Network: ACI

THIS PAGE IS OLD and no longer maintained. For questions, please use the Ansible forum.

Ansible modules for managing Cisco ACI fabrics

News

A total of 95 ACI and ACI Multi-Site modules ship with Ansible v2.8 !
We have an ACI pinboard, subscribe to it to stay informed!
End-user documentation in the Cisco ACI User Guide
Develop your own ACI modules using the Cisco ACI Development Guide
New ideas and brainstorming goes in the community plan

HINT: Functionality missing from the existing modules can be implemented using the idempotent aci_rest module. And if you feel up to it, we made it quite easy to create and contribute your own dedicated ACI modules. Challenge accepted ?

Community

Name	GitHub (/ IRC)	Role	Affiliation
Jacob McGill	jmcgill298	Reviewer	NetworkToCode
Ramses Smeyers	rsmeyers	Reviewer	Cisco
Simon Metzger	smnmtzgr	Reviewer	dmTECH GmbH
Mike Torelli	mtorelli	Reviewer	NetApp
Devarshi Shah	devarshishah3	Reviewer	Cisco
Derrick Johnson	derricktj	Reviewer
Thomas Renzy	trenzy	Reviewer	Cisco
Apoorva Gururaja	aciguru	Reviewer	Cisco
Bruno Calogero	brunocalogero	Member
Swetha Chunduri	schunduri	Member	Cisco
Kamlesh Koladiya	koladiya	Member	Automation
Fabrizio Dall'ara	fadallar	Member	Cisco
Matt Pearson	warriorsoul15	Member

Add yourself to this list as a Reviewer (help review PRs) or as a Member (discuss issues/roadmap).

Action plan

Ideas

Cloud APIC support
An aci_rest action plugin for templating ACI payload -- @rost-d
Document aci_rest payload limit
Persistent connection plugin for ACI and MSO #36100
- Hostname could be a list of APICs so playbooks still work if one is down or in maintenance proposals#97
- Centralize connection information (credentials, proxy, settings) ?
- Handle HTTP errors more gracefully
- Write platform_aci documentation
Provide an implementation for "squashing" (aggregating data) proposals#71
- This would speed up runs with thousands of items using a single module task
- It would make use of the existing looping syntax, and requires core support
Provide an implementation for "pure" state proposals#71
- This would make it possible to define all existing entries, rather than adding/removing items
- Required for real declarative use of Ansible
Run ACI integration tests through Distributed CI -- @devarshishah3 @nilloBE
- Testing multiple Ansible version and ACI versions
- This is required if we want the modules to be tested automatically on every change
- This is mandatory to guarantee quality (fit-for-purpose)
Look into ACI notification handlers
- aci_wait_for -- A generic module for waiting for some event to happen (e.g. fully-fit)
Update aci-model role using ACI modules
Upstream aci_listify as a generic Jinja plugin
Discuss on how we want to provide facts to users
- Make a list of all operational tasks and what facts are required
- Integrate standard facts into ACI gather_facts
- Add specialized facts module(s) (related to ACI, APIC, etc.)
  - Can we structure facts so it matches ACI object model ?
  - Can we feed this back into ACI as well ?
  - Feedback welcome from operational teams !!
New ACI modules:
- aci_bd_dhcp_label/aci_bd_dhcp_association -- @sig9org #32571
New ACI Multi-Site modules
- mso_role_permission
- mso_schema_service_graph (@devarshishah3)
- mso_schema_preferred_group (@devarshishah3)
- mso_self_signed_cert (@devarshishah3)
- mso_log_streaming (@devarshishah3)
- mso_aaa_ldap (@devarshishah3)
- mso_schema_site_anp_epg_selector
- mso_schema_site_anp_epg_selector_expression
- mso_schema_site_anp_epg_usegattr ??
- mso_schema_site_externalepg
- mso_schema_site_externalepg_subnet
- mso_schema_site_intersitel3out
- mso_schema_template_anp_epg_selector
- mso_schema_template_anp_epg_selector_expression
- mso_schema_template_anp_epg_usegattr ??
- mso_schema_template_contract_filter_directive
- mso_schema_template_externalepg_subnet
- mso_schema_template_vrf_contract (incl. consumer and provider)
- mso_tenant_site
- mso_tenant_user
- mso_user_role

