cisco.aci.aci_aaa_user module – Manage AAA users (aaa:User)

Note

This module is part of the cisco.aci collection (version 2.10.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install cisco.aci. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: cisco.aci.aci_aaa_user.

Synopsis

  • Manage AAA users on Cisco ACI fabrics.

Requirements

The below requirements are needed on the host that executes this module.

  • python-dateutil

Parameters

Parameter

Comments

aaa_password

string

The password of the locally-authenticated user.

Providing this option will always result in a change because it is a secure property that cannot be retrieved from APIC.

aaa_password_lifetime

integer

The lifetime of the locally-authenticated user password.

aaa_password_update_required

boolean

Whether this account needs password update.

Choices:

  • false

  • true

aaa_user

aliases: name

string

The name of the locally-authenticated user user to add.

annotation

string

User-defined string for annotating an object.

If the value is not specified in the task, the value of environment variable ACI_ANNOTATION will be used instead.

If the value is not specified in the task and environment variable ACI_ANNOTATION then the default value will be used.

Default: "orchestrator:ansible"

certificate_name

aliases: cert_name

string

The X.509 certificate name attached to the APIC AAA user used for signature-based authentication.

If a private_key filename was provided, this defaults to the private_key basename, without extension.

If PEM-formatted content was provided for private_key, this defaults to the username value.

If the value is not specified in the task, the value of environment variable ACI_CERTIFICATE_NAME will be used instead.

clear_password_history

boolean

Whether to clear the password history of a locally-authenticated user.

Choices:

  • false

  • true

description

aliases: descr

string

Description for the AAA user.

email

string

The email address of the locally-authenticated user.

enabled

boolean

The status of the locally-authenticated user account.

Choices:

  • false

  • true

expiration

string

The expiration date of the locally-authenticated user account.

expires

boolean

Whether to enable an expiration date for the locally-authenticated user account.

Choices:

  • false

  • true

first_name

string

The first name of the locally-authenticated user.

host

aliases: hostname

string

IP Address or hostname of APIC resolvable by Ansible control host.

If the value is not specified in the task, the value of environment variable ACI_HOST will be used instead.

last_name

string

The last name of the locally-authenticated user.

name_alias

string

The alias for the current object. This relates to the nameAlias field in ACI.

output_level

string

Influence the output of this ACI module.

normal means the standard output, incl. current dict

info adds informational output, incl. previous, proposed and sent dicts

debug adds debugging output, incl. filter_string, method, response, status and url information

If the value is not specified in the task, the value of environment variable ACI_OUTPUT_LEVEL will be used instead.

Choices:

  • "debug"

  • "info"

  • "normal" ← (default)

output_path

string

Path to a file that will be used to dump the ACI JSON configuration objects generated by the module.

If the value is not specified in the task, the value of environment variable ACI_OUTPUT_PATH will be used instead.

owner_key

string

User-defined string for the ownerKey attribute of an ACI object.

This attribute represents a key for enabling clients to own their data for entity correlation.

If the value is not specified in the task, the value of environment variable ACI_OWNER_KEY will be used instead.

owner_tag

string

User-defined string for the ownerTag attribute of an ACI object.

This attribute represents a tag for enabling clients to add their own data.

For example, to indicate who created this object.

If the value is not specified in the task, the value of environment variable ACI_OWNER_TAG will be used instead.

password

string

The password to use for authentication.

This option is mutual exclusive with private_key. If private_key is provided too, it will be used instead.

If the value is not specified in the task, the value of environment variables ACI_PASSWORD or ANSIBLE_NET_PASSWORD will be used instead.

phone

string

The phone number of the locally-authenticated user.

port

integer

Port number to be used for REST connection.

The default value depends on parameter use_ssl.

If the value is not specified in the task, the value of environment variable ACI_PORT will be used instead.

private_key

aliases: cert_key

string

Either a PEM-formatted private key file or the private key content used for signature-based authentication.

This value also influences the default certificate_name that is used.

This option is mutual exclusive with password. If password is provided too, it will be ignored.

If the value is not specified in the task, the value of environment variable ACI_PRIVATE_KEY or ANSIBLE_NET_SSH_KEYFILE will be used instead.

state

string

Use present or absent for adding or removing.

Use query for listing an object or multiple objects.

Choices:

  • "absent"

  • "present" ← (default)

  • "query"

suppress_previous

aliases: no_previous, ignore_previous

boolean

If true, a GET to check previous will not be sent before a POST update to APIC.

If the value is not specified in the task, the value of environment variable ACI_SUPPRESS_PREVIOUS will be used instead.

The default value is false.

WARNING - This causes the previous return value to be empty.

The previous state of the object will not be checked and the POST update will contain all properties.

Choices:

  • false

  • true

suppress_verification

aliases: no_verification, no_verify, suppress_verify, ignore_verify, ignore_verification

boolean

If true, a verifying GET will not be sent after a POST update to APIC.

