpoint Tags` » `Endpoint IP`
+
+## Examples
+
+```hcl
+module "aci_endpoint_ip_tag_policy" {
+  source  = "netascode/nac-aci/aci//modules/terraform-aci-endpoint-ip-tag-policy"
+  version = ">= 0.8.0"
+
+  ip     = "1.1.1.1"
+  tenant = "TEN1"
+  vrf    = "TEN1-VRF"
+  tags = [{
+    key   = "Environment"
+    value = "PROD"
+  }]
+}
+```
+
+## Requirements
+
+| Name | Version |
+|------|---------|
+| <a name="requirement_terraform"></a> [terraform](#requirement\_terraform) | >= 1.3.0 |
+| <a name="requirement_aci"></a> [aci](#requirement\_aci) | >= 2.0.0 |
+
+## Providers
+
+| Name | Version |
+|------|---------|
+| <a name="provider_aci"></a> [aci](#provider\_aci) | >= 2.0.0 |
+
+## Inputs
+
+| Name | Description | Type | Default | Required |
+|------|-------------|------|---------|:--------:|
+| <a name="input_ip"></a> [ip](#input\_ip) | IP address. | `string` | n/a | yes |
+| <a name="input_tenant"></a> [tenant](#input\_tenant) | Tenant Name. | `string` | n/a | yes |
+| <a name="input_vrf"></a> [vrf](#input\_vrf) | VRF Name. | `string` | `null` | no |
+| <a name="input_tags"></a> [tags](#input\_tags) | Policy Tags | <pre>list(object({<br>    key   = string<br>    value = string<br>  }))</pre> | `[]` | no |
+
+## Outputs
+
+| Name | Description |
+|------|-------------|
+| <a name="output_dn"></a> [dn](#output\_dn) | Distinguised name of `fvEpIpTag` object. |
+
+## Resources
+
+| Name | Type |
+|------|------|
+| [aci_rest_managed.fvEpIpTag](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+| [aci_rest_managed.tagTag](https://registry.terraform.io/providers/CiscoDevNet/aci/latest/docs/resources/rest_managed) | resource |
+<!-- END_TF_DOCS -->

modules/terraform-aci-endpoint-ip-tag-policy/examples/complete/.terraform-docs.yml

@@ -0,0 +1,24 @@
+version: '>= 0.14.0'
+
+formatter: markdown table
+
+content: |-
+  # Endpoint IP Tag Example
+
+  To run this example you need to execute:
+
+  ```bash
+  $ terraform init
+  $ terraform plan
+  $ terraform apply
+  ```
+
+  Note that this example will create resources. Resources can be destroyed with `terraform destroy`.
+
+  ```hcl
+  {{ include "./main.tf" }}
+  ```
+
+output:
+  file: README.md
+  mode: replace

modules/terraform-aci-endpoint-ip-tag-policy/examples/complete/README.md

@@ -0,0 +1,28 @@
+<!-- BEGIN_TF_DOCS -->
+# Endpoint IP Tag Example
+
+To run this example you need to execute:
+
+```bash
+$ terraform init
+$ terraform plan
+$ terraform apply
+```
+
+Note that this example will create resources. Resources can be destroyed with `terraform destroy`.
+
+```hcl
+module "aci_endpoint_ip_tag_policy" {
+  source  = "netascode/nac-aci/aci//modules/terraform-aci-endpoint-ip-tag-policy"
+  version = ">= 0.8.0"
+
+  ip     = "1.1.1.1"
+  tenant = "TEN1"
+  vrf    = "TEN1-VRF"
+  tags = [{
+    key   = "Environment"
+    value = "PROD"
+  }]
+}
+```
+<!-- END_TF_DOCS -->

modules/terraform-aci-endpoint-ip-tag-policy/examples/complete/main.tf

@@ -0,0 +1,12 @@
+module "aci_endpoint_ip_tag_policy" {
+  source  = "netascode/nac-aci/aci//modules/terraform-aci-endpoint-ip-tag-policy"
+  version = ">= 0.8.0"
+
+  ip     = "1.1.1.1"
+  tenant = "TEN1"
+  vrf    = "TEN1-VRF"
+  tags = [{
+    key   = "Environment"
+    value = "PROD"
+  }]
+}

