Boolean for MCP action (access policies) when set to false not clearing the flag #39
Comments
Hi, |
Enabling MisCabling Protocol (MCP) is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device. |
Hello,
I am well aware of the best practice; in my case MCP is enabled; however, I would like to set the flag to false (it is there for a reason) for disabling the port as, in my opinion, it is too aggressive.
Best regards
Alexander
From: Guilin Yan ***@***.***>
Date: Sunday, 10 December 2023 at 02:12
To: netascode/terraform-aci-nac-aci ***@***.***>
Cc: Alexander Deca ***@***.***>, Author ***@***.***>
Subject: Re: [netascode/terraform-aci-nac-aci] Boolean for MCP action (access policies) when set to false not clearing the flag (Issue #39)
Enabling MisCabling Protocol (MCP) is a best practice, and it should be enabled globally and on all interfaces, regardless of the end device.
https://www.cisco.com/c/dam/en/us/solutions/collateral/data-center-virtualization/application-centric-infrastructure/aci-guide-using-mcp-mis-cabling-protocol.pdf
|
Hello,
APIC version is 6.0(3d) [simulator], Terraform ACI version is 0.8.0 (latest).
Many thanks
Alexander
From: Guilin Yan ***@***.***>
Date: Saturday, 9 December 2023 at 13:30
To: netascode/terraform-aci-nac-aci ***@***.***>
Cc: Alexander Deca ***@***.***>, Author ***@***.***>
Subject: Re: [netascode/terraform-aci-nac-aci] Boolean for MCP action (access policies) when set to false not clearing the flag (Issue #39)
Hi,
If you could provide test environment information like APIC version, terraform-aci-nac-aci version, that would be very helpful.
Tested with latest terraform-aci-nac-aci on APIC v6.0() and APIC v5.2(),
|
Grateful for the work you guys are doing. In my case, setting the flag to false in the YAML code does not actually change the flag in the GUI.
The other way around, when the flag is disabled in the GUI and it is set to true in the Terraform YAML file, the flag is set correctly in the GUI.
So it seems to me that the flag false is not pushed correctly?
Working:
GUI before:
[A screenshot of a computer Description automatically generated]
mcp:
  action: true
  admin_state: true
  key: password
  frequency_sec: 5
  initial_delay: 300
  loop_detection: 5
  per_vlan: true
GUI after terraform apply:
[A screenshot of a computer Description automatically generated]
Not working:
GUI before:
[A screenshot of a computer Description automatically generated]
mcp:
  action: false
  admin_state: true
  key: password
  frequency_sec: 5
  initial_delay: 300
  loop_detection: 5
  per_vlan: true
GUI after terraform apply:
[A screenshot of a computer Description automatically generated]
Thanks
Alexander
|
This is a known issue with the current implementation of the ACI provider, which relies on the SDKv2. The provider cannot differentiate between a null (non-existent) value and an empty string. In this case when disabling the "action" the nac-aci module will set the
|
Thank you very much for the clarification, Daniel! |
Thanks for the feedback!
Follow-up question: what is the timeframe to migrate to the new Terraform Plugin Framework?
Cheers
Alexander
From: Daniel Schmidt ***@***.***>
Date: Wednesday, 13 December 2023 at 15:53
To: netascode/terraform-aci-nac-aci ***@***.***>
Cc: Alexander Deca ***@***.***>, Author ***@***.***>
Subject: Re: [netascode/terraform-aci-nac-aci] Boolean for MCP action (access policies) when set to false not clearing the flag (Issue #39)
This is a known issue with the current implementation of the ACI provider, which relies on the SDKv2. The provider cannot differentiate between a null (non-existent) value and an empty string. In this case when disabling the "action" the nac-aci module will set the loopProtectAct attribute to an empty string (https://github.com/netascode/terraform-aci-nac-aci/blob/53585f87dc536155a6e083e5ef913f0d94b1a75a/modules/terraform-aci-mcp/main.tf#L10), where the provider assumes it is now set to null and will therefore not include it in the payload. This issue should be resolved once the ACI provider has been migrated to the new Terraform Plugin Framework. Existing issues: CiscoDevNet/terraform-provider-aci#806, CiscoDevNet/terraform-provider-aci#202
|
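The null-versus-empty-string behaviour described in the explanation quoted above, as an added Go sketch that is not part of the thread and is not the ACI provider's or the module's code. The function names are hypothetical, the controller is modelled as a plain attribute map, and "port-disable" is an assumed sample value for loopProtectAct.

```go
package main

import "fmt"

// buildPayloadZeroValue is a simplified model of the behaviour in the thread:
// "" is indistinguishable from "unset", so the attribute is left out.
func buildPayloadZeroValue(loopProtectAct string) map[string]string {
	payload := map[string]string{}
	if loopProtectAct != "" {
		payload["loopProtectAct"] = loopProtectAct
	}
	return payload
}

// buildPayloadNullable keeps null (nil) and "" apart, so an explicit
// empty string is sent and can clear the flag.
func buildPayloadNullable(loopProtectAct *string) map[string]string {
	payload := map[string]string{}
	if loopProtectAct != nil {
		payload["loopProtectAct"] = *loopProtectAct
	}
	return payload
}

// applyToController merges a payload into the stored object; attributes
// missing from the payload keep their previous value.
func applyToController(stored, payload map[string]string) map[string]string {
	merged := map[string]string{}
	for k, v := range stored {
		merged[k] = v
	}
	for k, v := range payload {
		merged[k] = v
	}
	return merged
}

// report renders the resulting attribute for side-by-side comparison.
func report(label string, obj map[string]string) string {
	return fmt.Sprintf("%-12s loopProtectAct=%q", label, obj["loopProtectAct"])
}

func main() {
	// Constructed starting state; "port-disable" is an assumed sample value.
	stored := map[string]string{"loopProtectAct": "port-disable"}
	cleared := "" // what the module sets when action is false
	fmt.Println(report("zero-value:", applyToController(stored, buildPayloadZeroValue(cleared))))
	fmt.Println(report("nullable:", applyToController(stored, buildPayloadNullable(&cleared))))
}
```

The first line of output still shows the old value, which is the drift reported in this issue: the apply succeeds while the controller keeps a setting the YAML says is off.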
It is now available. Please update terraform-aci-nac-aci module to 0.8.1 and also run |
@alexanderdeca , can this be closed now? |
Hi,
This can be closed, thanks!
Alexander
From: Daniel Schmidt ***@***.***>
Date: Wednesday, 20 March 2024 at 11:39
To: netascode/terraform-aci-nac-aci ***@***.***>
Cc: Alexander Deca ***@***.***>, Mention ***@***.***>
Subject: Re: [netascode/terraform-aci-nac-aci] Boolean for MCP action (access policies) when set to false not clearing the flag (Issue #39)
@alexanderdeca<https://github.com/alexanderdeca> , can this be closed now?
|
When the MCP action boolean is set to false, the expectation is that the flag is cleared on the APIC controller.
Setting the boolean to true correctly sets the flag on the APIC controller.
mcp:
  action: false
  admin_state: true
  key: password
  frequency_sec: 5
  initial_delay: 300
  loop_detection: 5
  per_vlan: true