ansible-aci icon indicating copy to clipboard operation
ansible-aci copied to clipboard

Published 20 hours ago verified publisher icon CiscoDevNet

ACI: Adding an ACI connection plugin for communication

Open aciguru opened this issue 5 years ago • 3 comments

ISSUE TYPE Feature Idea

COMPONENT NAME ACI

ANSIBLE VERSION v2.6

SUMMARY The general idea is that the ACI modules would feel more native and better integrated with how Ansible works. This means that the information/credentials to connect to the APIC is stored in the inventory (using ansible_host, ansible_port, ansible_user and ansible_password) and the playbook tasks only take into account the parameters required for its specific use.

Other benefits of using an ACI connection plugin include:

It would manage the connection and could handle HTTP errors more gracefully On connection problems it can rebuild the session transparantly During maintenance or APIC cluster issues the connection plugin would switch between APICs (provides high-availability) It would centralize connection information per node or per group, keeping credentials out of playbooks It avoids too many consecutive auth API calls which may result in connection throttling and playbook failure Currently we do:

- hosts: apic_cluster01
  tasks:
  - aci_tenant:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      description: Customer XYZ
      state: present

  - aci_vrf:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      vrf: lab
      description: Lab VRF
      policy_control_preference: enforced
      policy_control_direction: ingress

  - aci_bd:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      vrf: lab
      bd: app01
      enable_routing: yes

  - aci_bd_subnet:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      bd: app01
      gateway: 10.10.10.1
      mask: 24
      scope: private
...

A typical playbook would then look much more concise and readable:

- hosts: apic_cluster01
  tasks:
  - aci_tenant:
      tenant: customer-xyz
      description: Customer XYZ
      state: present

  - aci_vrf:
      tenant: customer-xyz
      vrf: lab
      description: Lab VRF
      policy_control_preference: enforced
      policy_control_direction: ingress

  - aci_bd:
      tenant: customer-xyz
      vrf: lab
      bd: app01
      enable_routing: yes

  - aci_bd_subnet:
      tenant: customer-xyz
      bd: app01
      gateway: 10.10.10.1
      mask: 24
      scope: private
...

The inventory for an ACI cluster would then look like:

all:
    apic_cluster01:
        ansible_host: [ 10.1.2.1, 10.1.2.2, 10.1.2.3 ]
        ansible_connection: aci
        ansible_user: admin
        ansible_password: SuperSecret
        proxy_env:
          http_proxy: http://proxy.example.com:8080

This relates to #33887

aciguru avatar Apr 14 '20 01:04 aciguru

https://github.com/ansible/ansible/issues/36100

aciguru avatar Apr 14 '20 01:04 aciguru

@shrsr or @lhercot are there any updates on this, help that could be provided?

netgirard avatar Mar 30 '22 13:03 netgirard

@netgirard It is still in the works but we have it in our to-do-list

shrsr avatar Mar 31 '22 16:03 shrsr

@aciguru For a nicer playbook you could use anchors and module_defaults. E.g.

  vars:
    aci_generic_dict: &aci_generic
      host: "{{ APIC_HOST }}"
      username: "{{ APIC_USER }}"
      password: "{{ APIC_PASSWORD }}"
      use_proxy: no
      output_level: debug
      validate_certs: yes

  module_defaults:
    cisco.aci.aci_vrf:
      <<: *aci_generic
    cisco.aci.aci_bd:
      <<: *aci_generic

velotiger avatar Oct 19 '22 05:10 velotiger