From 0db041d22452824b6287d6c92c44c72c16ec718a Mon Sep 17 00:00:00 2001 From: Krasen Kolev Date: Sat, 28 Dec 2024 19:19:29 +0000 Subject: [PATCH 1/8] added support for fips_restrictions under management security --- .../eos_cli_config_gen/documentation/devices/host1.md | 2 ++ .../molecule/eos_cli_config_gen/intended/configs/host1.cfg | 2 ++ .../inventory/host_vars/host1/management-security.yml | 4 ++++ .../eos_cli_config_gen/docs/tables/management-security.md | 4 ++++ .../j2templates/eos/management-security.j2 | 3 +++ python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py | 5 +++++ .../_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml | 3 +++ .../schema/schema_fragments/management_security.schema.yml | 4 ++++ 8 files changed, 27 insertions(+) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md index d84487ab92c..12c8364914e 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md @@ -1555,6 +1555,7 @@ management security cipher-list ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 ! ssl profile SSL_PROFILE + fips restrictions tls versions 1.1 1.2 certificate SSL_CERT key SSL_KEY ! @@ -1583,6 +1584,7 @@ management security tls versions 1.1 ! ssl profile tls-versions-profile + fips restrictions tls versions 1.0 1.1 ``` diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg index e213b30b800..59779471511 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg 
@@ -1353,6 +1353,7 @@ management security cipher-list ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 ! ssl profile SSL_PROFILE + fips restrictions tls versions 1.1 1.2 certificate SSL_CERT key SSL_KEY ! @@ -1381,6 +1382,7 @@ management security tls versions 1.1 ! ssl profile tls-versions-profile + fips restrictions tls versions 1.0 1.1 ! radius-server deadtime 10 diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml index 01c91089d33..20396f18e4d 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/host1/management-security.yml @@ -23,15 +23,19 @@ management_security: sequential: 7 ssl_profiles: - name: SSL_PROFILE + fips_restrictions: true tls_versions: 1.1 1.2 certificate: file: SSL_CERT key: SSL_KEY - name: tls-versions-profile + fips_restrictions: true tls_versions: "1.0 1.1" - name: cipher-list-profile + fips_restrictions: false cipher_list: ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 - name: certificate-profile + fips_restrictions: false certificate: file: eAPI.crt key: eAPI.key diff --git a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md index 9600f59bd9e..f54245b4931 100644 --- a/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md +++ b/ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/management-security.md @@ -30,6 +30,7 @@ | [          sequential](## "management_security.password.policies.[].maximum.sequential") | Integer | | | Min: 1
Max: 65535 | | | [  ssl_profiles](## "management_security.ssl_profiles") | List, items: Dictionary | | | | | | [    - name](## "management_security.ssl_profiles.[].name") | String | | | | | + | [      fips_restrictions](## "management_security.ssl_profiles.[].fips_restrictions") | Boolean | | | | Use FIPS compliant algorithms. | | [      tls_versions](## "management_security.ssl_profiles.[].tls_versions") | String | | | | List of allowed TLS versions as string.
Examples:
- "1.0"
- "1.0 1.1"
| | [      cipher_list](## "management_security.ssl_profiles.[].cipher_list") | String | | | | cipher_list syntax follows the openssl cipher strings format.
Colon (:) separated list of allowed ciphers as a string.
Not supported on EOS version starting 4.32.0F, use the `ciphers` setting instead.
| | [      ciphers](## "management_security.ssl_profiles.[].ciphers") | Dictionary | | | | This setting is applicable to EOS versions 4.32.0F and later. | @@ -108,6 +109,9 @@ ssl_profiles: - name: + # Use FIPS compliant algorithms. + fips_restrictions: + # List of allowed TLS versions as string. # Examples: # - "1.0" diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 index 7c54cb9cff3..450028f1d1e 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 @@ -87,6 +87,9 @@ management security {% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %} ! ssl profile {{ ssl_profile.name }} +{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %} + fips restrictions +{% endif %} {% if ssl_profile.tls_versions is arista.avd.defined %} tls versions {{ ssl_profile.tls_versions }} {% endif %} diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py index 6614afafb4c..e2f68bf5a51 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/__init__.py @@ -21587,6 +21587,7 @@ class CertificateRevocationLists(AvdList[str]): _fields: ClassVar[dict] = { "name": {"type": str}, + "fips_restrictions": {"type": bool}, "tls_versions": {"type": str}, "cipher_list": {"type": str}, "ciphers": {"type": Ciphers}, @@ -21597,6 +21598,8 @@ class CertificateRevocationLists(AvdList[str]): "_custom_data": {"type": dict}, } name: str | None + fips_restrictions: bool | None + """Use FIPS compliant algorithms.""" tls_versions: str | None """ List of allowed TLS versions as string. 
@@ -21642,6 +21645,7 @@ def __init__( self, *, name: str | None | UndefinedType = Undefined, + fips_restrictions: bool | None | UndefinedType = Undefined, tls_versions: str | None | UndefinedType = Undefined, cipher_list: str | None | UndefinedType = Undefined, ciphers: Ciphers | UndefinedType = Undefined, @@ -21659,6 +21663,7 @@ def __init__( Args: name: name + fips_restrictions: Use FIPS compliant algorithms. tls_versions: List of allowed TLS versions as string. Examples: # fmt: skip diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml index 54b86f4b634..42ac5407978 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/eos_cli_config_gen.schema.yml @@ -7514,6 +7514,9 @@ keys: keys: name: type: str + fips_restrictions: + type: bool + description: Use FIPS compliant algorithms. tls_versions: type: str description: "List of allowed TLS versions as string.\nExamples:\n - diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml index 529b494c844..e099487e5e0 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml @@ -101,6 +101,9 @@ keys: keys: name: type: str + fips_restrictions: + type: bool + description: Use FIPS compliant algorithms. tls_versions: type: str description: | @@ -190,6 +193,7 @@ keys: If specified, one CRL needs to be provided for every certificate in the chain, even if the revocation list in the CRL is empty. items: type: str + shared_secret_profiles: type: list primary_key: profile From 9e6e48c4d45bf4c53fc5c3c256c97b4b52c9321e Mon Sep 17 00:00:00 2001 
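Review bot: The new `fips_restrictions` description in the `@@ -101,6 +101,9 @@` hunk of management_security.schema.yml only says `Use FIPS compliant algorithms.`, which tells the operator neither what the knob renders nor how it interacts with the sibling keys; the same one-liner is repeated in the eos_cli_config_gen.schema.yml and schema/__init__.py hunks, which appear to be generated from this fragment. A fuller description would state that it emits `fips restrictions` under the `ssl profile` and that, presumably, the device then accepts only FIPS-approved TLS versions and cipher suites, so `tls_versions` and `ciphers` on the same profile should be chosen to stay consistent with that restriction — confirm against EOS before wording it as a guarantee. The molecule data in this commit pairs `fips_restrictions: true` with `tls_versions: "1.0 1.1"` on `tls-versions-profile`; if EOS rejects or silently narrows that combination, the test case is worth adjusting so the expected config reflects what the device actually applies. Proposed: `description: Use FIPS compliant algorithms. Renders 'fips restrictions' under the SSL profile; when enabled the profile is limited to FIPS-approved TLS versions and ciphers, so keep tls_versions and ciphers consistent with that restriction.`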
From: Krasen Kolev Date: Tue, 31 Dec 2024 16:07:28 +0000 Subject: [PATCH 2/8] reordered management-security template --- .../eos_cli_config_gen/documentation/devices/host1.md | 4 ++-- .../molecule/eos_cli_config_gen/intended/configs/host1.cfg | 4 ++-- .../j2templates/eos/management-security.j2 | 6 +++--- 3 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md index 12c8364914e..e095ac0812c 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md @@ -1555,8 +1555,8 @@ management security cipher-list ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 ! ssl profile SSL_PROFILE - fips restrictions tls versions 1.1 1.2 + fips restrictions certificate SSL_CERT key SSL_KEY ! ssl profile test1-chain-cert @@ -1584,8 +1584,8 @@ management security tls versions 1.1 ! ssl profile tls-versions-profile - fips restrictions tls versions 1.0 1.1 + fips restrictions ``` ## Prompt Device Configuration diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg index 59779471511..2391d1fbd3a 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/host1.cfg @@ -1353,8 +1353,8 @@ management security cipher-list ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 ! ssl profile SSL_PROFILE - fips restrictions tls versions 1.1 1.2 + fips restrictions certificate SSL_CERT key SSL_KEY ! ssl profile test1-chain-cert 
@@ -1382,8 +1382,8 @@ management security tls versions 1.1 ! ssl profile tls-versions-profile - fips restrictions tls versions 1.0 1.1 + fips restrictions ! radius-server deadtime 10 radius-server attribute 32 include-in-access-req hostname diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 index 450028f1d1e..60656eb8e5d 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/eos/management-security.j2 @@ -87,12 +87,12 @@ management security {% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %} ! ssl profile {{ ssl_profile.name }} -{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %} - fips restrictions -{% endif %} {% if ssl_profile.tls_versions is arista.avd.defined %} tls versions {{ ssl_profile.tls_versions }} {% endif %} +{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %} + fips restrictions +{% endif %} {% if ssl_profile.ciphers.v1_0 is arista.avd.defined %} cipher v1.0 {{ ssl_profile.ciphers.v1_0 }} {% elif ssl_profile.cipher_list is arista.avd.defined %} From 86c19c65444c6c6228e9384a8b6fb5e4b8a59cd2 Mon Sep 17 00:00:00 2001 From: KrasenKolev <35165989+KrasenKolev@users.noreply.github.com> Date: Fri, 3 Jan 2025 11:46:28 +0100 Subject: [PATCH 3/8] Update python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml Co-authored-by: Mahesh Kumar <122076792+MaheshGSLAB@users.noreply.github.com> --- .../schema/schema_fragments/management_security.schema.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml index e099487e5e0..127141b64a2 100644 
--- a/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml +++ b/python-avd/pyavd/_eos_cli_config_gen/schema/schema_fragments/management_security.schema.yml @@ -193,7 +193,6 @@ keys: If specified, one CRL needs to be provided for every certificate in the chain, even if the revocation list in the CRL is empty. items: type: str - shared_secret_profiles: type: list primary_key: profile From c8b3be97c10e3553d9f3a892c47036f7a7d1d7f7 Mon Sep 17 00:00:00 2001 From: Krasen Kolev Date: Fri, 3 Jan 2025 17:06:03 +0000 Subject: [PATCH 4/8] updated documentation management-security template with new column to now include fips-restrictions --- .../documentation/devices/host1.md | 24 +++++++++---------- .../documentation/devices/host2.md | 6 ++--- .../documentation/management-security.j2 | 9 ++++--- 3 files changed, 21 insertions(+), 18 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md index e095ac0812c..22ffcce59b0 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md @@ -1452,18 +1452,18 @@ address locking ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | -| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl | -| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | -| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | -| test1-chain-cert | - | - | - | - | - | -| test1-trust-cert | - | - | - | - | - | -| test2-chain-cert | - | - | - | - | - | -| test2-trust-cert | - | - | - | - | - | -| tls-single-version-profile-as-float | 1.0 | - | - | - | - | -| tls-single-version-profile-as-string | 1.1 | - | - | - | - | -| tls-versions-profile | 1.0 1.1 | - | - | - | - | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | +| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl | - | +| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | - | +| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | enabled | +| test1-chain-cert | - | - | - | - | - | - | +| test1-trust-cert | - | - | - | - | - | - | +| test2-chain-cert | - | - | - | - | - | - | +| test2-trust-cert | - | - | - | - | - | - | +| tls-single-version-profile-as-float | 1.0 | - | - | - | - | - | +| tls-single-version-profile-as-string | 1.1 | - | - | - | - | - | +| tls-versions-profile | 1.0 1.1 | - | - | - | - | enabled | ### SSL profile test1-chain-cert Certificates Summary diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md index cfdfc2cb655..6296823c613 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md @@ -335,9 +335,9 @@ aaa accounting exec default none ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | -| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | +| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | - | ### Management Security Device Configuration diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 index f410338f78c..3740b9f1918 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 @@ -34,8 +34,8 @@ ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | {% set ssl_profiles_certs = [] %} {% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %} {% set crls = "-" %} @@ -53,7 +53,10 @@ {% elif ssl_profile.cipher_list is arista.avd.defined %} {% set ciphers = [ssl_profile.cipher_list] %} {% endif %} -| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | +{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %} +{% set fips = "enabled" %} +{% endif %} +| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ fips | arista.avd.default('-') }} | {% set tmp_cert = {} %} {% if ssl_profile.trust_certificate is arista.avd.defined %} {% set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %} From efdfe479b2ed754e660c584e25c3c308ef8926c6 Mon Sep 17 00:00:00 2001 From: Krasen Kolev Date: Mon, 6 Jan 2025 09:46:02 +0000 Subject: [PATCH 5/8] updated the FIPS header and used directly the boolean --- .../documentation/devices/host1.md | 24 +++++++++---------- .../documentation/devices/host2.md | 6 ++--- .../documentation/management-security.j2 | 9 +++---- 3 files changed, 18 insertions(+), 21 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md index 22ffcce59b0..560414e92d4 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md @@ -1452,18 +1452,18 @@ address locking ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | -| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl | - | -| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | - | -| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | enabled | -| test1-chain-cert | - | - | - | - | - | - | -| test1-trust-cert | - | - | - | - | - | - | -| test2-chain-cert | - | - | - | - | - | - | -| test2-trust-cert | - | - | - | - | - | - | -| tls-single-version-profile-as-float | 1.0 | - | - | - | - | - | -| tls-single-version-profile-as-string | 1.1 | - | - | - | - | - | -| tls-versions-profile | 1.0 1.1 | - | - | - | - | enabled | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | +| certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
intermediate.crl | False | +| cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | False | +| SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | True | +| test1-chain-cert | - | - | - | - | - | False | +| test1-trust-cert | - | - | - | - | - | False | +| test2-chain-cert | - | - | - | - | - | False | +| test2-trust-cert | - | - | - | - | - | False | +| tls-single-version-profile-as-float | 1.0 | - | - | - | - | False | +| tls-single-version-profile-as-string | 1.1 | - | - | - | - | False | +| tls-versions-profile | 1.0 1.1 | - | - | - | - | True | ### SSL profile test1-chain-cert Certificates Summary diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md index 6296823c613..98e53ba9ea8 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md @@ -335,9 +335,9 @@ aaa accounting exec default none ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | -| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | - | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | +| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | False | ### Management Security Device Configuration diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 index 3740b9f1918..b94cf64aca5 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 @@ -34,8 +34,8 @@ ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ----------------- | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | {% set ssl_profiles_certs = [] %} {% for ssl_profile in management_security.ssl_profiles | arista.avd.natural_sort %} {% set crls = "-" %} @@ -53,10 +53,7 @@ {% elif ssl_profile.cipher_list is arista.avd.defined %} {% set ciphers = [ssl_profile.cipher_list] %} {% endif %} -{% if ssl_profile.fips_restrictions is arista.avd.defined(true) %} -{% set fips = "enabled" %} -{% endif %} -| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ fips | arista.avd.default('-') }} | +| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ ssl_profile.fips_restrictions | arista.avd.default(false) }} | {% set tmp_cert = {} %} {% if ssl_profile.trust_certificate is arista.avd.defined %} {% set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %} From 4593538dfc3bbfd82a8ed42c421718eae4a3d8e9 Mon Sep 17 00:00:00 2001 From: KrasenKolev <35165989+KrasenKolev@users.noreply.github.com> Date: Tue, 7 Jan 2025 10:49:17 +0100 Subject: [PATCH 6/8] Update python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 Co-authored-by: Claus Holbech --- .../j2templates/documentation/management-security.j2 | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 index b94cf64aca5..6fbe0edaedc 100644 --- a/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 +++ b/python-avd/pyavd/_eos_cli_config_gen/j2templates/documentation/management-security.j2 @@ -53,7 +53,7 @@ {% elif ssl_profile.cipher_list is arista.avd.defined %} {% set ciphers = [ssl_profile.cipher_list] %} {% endif %} -| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ ssl_profile.fips_restrictions | arista.avd.default(false) }} | +| {{ ssl_profile.name | arista.avd.default('-') }} | {{ ssl_profile.tls_versions | arista.avd.default('-') }} | {{ ssl_profile.certificate.file | arista.avd.default('-') }} | {{ ssl_profile.certificate.key | arista.avd.default('-') }} | {{ ciphers | arista.avd.default(['-']) | join('
') }} | {{ crls }} | {{ ssl_profile.fips_restrictions | arista.avd.default('-') }} | {% set tmp_cert = {} %} {% if ssl_profile.trust_certificate is arista.avd.defined %} {% set tmp_cert = {'trust_certificate': ssl_profile.trust_certificate} %} From a222781713bf472f6dd423912c405c989c79d7a6 Mon Sep 17 00:00:00 2001 From: Krasen Kolev Date: Tue, 7 Jan 2025 13:16:54 +0000 Subject: [PATCH 7/8] results after modifying the template to use boolean and default to '-' when the value is undefined --- .../documentation/devices/host1.md | 12 ++++++------ .../documentation/devices/host2.md | 2 +- 2 files changed, 7 insertions(+), 7 deletions(-) diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md index 560414e92d4..cd0e222281e 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host1.md @@ -1457,12 +1457,12 @@ address locking | certificate-profile | - | eAPI.crt | eAPI.key | - | ca.crl
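Review bot: The `FIPS restrictions enabled` column now renders three values — `True`, `False` when the key is explicitly set to false, and `-` when it is unset — although the EOS template emits `fips restrictions` only for `defined(true)`, so `False` and `-` describe identical generated configuration. If the documentation is meant to mirror the rendered config rather than the inventory, collapsing the two into one value avoids a reader taking `-` to mean the profile was not evaluated, e.g. `{{ 'True' if ssl_profile.fips_restrictions is arista.avd.defined(true) else '-' }}`. If the explicit-false distinction is intentional, a short comment above the row would make that clear, e.g. `{# FIPS column: True/False mirror the inventory value; '-' means the key was not set #}`. The enclosing `for ssl_profile` loop starts before this hunk.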
intermediate.crl | False | | cipher-list-profile | - | - | - | ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384 | - | False | | SSL_PROFILE | 1.1 1.2 | SSL_CERT | SSL_KEY | - | - | True | -| test1-chain-cert | - | - | - | - | - | False | -| test1-trust-cert | - | - | - | - | - | False | -| test2-chain-cert | - | - | - | - | - | False | -| test2-trust-cert | - | - | - | - | - | False | -| tls-single-version-profile-as-float | 1.0 | - | - | - | - | False | -| tls-single-version-profile-as-string | 1.1 | - | - | - | - | False | +| test1-chain-cert | - | - | - | - | - | - | +| test1-trust-cert | - | - | - | - | - | - | +| test2-chain-cert | - | - | - | - | - | - | +| test2-trust-cert | - | - | - | - | - | - | +| tls-single-version-profile-as-float | 1.0 | - | - | - | - | - | +| tls-single-version-profile-as-string | 1.1 | - | - | - | - | - | | tls-versions-profile | 1.0 1.1 | - | - | - | - | True | ### SSL profile test1-chain-cert Certificates Summary diff --git a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md index 98e53ba9ea8..2fd28f89e38 100644 --- a/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md +++ b/ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/host2.md @@ -337,7 +337,7 @@ aaa accounting exec default none | SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | | ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | -| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | False | +| cipher-v1.0-v1.3 | - | - | - | v1.0 to v1.2: SHA256:SHA384
v1.3: TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256 | - | - | ### Management Security Device Configuration From f714aa230d0e1b845603d734b54db214d62fbffa Mon Sep 17 00:00:00 2001 From: Krasen Kolev Date: Tue, 7 Jan 2025 15:17:50 +0000 Subject: [PATCH 8/8] molecule cv-pathfinder example --- .../avd/examples/cv-pathfinder/documentation/devices/pf1.md | 6 +++--- .../avd/examples/cv-pathfinder/documentation/devices/pf2.md | 6 +++--- .../cv-pathfinder/documentation/devices/site1-wan1.md | 6 +++--- .../cv-pathfinder/documentation/devices/site1-wan2.md | 6 +++--- .../cv-pathfinder/documentation/devices/site2-wan1.md | 6 +++--- .../cv-pathfinder/documentation/devices/site2-wan2.md | 6 +++--- .../cv-pathfinder/documentation/devices/site3-wan1.md | 6 +++--- 7 files changed, 21 insertions(+), 21 deletions(-) diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md index 60e6a48542f..e43752c042c 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf1.md @@ -240,9 +240,9 @@ aaa authorization exec default local ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | -| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | +| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - | ### SSL profile STUN-DTLS Certificates Summary 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md index e5e192667ce..4f04fb312c9 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/pf2.md @@ -240,9 +240,9 @@ aaa authorization exec default local ### Management Security SSL Profiles -| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | -| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | -| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | +| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled | +| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- | +| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - | ### SSL profile STUN-DTLS Certificates Summary diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md index 248d830e916..84414a908ee 100644 --- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md +++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan1.md 
@@ -239,9 +239,9 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary
 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
index ca91d355000..5bc18f2a6cb 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site1-wan2.md
@@ -239,9 +239,9 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary
 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
index c0cd49de3e9..6978d161799 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan1.md
@@ -236,9 +236,9 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary
 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
index f5d04b9a5d2..9d6ab304d28 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site2-wan2.md
@@ -238,9 +238,9 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary
 
diff --git a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
index 3d5d2d9c577..235045bc10c 100644
--- a/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
+++ b/ansible_collections/arista/avd/examples/cv-pathfinder/documentation/devices/site3-wan1.md
@@ -238,9 +238,9 @@ aaa authorization exec default local
 
 ### Management Security SSL Profiles
 
-| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs |
-| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- |
-| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - |
+| SSL Profile Name | TLS protocol accepted | Certificate filename | Key filename | Ciphers | CRLs | FIPS restrictions enabled |
+| ---------------- | --------------------- | -------------------- | ------------ | ------- | ---- | ------------------------- |
+| STUN-DTLS | 1.2 | STUN-DTLS.crt | STUN-DTLS.key | - | - | - |
 
 ### SSL profile STUN-DTLS Certificates Summary
 