ios_snmp_server readonly community idempotency

[exeral]

SUMMARY

when creating a read-only community, the task is always status changed despite there is no change to do

ISSUE TYPE

• Bug Report

COMPONENT NAME

cisco.ios.ios_snmp_server

ANSIBLE VERSION

ansible [core 2.11.12]
  config file = /home/ansible/ansible-cisco/ansible.cfg
  configured module search path = ['/home/ansible/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/ansible/.local/lib/python3.7/site-packages/ansible
  ansible collection location = /home/ansible/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/ansible/.local/bin/ansible
  python version = 3.7.12 (default, Nov 16 2021, 18:14:49) [GCC 6.3.0 20170516]
  jinja version = 3.1.2
  libyaml = True

COLLECTION VERSION

# /home/ansible/.local/lib/python3.7/site-packages/ansible_collections
Collection Version
---------- -------
cisco.ios  2.6.0

# /home/ansible/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.ios  3.2.0

CONFIGURATION

CACHE_PLUGIN(/home/ansible/ansible-cisco/ansible.cfg) = jsonfile
CACHE_PLUGIN_CONNECTION(/home/ansible/ansible-cisco/ansible.cfg) = /tmp/ansible.cache
CACHE_PLUGIN_TIMEOUT(/home/ansible/ansible-cisco/ansible.cfg) = 86400
DEFAULT_HOST_LIST(/home/ansible/ansible-cisco/ansible.cfg) = ['/home/ansible/ansible-cisco/inventory/production']
DEFAULT_INVENTORY_PLUGIN_PATH(/home/ansible/ansible-cisco/ansible.cfg) = ['/home/ansible/ansible-cisco/inventory/plugins']
HOST_KEY_CHECKING(/home/ansible/ansible-cisco/ansible.cfg) = False
INVENTORY_CACHE_ENABLED(/home/ansible/ansible-cisco/ansible.cfg) = True
INVENTORY_CACHE_PLUGIN_CONNECTION(/home/ansible/ansible-cisco/ansible.cfg) = /tmp/ansible.cache

OS / ENVIRONMENT

debian 9

Cisco IOS Software, C2960 Software (C2960-LANBASEK9-M), Version 15.0(2)SE10a, RELEASE SOFTWARE (fc3) WS-C2960G-48TC-L

STEPS TO REPRODUCE

- name: snmp settings
  cisco.ios.ios_snmp_server:
    config:
      location: "in the racks"
      contact: [email protected]
      packet_size: 500
      communities:
        - acl_v4: ADMIN-SUP
          name: community_name
          rw: false
          ro: true

EXPECTED RESULTS

after two consecutive runs, task should not have the status "changed"

ACTUAL RESULTS

task status is always "changed"

TASK [dv-cisco : snmp settings] *************************************************************************************************************************************************************************************************************
changed: [switch] => {"after": {"communities": [{"acl_v4": "ADMIN-SUP", "name": "community_name", "ro": true}], "contact": "[email protected]", "location": "in the racks", "packet_size": 500}, "before": {"communities": [{"acl_v4": "ADMIN-SUP", "name": "community_name", "ro": true}], "contact": "[email protected]", "location": "in the racks", "packet_size": 500}, "changed": true, "commands": ["snmp-server community community_name ro ADMIN-SUP"]}

I think the issue is that: on Cisco running config it's: snmp-server community community_name RO ADMIN-SUP while ansible try to match this commands ?: snmp-server community community_name ro ADMIN-SUP

Cisco config wants the readonly parameter UPPERCASE

[TheRealBecks]

I found out that 'Legacy IOS' uses RO and RW, but IOS XE uses ro and rw instead. I tested it with my legacy IOS devices and it's working idempotentely as expected.

@exeral Can you please check again with a newer version of cisco.ios? Your newest version is 3.2.0, but the current one in 6.0.0, so it could be that it's already been fixed.

[exeral]

I tested with cisco.ios 6.0.0

➜  ansible-cisco git:(main) ✗ ansible --version
ansible [core 2.14.5]
  config file = /home/avittecoq/ansible-cisco/ansible.cfg
  configured module search path = ['/home/avittecoq/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/avittecoq/.local/lib/python3.10/site-packages/ansible
  ansible collection location = /home/avittecoq/.ansible/collections:/usr/share/ansible/collections
  executable location = /home/avittecoq/.local/bin/ansible
  python version = 3.10.12 (main, Jun 11 2023, 05:26:28) [GCC 11.4.0] (/usr/bin/python3)
  jinja version = 3.1.2
  libyaml = True
➜  ansible-cisco git:(main) ✗ cat /etc/debian_version
bookworm/sid
➜  ansible-cisco git:(main) ✗ ansible-galaxy collection list cisco.ios