DONE

Ansible v2.9 release

New modules:
- mso_schema_site_anp_epg_domain -- @nkatarmal-crest

Ansible v2.8 release

Make it possible private_key is the key, not a file -- @DerrickTJ #54251
New ACI modules:
- aci_access_sub_port_block_to_access_port -- @smnmtzgr ~~#51940~~
- aci_access_port_block_to_access_port -- @smnmtzgr ~~#46182~~
- aci_fabric_scheduler -- @sgerhart ~~#48332~~
- aci_firmware_group -- @sgerhart ~~#48346~~
- aci_firmware_group_node -- @sgerhart ~~#48357~~
- aci_firmware_policy -- @sgerhart ~~#48356~~
- aci_maintenance_group -- @sgerhart ~~#48358~~
- aci_maintenance_group_node -- @sgerhart ~~#53094~~
- aci_maintenance_policy -- @sgerhart ~~#48368~~
New ACI Multi-Site modules
- mso_label ~~#47753~~
- mso_role ~~#47757~~
- mso_schema ~~#47758~~
- mso_schema_site_anp ~~#53243~~
- mso_schema_site_anp_epg ~~#53244~~
- mso_schema_site_anp_epg_staticleaf ~~#53245~~
- mso_schema_site_anp_epg_staticport ~~#53246~~
- mso_schema_site_anp_epg_subnet ~~#53247~~
- mso_schema_site_bd ~~#53248~~
- mso_schema_site_bd_l3out ~~#53249~~
- mso_schema_site_bd_subnet ~~#53250~~
- mso_schema_site_vrf ~~#53251~~
- mso_schema_site_vrf_region ~~#53252~~
- mso_schema_site_vrf_region_cidr ~~#53253~~
- mso_schema_site_vrf_region_cidr_subnet ~~#53254~~
- mso_schema_template ~~#51277~~
- mso_schema_template_anp ~~#51274~~
- mso_schema_template_anp_epg ~~#51275~~
- mso_schema_template_anp_epg_contract ~~#51383~~
- mso_schema_template_anp_epg_subnet ~~#51278~~
- mso_schema_template_bd ~~#51279~~
- mso_schema_template_bd_subnet ~~#51282~~
- mso_schema_template_contract_filter ~~#51300~~
- mso_schema_template_deploy ~~#51379~~
- mso_schema_template_externalepg ~~#51285~~
- mso_schema_template_filter_entry ~~#51290~~
- mso_schema_template_l3out ~~#51291~~
- mso_schema_template_vrf ~~#51292~~
- mso_site ~~#47756~~
- mso_tenant ~~#47755~~
- mso_user ~~#47754~~

Ansible v2.7 release

Create a separate ACI development guide -- @jmcgill298 ~~#45588~~
Remove old backup of aci-ansible repository -- @devarshishah3 @schunduri aci-ansible#65
Rewrite of construct_url framework ~~#43441~~
Support for filtering by object property ~~#45088~~
Clarify special feature of ACI modules running locally ~~#43903~~
New ACI modules:
- aci_interface_policy_ospf ~~#42184~~

Ansible v2.6 release (maintenance release)

