cisco.aci.aci_rest module – Direct access to the Cisco APIC REST API

Note

This module is part of the cisco.aci collection (version 2.12.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.aci. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.aci.aci_rest.

Synopsis

  • Enables the management of the Cisco ACI fabric through direct access to the Cisco APIC REST API.

  • Thanks to the idempotent nature of the APIC, this module is idempotent and reports changes.

Requirements

The below requirements are needed on the host that executes this module.

  • lxml (when using XML payload)

  • xmljson >= 0.1.8 (when using XML payload)

  • python 2.7+ (when using xmljson)

Parameters

Parameter

Comments

annotation

string

User-defined string for annotating an object.

If the value is not specified in the task, the value of environment variable ACI_ANNOTATION will be used instead.

If the value is not specified in the task and environment variable ACI_ANNOTATION then the default value will be used.

Default: "orchestrator:ansible"

certificate_name

aliases: cert_name

string

The X.509 certificate name attached to the APIC AAA user used for signature-based authentication.

If a private_key filename was provided, this defaults to the private_key basename, without extension.

If PEM-formatted content was provided for private_key, this defaults to the username value.

If the value is not specified in the task, the value of environment variable ACI_CERTIFICATE_NAME will be used instead.

content

any

When used instead of src, sets the payload of the API request directly.

This may be convenient to template simple requests.

For anything complex use the template lookup plugin (see examples) or the template module with parameter src.

host

aliases: hostname

string

IP Address or hostname of APIC resolvable by Ansible control host.

If the value is not specified in the task, the value of environment variable ACI_HOST will be used instead.

method

aliases: action

string

The HTTP method of the request.

Using delete is typically used for deleting objects.

Using get is typically used for querying objects.

Using post is typically used for modifying objects.

Choices:

  • "delete"

  • "get" ← (default)

  • "post"

output_level

string

Influence the output of this ACI module.

normal means the standard output, incl. current dict

info adds informational output, incl. previous, proposed and sent dicts

debug adds debugging output, incl. filter_string, method, response, status and url information

If the value is not specified in the task, the value of environment variable ACI_OUTPUT_LEVEL will be used instead.

Choices:

  • "debug"

  • "info"

  • "normal" ← (default)

output_path

string

Path to a file that will be used to dump the ACI JSON configuration objects generated by the module.

If the value is not specified in the task, the value of environment variable ACI_OUTPUT_PATH will be used instead.

page

integer

The page number to return.

page_size

integer

The number of items to return in a single page.

password

string

The password to use for authentication.

This option is mutual exclusive with private_key. If private_key is provided too, it will be used instead.

If the value is not specified in the task, the value of environment variables ACI_PASSWORD or ANSIBLE_NET_PASSWORD will be used instead.

path

aliases: uri

string / required

URI being used to execute API calls.

Must end in .xml or .json.

port

integer

Port number to be used for REST connection.

The default value depends on parameter use_ssl.

If the value is not specified in the task, the value of environment variable ACI_PORT will be used instead.

private_key

aliases: cert_key

string

Either a PEM-formatted private key file or the private key content used for signature-based authentication.

This value also influences the default certificate_name that is used.

This option is mutual exclusive with password. If password is provided too, it will be ignored.

If the value is not specified in the task, the value of environment variable ACI_PRIVATE_KEY or ANSIBLE_NET_SSH_KEYFILE will be used instead.

rsp_subtree_preserve

boolean

Preserve the response for the provided path.

Choices:

  • false ← (default)

  • true

src

aliases: config_file

path

Name of the absolute path of the filename that includes the body of the HTTP request being sent to the ACI fabric.

If you require a templated payload, use the content parameter together with the template lookup plugin, or use template.

suppress_previous

aliases: no_previous, ignore_previous

boolean

If true, a GET to check previous will not be sent before a POST update to APIC.

If the value is not specified in the task, the value of environment variable ACI_SUPPRESS_PREVIOUS will be used instead.

The default value is false.

WARNING - This causes the previous return value to be empty.

The previous state of the object will not be checked and the POST update will contain all properties.

Choices:

  • false

  • true

suppress_verification

aliases: no_verification, no_verify, suppress_verify, ignore_verify, ignore_verification

boolean

If true, a verifying GET will not be sent after a POST update to APIC.

If the value is not specified in the task, the value of environment variable ACI_SUPPRESS_VERIFICATION will be used instead.

The default value is false.

WARNING - This causes the current return value to be set to the proposed value.

The current object including default values will be unverifiable in a single task.

Choices:

  • false

  • true

timeout

integer

The socket level timeout in seconds.

If the value is not specified in the task, the value of environment variable ACI_TIMEOUT will be used instead.

The default value is 30.

use_proxy

boolean

If false, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

If the value is not specified in the task, the value of environment variable ACI_USE_PROXY will be used instead.

The default value is true.

Choices:

  • false

  • true

use_ssl

boolean

If false, an HTTP connection will be used instead of the default HTTPS connection.

If the value is not specified in the task, the value of environment variable ACI_USE_SSL will be used instead.

The default value is true when the connection is local.

Choices:

  • false

  • true

username

aliases: user

string

The username to use for authentication.

If the value is not specified in the task, the value of environment variables ACI_USERNAME or ANSIBLE_NET_USERNAME will be used instead.

The default value is admin.

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only set to false when used on personally controlled sites using self-signed certificates.

