netascode / terraform-aci-nac-aci

Terraform Cisco ACI Nexus-as-Code Module
https://registry.terraform.io/modules/netascode/nac-aci/aci
Apache License 2.0

Question - Pod Policies and auto generation. #71

Open jorgenspange opened 3 months ago

jorgenspange commented 3 months ago

While trying to apply pod policies it fails like this:

╷
│ Error: The post rest request failed
│
│   with module.aci.module.aci_fabric_pod_profile_auto["1"].aci_rest_managed.fabricRsPodPGrp["pod-1"],
│   on .terraform/modules/aci/modules/terraform-aci-fabric-pod-profile/main.tf line 35, in resource "aci_rest_managed" "fabricRsPodPGrp":
│   35: resource "aci_rest_managed" "fabricRsPodPGrp" {
│
│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Validation failed: Validation failed: there is POD selector of type ALL and one of type range. Last considered for validation:
│ Dn0=uni/fabric/podprof-default/pods-default-typ-ALL, ]]]], err: %!s(<nil>). Please report this issue to the provider developers.

Here is my pod policy config:

---
apic:
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

If I try to add this to the fabric policies:

---
apic:
 fabric_policies:
   pod_profiles:
     - name: default
       selectors:
         - name: default 
           type: all
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

It fails like this:

│ Error: The post rest request failed
│
│   with module.aci.module.aci_fabric_pod_profile_manual["pod-1"].aci_rest_managed.fabricPodS["pod-1"],
│   on .terraform/modules/aci/modules/terraform-aci-fabric-pod-profile/main.tf line 25, in resource "aci_rest_managed" "fabricPodS":
│   25: resource "aci_rest_managed" "fabricPodS" {
│
│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Validation failed: POD Ids overlap. Dn0=uni/fabric/podprof-pod-1, ]]]], err: %!s(<nil>). Please report this issue to the provider developers.
╵

I'm having this enabled:

apic:
  auto_generate_switch_pod_profiles: true
  auto_generate_pod_profiles: true
  fabric_policies:
    pod_profile_name: "pod-\\g<id>"
    pod_profile_pod_selector_name: "pod-\\g<id>"

Not quite sure about how the auto generation things work either, so if someone could explain that as well it would be awesome.

juchowan commented 3 months ago

auto_generate_switch_pod_profiles - will auto generate all your switch profiles, switch selectors, interface profiles, interface selectors and pod profile

auto_generate_pod_profiles - will auto generate pod profile

The auto generated pod profile will have in this case "pod-1" name and "pod-1" selector name with type "range" and selector "1" taken from the pod policies configuration.

On a fresh fabric there is usually some pre-created pod profile, that should have no policy group applied. Please verify in your setup if there is no policy group applied there, if there is the same policy, you might see the first error you pasted.

Not sure what you pasted in fabric_policies, the code seems to be a copy of pod_policies, but if you want to create the pod profile manually, you need to disable the auto generation.

jorgenspange commented 3 months ago

@juchowan thanks for your answer:

This is the entire file:

---
apic:
  version: "5.2.8h"
  auto_generate_switch_pod_profiles: true
  auto_generate_pod_profiles: true
  # auto_generate_fabric_leaf_switch_interface_profiles: true
  # auto_generate_fabric_spine_switch_interface_profiles: true
  # auto_generate_access_leaf_switch_interface_profiles: true
  # auto_generate_access_spine_switch_interface_profiles: true
  # new_interface_configuration: true
  fabric_policies:
    leaf_switch_profile_name: "leaf-\\g<id>"
    leaf_interface_profile_name: "leaf-\\g<id>"
    leaf_switch_selector_name: "leaf-\\g<id>"
    spine_switch_profile_name: "spine-\\g<id>"
    spine_interface_profile_name: "spine-\\g<id>"
    spine_switch_selector_name: "spine-\\g<id>"
    pod_profile_name: "pod-\\g<id>"
    pod_profile_pod_selector_name: "pod-\\g<id>"
  access_policies:
    leaf_switch_profile_name: "leaf-\\g<id>"
    leaf_interface_profile_name: "leaf-\\g<id>"
    leaf_switch_selector_name: "leaf-\\g<id>"
    leaf_interface_selector_name: "eth-\\g<mod>-\\g<port>"
    leaf_interface_selector_sub_port_name: "eth-\\g<mod>-\\g<port>-\\g<sport>"
    fex_profile_name: "leaf-\\g<id>-fex-\\g<fex>"
    fex_interface_selector_name: "eth-\\g<mod>-\\g<port>"
    spine_switch_profile_name: "spine-\\g<id>"
    spine_interface_profile_name: "spine-\\g<id>"
    spine_switch_selector_name: "spine-\\g<id>"
    spine_interface_selector_name: "eth-\\g<mod>-\\g<port>"
    vpc_group_name: "vpc-\\g<switch1_id>-\\g<switch2_id>"

I would like to auto generate things, but would also be nice to override some values, it seems like the selector being range or all.

Sorry, realized now that I had pasted the wrong thing in my initial post, here is the correct one (also edited in the original post):

---
apic:
 fabric_policies:
   pod_profiles:
     - name: default
       selectors:
         - name: default 
           type: all
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

This will make it fail. Is it not possible to have selector being type all when auto-generating the pod-policies?

juchowan commented 3 months ago

If you want to configure range "all" under pod_profiles block manually, you need to disable auto-generation. For auto-generated pod profiles selector is always set to range, and will add each pod that you configure in pod policies. What's the use case that you need "all" to be added with auto generated profiles considering that each pod will get added there automatically?

jorgenspange commented 3 months ago

@juchowan it fails when I try to define v-tep pool in the code, because: «Validation failed: there is POD selector of type ALL and one of type range»

So I guess the best way was to define ALL, but if it's possible to do it another way, I'm more than happy.

juchowan commented 3 months ago

Can you share the code? The error you mention seems to be caused because you have one auto generated pod profile and another one either done manually from pod_profiles sections or manually in the fabric itself

andbyrne commented 1 month ago

---
apic:
 fabric_policies:
   pod_profiles:
     - name: default
       selectors:
         - name: default 
           type: all
 pod_policies:
   pods:
     - id: 1
       tep_pool: 10.4.96.0/19
       policy: default

You need to remove the pod_profiles section. This is not needed when using auto generation.

You also need to use a different policy group name than default. If you are just using the default policy group, then the existing default pod profile will already be taking effect and you don't need to configure anything.

If that is your intention, also remove the policy line from the pod configuration. Then update your auto generation lines to look as follows:

  # auto_generate_switch_pod_profiles: true
  # auto_generate_pod_profiles: true
  auto_generate_fabric_leaf_switch_interface_profiles: true
  auto_generate_fabric_spine_switch_interface_profiles: true
  auto_generate_access_leaf_switch_interface_profiles: true
  auto_generate_access_spine_switch_interface_profiles: true
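
A pre-flight check for the conflict discussed in this thread, as an added example that is not part of any comment here and not the module's own code: it lists the pod profiles auto-generation would create and flags a manual selector of type all next to them. The literal substitution of `\g<id>`, the skipping of pods without a policy, and the function names are assumptions of this example.

```python
# Added example, not project code. MODEL is constructed by merging the YAML
# snippets posted in this thread into one dict.
MODEL = {"apic": {
    "auto_generate_switch_pod_profiles": True,
    "auto_generate_pod_profiles": True,
    "fabric_policies": {
        "pod_profile_name": r"pod-\g<id>",
        "pod_profile_pod_selector_name": r"pod-\g<id>",
        "pod_profiles": [{"name": "default",
                          "selectors": [{"name": "default", "type": "all"}]}],
    },
    "pod_policies": {"pods": [
        {"id": 1, "tep_pool": "10.4.96.0/19", "policy": "default"}]},
}}
AUTO_FLAGS = ("auto_generate_switch_pod_profiles", "auto_generate_pod_profiles")


def generated_pod_profiles(model):
    """Pod profiles auto-generation would add: one range selector per pod."""
    apic = model.get("apic", {})
    if not any(apic.get(flag) for flag in AUTO_FLAGS):
        return []
    fp = apic.get("fabric_policies", {})
    def render(key, pod_id):  # assumption: literal replace; fallback is ours
        return fp.get(key, r"pod-\g<id>").replace(r"\g<id>", str(pod_id))
    out = []
    for pod in apic.get("pod_policies", {}).get("pods", []):
        if not pod.get("policy"):  # assumption: pods without a policy are skipped
            continue
        out.append({"name": render("pod_profile_name", pod["id"]),
                    "selector": render("pod_profile_pod_selector_name", pod["id"]),
                    "type": "range", "pod_id": pod["id"], "policy": pod["policy"]})
    return out


def findings(model):
    """Flag the combinations this thread reports as failing."""
    auto = generated_pod_profiles(model)
    fp = model.get("apic", {}).get("fabric_policies", {})
    result = []
    for prof in fp.get("pod_profiles", []):
        for sel in prof.get("selectors", []):
            if auto and sel.get("type") == "all":
                result.append(f"{prof['name']}/{sel['name']}: type all selector "
                              f"next to {len(auto)} auto-generated range selector(s)")
    for gen in auto:
        if gen["policy"] == "default":
            result.append(f"{gen['name']}: use a policy group name other than default")
    return result
```

Running `findings(MODEL)` on the posted configuration reports both the type all selector and the `default` policy group; removing `pod_profiles` and choosing another policy group name clears them.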

danischm commented 1 month ago

Does that answer your question?