cisco.catalystcenter.device_credential_playbook_config_generator module -- Generate YAML configurations playbook for 'device_credential_workflow_manager' module.
Note
This module is part of the cisco.catalystcenter collection (version 2.9.0).
To install it, use: ansible-galaxy collection install cisco.catalystcenter.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: cisco.catalystcenter.device_credential_playbook_config_generator.
New in cisco.catalystcenter 6.44.0
Synopsis
Automates brownfield YAML playbook generation for device credential configurations deployed in Cisco Catalyst Center infrastructure.
Extracts global device credentials (CLI, HTTPS Read/Write, SNMPv2c Read/Write, SNMPv3) and site-specific credential assignments via REST APIs.
Generates YAML files compatible with device_credential_workflow_manager module for configuration documentation, credential auditing, disaster recovery, and multi-site credential standardization.
Supports auto-discovery mode for complete credential infrastructure extraction or component-based filtering for targeted extraction (global credentials, site assignments).
Masks sensitive fields (passwords, community strings, auth credentials) with Jinja2 variable placeholders for secure playbook generation.
Transforms camelCase API responses to snake_case YAML format with comprehensive header comments and metadata.
Requirements
The below requirements are needed on the host that executes this module.
catalystcentersdk >= 3.1.6.0.2
python >= 3.9
PyYAML >= 5.1
Parameters
Parameter |
Comments |
|---|---|
Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged. Default: 1200 |
|
Indicates whether debugging is enabled in the Cisco Catalyst Center SDK. Choices: |
|
The hostname of the Cisco Catalyst Center. |
|
Flag to enable/disable playbook execution logging. When true and catalystcenter_log_file_path is provided, - Create the log file at the execution location with the specified name. When true and catalystcenter_log_file_path is not provided, - Create the log file at the execution location with the name 'catalystcenter.log'. When false, - Logging is disabled. If the log file doesn't exist, - It is created in append or write mode based on the "catalystcenter_log_append" flag. If the log file exists, - It is overwritten or appended based on the "catalystcenter_log_append" flag. Choices: |
|
Determines the mode of the file. Set to True for 'append' mode. Set to False for 'write' mode. Choices: |
|
Governs logging. Logs are recorded if catalystcenter_log is True. If path is not specified, - When 'catalystcenter_log_append' is True, 'catalystcenter.log' is generated in the current Ansible directory; logs are appended. - When 'catalystcenter_log_append' is False, 'catalystcenter.log' is generated; logs are overwritten. If path is specified, - When 'catalystcenter_log_append' is True, the file opens in append mode. - When 'catalystcenter_log_append' is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True. |
|
Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG]. CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages. ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages. WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages. INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages. DEBUG provides detailed diagnostic info. Displays all log messages. Default: "WARNING" |
|
The password for authentication at the Cisco Catalyst Center. |
|
Specifies the port number associated with the Cisco Catalyst Center. Default: "443" |
|
Specifies the interval in seconds between successive calls to the API to retrieve task details. Default: 2 |
|
The username for authentication at the Cisco Catalyst Center. Default: "admin" |
|
Flag to enable or disable SSL certificate verification. Choices: |
|
Specifies the version of the Cisco Catalyst Center that the SDK should use. Default: "2.3.7.6" |
|
Top-level configuration block that controls the scope and filtering of the generated YAML playbook for the Contains If This is useful for complete brownfield infrastructure discovery and documentation. |
|
Container for all component-level and credential-level filters that control what is included in the generated YAML playbook. Holds If If per-component filters are provided without explicitly including them in At least one of |
|
Site-level credential assignments that map global credentials to specific sites in the Catalyst Center site hierarchy. This parameter accepts a list of site hierarchical path strings to control which site assignments are extracted into the generated YAML playbook. Each string must be a full hierarchical site path starting from "Global" (e.g., "Global/Region/Building"). Site names are case-sensitive and must match exact paths configured in Catalyst Center. If not specified when component is included in For example: ["Global/India/Assam", "Global/India/Haryana"] |
|
Selector that determines which top-level credential components are extracted from Catalyst Center and written to the YAML playbook. Valid values are If specified, only the listed components are included in the generated YAML file. If not specified but per-component filters ( If neither Choices: |
|
List of credential filter entries for global device credential extraction. Each entry specifies a credential
If When multiple entries with different If For example, [{"type": "cli_credential", "description": ["WLC", "Router_CLI"]}, {"type": "https_read"}, {"type": "snmp_v3", "description": ["SNMPv3_Admin"]}] |
|
Human-readable labels assigned to credentials in Catalyst Center, used here as filter values to select specific credentials of the given Each value must match a Catalyst Center credential description exactly (case-sensitive). If omitted or empty, all credentials of the specified When multiple entries share the same For example: ["WLC", "Router_CLI"] |
|
Credential type to filter. Must be one of cli_credential, https_read, https_write, snmp_v2c_read, snmp_v2c_write, snmp_v3. Choices: |
|
Controls how config is written to the YAML file.
Choices: |
|
Absolute or relative path for YAML configuration file output. If not provided, generates default filename in current working directory with pattern Example default filename Directory created automatically if path does not exist. Supports YAML file extension (.yml or .yaml). |
|
Desired state for YAML playbook generation workflow. Only 'gathered' state supported for brownfield credential extraction. Choices: |
|
Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema. Choices: |
Notes
SDK methods utilized - discovery.get_all_global_credentials, site_design.get_sites, network_settings.get_device_credential_settings_for_a_site
API paths utilized - GET /dna/intent/api/v2/global-credential, GET /dna/intent/api/v1/sites, GET /dna/intent/api/v1/sites/${id}/deviceCredentials
Module is idempotent; multiple runs generate identical YAML content except timestamp in header comments.
Check mode supported; validates parameters without file generation.
Sensitive credential fields (passwords, community strings, auth credentials) masked with Jinja2 variable placeholders (e.g., {{ cli_credential_wlc_password }}).
Generated YAML uses OrderedDumper for consistent key ordering enabling version control.
Description-based filtering is case-sensitive and requires exact matches.
Site hierarchical paths must match exact Catalyst Center site structure.
Auto-population of components_list: If component-specific filters (such as global_credential_details or assign_credentials_to_site) are provided without explicitly including them in components_list, those components will be automatically added to components_list. This simplifies configuration by eliminating the need to redundantly specify components in both places.
Example of auto-population behavior: If you provide filters for global_credential_details without including global_credential_details in components_list, the module will automatically add global_credential_details to components_list before processing. This allows you to write more concise playbooks.
Validation requirements: If component_specific_filters is provided, at least one of the following must be true - (1) components_list contains at least one component, OR (2) Component-specific filters (e.g., global_credential_details, assign_credentials_to_site) are provided. If neither condition is met, the module will fail with a validation error.
Does not support check_mode
The plugin runs on the control node and does not use any Ansible connection plugins; instead, it uses the embedded connection manager from the Cisco Catalyst Center SDK.
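A post-generation check for the masking behaviour described in the notes above, as an added example that is not part of the module or the collection: it scans a generated YAML file and reports any sensitive key whose value is a literal instead of a Jinja2 placeholder. The key names, the key-suffix rule and the sample document are assumptions made for illustration.

```python
import re

# Assumed key suffixes; the page names only the categories of masked fields.
SENSITIVE_KEY = re.compile(r"(password|community)$", re.IGNORECASE)
# Masked means the whole value is exactly one Jinja2 variable reference.
PLACEHOLDER = re.compile(r"^\{\{\s*[A-Za-z_]\w*\s*\}\}$")
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]\w*)\s*:\s*(.*)$")

# Constructed sample, not real module output; key names are assumed.
SAMPLE = """\
config:
  - global_credential_details:
      cli_credential:
        - description: WLC
          password: "{{ cli_credential_wlc_password }}"
          enable_password: literal-left-in-file
      snmp_v2c_read:
        - read_community: public  # unmasked community string
      snmp_v3:
        - auth_type: SHA
          auth_password: "{{ snmp_v3_admin_auth_password }}"
"""


def scalar(raw):
    """Strip surrounding quotes, or a trailing comment from a plain scalar."""
    value = raw.strip()
    if value[:1] in ("'", '"'):
        end = value.find(value[0], 1)
        return value[1:end] if end != -1 else value[1:]
    return re.sub(r"(^|\s+)#.*$", "", value).strip()


def find_unmasked(yaml_text):
    """Return (line_number, key) for each sensitive key holding a literal."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match or line.lstrip().startswith("#"):
            continue
        key, value = match.group(1), scalar(match.group(2))
        if SENSITIVE_KEY.search(key) and value and not PLACEHOLDER.match(value):
            findings.append((number, key))
    return findings


if __name__ == "__main__":
    for number, key in find_unmasked(SAMPLE):
        print(f"line {number}: {key} is not a Jinja2 placeholder")
```

Running it as a pre-commit or CI step on the `file_path` output keeps a hand-edited or appended file from reaching version control with a literal secret in it.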
See Also
- cisco.catalystcenter.device_credential_workflow_manager
Module for managing device credential workflows in Cisco Catalyst Center.
Examples
- name: Generate YAML playbook for device credential workflow manager
    which includes all global credentials and site assignments
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_mode: "overwrite"
- name: Generate YAML Configuration with File Path specified
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_mode: "append"
    file_path: "device_credential_config.yml"
- name: Generate YAML Configuration with specific component global credential filters
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "overwrite"
    config:
      component_specific_filters:
        components_list: ["global_credential_details"]
        global_credential_details:
          - type: cli_credential
            description:
              - WLC
              - Router_CLI
          - type: https_read
            description:
              - http_read
          - type: https_write
            description:
              - http_write
          - type: snmp_v2c_read
          - type: snmp_v2c_write
          - type: snmp_v3
- name: Generate YAML Configuration with specific component assign credentials to site filters
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "append"
    config:
      component_specific_filters:
        components_list: ["assign_credentials_to_site"]
        assign_credentials_to_site:
          - "Global/India/Assam"
          - "Global/India/Haryana"
- name: Generate YAML with aggregated duplicate type filters
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    config:
      component_specific_filters:
        components_list:
          - global_credential_details
        global_credential_details:
          # Two entries for same type; descriptions are merged
          - type: cli_credential
            description:
              - WLC
          - type: cli_credential
            description:
              - Router_CLI
          # Omitting description extracts all of this type
          - type: snmp_v3
- name: Generate YAML Configuration with both global credential and assign credentials to site filters
  cisco.catalystcenter.device_credential_playbook_config_generator:
    catalystcenter_host: "{{ catalystcenter_host }}"
    catalystcenter_username: "{{ catalystcenter_username }}"
    catalystcenter_password: "{{ catalystcenter_password }}"
    catalystcenter_verify: "{{ catalystcenter_verify }}"
    catalystcenter_port: "{{ catalystcenter_port }}"
    catalystcenter_version: "{{ catalystcenter_version }}"
    catalystcenter_debug: "{{ catalystcenter_debug }}"
    catalystcenter_log: true
    catalystcenter_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "append"
    config:
      component_specific_filters:
        components_list: ["global_credential_details", "assign_credentials_to_site"]
        global_credential_details:
          - type: cli_credential
            description:
              - WLC
          - type: https_read
            description:
              - http_read
          - type: https_write  # No description filter; extracts all
        assign_credentials_to_site:
          - "Global/India/Assam"
          - "Global/India/TamilNadu"
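A small model of the filter rules stated in the Notes and shown in the examples above (auto-population of components_list, the validation requirement, and merging of entries that share a type), added here as an illustration and not taken from the module's source. The function name is hypothetical, and the handling of an entry without a description alongside filtered entries of the same type is an assumption.

```python
VALID_COMPONENTS = ("global_credential_details", "assign_credentials_to_site")


def normalize_filters(component_specific_filters):
    """Model of the documented rules; returns (components_list, merged_types)."""
    filters = dict(component_specific_filters)
    components = list(filters.get("components_list") or [])
    unknown = [c for c in components if c not in VALID_COMPONENTS]
    if unknown:
        raise ValueError(f"unsupported components: {unknown}")
    # Auto-population: a component with its own filter is added if missing.
    for name in VALID_COMPONENTS:
        if filters.get(name) and name not in components:
            components.append(name)
    # Validation: a filter block that selects no component is rejected.
    if not components:
        raise ValueError("components_list or a per-component filter is required")
    # Merge entries sharing a type; None means "all credentials of this type".
    merged = {}
    for entry in filters.get("global_credential_details") or []:
        ctype, descs = entry["type"], entry.get("description") or []
        if not descs or merged.get(ctype, []) is None:
            merged[ctype] = None  # assumption: an unfiltered entry wins
        else:
            merged.setdefault(ctype, [])
            merged[ctype] += [d for d in descs if d not in merged[ctype]]
    return components, merged


if __name__ == "__main__":
    # Constructed input mirroring the "aggregated duplicate type" example,
    # with components_list left out to show auto-population.
    print(normalize_filters({"global_credential_details": [
        {"type": "cli_credential", "description": ["WLC"]},
        {"type": "cli_credential", "description": ["Router_CLI"]},
        {"type": "snmp_v3"},
    ]}))
```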
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
|---|---|
Human-readable message describing the operation result. Indicates success, failure, or informational status of YAML generation. Provides high-level summary with file path and configuration counts for success scenarios. Provides error details for validation or generation failures. Returned: always |
|
Response returned when YAML configuration generation completes successfully with all requested credentials and site assignments extracted and written to file. Includes operation summary with component counts, configuration counts, and file path details. Generated YAML file contains formatted playbook compatible with Returned: always |
|
Response returned when no device credentials or site assignments are found matching the specified filters or in the Catalyst Center system. Operation status is No YAML file is created when no configurations are found.
Returned: always |
|
Response returned when playbook configuration parameters fail validation before YAML generation begins. Occurs when invalid filter parameters, incorrect data types, or unsupported component names are provided. No API calls executed and no file generation attempted. Error message provides specific validation failure details and allowed parameter values. Returned: always |