1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
|
#!/usr/bin/python
#
# This file is part of Ansible
#
# Ansible is free software: you can redistribute it and/or modify
# it under the terms of the GNU General Public License as published by
# the Free Software Foundation, either version 3 of the License, or
# (at your option) any later version.
#
# Ansible is distributed in the hope that it will be useful,
# but WITHOUT ANY WARRANTY; without even the implied warranty of
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
# GNU General Public License for more details.
#
# You should have received a copy of the GNU General Public License
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
# pylint: skip-file
from __future__ import absolute_import, division, print_function
__metaclass__ = type
DOCUMENTATION = """
module: nxos_nxapi
extends_documentation_fragment:
- cisco.nxos.nxos
author: Peter Sprygada (@privateip)
short_description: Manage NXAPI configuration on an NXOS device.
notes:
- Limited Support for Cisco MDS
description:
- Configures the NXAPI feature on devices running Cisco NXOS. The NXAPI feature is
absent from the configuration by default. Since this module manages the NXAPI feature
it only supports the use of the C(Cli) transport.
version_added: 1.0.0
options:
http_port:
description:
- Configure the port with which the HTTP server will listen on for requests. By
default, NXAPI will bind the HTTP service to the standard HTTP port 80. This
argument accepts valid port values in the range of 1 to 65535.
required: false
default: 80
type: int
http:
description:
- Controls the operating state of the HTTP protocol as one of the underlying transports
for NXAPI. By default, NXAPI will enable the HTTP transport when the feature
is first configured. To disable the use of the HTTP transport, set the value
of this argument to False.
required: false
default: true
type: bool
aliases:
- enable_http
https_port:
description:
- Configure the port with which the HTTPS server will listen on for requests. By
default, NXAPI will bind the HTTPS service to the standard HTTPS port 443. This
argument accepts valid port values in the range of 1 to 65535.
required: false
default: 443
type: int
https:
description:
- Controls the operating state of the HTTPS protocol as one of the underlying
transports for NXAPI. By default, NXAPI will disable the HTTPS transport when
the feature is first configured. To enable the use of the HTTPS transport,
set the value of this argument to True.
required: false
default: false
type: bool
aliases:
- enable_https
sandbox:
description:
- The NXAPI feature provides a web base UI for developers for entering commands. This
feature is initially disabled when the NXAPI feature is configured for the first
time. When the C(sandbox) argument is set to True, the developer sandbox URL
will accept requests and when the value is set to False, the sandbox URL is
unavailable. This is supported on NX-OS 7K series.
required: false
type: bool
aliases:
- enable_sandbox
state:
description:
- The C(state) argument controls whether or not the NXAPI feature is configured
on the remote device. When the value is C(present) the NXAPI feature configuration
is present in the device running-config. When the values is C(absent) the feature
configuration is removed from the running-config.
choices:
- present
- absent
required: false
default: present
type: str
ssl_strong_ciphers:
description:
- Controls the use of whether strong or weak ciphers are configured. By default,
this feature is disabled and weak ciphers are configured. To enable the use
of strong ciphers, set the value of this argument to True.
required: false
default: false
type: bool
tlsv1_0:
description:
- Controls the use of the Transport Layer Security version 1.0 is configured. By
default, this feature is enabled. To disable the use of TLSV1.0, set the value
of this argument to True.
required: false
default: true
type: bool
tlsv1_1:
description:
- Controls the use of the Transport Layer Security version 1.1 is configured. By
default, this feature is disabled. To enable the use of TLSV1.1, set the value
of this argument to True.
required: false
default: false
type: bool
tlsv1_2:
description:
- Controls the use of the Transport Layer Security version 1.2 is configured. By
default, this feature is disabled. To enable the use of TLSV1.2, set the value
of this argument to True.
