#!/usr/bin/python # # This file is part of Ansible # # Ansible is free software: you can redistribute it and/or modify # it under the terms of the GNU General Public License as published by # the Free Software Foundation, either version 3 of the License, or # (at your option) any later version. # # Ansible is distributed in the hope that it will be useful, # but WITHOUT ANY WARRANTY; without even the implied warranty of # MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the # GNU General Public License for more details. # # You should have received a copy of the GNU General Public License # along with Ansible. If not, see . # ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ['preview'], 'supported_by': 'network'} DOCUMENTATION = """ --- module: nxos_nxapi extends_documentation_fragment: nxos version_added: "2.1" author: "Peter Sprygada (@privateip)" short_description: Manage NXAPI configuration on an NXOS device. description: - Configures the NXAPI feature on devices running Cisco NXOS. The NXAPI feature is absent from the configuration by default. Since this module manages the NXAPI feature it only supports the use of the C(Cli) transport. options: http_port: description: - Configure the port with which the HTTP server will listen on for requests. By default, NXAPI will bind the HTTP service to the standard HTTP port 80. This argument accepts valid port values in the range of 1 to 65535. required: false default: 80 http: description: - Controls the operating state of the HTTP protocol as one of the underlying transports for NXAPI. By default, NXAPI will enable the HTTP transport when the feature is first configured. To disable the use of the HTTP transport, set the value of this argument to False. required: false default: yes type: bool aliases: ['enable_http'] https_port: description: - Configure the port with which the HTTPS server will listen on for requests. By default, NXAPI will bind the HTTPS service to the standard HTTPS port 443. This argument accepts valid port values in the range of 1 to 65535. required: false default: 443 https: description: - Controls the operating state of the HTTPS protocol as one of the underlying transports for NXAPI. By default, NXAPI will disable the HTTPS transport when the feature is first configured. To enable the use of the HTTPS transport, set the value of this argument to True. required: false default: no type: bool aliases: ['enable_https'] sandbox: description: - The NXAPI feature provides a web base UI for developers for entering commands. This feature is initially disabled when the NXAPI feature is configured for the first time. When the C(sandbox) argument is set to True, the developer sandbox URL will accept requests and when the value is set to False, the sandbox URL is unavailable. This is supported on NX-OS 7K series. required: false default: no type: bool aliases: ['enable_sandbox'] state: description: - The C(state) argument controls whether or not the NXAPI feature is configured on the remote device. When the value is C(present) the NXAPI feature configuration is present in the device running-config. When the values is C(absent) the feature configuration is removed from the running-config. choices: ['present', 'absent'] required: false default: present ssl_strong_ciphers: description: - Controls the use of whether strong or weak ciphers are configured. By default, this feature is disabled and weak ciphers are configured. To enable the use of strong ciphers, set the value of this argument to True. required: false default: no type: bool version_added: "2.7" tlsv1_0: description: - Controls the use of the Transport Layer Security version 1.0 is configured. By default, this feature is enabled. To disable the use of TLSV1.0, set the value of this argument to True. required: false default: yes type: bool version_added: "2.7" tlsv1_1: description: - Controls the use of the Transport Layer Security version 1.1 is configured. By default, this feature is disabled. To enable the use of TLSV1.1, set the value of this argument to True. required: false default: no type: bool version_added: "2.7" tlsv1_2: description: - Controls the use of the Transport Layer Security version 1.2 is configured. By default, this feature is disabled. To enable the use of TLSV1.2, set the value of this argument to True. required: false default: no type: bool version_added: "2.7" """ EXAMPLES = """ - name: Enable NXAPI access with default configuration nxos_nxapi: state: present - name: Enable NXAPI with no HTTP, HTTPS at port 9443 and sandbox disabled nxos_nxapi: enable_http: false https_port: 9443 https: yes enable_sandbox: no - name: remove NXAPI configuration nxos_nxapi: state: absent """ RETURN = """ updates: description: - Returns the list of commands that need to be pushed into the remote device to satisfy the arguments returned: always type: list sample: ['no feature nxapi'] """ import re from distutils.version import LooseVersion from ansible.module_utils.network.nxos.nxos import run_commands, load_config from ansible.module_utils.network.nxos.nxos import nxos_argument_spec from ansible.module_utils.network.nxos.nxos import get_capabilities from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.six import iteritems def check_args(module, warnings, capabilities): network_api = capabilities.get('network_api', 'nxapi') if network_api == 'nxapi': module.fail_json(msg='module not supported over nxapi transport') os_platform = capabilities['device_info']['network_os_platform'] if '7K' not in os_platform and module.params['sandbox']: module.fail_json(msg='sandbox or enable_sandbox is supported on NX-OS 7K series of switches') state = module.params['state'] if state == 'started': module.params['state'] = 'present' warnings.append('state=started is deprecated and will be removed in a ' 'a future release. Please use state=present instead') elif state == 'stopped': module.params['state'] = 'absent' warnings.append('state=stopped is deprecated and will be removed in a ' 'a future release. Please use state=absent instead') for key in ['http_port', 'https_port']: if module.params[key] is not None: if not 1 <= module.params[key] <= 65535: module.fail_json(msg='%s must be between 1 and 65535' % key) return warnings def map_obj_to_commands(want, have, module, warnings, capabilities): send_commands = list() commands = dict() os_platform = None os_version = None device_info = capabilities.get('device_info') if device_info: os_version = device_info.get('network_os_version') if os_version: os_version = os_version[:3] os_platform = device_info.get('network_os_platform') if os_platform: os_platform = os_platform[:3] def needs_update(x): return want.get(x) is not None and (want.get(x) != have.get(x)) if needs_update('state'): if want['state'] == 'absent': return ['no feature nxapi'] send_commands.append('feature nxapi') elif want['state'] == 'absent': return send_commands for parameter in ['http', 'https']: port_param = parameter + '_port' if needs_update(parameter): if want.get(parameter) is False: commands[parameter] = 'no nxapi %s' % parameter else: commands[parameter] = 'nxapi %s port %s' % (parameter, want.get(port_param)) if needs_update(port_param) and want.get(parameter) is True: commands[parameter] = 'nxapi %s port %s' % (parameter, want.get(port_param)) if needs_update('sandbox'): commands['sandbox'] = 'nxapi sandbox' if not want['sandbox']: commands['sandbox'] = 'no %s' % commands['sandbox'] if os_platform and os_version: if (os_platform == 'N9K' or os_platform == 'N3K') and LooseVersion(os_version) >= "9.2": if needs_update('ssl_strong_ciphers'): commands['ssl_strong_ciphers'] = 'nxapi ssl ciphers weak' if want['ssl_strong_ciphers'] is True: commands['ssl_strong_ciphers'] = 'no nxapi ssl ciphers weak' have_ssl_protocols = '' want_ssl_protocols = '' for key, value in {'tlsv1_2': 'TLSv1.2', 'tlsv1_1': 'TLSv1.1', 'tlsv1_0': 'TLSv1'}.items(): if needs_update(key): if want.get(key) is True: want_ssl_protocols = " ".join([want_ssl_protocols, value]) elif have.get(key) is True: have_ssl_protocols = " ".join([have_ssl_protocols, value]) if len(want_ssl_protocols) > 0: commands['ssl_protocols'] = 'nxapi ssl protocols%s' % (" ".join([want_ssl_protocols, have_ssl_protocols])) else: warnings.append('os_version and/or os_platform keys from ' 'platform capabilities are not available. ' 'Any NXAPI SSL optional arguments will be ignored') send_commands.extend(commands.values()) return send_commands def parse_http(data): http_res = [r'nxapi http port (\d+)'] http_port = None for regex in http_res: match = re.search(regex, data, re.M) if match: http_port = int(match.group(1)) break return {'http': http_port is not None, 'http_port': http_port} def parse_https(data): https_res = [r'nxapi https port (\d+)'] https_port = None for regex in https_res: match = re.search(regex, data, re.M) if match: https_port = int(match.group(1)) break return {'https': https_port is not None, 'https_port': https_port} def parse_sandbox(data): sandbox = [item for item in data.split('\n') if re.search(r'.*sandbox.*', item)] value = False if sandbox and sandbox[0] == 'nxapi sandbox': value = True return {'sandbox': value} def parse_ssl_strong_ciphers(data): ciphers_res = [r'(\w+) nxapi ssl ciphers weak'] value = None for regex in ciphers_res: match = re.search(regex, data, re.M) if match: value = match.group(1) break return {'ssl_strong_ciphers': value == 'no'} def parse_ssl_protocols(data): tlsv1_0 = re.search(r'(?