
BGP password on `aci_l3out_bgp_peer` always report a change (Expected?) #645

Closed edudppaz closed 2 months ago

edudppaz commented 2 months ago

Community Note

Description

After configuring bgp_password via aci_l3out_bgp_peer, the BGP password is properly pushed to the APIC, but on subsequent runs of the same playbook, with the same string as the BGP password, the playbook reports a change.

I don't see any value on the APIC managed object from which the BGP password could be read (as this is a "secret"), so I'm guessing it is normal that Ansible cannot read this value and compare it with the invocation. But how are these cases usually handled? Is it the expected behaviour to always report a change?

Based on these lines in the module, it seems this is expected:

        # Only add bgp_password if it is set to handle changed status properly because password is not part of existing config
        if bgp_password:
            class_config["password"] = bgp_password

If that's the case, I think this should be mentioned in the documentation.

Affected Module Name(s):

APIC version and APIC Platform

Collection versions

Output/ Error message

TASK [Add a new BGP peer on a physical interface] **************************************************************************************************************************************************************************************************************************************************************************
changed: [localhost] => (item=tn_cml-l3out_aci_out_DC-101-192.168.10.8) => {
    "ansible_loop_var": "item",
    "changed": true,
    "current": [
        {
            "bgpPeerP": {
                "attributes": {
                    "addr": "192.168.10.8",
                    "addrTCtrl": "af-ucast",
                    "adminSt": "enabled",
                    "allowedSelfAsCnt": "3",
                    "annotation": "orchestrator:ansible",
                    "connectivityType": "tenant",
                    "ctrl": "",
                    "ctrlExt": "",
                    "descr": "",
                    "dn": "uni/tn-tn_cml/out-l3out_aci_out_DC/lnodep-l3out_aci_out_DC-NP/lifp-l3out_aci_out_DC-IP/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[pc_default_10G_tn_cml_2]]/peerP-[192.168.10.8]",
                    "name": "",
                    "nameAlias": "",
                    "peerCtrl": "bfd",
                    "privateASctrl": "",
                    "ttl": "1",
                    "userdom": ":all:",
                    "weight": "0"
                },
                "children": [
                    {
                        "bgpRsPeerPfxPol": {
                            "attributes": {
                                "annotation": "",
                                "tnBgpPeerPfxPolName": "default",
                                "userdom": "all"
                            }
                        }
                    },
                    {
                        "bgpAsP": {
                            "attributes": {
                                "annotation": "",
                                "asn": "65415",
                                "descr": "",
                                "name": "",
                                "nameAlias": "",
                                "userdom": ":all:"
                            }
                        }
                    }
                ]
            }
        }
    ],
    "invocation": {
        "module_args": {
            "address_type_controls": null,
            "admin_state": null,
            "allow_self_as_count": null,
            "annotation": "orchestrator:ansible",
            "bgp_controls": null,
            "bgp_infra_peer": null,
            "bgp_password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "bgp_peer_prefix_policy": null,
            "certificate_name": "ACIAdmin",
            "description": null,
            "host": "192.168.11.36",
            "interface_profile": "l3out_aci_out_DC-IP",
            "l3out": "l3out_aci_out_DC",
            "local_as_number": null,
            "local_as_number_config": null,
            "node_id": "101",
            "node_profile": "l3out_aci_out_DC-NP",
            "output_level": "normal",
            "output_path": null,
            "password": null,
            "path_ep": "pc_default_10G_tn_cml_2",
            "peer_controls": [
                "bfd"
            ],
            "peer_ip": "192.168.10.8",
            "peer_type": null,
            "pod_id": "1",
            "port": null,
            "private_asn_controls": null,
            "private_key": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "protocol": "https",
            "remote_asn": 65415,
            "route_control_profiles": null,
            "state": "present",
            "suppress_verification": null,
            "tenant": "tn_cml",
            "timeout": null,
            "transport_data_plane": null,
            "ttl": null,
            "use_proxy": null,
            "use_ssl": null,
            "username": "admin",
            "validate_certs": false,
            "weight": null
        }
    },
    "item": {
        "tenant_l3outs_domain": "tn_cml_l3out",
        "tenant_l3outs_name": "l3out_aci_out_DC",
        "tenant_l3outs_nodes_interfaces_bgp_peers_bfd": true,
        "tenant_l3outs_nodes_interfaces_bgp_peers_description": "My Desc",
        "tenant_l3outs_nodes_interfaces_bgp_peers_ip": "192.168.10.8",
        "tenant_l3outs_nodes_interfaces_bgp_peers_remote_as": 65415,
        "tenant_l3outs_nodes_interfaces_ip_a": "192.168.10.9/31",
        "tenant_l3outs_nodes_interfaces_mode": "regular",
        "tenant_l3outs_nodes_interfaces_port": "pc_default_10G_tn_cml_2",
        "tenant_l3outs_nodes_interfaces_type": "sub-interface",
        "tenant_l3outs_nodes_interfaces_vlan": 809,
        "tenant_l3outs_nodes_node_id": 101,
        "tenant_l3outs_nodes_router_id": "11.11.11.11",
        "tenant_l3outs_protocol": "bgp",
        "tenant_l3outs_vrf": "vrf_prod_test",
        "tenant_name": "tn_cml"
    },
    "mo": {
        "bgpPeerP": {
            "attributes": {
                "addr": "192.168.10.8",
                "annotation": "orchestrator:ansible",
                "dn": "uni/tn-tn_cml/out-l3out_aci_out_DC/lnodep-l3out_aci_out_DC-NP/lifp-l3out_aci_out_DC-IP/rspathL3OutAtt-[topology/pod-1/paths-101/pathep-[pc_default_10G_tn_cml_2]]/peerP-192.168.10.8",
                "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
                "peerCtrl": "bfd"
            },
            "children": [
                {
                    "bgpAsP": {
                        "attributes": {
                            "asn": "65415"
                        }
                    }
                }
            ]
        }
    }
}

*

Expected Behavior

The aci_l3out_bgp_peer task should not report a change if the BGP password is already configured.

Actual Behavior

aci_l3out_bgp_peer always reports a change when the bgp_password variable is set.

*

Playbook tasks to Reproduce

Configure a bgp_password variable in the playbook (I have tried both a plain string and reading it from Vault; the behaviour is the same).

*

Important Factoids

References

akinross commented 2 months ago

Hi @edudppaz,

Correct, the password is not returned by the query of the existing object, so when a password is provided this always causes a change. I will make a note of this in the documentation.