
feat(policy): add policy-map type inspect class attributes #283

Open
ChristopherJHart wants to merge 2 commits into netascode:main from ChristopherJHart:feat/iosxe-policy-map-type-inspect

@ChristopherJHart

Summary

  • Add class_type, policy_action, policy_log, and policy_parameter_map to the policy_maps classes block in iosxe_policy.tf
  • Enables Zone-Based Firewall (ZBF) inspect policy-map configuration through the module

Notes

  • Stacked on the class-map type inspect module PR
  • No changes needed to the resource block — classes is passed as a whole object

Test Evidence

Data Model

Deployed to xeac-cat8kv-1 (192.0.2.1), IOS-XE 17.15.1:

policy:
  class_maps:
    - name: CM_INSPECT_TRAFFIC
      type: inspect
      prematch: match-any
      match:
        access_groups:
          - ACL_ALLOWED
        protocols:
          - tcp
          - udp
    - name: CM_INSPECT_STRICT
      type: inspect
      prematch: match-all
      match:
        access_groups:
          - ACL_STRICT
        protocols:
          - https
    - name: CM_INSPECT_NESTED
      type: inspect
      prematch: match-all
      match:
        class_maps:
          - CM_INSPECT_TRAFFIC
        access_groups:
          - ACL_INTERNAL
  policy_maps:
    - name: PM_INSIDE_TO_OUTSIDE
      type: inspect
      classes:
        - name: CM_INSPECT_TRAFFIC
          type: inspect
          action: pass
        - name: CM_INSPECT_STRICT
          type: inspect
          action: pass
          log: true
        - name: CM_INSPECT_NESTED
          type: inspect
          action: inspect
        - name: class-default
          action: drop
    - name: PM_OUTSIDE_TO_INSIDE
      type: inspect
      classes:
        - name: CM_INSPECT_TRAFFIC
          type: inspect
          action: drop
          log: true
        - name: class-default
          action: drop

Terraform Apply

module.iosxe.iosxe_policy_map.policy_map["xeac-cat8kv-1/PM_OUTSIDE_TO_INSIDE"]: Creating...
module.iosxe.iosxe_policy_map.policy_map["xeac-cat8kv-1/PM_INSIDE_TO_OUTSIDE"]: Creating...
module.iosxe.iosxe_policy_map.policy_map["xeac-cat8kv-1/PM_OUTSIDE_TO_INSIDE"]: Creation complete after 2s
module.iosxe.iosxe_policy_map.policy_map["xeac-cat8kv-1/PM_INSIDE_TO_OUTSIDE"]: Creation complete after 6s

Apply complete! Resources: 3 added, 0 changed, 1 destroyed.

Device Running-Config

policy-map type inspect PM_OUTSIDE_TO_INSIDE
 class type inspect CM_INSPECT_TRAFFIC
  drop log
 class class-default
  drop
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_INSPECT_TRAFFIC
  pass
 class type inspect CM_INSPECT_STRICT
  pass log
 class type inspect CM_INSPECT_NESTED
  inspect
 class class-default
  drop

🤖 AI Generation Metadata

  • AI Generated: Yes
  • AI Tool: claude-code
  • AI Model: opus-4.6
  • AI Contribution: ~90%
  • AI Reason: module HCL for inspect class attributes

ChristopherJHart and others added 2 commits April 16, 2026 18:39
… support

Map schema match.protocols and match.class_maps to the iosxe_class_map
resource for Zone-Based Firewall inspect class-map configuration.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AI-Generated: yes
AI-Tool: claude-code
AI-Model: opus-4.6
AI-Percent: 88
AI-Reason: add inspect class-map module support

Add class_type, policy_action, policy_log, and policy_parameter_map
to the policy_maps classes block for Zone-Based Firewall support.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
AI-Generated: yes
AI-Tool: claude-code
AI-Model: opus-4.6
AI-Percent: 83
AI-Reason: module HCL for inspect class attributes
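
A drift check built from the test evidence above, as an added example that is not part of the PR or the module: it renders the expected `policy-map type inspect` block from the data model, compares it with the running-config, and flags a policy-map whose last class is not an explicit `class-default` drop. The helper names `render`, `parse_blocks` and `audit` are hypothetical, and the rendering rule is inferred from the PR's running-config output.

```python
# Added example, not PR code; data copied from the PR's PM_INSIDE_TO_OUTSIDE evidence.
POLICY_MAPS = [{"name": "PM_INSIDE_TO_OUTSIDE", "type": "inspect", "classes": [
    {"name": "CM_INSPECT_TRAFFIC", "type": "inspect", "action": "pass"},
    {"name": "CM_INSPECT_STRICT", "type": "inspect", "action": "pass", "log": True},
    {"name": "CM_INSPECT_NESTED", "type": "inspect", "action": "inspect"},
    {"name": "class-default", "action": "drop"},
]}]

RUNNING_CONFIG = """\
policy-map type inspect PM_INSIDE_TO_OUTSIDE
 class type inspect CM_INSPECT_TRAFFIC
  pass
 class type inspect CM_INSPECT_STRICT
  pass log
 class type inspect CM_INSPECT_NESTED
  inspect
 class class-default
  drop"""

def render(pm):
    """Expected CLI lines for one policy-map (rule inferred from the PR output)."""
    lines = [f"policy-map type {pm['type']} {pm['name']}"]
    for c in pm["classes"]:
        ctype = f"type {c['type']} " if c.get("type") else ""
        lines.append(f" class {ctype}{c['name']}")
        lines.append(f"  {c['action']}" + (" log" if c.get("log") else ""))
    return lines

def parse_blocks(config):
    """Split running-config text into {policy-map header: [indented body lines]}."""
    blocks, current = {}, None
    for line in map(str.rstrip, config.splitlines()):
        if not line.startswith(" "):  # any top-level line starts or ends a block
            current = blocks.setdefault(line, []) if line.startswith("policy-map ") else None
        elif current is not None:
            current.append(line)
    return blocks

def audit(policy_maps, config):
    """Findings: drift from the model, or a final class that is not default drop."""
    device, findings = parse_blocks(config), []
    for pm in policy_maps:
        head, *body = render(pm)
        if device.get(head) != body:
            findings.append(f"drift: {pm['name']}")
        last = pm["classes"][-1] if pm["classes"] else {}
        if (last.get("name"), last.get("action")) != ("class-default", "drop"):
            findings.append(f"no default drop: {pm['name']}")
    return findings
```

`audit(POLICY_MAPS, RUNNING_CONFIG)` returns an empty list for the evidence as posted; a device-side change such as a missing `log` keyword shows up as a `drift:` finding.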
Labels: enhancement, feature
