From dfe9d915e2dffbf1d67a90671c445cb1e4187c34 Mon Sep 17 00:00:00 2001
From: akinross
Date: Mon, 23 Oct 2023 17:05:57 +0200
Subject: [PATCH] [minor_change] add support for configuration of system fabric wide settings with aci_fabric_wide_settings module
---
 plugins/module_utils/constants.py | 2 +
 plugins/modules/aci_fabric_wide_settings.py | 318 ++++++++++++++++++
 .../targets/aci_fabric_wide_settings/aliases | 2 +
 .../aci_fabric_wide_settings/tasks/main.yml | 229 +++++++++++++
 4 files changed, 551 insertions(+)
 create mode 100644 plugins/modules/aci_fabric_wide_settings.py
 create mode 100644 tests/integration/targets/aci_fabric_wide_settings/aliases
 create mode 100644 tests/integration/targets/aci_fabric_wide_settings/tasks/main.yml
diff --git a/plugins/module_utils/constants.py b/plugins/module_utils/constants.py
index 2a6a3e883..7cd558744 100644
--- a/plugins/module_utils/constants.py
+++ b/plugins/module_utils/constants.py
@@ -88,3 +88,5 @@
 MATCH_SMU_OPERATION_MAPPING = dict(smu_install="smuInstall", smu_uninstall="smuUninstall")
 MATCH_SMU_OPERATION_FLAGS_MAPPING = dict(smu_reload_immediate="smuReloadImmediate", smu_reload_skip="smuReloadSkip")
+
+TLS_MAPPING = {"tls_v1.0": "TLSv1", "tls_v1.1": "TLSv1.1", "tls_v1.2": "TLSv1.2"}
diff --git a/plugins/modules/aci_fabric_wide_settings.py b/plugins/modules/aci_fabric_wide_settings.py
new file mode 100644
index 000000000..1bc7c28eb
--- /dev/null
+++ b/plugins/modules/aci_fabric_wide_settings.py
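Review bot: `TLS_MAPPING` makes `tls_v1.0` and `tls_v1.1` selectable alongside `tls_v1.2` without any hint that TLS 1.0 and 1.1 are deprecated protocol versions (RFC 8996), and the same keys become the `choices` of `opflex_ssl_versions` in the new aci_fabric_wide_settings module, whose option description is equally silent. A comment on the constant such as `# TLS 1.0/1.1 are deprecated (RFC 8996); offered only for fabrics that still need them` and a matching line in the module's `opflex_ssl_versions` description (`- C(tls_v1.0) and C(tls_v1.1) are deprecated; prefer C(tls_v1.2) unless older switches require them.`) would steer users toward the secure value. The hunk header counts three old lines while only two context lines are visible, so a blank context line was presumably lost when the page was flattened.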
@@ -0,0 +1,318 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2023, Tim Cragg (@timcragg)
+# Copyright: (c) 2023, Akini Ross (@akinross)
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {"metadata_version": "1.1", "status": ["preview"], "supported_by": "certified"}
+
+DOCUMENTATION = r"""
+---
+module: aci_fabric_wide_settings
+short_description: Manage Fabric Wide Settings (infra:SetPol)
+description:
+- Manage Fabric Wide Settings on Cisco ACI fabrics.
+options:
+ disable_remote_ep_learning:
+ description:
+ - Whether to disable remote endpoint learning in VRFs containing external bridged/routed domains.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ enforce_subnet_check:
+ description:
+ - Whether to disable IP address learning on the outside of subnets configured in a VRF, for all VRFs.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ enforce_epg_vlan_validation:
+ description:
+ - Whether to perform a validation check that prevents overlapping VLAN pools from being associated to an EPG.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ enforce_domain_validation:
+ description:
+ - Whether to perform a validation check if a static path is added but no domain is associated to an EPG.
+ - Asking for domain validation is a one time operation. Once enabled, it cannot be disabled.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ spine_opflex_client_auth:
+ description:
+ - Whether to enforce Opflex client certificate authentication on spine switches for GOLF and Linux.
+ - The APIC defaults to C(true) when unset during creation.
+ type: bool
+ leaf_opflex_client_auth:
+ description:
+ - Whether to enforce Opflex client certificate authentication on leaf switches for GOLF and Linux.
+ - The APIC defaults to C(true) when unset during creation.
+ type: bool
+ spine_ssl_opflex:
+ description:
+ - Whether to enable SSL Opflex transport for spine switches.
+ - The APIC defaults to C(true) when unset during creation.
+ type: bool
+ leaf_ssl_opflex:
+ description:
+ - Whether to enable SSL Opflex transport for leaf switches.
+ - The APIC defaults to C(true) when unset during creation.
+ type: bool
+ opflex_ssl_versions:
+ description:
+ - Which versions of TLS to enable for Opflex.
+ - When setting any of the TLS versions, you must explicitly set the state for all of them.
+ type: list
+ elements: str
+ choices: [ tls_v1.0, tls_v1.1, tls_v1.2 ]
+ reallocate_gipo:
+ description:
+ - Whether to reallocate some non-stretched BD gipos to make room for stretched BDs.
+ - Asking for gipo reallocation is a one time operation. Once enabled, it cannot be disabled.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ restrict_infra_vlan_traffic:
+ description:
+ - Whether to restrict infra VLAN traffic to only specified network paths. These enabled network paths are defined by infra security entry policies.
+ - The APIC defaults to C(false) when unset during creation.
+ type: bool
+ state:
+ description:
+ - Use C(present) for updating configuration.
+ - Use C(query) for showing current configuration.
+ type: str
+ choices: [ present, query ]
+ default: present
+extends_documentation_fragment:
+- cisco.aci.aci
+- cisco.aci.annotation
+- cisco.aci.owner
+
+seealso:
+- name: APIC Management Information Model reference
+ description: More information about the internal APIC class B(infra:SetPol).
+ link: https://developer.cisco.com/docs/apic-mim-ref/
+author:
+- Tim Cragg (@timcragg)
+- Akini Ross (@akinross)
+"""
+
+EXAMPLES = r"""
+- name: Update Fabric Wide Settings
+ cisco.aci.aci_fabric_wide_settings:
+ host: apic
+ username: admin
+ password: SomeSecretPassword
+ disable_remote_ep_learning: true
+ enforce_epg_vlan_validation: true
+ state: present
+ delegate_to: localhost
+
+- name: Update Opflex SSL versions
+ cisco.aci.aci_fabric_wide_settings:
+ host: apic
+ username: admin
+ password: SomeSecretPassword
+ opflex_ssl_versions: [ tls_v1.2 ]
+ state: present
+ delegate_to: localhost
+
+- name: Query Fabric Wide Settings
+ cisco.aci.aci_fabric_wide_settings:
+ host: apic
+ username: admin
+ password: SomeSecretPassword
+ state: query
+ delegate_to: localhost
+ register: query_result
+"""
+
+RETURN = r"""
+current:
+ description: The existing configuration from the APIC after the module has finished
+ returned: success
+ type: list
+ sample:
+ [
+ {
+ "fvTenant": {
+ "attributes": {
+ "descr": "Production environment",
+ "dn": "uni/tn-production",
+ "name": "production",
+ "nameAlias": "",
+ "ownerKey": "",
+ "ownerTag": ""
+ }
+ }
+ }
+ ]
+error:
+ description: The error information as returned from the APIC
+ returned: failure
+ type: dict
+ sample:
+ {
+ "code": "122",
+ "text": "unknown managed object class foo"
+ }
+raw:
+ description: The raw output returned by the APIC REST API (xml or json)
+ returned: parse error
+ type: str
+ sample: ''
+sent:
+ description: The actual/minimal configuration pushed to the APIC
+ returned: info
+ type: list
+ sample:
+ {
+ "fvTenant": {
+ "attributes": {
+ "descr": "Production environment"
+ }
+ }
+ }
+previous:
+ description: The original configuration from the APIC before the module has started
+ returned: info
+ type: list
+ sample:
+ [
+ {
+ "fvTenant": {
+ "attributes": {
+ "descr": "Production",
+ "dn": "uni/tn-production",
+ "name": "production",
+ "nameAlias": "",
+ "ownerKey": "",
+ "ownerTag": ""
+ }
+ }
+ }
+ ]
+proposed:
+ description: The assembled configuration from the user-provided parameters
+ returned: info
+ type: dict
+ sample:
+ {
+ "fvTenant": {
+ "attributes": {
+ "descr": "Production environment",
+ "name": "production"
+ }
+ }
+ }
+filter_string:
+ description: The filter string used for the request
+ returned: failure or debug
+ type: str
+ sample: ?rsp-prop-include=config-only
+method:
+ description: The HTTP method used for the request to the APIC
+ returned: failure or debug
+ type: str
+ sample: POST
+response:
+ description: The HTTP response from the APIC
+ returned: failure or debug
+ type: str
+ sample: OK (30 bytes)
+status:
+ description: The HTTP status from the APIC
+ returned: failure or debug
+ type: int
+ sample: 200
+url:
+ description: The HTTP url used for the request to the APIC
+ returned: failure or debug
+ type: str
+ sample: https://10.11.12.13/api/mo/uni/tn-production.json
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.cisco.aci.plugins.module_utils.aci import ACIModule, aci_argument_spec, aci_annotation_spec, aci_owner_spec
+from ansible_collections.cisco.aci.plugins.module_utils.constants import TLS_MAPPING
+
+
+def main():
+ argument_spec = aci_argument_spec()
+ argument_spec.update(aci_annotation_spec())
+ argument_spec.update(aci_owner_spec())
+ argument_spec.update(
+ disable_remote_ep_learning=dict(type="bool"),
+ enforce_subnet_check=dict(type="bool"),
+ enforce_epg_vlan_validation=dict(type="bool"),
+ enforce_domain_validation=dict(type="bool"),
+ spine_opflex_client_auth=dict(type="bool"),
+ leaf_opflex_client_auth=dict(type="bool"),
+ spine_ssl_opflex=dict(type="bool"),
+ leaf_ssl_opflex=dict(type="bool"),
+ opflex_ssl_versions=dict(type="list", choices=list(TLS_MAPPING.keys()), elements="str"),
+ reallocate_gipo=dict(type="bool"),
+ restrict_infra_vlan_traffic=dict(type="bool"),
+ state=dict(type="str", default="present", choices=["present", "query"]),
+ )
+
+ module = AnsibleModule(
+ argument_spec=argument_spec,
+ supports_check_mode=True,
+ )
+
+ aci = ACIModule(module)
+
+ disable_remote_ep_learning = aci.boolean(module.params.get("disable_remote_ep_learning"))
+ enforce_subnet_check = aci.boolean(module.params.get("enforce_subnet_check"))
+ enforce_epg_vlan_validation = aci.boolean(module.params.get("enforce_epg_vlan_validation"))
+ enforce_domain_validation = aci.boolean(module.params.get("enforce_domain_validation"))
+ spine_opflex_client_auth = aci.boolean(module.params.get("spine_opflex_client_auth"))
+ leaf_opflex_client_auth = aci.boolean(module.params.get("leaf_opflex_client_auth"))
+ spine_ssl_opflex = aci.boolean(module.params.get("spine_ssl_opflex"))
+ leaf_ssl_opflex = aci.boolean(module.params.get("leaf_ssl_opflex"))
+ opflex_ssl_versions = module.params.get("opflex_ssl_versions")
+ reallocate_gipo = aci.boolean(module.params.get("reallocate_gipo"))
+ restrict_infra_vlan_traffic = aci.boolean(module.params.get("restrict_infra_vlan_traffic"))
+ state = module.params.get("state")
+
+ aci.construct_url(
+ root_class=dict(
+ aci_class="infraSetPol",
+ aci_rn="infra/settings",
+ ),
+ )
+
+ aci.get_existing()
+
+ if state == "present":
+ class_config = dict(
+ unicastXrEpLearnDisable=disable_remote_ep_learning,
+ enforceSubnetCheck=enforce_subnet_check,
+ validateOverlappingVlans=enforce_epg_vlan_validation,
+ domainValidation=enforce_domain_validation,
+ opflexpAuthenticateClients=spine_opflex_client_auth,
+ leafOpflexpAuthenticateClients=leaf_opflex_client_auth,
+ opflexpUseSsl=spine_ssl_opflex,
+ leafOpflexpUseSsl=leaf_ssl_opflex,
+ reallocateGipo=reallocate_gipo,
+ restrictInfraVLANTraffic=restrict_infra_vlan_traffic,
+ )
+ if opflex_ssl_versions is not None:
+ class_config["opflexpSslProtocols"] = ",".join([TLS_MAPPING.get(tls) for tls in sorted(opflex_ssl_versions)])
+
+ aci.payload(
+ aci_class="infraSetPol",
+ class_config=class_config,
+ )
+
+ aci.get_diff(aci_class="infraSetPol")
+
+ aci.post_config()
+
+ aci.exit_json()
+
+
+if __name__ == "__main__":
+ main()
diff --git a/tests/integration/targets/aci_fabric_wide_settings/aliases b/tests/integration/targets/aci_fabric_wide_settings/aliases
new file mode 100644
index 000000000..209b793f9
--- /dev/null
+++ b/tests/integration/targets/aci_fabric_wide_settings/aliases
@@ -0,0 +1,2 @@
+# No ACI simulator yet, so not enabled
+# unsupported
diff --git a/tests/integration/targets/aci_fabric_wide_settings/tasks/main.yml b/tests/integration/targets/aci_fabric_wide_settings/tasks/main.yml
new file mode 100644
index 000000000..526c8bee0
--- /dev/null
+++ b/tests/integration/targets/aci_fabric_wide_settings/tasks/main.yml
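Review bot: In the `state == "present"` branch of `main()`, `if opflex_ssl_versions is not None:` also lets an empty list through, so `opflex_ssl_versions: []` posts `opflexpSslProtocols` as an empty string; how the APIC treats an empty protocol list is not visible here, but it is at best an ambiguous request and at worst switches every Opflex TLS version off, so it should be rejected before the payload is built: `if opflex_ssl_versions is not None and not opflex_ssl_versions:` / `module.fail_json(msg="opflex_ssl_versions must contain at least one TLS version")`. Since `choices=list(TLS_MAPPING.keys())` already guarantees every element is a known key, `TLS_MAPPING[tls]` would fail loudly on a mapping mismatch where `TLS_MAPPING.get(tls)` silently joins `None` into the string. The RETURN samples still show `fvTenant` objects and `uni/tn-production` URLs copied from a tenant module rather than the `infraSetPol` object this module manages, which misleads anyone reading the generated documentation. The `enforce_domain_validation` and `reallocate_gipo` descriptions say the settings cannot be disabled once enabled, yet the module accepts `false` for both and sends it; a line in each description stating what happens when `false` is sent to an already-enabled fabric (rejected or ignored, whichever the APIC does) would save users a confusing run.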
@@ -0,0 +1,229 @@
+# Test code for the ACI modules
+# Copyright: (c) 2023, Tim Cragg (@timcragg)
+# Copyright: (c) 2023, Akini Ross (@akinross)
+
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+- name: Test that we have an ACI APIC host, ACI username and ACI password
+ fail:
+ msg: 'Please define the following variables: aci_hostname, aci_username and aci_password.'
+ when: aci_hostname is not defined or aci_username is not defined or aci_password is not defined
+
+- name: Set vars
+ set_fact:
+ aci_info: &aci_info
+ host: "{{ aci_hostname }}"
+ username: "{{ aci_username }}"
+ password: "{{ aci_password }}"
+ validate_certs: '{{ aci_validate_certs | default(false) }}'
+ use_ssl: '{{ aci_use_ssl | default(true) }}'
+ use_proxy: '{{ aci_use_proxy | default(true) }}'
+ output_level: '{{ aci_output_level | default("info") }}'
+
+- name: Verify Cloud and Non-Cloud Sites in use.
+ include_tasks: ../../../../../../integration/targets/aci_cloud_provider/tasks/main.yml
+
+- name: Execute tasks only for non-cloud sites
+ when: query_cloud.current == [] # This condition will skip execution for cloud sites
+ block:
+
+ # STORE EXISTING FABRIC WIDE SETTINGS
+ - name: Query system information
+ cisco.aci.aci_system:
+ <<: *aci_info
+ id: 1
+ state: query
+ register: version
+
+ - name: Capture existing Fabric Wide Settings
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_info
+ state: query
+ register: previous_settings
+
+ - name: Clear existing settings
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_info
+ disable_remote_ep_learning: false
+ enforce_subnet_check: false
+ enforce_epg_vlan_validation: false
+ spine_opflex_client_auth: false
+ spine_ssl_opflex: false
+
+ # SET FABRIC WIDE SETTINGS
+ - name: Execute tests for ACI v5+
+ when: version.current.0.topSystem.attributes.version is version('5', '>=')
+ block:
+
+ - name: Clear existing settings for ACI v5+
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_info
+ leaf_opflex_client_auth: false
+ leaf_ssl_opflex: false
+ restrict_infra_vlan_traffic: false
+ opflex_ssl_versions: [ tls_v1.2 ]
+
+ - name: Update Fabric Wide Settings for ACI v5+ (check_mode)
+ cisco.aci.aci_fabric_wide_settings: &aci_fab_settings_5
+ <<: *aci_info
+ disable_remote_ep_learning: true
+ enforce_subnet_check: true
+ enforce_epg_vlan_validation: true
+ spine_opflex_client_auth: true
+ leaf_opflex_client_auth: true
+ spine_ssl_opflex: true
+ leaf_ssl_opflex: true
+ restrict_infra_vlan_traffic: true
+ opflex_ssl_versions: [ tls_v1.1, tls_v1.2 ]
+ check_mode: true
+ register: cm_update_fab_settings
+
+ - name: Update Fabric Wide Settings for ACI v5+
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_fab_settings_5
+ register: nm_update_fab_settings
+
+ - name: Update Fabric Wide Settings Again for ACI v5+
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_fab_settings_5
+ register: nm_update_fab_settings_again
+
+ - name: Verify Fabric Wide Settings for ACI v5+
+ ansible.builtin.assert:
+ that:
+ - cm_update_fab_settings is changed
+ - nm_update_fab_settings is changed
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.leafOpflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.leafOpflexpUseSsl == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.restrictInfraVLANTraffic == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.opflexpSslProtocols == "TLSv1.1,TLSv1.2"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.unicastXrEpLearnDisable == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.enforceSubnetCheck == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.validateOverlappingVlans == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.opflexpAuthenticateClients == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.opflexpUseSsl == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.leafOpflexpAuthenticateClients == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.leafOpflexpUseSsl == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.restrictInfraVLANTraffic == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.opflexpSslProtocols == "TLSv1.2"
+ - nm_update_fab_settings_again is not changed
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.leafOpflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.leafOpflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.restrictInfraVLANTraffic == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.opflexpSslProtocols == "TLSv1.1,TLSv1.2"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.leafOpflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.leafOpflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.restrictInfraVLANTraffic == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.opflexpSslProtocols == "TLSv1.1,TLSv1.2"
+
+ - name: Execute tests for ACI
+ when: version.current.0.topSystem.attributes.version is version('5', '<')
+ block:
+
+ - name: Update Fabric Wide Settings (check_mode)
+ cisco.aci.aci_fabric_wide_settings: &aci_fab_settings
+ <<: *aci_info
+ disable_remote_ep_learning: true
+ enforce_subnet_check: true
+ enforce_epg_vlan_validation: true
+ spine_opflex_client_auth: true
+ spine_ssl_opflex: true
+ check_mode: true
+ register: cm_update_fab_settings
+
+ - name: Update Fabric Wide Settings
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_fab_settings
+ register: nm_update_fab_settings
+
+ - name: Update Fabric Wide Settings Again
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_fab_settings
+ register: nm_update_fab_settings_again
+
+ - name: Verify Fabric Wide Settings
+ ansible.builtin.assert:
+ that:
+ - cm_update_fab_settings is changed
+ - nm_update_fab_settings is changed
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings.current.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.unicastXrEpLearnDisable == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.enforceSubnetCheck == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.validateOverlappingVlans == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.opflexpAuthenticateClients == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.opflexpUseSsl == "no"
+ - nm_update_fab_settings.previous.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings_again is not changed
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.current.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - nm_update_fab_settings_again.previous.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo
+
+ # QUERY FABRIC WIDE SETTINGS
+ - name: Query Fabric Wide Settings
+ cisco.aci.aci_fabric_wide_settings:
+ <<: *aci_info
+ state: query
+ register: query_fab
+
+ - name: Verify Fabric Wide Settings queries
+ ansible.builtin.assert:
+ that:
+ - query_fab is not changed
+ - query_fab.current.0.infraSetPol.attributes.unicastXrEpLearnDisable == "yes"
+ - query_fab.current.0.infraSetPol.attributes.enforceSubnetCheck == "yes"
+ - query_fab.current.0.infraSetPol.attributes.validateOverlappingVlans == "yes"
+ - query_fab.current.0.infraSetPol.attributes.domainValidation == query_fab.current.0.infraSetPol.attributes.domainValidation
+ - query_fab.current.0.infraSetPol.attributes.opflexpAuthenticateClients == "yes"
+ - query_fab.current.0.infraSetPol.attributes.opflexpUseSsl == "yes"
+ - query_fab.current.0.infraSetPol.attributes.reallocateGipo == query_fab.current.0.infraSetPol.attributes.reallocateGipo
+
+ - name: Verify Fabric Wide Settings queries
+ ansible.builtin.assert:
+ that:
+ - query_fab is not changed
+ - query_fab.current.0.infraSetPol.attributes.leafOpflexpAuthenticateClients == "yes"
+ - query_fab.current.0.infraSetPol.attributes.leafOpflexpUseSsl == "yes"
+ - query_fab.current.0.infraSetPol.attributes.restrictInfraVLANTraffic == "yes"
+ - query_fab.current.0.infraSetPol.attributes.opflexpSslProtocols == "TLSv1.1,TLSv1.2"
+ when: version.current.0.topSystem.attributes.version is version('5', '>=')
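Review bot: The first `Verify Fabric Wide Settings queries` task compares two attributes with themselves, `query_fab.current.0.infraSetPol.attributes.domainValidation == query_fab.current.0.infraSetPol.attributes.domainValidation` and the same for `reallocateGipo`, so those two assertions can never fail; the update assertions above compare these one-time settings against `previous_settings`, and the query checks should too: `- query_fab.current.0.infraSetPol.attributes.domainValidation == previous_settings.current.0.infraSetPol.attributes.domainValidation` and `- query_fab.current.0.infraSetPol.attributes.reallocateGipo == previous_settings.current.0.infraSetPol.attributes.reallocateGipo`. The play captures `previous_settings` but never writes it back, so every run leaves the fabric with remote EP learning disabled, subnet check and VLAN validation enforced, Opflex client authentication and SSL switched on, and on v5+ fabrics Opflex limited to TLS 1.1/1.2; a closing task (ideally in an `always:` section of the non-cloud block) that pushes the captured `previous_settings` values back would return the shared test fabric to its original state. The two assert tasks at the end share the name `Verify Fabric Wide Settings queries`, so the second one, which only runs on v5+, would be easier to spot in the play output as `Verify Fabric Wide Settings queries for ACI v5+`.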