@camschaecisco camschaecisco commented Dec 8, 2025

Extended Network Access and Device Admin Policies for Nesting to 7 Levels

This PR extends ISE policy condition nesting from 3 levels to 7 levels (1 root + 6 nested children) for policy sets and rules in both Network Access and Device Administration domains.

This enhancement enables deeply nested conditional logic using ConditionAndBlock and ConditionOrBlock at all nesting levels.

The 7-level nesting capability enables sophisticated access control policies that combine multiple logical operators at arbitrary depths, supporting complex organizational structures, multi-factor authentication scenarios, and granular network segmentation policies.

Resources Extended

Network Access Domain (5 resources):

  • ise_network_access_policy_set
  • ise_network_access_authentication_rule
  • ise_network_access_authorization_rule
  • ise_network_access_authorization_exception_rule
  • ise_network_access_authorization_global_exception_rule

Device Administration Domain (5 resources):

  • ise_device_admin_policy_set
  • ise_device_admin_authentication_rule
  • ise_device_admin_authorization_rule
  • ise_device_admin_authorization_exception_rule
  • ise_device_admin_authorization_global_exception_rule

Total: 10 provider resources + 10 corresponding data sources


Benefits

Policy Modeling Capabilities

  • Construct complex multi-factor access control policies with deep logical evaluation trees
  • Support organizational hierarchies with nested department/role/location conditions
  • Model real-world access scenarios: (user in group A OR B) AND (device type X OR Y) AND (location Z) AND (time is business hours)
  • Combine multiple RADIUS/TACACS attributes in hierarchical boolean expressions

Operational Improvements

  • Single complex policy can replace dozens of simple policies
  • Reduced policy evaluation overhead through consolidated logic
  • Improved maintainability with hierarchical condition organization
  • Better compliance support for multi-attribute validation requirements

Integration Benefits

  • Advanced posture assessment scenarios with nested conditions
  • Third-party system integration requiring multi-attribute validation
  • Complex TrustSec policy evaluation with deep attribute inspection
  • Intricate guest access workflows with multi-stage validation

Platform Compatibility

Validated against Cisco ISE 3.4

API Requirements

  • ✅ ISE OpenAPI - Policy Set and Rule Management APIs

Technical Implementation

Provider Definition Files Extended

Updated YAML Definitions (gen/definitions/):

Network Access Policies:

- network_access_policy_set.yaml
- network_access_authentication_rule.yaml
- network_access_authorization_rule.yaml
- network_access_authorization_exception_rule.yaml
- network_access_authorization_global_exception_rule.yaml

Device Administration Policies:

- device_admin_policy_set.yaml
- device_admin_authentication_rule.yaml
- device_admin_authorization_rule.yaml
- device_admin_authorization_exception_rule.yaml
- device_admin_authorization_global_exception_rule.yaml

Nesting Structure Added:
Each definition file extended with recursive children attributes:

  • children (Level 1)
  • children_children (Level 2)
  • children_children_children (Level 3)
  • children_children_children_children (Level 4)
  • children_children_children_children_children (Level 5)
  • children_children_children_children_children_children (Level 6)

Code Generation Updates

Generated Go Code:

  • Extended model structs with 6 additional nesting levels
  • Updated resource schemas with recursive nested object attributes
  • Enhanced CRUD operations for deep condition structures
  • Improved JSON marshaling/unmarshaling for nested conditions
  • Added validation for maximum nesting depth

Template Modifications:

  • gen/templates/model.go - Generate recursive nested structs
  • gen/templates/resource.go - Process deep condition trees
  • gen/templates/data_source.go - Retrieve nested conditions

Provider Configuration Enhancement

New Provider Parameter:

provider "ise" {
  request_timeout = 360  # Extended timeout for complex policies
  retries         = 3    # Retry logic for large payloads
}

Why Extended Timeout:

  • Deep nested conditions generate large JSON payloads (10KB+)
  • ISE policy evaluation engine processes entire condition tree
  • Network latency for large request/response cycles
  • Recommended: 180-360 seconds for 6-7 level nesting

Critical Bug Fix

Device Admin Policy Type Correction:

# Changed from:
children:
  type: Set

# Changed to:
children:
  type: List

Reason: Terraform Sets don't preserve order, causing state drift with nested conditions. Lists maintain proper ordering and ensure idempotent operations.


Testing

Provider Compilation ✅

  • ✅ All 10 extended resources compile successfully
  • ✅ Generated Go code passes go vet and linting
  • ✅ Code generation (make gen) executes without errors
  • ✅ No breaking changes to existing resources

Integration Testing ✅

Terraform Operations:

  • terraform plan - Correctly identifies 7-level nested conditions
  • terraform apply - Successfully deploys to ISE 3.4
  • terraform refresh - No configuration drift detected
  • terraform destroy - Cleanly removes nested policies
  • ✅ State management accurate for deep structures

ISE API Validation:

  • ✅ HTTP 200/201 responses for all operations
  • ✅ Proper JSON payload structure for 7-level hierarchy
  • ✅ Idempotent updates confirmed
  • ✅ Large payload handling verified

Manual Device Verification:

  • ✅ Policy sets visible in ISE GUI with 7-level nesting
  • ✅ All condition levels display correctly
  • ✅ Condition evaluation works at all depths

Deployment Validation ✅

ISE 3.4 Node:

Network Access Policy Example:

Policy Set: NA_PolicySet_V2
Condition: ConditionAndBlock
└─ Child L1: ConditionOrBlock
   └─ Child L2: ConditionAndBlock
      └─ Child L3: ConditionOrBlock
         └─ Child L4: ConditionAndBlock
            └─ Child L5: ConditionOrBlock
               └─ Child L6: ConditionAttributes (User-Name contains "value")

Device Admin Policy Example:

Policy Set: DA_PolicySet_1202
Condition: ConditionAndBlock
└─ Child L1: ConditionOrBlock
   └─ Child L2: ConditionAndBlock
      └─ Child L3: ConditionOrBlock
         └─ Child L4: ConditionAndBlock
            └─ Child L5: ConditionOrBlock
               └─ Child L6: ConditionAttributes (User contains "value")

Example Usage

Network Access - 7-Level Authorization Rule

resource "ise_network_access_authorization_rule" "deep_nested" {
  policy_set_id = ise_network_access_policy_set.main.id
  name          = "Complex_7Level_Rule"
  state         = "enabled"
  
  condition = {
    condition_type = "ConditionAndBlock"
    is_negate      = false
    children = [
      {
        condition_type = "ConditionOrBlock"
        children = [
          {
            condition_type = "ConditionAndBlock"
            children = [
              {
                condition_type = "ConditionOrBlock"
                children = [
                  {
                    condition_type = "ConditionAndBlock"
                    children = [
                      {
                        condition_type = "ConditionOrBlock"
                        children = [
                          {
                            condition_type  = "ConditionAttributes"
                            dictionary_name = "Radius"
                            attribute_name  = "User-Name"
                            operator        = "contains"
                            attribute_value = "employee"
                          },
                          {
                            condition_type  = "ConditionAttributes"
                            dictionary_name = "Radius"
                            attribute_name  = "User-Name"
                            operator        = "contains"
                            attribute_value = "contractor"
                          }
                        ]
                      },
                      {
                        condition_type  = "ConditionAttributes"
                        dictionary_name = "DEVICE"
                        attribute_name  = "Device Type"
                        operator        = "equals"
                        attribute_value = "Wireless"
                      }
                    ]
                  },
                  {
                    condition_type  = "ConditionAttributes"
                    dictionary_name = "Network Access"
                    attribute_name  = "EapAuthentication"
                    operator        = "equals"
                    attribute_value = "EAP-TLS"
                  }
                ]
              },
              {
                condition_type  = "ConditionAttributes"
                dictionary_name = "DEVICE"
                attribute_name  = "Location"
                operator        = "startsWith"
                attribute_value = "Building-A"
              }
            ]
          },
          {
            condition_type = "ConditionReference"
            name           = "Business_Hours"
          }
        ]
      },
      {
        condition_type  = "ConditionAttributes"
        dictionary_name = "Network Access"
        attribute_name  = "UseCase"
        operator        = "equals"
        attribute_value = "Host Onboarding"
      }
    ]
  }
  
  profiles = ["Wireless_Access_Profile"]
}

Device Administration - 7-Level Policy Set

resource "ise_device_admin_policy_set" "tacacs_nested" {
  name        = "TACACS_7Level_Policy"
  description = "Multi-level TACACS authorization"
  state       = "enabled"
  
  condition = {
    condition_type = "ConditionAndBlock"
    is_negate      = false
    children = [
      {
        condition_type = "ConditionOrBlock"
        children = [
          {
            condition_type = "ConditionAndBlock"
            children = [
              {
                condition_type = "ConditionOrBlock"
                children = [
                  {
                    condition_type = "ConditionAndBlock"
                    children = [
                      {
                        condition_type = "ConditionOrBlock"
                        children = [
                          {
                            condition_type  = "ConditionAttributes"
                            dictionary_name = "TACACS"
                            attribute_name  = "User"
                            operator        = "contains"
                            attribute_value = "admin"
                          },
                          {
                            condition_type  = "ConditionAttributes"
                            dictionary_name = "TACACS"
                            attribute_name  = "User"
                            operator        = "contains"
                            attribute_value = "network-ops"
                          }
                        ]
                      },
                      {
                        condition_type  = "ConditionAttributes"
                        dictionary_name = "DEVICE"
                        attribute_name  = "Device Type"
                        operator        = "equals"
                        attribute_value = "All Device Types#Routers"
                      }
                    ]
                  },
                  {
                    condition_type  = "ConditionAttributes"
                    dictionary_name = "TACACS"
                    attribute_name  = "Port"
                    operator        = "equals"
                    attribute_value = "49"
                  }
                ]
              },
              {
                condition_type  = "ConditionAttributes"
                dictionary_name = "DEVICE"
                attribute_name  = "Location"
                operator        = "equals"
                attribute_value = "All Locations#DataCenter"
              }
            ]
          },
          {
            condition_type = "ConditionReference"
            name           = "Trusted_Network_Devices"
          }
        ]
      },
      {
        condition_type  = "ConditionAttributes"
        dictionary_name = "TACACS"
        attribute_name  = "Service"
        operator        = "equals"
        attribute_value = "Login"
      }
    ]
  }
  
  service_name = "Default Device Admin"
}

Performance Considerations

Recommended Provider Configuration

For policies with 5-7 levels of nesting:

provider "ise" {
  url             = var.ise_url
  username        = var.ise_username
  password        = var.ise_password
  request_timeout = 360  # 6 minutes for deep nesting
  retries         = 3    # Enable retry logic
}

Performance Impact:

  • Deep nesting generates larger JSON payloads (10KB+)
  • ISE processes entire condition tree on each evaluation
  • Increased request/response times for 6-7 level policies
  • Acceptable performance with proper timeout configuration

Breaking Changes

None - This is a backward-compatible enhancement.

Existing policies with 1-3 levels of nesting continue to work without modification. The extension to 7 levels is additive.


Migration Notes

No migration required. Existing resources automatically gain 7-level nesting capability.


Checklist

Code Generation:

  • ✅ Updated 10 provider definition YAML files
  • ✅ Extended condition nesting to 7 levels
  • ✅ Executed make gen successfully
  • ✅ All generated Go code compiles
  • ✅ No linter warnings

Bug Fixes:

  • ✅ Changed device_admin children from Set to List
  • ✅ Added request_timeout parameter to provider

Testing:

  • ✅ Provider compiles and loads successfully
  • ✅ Integration tests pass on ISE 3.4
  • ✅ Manual validation on live ISE node
  • ✅ Terraform plan/apply/destroy lifecycle verified
  • ✅ No configuration drift detected

Documentation:

  • ✅ Resource documentation auto-generated
  • ✅ Examples include 7-level nesting patterns
  • ✅ Provider parameter documentation updated

Deployment Notes

For Users:

  1. Update provider version to include this change
  2. Set request_timeout = 180 or higher for deep nesting
  3. Test with terraform plan before deploying to production
  4. Verify policy evaluation in ISE GUI after deployment
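As an added illustration, not code from this PR or from the provider, the following Go sketch models what the description refers to: a recursive condition node, a validator that enforces the 1 root + 6 nested children limit with ConditionAttributes and ConditionReference as the only terminal types (and rejects a block at level 7, an empty block, or a leaf that carries children), and a builder for the alternating AND/OR chain used in the verification trees above. The JSON tag names (modelled on the ISE OpenAPI camelCase fields) and the Validate/Nest helpers are assumptions, not the provider's API.

```go
package main

import "fmt"

// MaxDepth is the limit this PR introduces: 1 root + 6 nested children.
const MaxDepth = 7

// Condition is one node of a policy condition tree. JSON tags are an assumption modelled on ISE OpenAPI names.
type Condition struct {
	ConditionType  string      `json:"conditionType"`
	IsNegate       bool        `json:"isNegate,omitempty"`
	DictionaryName string      `json:"dictionaryName,omitempty"`
	AttributeName  string      `json:"attributeName,omitempty"`
	Operator       string      `json:"operator,omitempty"`
	AttributeValue string      `json:"attributeValue,omitempty"`
	Name           string      `json:"name,omitempty"`     // used by ConditionReference
	Children       []Condition `json:"children,omitempty"` // ordered, which is why the PR uses List, not Set
}

// Validate checks a tree against the PR's rules and returns its deepest level.
func Validate(c Condition) (int, error) { return walk(c, 1) }

func walk(c Condition, level int) (int, error) {
	if level > MaxDepth {
		return 0, fmt.Errorf("nesting exceeds %d levels", MaxDepth)
	}
	block := c.ConditionType == "ConditionAndBlock" || c.ConditionType == "ConditionOrBlock"
	leaf := c.ConditionType == "ConditionAttributes" || c.ConditionType == "ConditionReference"
	// Unknown types, leaves with children and blocks without children are all invalid.
	if !block && !leaf || leaf && len(c.Children) > 0 || block && len(c.Children) == 0 {
		return 0, fmt.Errorf("level %d: invalid %s with %d children", level, c.ConditionType, len(c.Children))
	}
	deepest := level
	for _, ch := range c.Children {
		d, err := walk(ch, level+1) // a block at level 7 fails here: its children land on level 8
		if err != nil {
			return 0, err
		}
		if d > deepest {
			deepest = d
		}
	}
	return deepest, nil
}

// Nest builds the alternating AND/OR chain from the verification trees, ending in one RADIUS leaf.
func Nest(levels int) Condition {
	if levels == 1 {
		return Condition{ConditionType: "ConditionAttributes", DictionaryName: "Radius", AttributeName: "User-Name", Operator: "contains", AttributeValue: "employee"}
	}
	t := "ConditionAndBlock"
	if levels%2 == 0 {
		t = "ConditionOrBlock"
	}
	return Condition{ConditionType: t, Children: []Condition{Nest(levels - 1)}}
}
```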

camschae and others added 7 commits November 26, 2025 18:41
…olicy conditions

Extends support for deeply nested policy conditions (3+ levels) in both
Network Access and Device Admin resources by:

1. Adding ConditionAndBlock and ConditionOrBlock to level 3+ enum validators
2. Adding recursive children structure supporting up to 5 levels of nesting

This fixes the issue where customers could not deploy deeply nested policy
conditions via Terraform, even though ISE itself supports this configuration.

Previously, level 3+ children only allowed ConditionAttributes and
ConditionReference, blocking customers from using nested ConditionAndBlock
and ConditionOrBlock at deeper levels.

Affects 12 resources:
- Network Access: authentication_rule, authorization_rule,
  authorization_exception_rule, authorization_global_exception_rule,
  condition, policy_set
- Device Admin: authentication_rule, authorization_rule,
  authorization_exception_rule, authorization_global_exception_rule,
  condition, policy_set

Customer: USPS

🤖 Generated with Claude Code (https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
…rmance

- Extended model.go template to support 7 levels of nested children (toBody serialization)
- Changed children attributes from SetNestedAttribute to ListNestedAttribute for better performance
- Updated network_access_authorization_rule.yaml to use List type instead of Set
- Added missing imports to data_source.go and resource.go templates
- Regenerated all provider code with 7-level support

This resolves customer complaints about ConditionAndBlock not being allowed
as condition_type for children under network_access resources.
- Changed all children attributes from Set to List for better performance
- Extended policy_sets, authentication_rules, authorization_rules, and exception_rules
- Both network_access and device_admin policies now support 1 root + 6 nested children
- Terminal level (Level 7) restricted to ConditionAttributes and ConditionReference only
- Changed all children attributes from SetNestedAttribute to ListNestedAttribute
- Resolves performance hang with 7-level nesting in device_admin authorization rules
- All device_admin policy types now use List for better performance
- Add configurable HTTP request timeout (default: 60s, max: 600s)
- Resolves timeout issues with deeply nested policy conditions (7 levels)
- Customers can set request_timeout = 180 for complex nested structures
- Also configurable via ISE_REQUEST_TIMEOUT environment variable

Fixes: ISE API takes 60-120+ seconds to process 7-level nested conditions,
exceeding the default 60s HTTP timeout. With request_timeout = 180,
all operations complete successfully and get recorded in Terraform state.
- Add request_timeout parameter to gen/templates/provider.go
- Run go generate to update all documentation and examples
- Includes 7-level nesting documentation for all policy resources
- Updates Set to List for children attributes (per YAML definitions)
- Formatting updates for all example files (terraform fmt)

This ensures CI/CD git diff check passes after go generate.