New ACI modules:
- aci_l3out -- @rost-d ~~#37570~~

Ansible v2.5 release

Signature-based authentication ~~#34451~~
Modules to manage users and certificates ~~#34602~~ ~~#35543~~
Create ACI Detailed Guide in upstream documentation -- @jmcgill298 ~~#35364~~
- Ansible ACI docs
Decide on RETURN values and document them ~~proposals#93~~ ~~#35304~~ ~~#35617~~
Move development upstream
Add support for ports other than 80 and 443 ~~#35168~~
Deprecate user and hostname parameters ? ~~#35161~~ ~~#35207~~
Add proper examples and integration tests for all ACI modules -- @brunocalogero ~~#34173~~
Rename the aci_intf_* modules into aci_interface_* instead ~~#35170~~
Implement ACI boolean handling for non-standard values ~~#35610~~
Clean up aci-ansible repository ~~aci-ansible#184~~
New ACI modules:
- aci_aaa_user ~~#35543~~
- aci_aaa_user_certificate ~~#34602~~
- aci_access_port_to_interface_policy_leaf_profile -- @brunocalogero ~~#34398~~
- aci_aep_to_domain (infra:RsDomP) ~~#33942~~ ~~#36071~~
- aci_domain ~~#34011~~ ~~#36051~~
- aci_domain_to_vlan_pool ~~#34402~~ ~~#36079~~
- aci_encap_pool -- @jmcgill289 ~~#33219~~
- aci_encap_pool_range -- @jmcgill298 ~~#33758~~
- aci_fabric_node -- @brunocalogero ~~#35586~~ ~~#36422~~
- aci_firmware_source ~~#34670~~ #36246
- aci_interface_policy_leaf_policy_group -- @brunocalogero ~~#34968~~
- aci_interface_policy_leaf_profile -- @brunocalogero ~~#34364~~
- aci_interface_selector_to_switch_policy_leaf_profile -- @brunocalogero ~~#34098~~
- aci_static_binding_to_epg -- @brunocalogero ~~#35581~~ ~~#36542~~
- aci_switch_leaf_policy_profile -- @brunocalogero ~~#33955~~
- aci_switch_leaf_selector -- @brunocalogero ~~#34041~~
- aci_switch_policy_vpc_protection_group -- @brunocalogero ~~#35769~~ ~~#36448~~
- aci_vlan_pool ~~#34650~~
- aci_vlan_pool_encap_block ~~#34653~~

Ansible v2.4 release

Create ACI module_utils library ~~#27070~~
- Make ACI modules idempotent
- Make ACI modules declarative
- Add diff-mode support
Improve ACI module_utils unit tests
Add use_proxy and proxy support to ACI modules ~~#27735~~
Look into certificate-handling
- Parameters for authentication using certificates ~~#27738~~
Check-mode support and improved idempotency
Add Travis python syntax checking, analysis and PEP8 checks
Dynamically construct payload (to avoid null-values)
Generate module documentation on aci-ansible
Subnet to BD mappings are not 1-to-1, so in order to properly manage Subnets, a separate aci_subnet module should be created
Fix proper short_description and description
Set defaults as it was designed in the documentation
Test integer values are within range
New ACI modules:
- aci_aep ~~#27987~~ ~~#33996~~ ~~#36414~~
- aci_ap ~~#27984~~
- aci_bd ~~#28196~~
- aci_bd_subnet ~~#28202~~
- aci_config_rollback ~~#28784~~
- aci_config_snapshot ~~#28811~~
- aci_contract ~~#28093~~
- aci_contract_subject ~~#28620~~
- aci_contract_subject_to_filter ~~#28201~~
- aci_epg ~~#28207~~
- aci_epg_to_contract ~~#28251~~
- aci_epg_to_domain ~~#28203~~
- aci_filter ~~#28094~~ ~~#28256~~
- aci_filter_entry ~~#28200~~
- aci_rest ~~#26029~~
- aci_taboo_contract ~~#28144~~ ~~#36276~~
- aci_tenant ~~#26836~~ ~~#28090~~ ~~#28255~~
- aci_vrf ~~#28091~~
New ACI modules (lacking integration tests):
- aci_bd_to_l3out ~~#28199~~
- aci_epg_monitoring_policy ~~#28140~~
- aci_interface_policy_fc ~~#28095~~
- aci_interface_policy_l2 ~~#28205~~
- aci_interface_policy_lldp ~~#28099~~
- aci_interface_policy_mcp ~~#28206~~
- aci_interface_policy_port_channel ~~#28141~~
- aci_interface_policy_port_security ~~#28142~~
- aci_l3out_route_tag_policy ~~#28204~~
- aci_tenant_action_rule_profile ~~#28139~~
- aci_tenant_ep_retention_policy ~~#28642~~
- aci_tenant_span_dst_group ~~#28143~~
- aci_tenant_span_src_group ~~#28644~~
- aci_tenant_span_src_group_to_dst_group ~~#28645~~

Caveats

ACI Multi-Site

PATCH API has some deficiencies requiring edits/deletes to be referenced by index, this can cause corruption on concurrent access
Undeploy schema template reports "Successfully deployed"
Filter entry names with spaces cause APIC issues
Creating schema's without a template is not possible, so we cannot create a msc_schema and msc_schema_template module
Lookup plugins would be nice, but connection parameters are a problem
There is an issue when using the same template name on different schemas/tenants

This Wiki is used for quick notes, not for support or documentation.