NAC: Issue with Module "aci_rest_managed.mcpInstPol" during apply

matze123
Level 1

Hi guys,

For a few days now I have had the issue that my terraform apply doesn't work anymore. A few weeks ago it worked fine and I haven't changed any versions.

Anytime I try to deploy Access Policies I see the following change:

 

  # module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol will be updated in-place
  ~ resource "aci_rest_managed" "mcpInstPol" {
      ~ content    = {
          ~ "adminSt"        = "disabled" -> "enabled"
            # (7 unchanged elements hidden)
        }
        id         = "uni/infra/mcpInstP-default"
        # (3 unchanged attributes hidden)
    }

 

But I don't configure the MCP Policy in my yaml files and I want it to stay default (disabled).
During the deploy, I got this error:

 

Error: The post rest request failed
│ 
│   with module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol,
│   on .terraform/modules/aci/modules/terraform-aci-mcp/main.tf line 1, in resource "aci_rest_managed" "mcpInstPol":
│    1: resource "aci_rest_managed" "mcpInstPol" {
│ 
│ Code: 400 Response: [map[error:map[attributes:map[code:182 text:Password is required for MCP Instance Policy.]]]], err: %!s(<nil>). Please report this issue to the provider developers.

 

I know that I need a key for MCP configurations, but I don't even configure anything for MCP. I just want it to stay default.
Can someone help me with this issue?
Here is my main.tf:

 

terraform {
  required_providers {
    aci = {
      source = "CiscoDevNet/aci"
      version = "2.13.2"
    }
  }
}

provider "aci" {
  username = "admin"
  password = "xxx"
  url      = "https://xx.xx.xx.xx/"
}

module "aci" {
  source  = "netascode/nac-aci/aci"
  version = "0.8.1"

  yaml_directories = ["data"]

  manage_access_policies    = true
  manage_fabric_policies    = false
  manage_pod_policies       = false
  manage_node_policies      = true
  manage_interface_policies = false
  manage_tenants            = true
}

 

 Thanks in advance.

Greets,
Mathias

Accepted Solutions

danischm
Cisco Employee

I have added an explanation to the GitHub issue here: https://github.com/netascode/terraform-aci-nac-aci/issues/64#issuecomment-2024852152

Hopefully this clarifies the behavior.

3 Replies

mfr-6
Level 1

Hi @matze123

I've got the same issue. I added my 2 cents to the issue already reported; you can see it here: https://github.com/netascode/terraform-aci-nac-aci/issues/64

I'll try to contact the team if no further action is taken since this also blocks me a bit.

 


But I don't configure the MCP Policy in my yaml files and I want it to stay default (disabled).


The problem is that "defaults" in NAC makes terraform deploy this resource with predefined parameters as shown below:

 

      mcp:
        admin_state: true
        per_vlan: true
        action: true
        key: cisco
        loop_detection: 3
        initial_delay: 180
        frequency_sec: 2
        frequency_msec: 0

 



Mateusz Frak NetDevOps | DevNet | Automation
Please mark this post as helpful if it solves your issue, to make this visible for other users, thank you!
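
A pre-apply check for the kind of surprise described in this thread, as an added example that is not part of the original posts or of the NAC project: it reads the JSON form of a saved plan (`terraform plan -out=tfplan`, then `terraform show -json tfplan`) and lists changed `content` keys on `aci_rest_managed` resources that fall outside the modules you expected to change. The sample plan is constructed from the diff shown above; the function names and the `aci_tenant` prefix are assumptions.

```python
import json

MCP_ADDR = "module.aci.module.aci_mcp[0].aci_rest_managed.mcpInstPol"

# Constructed sample in the shape of `terraform show -json` output, mirroring
# the in-place update from the thread (the 7 unchanged content keys are omitted).
SAMPLE_PLAN = json.dumps({"resource_changes": [
    {"address": MCP_ADDR,
     "type": "aci_rest_managed",
     "change": {"actions": ["update"],
                "before": {"id": "uni/infra/mcpInstP-default",
                           "content": {"adminSt": "disabled"}},
                "after": {"id": "uni/infra/mcpInstP-default",
                          "content": {"adminSt": "enabled"}}}},
    # Hypothetical unchanged resource, included to show it is ignored.
    {"address": "aci_rest_managed.example_noop",
     "type": "aci_rest_managed",
     "change": {"actions": ["no-op"],
                "before": {"content": {"name": "a"}},
                "after": {"content": {"name": "a"}}}},
]})

def content_changes(plan_json):
    """Return {address: {key: (before, after)}} for updated aci_rest_managed resources."""
    findings = {}
    for rc in json.loads(plan_json).get("resource_changes", []):
        change = rc.get("change", {})
        if rc.get("type") != "aci_rest_managed" or "update" not in change.get("actions", []):
            continue
        before = (change.get("before") or {}).get("content") or {}
        after = (change.get("after") or {}).get("content") or {}
        diff = {k: (before.get(k), after.get(k))
                for k in sorted(set(before) | set(after))
                if before.get(k) != after.get(k)}
        if diff:
            findings[rc["address"]] = diff
    return findings

def unexpected(findings, expected_prefixes):
    """Addresses with changes that no operator-supplied expected prefix covers."""
    return [a for a in findings if not any(a.startswith(p) for p in expected_prefixes)]

if __name__ == "__main__":
    found = content_changes(SAMPLE_PLAN)
    # Assumption: this run was only meant to touch tenant objects.
    for addr in unexpected(found, ["module.aci.module.aci_tenant"]):
        print("unexpected change:", addr, found[addr])
```
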

Hi Mateusz,
thanks for your reply and for the GitHub issue. Hopefully this will solve our problems.

What surprises me a little is that this problem is occurring now and it wasn't 4 weeks ago (before my vacation). With the same code, same versions and the same ACI simulator to test the code.
