Feat(eos_cli_config_gen): Support SA lifetime for IP sec

ansible_collections/arista/avd/molecule/eos_cli_config_gen/documentation/devices/ip-security.md

@@ -54,11 +54,11 @@ interface Management1
 
 ### Security Association policies
 
-| Policy name | ESP Integrity | ESP Encryption | PFS DH Group |
-| ----------- | ------------- | -------------- | ------------ |
-| SA-1 | - | aes128 | 14 |
-| SA-2 | - | aes128 | 14 |
-| SA-3 | disabled | disabled | 17 |
+| Policy name | ESP Integrity | ESP Encryption | Lifetime | PFS DH Group |
+| ----------- | ------------- | -------------- | -------- | ------------ |
+| SA-1 | - | aes128 | - | 14 |
+| SA-2 | - | aes128 | 42 gigabytes | 14 |
+| SA-3 | disabled | disabled | 8 hours | 17 |
 
 ### IPSec profiles
 
@@ -100,11 +100,13 @@ ip security
    !
    sa policy SA-2
       esp encryption aes128
+      sa lifetime 42 gigabytes
       pfs dh-group 14
    !
    sa policy SA-3
       esp integrity null
       esp encryption null
+      sa lifetime 8 hours
       pfs dh-group 17
    !
    profile Profile-1

ansible_collections/arista/avd/molecule/eos_cli_config_gen/intended/configs/ip-security.cfg

@@ -29,11 +29,13 @@ ip security
    !
    sa policy SA-2
       esp encryption aes128
+      sa lifetime 42 gigabytes
       pfs dh-group 14
    !
    sa policy SA-3
       esp integrity null
       esp encryption null
+      sa lifetime 8 hours
       pfs dh-group 17
    !
    profile Profile-1

ansible_collections/arista/avd/molecule/eos_cli_config_gen/inventory/host_vars/ip-security.yml

@@ -21,11 +21,17 @@ ip_security:
     - name: SA-2
       esp:
         encryption: aes128
+      sa_lifetime:
+        value: 42
+        unit: gigabytes
       pfs_dh_group: 14
     - name: SA-3
       esp:
         integrity: disabled
         encryption: disabled
+      sa_lifetime:
+        value: 8
+        # default unit is hours
       pfs_dh_group: 17
   profiles:
     - name: Profile-1

ansible_collections/arista/avd/roles/eos_cli_config_gen/docs/tables/ip-security.md

@@ -17,6 +17,9 @@
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;dh_group</samp>](## "ip_security.ike_policies.[].dh_group") | Integer |  |  | Valid Values:<br>- <code>1</code><br>- <code>2</code><br>- <code>5</code><br>- <code>14</code><br>- <code>15</code><br>- <code>16</code><br>- <code>17</code><br>- <code>20</code><br>- <code>21</code><br>- <code>24</code> | Diffie-Hellman group for the key exchange. |
     | [<samp>&nbsp;&nbsp;sa_policies</samp>](## "ip_security.sa_policies") | List, items: Dictionary |  |  |  | Security Association policies. |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;-&nbsp;name</samp>](## "ip_security.sa_policies.[].name") | String | Required, Unique |  |  | Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0 |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;sa_lifetime</samp>](## "ip_security.sa_policies.[].sa_lifetime") | Dictionary |  |  |  |  |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;value</samp>](## "ip_security.sa_policies.[].sa_lifetime.value") | Integer |  |  |  | Lifetime value for this SA.<br>Valid range depends on the unit.<br><1-24>       Lifetime in hours ( default )<br><1-4000000>  Packet limit in thousands<br><1-6000>     Byte limit in GB ( 1024 MB )<br><1-6144000>  Byte limit in MB ( 1024 KB ) |
+    | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;unit</samp>](## "ip_security.sa_policies.[].sa_lifetime.unit") | String |  | `hours` | Valid Values:<br>- <code>gigabytes</code><br>- <code>hours</code><br>- <code>megabytes</code><br>- <code>thousand-packets</code> |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;esp</samp>](## "ip_security.sa_policies.[].esp") | Dictionary |  |  |  |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;integrity</samp>](## "ip_security.sa_policies.[].esp.integrity") | String |  |  | Valid Values:<br>- <code>disabled</code><br>- <code>sha1</code><br>- <code>sha256</code><br>- <code>null</code> |  |
     | [<samp>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;encryption</samp>](## "ip_security.sa_policies.[].esp.encryption") | String |  |  | Valid Values:<br>- <code>disabled</code><br>- <code>aes128</code><br>- <code>aes128gcm128</code><br>- <code>aes128gcm64</code><br>- <code>aes256</code><br>- <code>aes256gcm128</code><br>- <code>null</code> |  |
@@ -71,6 +74,16 @@
 
           # Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0
         - name: <str; required; unique>
+          sa_lifetime:
+
+            # Lifetime value for this SA.
+            # Valid range depends on the unit.
+            # <1-24>       Lifetime in hours ( default )
+            # <1-4000000>  Packet limit in thousands
+            # <1-6000>     Byte limit in GB ( 1024 MB )
+            # <1-6144000>  Byte limit in MB ( 1024 KB )
+            value: <int>
+            unit: <str; "gigabytes" | "hours" | "megabytes" | "thousand-packets"; default="hours">
           esp:
             integrity: <str; "disabled" | "sha1" | "sha256" | "null">
             encryption: <str; "disabled" | "aes128" | "aes128gcm128" | "aes128gcm64" | "aes256" | "aes256gcm128" | "null">

ansible_collections/arista/avd/roles/eos_cli_config_gen/schemas/schema_fragments/ip_security.schema.yml

@@ -60,6 +60,26 @@ keys:
             name:
               type: str
               description: Name of the SA policy. The "null" value is deprecated and will be removed in AVD 5.0.0
+            sa_lifetime:
+              type: dict
+              keys:
+                value:
+                  type: int
+                  description: |-
+                    Lifetime value for this SA.
+                    Valid range depends on the unit.
+                    <1-24>       Lifetime in hours ( default )
+                    <1-4000000>  Packet limit in thousands
+                    <1-6000>     Byte limit in GB ( 1024 MB )
+                    <1-6144000>  Byte limit in MB ( 1024 KB )
+                unit:
+                  type: str
+                  valid_values:
+                    - gigabytes
+                    - hours
+                    - megabytes
+                    - thousand-packets
+                  default: hours
             esp:
               type: dict
               keys:

ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/documentation/ip-security.j2

@@ -25,10 +25,13 @@
 
 ### Security Association policies
 
-| Policy name | ESP Integrity | ESP Encryption | PFS DH Group |
-| ----------- | ------------- | -------------- | ------------ |
+| Policy name | ESP Integrity | ESP Encryption | Lifetime | PFS DH Group |
+| ----------- | ------------- | -------------- | -------- | ------------ |
 {%         for sa_policy in ip_security.sa_policies | arista.avd.default([]) %}
-| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} |
+{%             if sa_policy.sa_lifetime.value is arista.avd.defined %}
+{%                 set lifetime = sa_policy.sa_lifetime.value ~ " " ~ sa_policy.sa_lifetime.unit | arista.avd.default("hours") %}
+{%             endif %}
+| {{ sa_policy.name }} | {{ sa_policy.esp.integrity | arista.avd.default("-") }} | {{ sa_policy.esp.encryption | arista.avd.default("-") }} | {{ lifetime | arista.avd.default("-") }} | {{ sa_policy.pfs_dh_group | arista.avd.default("-") }} |
 {%         endfor %}
 {%     endif %}
 {%     if ip_security.profiles is arista.avd.defined %}

ansible_collections/arista/avd/roles/eos_cli_config_gen/templates/eos/ip-security.j2

@@ -42,6 +42,9 @@ ip security
       esp encryption {{ sa_policy.esp.encryption }}
 {%             endif %}
 {%         endif %}
+{%         if sa_policy.sa_lifetime.value is arista.avd.defined %}
+      sa lifetime {{ sa_policy.sa_lifetime.value }} {{ sa_policy.sa_lifetime.unit | arista.avd.default("hours") }}
+{%         endif %}
 {%         if sa_policy.pfs_dh_group is arista.avd.defined %}
       pfs dh-group {{ sa_policy.pfs_dh_group }}
 {%         endif %}