CiscoISE / ansible-ise

Official repository for Cisco's Ansible collection for ISE
https://ciscoise.github.io/ansible-ise/
GNU General Public License v3.0

cisco.ise.egress_matrix_cell module returns 400 error if cell already exists #108

Open grg1bbs opened 11 months ago

grg1bbs commented 11 months ago

Prerequisites

Describe the bug

When running a play with module 'cisco.ise.egress_matrix_cell' to create a CTS egress matrix cell for the first time, the play completes and the configuration change is successful. When running the same play a subsequent time, the playbook fails with a 400 error such as:

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: } fatal: [ise32-3.ise.trappedunderise.com]: FAILED! => {"changed": false, "msg": "An error occured when executing operation. The error was: [400] - Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information\n{\n \"ERSResponse\" : {\n \"operation\" : \"POST-create-egressmatrixcell\",\n \"messages\" : [ {\n \"title\" : \"Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information\",\n \"type\" : \"ERROR\",\n \"code\" : \"CRUD operation exception\"\n } ],\n \"link\" : {\n \"rel\" : \"related\",\n \"href\" : \"https://ise32-3.ise.trappedunderise.com/ers/config/egressmatrixcell\",\n \"type\" : \"application/xml\"\n }\n }\n}"}

Expected behavior

The expected behaviour would be that the module recognises that the configuration already exists and skips the attempt to create the object again.

Environment (please complete the following information):

Ansible Playbook Code Example

  tasks:

#
# Get Security Group and SGACL IDs
#

  - name: Get default SGT ID - Employees
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Employees
      filterType: AND
    register: sgt_employees

  - name: Get default SGT ID - Developers
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Developers
      filterType: AND
    register: sgt_developers

#
# Create New SGTs & SGACLs
#

  - name: Create SGT - Shared_Services
    cisco.ise.sgt:
      <<: *ise_login
      state: present
      name: "Shared_Services"
      value: -1
    register: sgt_shared_services

  - name: Create SGACL - DENY_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "DENY_IP_ANY"
      aclcontent: "deny ip any any"
      description: "Deny IP Any"
      ipVersion: "IPV4"
    register: sgacl_deny_ip_any

  - name: Create SGACL - PERMIT_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "PERMIT_IP_ANY"
      aclcontent: "permit ip any any"
      description: "Permit IP Any"
      ipVersion: "IPV4"
    register: sgacl_permit_ip_any

#
# Create Egress Matrix
#

  - name: Create Egress Cell - Employees to Developers
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Deny Emp to Dev"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_developers.ise_response[0].id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-DEV"
      sgacls:
      - "{{ sgacl_deny_ip_any.ise_response.id }}"

  - name: Create Egress Cell - Employees to Shared_Services
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Permit Emp to Shared Svc"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_shared_services.ise_response.id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-SHARED"
      sgacls:
      - "{{ sgacl_permit_ip_any.ise_response.id }}"

The previous plays execute without error when running multiple times, so the following modules exhibit the expected behaviour.
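The following is an added example, not code from the cisco.ise collection or from this report. It models the check-before-create logic the report asks for: look the cell up first, create only when absent, and treat a duplicate-on-create (a lost race between lookup and POST) as "already present" instead of a failure. The ERS endpoint is replaced by a constructed in-memory fake that raises the same `[400] ... Cell Already Exsits` error as the page shows, so it runs offline. The assumption that ISE keys cell uniqueness on the source/destination SGT pair rather than on `name` is inferred from the error, not stated on the page.

```python
"""Added example: idempotent 'state: present' for an egress matrix cell.
Not the collection's own code; the ERS API is replaced by a constructed fake."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional
import uuid


class ERSError(Exception):
    """Mimics the [400] error ERS returns on a duplicate POST (constructed)."""

    def __init__(self, status: int, message: str):
        super().__init__(f"[{status}] - {message}")
        self.status = status
        self.message = message


@dataclass
class FakeERS:
    """Constructed stand-in for /ers/config/egressmatrixcell.
    POST fails with 400 if a cell for the same source/destination SGT pair
    already exists (assumption: that pair is what ISE enforces uniqueness on)."""

    cells: Dict[str, dict] = field(default_factory=dict)

    def get_all(self) -> List[dict]:
        return list(self.cells.values())

    def create(self, cell: dict) -> str:
        for existing in self.cells.values():
            same_pair = (existing["sourceSgtId"], existing["destinationSgtId"]) == (
                cell["sourceSgtId"], cell["destinationSgtId"])
            if same_pair:
                # Same wording (including the typo) as the ERS message on the page.
                raise ERSError(400, "Operation Egress Policy Matrix Create failed: "
                                    "Error : Cell Already Exsits !")
        cell_id = str(uuid.uuid4())
        self.cells[cell_id] = {"id": cell_id, **cell}
        return cell_id


def find_cell(ers: FakeERS, source_sgt_id: str, destination_sgt_id: str) -> Optional[dict]:
    """Look up an existing cell by its (source, destination) SGT pair."""
    for cell in ers.get_all():
        if cell["sourceSgtId"] == source_sgt_id and cell["destinationSgtId"] == destination_sgt_id:
            return cell
    return None


def _is_already_exists(exc: ERSError) -> bool:
    # Accept both the misspelt message seen on the page and the correct spelling.
    return exc.status == 400 and any(
        marker in exc.message for marker in ("Already Exsits", "Already Exists"))


def ensure_cell(ers: FakeERS, cell: dict) -> dict:
    """Idempotent create: returns changed=False when the cell is already there,
    whether the lookup found it or the POST reported a duplicate."""
    existing = find_cell(ers, cell["sourceSgtId"], cell["destinationSgtId"])
    if existing is not None:
        return {"changed": False, "id": existing["id"]}
    try:
        new_id = ers.create(cell)
    except ERSError as exc:
        if _is_already_exists(exc):
            existing = find_cell(ers, cell["sourceSgtId"], cell["destinationSgtId"])
            return {"changed": False, "id": existing["id"]}
        raise
    return {"changed": True, "id": new_id}


# Constructed sample cell mirroring the playbook's EMP-DEV task (IDs are placeholders).
SAMPLE_CELL = {
    "name": "EMP-DEV",
    "description": "Deny Emp to Dev",
    "sourceSgtId": "sgt-employees-placeholder",
    "destinationSgtId": "sgt-developers-placeholder",
    "matrixCellStatus": "ENABLED",
    "sgacls": ["sgacl-deny-ip-any-placeholder"],
}

if __name__ == "__main__":
    ers = FakeERS()
    print(ensure_cell(ers, SAMPLE_CELL))   # first run: changed=True
    print(ensure_cell(ers, SAMPLE_CELL))   # second run: changed=False, same id
```

Running `ensure_cell` twice is the "run the play twice" scenario from the report: the first call creates, the second finds the cell and returns `changed: false` without a POST. Calling `FakeERS.create` directly twice reproduces the non-idempotent behaviour and the 400. Until the module itself does this lookup, the same guard can be expressed in a playbook by querying existing cells with the collection's corresponding `_info` module and adding a `when:` condition to the create task.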

fmunozmiranda commented 1 day ago

Please provide us collection Debug