aci_rest - Direct access to the Cisco APIC REST API

New in version 2.4.

Synopsis

  • Enables the management of the Cisco ACI fabric through direct access to the Cisco APIC REST API.
  • Thanks to the idempotent nature of the APIC, this module is idempotent and reports changes.

Requirements

The below requirements are needed on the host that executes this module.

  • lxml (when using XML payload)
  • xmljson >= 0.1.8 (when using XML payload)
  • python 2.7+ (when using xmljson)

Parameters

Parameter Choices/Defaults Comments
certificate_name Default:
C(private_key) basename
The X.509 certificate name attached to the APIC AAA user used for signature-based authentication.
It defaults to the private_key basename, without extension.

aliases: cert_name
content
When used instead of src, sets the payload of the API request directly.
This may be convenient to template simple requests, for anything complex use the template module.
host
required
IP Address or hostname of APIC resolvable by Ansible control host.

aliases: hostname
method
    Choices:
  • delete
  • get
  • post
The HTTP method of the request.
Using delete is typically used for deleting objects.
Using get is typically used for querying objects.
Using post is typically used for modifying objects.

aliases: action
output_level
    Choices:
  • debug
  • info
  • normal
Influence the output of this ACI module.
normal means the standard output, incl. current dict
info means informational output, incl. previous, proposed and sent dicts
debug means debugging output, incl. filter_string, method, response, status and url information
password
required
The password to use for authentication.
path
required
URI being used to execute API calls.
Must end in .xml or .json.

aliases: uri
port Default:
443 (for https) and 80 (for http)
Port number to be used for REST connection.
private_key
PEM formatted file that contains your private key to be used for signature-based authentication.
The name of the key (without extension) is used as the certificate name in ACI, unless certificate_name is specified.

aliases: cert_key
src
Name of the absolute path of the filname that includes the body of the http request being sent to the ACI fabric.

aliases: config_file
timeout Default:
30
The socket level timeout in seconds.
use_proxy
    Choices:
  • no
  • yes
If no, it will not use a proxy, even if one is defined in an environment variable on the target hosts.
use_ssl
    Choices:
  • no
  • yes
If no, an HTTP connection will be used instead of the default HTTPS connection.
username
required
Default:
admin
The username to use for authentication.

aliases: user
validate_certs
    Choices:
  • no
  • yes
If no, SSL certificates will not be validated.
This should only set to no used on personally controlled sites using self-signed certificates.

Notes

Note

  • Certain payloads are known not to be idempotent, so be careful when constructing payloads, e.g. using status="created" will cause idempotency issues, use status="modified" instead. More information in the ACI documentation.
  • Certain payloads (and used paths) are known to report no changes happened when changes did happen. This is a known APIC problem and has been reported to the vendor. A workaround for this issue exists. More information in the ACI documentation.
  • XML payloads require the lxml and xmljson python libraries. For JSON payloads nothing special is needed.
  • More information regarding the APIC REST API is available from the Cisco APIC REST API Configuration Guide.
  • By default, if an environment variable <protocol>_proxy is set on the target host, requests will be sent through that proxy. This behaviour can be overridden by setting a variable for this task (see setting the environment), or by using the use_proxy option.
  • HTTP redirects can redirect from HTTP to HTTPS so you should be sure that your proxy environment for both protocols is correct.

Examples

- name: Add a tenant using certifcate authentication
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    method: post
    path: /api/mo/uni.xml
    src: /home/cisco/ansible/aci/configs/aci_config.xml
  delegate_to: localhost

- name: Add a tenant using inline YAML
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: no
    path: /api/mo/uni.json
    method: post
    content:
      fvTenant:
        attributes:
          name: Sales
          descr: Sales departement
  delegate_to: localhost

- name: Add a tenant using a JSON string
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: no
    path: /api/mo/uni.json
    method: post
    content:
      {
        "fvTenant": {
          "attributes": {
            "name": "Sales",
            "descr": "Sales departement"
          }
        }
      }
  delegate_to: localhost

- name: Add a tenant using an XML string
  aci_rest:
    host: apic
    username: admin
    private_key: pki/{{ aci_username}}.key
    validate_certs: no
    path: /api/mo/uni.xml
    method: post
    content: '<fvTenant name="Sales" descr="Sales departement"/>'
  delegate_to: localhost

- name: Get tenants using password authentication
  aci_rest:
    host: apic
    username: admin
    password: SomeSecretPassword
    method: get
    path: /api/node/class/fvTenant.json
  delegate_to: localhost

- name: Configure contracts
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    method: post
    path: /api/mo/uni.xml
    src: /home/cisco/ansible/aci/configs/contract_config.xml
  delegate_to: localhost

- name: Register leaves and spines
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: no
    method: post
    path: /api/mo/uni/controller/nodeidentpol.xml
    content: |
      <fabricNodeIdentPol>
        <fabricNodeIdentP name="{{ item.name }}" nodeId="{{ item.nodeid }}" status="{{ item.status }}" serial="{{ item.serial }}"/>
      </fabricNodeIdentPol>
  with_items:
  - '{{ apic_leavesspines }}'
  delegate_to: localhost

- name: Wait for all controllers to become ready
  aci_rest:
    host: apic
    username: admin
    private_key: pki/admin.key
    validate_certs: no
    path: /api/node/class/topSystem.json?query-target-filter=eq(topSystem.role,"controller")
  register: apics
  until: "'totalCount' in apics and apics.totalCount|int >= groups['apic']|count"
  retries: 120
  delay: 30
  delegate_to: localhost
  run_once: yes

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
error_code
int
always
The REST ACI return code, useful for troubleshooting on failure

Sample:
122
error_text
string
always
The REST ACI descriptive text, useful for troubleshooting on failure

Sample:
unknown managed object class foo
imdata
string
always
Converted output returned by the APIC REST (register this for post-processing)

Sample:
[{'error': {'attributes': {'text': 'unknown managed object class foo', 'code': '122'}}}]
payload
string
always
The (templated) payload send to the APIC REST API (xml or json)

Sample:
<foo bar="boo"/>
raw
string
parse error
The raw output returned by the APIC REST API (xml or json)

Sample:
<?xml version="1.0" encoding="UTF-8"?><imdata totalCount="1"><error code="122" text="unknown managed object class foo"/></imdata>
response
string
always
HTTP response string

Sample:
HTTP Error 400: Bad Request
status
int
always
HTTP status code

Sample:
400
totalCount
string
always
Number of items in the imdata array

Sample:
0
url
string
success
URL used for APIC REST call

Sample:
https://1.2.3.4/api/mo/uni/tn-[Dag].json?rsp-subtree=modified


Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

Author

  • Dag Wieers (@dagwieers)

Hint

If you notice any issues in this documentation you can edit this document to improve it.

© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.5/modules/aci_rest_module.html