Added Fabric Extranet Policies feature

mhamroz · mhamroz · commit 8b4cf8d74ad3 · 2025-11-24T12:05:35.000+01:00
diff --git a/EXTRANET_POLICY_USAGE.md b/EXTRANET_POLICY_USAGE.md
@@ -0,0 +1,254 @@
+# Extranet Policy Configuration Guide
+
+This document explains how to configure Extranet Policies using the Terraform Catalyst Center NAC module.
+
+## Overview
+
+Extranet Policies enable communication between different virtual networks (VNs) in an SD-Access fabric. The module supports configuring extranet policies at the fabric level with an optional `fabric_sites` parameter to specify which sites the policy applies to:
+- **Global fabric policies** - Applied to all fabric sites (when `fabric_sites` is not specified)
+- **Site-specific fabric policies** - Applied only to specified fabric sites (when `fabric_sites` is provided)
+
+## YAML Configuration
+
+### Global Extranet Policy
+
+Configure policies that apply to all fabric sites:
+
+```yaml
+catalyst_center:
+  fabric:
+    extranet_policies:
+      - name: LISP_extranet_global
+        provider_VN: Campus
+        subscriber_VNs:
+          - Guest
+          - IoT
+```
+
+### Site-Specific Extranet Policy
+
+Configure policies for specific fabric sites using the `fabric_sites` parameter:
+
+```yaml
+catalyst_center:
+  fabric:
+    extranet_policies:
+      - name: LISP_extranet
+        provider_VN: Campus2
+        subscriber_VNs:
+          - Guest2
+          - Printers2
+        fabric_sites:
+          - Global/Poland/Krakow
+```
+
+## Complete Example
+
+Here's a complete example showing both global and site-specific extranet policies:
+
+```yaml
+---
+catalyst_center:
+  fabric:
+    # Multiple extranet policies with different scopes
+    extranet_policies:
+      # Global policy (applies to all sites)
+      - name: Global_Campus_Extranet
+        provider_VN: Campus
+        subscriber_VNs:
+          - Guest
+          - IoT
+
+      # Site-specific policy (applies only to Boston)
+      - name: Boston_Local_Extranet
+        provider_VN: Campus_Boston
+        subscriber_VNs:
+          - Guest_Boston
+          - Printers_Boston
+        fabric_sites:
+          - Global/US/Boston
+
+      # Multi-site policy (applies to specific sites)
+      - name: East_Coast_DMZ_Extranet
+        provider_VN: DMZ_Shared
+        subscriber_VNs:
+          - Internal_Boston
+          - Internal_NYC
+        fabric_sites:
+          - Global/US/Boston
+          - Global/US/NYC
+
+    fabric_sites:
+      - name: Global/US/Boston
+        l3_virtual_networks:
+          - Campus_Boston
+          - Guest_Boston
+          - Printers_Boston
+          - Internal_Boston
+        # ... other site configuration
+
+      - name: Global/US/NYC
+        l3_virtual_networks:
+          - Campus_NYC
+          - Internal_NYC
+        # ... other site configuration
+```
+
+## Terraform Configuration
+
+### Basic Usage
+
+```hcl
+module "catalystcenter" {
+  source  = "netascode/nac-catalystcenter/catalystcenter"
+  version = "0.2.0"
+
+  yaml_files = ["fabric.yaml"]
+}
+```
+
+### Advanced Configuration
+
+```hcl
+module "catalystcenter" {
+  source  = "netascode/nac-catalystcenter/catalystcenter"
+  version = "0.2.0"
+
+  yaml_directories         = ["./data"]
+  managed_sites           = ["Global/US/Boston", "Global/US/NYC"]
+  manage_global_settings  = true
+  use_bulk_api           = true
+}
+```
+
+## Data Model Structure
+
+### Required Fields
+
+- `name`: Unique name for the extranet policy
+- `provider_VN`: Name of the provider virtual network
+- `subscriber_VNs`: List of subscriber virtual network names
+
+### Optional Fields
+
+- `fabric_sites`: List of fabric site names where the policy should be applied. If omitted, the policy applies to all fabric sites.
