Description
Prerequisites
- Have you tested the operation in the API directly?
- Do you have the latest ISE Collection version?
- Review the compatibility matrix before opening an issue.
Describe the bug
When running a play with module 'cisco.ise.egress_matrix_cell' to create a CTS egress matrix cell for the first time, the play completes and the configuration change is successful.
When running the same play a subsequent time, the playbook fails with a 400 error such as:
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: }
fatal: [ise32-3.ise.trappedunderise.com]: FAILED! => {"changed": false, "msg": "An error occured when executing operation. The error was: [400] - Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information\n{\n "ERSResponse" : {\n "operation" : "POST-create-egressmatrixcell",\n "messages" : [ {\n "title" : "Operation Egress Policy Matrix Create failed: Error : Cell Already Exsits !\n MATRIX_CELL failed. Look at the debug logs for more information",\n "type" : "ERROR",\n "code" : "CRUD operation exception"\n } ],\n "link" : {\n "rel" : "related",\n "href" : "https://ise32-3.ise.trappedunderise.com/ers/config/egressmatrixcell\",\n "type" : "application/xml"\n }\n }\n}"}
Expected behavior
The expected behaviour would be that the module recognises that the configuration already exists and skips the attempt to create the object again.
Environment (please complete the following information):
- ISE version and patch: 3.2 patch 4
- Ansible version: 2.15.5
- ISE collection version: 2.6.1
- ciscoisesdk version: 2.1.2
- Cisco ISE version: 3.2_beta
- OS version: MacOS 13.6.1
Ansible Playbook Code Example
tasks:
  #
  # Get Security Group and SGACL IDs
  #
  - name: Get default SGT ID - Employees
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Employees
      filterType: AND
    register: sgt_employees

  - name: Get default SGT ID - Developers
    cisco.ise.sgt_info:
      <<: *ise_login
      filter:
        - name.EQ.Developers
      filterType: AND
    register: sgt_developers

  #
  # Create New SGTs & SGACLs
  #
  - name: Create SGT - Shared_Services
    cisco.ise.sgt:
      <<: *ise_login
      state: present
      name: "Shared_Services"
      value: -1
    register: sgt_shared_services

  - name: Create SGACL - DENY_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "DENY_IP_ANY"
      aclcontent: "deny ip any any"
      description: "Deny IP Any"
      ipVersion: "IPV4"
    register: sgacl_deny_ip_any

  - name: Create SGACL - PERMIT_IP_ANY
    cisco.ise.sg_acl:
      <<: *ise_login
      state: present
      name: "PERMIT_IP_ANY"
      aclcontent: "permit ip any any"
      description: "Permit IP Any"
      ipVersion: "IPV4"
    register: sgacl_permit_ip_any

  #
  # Create Egress Matrix
  #
  - name: Create Egress Cell - Employees to Developers
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Deny Emp to Dev"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_developers.ise_response[0].id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-DEV"
      sgacls:
        - "{{ sgacl_deny_ip_any.ise_response.id }}"

  - name: Create Egress Cell - Employees to Shared_Services
    cisco.ise.egress_matrix_cell:
      <<: *ise_login
      state: present
      description: "Permit Emp to Shared Svc"
      sourceSgtId: "{{ sgt_employees.ise_response[0].id }}"
      destinationSgtId: "{{ sgt_shared_services.ise_response.id }}"
      matrixCellStatus: "ENABLED"
      name: "EMP-SHARED"
      sgacls:
        - "{{ sgacl_permit_ip_any.ise_response.id }}"
The previous plays execute without error when running multiple times, so the following modules exhibit the expected behaviour.
- cisco.ise.sgt
- cisco.ise.sg_acl
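As an added illustration of the idempotent lookup-before-create behaviour the report expects (example code, not the collection's own module), in Python against a constructed stand-in for the ERS endpoint; the name.EQ filter on egressmatrixcell and the response shapes are assumptions modelled on the sgt_info filter and the 400 error shown above:

```python
from dataclasses import dataclass, field

ERS_PATH = "/ers/config/egressmatrixcell"  # endpoint taken from the error in the report


@dataclass
class FakeErs:
    """Constructed stand-in for the ISE ERS API (no network). Stores cells by name and,
    like the real API in the report, answers 400 'Cell Already Exsits' on a duplicate POST."""
    cells: dict = field(default_factory=dict)
    posts: int = 0

    def get(self, path, params=None):
        # Assumed lookup: GET <ERS_PATH>?filter=name.EQ.<name> -> SearchResult.resources
        name = params["filter"].split("name.EQ.", 1)[1]
        found = [c for c in self.cells.values() if c["name"] == name]
        return 200, {"SearchResult": {"total": len(found), "resources": found}}

    def post(self, path, body):
        self.posts += 1
        cell = body["EgressMatrixCell"]
        if cell["name"] in self.cells:  # same wording (typo included) as the ERS response above
            return 400, {"ERSResponse": {"messages": [{"title": "Error : Cell Already Exsits !"}]}}
        self.cells[cell["name"]] = {"id": f"id-{len(self.cells) + 1}", **cell}
        return 201, {}


def ensure_egress_cell(api, cell):
    """Idempotent 'state: present': look the cell up by name first and only POST when absent.
    Returns (changed, result) the way an Ansible module reports it."""
    status, body = api.get(ERS_PATH, params={"filter": f"name.EQ.{cell['name']}"})
    resources = body.get("SearchResult", {}).get("resources", []) if status == 200 else []
    if resources:
        return False, resources[0]  # already present: no change and no create call
    status, body = api.post(ERS_PATH, {"EgressMatrixCell": cell})
    if status == 201:
        return True, cell
    # A cell created between the lookup and the POST still yields the 400 from the report;
    # treat that specific message as 'already present' instead of failing the play.
    titles = [m.get("title", "") for m in body.get("ERSResponse", {}).get("messages", [])]
    if status == 400 and any("Cell Already Exsits" in t for t in titles):
        return False, cell
    raise RuntimeError(f"[{status}] {titles}")
```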