Initial Policy Framework

plugins/action/common/prepare_plugins/prep_001_list_defaults.py

@@ -172,5 +172,33 @@ def prepare(self):
 
             list_index += 1
 
+        # --------------------------------------------------------------------
+        # Fabric Policy List Defaults
+        # --------------------------------------------------------------------
+
+        # Check vxlan.policy list elements
+        parent_keys = ['vxlan', 'policy']
+        dm_check = data_model_key_check(self.model_data, parent_keys)
+        if 'policy' in dm_check['keys_not_found'] or 'policy' in dm_check['keys_no_data']:
+            self.model_data['vxlan']['policy'] = {}
+            self.model_data['vxlan']['policy'].update({'policies': []})
+            self.model_data['vxlan']['policy'].update({'groups': []})
+            self.model_data['vxlan']['policy'].update({'switches': []})
+
+        parent_keys = ['vxlan', 'policy', 'policies']
+        dm_check = data_model_key_check(self.model_data, parent_keys)
+        if 'policies' in dm_check['keys_not_found'] or 'policies' in dm_check['keys_no_data']:
+            self.model_data['vxlan']['policy']['policies'] = []
+
+        parent_keys = ['vxlan', 'policy', 'groups']
+        dm_check = data_model_key_check(self.model_data, parent_keys)
+        if 'groups' in dm_check['keys_not_found'] or 'groups' in dm_check['keys_no_data']:
+            self.model_data['vxlan']['policy']['groups'] = []
+
+        parent_keys = ['vxlan', 'policy', 'switches']
+        dm_check = data_model_key_check(self.model_data, parent_keys)
+        if 'switches' in dm_check['keys_not_found'] or 'switches' in dm_check['keys_no_data']:
+            self.model_data['vxlan']['policy']['switches'] = []
+
         self.kwargs['results']['model_extended'] = self.model_data
         return self.kwargs['results']

plugins/action/common/prepare_plugins/prep_107_policy.py

@@ -0,0 +1,43 @@
+# Copyright (c) 2024 Cisco Systems, Inc. and its affiliates
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+
+class PreparePlugin:
+    def __init__(self, **kwargs):
+        self.kwargs = kwargs
+        self.keys = []
+
+    def prepare(self):
+        model_data = self.kwargs['results']['model_extended']
+
+        # Ensure that vrf_lite's switches are mapping to their respective
+        # management IP address from topology switches
+        topology_switches = model_data['vxlan']['topology']['switches']
+        for switch in model_data['vxlan']['policy']['switches']:
+            if any(sw['name'] == switch['name'] for sw in topology_switches):
+                found_switch = next((item for item in topology_switches if item["name"] == switch['name']))
+                if found_switch.get('management').get('management_ipv4_address'):
+                    switch['name'] = found_switch['management']['management_ipv4_address']
+                elif found_switch.get('management').get('management_ipv6_address'):
+                    switch['name'] = found_switch['management']['management_ipv6_address']
+
+        self.kwargs['results']['model_extended'] = model_data
+        return self.kwargs['results']

roles/common_global/vars/main.yml

@@ -29,6 +29,7 @@ nac_tags:
     - cr_manage_vpc_peers
     - cr_manage_interfaces
     - cr_manage_vrfs_networks
+    - cr_manage_policy
     # -------------------------
     - rr_manage_interfaces
     - rr_manage_networks
@@ -48,6 +49,7 @@ nac_tags:
     - cr_manage_vpc_peers
     - cr_manage_interfaces
     - cr_manage_vrfs_networks
+    - cr_manage_policy
   create_fabric:
     - cr_manage_fabric
   create_switches:
@@ -58,6 +60,8 @@ nac_tags:
     - cr_manage_interfaces
   create_vrfs_networks:
     - cr_manage_vrfs_networks
+  create_policy:
+    - cr_manage_policy
   # All Remove Tags
   remove:
     - rr_manage_interfaces