required: false
default: false
type: bool
"""
EXAMPLES = """
- name: Enable NXAPI access with default configuration
cisco.nxos.nxos_nxapi:
state: present
- name: Enable NXAPI with no HTTP, HTTPS at port 9443 and sandbox disabled
cisco.nxos.nxos_nxapi:
enable_http: false
https_port: 9443
https: true
enable_sandbox: false
- name: remove NXAPI configuration
cisco.nxos.nxos_nxapi:
state: absent
"""
RETURN = """
updates:
description:
- Returns the list of commands that need to be pushed into the remote
device to satisfy the arguments
returned: always
type: list
sample: ['no feature nxapi']
"""
import re
from ansible.module_utils.basic import AnsibleModule
from ansible_collections.cisco.nxos.plugins.module_utils.network.nxos.nxos import (
get_capabilities,
load_config,
run_commands,
)
from ansible_collections.cisco.nxos.plugins.module_utils.network.nxos.utils.utils import Version
def check_args(module, warnings, capabilities):
network_api = capabilities.get("network_api", "nxapi")
if network_api == "nxapi":
module.fail_json(msg="module not supported over nxapi transport")
os_platform = capabilities["device_info"]["network_os_platform"]
if "7K" not in os_platform and module.params["sandbox"]:
module.fail_json(
msg="sandbox or enable_sandbox is supported on NX-OS 7K series of switches",
)
state = module.params["state"]
if state == "started":
module.params["state"] = "present"
warnings.append(
"state=started is deprecated and will be removed in a "
"a future release. Please use state=present instead",
)
elif state == "stopped":
module.params["state"] = "absent"
warnings.append(
"state=stopped is deprecated and will be removed in a "
"a future release. Please use state=absent instead",
)
for key in ["http_port", "https_port"]:
if module.params[key] is not None:
if not 1 <= module.params[key] <= 65535:
module.fail_json(msg="%s must be between 1 and 65535" % key)
return warnings
def map_obj_to_commands(want, have, module, warnings, capabilities):
send_commands = list()
commands = dict()
os_platform = None
os_version = None
device_info = capabilities.get("device_info")
if device_info:
os_version = device_info.get("network_os_version")
if os_version:
os_version = os_version[:3]
os_platform = device_info.get("network_os_platform")
if os_platform:
os_platform = os_platform[:3]
def needs_update(x):
return want.get(x) is not None and (want.get(x) != have.get(x))
if needs_update("state"):
if want["state"] == "absent":
return ["no feature nxapi"]
send_commands.append("feature nxapi")
elif want["state"] == "absent":
return send_commands
for parameter in ["http", "https"]:
port_param = parameter + "_port"
if needs_update(parameter):
if want.get(parameter) is False:
commands[parameter] = "no nxapi %s" % parameter
else:
commands[parameter] = "nxapi %s port %s" % (
parameter,
want.get(port_param),
)
if needs_update(port_param) and want.get(parameter) is True:
commands[parameter] = "nxapi %s port %s" % (
parameter,
want.get(port_param),
)
if needs_update("sandbox"):
commands["sandbox"] = "nxapi sandbox"
if not want["sandbox"]:
commands["sandbox"] = "no %s" % commands["sandbox"]
if os_platform and os_version:
if (os_platform == "N9K" or os_platform == "N3K") and Version(os_version) >= "9.2":
if needs_update("ssl_strong_ciphers"):
commands["ssl_strong_ciphers"] = "nxapi ssl ciphers weak"
if want["ssl_strong_ciphers"] is True:
commands["ssl_strong_ciphers"] = "no nxapi ssl ciphers weak"
have_ssl_protocols = ""
want_ssl_protocols = ""
for key, value in {
"tlsv1_2": "TLSv1.2",
"tlsv1_1": "TLSv1.1",
"tlsv1_0": "TLSv1",
}.items():
if needs_update(key):
if want.get(key) is True:
want_ssl_protocols = " ".join([want_ssl_protocols, value])
elif have.get(key) is True:
have_ssl_protocols = " ".join([have_ssl_protocols, value])
if len(want_ssl_protocols) > 0:
commands["ssl_protocols"] = "nxapi ssl protocols%s" % (
" ".join([want_ssl_protocols, have_ssl_protocols])
)
else:
warnings.append(
"os_version and/or os_platform keys from "