If the value is not specified in the task, the value of environment variable ACI_SUPPRESS_VERIFICATION will be used instead.

The default value is false.

WARNING - This causes the current return value to be set to the proposed value.

The current object including default values will be unverifiable in a single task.

Choices:

  • false

  • true

timeout

integer

The socket level timeout in seconds.

If the value is not specified in the task, the value of environment variable ACI_TIMEOUT will be used instead.

The default value is 30.

use_proxy

boolean

If false, it will not use a proxy, even if one is defined in an environment variable on the target hosts.

If the value is not specified in the task, the value of environment variable ACI_USE_PROXY will be used instead.

The default value is true.

Choices:

  • false

  • true

use_ssl

boolean

If false, an HTTP connection will be used instead of the default HTTPS connection.

If the value is not specified in the task, the value of environment variable ACI_USE_SSL will be used instead.

The default value is true when the connection is local.

Choices:

  • false

  • true

username

aliases: user

string

The username to use for authentication.

If the value is not specified in the task, the value of environment variables ACI_USERNAME or ANSIBLE_NET_USERNAME will be used instead.

The default value is admin.

validate_certs

boolean

If false, SSL certificates will not be validated.

This should only set to false when used on personally controlled sites using self-signed certificates.

If the value is not specified in the task, the value of environment variable ACI_VALIDATE_CERTS will be used instead.

The default value is true.

Choices:

  • false

  • true

Notes

Note

  • This module is not idempotent when aaa_password is being used (even if that password was already set identically). This appears to be an inconsistency wrt. the idempotent nature of the APIC REST API. The vendor has been informed. More information in :ref:`the ACI documentation <aci_guide_known_issues>`.

See Also

See also

cisco.aci.aci_aaa_user_certificate

Manage AAA user certificates (aaa:UserCert).

APIC Management Information Model reference

More information about the internal APIC class aaa:User.

Cisco ACI Guide

Detailed information on how to manage your ACI infrastructure using Ansible.

Developing Cisco ACI modules

Detailed guide on how to write your own Cisco ACI modules to contribute.

Examples

- name: Add a user
  cisco.aci.aci_aaa_user:
    host: apic
    username: admin
    password: SomeSecretPassword
    aaa_user: dag
    aaa_password: AnotherSecretPassword
    expiration: never
    expires: false
    email: dag@wieers.com
    phone: 1-234-555-678
    first_name: Dag
    last_name: Wieers
    state: present
  delegate_to: localhost

- name: Remove a user
  cisco.aci.aci_aaa_user:
    host: apic
    username: admin
    password: SomeSecretPassword
    aaa_user: dag
    state: absent
  delegate_to: localhost

- name: Query a user
  cisco.aci.aci_aaa_user:
    host: apic
    username: admin
    password: SomeSecretPassword
    aaa_user: dag
    state: query
  delegate_to: localhost
  register: query_result

- name: Query all users
  cisco.aci.aci_aaa_user:
    host: apic
    username: admin
    password: SomeSecretPassword
    state: query
  delegate_to: localhost
  register: query_result

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

current

list / elements=string

The existing configuration from the APIC after the module has finished

Returned: success

Sample: [{"fvTenant": {"attributes": {"descr": "Production environment", "dn": "uni/tn-production", "name": "production", "nameAlias": "", "ownerKey": "", "ownerTag": ""}}}]

error

dictionary

The error information as returned from the APIC

Returned: failure

Sample: {"code": "122", "text": "unknown managed object class foo"}

filter_string

string

The filter string used for the request

Returned: failure or debug

Sample: "?rsp-prop-include=config-only"

method

string

The HTTP method used for the request to the APIC

Returned: failure or debug

Sample: "POST"

previous

list / elements=string

The original configuration from the APIC before the module has started

Returned: info

Sample: [{"fvTenant": {"attributes": {"descr": "Production", "dn": "uni/tn-production", "name": "production", "nameAlias": "", "ownerKey": "", "ownerTag": ""}}}]

proposed

dictionary

The assembled configuration from the user-provided parameters

Returned: info

Sample: {"fvTenant": {"attributes": {"descr": "Production environment", "name": "production"}}}

raw

string

The raw output returned by the APIC REST API (xml or json)

Returned: parse error

Sample: "<?xml version=\"1.0\" encoding=\"UTF-8\"?><imdata totalCount=\"1\"><error code=\"122\" text=\"unknown managed object class foo\"/></imdata>"

response

string

The HTTP response from the APIC

Returned: failure or debug

Sample: "OK (30 bytes)"

sent

list / elements=string

The actual/minimal configuration pushed to the APIC

Returned: info

Sample: {"fvTenant": {"attributes": {"descr": "Production environment"}}}

status

integer

The HTTP status from the APIC

Returned: failure or debug

Sample: 200

url

string

The HTTP url used for the request to the APIC

Returned: failure or debug

Sample: "https://10.11.12.13/api/mo/uni/tn-production.json"

Authors

  • Dag Wieers (@dagwieers)