roles/dtc/common/tasks/ndfc_policy.yml

@@ -0,0 +1,78 @@
+# Copyright (c) 2024 Cisco Systems, Inc. and its affiliates
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+---
+
+- name: Initialize changes_detected Var
+  ansible.builtin.set_fact:
+    changes_detected_policy: false
+  delegate_to: localhost
+
+- name: Set file_name Var
+  ansible.builtin.set_fact:
+    file_name: "{{ MD.vxlan.global.name }}_ndfc_policy.yml"
+  delegate_to: localhost
+
+- name: Stat Previous File If It Exists
+  ansible.builtin.stat:
+    path: "{{ role_path }}/files/{{ file_name }}"
+  register: data_file_previous
+  delegate_to: localhost
+  # TODO: Add capability to overridde path variable above for CI/CD pipeline
+
+- name: Backup Previous Data File If It Exists
+  ansible.builtin.copy:
+    src: "{{ role_path }}/files/{{ file_name }}"
+    dest: "{{ role_path }}/files/{{ file_name }}.old"
+  when: data_file_previous.stat.exists
+
+- name: Delete Previous Data File If It Exists
+  ansible.builtin.file:
+    state: absent
+    path: "{{ role_path }}/files/{{ file_name }}"
+  delegate_to: localhost
+  when: data_file_previous.stat.exists
+
+- name: Build Policy List From Template
+  ansible.builtin.template:
+    src: ndfc_policy.j2
+    dest: "{{ role_path }}/files/{{ file_name }}"
+  delegate_to: localhost
+
+- ansible.builtin.set_fact:
+    policy_config: "{{ lookup('file', file_name) | from_yaml }}"
+  when: (MD_Extended.vxlan.policy.policies | default([])) | length > 0
+  delegate_to: localhost
+
+- name: Diff Previous and Current Data Files
+  cisco.nac_dc_vxlan.dtc.diff_model_changes:
+    file_name_previous: "{{ role_path }}/files/{{ file_name }}.old"
+    file_name_current: "{{ role_path }}/files/{{ file_name }}"
+  register: file_diff_result
+  delegate_to: localhost
+
+- name: Set File Change Flag Based on File Diff Result
+  ansible.builtin.set_fact:
+    changes_detected_policy: true
+  delegate_to: localhost
+  when:
+    - file_diff_result.file_data_changed
+    - check_roles['save_previous']

roles/dtc/common/tasks/ndfc_vrfs.yml

@@ -80,4 +80,4 @@
   delegate_to: localhost
   when:
     - file_diff_result.file_data_changed
-    - check_roles['save_previous']
+    - check_roles['save_previous']

roles/dtc/common/tasks/sub_main.yml

@@ -145,6 +145,13 @@
 - name: Build Fabric interface All List From Template
   ansible.builtin.include_tasks: ndfc_interface_all.yml
 
+# --------------------------------------------------------------------
+# Build Fabric Policy List From Template
+# --------------------------------------------------------------------
+
+- name: Build Fabric Policy List From Template
+  ansible.builtin.include_tasks: ndfc_policy.yml
+
 - name: Run Diff Flags
   ansible.builtin.debug:
     msg:
@@ -168,7 +175,8 @@
       - "+     ----- All Interfaces -----"
       - "+     VRFs Changes Detected -                 [ {{ changes_detected_vrfs }} ]"
       - "+     Networks Changes Detected -             [ {{ changes_detected_networks }} ]"
+      - "+     Policy Changes Detected -               [ {{ changes_detected_policy }} ]"
       - "+     ----- Run Map -----"
       - "+     Run Map Diff Run -                      [ {{ run_map_read_result.diff_run }} ]"
-      - " +    Force Run Flag  -                       [ {{ force_run_all }} ]"
+      - "+     Force Run Flag  -                       [ {{ force_run_all }} ]"
       - "----------------------------------------------------------------"

roles/dtc/common/templates/ndfc_policy.j2

@@ -0,0 +1,41 @@
+---
+# This NDFC policy and switch attachments config data structure is auto-generated
+# DO NOT EDIT MANUALLY
+#
+- switch:
+{% for switch in MD_Extended.vxlan.policy.switches %}
+    - ip: {{ switch.name }}
+      policies:
+{% for group_entry in switch.groups %}
+{% set query = "[?(@.name==`" ~ group_entry ~ "`)]" %}
+{% set policy_group_match = MD_Extended.vxlan.policy.groups | community.general.json_query(query) | first %}
+{% for policy in policy_group_match.policies %}
+{% set query = "[?(@.name==`" ~ policy.name ~ "`)]" %}
+{% set policy_match = MD_Extended.vxlan.policy.policies | community.general.json_query(query) | first %}
+        - create_additional_policy: False
+          description: {{ policy_match.name }}
+{% if (policy_match.template_name is defined and policy_match.template_name) or (policy_match.filename is defined and policy_match.filename and (".yaml" in policy_match.filename or ".yml" in policy_match.filename)) %}
+          name: {{ policy_match.template_name | default(defaults.vxlan.policy.template_name) }}
+{% elif policy_match.filename is defined and policy_match.filename and ".cfg" in policy_match.filename %}
+          name: {{ defaults.vxlan.policy.template_name }}
+{% endif %}
+          policy_vars:
+{% if policy_match.template_vars is defined and policy_match.template_vars %}
+{% for key, value in policy_match.template_vars.items() %}
+{% if key == 'CONF' %}
+            {{ key }}: |-
+              {{ value | indent(14) }}
+{% else %}
+              {{ key }}: {{ value | to_nice_yaml(indent=2) | indent(10) | trim }}
+{% endif %}
+{% endfor %}
+{% elif policy_match.filename is defined and policy_match.filename and (".yaml" in policy_match.filename or ".yml" in policy_match.filename) %}
+            {{ lookup('ansible.builtin.file', policy_match.filename) | indent(12) }}
+{% elif policy_match.filename is defined and policy_match.filename and ".cfg" in policy_match.filename %}
+            CONF: |-
+              {{ lookup('ansible.builtin.file', policy_match.filename) | indent(14) | trim }}
+{% endif %}
+          priority: {{ policy.priority | default(policy_group_match.priority) | default(defaults.vxlan.policy.priority) }}
+{% endfor %}
+{% endfor %}
+{% endfor %}