If the value is not specified in the task, the value of environment variable ACI_VALIDATE_CERTS will be used instead.

The default value is true.

Choices:

  • false

  • true

Notes

Note

  • Certain payloads are known not to be idempotent, so be careful when constructing payloads, e.g. using status="created" will cause idempotency issues, use status="modified" instead. More information in :ref:`the ACI documentation <aci_guide_known_issues>`.

  • Certain payloads (and used paths) are known to report no changes happened when changes did happen. This is a known APIC problem and has been reported to the vendor. A workaround for this issue exists. More information in :ref:`the ACI documentation <aci_guide_known_issues>`.

  • XML payloads require the lxml and xmljson python libraries. For JSON payloads nothing special is needed.

  • If you do not have any attributes, it may be necessary to add the “attributes” key with an empty dictionnary “{}” for value as the APIC does expect the entry to precede any children.

  • Annotation set directly in c(src) or content will take precedent over the annotation parameter.

See Also

See also

cisco.aci.aci_tenant

Manage tenants (fv:Tenant).

Cisco APIC REST API Configuration Guide

More information about the APIC REST API.

Cisco ACI Guide

Detailed information on how to manage your ACI infrastructure using Ansible.

Developing Cisco ACI modules

Detailed guide on how to write your own Cisco ACI modules to contribute.

Examples

- name: Add a tenant using certificate authentication
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    method: post
    path: /api/mo/uni.xml
    src: /home/cisco/ansible/aci/configs/aci_config.xml
  delegate_to: localhost

- name: Add a tenant from a templated payload file from templates/
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    method: post
    path: /api/mo/uni.xml
    content: "{{ lookup('template', 'aci/tenant.xml.j2') }}"
  delegate_to: localhost

- name: Add a tenant using inline YAML
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: false
    path: /api/mo/uni.json
    method: post
    content:
      fvTenant:
        attributes:
          name: Sales
          descr: Sales department
  delegate_to: localhost

- name: Add a tenant using a JSON string
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: false
    path: /api/mo/uni.json
    method: post
    content:
      {
        "fvTenant": {
          "attributes": {
            "name": "Sales",
            "descr": "Sales department"
          }
        }
      }
  delegate_to: localhost

- name: Add a tenant using an XML string
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/{{ aci_username }}.key
    validate_certs: false
    path: /api/mo/uni.xml
    method: post
    content: '<fvTenant name="Sales" descr="Sales departement"/>'
  delegate_to: localhost

- name: Get tenants using password authentication
  cisco.aci.aci_rest:
    host: apic
    username: admin
    password: SomeSecretPassword
    method: get
    path: /api/node/class/fvTenant.json
  delegate_to: localhost
  register: query_result

- name: Get first 5 tenants using password authentication and pagination
  cisco.aci.aci_rest:
    host: apic
    username: admin
    password: SomeSecretPassword
    method: get
    page_size: 5
    path: /api/node/class/fvTenant.json
  delegate_to: localhost
  register: query_result

- name: Configure contracts
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    method: post
    path: /api/mo/uni.xml
    src: /home/cisco/ansible/aci/configs/contract_config.xml
  delegate_to: localhost

- name: Register leaves and spines
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: false
    method: post
    path: /api/mo/uni/controller/nodeidentpol.xml
    content:
      <fabricNodeIdentPol>
        <fabricNodeIdentP name="{{ item.name }}" nodeId="{{ item.nodeid }}" status="{{ item.status }}" serial="{{ item.serial }}"/>
      </fabricNodeIdentPol>
  with_items:
    - '{{ apic_leavesspines }}'
  delegate_to: localhost

- name: Wait for all controllers to become ready
  cisco.aci.aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: false
    path: /api/node/class/topSystem.json?query-target-filter=eq(topSystem.role,"controller")
  register: apics
  until: "'totalCount' in apics and apics.totalCount|int >= groups['apic']|count"
  retries: 120
  delay: 30
  delegate_to: localhost
  run_once: true

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

error_code

integer

The REST ACI return code, useful for troubleshooting on failure

Returned: always

Sample: 122

error_text

string

The REST ACI descriptive text, useful for troubleshooting on failure

Returned: always

Sample: "unknown managed object class foo"

imdata

string

Converted output returned by the APIC REST (register this for post-processing)

Returned: always

Sample: "[{'error': {'attributes': {'code': '122', 'text': 'unknown managed object class foo'}}}]"

payload

string

The (templated) payload send to the APIC REST API (xml or json)

Returned: always

Sample: "<foo bar=\"boo\"/>"

raw

string

The raw output returned by the APIC REST API (xml or json)

Returned: parse error

Sample: "<?xml version=\"1.0\" encoding=\"UTF-8\"?><imdata totalCount=\"1\"><error code=\"122\" text=\"unknown managed object class foo\"/></imdata>"

response

string

HTTP response string

Returned: always

Sample: "HTTP Error 400: Bad Request"

status

integer

HTTP status code

Returned: always

Sample: 400

totalCount

string

Number of items in the imdata array

Returned: always

Sample: "0"

url

string

URL used for APIC REST call

Returned: success

Sample: "https://1.2.3.4/api/mo/uni/tn-[Dag].json?rsp-subtree=modified"

Authors

  • Dag Wieers (@dagwieers)

  • Cindy Zhao (@cizhao)

  • Samita Bhattacharjee (@samitab)