@camschaecisco
Contributor

Crypto Engine Compliance Shield Support

Add Terraform mapping logic to translate schema's crypto engine compliance shield configurations into the Terraform provider's iosxe_crypto_engine resource attributes.

Schema Mappings

Device Crypto Engine Configuration:

  • crypto.engine.compliance_shield_disable → compliance_shield_disable

Changes

Add new crypto engine resource module iosxe_crypto.tf:

  • compliance_shield_disable (line 299) - Disable compliance shield feature
  • for_each (line 296) - Multi-device deployment support
  • Support for device-specific, default, and null configuration values
  • Three-tier fallback hierarchy: device config → global defaults → null
  • Pre-commit hooks passed: terraform fmt, tflint, terraform-docs

This Enables Declarative Configuration of:

  • Crypto engine compliance shield control for security policy management
  • Per-device crypto engine policies with global default fallback
  • Compliance shield disable for environments requiring legacy crypto protocols
  • Multi-device crypto engine deployments from centralized YAML data models
  • Network-wide cryptographic policy enforcement
  • Consistent crypto engine behavior across routers and switches
  • GitOps workflows for crypto configuration management
  • Security compliance verification through infrastructure as code

Version Requirements

IOS-XE 17.12 and later:

  • ✅ compliance_shield_disable - Disable compliance shield enforcement

Platform Notes:

  • Both Cat8k routers and Cat9k switches support crypto engine features
  • Compliance shield enforces FIPS 140-2/3 and Suite-B cryptographic standards by default
  • Disabling compliance shield allows legacy crypto algorithms for backward compatibility
  • YANG model path: Cisco-IOS-XE-native:native/crypto/Cisco-IOS-XE-crypto:engine

Example Configuration

Single Device Configuration:

```yaml
iosxe:
  devices:
    - name: Cat8k-Router
      configuration:
        crypto:
          engine:
            compliance_shield_disable: true
```

Multi-Device Configuration:

```yaml
iosxe:
  devices:
    - name: Cat8k-Router-1
      configuration:
        crypto:
          engine:
            compliance_shield_disable: true
    - name: Cat9k-Switch-1
      configuration:
        crypto:
          engine:
            compliance_shield_disable: true
    - name: Cat8k-Router-2
      configuration:
        crypto:
          engine:
            compliance_shield_disable: true
```

Global Defaults:

```yaml
iosxe:
  defaults:
    configuration:
      crypto:
        engine:
          compliance_shield_disable: false
```

Testing

Multi-Platform Validation
- ✅ Catalyst 8000V (Router, IOS-XE 17.15): Crypto engine compliance shield disable deployed successfully
- ✅ Catalyst 9000 (Switch, IOS-XE 17.15): Crypto engine compliance shield disable deployed successfully
- ✅ Catalyst 8000 (Router, IOS-XE 17.15): Crypto engine compliance shield disable deployed successfully

Terraform Operations Verified
- ✅ terraform plan - Correctly identifies crypto engine configuration changes
- ✅ terraform apply - Successfully creates crypto engine configuration on all 3 devices
- ✅ terraform destroy - Cleanly removes crypto engine configuration from all 3 devices
- ✅ Device verification - Crypto engine compliance shield disable removed from running-config
- ✅ State management - Proper resource state tracking across lifecycle
- ✅ Idempotency - No changes on second apply

Robot Framework Integration Tests
- ✅ Crypto engine tests passed (3/3)
  - Router test 1 - RESTCONF validation passed
  - Switch test - RESTCONF validation passed
  - Router test 2 - RESTCONF validation passed
- ✅ RESTCONF validation - JSONPath queries validate compliance_shield_disable parameter
- ✅ Schema validation - nac-validate passes for all test data

Pre-commit Quality Checks
- ✅ Terraform fmt............................................................Passed
- ✅ Terraform validate with tflint...........................................Passed
- ✅ terraform-docs...........................................................Passed
- ✅ terraform-docs...........................................................Passed
- ✅ terraform-docs...........................................................Passed
- ✅ terraform-docs...........................................................Passed

- Add iosxe_crypto_engine resource to crypto module
- Support device-specific and global default configuration
- Follow standard multi-device configuration pattern with try() hierarchy
- Auto-generate documentation with terraform-docs
- All pre-commit quality checks passed (fmt, tflint, terraform-docs)

Supports: iosxe_crypto_engine Terraform provider resource
Related: nac-iosxe schema crypto_engine definition
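The description above covers the `for_each` multi-device pattern and the three-tier `try()` fallback (device config → global defaults → null) in prose only. The block below is an added illustration of that mapping, not the PR's own `iosxe_crypto.tf`: `local.model` is a constructed stand-in for the merged YAML data model, and the `device` attribute on the resource (a name from the provider's device list) and the local variable names are assumptions. The sample data deliberately includes one device that sets the flag and one that does not, so both the device-specific tier and the global-default tier are exercised.

```hcl
# Added example (not the PR's own module code): map the YAML data model onto
# iosxe_crypto_engine with for_each and a try() fallback chain.

locals {
  # Constructed sample data model. Cat8k-Router-1 sets the flag explicitly;
  # Cat9k-Switch-1 has no engine block and falls through to the global default.
  model = {
    iosxe = {
      defaults = {
        configuration = {
          crypto = { engine = { compliance_shield_disable = false } }
        }
      }
      devices = [
        {
          name          = "Cat8k-Router-1"
          configuration = { crypto = { engine = { compliance_shield_disable = true } } }
        },
        {
          name          = "Cat9k-Switch-1"
          configuration = { crypto = {} }
        },
      ]
    }
  }

  devices  = try(local.model.iosxe.devices, [])
  defaults = try(local.model.iosxe.defaults.configuration, {})

  # Tier 1: device-specific value. Tier 2: global default. Tier 3: null, which
  # leaves the attribute unset so the provider does not push it to the device.
  crypto_engine = {
    for device in local.devices : device.name => try(
      device.configuration.crypto.engine.compliance_shield_disable,
      local.defaults.crypto.engine.compliance_shield_disable,
      null
    )
  }
}

resource "iosxe_crypto_engine" "crypto_engine" {
  # One instance per device that ends up with a non-null value, whether it came
  # from the device entry or from the defaults.
  for_each = { for name, value in local.crypto_engine : name => value if value != null }

  # Assumed attribute: selects the target from the provider's device list.
  device = each.key

  compliance_shield_disable = each.value
}

output "crypto_engine_compliance_shield_disable" {
  # Exposes the resolved per-device values so the fallback can be inspected in
  # the plan before anything is applied.
  value = local.crypto_engine
}
```

With this data model the router resolves at tier 1 (explicit `true`) and the switch resolves at tier 2 (inherited `false`), so the global default keeps compliance shield enforced everywhere except on devices that opt out explicitly; a device whose value resolves to null at tier 3 is filtered out of `for_each` and gets no `iosxe_crypto_engine` instance at all, which matches the "null configuration values" behaviour listed under Changes.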
@camschaecisco camschaecisco marked this pull request as draft November 25, 2025 16:04
@camschaecisco camschaecisco changed the title feat: add crypto engine compliance shield disable to Terraform module [enhancement] Add support for global level crypto engine compliance shield disable Support in Terraform Module Nov 25, 2025
@aitestino aitestino added the enhancement New feature or request label Dec 7, 2025