terraform-provider-iosxe's Introduction

Terraform Provider IOS-XE

Requirements

Building The Provider

  1. Clone the repository
  2. Enter the repository directory
  3. Build the provider using the Go install command:
go install

Adding Dependencies

This provider uses Go modules. Please see the Go documentation for the most up to date information about using Go modules.

To add a new dependency github.com/author/dependency to your Terraform provider:

go get github.com/author/dependency
go mod tidy

Then commit the changes to go.mod and go.sum.

Using the provider

This Terraform Provider is available to install automatically via terraform init. If you're building the provider, follow the instructions to install it as a plugin. After placing it into your plugins directory, run terraform init to initialize it.

Additional documentation, including available resources and their arguments/attributes can be found on the Terraform documentation website.

Developing the Provider

If you wish to work on the provider, you'll first need Go installed on your machine (see Requirements above).

To compile the provider, run go install. This will build the provider and put the provider binary in the $GOPATH/bin directory.

To generate or update documentation, run go generate.

In order to run the full suite of Acceptance tests, run make testacc. Make sure the respective environment variables are set (e.g., IOSXE_USERNAME, IOSXE_PASSWORD, IOSXE_URL).

Note: Acceptance tests create real resources.

make testacc

terraform-provider-iosxe's Issues

Add support for bgp network statements

One large thing that's missing from the provider is the ability to add BGP networks. We need this for VRF and non-VRF network statements.

I'm able to add them with something like this:

resource "iosxe_restconf" "bgp_networks" {
  for_each = {
    for bgp_network in local.bgp_networks_configs : bgp_network.key => bgp_network
  }
  device     = each.value.device
  path       = "Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-bgp:bgp=${each.value.asn}/address-family/no-vrf/ipv4=unicast/ipv4-unicast/network/with-mask"
  attributes = {
    "number" = each.value.network_address
    "mask"   = each.value.mask
  }
}

This works for putting the network statements in, but throws an error when I try to remove it from the config.

│ Error: Client Error
│
│ Failed to delete object, got error: HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:malformed-message ErrorAppTag: ErrorPath: ErrorMessage:Operation not allowed. ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false      
│ Errors:{Error:[]}} EditStatus:{Edit:[]} Errors:{Error:[]}}

support for speed nonegotiate in iosxe_interface_ethernet

Hi,

Is it possible to add support for speed nonegotiate in resource iosxe_interface_ethernet?

CLI:

interface TwentyFiveGigE1/0/1
speed nonegotiate

On a C9500-48Y4C (fiber only) you cannot specify the speed.
Only nonegotiate.

regards

Issues with `iosxe_interface_tunnel` resource

When using the new tunnel resource, I get the following error:

╷
│ Error: Client Error
│
│   with iosxe_interface_tunnel.Tunnel_Interface["router_2-11"],
│   on main.tf line 287, in resource "iosxe_interface_tunnel" "Tunnel_Interface":
│  287: resource "iosxe_interface_tunnel" "Tunnel_Interface" {
│
│ Failed to configure object (PATCH), got error: HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:malformed-message ErrorAppTag: ErrorPath:/Cisco-IOS-XE-native:native/interface/Tunnel
│ ErrorMessage:unknown element: tunnel in /ios:native/ios:interface/ios:Tunnel[ios:name='11']/ios:tunnel ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}} EditStatus:{Edit:[]} Errors:{Error:[]}}
╵

In testing, I found this error to be specific to the tunnel_destination_ipv4 attribute of the resource.

Here is the call Terraform is making to the box:

 https://192.168.0.157/restconf/data/Cisco-IOS-XE-native:native/interface/Tunnel, {{"Cisco-IOS-XE-native:Tunnel":
{"name":"12","description":"test tunnel","ip":{"proxy-arp":false,"redirects":false,"Cisco-IOS-XE-icmp:unreachables":false,"address":{"primary":{"address":"12.1.1.2","mask":"255.255.255.0"}}},"Cisco-IOS-XE-tunnel:tunnel":{"source":"2.1.1.1"},"tunnel":{"destination-config":{"ipv4":"7.1.1.1"}}}}}

I tested this in Postman and did confirm that there is something weird about the call the resource is making, as I got the same error in Postman. Running the resource without the tunnel destination corrects the issue and I'm able to create the interface. Obviously we need to set a destination on the tunnel.

spanning-tree portfast edge trunk on resource iosxe_template

Hi,
When I create an iosxe_template and set mode trunk + portfast edge, it is expected that the resulting mode will be "spanning-tree portfast edge trunk", but it is only configured as "spanning-tree portfast edge".

-/+ resource "iosxe_template" "port-profile" {
      + load_interval                           = 30
      + spanning_tree_bpduguard_enable          = true
      + spanning_tree_portfast                  = true
      **+ spanning_tree_portfast_edge             = true**
      + spanning_tree_portfast_network          = false
      + storm_control_broadcast_level_threshold = 5
      + storm_control_multicast_level_threshold = 3
      + switchport_mode_access                  = false
      **+ switchport_mode_trunk                   = true**
      + switchport_nonegotiate                  = true
      + switchport_trunk_native_vlan_vlan_id    = 999
      + template_name                           = "TRUNK-SERVERS"
    }

The result on switch configuration is:

template TRUNK-SERVERS
 storm-control broadcast level 5.00
 storm-control multicast level 3.00
 **spanning-tree portfast edge**
 spanning-tree bpduguard enable
 switchport trunk native vlan 999
 switchport mode trunk
 switchport nonegotiate
 load-interval 30

Unable to set interface speed to 10G

The provider does not seem to support setting the network interface speeds yet.

We have a Cisco 8000V. After applying licenses (etc.), you need to set the interface speed of the "GigabitEthernet" interfaces to 10G. The interface name remains the same.

Can you please support interface speed settings?

"Hardware" speed supports 10G
Primarily meant to show that licenses are effectively applied.

router#show platform hardware throughput level
The current throughput level is 20000000 kb/s

Initial state of one interface

router#show running-config interface GigabitEthernet 4                       
Building configuration...

Current configuration : 107 bytes
!
interface GigabitEthernet4
 no ip address
 shutdown
 negotiation auto
 no mop enabled
 no mop sysid
end

router#show running-config interface GigabitEthernet 4 | format restconf-json
{
  "data": {
    "Cisco-IOS-XE-native:native": {
      "interface": {
        "GigabitEthernet": [
          {
            "name": "4",
            "shutdown": [null],
            "mop": {
              "enabled": false,
              "sysid": false
            },
            "Cisco-IOS-XE-ethernet:negotiation": {
              "auto": true
            }
          }
        ]
      }
    }
  }
}

Manual 10G configuration of the same interface

router#conf t
Enter configuration commands, one per line.  End with CNTL/Z.
router(config)#interface gigabitEthernet 4
router(config-if)#no negotiation auto        
router(config-if)#speed 10000                
router(config-if)#exit
router(config)#exit
router#show running-config interface GigabitEthernet 4                       
Building configuration...

Current configuration : 123 bytes
!
interface GigabitEthernet4
 no ip address
 shutdown
 speed 10000
 no negotiation auto
 no mop enabled
 no mop sysid
end

router#show running-config interface GigabitEthernet 4 | format restconf-json
{
  "data": {
    "Cisco-IOS-XE-native:native": {
      "interface": {
        "GigabitEthernet": [
          {
            "name": "4",
            "shutdown": [null],
            "mop": {
              "enabled": false,
              "sysid": false
            },
            "Cisco-IOS-XE-ethernet:speed": {
              "value-10000": [null]
            },
            "Cisco-IOS-XE-ethernet:negotiation": {
              "auto": false
            }
          }
        ]
      }
    }
  }
}

Resource iosxe_aaa - source interface

group_server_radius and group_server_tacacsplus should have the ability to configure the optional argument ip_radius_source_interface_loopback in a generic manner, meaning it could be also a VLAN or L3 interface itself that can be the source.

Would suggest the attribute to be 'ip_radius_source_interface'/'ip_tacacsplus_source_interface' with 'type' and 'name' as options.

switch(config-sg-radius)#ip radius source-interface ?
AccessTunnel Access Tunnel interface
AppGigabitEthernet App-hosting Gigabit Ethernet
Auto-Template Auto-Template interface
BDI Bridge-Domain interface
Bluetooth Bluetooth interface
CEM-PG Circuit Emulation interface with Protection group
CEOBC Cluster EOBC Interface
FortyGigabitEthernet Forty Gigabit Ethernet
GMPLS MPLS interface
GigabitEthernet GigabitEthernet IEEE 802.3z
InternalInterface Internal Interface
L2LISP L2 Locator/ID Separation Protocol Virtual Interface
LISP Locator/ID Separation Protocol Virtual Interface
Loopback Loopback interface
Lspvif LSP virtual interface
Null Null interface
PROTECTION_GROUP Protection-group controller
Port-channel Ethernet Channel of interfaces
SDH_ACR Virtual SDH-ACR controller
SERIAL-ACR Serial interface with ACR
Serial-PG Serial interface with Protection Group
TLS-VIF TLS Virtual Interface
TenGigabitEthernet Ten Gigabit Ethernet
Tunnel Tunnel interface
Tunnel-tp MPLS Transport Profile interface
TwentyFiveGigE Twenty Five Gigabit Ethernet
VirtualPortGroup Virtual Port Group
Vlan Catalyst Vlans
nve Network virtualization endpoint interface

Resource iosxe_ntp is not replacing ntp servers

After making some changes to resource "iosxe_ntp", we notice that the old NTP servers are never removed...

Before the change, we have the following configurations on router:
sw1#show runn | inc ntp
ntp source GigabitEthernet0/0
ntp server vrf Mgmt-vrf 1.1.1.1 prefer version 2
ntp server vrf Mgmt-vrf 2.2.2.2 version 2

Here are the changes in Terraform:
Terraform will perform the following actions:

iosxe_ntp.ntp_servers["sw1"] will be updated in-place

  ~ resource "iosxe_ntp" "ntp_servers" {
        id = "Cisco-IOS-XE-native:native/ntp"
      ~ server_vrfs = [
          ~ {
                name = "Mgmt-vrf"
              ~ servers = [
                  ~ {
                      ~ ip_address = "1.1.1.1" -> "ntp1.domain"
                    },
                  ~ {
                      ~ ip_address = "2.2.2.2" -> "ntp2.domain"
                    },
                ]
            },
        ]
    }

iosxe_ntp.ntp_servers["sw1"]: Modifying... [id=Cisco-IOS-XE-native:native/ntp]
iosxe_ntp.ntp_servers["sw1"]: Modifications complete after 2s [id=Cisco-IOS-XE-native:native/ntp]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

After the change, we have the following configurations on router:
sw1#show runn | inc ntp
ntp source GigabitEthernet0/0
ntp server vrf Mgmt-vrf 1.1.1.1 prefer version 2
ntp server vrf Mgmt-vrf 2.2.2.2 version 2
ntp server vrf Mgmt-vrf ntp1.domain prefer version 2
ntp server vrf Mgmt-vrf ntp2.domain version 2

$ terraform version
Terraform v1.5.3

Resource code:

resource "iosxe_ntp" "ntp_servers" {
  for_each                     = toset([for router in local.routers : router.name])
  device                       = each.key
  authenticate                 = false
  logging                      = false
  trap_source_gigabit_ethernet = "0/0"
  server_vrfs = [
    {
      name = "Mgmt-vrf"
      servers = [for ntp in local.global.NTPServers :
        {
          ip_address = ntp.Server
          prefer     = ntp.Prefer
          version    = 2
        }
      ]
    }
  ]
}
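
A post-apply check for the behaviour reported above, as an added example that is not part of the provider or the original issue: it parses `show run | inc ntp` output and reports NTP servers left on the device that the Terraform configuration no longer declares. The function names and the shape of `desired` are assumptions; the sample text is the "after the change" output from the report.

```python
import re

# Matches "ntp server [vrf <name>] <address> [prefer] [version <n>]".
NTP_SERVER = re.compile(r"^ntp server(?: vrf (?P<vrf>\S+))? (?P<addr>\S+)(?P<opts>.*)$")


def _version(opts):
    """Return the integer after the 'version' keyword, or None if absent."""
    if "version" in opts:
        i = opts.index("version")
        if i + 1 < len(opts) and opts[i + 1].isdigit():
            return int(opts[i + 1])
    return None


def parse_ntp_servers(show_run):
    """Map (vrf, address) -> options for every 'ntp server' line; '' is the global table."""
    servers = {}
    for line in show_run.splitlines():
        m = NTP_SERVER.match(line.strip())
        if not m:
            continue  # prompt lines, 'ntp source ...', blank lines
        opts = m.group("opts").split()
        servers[(m.group("vrf") or "", m.group("addr"))] = {
            "prefer": "prefer" in opts,
            "version": _version(opts),
        }
    return servers


def ntp_drift(show_run, desired):
    """Compare device output with the declared servers.

    desired: {(vrf, address): {"prefer": bool, "version": int or None}}
    """
    actual = parse_ntp_servers(show_run)
    return {
        # On the device but not declared: unmanaged time sources still in use.
        "stale": sorted(set(actual) - set(desired)),
        # Declared but not on the device.
        "missing": sorted(set(desired) - set(actual)),
        # Present on both sides with different options.
        "changed": sorted(k for k in set(actual) & set(desired) if actual[k] != desired[k]),
    }


# Device output after the apply, as quoted in the issue.
AFTER_APPLY = """sw1#show runn | inc ntp
ntp source GigabitEthernet0/0
ntp server vrf Mgmt-vrf 1.1.1.1 prefer version 2
ntp server vrf Mgmt-vrf 2.2.2.2 version 2
ntp server vrf Mgmt-vrf ntp1.domain prefer version 2
ntp server vrf Mgmt-vrf ntp2.domain version 2
"""

# What the Terraform configuration declares after the change.
DESIRED = {
    ("Mgmt-vrf", "ntp1.domain"): {"prefer": True, "version": 2},
    ("Mgmt-vrf", "ntp2.domain"): {"prefer": False, "version": 2},
}

if __name__ == "__main__":
    for kind, entries in ntp_drift(AFTER_APPLY, DESIRED).items():
        print(kind, entries)
```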

Please add BGP redistribution for non-vrf address-families.

Currently, the provider has a way of managing redistribution for BGP VRFs, but I don't see a way to do it for the default (global) address-family. Can you please add to the iosxe_bgp_address_family_ipv4 resource an option to manage static and connected route redistribution?

Port-channel

Hi,
Thank you for this new provider.
I'm looking for the good method to obtain an int Po in trunk mode (ok), with two physical interfaces (ok), to transport one or more VLANs (not ok).

Regards

iosxe_username cannot update user information

iosxe_username is not able to update the remote user. (Also, the "description" variable does not work)

Steps to reproduce

Define the provider and a new user:

provider "iosxe" {
  alias = "test"
  devices = [
    {
      name = "test"
      url  = "https://10.11.12.13"
    },
  ]
}

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      = "test_user"
  privilege = 15
  # description = ""  # Description is not supported
  secret    = "mysuperpassword"
}

Now change the secret value, e.g.:

...

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      = "test_user"
  privilege = 15
  secret    = "my_NEW_superpassword" # <----------------------------------------------------
}

If I run terraform with TF_LOG=DEBUG terraform apply -auto-approve, I will see:

2024/02/21 10:45:20 [DEBUG] HTTP Request: PATCH, https://10.11.12.13/restconf/data/Cisco-IOS-XE-native:native/username, {{"Cisco-IOS-XE-native:username":{"name":"test_user","privilege":"15","secret":{"secret":"my_NEW_superpassword"}}}}
2024/02/21 10:45:22 [DEBUG] HTTP Response: {
  "errors": {
    "error": [
      {
        "error-message": "inconsistent value: Device refused one or more commands",
        "error-path": "/Cisco-IOS-XE-native:native/username",
        "error-tag": "invalid-value",
        "error-type": "application"
      }
    ]
  }
}

Workaround

We can force replacement of the user instead of updating it, using the lifecycle replace_triggered_by and ignore_changes meta-arguments, but this is still not optimal:

locals {
    username = "test_user"
}

resource "null_resource" "local_admin_replace_trigger" {
  triggers = {
    username = local.username
    password = module.password.result
  }
}

resource "iosxe_username" "test_user" {
  provider = iosxe.test

  name      = local.username
  privilege = 15
  secret    = "mysuperpassword"
  lifecycle {
    ignore_changes = all
    replace_triggered_by = [ # <----------------------------------------------------
      aws_secretsmanager_secret_version.this.secret_string
    ]
  }
}

In particular, the replace_triggered_by meta-argument only allows resources/count/each sources, meaning we cannot use a variable inside of it. ignore_changes is required because, with state refreshing, the secret on the device is not the same as the one provided: the value in the configuration is not encrypted, while the value on the remote is. This means that, even if the secret does not change, Terraform will think there is a change.

NOTE: In this workaround, I first only used the password as a trigger, but for an unknown reason, Terraform always thinks that the username changed as well, therefore I also must ensure that the username triggers a replacement.

Cisco version

NB: This bug was confirmed with one specific version, but it may also impact others.

#show version
Cisco IOS XE Software, Version 16.12.07
Cisco IOS Software [Gibraltar], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.12.7, RELEASE SOFTWARE (fc2)

Additional information

  • The first creation of the user works even if the user already exists on the device prior to Terraform execution. I therefore think there is an issue with the "PATCH" request.

ip bgp-community new-format

Description

The option to configure ip bgp-community new-format seems to be missing.

Can you please tell us how to configure or implement this feature?

show running-config | section ip bgp-community
This is part of an example running config:

ip bgp-community new-format

json path: .data["Cisco-IOS-XE-native:native"].ip
This is the restconf-json formatted running config:

{
  "bgp-community": {
    "new-format": [
      null
    ]
  }
}

Request for add configurations on template and interfaces resources

Please, is it possible to add the options

  • "auto qos voip trust"
  • "switchport trunk allowed vlan all | none"
  • "spanning-tree guard root"

on template and interface resources, since they are allowed at the CLI:
sw1(config-if)#template UPLINK-SWITCHES
sw1(config-template)#switchport trunk allowed vlan ?
  WORD    VLAN IDs of the allowed VLANs when this port is in trunking mode
  add     add VLANs to the current list
  all     all VLANs
  except  all VLANs except the following
  none    no VLANs
  remove  remove VLANs from the current list

sw1(config-template)#trust ?
  cos      cos
  device   trusted device class
  dscp     dscp
  ip-prec  ip precedence
  up       user priority

sw1(config-template)#trust device ?
  cisco-phone   Cisco IP Phone
  cts           CTS
  ip-camera     IPVSC
  media-player  DMP

sw1(config-template)#trust cos ?
  <cr>  <cr>

sw1(config-template)#spanning-tree guard ?
  loop  Set guard mode to loop guard on interface
  none  Set guard mode to none
  root  Set guard mode to root guard on interface

The idea is to configure generic templates for some types of interfaces (uplinks, access trunk, access edge, routers) and configure the allowed VLANs directly on interfaces.

Thank you.

speed_nonegotiate not working

Hi,

We get the following error when trying to configure no negotiation auto in TF.
We are using provider 0.5.5.

It looks like nonegotiate in the patch may need to be Cisco-IOS-XE-ethernet:negotiation one level higher.

Can you please look at this?

 Failed to configure object (PATCH), got error: HTTP Request failed: StatusCode 400, RESTCONF errors
│ {Error:[{ErrorType:application ErrorTag:invalid-value ErrorAppTag:
│ ErrorPath:/Cisco-IOS-XE-native:native/interface/GigabitEthernet ErrorMessage:inconsistent value: Device refused
│ one or more commands ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}} EditStatus:{Edit:[]}
│ Errors:{Error:[]}}

Terraform code

resource "iosxe_interface_ethernet" "router01_interface_ethernet_10" {
  provider          = iosxe.router01_provider
  type              = "GigabitEthernet"
  name              = "10"
  description       = "HELLO_ERROR"
  shutdown          = true
  speed_nonegotiate = true
  speed_10000       = true
}

Running config before plan:

show running-config interface gigabitEthernet 10 | format restconf-json

{
  "data": {
    "Cisco-IOS-XE-native:native": {
      "interface": {
        "GigabitEthernet": [
          {
            "name": "10",
            "description": "HELLO_ERROR",
            "shutdown": [null],
            "mop": {
              "enabled": false,
              "sysid": false
            },
            "Cisco-IOS-XE-ethernet:speed": {
              "value-10000": [null]
            },
            "Cisco-IOS-XE-ethernet:negotiation": {
              "auto": false
            }
          }
        ]
      }
    }
  }
}

restconf in the trace (before)

2024/01/16 14:10:52 [DEBUG] HTTP Response: {
  "Cisco-IOS-XE-native:GigabitEthernet": [
    {
      "name": "10",
      "description": "HELLO_ERROR",
      "shutdown": [null],
      "logging": {
        "event": {
          "link-status": [null]
        }
      },
      "mop": {
        "enabled": false,
        "sysid": false
      },
      "access-session": {
        "host-mode": "multi-auth"
      },
      "Cisco-IOS-XE-ethernet:speed": {
        "value-10000": [null]
      },
      "Cisco-IOS-XE-ethernet:negotiation": {
        "auto": false
      }
    }
  ]
}

PATCH that fails

provider.terraform-provider-iosxe_v0.5.5: 2024/01/16 14:10:59 [DEBUG] HTTP Request: PATCH, https://cisco.some_nice_url.com/restconf/data/Cisco-IOS-XE-native:native/interface/GigabitEthernet, 
{
    {
        "Cisco-IOS-XE-native:GigabitEthernet": {
            "name": "10",
            "description": "HELLO_ERROR",
            "shutdown": {},
            "Cisco-IOS-XE-ethernet:speed": {
                "value-10000": {},
                "nonegotiate": {}
            }
        }
    }
}
provider.terraform-provider-iosxe_v0.5.5: 2024/01/16 14:10:59 [DEBUG] HTTP Response: {
provider.terraform-provider-iosxe_v0.5.5:   "ietf-restconf:errors": {
provider.terraform-provider-iosxe_v0.5.5:     "error": [
provider.terraform-provider-iosxe_v0.5.5:       {
provider.terraform-provider-iosxe_v0.5.5:         "error-type": "application",
provider.terraform-provider-iosxe_v0.5.5:         "error-tag": "invalid-value",
provider.terraform-provider-iosxe_v0.5.5:         "error-path": "/Cisco-IOS-XE-native:native/interface/GigabitEthernet",
provider.terraform-provider-iosxe_v0.5.5:         "error-message": "inconsistent value: Device refused one or more commands"
provider.terraform-provider-iosxe_v0.5.5:       }
provider.terraform-provider-iosxe_v0.5.5:     ]
provider.terraform-provider-iosxe_v0.5.5:   }
provider.terraform-provider-iosxe_v0.5.5: }
provider.terraform-provider-iosxe_v0.5.5: 2024/01/16 14:10:59 [DEBUG] Transient error detected
provider.terraform-provider-iosxe_v0.5.5: 2024/01/16 14:10:59 [DEBUG] Begining backoff method: attempts 0 on 10

ip http options

Description

The ability to configure these features seems to be missing:

  • ip http secure-ciphersuite
  • ip http tls-version
  • no ip http server
  • ip http client source-interface

Furthermore, ip http access-class ipv4 seems to be missing also.
Note: after configuring this option from the CLI, it does not seem to show up with a show running-config | format restconf-json. It does show up with a regular show running.

Can you please tell us how to configure or implement these features?
show run | section http
This is part of the running config:

no ip http server
ip http access-class ipv4 12345
ip http secure-server
ip http secure-ciphersuite tls13-aes256-gcm-sha384 
ip http tls-version TLSv1.2 
ip http client source-interface GigabitEthernet2
  destination transport-method http

json path: .data["Cisco-IOS-XE-native:native"].ip["Cisco-IOS-XE-http:http"]
This is the restconf-json formatted running config:

{
  "server": false,
  "secure-server": true,
  "tls-version": "TLSv1.2",
  "client": {
    "source-interface": "GigabitEthernet2"
  },
  "secure-ciphersuite": {
    "tls13-aes256-gcm-sha384": [
      null
    ]
  }
}
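
A hardening check over the subtree shown above, as an added example that is not part of the provider or the original issue: it audits the `Cisco-IOS-XE-http:http` settings from a restconf-json document and, because the report says `ip http access-class` is not rendered there, looks for that line in the plain running-config text instead. The TLS and cipher policy, the function names and the `WEAK` sample are assumptions.

```python
import json

# Where the subtree sits in `show running-config | format restconf-json` output.
HTTP_PATH = ("data", "Cisco-IOS-XE-native:native", "ip", "Cisco-IOS-XE-http:http")
# Assumption: local hardening policy, not a device default.
ALLOWED_TLS = {"TLSv1.2", "TLSv1.3"}


def cipher_allowed(name):
    # Assumption: policy accepts TLS 1.3 suites and AES-GCM suites only.
    return name.startswith("tls13-") or "-gcm-" in name


def http_subtree(doc):
    """Walk HTTP_PATH and return the http container, or None if any level is absent."""
    node = doc
    for key in HTTP_PATH:
        if not isinstance(node, dict) or key not in node:
            return None
        node = node[key]
    return node


def audit_http(doc, running_config=""):
    """Return a list of findings; an empty list means the policy is met."""
    http = http_subtree(doc)
    if http is None:
        return ["http: subtree absent, nothing to audit from RESTCONF"]
    findings = []
    if http.get("server") is not False:
        findings.append("server: plain HTTP not explicitly disabled (want 'no ip http server')")
    if http.get("secure-server") is not True:
        findings.append("secure-server: HTTPS is off, RESTCONF management needs it")
    tls = http.get("tls-version")
    if tls not in ALLOWED_TLS:
        findings.append(f"tls-version: {tls!r} is not one of {sorted(ALLOWED_TLS)}")
    ciphers = sorted(http.get("secure-ciphersuite") or {})
    if not ciphers:
        findings.append("secure-ciphersuite: not pinned, device default list applies")
    for name in ciphers:
        if not cipher_allowed(name):
            findings.append(f"secure-ciphersuite: {name} not allowed by policy")
    # Not visible in restconf-json per the report, so check the CLI text.
    cli_lines = [line.strip() for line in running_config.splitlines()]
    if not any(line.startswith("ip http access-class ") for line in cli_lines):
        findings.append("access-class: no 'ip http access-class' line in running-config")
    return findings


# From the issue above: the restconf-json subtree wrapped in its full path.
GOOD = json.loads("""
{"data": {"Cisco-IOS-XE-native:native": {"ip": {"Cisco-IOS-XE-http:http": {
  "server": false,
  "secure-server": true,
  "tls-version": "TLSv1.2",
  "client": {"source-interface": "GigabitEthernet2"},
  "secure-ciphersuite": {"tls13-aes256-gcm-sha384": [null]}
}}}}}
""")
GOOD_CLI = """no ip http server
ip http access-class ipv4 12345
ip http secure-server
"""

# Constructed weak configuration for contrast (not from the issue).
WEAK = json.loads("""
{"data": {"Cisco-IOS-XE-native:native": {"ip": {"Cisco-IOS-XE-http:http": {
  "server": true,
  "secure-server": true,
  "tls-version": "TLSv1.0",
  "secure-ciphersuite": {"3des-ede-cbc-sha": [null]}
}}}}}
""")

if __name__ == "__main__":
    for label, doc, cli in (("good", GOOD, GOOD_CLI), ("weak", WEAK, "")):
        print(label, audit_http(doc, cli))
```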

No resource for "enable secret" command and "iosxe_cli" not working

There is no resource for configuring enable secret mysecret. This should be a resource available.
I tried to find how to use the iosxe_restconf resource but I was unable to find decent documentation about how to use restconf...

Workaround attempt (not working)

I finally decided to create a custom module using iosxe_cli this way:

variable "secret" {
  type        = string
  description = "Secret to gain enable privileges"
  sensitive   = true
}

resource "iosxe_cli" "example" {
  cli = <<-EOT
  enable secret ${var.secret}
  EOT
}

Error output

Running it in debug mode produced the following error:

Beginning to send CLI commands: tf_req_id=c469a2c6-3883-50c3-f99d-5c460e1687ba tf_resource_type=iosxe_cli @caller=github.com/CiscoDevNet/terraform-provider-iosxe/internal/provider/resource_iosxe_cli.go:95 @module=iosxe tf_provider_addr=registry.terraform.io/CiscoDevNet/iosxe tf_rpc=ApplyResourceChange timestamp="2024-02-27T11:01:38.168+0100"
2024/02/27 11:01:38 [DEBUG] HTTP Request: POST, https://10.11.12.13/restconf/operations/Cisco-IOS-XE-cli-rpc:config-ios-cli-rpc, {{"Cisco-IOS-XE-cli-rpc:input":{"config-clis":"enable secret mysecret\n"}}}
2024/02/27 11:01:40 [DEBUG] HTTP Response: {
  "errors": {
    "error": [
      {
        "error-message": "invalid path",
        "error-tag": "malformed-message",
        "error-type": "application"
      }
    ]
  }
}
2024/02/27 11:01:40 [ERROR] HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:malformed-message ErrorAppTag: ErrorPath: ErrorMessage:invalid path ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}} EditStatus:{Edit:[]} Errors:{Error:[]}}
2024/02/27 11:01:40 [DEBUG] Exit from Do method

Expected behaviour

  1. A resource should exist for enable secret command
  2. iosxe_cli should work
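
The TF_LOG=DEBUG traces in this issue and in the iosxe_username issue above both print the secret in clear text (inside the PATCH body and inside the `config-clis` string), so a trace should be scrubbed before it is pasted into a report. The following is an added example, not part of the provider or the original issues; the set of sensitive key names, the CLI keywords and the function names are assumptions, and the sample lines are taken from the traces on this page.

```python
import json
import re

MASK = "<REDACTED>"
# Assumption: JSON member names whose values are credentials.
SENSITIVE_KEYS = {"secret", "password", "key"}

# Provider debug line: "<ts> [DEBUG] HTTP Request: METHOD, URL, {<json>}".
# The payload is printed inside one extra pair of braces, as in the traces above.
REQUEST = re.compile(r"^(?P<head>.*HTTP Request: \w+, \S+, )\{(?P<body>\{.*\})\}\s*$")
# IOS CLI text: "secret [type-digit] <value>" or "password [type-digit] <value>".
CLI_SECRET = re.compile(r"\b(secret|password)((?:\s+\d)?\s+)([^\s=]\S*)")
# Fallbacks for lines that are not a single-line request: JSON members, HCL assignments.
JSON_PAIR = re.compile(r'("(?:secret|password|key)"\s*:\s*)"(?:[^"\\]|\\.)*"')
HCL_ASSIGN = re.compile(r'(\b(?:secret|password)\s*=\s*)"(?:[^"\\]|\\.)*"')


def _mask_cli(text):
    return CLI_SECRET.sub(lambda m: m.group(1) + m.group(2) + MASK, text)


def scrub(value, key=None):
    """Return a copy of a decoded JSON value with credential values masked."""
    if isinstance(value, dict):
        return {k: scrub(v, k) for k, v in value.items()}
    if isinstance(value, list):
        return [scrub(v, key) for v in value]
    if key in SENSITIVE_KEYS and value is not None:
        return MASK
    if isinstance(value, str):
        return _mask_cli(value)  # e.g. the "config-clis" string sent by iosxe_cli
    return value


def redact_line(line):
    """Mask credentials in one log line, keeping the rest of the line intact."""
    m = REQUEST.match(line)
    if m:
        try:
            body = json.loads(m.group("body"))
        except ValueError:
            body = None  # not valid JSON: fall through to the regex fallbacks
        if body is not None:
            clean = json.dumps(scrub(body), separators=(",", ":"))
            return m.group("head") + "{" + clean + "}"
    line = JSON_PAIR.sub(lambda p: p.group(1) + '"' + MASK + '"', line)
    line = HCL_ASSIGN.sub(lambda p: p.group(1) + '"' + MASK + '"', line)
    return _mask_cli(line)


def redact(text):
    return "\n".join(redact_line(line) for line in text.splitlines())


# Two request lines from the traces on this page and one HCL line from the issue text.
SAMPLE = "\n".join([
    r'2024/02/21 10:45:20 [DEBUG] HTTP Request: PATCH, https://10.11.12.13/restconf/data/Cisco-IOS-XE-native:native/username, {{"Cisco-IOS-XE-native:username":{"name":"test_user","privilege":"15","secret":{"secret":"my_NEW_superpassword"}}}}',
    r'2024/02/27 11:01:38 [DEBUG] HTTP Request: POST, https://10.11.12.13/restconf/operations/Cisco-IOS-XE-cli-rpc:config-ios-cli-rpc, {{"Cisco-IOS-XE-cli-rpc:input":{"config-clis":"enable secret mysecret\n"}}}',
    '  secret            = "mysuperpassword"',
])

if __name__ == "__main__":
    print(redact(SAMPLE))
```

Marking a Terraform variable `sensitive` hides it in plan output only; the request body in the debug trace still carries the value, which is why the scrub runs on the log text.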

Multiple hosts

Wondering if there is an easy technique to apply the same configuration to multiple hosts.
One approach is to use multiple aliases, but it is a bit too convoluted.

Thank you so much.

iosxe_system attributes are not removed

Hi,

The settings from iosxe_system do not seem to be removed from the Cisco device after removing them from the terraform config.
I am using Cisco IOS XE Software, Version 17.11.01a and iosxe provider 0.4.0.

The following takes you through a test scenario:

Starting terraform config:

terraform {
  required_providers {
    iosxe = {
      source = "CiscoDevNet/iosxe"
    }
  }
}

provider "iosxe" {
  alias    = "router8001"
  insecure = true
  username = "username"
  password = "password"
  url      = "https://1.2.3.4"
}

resource "iosxe_system" "example" {
  provider = iosxe.router8001
  hostname             = "ROUTER8001"
  ipv6_unicast_routing = true
  ip_source_route      = false
  ip_domain_lookup     = false
  ip_domain_name       = "test.com"
  login_delay          = 1
  login_on_failure     = true
  login_on_failure_log = true
  login_on_success     = true
  login_on_success_log = true
  multicast_routing_vrfs = []
}

Config after apply:

ROUTER8001#show run | i domain name
ip domain name test.com
ROUTER8001#show run | i delay      
login delay 1
ROUTER8001#

Modified terraform config:
ip_domain_name and login_delay have been commented out

resource "iosxe_system" "example" {
  provider = iosxe.router8001
  hostname             = "ROUTER8001"
  ipv6_unicast_routing = true
  ip_source_route      = false
  ip_domain_lookup     = false
  # ip_domain_name       = "test.com"
  # login_delay          = 1
  login_on_failure     = true
  login_on_failure_log = true
  login_on_success     = true
  login_on_success_log = true
  multicast_routing_vrfs = []
}

Apply output of the modified terraform config:
Both changes are detected and are promised to be applied.

jan@Jans-MBP cisco % terraform apply -auto-approve
iosxe_system.example: Refreshing state... [id=Cisco-IOS-XE-native:native]

Terraform used the selected providers to generate the following execution plan. Resource actions are
indicated with the following symbols:
  ~ update in-place

Terraform will perform the following actions:

  # iosxe_system.example will be updated in-place
  ~ resource "iosxe_system" "example" {
        id                     = "Cisco-IOS-XE-native:native"
      - ip_domain_name         = "test.com" -> null
      - login_delay            = 1 -> null
        # (9 unchanged attributes hidden)
    }

Plan: 0 to add, 1 to change, 0 to destroy.
iosxe_system.example: Modifying... [id=Cisco-IOS-XE-native:native]
iosxe_system.example: Modifications complete after 0s [id=Cisco-IOS-XE-native:native]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

Config after apply:
Both options are still present.

ROUTER8001#show run | i domain name
ip domain name test.com
ROUTER8001#show run | i delay 
login delay 1

Please advise

Jan

Declarative

Hello,

Testing this provider, it looks like everything is imperative at this time. Are there any plans to release declarative features (as opposed to imperative)?
This would be really helpful (in my opinion) in environments like EVPN/VXLAN fabric where adding/editing/deleting L2VNI/L3VNI services happens often.

Nevertheless, happy to see Terraform coming to Cisco devices!

ip community-list

Description

The option to create an ip community-list seems to be missing.

Can you please tell us how to configure or implement this feature?

show running-config | section include community-list
This is part of an example running config:

ip community-list standard TEST permit 65000:500

json path: .data["Cisco-IOS-XE-native:native"].ip
This is the restconf-json formatted running config:

{
  "Cisco-IOS-XE-bgp:ip-community-list": {
    "community-list": {
      "standard": [
        {
          "name": "TEST",
          "action": [
            {
              "action": "permit",
              "bgp-community": [
                {
                  "bgp-community": "65000:500"
                }
              ]
            }
          ]
        }
      ]
    }
  }
}

resource to configure flow monitor and flow exporter and flow record

Hi,

Would it be possible to create a resource to configure:

  • flow record
  • flow monitor
  • flow exporter

CLI:

flow record FNF-input
description IPv4 NetFlow
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface input
match ipv4 tos
match flow direction
collect interface output
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow record FNF-output
description IPv4 NetFlow
match ipv4 source address
match ipv4 destination address
match transport source-port
match transport destination-port
match ipv4 protocol
match interface output
match ipv4 tos
match flow direction
collect interface input
collect counter bytes long
collect counter packets long
collect transport tcp flags
collect timestamp absolute first
collect timestamp absolute last
!
flow exporter Scrutinizer
description Export to Scrutinizer
destination x.x.x.x
source Loopback0
transport udp 2055
template data timeout 60

!
flow monitor Scrut_mon_input
description IPv4 FNF ingress exports
exporter Scrutinizer
cache timeout active 60
record FNF-input
!
flow monitor Scrut_mon_output
description IPv4 FNF egress exports
exporter Scrutinizer
cache timeout active 60
record FNF-output
!

kind regards

iosxe_policy_map resource support for qos

Hi,

Is it possible to add support to the iosxe_policy_map resource?

I currently need to use CLI:

resource "iosxe_cli" "policymap_uzl-shape-nxh" {
cli = <<-EOT
policy-map PM-UZL-SHAPE-NXH
class CM-UZL-JWS
shape average percent 70
class CM-UZL-ROUTING
priority level 1
class class-default
EOT
}

Resource iosxe_line missing authorization/transport input

Resource iosxe_line is missing two commonly needed parts, which are /native/line/vty/authorization/exec and /native/line/vty/transport/input.

CLI Configuration
line vty 0 4
authorization exec 'authorization list name'
transport input ssh

Add support for static VRF route

We need the ability to add static routes to a VRF. It would be helpful if this was added to the native provider.

Thanks again for all the work on this

BGP neighbour soft-reconfiguration inbound

Description

The option to set soft-reconfiguration inbound for a BGP neighbour seems to be missing.
Can you please tell us how to configure or implement this feature?

show running-config | section router
This is part of an example running config:

router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 fall-over bfd
 !
 address-family ipv4
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 soft-reconfiguration inbound
  neighbor 192.168.1.2 route-map TEST-OUT out
 exit-address-family

json path: .data["Cisco-IOS-XE-native:native"].router
This is the restconf-json formatted running config:

{
  "Cisco-IOS-XE-bgp:bgp": [
    {
      "id": 65000,
      "bgp": {
        "log-neighbor-changes": true
      },
      "neighbor": [
        {
          "id": "192.168.1.2",
          "remote-as": 65001,
          "fall-over": {
            "bfd": {}
          }
        }
      ],
      "address-family": {
        "no-vrf": {
          "ipv4": [
            {
              "af-name": "unicast",
              "ipv4-unicast": {
                "neighbor": [
                  {
                    "id": "192.168.1.2",
                    "activate": [
                      null
                    ],
                    "route-map": [
                      {
                        "inout": "out",
                        "route-map-name": "TEST-OUT"
                      }
                    ],
                    "soft-reconfiguration": "inbound"
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}

support for qos in iosxe_class_map

Hi,

Is it possible to add support to the iosxe_class_map resource?

I currently need to use CLI:

resource "iosxe_cli" "classmap-routing" {
cli = <<-EOT
class-map match-any CM-ROUTING
match ip dscp ef
match ip dscp af41
match ip dscp cs6
EOT
}

kind regards

What does this mean

Why is my location showing null? The public ip6 address is showing as unregistered domain. Would this be why no calls or text messages are coming to my device? How do I fix? I'm not interested in any domain. Just wanted my device to work.

ip prefix-list description

Description
The option to configure the description of a prefix list (ip prefix-list NAME description) seems to be missing.

Please note that the description and the actual prefix list data are on different data levels.

show running-config | section ip prefix-list
This is part of the running config:

ip prefix-list TEST description TEST_TEST_TEST
ip prefix-list TEST seq 10 permit 1.2.3.4/30 le 32

json path: .data["Cisco-IOS-XE-native:native"].ip["prefix-lists"]
This is the restconf-json formatted running config:

{
  "prefixes": [
    {
      "name": "TEST",
      "no": 10,
      "action": "permit",
      "ip": "1.2.3.4/30",
      "le": 32
    }
  ],
  "prefix-list-description": [
    {
      "name": "TEST",
      "description": "TEST_TEST_TEST"
    }
  ]
}

BGP neighbor fall-over bfd without any extra options

Description

The option to set BGP neighbor fall-over bfd without any extra options seems to be missing.

The help during a configure terminal shows 5 scenarios: The default (<CR>) + 4 optional parameters:

awesome_router(config-router)#neighbor 192.168.1.4 fall-over bfd ?                           
  check-control-plane-failure  Retreive control plane dependent failure (c-bit) information from BFD for BGP GR/NSF operation
  multi-hop                    Force BFD multi-hop to detect failure
  single-hop                   Force BFD single-hop to detect failure
  strict-mode                  Enable BFD strict-mode
  <cr>                         <cr>

The provider documentation specifies the 4 optional parameters:

  • fall_over_bfd_check_control_plane_failure
  • fall_over_bfd_multi_hop
  • fall_over_bfd_single_hop
  • fall_over_bfd_strict_mode

However, it does not seem possible to configure without the optional parameters.

Can you please tell us how to configure or implement this feature?

show running-config | section router
This is part of an example running config. It has all variations of the possible configuration.

router bgp 65000
 bgp log-neighbor-changes
 neighbor 192.168.1.2 remote-as 65001
 neighbor 192.168.1.2 fall-over bfd
 neighbor 192.168.1.3 remote-as 65002
 neighbor 192.168.1.3 fall-over bfd check-control-plane-failure
 neighbor 192.168.1.4 remote-as 65003
 neighbor 192.168.1.4 fall-over bfd multi-hop
 neighbor 192.168.1.5 remote-as 65004
 neighbor 192.168.1.5 fall-over bfd single-hop
 neighbor 192.168.1.6 remote-as 65005
 neighbor 192.168.1.6 fall-over bfd strict-mode
 !
 address-family ipv4
  neighbor 192.168.1.2 activate
  neighbor 192.168.1.2 soft-reconfiguration inbound
  neighbor 192.168.1.2 route-map TEST-OUT out
  neighbor 192.168.1.3 activate
  neighbor 192.168.1.4 activate
  neighbor 192.168.1.5 activate
  neighbor 192.168.1.6 activate
 exit-address-family

json path: .data["Cisco-IOS-XE-native:native"].router
This is the restconf-json formatted running config:

{
  "Cisco-IOS-XE-bgp:bgp": [
    {
      "id": 65000,
      "bgp": {
        "log-neighbor-changes": true
      },
      "neighbor": [
        {
          "id": "192.168.1.2",
          "remote-as": 65001,
          "fall-over": {
            "bfd": {}
          }
        },
        {
          "id": "192.168.1.3",
          "remote-as": 65002,
          "fall-over": {
            "bfd": {
              "check-control-plane-failure": [
                null
              ]
            }
          }
        },
        {
          "id": "192.168.1.4",
          "remote-as": 65003,
          "fall-over": {
            "bfd": {
              "multi-hop": [
                null
              ]
            }
          }
        },
        {
          "id": "192.168.1.5",
          "remote-as": 65004,
          "fall-over": {
            "bfd": {
              "single-hop": [
                null
              ]
            }
          }
        },
        {
          "id": "192.168.1.6",
          "remote-as": 65005,
          "fall-over": {
            "bfd": {
              "strict-mode": [
                null
              ]
            }
          }
        }
      ],
      "address-family": {
        "no-vrf": {
          "ipv4": [
            {
              "af-name": "unicast",
              "ipv4-unicast": {
                "neighbor": [
                  {
                    "id": "192.168.1.2",
                    "activate": [
                      null
                    ],
                    "route-map": [
                      {
                        "inout": "out",
                        "route-map-name": "TEST-OUT"
                      }
                    ],
                    "soft-reconfiguration": "inbound"
                  },
                  {
                    "id": "192.168.1.3",
                    "activate": [
                      null
                    ]
                  },
                  {
                    "id": "192.168.1.4",
                    "activate": [
                      null
                    ]
                  },
                  {
                    "id": "192.168.1.5",
                    "activate": [
                      null
                    ]
                  },
                  {
                    "id": "192.168.1.6",
                    "activate": [
                      null
                    ]
                  }
                ]
              }
            }
          ]
        }
      }
    }
  ]
}
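An added Go example, not the provider's code: it decodes the RESTCONF JSON shown in this issue and keeps three cases apart, namely no `fall-over`, plain `"bfd": {}`, and `bfd` with one of the four `[null]` option leaves. The sample document is constructed from the issue's output, and neighbor 192.168.1.7 is an added, hypothetical entry.

```go
package main

import (
	"encoding/json"
	"fmt"
)

// Constructed sample: neighbors .2 and .4 are trimmed from the issue's
// RESTCONF output; 192.168.1.7 (no fall-over at all) is added for contrast.
const sampleDoc = `{
  "Cisco-IOS-XE-bgp:bgp": [{
    "id": 65000,
    "neighbor": [
      {"id": "192.168.1.2", "remote-as": 65001, "fall-over": {"bfd": {}}},
      {"id": "192.168.1.4", "remote-as": 65003,
       "fall-over": {"bfd": {"multi-hop": [null]}}},
      {"id": "192.168.1.7", "remote-as": 65006}
    ]
  }]
}`

// The four optional leaves named in the issue. Each appears as [null],
// the RFC 7951 JSON encoding of a YANG leaf of type "empty".
var bfdOptions = []string{
	"check-control-plane-failure", "multi-hop", "single-hop", "strict-mode",
}

type neighbor struct {
	ID       string `json:"id"`
	FallOver *struct {
		// encoding/json leaves this map nil when "bfd" is absent and allocates
		// an empty, non-nil map for "bfd": {}, so the two cases stay distinct.
		BFD map[string]json.RawMessage `json:"bfd"`
	} `json:"fall-over"`
}

// isEmptyLeaf reports whether raw is exactly the one-element array [null].
func isEmptyLeaf(raw json.RawMessage) bool {
	var v []any
	return json.Unmarshal(raw, &v) == nil && len(v) == 1 && v[0] == nil
}

// classify maps one neighbor to "none", "bfd" or "bfd <option>".
func classify(n neighbor) string {
	if n.FallOver == nil || n.FallOver.BFD == nil {
		return "none"
	}
	if len(n.FallOver.BFD) == 0 {
		return "bfd" // the <cr> case: fall-over bfd with no extra option
	}
	for _, opt := range bfdOptions {
		if raw, ok := n.FallOver.BFD[opt]; ok && isEmptyLeaf(raw) {
			return "bfd " + opt
		}
	}
	return "bfd (unrecognized option)"
}

// BFDModes returns the classification for every neighbor id in the document.
func BFDModes(doc []byte) (map[string]string, error) {
	var root struct {
		BGP []struct {
			Neighbor []neighbor `json:"neighbor"`
		} `json:"Cisco-IOS-XE-bgp:bgp"`
	}
	if err := json.Unmarshal(doc, &root); err != nil {
		return nil, err
	}
	modes := map[string]string{}
	for _, b := range root.BGP {
		for _, n := range b.Neighbor {
			modes[n.ID] = classify(n)
		}
	}
	return modes, nil
}

func main() {
	modes, err := BFDModes([]byte(sampleDoc))
	if err != nil {
		panic(err)
	}
	for _, id := range []string{"192.168.1.2", "192.168.1.4", "192.168.1.7"} {
		fmt.Printf("%s: %s\n", id, modes[id])
	}
}
```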

Newly added `iosxe_bgp_ipv4_unicast_vrf_neighbor` issue

I'm getting the following error when using the newly added iosxe_bgp_ipv4_unicast_vrf_neighbor resource:

iosxe_bgp_ipv4_unicast_vrf_neighbor.bgp_neighbors_set_vrf["router_2-192.168.0.154"]: Creating...
╷
│ Error: Client Error
│
│   with iosxe_bgp_ipv4_unicast_vrf_neighbor.bgp_neighbors_set_vrf["router_2-192.168.0.154"],
│   on main.tf line 179, in resource "iosxe_bgp_ipv4_unicast_vrf_neighbor" "bgp_neighbors_set_vrf":
│  179: resource "iosxe_bgp_ipv4_unicast_vrf_neighbor" "bgp_neighbors_set_vrf" {
│
│ Failed to configure object (PATCH), got error: HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:malformed-message ErrorAppTag:
│ ErrorPath:/Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-bgp:bgp[id='65000']/address-family/with-vrf/ipv4[af-name='unicast']/vrf[name='VRF-11']/ipv4-unicast/neighbor[id='192.168.0.154'] ErrorMessage:missing element: ipv4-unicast in
│ /ios:native/ios:router/ios-bgp:bgp[ios-bgp:id='65000']/ios-bgp:address-family/ios-bgp:with-vrf/ios-bgp:ipv4[ios-bgp:af-name='unicast']/ios-bgp:vrf[ios-bgp:name='VRF-11']/ios-bgp:ipv4-unicast/ios-bgp:neighbor[ios-bgp:id='192.168.0.154'] ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}}      
│ EditStatus:{Edit:[]} Errors:{Error:[]}}

ip as-path access-list

Description

The option to create an ip as-path access-list seems to be missing.

Can you please tell us how to configure or implement this feature?

show running-config | section include as-path
This is part of an example running config:

ip as-path access-list 1 permit _12345_

json path: .data["Cisco-IOS-XE-native:native"].ip
This is the restconf-json formatted running config:

{
  "as-path": {
    "Cisco-IOS-XE-bgp:access-list": [
      {
        "name": 1,
        "extended-grouping": {
          "extended_grouping": [
            {
              "action": "permit",
              "string": "_12345_"
            }
          ]
        }
      }
    ]
  }
}

Add support for BGP aggregate addresses in global and VRF address-families

We need to be able to add aggregate addresses to our BGP config.

router bgp 65000
 bgp log-neighbor-changes
 !
 address-family ipv4
  network 12.1.1.0 mask 255.255.255.0
  network 13.1.1.0 mask 255.255.255.0
  aggregate-address 12.1.0.0 255.255.0.0
  aggregate-address 13.1.0.0 255.255.0.0
 !
 address-family ipv4 vrf VRF-12
  network 14.1.1.0 mask 255.255.255.0
  network 15.1.1.0 mask 255.255.255.0
  aggregate-address 14.1.0.0 255.255.0.0
  aggregate-address 15.1.0.0 255.255.0.0
 exit-address-family

It would be great if you could add this to the provider. And as always, thank you for your support on this

iosxe_route_map / match_source_protocol_bgp behaviour

Dear,

We have an issue regarding the iosxe_route_map / match_source_protocol_bgp behaviour statement.
Changes and Deletions do not seem to be handled properly.

Can you please look at this?

IOSXE TF Provider version: self-compiled 0.4.1 unreleased (date Tue Sept 19 2023)
IOS version: Cisco IOS XE Software, Version 17.11.01a

Below is a step-by-step example on how to reproduce and some debug information.

start clean

ROUTER8001#show route-map GITHUB
route-map GITHUB not found

resource source config for creation

resource "iosxe_route_map" "github" {
  provider = iosxe.router8001
  name = "GITHUB"
  entries = [
    {
      seq                                      = 10
      operation                                = "permit"
      description                              = "Entry 10"
      continue                                 = false
      match_source_protocol_bgp                = ["65001"]

    }
  ]
}

Terraform apply output for creation (works fine)

Terraform will perform the following actions:

  # iosxe_route_map.github will be created
  + resource "iosxe_route_map" "github" {
      + entries = [
          + {
              + continue                  = false
              + description               = "Entry 10"
              + match_source_protocol_bgp = [
                  + "65001",
                ]
              + operation                 = "permit"
              + seq                       = 10
            },
        ]
      + id      = (known after apply)
      + name    = "GITHUB"
    }

Plan: 1 to add, 0 to change, 0 to destroy.
iosxe_route_map.github: Creating...
iosxe_route_map.github: Creation complete after 1s [id=Cisco-IOS-XE-native:native/route-map=GITHUB]

Apply complete! Resources: 1 added, 0 changed, 0 destroyed.

running config after creation (looks ok)

ROUTER8001#show route-map GITHUB
route-map GITHUB, permit, sequence 10
  Match clauses:
    source-protocol  bgp 65001
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
ROUTER8001#

resource source config modification #1: replace 65001 with 65002

resource "iosxe_route_map" "github" {
  provider = iosxe.router8001
  name = "GITHUB"
  entries = [
    {
      seq                                      = 10
      operation                                = "permit"
      description                              = "Entry 10"
      continue                                 = false
      match_source_protocol_bgp                = ["65002"]

    }
  ]
}

Terraform apply output suggests correct behaviour

Terraform will perform the following actions:

  # iosxe_route_map.github will be updated in-place
  ~ resource "iosxe_route_map" "github" {
      ~ entries = [
          ~ {
              ~ match_source_protocol_bgp = [
                  - "65001",
                  + "65002",
                ]
                # (4 unchanged attributes hidden)
            },
        ]
        id      = "Cisco-IOS-XE-native:native/route-map=GITHUB"
        name    = "GITHUB"
    }

Plan: 0 to add, 1 to change, 0 to destroy.
iosxe_route_map.github: Modifying... [id=Cisco-IOS-XE-native:native/route-map=GITHUB]
iosxe_route_map.github: Modifications complete after 0s [id=Cisco-IOS-XE-native:native/route-map=GITHUB]

Apply complete! Resources: 0 added, 1 changed, 0 destroyed.

running config after modification is unexpected: 65002 has been added instead of replaced

ROUTER8001#show route-map GITHUB
route-map GITHUB, permit, sequence 10
  Match clauses:
    source-protocol  bgp 65001 bgp 65002
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
ROUTER8001#

running config / partial JSON after modification: 65002 has been added instead of replaced

    "route-map": [
      {
        "name": "GITHUB",
        "Cisco-IOS-XE-route-map:route-map-without-order-seq": [
          {
            "seq_no": 10,
            "operation": "permit",
            "descriptions": [
              {
                "description-leaf": "Entry 10"
              }
            ],
            "match": {
              "source-protocol": {
                "bgp": [65001, 65002]
              }
            }
          }
        ]
      },

resource source config modification #2: remove the complete statement

resource "iosxe_route_map" "github" {
  provider = iosxe.router8001
  name = "GITHUB"
  entries = [
    {
      seq                                      = 10
      operation                                = "permit"
      description                              = "Entry 10"
      continue                                 = false
#      match_source_protocol_bgp                = ["65002"]

    }
  ]
}

Terraform apply output suggests correct behaviour ... and fails

Terraform will perform the following actions:

  # iosxe_route_map.github will be updated in-place
  ~ resource "iosxe_route_map" "github" {
      ~ entries = [
          ~ {
              - match_source_protocol_bgp = [
                  - "65001",
                  - "65002",
                ] -> null
                # (4 unchanged attributes hidden)
            },
        ]
        id      = "Cisco-IOS-XE-native:native/route-map=GITHUB"
        name    = "GITHUB"
    }

Plan: 0 to add, 1 to change, 0 to destroy.
iosxe_route_map.github: Modifying... [id=Cisco-IOS-XE-native:native/route-map=GITHUB]
iosxe_route_map.github: Still modifying... [id=Cisco-IOS-XE-native:native/route-map=GITHUB, 10s elapsed]
iosxe_route_map.github: Still modifying... [id=Cisco-IOS-XE-native:native/route-map=GITHUB, 20s elapsed]
╷
│ Error: Client Error
│ 
│   with iosxe_route_map.github,
│   on cisco8001.tf line 237, in resource "iosxe_route_map" "github":
│  237: resource "iosxe_route_map" "github" {
│ 
│ Failed to delete object, got error: HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:invalid-value ErrorAppTag: ErrorPath:
│ ErrorMessage:inconsistent value: Device refused one or more commands ErrorInfo:}]} {PatchId: GlobalStatus:{Ok:false Errors:{Error:[]}} EditStatus:{Edit:[]}
│ Errors:{Error:[]}}

running config after failed attempt

ROUTER8001#show route-map GITHUB
route-map GITHUB, permit, sequence 10
  Match clauses:
    source-protocol  bgp 65002 bgp 65001
  Set clauses:
  Policy routing matches: 0 packets, 0 bytes
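An added Go example, not the provider's code: it models merge semantics for a leaf-list under a plain RESTCONF PATCH (RFC 8040 section 4.6.1), which reproduces the `bgp 65001 bgp 65002` result reported above, then computes the stale entries and the per-entry DELETE paths a drift check would flag. That the provider's update is a merge PATCH, and the path in `bgpLeafList`, are assumptions inferred from the issue's output.

```go
package main

import (
	"fmt"
	"net/url"
	"sort"
)

// Assumption: this path is inferred from the resource id and the partial JSON
// in the issue (list keys "name" and "seq_no"); it is not taken from the provider.
const bgpLeafList = "Cisco-IOS-XE-native:native/route-map=GITHUB/" +
	"Cisco-IOS-XE-route-map:route-map-without-order-seq=10/match/source-protocol/bgp"

// MergeLeafList models a plain PATCH on a leaf-list: values in the request are
// merged into what the device already holds, and nothing is removed.
func MergeLeafList(device, patch []string) []string {
	seen := make(map[string]bool, len(device)+len(patch))
	out := make([]string, 0, len(device)+len(patch))
	for _, v := range append(append([]string{}, device...), patch...) {
		if !seen[v] {
			seen[v] = true
			out = append(out, v)
		}
	}
	return out
}

// StaleEntries returns, sorted, the values present on the device but absent
// from the desired configuration.
func StaleEntries(device, desired []string) []string {
	want := make(map[string]bool, len(desired))
	for _, v := range desired {
		want[v] = true
	}
	var stale []string
	for _, v := range device {
		if !want[v] {
			stale = append(stale, v)
		}
	}
	sort.Strings(stale)
	return stale
}

// DeletePaths builds one data resource path per stale value, using the
// "leaf-list=value" instance form of RFC 8040 section 3.5.3.
func DeletePaths(base string, stale []string) []string {
	paths := make([]string, 0, len(stale))
	for _, v := range stale {
		paths = append(paths, base+"="+url.PathEscape(v))
	}
	return paths
}

func main() {
	device := []string{"65001"}  // state after the initial create
	desired := []string{"65002"} // modification #1 in the issue

	after := MergeLeafList(device, desired)
	fmt.Println("device after merge PATCH:", after)

	for _, p := range DeletePaths(bgpLeafList, StaleEntries(after, desired)) {
		fmt.Println("DELETE", p)
	}
}
```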

Interface commands for authentication and dot1x

Perusing through the docs, I don't see a way to enable port-based authentication commands. The global commands are there, but I am looking for a way to do the following on a port:

authentication host-mode multi-auth
authentication order dot1x mab
authentication priority dot1x mab
authentication port-control auto
authentication periodic
authentication timer reauthenticate server
mab
dot1x pae authenticator
dot1x timeout tx-period 5
dot1x max-req 3
dot1x max-reauth-req 3

Can you enable this functionality or point me to where it might be in the docs? Thanks!

Static Routes with Interfaces Specified Don't Apply

There is no support to create static-routes with an interface specified. This is quite important for "Null" routes.

resource "iosxe_static_route_vrf" "static_default_vrf_internet_routeB" {
  vrf = "internet"
  routes = [
    {
      prefix = "1.1.1.1"
      mask   = "255.255.255.255"
      next_hops = [
        {
          next_hop = "null"
          name     = "test null route"
        }
      ]
    }
  ]
}

TERRAFORM APPLY FAILURE

➜ pe1 git:(main) ✗ terraform apply
iosxe_prefix_list.isp_internet_pl-in: Refreshing state... [id=Cisco-IOS-XE-native:native/ip/prefix-lists]
iosxe_prefix_list.isp_internet_pl-out: Refreshing state... [id=Cisco-IOS-XE-native:native/ip/prefix-lists]
iosxe_static_route_vrf.static_default_vrf_internet_route: Refreshing state... [id=Cisco-IOS-XE-native:native/ip/route/vrf=internet]
iosxe_prefix_list.isp_internet_pl-all: Refreshing state... [id=Cisco-IOS-XE-native:native/ip/prefix-lists]
iosxe_bgp_ipv4_unicast_vrf_neighbor.ce1_to_pe1: Refreshing state... [id=Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-bgp:bgp=4771/address-family/with-vrf/ipv4=unicast/vrf=internet/ipv4-unicast/neighbor=200.1.1.2]
iosxe_interface_ethernet.ge3: Refreshing state... [id=Cisco-IOS-XE-native:native/interface/GigabitEthernet=3]
iosxe_interface_ethernet.ge2: Refreshing state... [id=Cisco-IOS-XE-native:native/interface/GigabitEthernet=2]
iosxe_bgp_address_family_ipv4_vrf.isprouterbgpvrfinternet: Refreshing state... [id=Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-bgp:bgp=4771/address-family/with-vrf/ipv4=unicast]
iosxe_route_map.isp_internet_rm-static: Refreshing state... [id=Cisco-IOS-XE-native:native/route-map=rm-static]
iosxe_route_map.isp_internet_rm-in: Refreshing state... [id=Cisco-IOS-XE-native:native/route-map=rm-pe1-in]
iosxe_bgp.isprouterbgp: Refreshing state... [id=Cisco-IOS-XE-native:native/router/Cisco-IOS-XE-bgp:bgp=4771]
iosxe_vrf.internetvrf: Refreshing state... [id=Cisco-IOS-XE-native:native/vrf/definition=internet]
iosxe_route_map.isp_internet_rm-out: Refreshing state... [id=Cisco-IOS-XE-native:native/route-map=rm-pe1-out]

Terraform used the selected providers to generate the following execution plan. Resource actions are indicated with the following symbols:

  + create

Terraform will perform the following actions:

  # iosxe_static_route_vrf.static_default_vrf_internet_routeB will be created
  + resource "iosxe_static_route_vrf" "static_default_vrf_internet_routeB" {
      + id     = (known after apply)
      + routes = [
          + {
              + mask      = "255.255.255.255"
              + next_hops = [
                  + {
                      + name     = "test null route"
                      + next_hop = "null"
                    },
                ]
              + prefix    = "1.1.1.1"
            },
        ]
      + vrf    = "internet"
    }

Plan: 1 to add, 0 to change, 0 to destroy.

Do you want to perform these actions?
Terraform will perform the actions described above.
Only 'yes' will be accepted to approve.

Enter a value: yes

iosxe_static_route_vrf.static_default_vrf_internet_routeB: Creating...
iosxe_static_route_vrf.static_default_vrf_internet_routeB: Still creating... [10s elapsed]
iosxe_static_route_vrf.static_default_vrf_internet_routeB: Still creating... [20s elapsed]

│ Error: Client Error

│ with iosxe_static_route_vrf.static_default_vrf_internet_routeB,
│ on resource-static_route.tf line 16, in resource "iosxe_static_route_vrf" "static_default_vrf_internet_routeB":
│ 16: resource "iosxe_static_route_vrf" "static_default_vrf_internet_routeB" {

│ Failed to configure object (PATCH), got error: HTTP Request failed: StatusCode 400, RESTCONF errors {Error:[{ErrorType:application ErrorTag:invalid-value ErrorAppTag: ErrorPath:/Cisco-IOS-XE-native:native/ip/route/vrf ErrorMessage:inconsistent value: Device refused one or more commands ErrorInfo:}]} {PatchId:
│ GlobalStatus:{Ok:false Errors:{Error:[]}} EditStatus:{Edit:[]} Errors:{Error:[]}}

➜ pe1 git:(main) ✗

Resource iosxe_aaa_authentication/authorization/accounting should match iosxe logic consistency

When configuring IOS-XE you can use

  • default or named group for login/dot1x authentication.
  • default or named group for exec/network authorization
  • default or named group for exec/network/identity accounting

therefore the resources should not be limited or different

  • iosxe_aaa_authentication only allows dot1x_default (no named list), it should match 'logins'
  • iosxe_aaa_authorization only allows the first entry (a1_group) to be a group, but it should be also able to have a second
  • iosxe_aaa_accounting should have a list structure for identity like it has for networks/execs.

switch(config)#aaa authentication login ?
WORD Named authentication list (max 255 characters, longer will be rejected).
default The default authentication list.

switch(config)#aaa authentication dot1x ?
WORD Named authentication list (max 255 characters, longer will be rejected).
default The default authentication list.

This issue is logged in order to harmonize the terraform resources. Above is just a brief example, there are more auth/authz/accounting methods as well.
