ansible-collections/cisco.nxos

ACLs idempotency

jorgenspange opened this issue · 1 comment

When applying access lists with
address:
wildcard_bits:

It breaks idempotency as it applies it like this:

  - ip access-list MGMT-VTY
  - no 10 permit tcp 10.10.10.248/29 any eq 22
  - 10 permit tcp 10.10.10.248 0.0.0.7 any eq 22

Best regards

@jorgenspange Since you haven't included the playbook, initial configuration on the box and the expected results, it is hard for me to figure out what exactly you're reporting in this ticket. However, based on the information you shared, it seems that you're expecting that a prefix in an existing ACE should get converted to address + wildcard_bits format before calculating the diff. Something like the following:

Before config:

# show running-config | section 'ip(v6)* access-list'
ip access-list ACL1
ip access-list MGMT-VTY
  10 permit tcp 10.10.10.248/29 any eq 22 

Task:

   - cisco.nxos.nxos_acls:
        state: replaced
        config:
          - afi: ipv4
            acls:
              - name: ACL1
              - name: MGMT-VTY
                aces:
                  - sequence: 10
                    grant: permit
                    protocol: tcp
                    source:
                      # prefix: 10.10.10.248/29
                      address: 10.10.10.248
                      wildcard_bits: 0.0.0.7
                    destination:
                      any: true
                      port_protocol:
                        eq: '22'

commands:

  - ip access-list MGMT-VTY
  - no 10 permit tcp 10.10.10.248/29 any eq 22
  - 10 permit tcp 10.10.10.248 0.0.0.7 any eq 22

If that's the case, then the recommended way is to always provide the task input in the same format as the CLI renders. Since the CLI clearly differentiates between 10 permit tcp 10.10.10.248/29 any eq 22 and 10 permit tcp 10.10.10.248 0.0.0.7 any eq 22, the nxos_acls module will behave the same way. You can also generate the prefix in CIDR notation from the address and wildcard_bits by using the ipaddr Ansible filter on the fly, such as the following. The output of this can then be used in the task.

      # The ipaddr filter ships in the ansible.utils collection, not in
      # ansible.builtin, so it has to be referenced by its FQCN.
      - ansible.builtin.set_fact:
          address: 10.10.10.248
          wildcard_bits: 0.0.0.7

      # netaddr accepts a wildcard (hostmask) after the slash; the 'net'
      # query renders the result in CIDR form, here 10.10.10.248/29
      - ansible.builtin.set_fact:
          prefix: "{{ (address + '/' + wildcard_bits) | ansible.utils.ipaddr('net') }}"

With that, I'm going to close this ticket. If you want to discuss this further or if you have a different problem, please open another ticket and kindly follow the issue submission guidelines, providing all the requested details mentioned in the template.

Thank you!
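The maintainer's point is that the module compares the task input against the running config as the CLI renders it, so `10.10.10.248/29` and `10.10.10.248 0.0.0.7` are two different strings even though they denote the same source. The script below is an added example, not code from cisco.nxos or from either participant: it canonicalises an IPv4 ACE line so that both notations compare equal, which is the normalisation step a pre-flight check or a custom diff would need to stay idempotent. The ACE lines and the helper names (`canonical_ace`, `to_cidr`, `wildcard_to_prefixlen`) are constructed for this example. It also covers the case the thread does not mention: a non-contiguous wildcard such as `0.255.0.255` has no CIDR equivalent and is left in address/wildcard form, and the all-zeros and all-ones wildcards are computed by hand because Python's `ipaddress` hostmask auto-detection reads them the wrong way round.

```python
"""Added example (not cisco.nxos code): canonicalise NX-OS IPv4 ACE address
notation so that the prefix form and the address + wildcard_bits form
compare equal.  Sample ACE lines below are constructed for this example."""

from __future__ import annotations

import ipaddress
from typing import Optional, Tuple

# Port operators and how many operands follow each one.
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}


def wildcard_to_prefixlen(wildcard: str) -> Optional[int]:
    """Return the prefix length a Cisco wildcard mask denotes, or None when
    the wildcard is non-contiguous (e.g. 0.255.0.255) and so has no CIDR
    equivalent.  Computed by hand: ipaddress's own hostmask detection tries
    the netmask reading first, so it maps 0.0.0.0 to /0 and
    255.255.255.255 to /32, the reverse of the wildcard meaning."""
    hostmask = int(ipaddress.IPv4Address(wildcard))
    netmask = hostmask ^ 0xFFFFFFFF
    bits = f"{netmask:032b}"
    if "01" in bits:  # a zero followed by a one: not a contiguous mask
        return None
    return bits.count("1")


def to_cidr(address: str, wildcard: str) -> str:
    """Render address + wildcard_bits the way 'show running-config' renders
    a prefix (10.10.10.248 0.0.0.7 -> 10.10.10.248/29).  A non-contiguous
    wildcard is returned unchanged as 'address wildcard' because no prefix
    can express it.  Host bits are masked off (strict=False)."""
    plen = wildcard_to_prefixlen(wildcard)
    if plen is None:
        return f"{address} {wildcard}"
    return str(ipaddress.IPv4Network((address, plen), strict=False))


def _parse_address(tokens: list, i: int) -> Tuple[str, int]:
    """Consume one address specifier at tokens[i] ('any', 'host A', 'A/len'
    or 'A W') and return (canonical form, index of the next token)."""
    tok = tokens[i]
    if tok == "any":
        return "any", i + 1
    if tok == "host":
        return str(ipaddress.IPv4Network(f"{tokens[i + 1]}/32")), i + 2
    if "/" in tok:
        return str(ipaddress.IPv4Network(tok, strict=False)), i + 1
    return to_cidr(tok, tokens[i + 1]), i + 2


def _parse_ports(tokens: list, i: int) -> Tuple[str, int]:
    """Consume an optional port operator such as 'eq 22' or 'range 20 21'."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        end = i + 1 + PORT_OPS[tokens[i]]
        return " ".join(tokens[i:end]), end
    return "", i


def canonical_ace(line: str) -> str:
    """Rewrite an ACE so that both source/destination notations yield the
    same string.  Tokens after the destination (e.g. 'log') are kept."""
    t = line.split()
    seq, grant, proto = t[0], t[1], t[2]
    src, i = _parse_address(t, 3)
    src_ports, i = _parse_ports(t, i)
    dst, i = _parse_address(t, i)
    dst_ports, i = _parse_ports(t, i)
    parts = [seq, grant, proto, src, src_ports, dst, dst_ports, *t[i:]]
    return " ".join(p for p in parts if p)


def same_ace(a: str, b: str) -> bool:
    """True when two ACE lines differ only in address notation."""
    return canonical_ace(a) == canonical_ace(b)


if __name__ == "__main__":
    # Constructed sample: the two renderings quoted in the issue.
    running = "10 permit tcp 10.10.10.248/29 any eq 22"
    wanted = "10 permit tcp 10.10.10.248 0.0.0.7 any eq 22"
    print(canonical_ace(wanted))
    print("idempotent:", same_ace(running, wanted))
```

Running the block prints the canonical form of the wildcard-notation ACE, which is exactly the line the device shows, and reports the two as equivalent. The parser handles the `any`, `host`, prefix and address/wildcard specifiers plus the single-operand and `range` port operators; object-group keywords (`addrgroup`, `portgroup`) and IPv6 are out of scope here.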