netascode / terraform-aci-nac-aci

Terraform Cisco ACI Nexus-as-Code Module
https://registry.terraform.io/modules/netascode/nac-aci/aci
Apache License 2.0

MCP key configuration not pushed to ACI #64

Closed alexanderdeca closed 1 month ago

alexanderdeca commented 4 months ago

    apic:
      access_policies:
        mcp:
          action: false
          admin_state: true
          frequency_sec: 5
          initial_delay: 300
          loop_detection: 5
          per_vlan: true
          key: $ECRETKEY1

    Error: The post rest request failed

      with module.nac-aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol,
      on .terraform/modules/nac-aci/modules/terraform-aci-mcp/main.tf line 1, in resource "aci_rest_managed" "mcpInstPol":
       1: resource "aci_rest_managed" "mcpInstPol" {

    Code: 400 Response: [map[error:map[attributes:map[code:182 text:Password is required for MCP Instance Policy.]]]], err: %!s(). Please report this issue to the provider developers.

The key is not taken into account when pushing this configuration, and when changing the key nothing changes when running terraform apply.

Not sure if this is expected behavior?

NaC version = 0.8.1
Terraform module = v2.13.2

danischm commented 3 months ago

Are you trying to update an existing MCP key that was previously provisioned using NaC?

alexanderdeca commented 3 months ago

Hi,

Yes, through NaC, or when a key is already set manually in the GUI. So I wasn't sure whether this would work or whether we need to clear the key first through the GUI?

Cheers

Alexander


mfr-6 commented 3 months ago

I believe this is because of:

  lifecycle {
    ignore_changes = [content["key"]]
  }

So Terraform ignores "key" even though it is set in the data model.

https://github.com/netascode/terraform-aci-nac-aci/blob/main/modules/terraform-aci-mcp/main.tf

BTW, can we remove mcpInstPol from the defaults? I don't like that it's generated automatically when I started managing access policies. The same applies to the QoS policy.

defaults.yml

      mcp:
        admin_state: true
        per_vlan: true
        action: true
        key: cisco
        loop_detection: 3
        initial_delay: 180
        frequency_sec: 2
        frequency_msec: 0

This is what was generated once I set manage_access_policies to True without specifying anything under "access_policies" in data model:

  # module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol will be created
  + resource "aci_rest_managed" "mcpInstPol" {
      + annotation = "orchestrator:terraform"
      + class_name = "mcpInstPol"
      + content    = {
          + "adminSt"        = "enabled"
          + "ctrl"           = "pdu-per-vlan"
          + "initDelayTime"  = "180"
          + "key"            = (sensitive value)
          + "loopDetectMult" = "3"
          + "loopProtectAct" = "port-disable"
          + "txFreq"         = "2"
          + "txFreqMsec"     = "0"
        }
      + dn         = "uni/infra/mcpInstP-default"
      + id         = (known after apply)
    }

  # module.aci.module.aci_qos[0].aci_rest_managed.qosInstPol will be created
  + resource "aci_rest_managed" "qosInstPol" {
      + annotation = "orchestrator:terraform"
      + class_name = "qosInstPol"
      + content    = {
          + "ctrl" = ""
        }
      + dn         = "uni/infra/qosinst-default"
      + id         = (known after apply)
    }

Defaults also pose the risk of changing the MCP secret (default "cisco") on an environment that is up and running. Somebody who's not aware of this might deploy a new secret unintentionally.

mfr-6 commented 3 months ago

Also, this was mentioned on a community forum, so I think this is becoming a road blocker for more people: https://community.cisco.com/t5/other-data-center-subjects/nac-issue-with-module-quot-aci-rest-managed-mcpinstpol-quot/m-p/5051450#M23

danischm commented 3 months ago

There are a few limitations due to the fact that we cannot read/retrieve an MCP key, which equally applies to other sensitive information like BGP passwords for example. Because of this, we have to use the ignore_changes option, as we would otherwise always have a diff in every plan. When using ignore_changes for a specific attribute (like the MCP key), it will ignore any changes to that attribute (either in config or infra). If you want to change the MCP key after having created the resource already, we can use the following CLI option to push the updated config again:

 terraform apply -replace="module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol"

The other question is, why are we pushing the MCP configuration by default (in case manage_access_policies is enabled). This is because it is a best practice to enable MCP and we want NaC to configure the global settings according to best practices by default. The same is true for fabric policies. In case you don't want NaC to configure a specific part of the configuration you can always selectively disable modules by adding a configuration like the one below to the data model:

modules:
  aci_mcp: false

A list of all modules can be found here: https://github.com/netascode/terraform-aci-nac-aci/blob/main/defaults/modules.yaml
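The two pitfalls discussed in this thread, the default key being pushed unnoticed and a rotated key being silently ignored because of ignore_changes, can be caught before apply. The following pre-apply check is an added example, not code from the NaC module or from anyone in this thread; it assumes the data model has already been parsed into nested dicts (e.g. with PyYAML), uses a simplified version of the NaC defaults merge, takes the module flag `aci_mcp` as enabled by default, and uses the resource address from the `-replace` command above, which assumes the root module is called `aci`.

```python
from copy import deepcopy

# Defaults as quoted in the thread's defaults.yml; the modules flag is assumed
# to be enabled by default (the full list lives in defaults/modules.yaml).
NAC_DEFAULTS = {
    "apic": {"access_policies": {"mcp": {
        "admin_state": True, "per_vlan": True, "action": True, "key": "cisco",
        "loop_detection": 3, "initial_delay": 180, "frequency_sec": 2,
        "frequency_msec": 0}}},
    "modules": {"aci_mcp": True},
}
# Resource address from the thread; assumes the root module is named "aci".
MCP_ADDRESS = "module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol"

F_UNSET = "MCP key not set in data model; shipped default would be pushed to uni/infra/mcpInstP-default"
F_DEFAULT = "MCP key equals the shipped default"
F_ROTATE = "MCP key changed, but lifecycle ignore_changes hides the diff; a plain apply is a no-op"


def deep_merge(base, overlay):
    """Overlay nested dicts; overlay scalars win (simplified NaC merge)."""
    out = deepcopy(base)
    for k, v in overlay.items():
        if isinstance(v, dict) and isinstance(out.get(k), dict):
            out[k] = deep_merge(out[k], v)
        else:
            out[k] = deepcopy(v)
    return out


def check_mcp(user_model, previous_key=None):
    """Return (findings, commands) for the MCP key in a NaC data model.

    previous_key is the key currently on the fabric, supplied from the
    operator's own secret store: APIC never returns it, so it cannot be read back.
    """
    findings, commands = [], []
    merged = deep_merge(NAC_DEFAULTS, user_model)
    if not merged["modules"].get("aci_mcp", True):
        return findings, commands  # module disabled: mcpInstPol is not managed
    user_mcp = user_model.get("apic", {}).get("access_policies", {}).get("mcp", {})
    key = merged["apic"]["access_policies"]["mcp"]["key"]
    if "key" not in user_mcp:
        findings.append(F_UNSET)
    elif key == NAC_DEFAULTS["apic"]["access_policies"]["mcp"]["key"]:
        findings.append(F_DEFAULT)
    if previous_key is not None and key != previous_key:
        findings.append(F_ROTATE)  # only -replace pushes the new key
        commands.append(f'terraform apply -replace="{MCP_ADDRESS}"')
    return findings, commands
```

Run it against the data model from the opening post with the previously applied key to get the exact `-replace` command to use.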

danischm commented 1 month ago

I will close this for now.