modules/terraform-aci-endpoint-ip-tag-policy/examples/complete/versions.tf

@@ -0,0 +1,10 @@
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aci = {
+      source  = "CiscoDevNet/aci"
+      version = ">= 2.0.0"
+    }
+  }
+}

modules/terraform-aci-endpoint-ip-tag-policy/main.tf

@@ -0,0 +1,19 @@
+resource "aci_rest_managed" "fvEpIpTag" {
+  dn         = "uni/tn-${var.tenant}/eptags/epiptag-[${var.ip}]-${var.vrf}"
+  class_name = "fvEpIpTag"
+
+  content = {
+    ip      = var.ip
+    ctxName = var.vrf
+  }
+}
+
+resource "aci_rest_managed" "tagTag" {
+  for_each   = { for tag in var.tags : "${tag.key}/${tag.value}" => tag }
+  dn         = "${aci_rest_managed.fvEpIpTag.dn}/tagKey-${each.value.key}"
+  class_name = "tagTag"
+  content = {
+    key   = each.value.key
+    value = each.value.value
+  }
+}

modules/terraform-aci-endpoint-ip-tag-policy/outputs.tf

@@ -0,0 +1,4 @@
+output "dn" {
+  value       = aci_rest_managed.fvEpIpTag.id
+  description = "Distinguised name of `fvEpIpTag` object."
+}

modules/terraform-aci-endpoint-ip-tag-policy/variables.tf

@@ -0,0 +1,48 @@
+variable "ip" {
+  description = "IP address."
+  type        = string
+}
+
+variable "tenant" {
+  description = "Tenant Name."
+  type        = string
+
+  validation {
+    condition     = can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.tenant))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+}
+
+variable "vrf" {
+  description = "VRF Name."
+  type        = string
+  default     = null
+
+  validation {
+    condition     = var.vrf == null || can(regex("^[a-zA-Z0-9_.:-]{0,64}$", var.vrf))
+    error_message = "Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+}
+
+variable "tags" {
+  description = "Policy Tags"
+  type = list(object({
+    key   = string
+    value = string
+  }))
+  default = []
+
+  validation {
+    condition = alltrue([
+      for tag in coalesce(var.tags, []) : can(regex("^[a-zA-Z0-9_.:-]{0,64}$", tag.key))
+    ])
+    error_message = "`tags.key`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 64."
+  }
+
+  validation {
+    condition = alltrue([
+      for tag in coalesce(var.tags, []) : can(regex("^[a-zA-Z0-9_.:-]{0,128}$", tag.value))
+    ])
+    error_message = "`tags.value`: Allowed characters: `a`-`z`, `A`-`Z`, `0`-`9`, `_`, `.`, `:`, `-`. Maximum characters: 128."
+  }
+}

modules/terraform-aci-endpoint-ip-tag-policy/versions.tf

@@ -0,0 +1,11 @@
+
+terraform {
+  required_version = ">= 1.3.0"
+
+  required_providers {
+    aci = {
+      source  = "CiscoDevNet/aci"
+      version = ">= 2.0.0"
+    }
+  }
+}

modules/terraform-aci-endpoint-mac-tag-policy/.terraform-docs.yml

@@ -0,0 +1,34 @@
+version: '>= 0.14.0'
+
+formatter: markdown table
+
+content: |-
+  # Endpoint IP Tag Module
+
+  Manages Endpoint IP Tags
+
+  Location in GUI:
+  `Tenants` » `XXX` » `Policies` » `Endpoint Tags` » `Endpoint MAC`
+
+  ## Examples
+
+  ```hcl
+  {{ include "./examples/complete/main.tf" }}
+  ```
+
+  {{ .Requirements }}
+
+  {{ .Providers }}
+
+  {{ .Inputs }}
+
+  {{ .Outputs }}
+
+  {{ .Resources }}
+
+output:
+  file: README.md
+  mode: replace
+
+sort:
+  enabled: false