# /home/avittecoq/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.ios  6.0.0

but it's the same, here is the debug output:

TASK [dv-cisco : snmp settings] *************************************************************************************************************************************************************************************************************
task path: /home/avittecoq/ansible-cisco/roles/dv-cisco/tasks/ios.yaml:25
redirecting (type: connection) ansible.builtin.network_cli to ansible.netcommon.network_cli
redirecting (type: terminal) ansible.builtin.ios to cisco.ios.ios
redirecting (type: cliconf) ansible.builtin.ios to cisco.ios.ios
redirecting (type: become) ansible.builtin.enable to ansible.netcommon.enable
redirecting (type: action) cisco.ios.ios_snmp_server to cisco.ios.ios
redirecting (type: action) cisco.ios.ios_snmp_server to cisco.ios.ios
changed: [cisco-device] => {
    "after": {
        "communities": [
            {
                "acl_v4": "community_name",
                "name": "RO",
                "ro": true
            },
            {
                "acl_v4": "ADMIN-SUP",
                "name": "community_name",
                "ro": true
            }
        ],
        "contact": "[email protected]",
        "location": "in the racks",
        "packet_size": 500
    },
    "before": {
        "communities": [
            {
                "acl_v4": "community_name",
                "name": "RO",
                "ro": true
            },
            {
                "acl_v4": "ADMIN-SUP",
                "name": "community_name",
                "ro": true
            }
        ],
        "contact": "[email protected]",
        "location": "in the racks",
        "packet_size": 500
    },
    "changed": true,
    "commands": [
        "snmp-server community community_name ro ADMIN-SUP"
    ],
    "invocation": {
        "module_args": {
            "config": {
                "accounting": null,
                "cache": null,
                "chassis_id": null,
                "communities": [
                    {
                        "acl_v4": "ADMIN-SUP",
                        "acl_v6": null,
                        "name": "community_name",
                        "ro": true,
                        "rw": false,
                        "view": null
                    }
                ],
                "contact": "[email protected]",
                "context": null,
                "drop": null,
                "engine_id": null,
                "file_transfer": null,
                "groups": null,
                "hosts": null,
                "if_index": null,
                "inform": null,
                "ip": null,
                "location": "in the racks",
                "manager": null,
                "packet_size": 500,
                "password_policy": null,
                "queue_length": null,
                "source_interface": null,
                "system_shutdown": null,
                "trap_source": null,
                "trap_timeout": null,
                "traps": null,
                "users": null,
                "views": null
            },
            "running_config": null,
            "state": "merged"
        }
    }
}

the before/after are identical but the "commands" show it tries in lowercase nayway

I'm also surprised ansible ends creating two communities where one have the community name in the acl field. but that's maybe another story

[TheRealBecks]

@exeral That looks indeed weird^^ Can you also show use the task configuration and YAML values?

[exeral]

Yes it's weird. it's not very critical but a bit annoying, so I'm curious what is the cause

The task is:

- name: snmp settings
  cisco.ios.ios_snmp_server:
    config:
      location: "{{ snmp_location_datacenter }}"
      contact: [email protected]
      packet_size: 500
      communities:
        - acl_v4: ADMIN-SUP
          name: community_name
          rw: false
          ro: true

snmp_location_datacenter is pulled from inventory and has value "in the racks" community value is hardcoded in the task (as you can see)

[shepherdjay]

I found out that 'Legacy IOS' uses RO and RW, but IOS XE uses ro and rw instead. I tested it with my legacy IOS devices and it's working idempotentely as expected.

On my IOS-XE devices they also show in the config as RO though the command help when configuring shows it in lowercase ro

I'm also running into this. Actually hit -vvvv and wound up with two scenarios that both reporting needing changes but different commands for each.

In the first case is as @exeral reported with rw: true and rw: false it then tries to send the command set of

    "changed": true,
    "commands": [
        "no snmp-server community community ro",
        "snmp-server community community ro"

However if you have the boolean of rw: false only leaving ro: null which is what the documentation shows it doesn't send the ro in the configlet. Cisco defaults at least on the platform I'm testing to read only but I don't know if this would also cause more idempotency issues

    "changed": true,
    "commands": [
        "no snmp-server community community ro",
        "snmp-server community community"

[shepherdjay]

For reference our pip is locked to

ansible-core==2.16.3
ansible==9.2.0

and collection is set to

collections:
- name: cisco.ios
  version: 6.1.2
  type: galaxy