+
+### Field Mapping
+
+The YAML structure maps to the Terraform resource as follows:
+
+| YAML Field | Terraform Resource Field | Description |
+|------------|-------------------------|-------------|
+| `name` | `extranet_policy_name` | Name of the extranet policy |
+| `provider_VN` | `provider_virtual_network_name` | Provider virtual network |
+| `subscriber_VNs` | `subscriber_virtual_network_names` | Subscriber virtual networks |
+| `fabric_sites` | `fabric_ids` (computed) | List of fabric site IDs (computed from site names) |
+
+## Prerequisites
+
+Before configuring extranet policies, ensure:
+
+1. **Virtual Networks Exist**: All referenced virtual networks must be defined in the configuration
+2. **Fabric Sites Configured**: Target fabric sites must be properly configured
+3. **Provider Dependencies**: The module will automatically handle dependencies between resources
+
+## Behavior and Logic
+
+### Global vs Site-Specific Policies
+
+- **Global policies** (`fabric.extranet_policy`): Applied to all managed fabric sites
+- **Site-specific policies** (`fabric_sites[].extranet_policy`): Applied only to the specific fabric site
+
+### Resource Naming
+
+- Global policies: Use the policy `name` as the resource key
+- Site-specific policies: Use `{name}_{site_name}` as the resource key
+
+### Dependency Management
+
+The module automatically handles dependencies:
+- Fabric sites must exist before applying policies
+- L3 virtual networks must be configured before extranet policies
+- Provider virtual networks are validated during planning
+
+## Validation Rules
+
+The module includes validation to ensure:
+- Policy names are unique within their scope
+- Provider and subscriber virtual networks are defined
+- No circular dependencies between policies
+- Fabric sites exist for site-specific policies
+
+## Common Use Cases
+
+### 1. Campus-Guest Connectivity
+
+Allow guest network access to campus services:
+
+```yaml
+extranet_policy:
+  - name: Campus_Guest_Access
+    provider_VN: Campus
+    subscriber_VNs:
+      - Guest
+```
+
+### 2. Multi-Tenant Shared Services
+
+Enable multiple tenant VNs to access shared services:
+
+```yaml
+extranet_policy:
+  - name: Shared_Services_Access
+    provider_VN: Shared_Services
+    subscriber_VNs:
+      - Tenant_A
+      - Tenant_B
+      - Tenant_C
+```
+
+### 3. Site-Specific DMZ Access
+
+Configure DMZ access for specific sites:
+
+```yaml
+fabric_sites:
+  - name: Global/DC/Primary
+    extranet_policy:
+      - name: DMZ_Internal_Access
+        provider_VN: Internal
+        subscriber_VNs:
+          - DMZ
+```
+
+## Troubleshooting
+
+### Common Issues
+
+1. **Virtual Network Not Found**: Ensure all referenced VNs are defined in `l3_virtual_networks`
+2. **Fabric Site Not Managed**: Check that the site is in the `managed_sites` list
+3. **Duplicate Policy Names**: Use unique names for policies within their scope
+4. **Provider/Subscriber Conflict**: A VN cannot be both provider and subscriber in the same policy
+
+### Validation Commands
+
+```bash
+# Validate YAML structure
+nac-validate data/
+
+# Plan to see what resources will be created
+terraform plan
+
+# Check for naming conflicts
+terraform plan | grep "catalystcenter_extranet_policy"
+```
+
+## Related Configuration
+
+Extranet policies work in conjunction with:
+- L3 Virtual Networks
+- Fabric Sites
+- Anycast Gateways
+- Security Group Tags (if configured)
+
+Ensure these components are properly configured in your YAML model.
diff --git a/README.md b/README.md
@@ -101,10 +101,10 @@ module "catalystcenter" {
 | [catalystcenter_discovery.discovery](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/discovery) | resource |
 | [catalystcenter_dns_settings.dns_settings](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/dns_settings) | resource |
 | [catalystcenter_dns_settings.global_dns_settings](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/dns_settings) | resource |
+| [catalystcenter_extranet_policy.extranet_policy](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/extranet_policy) | resource |
 | [catalystcenter_fabric_device.border_device](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_device) | resource |
 | [catalystcenter_fabric_device.edge_device](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_device) | resource |
 | [catalystcenter_fabric_device.wireless_controller](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_device) | resource |
-| [catalystcenter_fabric_devices.fabric_devices](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_devices) | resource |
 | [catalystcenter_fabric_ewlc.ewlc_device](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_ewlc) | resource |
 | [catalystcenter_fabric_l2_handoff.l2_handoff](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_l2_handoff) | resource |
 | [catalystcenter_fabric_l2_handoff.l2_handoff_no_anycast](https://registry.terraform.io/providers/CiscoDevNet/catalystcenter/latest/docs/resources/fabric_l2_handoff) | resource |
diff --git a/cc_fabric.tf b/cc_fabric.tf