"platform capabilities are not available. "
"Any NXAPI SSL optional arguments will be ignored",
)
send_commands.extend(commands.values())
return send_commands
def parse_http(data):
http_res = [r"nxapi http port (\d+)"]
http_port = None
for regex in http_res:
match = re.search(regex, data, re.M)
if match:
http_port = int(match.group(1))
break
return {"http": http_port is not None, "http_port": http_port}
def parse_https(data):
https_res = [r"nxapi https port (\d+)"]
https_port = None
for regex in https_res:
match = re.search(regex, data, re.M)
if match:
https_port = int(match.group(1))
break
return {"https": https_port is not None, "https_port": https_port}
def parse_sandbox(data):
sandbox = [item for item in data.split("\n") if re.search(r".*sandbox.*", item)]
value = False
if sandbox and sandbox[0] == "nxapi sandbox":
value = True
return {"sandbox": value}
def parse_ssl_strong_ciphers(data):
ciphers_res = [r"(\w+) nxapi ssl ciphers weak"]
value = None
for regex in ciphers_res:
match = re.search(regex, data, re.M)
if match:
value = match.group(1)
break
return {"ssl_strong_ciphers": value == "no"}
def parse_ssl_protocols(data):
tlsv1_0 = re.search(r"(?<!\S)TLSv1(?!\S)", data, re.M) is not None
tlsv1_1 = re.search(r"(?<!\S)TLSv1.1(?!\S)", data, re.M) is not None
tlsv1_2 = re.search(r"(?<!\S)TLSv1.2(?!\S)", data, re.M) is not None
return {"tlsv1_0": tlsv1_0, "tlsv1_1": tlsv1_1, "tlsv1_2": tlsv1_2}
def map_config_to_obj(module):
out = run_commands(module, ["show run all | inc nxapi"], check_rc=False)[0]
match = re.search(r"no feature nxapi", out, re.M)
# There are two possible outcomes when nxapi is disabled on nxos platforms.
# 1. Nothing is displayed in the running config.
# 2. The 'no feature nxapi' command is displayed in the running config.
if match or out == "":
return {"state": "absent"}
out = str(out).strip()
obj = {"state": "present"}
obj.update(parse_http(out))
obj.update(parse_https(out))
obj.update(parse_sandbox(out))
obj.update(parse_ssl_strong_ciphers(out))
obj.update(parse_ssl_protocols(out))
return obj
def map_params_to_obj(module):
obj = {
"http": module.params["http"],
"http_port": module.params["http_port"],
"https": module.params["https"],
"https_port": module.params["https_port"],
"sandbox": module.params["sandbox"],
"state": module.params["state"],
"ssl_strong_ciphers": module.params["ssl_strong_ciphers"],
"tlsv1_0": module.params["tlsv1_0"],
"tlsv1_1": module.params["tlsv1_1"],
"tlsv1_2": module.params["tlsv1_2"],
}
return obj
def main():
"""main entry point for module execution"""
argument_spec = dict(
http=dict(aliases=["enable_http"], type="bool", default=True),
http_port=dict(type="int", default=80),
https=dict(aliases=["enable_https"], type="bool", default=False),
https_port=dict(type="int", default=443),
sandbox=dict(aliases=["enable_sandbox"], type="bool"),
state=dict(default="present", choices=["present", "absent"]),
ssl_strong_ciphers=dict(type="bool", default=False),
tlsv1_0=dict(type="bool", default=True),
tlsv1_1=dict(type="bool", default=False),
tlsv1_2=dict(type="bool", default=False),
)
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
warnings = list()
warning_msg = "Module nxos_nxapi currently defaults to configure 'http port 80'. "
warning_msg += "Default behavior is changing to configure 'https port 443'"
warning_msg += " when params 'http, http_port, https, https_port' are not set in the playbook"
module.deprecate(msg=warning_msg, date="2022-06-01", collection_name="cisco.nxos")
capabilities = get_capabilities(module)
check_args(module, warnings, capabilities)
want = map_params_to_obj(module)
have = map_config_to_obj(module)
commands = map_obj_to_commands(want, have, module, warnings, capabilities)
result = {"changed": False, "warnings": warnings, "commands": commands}
if commands:
if not module.check_mode:
load_config(module, commands)
result["changed"] = True
module.exit_json(**result)
if __name__ == "__main__":
main()
|
