Conversation

@camschaecisco
Contributor

@camschaecisco camschaecisco commented Nov 24, 2025

Crypto Engine Compliance Shield Disable Support

This PR adds support for crypto engine compliance shield configuration to the terraform-provider-iosxe.

This enhancement introduces the iosxe_crypto_engine resource and data source with the ability to disable the crypto engine compliance shield. This feature provides network operators with the flexibility to configure legacy or non-compliant cryptographic algorithms when required for interoperability with older systems or specific use cases. By default, IOS-XE enforces compliance mode which restricts the use of weak cryptographic algorithms; this resource allows administrators to disable that restriction when operationally necessary.

CLI Commands Supported

Crypto Engine Configuration

crypto engine compliance shield disable

This command enables the following capability:

  • compliance shield disable: Allows configuration of cryptographic algorithms that don't meet current compliance standards

Important Note: Disabling compliance shield mode will take effect after device reboot on some platforms.

Benefits

  • Enables interoperability with legacy systems requiring older cryptographic algorithms
  • Provides flexibility for lab/testing environments where strict crypto compliance isn't required
  • Supports gradual migration strategies from legacy to modern cryptographic standards
  • Allows configuration of custom cipher suites for specific use cases
  • Facilitates troubleshooting of crypto-related connectivity issues
  • Enables backwards compatibility with older network equipment
  • Provides operational flexibility while maintaining security awareness through explicit configuration requirement

Platform Compatibility

These features have been validated against:

  • Cisco Catalyst 8000V router running IOS-XE 17.15.1
  • Cisco Catalyst 8000V router running IOS-XE 17.12.x
  • Cisco Catalyst 9000V switch running IOS-XE 17.15.1

Version Requirements

IOS-XE 17.12.1 and later:

  • compliance_shield_disable (Boolean) - Disable crypto engine compliance shield

YANG Model Validation:

  • Feature added in YANG revision 2023-11-01 (IOS-XE 17.15.x)
  • Backported and available in IOS-XE 17.12.1 (YANG revision 2023-07-01)
  • Both revisions include the same configuration structure at path: Cisco-IOS-XE-crypto:engine/compliance/shield/disable

Platform Notes:

  • Both Cat8K routers and Cat9K switches support crypto engine compliance shield configuration
  • The implementation uses the Cisco-IOS-XE-crypto YANG model augmented to /native/crypto
  • RESTCONF read (GET) and write (PATCH) operations supported on all tested platforms
  • Configuration persists across reboots (effect may require reboot on some platforms)

Technical Implementation

  • Added iosxe_crypto_engine resource with the following attributes:
    • compliance_shield_disable (Boolean, Optional) - Allow weak crypto to be configured
    • device (String, Optional) - Device name from provider configuration
    • delete_mode (String, Optional) - Configure deletion behavior ("all" or "attributes")
  • Added corresponding iosxe_crypto_engine data source for configuration retrieval
  • Correctly mapped RESTCONF path: /restconf/data/Cisco-IOS-XE-native:native/crypto/Cisco-IOS-XE-crypto:engine
  • Implemented proper YANG model integration with Cisco-IOS-XE-native and Cisco-IOS-XE-crypto modules
  • Ensured idempotent behavior for the boolean attribute
  • Generated comprehensive examples and documentation
  • Updated CHANGELOG with new resource
  • Added acceptance tests for full lifecycle testing

Testing

Go Acceptance Tests

=========================================
Testing against 17.15.x Router...
=========================================
Running tests matching: TestAccIosxeCryptoEngine
?       github.com/CiscoDevNet/terraform-provider-iosxe [no test files]
=== RUN   TestAccIosxeCryptoEngine
--- PASS: TestAccIosxeCryptoEngine (5.03s)
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider       5.052s
testing: warning: no tests to run
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers       0.005s [no tests to run]
=========================================
Testing against 17.15.x Switch...
=========================================
Running tests matching: TestAccIosxeCryptoEngine
?       github.com/CiscoDevNet/terraform-provider-iosxe [no test files]
=== RUN   TestAccIosxeCryptoEngine
--- PASS: TestAccIosxeCryptoEngine (3.80s)
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider       3.815s
testing: warning: no tests to run
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers       0.009s [no tests to run]
=========================================
Testing against 17.12.x Router...
=========================================
Running tests matching: TestAccIosxeCryptoEngine
?       github.com/CiscoDevNet/terraform-provider-iosxe [no test files]
=== RUN   TestAccIosxeCryptoEngine
--- PASS: TestAccIosxeCryptoEngine (4.22s)
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider       4.235s
testing: warning: no tests to run
PASS
ok      github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/helpers       0.010s [no tests to run]

Multi-Platform Validation

  • Catalyst 8000V (Router, IOS-XE 17.15.1): ✅ Crypto engine compliance shield disable validated successfully (5.03s)
  • Catalyst 9000V (Switch, IOS-XE 17.15.1): ✅ Crypto engine compliance shield disable validated successfully (3.80s)
  • Catalyst 8000V (Router, IOS-XE 17.12.x): ✅ Crypto engine compliance shield disable validated successfully (4.22s)

Terraform Testing

  • terraform plan - Correctly identifies crypto engine configuration changes
  • terraform apply - Successfully applies crypto engine compliance shield configuration
  • terraform destroy - Cleanly removes crypto engine configuration
  • ✅ State management - Properly tracks resource state across apply/refresh/destroy lifecycle
  • ✅ Import support - Terraform import command included in examples

RESTCONF API Validation

  • ✅ HTTP 204/201 responses for all configuration operations
  • ✅ Proper YANG namespace handling (Cisco-IOS-XE-crypto:engine)
  • ✅ Correct XML/JSON payload structure for crypto engine configuration
  • ✅ Idempotent updates with no configuration drift
  • ✅ Standard PATCH operation works (no put_only required)
  • ✅ Configuration successfully queried via RESTCONF GET after CLI configuration

YANG Model Validation

  • ✅ Verified feature availability in IOS-XE 17.15.1 YANG model (Cisco-IOS-XE-crypto.yang, revision 2023-11-01)
  • ✅ Verified feature availability in IOS-XE 17.12.1 YANG model (Cisco-IOS-XE-crypto.yang, revision 2023-07-01)
  • ✅ Validated crypto engine configuration via engine container augmented to /native/crypto
  • ✅ Confirmed compliance/shield/disable leaf of type "empty" (boolean in Terraform)
  • ✅ Tested RESTCONF path against actual device responses on all platforms

CLI Validation

  • ✅ Configuration applied successfully via CLI on all tested platforms
  • ✅ Configuration persists in running-config
  • show running-config | include crypto engine displays correct configuration

Example Usage

resource "iosxe_crypto_engine" "example" {
  compliance_shield_disable = true
}

Resulting CLI Configuration:

crypto engine compliance shield disable

Documentation

  • ✅ Resource documentation: docs/resources/crypto_engine.md
  • ✅ Data source documentation: docs/data-sources/crypto_engine.md
  • ✅ Example usage: examples/resources/iosxe_crypto_engine/resource.tf
  • ✅ Import documentation included
  • ✅ CHANGELOG updated with feature addition

  - Add iosxe_crypto_engine resource and data source
  - Support for disabling crypto engine compliance shield
  - Tested on Cat8K 17.15, Cat9K 17.15, and Cat8K 17.12
  - Full RESTCONF support across all tested platforms
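The PR above maps a Terraform boolean onto a YANG leaf of type "empty" at Cisco-IOS-XE-crypto:engine/compliance/shield/disable and drives it over RESTCONF. The following Go program is an added example written for this page; it is not code from the terraform-provider-iosxe project or from the PR author. It assumes the RESTCONF path and container layout exactly as the PR description states them, uses the RFC 7951 JSON encoding of an empty leaf ([null]), and works on a constructed running-config excerpt rather than on output captured from a device. It shows three things a practitioner would want when handling a setting that deliberately relaxes crypto enforcement: how to build the PATCH body for compliance_shield_disable = true, how to read the leaf back from a GET response (including the 204 empty-body case), and how to audit running-config text for the resulting CLI line.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// RestconfPath is the resource path the PR description gives for the
// Cisco-IOS-XE-crypto:engine container (assumed here, not re-verified
// against a device).
const RestconfPath = "/restconf/data/Cisco-IOS-XE-native:native/crypto/Cisco-IOS-XE-crypto:engine"

// DisableLeafPath is the leaf that must be DELETEd to re-enable the
// shield: a RESTCONF PATCH merge never removes a leaf that is simply
// absent from the body (RFC 8040), so "compliance_shield_disable = false"
// cannot be expressed as a PATCH alone.
const DisableLeafPath = RestconfPath + "/compliance/shield/disable"

// CLILine is the running-config line the PR says results from the resource.
const CLILine = "crypto engine compliance shield disable"

// The structs mirror the YANG containers engine/compliance/shield/disable.
// "disable" is a leaf of type empty; RFC 7951 encodes a set empty leaf in
// JSON as [null], and an unset one is simply absent.
type shield struct {
	Disable []interface{} `json:"disable,omitempty"`
}
type compliance struct {
	Shield *shield `json:"shield,omitempty"`
}
type engine struct {
	Compliance *compliance `json:"compliance,omitempty"`
}
type engineBody struct {
	Engine engine `json:"Cisco-IOS-XE-crypto:engine"`
}

// BuildPatchBody returns the JSON body for a PATCH to RestconfPath that
// sets the empty leaf when disable is true. When disable is false the body
// is an empty engine container, which leaves an already-set leaf in place.
func BuildPatchBody(disable bool) (string, error) {
	var b engineBody
	if disable {
		b.Engine.Compliance = &compliance{Shield: &shield{Disable: []interface{}{nil}}}
	}
	out, err := json.Marshal(b)
	return string(out), err
}

// ShieldDisabledFromGet parses a GET response for RestconfPath. An empty
// body (204 No Content, container not present) means the shield is still
// enforced. The leaf counts as present only if it decodes as a one-element
// [null] array, which is how an empty-type leaf appears on the wire.
func ShieldDisabledFromGet(body string) (bool, error) {
	if strings.TrimSpace(body) == "" {
		return false, nil
	}
	var b engineBody
	if err := json.Unmarshal([]byte(body), &b); err != nil {
		return false, err
	}
	c := b.Engine.Compliance
	if c == nil || c.Shield == nil {
		return false, nil
	}
	return len(c.Shield.Disable) == 1 && c.Shield.Disable[0] == nil, nil
}

// ShieldDisabledInConfig is an offline audit over running-config text: it
// reports whether the exact global line is present, ignoring indentation
// and trailing whitespace but not matching commented or partial lines.
func ShieldDisabledInConfig(runningConfig string) bool {
	for _, line := range strings.Split(runningConfig, "\n") {
		if strings.TrimSpace(line) == CLILine {
			return true
		}
	}
	return false
}

// Constructed sample running-config excerpt (not captured from a device).
const sampleConfig = `!
hostname edge-router
!
crypto engine compliance shield disable
!
crypto ikev2 proposal legacy
 encryption 3des
!
`

func main() {
	patch, _ := BuildPatchBody(true)
	fmt.Println("PATCH", RestconfPath)
	fmt.Println(patch)
	disabled, _ := ShieldDisabledFromGet(patch)
	fmt.Println("shield disabled per GET:", disabled)
	fmt.Println("shield disabled per running-config:", ShieldDisabledInConfig(sampleConfig))
	fmt.Println("to re-enable: DELETE", DisableLeafPath)
}
```

The audit function is the piece worth keeping around: because this resource explicitly turns off the device's weak-algorithm guard, a fleet-wide check that flags any device whose running-config (or RESTCONF GET) shows the leaf set is the natural compensating control, and the same check doubles as a drift detector when the Terraform state says the shield should be enforced.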
@camschaecisco force-pushed the feature/crypto-engine-compliance-shield branch from 8d3a581 to 2f45ebf on November 24, 2025 16:38
@camschaecisco changed the title from "[enhancement] Add support for global level crypto engine compliance shield disable" to "[enhancement] Add support for global level crypto engine compliance shield disable Support in Terraform Provider" on Nov 25, 2025