ACI: Adding an ACI connection plugin for communication

[dagwieers]

ISSUE TYPE

• Feature Idea

COMPONENT NAME

ACI

ANSIBLE VERSION

v2.6

SUMMARY

The general idea is that the ACI modules would feel more native and better integrated with how Ansible works. This means that the information/credentials to connect to the APIC is stored in the inventory (using ansible_host, ansible_port, ansible_user and ansible_password) and the playbook tasks only take into account the parameters required for its specific use.

Other benefits of using an ACI connection plugin include:

• It would manage the connection and could handle HTTP errors more gracefully
• On connection problems it can rebuild the session transparantly
• During maintenance or APIC cluster issues the connection plugin would switch between APICs (provides high-availability)
• It would centralize connection information per node or per group, keeping credentials out of playbooks
• It avoids too many consecutive auth API calls which may result in connection throttling and playbook failure

Currently we do:

- hosts: apic_cluster01
  tasks:
  - aci_tenant:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      description: Customer XYZ
      state: present

  - aci_vrf:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      vrf: lab
      description: Lab VRF
      policy_control_preference: enforced
      policy_control_direction: ingress

  - aci_bd:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      vrf: lab
      bd: app01
      enable_routing: yes

  - aci_bd_subnet:
      hostname: 10.1.2.1
      username: admin
      password: SecretPassword
      tenant: customer-xyz
      bd: app01
      gateway: 10.10.10.1
      mask: 24
      scope: private
...

A typical playbook would then look much more concise and readable:

- hosts: apic_cluster01
  tasks:
  - aci_tenant:
      tenant: customer-xyz
      description: Customer XYZ
      state: present

  - aci_vrf:
      tenant: customer-xyz
      vrf: lab
      description: Lab VRF
      policy_control_preference: enforced
      policy_control_direction: ingress

  - aci_bd:
      tenant: customer-xyz
      vrf: lab
      bd: app01
      enable_routing: yes

  - aci_bd_subnet:
      tenant: customer-xyz
      bd: app01
      gateway: 10.10.10.1
      mask: 24
      scope: private
...

The inventory for an ACI cluster would then look like:

all:
    apic_cluster01:
        ansible_host: [ 10.1.2.1, 10.1.2.2, 10.1.2.3 ]
        ansible_connection: aci
        ansible_user: admin
        ansible_password: SuperSecret
        proxy_env:
          http_proxy: http://proxy.example.com:8080

This relates to #33887

[ansibot]

cc @Qalthos @brunocalogero @ganeshrn @gundalow @jmcgill298 @kedarX @privateip @rcarrillocruz @schunduri @trishnaguha
click here for bot help

[ansibot]

cc @gdpak
click here for bot help

[Gittins]

Hi, Is there any update on when it's likely that this feature/functionality will be committed in?

[ansibot]

cc @justjais
click here for bot help

[dagwieers]

We are waiting for a clear roadmap for the httpapi framework, which at this point lacks documentation or code-annotations, and it is unclear how this ought to be extended by contributors.
This is going to be discussed at AnsibleFest 2018 in Austin AFAICT.

[ansibot]

cc @acozine
click here for bot help

[ansibot]

cc @koladiya @mtorelli @rsmeyers @smnmtzgr
click here for bot help

[ansibot]

Files identified in the description:

• lib/ansible/modules/network/aci

If these files are inaccurate, please update the component name section of the description or use the !component bot command.

click here for bot help

[ansibot]

cc @devarshishah3 @fadallar
click here for bot help

[fhlmbrg]

This feature would be very useful. We ran into this issue yesterday on 3.2(2l) when doing a mass BD update using the aci_bd module. Had to apply a delay factor to not hit the REST API auth calls limit.

[AlyAwad]

Any update on this yet ?
Even if there is no dedicated ACI connection type can the modules simply use the variables defined in the inventory file by default
all:
hosts:
apic1:
ansible_host: apic1.com
ansible_user: username
ansible_password: password
ansible_connection: local
ansible_use_proxy: no
ansible_validate_certs: no

It can be even more generic for any module where any variables defined in the inventory file using the special "ansible_variable" keyword is used by the module directly as default

[ansibot]

cc @aciguru
click here for bot help

[ansibot]

Files identified in the description:

• lib/ansible/modules/network/aci/aci_aep.py
• lib/ansible/modules/network/aci/aci_ap.py
• lib/ansible/modules/network/aci/aci_bd.py
• lib/ansible/modules/network/aci/aci_epg.py
• lib/ansible/modules/network/aci/aci_vrf.py
• test/integration/targets/aci_

If these files are incorrect, please update the component name section of the description or use the !component bot command.

click here for bot help

[aciguru]

Moved to

CiscoDevNet/ansible-aci#25