[ignore_changes] Added comments for mac_sec_keys.

plugins/module_utils/constants.py

@@ -25,8 +25,17 @@
 NDO_API_VERSION_FORMAT = "/mso/api/{api_version}"
 NDO_API_VERSION_PATH_FORMAT = "/mso/api/{api_version}/{path}"
 
-NDO_CIPHER_SUITE_MAP = {"128_gcm_aes": "128GcmAes", "128_gcm_aes_xpn": "128GcmAesXpn", "256_gcm_aes": "256GcmAes", "256_gcm_aes_xpn": "256GcmAesXpn"}
-NDO_SECURITY_POLICY_MAP = {"should_secure": "shouldSecure", "must_secure": "mustSecure"}
+NDO_CIPHER_SUITE_MAP = {
+    "128_gcm_aes": "128GcmAes",
+    "128_gcm_aes_xpn": "128GcmAesXpn",
+    "256_gcm_aes": "256GcmAes",
+    "256_gcm_aes_xpn": "256GcmAesXpn",
+}
+
+NDO_SECURITY_POLICY_MAP = {
+    "should_secure": "shouldSecure",
+    "must_secure": "mustSecure",
+}
 
 EPG_U_SEG_ATTR_TYPE_MAP = {
     "ip": "ip",

plugins/modules/ndo_mac_sec_policy.py

@@ -96,6 +96,8 @@
   mac_sec_key:
     description:
     - List of the MACSec Keys.
+    - Providing an empty list will remove the O(mac_sec_key) from the MACSec Policy.
+    - The old O(mac_sec_key) entries will be replaced with the new entries during update.
     type: list
     elements: dict
     suboptions:
@@ -232,9 +234,9 @@ def main():
             description=dict(type="str"),
             admin_state=dict(type="str", choices=["enabled", "disabled"]),
             interface_type=dict(type="str", choices=["fabric", "access"], default="fabric"),
-            cipher_suite=dict(type="str", choices=["128_gcm_aes", "128_gcm_aes_xpn", "256_gcm_aes", "256_gcm_aes_xpn"]),
+            cipher_suite=dict(type="str", choices=list(NDO_CIPHER_SUITE_MAP)),
             window_size=dict(type="int"),
-            security_policy=dict(type="str", choices=["should_secure", "must_secure"]),
+            security_policy=dict(type="str", choices=list(NDO_SECURITY_POLICY_MAP)),
             sak_expiry_time=dict(type="int"),
             confidentiality_offset=dict(type="int", choices=[0, 30, 50]),
             key_server_priority=dict(type="int"),
@@ -257,7 +259,7 @@ def main():
         argument_spec=argument_spec,
         supports_check_mode=True,
         required_if=[
-            ["state", "present", ["mac_sec_policy"]],
+            ["state", "present", ["mac_sec_policy", "mac_sec_policy_uuid"], True],
             ["state", "absent", ["mac_sec_policy", "mac_sec_policy_uuid"], True],
         ],
     )
@@ -270,9 +272,9 @@ def main():
     description = module.params.get("description")
     admin_state = module.params.get("admin_state")
     interface_type = module.params.get("interface_type")
-    cipher_suite = module.params.get("cipher_suite")
+    cipher_suite = NDO_CIPHER_SUITE_MAP.get(module.params.get("cipher_suite"))
     window_size = module.params.get("window_size")
-    security_policy = module.params.get("security_policy")
+    security_policy = NDO_SECURITY_POLICY_MAP.get(module.params.get("security_policy"))
     sak_expiry_time = module.params.get("sak_expiry_time")
     confidentiality_offset = module.params.get("confidentiality_offset")
     key_server_priority = module.params.get("key_server_priority")
@@ -302,8 +304,6 @@ def main():
 
     if state == "present":
 
-        mso.existing = {}
-
         if match:
 
             if mac_sec_policy and match.details.get("name") != mac_sec_policy:
@@ -322,18 +322,16 @@ def main():
                 mso.fail_json(msg="Type cannot be changed for an existing MACSec Policy.")
 
