cisco.dnac.device_credential_playbook_config_generator module -- Generate YAML configurations playbook for 'device_credential_workflow_manager' module.
Note
This module is part of the cisco.dnac collection (version 6.49.0).
To install it, use: ansible-galaxy collection install cisco.dnac.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: cisco.dnac.device_credential_playbook_config_generator.
New in cisco.dnac 6.44.0
Synopsis
Automates brownfield YAML playbook generation for device credential configurations deployed in Cisco Catalyst Center infrastructure.
Extracts global device credentials (CLI, HTTPS Read/Write, SNMPv2c Read/Write, SNMPv3) and site-specific credential assignments via REST APIs.
Generates YAML files compatible with device_credential_workflow_manager module for configuration documentation, credential auditing, disaster recovery, and multi-site credential standardization.
Supports auto-discovery mode for complete credential infrastructure extraction or component-based filtering for targeted extraction (global credentials, site assignments).
Masks sensitive fields (passwords, community strings, auth credentials) with Jinja2 variable placeholders for secure playbook generation.
Transforms camelCase API responses to snake_case YAML format with comprehensive header comments and metadata.
Requirements
The below requirements are needed on the host that executes this module.
dnacentersdk >= 2.10.10
python >= 3.9
PyYAML >= 5.1
Parameters
Parameter |
Comments |
|---|---|
A dictionary of filters for generating YAML playbook compatible with the `device_credential_workflow_manager` module. Filters specify which components to include in the YAML configuration file. If "components_list" is specified, only those components are included, regardless of the filters. If config is not provided or is empty, all configurations for all global_credential_details and assign_credentials_to_site will be generated. This is useful for complete brownfield infrastructure discovery and documentation. |
|
Filters to specify which components to include in the YAML configuration file. If "components_list" is specified, only those components are included, regardless of other filters. If filters for specific components (e.g., global_credential_details or assign_credentials_to_site) are provided without explicitly including them in components_list, those components will be automatically added to components_list. At least one of components_list or component filters must be provided. |
|
Filters for site-specific credential assignment extraction. Extracts credential assignments for specified site hierarchical paths. Site names must be full hierarchical paths (case-sensitive). If not specified when component included in components_list, extracts all site credential assignments. |
|
List of site hierarchical paths to extract credential assignments. Site names must match exact hierarchical paths in Catalyst Center (case-sensitive). Extracts CLI, HTTPS Read/Write, SNMPv2c Read/Write, and SNMPv3 credential assignments per site. For example, ["Global/India/Assam", "Global/India/Haryana"] |
|
List of credential components to include in YAML configuration. Valid values are 'global_credential_details' for global credentials and 'assign_credentials_to_site' for site-specific assignments. If specified, only the listed components will be included in the generated YAML file. If not specified but component filters (global_credential_details or assign_credentials_to_site) are provided, those components are automatically added to this list. If neither components_list nor any component filters are provided, an error will be raised. Choices: |
|
Filters for global device credential extraction. Extracts only credentials matching specified descriptions. Each credential type (cli_credential, https_read, https_write, snmp_v2c_read, snmp_v2c_write, snmp_v3) can be filtered independently. Description values must match exactly as configured in Catalyst Center (case-sensitive). If credential type not specified, all credentials of that type extracted. |
|
List of CLI credential descriptions to extract. Extracts CLI credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "WLC_CLI"}, {"description": "Router_CLI"}] |
|
Exact description of CLI credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
List of HTTPS Read credential descriptions to extract. Extracts HTTPS Read credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "HTTPS_Read_Admin"}] |
|
Exact description of HTTPS Read credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
List of HTTPS Write credential descriptions to extract. Extracts HTTPS Write credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "HTTPS_Write_Admin"}] |
|
Exact description of HTTPS Write credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
List of SNMPv2c Read credential descriptions to extract. Extracts SNMPv2c Read credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "SNMP_RO_Community"}] |
|
Exact description of SNMPv2c Read credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
List of SNMPv2c Write credential descriptions to extract. Extracts SNMPv2c Write credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "SNMP_RW_Community"}] |
|
Exact description of SNMPv2c Write credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
List of SNMPv3 credential descriptions to extract. Extracts SNMPv3 credentials with matching description field. Each list item contains description key for filtering. For example: [{"description": "SNMPv3_Admin"}] |
|
Exact description of SNMPv3 credential to extract. Must match Catalyst Center credential description exactly (case-sensitive). |
|
Defines the timeout in seconds for API calls to retrieve task details. If the task details are not received within this period, the process will end, and a timeout notification will be logged. Default: `1200` |
|
Indicates whether debugging is enabled in the Cisco Catalyst Center SDK. Choices: |
|
The hostname of the Cisco Catalyst Center. |
|
Flag to enable/disable playbook execution logging. When true and dnac_log_file_path is provided, - Create the log file at the execution location with the specified name. When true and dnac_log_file_path is not provided, - Create the log file at the execution location with the name 'dnac.log'. When false, - Logging is disabled. If the log file doesn't exist, - It is created in append or write mode based on the "dnac_log_append" flag. If the log file exists, - It is overwritten or appended based on the "dnac_log_append" flag. Choices: |
|
Determines the mode of the file. Set to True for 'append' mode. Set to False for 'write' mode. Choices: |
|
Governs logging. Logs are recorded if dnac_log is True. If path is not specified, - When 'dnac_log_append' is True, 'dnac.log' is generated in the current Ansible directory; logs are appended. - When 'dnac_log_append' is False, 'dnac.log' is generated; logs are overwritten. If path is specified, - When 'dnac_log_append' is True, the file opens in append mode. - When 'dnac_log_append' is False, the file opens in write (w) mode. - In shared file scenarios, without append mode, content is overwritten after each module execution. - For a shared log file, set append to False for the 1st module (to overwrite); for subsequent modules, set append to True. Default: `"dnac.log"` |
|
Sets the threshold for log level. Messages with a level equal to or higher than this will be logged. Levels are listed in order of severity [CRITICAL, ERROR, WARNING, INFO, DEBUG]. CRITICAL indicates serious errors halting the program. Displays only CRITICAL messages. ERROR indicates problems preventing a function. Displays ERROR and CRITICAL messages. WARNING indicates potential future issues. Displays WARNING, ERROR, CRITICAL messages. INFO tracks normal operation. Displays INFO, WARNING, ERROR, CRITICAL messages. DEBUG provides detailed diagnostic info. Displays all log messages. Default: `"WARNING"` |
|
The password for authentication at the Cisco Catalyst Center. |
|
Specifies the port number associated with the Cisco Catalyst Center. Default: `"443"` |
|
Specifies the interval in seconds between successive calls to the API to retrieve task details. Default: `2` |
|
The username for authentication at the Cisco Catalyst Center. Default: `"admin"` |
|
Flag to enable or disable SSL certificate verification. Choices: |
|
Specifies the version of the Cisco Catalyst Center that the SDK should use. Default: `"2.2.3.3"` |
|
Controls how config is written to the YAML file.
Choices: |
|
Absolute or relative path for YAML configuration file output. If not provided, generates default filename in current working directory with pattern Example default filename Directory created automatically if path does not exist. Supports YAML file extension (.yml or .yaml). |
|
Desired state for YAML playbook generation workflow. Only 'gathered' state supported for brownfield credential extraction. Choices: |
|
Flag for Cisco Catalyst Center SDK to enable the validation of request bodies against a JSON schema. Choices: |
Notes
SDK methods utilized - discovery.get_all_global_credentials, site_design.get_sites, network_settings.get_device_credential_settings_for_a_site
API paths utilized - GET /dna/intent/api/v2/global-credential, GET /dna/intent/api/v1/sites, GET /dna/intent/api/v1/sites/${id}/deviceCredentials
Module is idempotent; multiple runs generate identical YAML content except timestamp in header comments.
Check mode supported; validates parameters without file generation.
Sensitive credential fields (passwords, community strings, auth credentials) masked with Jinja2 variable placeholders (e.g., {{ cli_credential_wlc_password }}).
Generated YAML uses OrderedDumper for consistent key ordering enabling version control.
Description-based filtering is case-sensitive and requires exact matches.
Site hierarchical paths must match exact Catalyst Center site structure.
Auto-population of components_list: If component-specific filters (such as global_credential_details or assign_credentials_to_site) are provided without explicitly including them in components_list, those components will be automatically added to components_list. This simplifies configuration by eliminating the need to redundantly specify components in both places.
Example of auto-population behavior: If you provide filters for global_credential_details without including global_credential_details in components_list, the module will automatically add global_credential_details to components_list before processing. This allows you to write more concise playbooks.
Validation requirements: If component_specific_filters is provided, at least one of the following must be true - (1) components_list contains at least one component, OR (2) Component-specific filters (e.g., global_credential_details, assign_credentials_to_site) are provided. If neither condition is met, the module will fail with a validation error.
Does not support check_mode
The plugin runs on the control node and does not use any Ansible connection plugins; instead it uses the embedded connection manager from the Cisco Catalyst Center SDK
The parameters starting with dnac_ are used by the Cisco Catalyst Center Python SDK to establish the connection
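An added example, not part of the cisco.dnac collection: a check to run before committing a generated playbook, confirming that secret-bearing fields hold only Jinja2 placeholders as the masking note above describes. The key names in `SENSITIVE_KEYS` and the sample YAML are assumptions constructed for illustration.

```python
import re

# Assumption: secret-bearing key names; they are not listed on this page,
# so adjust the set to the keys present in your generated file.
SENSITIVE_KEYS = {"password", "enable_password", "read_community",
                  "write_community", "auth_password", "privacy_password"}

# A masked value is exactly one Jinja2 variable reference, optionally quoted.
PLACEHOLDER = re.compile(r"""^["']?\{\{\s*[A-Za-z_]\w*\s*\}\}["']?$""")
KEY_VALUE = re.compile(r"^\s*(?:-\s+)?([A-Za-z_]\w*)\s*:\s*(.*?)\s*$")


def find_unmasked_secrets(yaml_text):
    """Return [(line_number, key)] for sensitive keys holding a literal value."""
    findings = []
    for number, line in enumerate(yaml_text.splitlines(), start=1):
        match = KEY_VALUE.match(line)
        if not match or match.group(1) not in SENSITIVE_KEYS:
            continue
        value = re.sub(r"\s+#.*$", "", match.group(2))  # drop trailing comment
        if value and not PLACEHOLDER.match(value):
            findings.append((number, match.group(1)))
    return findings


# Constructed sample shaped like a generated playbook; not real output.
SAMPLE = """\
config:
  - global_credential_details:
      cli_credential:
        - description: WLC_CLI
          username: netadmin
          password: "{{ cli_credential_wlc_password }}"
          enable_password: Sup3rS3cret
      snmp_v2c_read:
        - description: SNMP_RO_Community
          read_community: public
      snmp_v3:
        - description: SNMPv3_Admin
          auth_password: "{{ snmp_v3_admin_auth_password }}"
"""

if __name__ == "__main__":
    for number, key in find_unmasked_secrets(SAMPLE):
        print(f"line {number}: '{key}' holds a literal value, not a placeholder")
```

The scan is line-based so it needs only the standard library; a block scalar (`|`) under a sensitive key is reported as unmasked.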
See Also
- cisco.dnac.device_credential_workflow_manager
Module for managing device credential workflows in Cisco Catalyst Center.
Examples
```yaml
- name: Generate YAML playbook for device credential workflow manager which includes all global credentials and site assignments
  cisco.dnac.device_credential_playbook_config_generator:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: true
    dnac_log_level: DEBUG
    state: gathered
    file_mode: "overwrite"

- name: Generate YAML Configuration with File Path specified
  cisco.dnac.device_credential_playbook_config_generator:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: true
    dnac_log_level: DEBUG
    state: gathered
    file_mode: "append"
    file_path: "device_credential_config.yml"

- name: Generate YAML Configuration with specific component global credential filters
  cisco.dnac.device_credential_playbook_config_generator:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: true
    dnac_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "overwrite"
    config:
      component_specific_filters:
        components_list: ["global_credential_details"]
        global_credential_details:
          cli_credential:
            - description: test
          https_read:
            - description: http_read
          https_write:
            - description: http_write

- name: Generate YAML Configuration with specific component assign credentials to site filters
  cisco.dnac.device_credential_playbook_config_generator:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: true
    dnac_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "append"
    config:
      component_specific_filters:
        components_list: ["assign_credentials_to_site"]
        assign_credentials_to_site:
          site_name:
            - "Global/India/Assam"
            - "Global/India/Haryana"

- name: Generate YAML Configuration with both global credential and assign credentials to site filters
  cisco.dnac.device_credential_playbook_config_generator:
    dnac_host: "{{ dnac_host }}"
    dnac_username: "{{ dnac_username }}"
    dnac_password: "{{ dnac_password }}"
    dnac_verify: "{{ dnac_verify }}"
    dnac_port: "{{ dnac_port }}"
    dnac_version: "{{ dnac_version }}"
    dnac_debug: "{{ dnac_debug }}"
    dnac_log: true
    dnac_log_level: DEBUG
    state: gathered
    file_path: "device_credential_config.yml"
    file_mode: "append"
    config:
      component_specific_filters:
        components_list: ["global_credential_details", "assign_credentials_to_site"]
        global_credential_details:
          cli_credential:
            - description: test
          https_read:
            - description: http_read
          https_write:
            - description: http_write
        assign_credentials_to_site:
          site_name:
            - "Global/India/Assam"
            - "Global/India/TamilNadu"
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key |
Description |
|---|---|
Human-readable message describing the operation result. Indicates success, failure, or informational status of YAML generation. Provides high-level summary with file path and configuration counts for success scenarios. Provides error details for validation or generation failures. Returned: always |
|
Response returned when YAML configuration generation completes successfully with all requested credentials and site assignments extracted and written to file. Includes operation summary with component counts, configuration counts, and file path details. Generated YAML file contains formatted playbook compatible with Returned: always |
|
Response returned when no device credentials or site assignments are found matching the specified filters or in the Catalyst Center system. Operation status is No YAML file is created when no configurations are found.
Returned: always |
|
Response returned when playbook configuration parameters fail validation before YAML generation begins. Occurs when invalid filter parameters, incorrect data types, or unsupported component names are provided. No API calls executed and no file generation attempted. Error message provides specific validation failure details and allowed parameter values. Returned: always |