roles/dtc/create/tasks/main.yml

@@ -23,7 +23,7 @@
 
 - name: Import Role Tasks
   ansible.builtin.import_tasks: sub_main.yml
-  when: changes_detected_fabric or changes_detected_inventory or changes_detected_vpc_peering or changes_detected_interfaces or changes_detected_link_vpc_peering or changes_detected_vrfs or changes_detected_networks
+  when: changes_detected_fabric or changes_detected_inventory or changes_detected_vpc_peering or changes_detected_interfaces or changes_detected_link_vpc_peering or changes_detected_vrfs or changes_detected_networks or changes_detected_policy
 
 - name: Mark Stage Role Create Completed
   cisco.nac_dc_vxlan.common.run_map:

roles/dtc/create/tasks/policies.yml

@@ -0,0 +1,41 @@
+# Copyright (c) 2024 Cisco Systems, Inc. and its affiliates
+#
+# Permission is hereby granted, free of charge, to any person obtaining a copy of
+# this software and associated documentation files (the "Software"), to deal in
+# the Software without restriction, including without limitation the rights to
+# use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of
+# the Software, and to permit persons to whom the Software is furnished to do so,
+# subject to the following conditions:
+#
+# The above copyright notice and this permission notice shall be included in all
+# copies or substantial portions of the Software.
+#
+# THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+# IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS
+# FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR
+# COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER
+# IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
+# CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+#
+# SPDX-License-Identifier: MIT
+
+---
+
+- name: Manage Policies Entry Point
+  ansible.builtin.debug:
+    msg:
+      - "----------------------------------------------------------------"
+      - "+     Manage Policies Fabric {{ MD.vxlan.global.name }}"
+      - "----------------------------------------------------------------"
+
+# --------------------------------------------------------------------
+# Manage VRF Configuration on NDFC
+# --------------------------------------------------------------------
+- name: Manage NDFC Fabric Policies
+  cisco.dcnm.dcnm_policy:
+    fabric: "{{ MD.vxlan.global.name }}"
+    use_desc_as_key: true
+    config: "{{ policy_config }}"
+    deploy: false
+    state: merged
+  register: manage_policies_result

roles/dtc/create/tasks/sub_main.yml

@@ -65,4 +65,11 @@
   when:
     - (MD.vxlan.overlay_services is defined) and (MD_Extended.vxlan.topology.switches | length > 0)
     - changes_detected_vrfs or changes_detected_networks
-  tags: "{{ nac_tags.create_vrfs_networks }}"
+  tags: "{{ nac_tags.create_vrfs_networks }}"
+
+- name: Manage NDFC Fabric Policies
+  ansible.builtin.import_tasks: policies.yml
+  when: 
+    - (MD_Extended.vxlan.policy is defined) and (MD_Extended.vxlan.policy.policies | length > 0)
+    - changes_detected_policy
+  tags: "{{ nac_tags.create_policy }}"

roles/dtc/deploy/tasks/main.yml

@@ -24,7 +24,7 @@
 - name: Import Role Tasks
   ansible.builtin.import_tasks: sub_main.yml
   tags: "{{ nac_tags.create }}" # Tags defined in roles/common_global/vars/main.yml
-  when: changes_detected_fabric or changes_detected_inventory or changes_detected_vpc_peering or changes_detected_interfaces or changes_detected_link_vpc_peering or changes_detected_vrfs or changes_detected_networks
+  when: changes_detected_fabric or changes_detected_inventory or changes_detected_vpc_peering or changes_detected_interfaces or changes_detected_link_vpc_peering or changes_detected_vrfs or changes_detected_networks or changes_detected_policy
 
 - name: Mark Stage Role Deploy Completed
   cisco.nac_dc_vxlan.common.run_map:

roles/render/tasks/main.yml

@@ -20,4 +20,4 @@
 # SPDX-License-Identifier: MIT
 
 ---
-# tasks file for render
+# tasks file for render

roles/validate/defaults/main.yml

@@ -253,3 +253,6 @@ defaults:
               disable_connected_check: false
               remove_private_as: false
               remove_private_as_all: false
+    policy:
+      template_name: switch_freeform
+      priority: 500