             if cipher_suite and match.details.get("macsecParams")["cipherSuite"] != cipher_suite:
-                ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=NDO_CIPHER_SUITE_MAP.get(cipher_suite)))
-                match.details["macsecParams"]["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite)
+                ops.append(dict(op="replace", path="{0}/{1}/macsecParams/cipherSuite".format(path, match.index), value=cipher_suite))
+                match.details["macsecParams"]["cipherSuite"] = cipher_suite
 
             if window_size and match.details.get("macsecParams")["windowSize"] != window_size:
                 ops.append(dict(op="replace", path="{0}/{1}/macsecParams/windowSize".format(path, match.index), value=window_size))
                 match.details["macsecParams"]["windowSize"] = window_size
 
             if security_policy and match.details.get("macsecParams")["securityPol"] != security_policy:
-                ops.append(
-                    dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=NDO_SECURITY_POLICY_MAP.get(security_policy))
-                )
-                match.details["macsecParams"]["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy)
+                ops.append(dict(op="replace", path="{0}/{1}/macsecParams/securityPol".format(path, match.index), value=security_policy))
+                match.details["macsecParams"]["securityPol"] = security_policy
 
             if sak_expiry_time and match.details.get("macsecParams")["sakExpiryTime"] != sak_expiry_time:
                 ops.append(dict(op="replace", path="{0}/{1}/macsecParams/sakExpiryTime".format(path, match.index), value=sak_expiry_time))
@@ -342,15 +340,16 @@ def main():
             if interface_type == "access":
                 if confidentiality_offset and match.details.get("macsecParams")["confOffSet"] != confidentiality_offset:
                     ops.append(
-                        dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset" + str(confidentiality_offset))
+                        dict(op="replace", path="{0}/{1}/macsecParams/confOffSet".format(path, match.index), value="offset{0}".format(confidentiality_offset))
                     )
-                    match.details["macsecParams"]["confOffSet"] = "offset" + str(confidentiality_offset)
+                    match.details["macsecParams"]["confOffSet"] = "offset{0}".format(confidentiality_offset)
 
                 if key_server_priority and match.details.get("macsecParams")["keyServerPrio"] != key_server_priority:
                     ops.append(dict(op="replace", path="{0}/{1}/macsecParams/keyServerPrio".format(path, match.index), value=key_server_priority))
                     match.details["macsecParams"]["keyServerPrio"] = key_server_priority
 
             if mac_sec_keys:
+                # updating mac_sec_keys modifies the existing list with the new list
                 mac_sec_keys_list = []
                 for mac_sec_key in mac_sec_keys:
                     mac_sec_keys_list.append(
@@ -367,7 +366,7 @@ def main():
             elif mac_sec_keys == []:
                 # remove mac_sec_keys if the list is empty
                 ops.append(dict(op="remove", path="{0}/{1}/macsecKeys".format(path, match.index)))
-                match.details.pop("macsecKeys")
+                match.details.pop("macsecKeys", None)
 
             mso.sanitize(match.details)
 
@@ -382,17 +381,17 @@ def main():
             if admin_state:
                 payload["adminState"] = admin_state
             if cipher_suite:
-                mac_sec_param_map["cipherSuite"] = NDO_CIPHER_SUITE_MAP.get(cipher_suite)
+                mac_sec_param_map["cipherSuite"] = cipher_suite
             if window_size:
                 mac_sec_param_map["windowSize"] = window_size
             if security_policy:
-                mac_sec_param_map["securityPol"] = NDO_SECURITY_POLICY_MAP.get(security_policy)
+                mac_sec_param_map["securityPol"] = security_policy
             if sak_expiry_time:
                 mac_sec_param_map["sakExpiryTime"] = sak_expiry_time
 
             if interface_type == "access":
                 if confidentiality_offset:
-                    mac_sec_param_map["confOffSet"] = "offset" + str(confidentiality_offset)
+                    mac_sec_param_map["confOffSet"] = "offset{0}".format(confidentiality_offset)
                 if key_server_priority:
                     mac_sec_param_map["keyServerPrio"] = key_server_priority
                 payload["macsecParams"] = mac_sec_param_map