Closed alexanderdeca closed 5 months ago
Are you trying to update an existing MCP key that was previously provisioned using NaC?
Hi,
Yes, through NaC, or when a key is already set manually on the GUI, so I wasn't sure whether this would work or whether we need to clear the key first through the GUI?
Cheers
Alexander
I believe this is because of:
```hcl
lifecycle {
  ignore_changes = [content["key"]]
}
```
So Terraform ignores "key" even though it is set in the data model.
https://github.com/netascode/terraform-aci-nac-aci/blob/main/modules/terraform-aci-mcp/main.tf
BTW, can we remove mcpInstPol from defaults? I don't like that it's generated automatically when I start managing access policies. The same applies to the QoS policy.
defaults.yml
```yaml
mcp:
  admin_state: true
  per_vlan: true
  action: true
  key: cisco
  loop_detection: 3
  initial_delay: 180
  frequency_sec: 2
  frequency_msec: 0
```
This is what was generated once I set manage_access_policies to True without specifying anything under "access_policies" in the data model:
```
  # module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol will be created
  + resource "aci_rest_managed" "mcpInstPol" {
      + annotation = "orchestrator:terraform"
      + class_name = "mcpInstPol"
      + content    = {
          + "adminSt"        = "enabled"
          + "ctrl"           = "pdu-per-vlan"
          + "initDelayTime"  = "180"
          + "key"            = (sensitive value)
          + "loopDetectMult" = "3"
          + "loopProtectAct" = "port-disable"
          + "txFreq"         = "2"
          + "txFreqMsec"     = "0"
        }
      + dn         = "uni/infra/mcpInstP-default"
      + id         = (known after apply)
    }

  # module.aci.module.aci_qos[0].aci_rest_managed.qosInstPol will be created
  + resource "aci_rest_managed" "qosInstPol" {
      + annotation = "orchestrator:terraform"
      + class_name = "qosInstPol"
      + content    = {
          + "ctrl" = ""
        }
      + dn         = "uni/infra/qosinst-default"
      + id         = (known after apply)
    }
```
Defaults also pose the risk of changing the MCP secret (defaulting to "cisco") on an environment that is up and running. Somebody who's not aware of this might deploy a new secret unintentionally.
Also, this was mentioned on a community forum, so I think this becomes a road blocker for more people: https://community.cisco.com/t5/other-data-center-subjects/nac-issue-with-module-quot-aci-rest-managed-mcpinstpol-quot/m-p/5051450#M23
There are a few limitations due to the fact that we cannot read/retrieve an MCP key, which equally applies to other sensitive information like BGP passwords, for example. Because of this, we have to use the ignore_changes option, as we would otherwise always have a diff in every plan. When using ignore_changes for a specific attribute (like the MCP key), it will ignore any changes to that attribute (either in config or infra). If you want to change the MCP key after having created the resource already, we can use the following CLI option to push the updated config again:
```
terraform apply -replace="module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol"
```
The other question is why we are pushing the MCP configuration by default (in case manage_access_policies is enabled). This is because it is a best practice to enable MCP, and we want NaC to configure the global settings according to best practices by default. The same is true for fabric policies. In case you don't want NaC to configure a specific part of the configuration, you can always selectively disable modules by adding a configuration like the one below to the data model:
```yaml
modules:
  aci_mcp: false
```
A list of all modules can be found here: https://github.com/netascode/terraform-aci-nac-aci/blob/main/defaults/modules.yaml
I will close this for now.
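The two risks raised in this thread, the default key `cisco` being pushed when nothing is set under `access_policies`, and `ignore_changes` hiding a key rotation so that only `-replace` actually applies it, can be caught before `terraform apply`. The following pre-apply check is an added example written for this thread; it is not part of the netascode project. It assumes the data model and defaults are already loaded as dicts (as a YAML loader would return them), that the defaults nest `mcp` under `apic.access_policies` (the page only shows the `mcp:` fragment), and that the caller records a fingerprint of the last applied key, since the key cannot be read back from the APIC.

```python
"""Pre-apply checks for the NaC MCP instance policy (added example, not NaC code)."""
import hashlib

# Constructed stand-in for defaults.yml, with the values quoted in this issue.
# Nesting under apic.access_policies is an assumption about the project layout.
DEFAULTS = {
    "apic": {"access_policies": {"mcp": {
        "admin_state": True, "per_vlan": True, "action": True, "key": "cisco",
        "loop_detection": 3, "initial_delay": 180,
        "frequency_sec": 2, "frequency_msec": 0}}},
    "modules": {"aci_mcp": True},
}

DEFAULT_KEY = "cisco"
# Resource address from the maintainer's -replace command.
MCP_ADDRESS = "module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol"


def deep_merge(base, override):
    """Return base updated by override, recursing into nested dicts."""
    merged = dict(base)
    for k, v in override.items():
        if isinstance(v, dict) and isinstance(merged.get(k), dict):
            merged[k] = deep_merge(merged[k], v)
        else:
            merged[k] = v
    return merged


def mcp_findings(data_model, manage_access_policies, defaults=DEFAULTS):
    """List the risky cases for what NaC would push as mcpInstPol.

    Nothing is pushed when access policies are not managed or when the
    module is disabled with `modules: aci_mcp: false`.
    """
    findings = []
    if not manage_access_policies:
        return findings
    effective = deep_merge(defaults, data_model)
    if not effective.get("modules", {}).get("aci_mcp", True):
        return findings
    user_mcp = (data_model.get("apic", {})
                .get("access_policies", {})
                .get("mcp", {}))
    key = effective["apic"]["access_policies"]["mcp"]["key"]
    if "key" not in user_mcp:
        findings.append("mcp key not set in data model: defaults will push it")
    if key == DEFAULT_KEY:
        findings.append(f"mcp key is the documented default {DEFAULT_KEY!r}")
    return findings


def key_fingerprint(key):
    """Hash of the applied key, kept locally because the APIC will not return it."""
    return hashlib.sha256(key.encode()).hexdigest()


def rotation_command(previous_fingerprint, new_key):
    """ignore_changes hides a key change from the plan; return the -replace
    command when the key really changed, or None when it is unchanged."""
    if key_fingerprint(new_key) == previous_fingerprint:
        return None
    return f'terraform apply -replace="{MCP_ADDRESS}"'


if __name__ == "__main__":
    # Constructed data model mirroring the one in the original issue.
    model = {"apic": {"access_policies": {"mcp": {
        "action": False, "admin_state": True, "frequency_sec": 5,
        "initial_delay": 300, "loop_detection": 5, "per_vlan": True,
        "key": "$ECRETKEY1"}}}}
    print("empty data model:", mcp_findings({}, True))
    print("issue data model:", mcp_findings(model, True))
    print(rotation_command(key_fingerprint("old-key"), "$ECRETKEY1"))
```

Run this in CI before `terraform apply`: an empty data model with `manage_access_policies` enabled yields both findings, a data model that sets its own key yields none, and `rotation_command` prints the exact `-replace` invocation only when the stored fingerprint no longer matches the key in the data model.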
```yaml
apic:
  access_policies:
    mcp:
      action: false
      admin_state: true
      frequency_sec: 5
      initial_delay: 300
      loop_detection: 5
      per_vlan: true
      key: $ECRETKEY1
```
```
Error: The post rest request failed

  with module.nac-aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol,
  on .terraform/modules/nac-aci/modules/terraform-aci-mcp/main.tf line 1, in resource "aci_rest_managed" "mcpInstPol":
   1: resource "aci_rest_managed" "mcpInstPol" {

Code: 400 Response: [map[error:map[attributes:map[code:182 text:Password is required for MCP Instance Policy.]]]], err: %!s(). Please report this issue to the provider developers.
```
Leaving that aside, when pushing this configuration or when changing the key, nothing changes when hitting terraform apply.
Not sure if this is expected behavior?
NaC version = 0.8.1, Terraform module = v2.13.2