nautobot-app-golden-config icon indicating copy to clipboard operation
nautobot-app-golden-config copied to clipboard

Published 20 hours ago verified publisher icon nautobot

Add filter / targeting to compliancies

Open bsmeding opened this issue 3 years ago • 4 comments

Environment

  • Python version: 3.7.1
  • Nautobot version: 1.0.0b4
  • nautobot-golden-config version: develop

Proposed Functionality

At this moment the complancies are based on platform, so all devices from the same platfrom are targeted to the same compliancy ruleset. Add more options to filter the targeting

Use Case

When having several Cisco IOS devices in different parts of the network, they often have other compliancy rules that needed to comply.

For example: For the Access switches (eg device role: 'access') must have TenGig1/1 and TenGig1/2 as uplink with several settings. And all access ports needs to have CDP disabled. But the distribution switches must have CDP/LLDP enables on all interfaces. This is also for security settings etc. And for devices in planned state the compliancy are minimal, disabled state does not have to apply. Also with tags for example skip check fo tag: 'development'

A minimal filter to apply to device_role and device_state will help a lot to differentiate the compliancy rules

bsmeding avatar Apr 26 '21 19:04 bsmeding

Makes sense, after 1.0 is released, will re-evaluate.

itdependsnetworks avatar Apr 27 '21 01:04 itdependsnetworks

Related to https://github.com/nautobot/nautobot/issues/896 - ComplianceRule should point to multiple Dynamic/Custom groups. This would allow for greater flexibility while defining compliance policies.

This might include:

  • "compliance home" view to be reorganised to include multiple groups
  • "compliance home" view to hide detailed features into per group defined features
  • reporting

mzbroch avatar Nov 08 '21 13:11 mzbroch

from @mzbroch in #204

Proposed Functionality

Associate ComplianceRules with GoldenConfigSetting instances.

!! This feature is dependent on implementation of #202 !!

Use Case

Improve granularity, tenancy and flexibility in ComplianceRules definitions. Allow for different and multiple ComplianceRule of the same Feature Type per Platform.

Current Solution: Currently ComplianceRule of a given Feature type is associated per Platform. In more complex scenarios, users might have different ComplianceRules associated per Platform (ie. Voice routers having different AAA configuration than VPN routers)

Solution Proposal:

  • Associate ComplianceRule with GoldenConfigSetting object.

  • Introduce a name field to ComplianceRule instance.

  • Perform the scope definition (ie device role, tenant etc) at the GoldenConfigSetting

  • Preserve existing patterns:

    • Minimised impact on existing UI views and complexity
    • Assume each device is logically related to maximum one ComplianceRule of a given feature type.

Migration Path

  • ComplianceRule associated to default instance of GoldenConfigSetting

itdependsnetworks avatar Jul 20 '22 03:07 itdependsnetworks

Will need to review design before implementation

itdependsnetworks avatar Jul 20 '22 03:07 itdependsnetworks