diff --git a/lib/ansible/modules/network/nxos/nxos_ntp_auth.py b/lib/ansible/modules/network/nxos/nxos_ntp_auth.py
new file mode 100644
index 00000000000..2cd6b7ded3b
--- /dev/null
+++ b/lib/ansible/modules/network/nxos/nxos_ntp_auth.py
@@ -0,0 +1,566 @@
+#!/usr/bin/python
+#
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible. If not, see .
+#
+
+DOCUMENTATION = '''
+---
+
+module: nxos_ntp_auth
+version_added: "2.2"
+short_description: Manages NTP authentication.
+description:
+ - Manages NTP authentication.
+extends_documentation_fragment: nxos
+author:
+ - Jason Edelman (@jedelman8)
+notes:
+ - If C(state=absent), the moudle will attempt to remove the given key configuration.
+ If a matching key configuration isn't found on the device, the module will fail.
+ - If C(state=absent) and C(authentication=on), authentication will be turned off.
+ - If C(state=absent) and C(authentication=off), authentication will be turned on.
+options:
+ key_id:
+ description:
+ - Authentication key identifier (numeric).
+ required: true
+ md5string:
+ description:
+ - MD5 String.
+ required: true
+ default: null
+ auth_type:
+ description:
+ - Whether the given md5string is in cleartext or
+ has been encrypted. If in cleartext, the device
+ will encrypt it before storing it.
+ required: false
+ default: text
+ choices: ['text', 'encrypt']
+ trusted_key:
+ description:
+ - Whether the given key is required to be supplied by a time source
+ for the device to synchronize to the time source.
+ required: false
+ default: false
+ choices: ['true', 'false']
+ authentication:
+ description:
+ - Turns NTP authenication on or off.
+ required: false
+ default: null
+ choices: ['on', 'off']
+ state:
+ description:
+ - Manage the state of the resource.
+ required: false
+ default: present
+ choices: ['present','absent']
+'''
+
+EXAMPLES = '''
+# Basic NTP authentication configuration
+- nxos_ntp_auth:
+ key_id=32
+ md5string=hello
+ auth_type=text
+ host={{ inventory_hostname }}
+ username={{ un }}
+ password={{ pwd }}
+'''
+
+RETURN = '''
+proposed:
+ description: k/v pairs of parameters passed into module
+ returned: always
+ type: dict
+ sample: {"auth_type": "text", "authentication": "off",
+ "key_id": "32", "md5string": "helloWorld",
+ "trusted_key": "true"}
+existing:
+ description:
+ - k/v pairs of existing ntp authentication
+ type: dict
+ sample: {"authentication": "off", "trusted_key": "false"}
+end_state:
+ description: k/v pairs of ntp autherntication after module execution
+ returned: always
+ type: dict
+ sample: {"authentication": "off", "key_id": "32",
+ "md5string": "kapqgWjwdg", "trusted_key": "true"}
+state:
+ description: state as sent in from the playbook
+ returned: always
+ type: string
+ sample: "present"
+updates:
+ description: command sent to the device
+ returned: always
+ type: list
+ sample: ["ntp authentication-key 32 md5 helloWorld 0", "ntp trusted-key 32"]
+changed:
+ description: check to see if a change was made on the device
+ returned: always
+ type: boolean
+ sample: true
+'''
+
+
+import json
+
+# COMMON CODE FOR MIGRATION
+import re
+
+from ansible.module_utils.basic import get_exception
+from ansible.module_utils.netcfg import NetworkConfig, ConfigLine
+from ansible.module_utils.shell import ShellError
+
+try:
+ from ansible.module_utils.nxos import get_module
+except ImportError:
+ from ansible.module_utils.nxos import NetworkModule
+
+
+def to_list(val):
+ if isinstance(val, (list, tuple)):
+ return list(val)
+ elif val is not None:
+ return [val]
+ else:
+ return list()
+
+
+class CustomNetworkConfig(NetworkConfig):
+
+ def expand_section(self, configobj, S=None):
+ if S is None:
+ S = list()
+ S.append(configobj)
+ for child in configobj.children:
+ if child in S:
+ continue
+ self.expand_section(child, S)
+ return S
+
+ def get_object(self, path):
+ for item in self.items:
+ if item.text == path[-1]:
+ parents = [p.text for p in item.parents]
+ if parents == path[:-1]:
+ return item
+
+ def to_block(self, section):
+ return '\n'.join([item.raw for item in section])
+
+ def get_section(self, path):
+ try:
+ section = self.get_section_objects(path)
+ return self.to_block(section)
+ except ValueError:
+ return list()
+
+ def get_section_objects(self, path):
+ if not isinstance(path, list):
+ path = [path]
+ obj = self.get_object(path)
+ if not obj:
+ raise ValueError('path does not exist in config')
+ return self.expand_section(obj)
+
+
+ def add(self, lines, parents=None):
+ """Adds one or lines of configuration
+ """
+
+ ancestors = list()
+ offset = 0
+ obj = None
+
+ ## global config command
+ if not parents:
+ for line in to_list(lines):
+ item = ConfigLine(line)
+ item.raw = line
+ if item not in self.items:
+ self.items.append(item)
+
+ else:
+ for index, p in enumerate(parents):
+ try:
+ i = index + 1
+ obj = self.get_section_objects(parents[:i])[0]
+ ancestors.append(obj)
+
+ except ValueError:
+ # add parent to config
+ offset = index * self.indent
+ obj = ConfigLine(p)
+ obj.raw = p.rjust(len(p) + offset)
+ if ancestors:
+ obj.parents = list(ancestors)
+ ancestors[-1].children.append(obj)
+ self.items.append(obj)
+ ancestors.append(obj)
+
+ # add child objects
+ for line in to_list(lines):
+ # check if child already exists
+ for child in ancestors[-1].children:
+ if child.text == line:
+ break
+ else:
+ offset = len(parents) * self.indent
+ item = ConfigLine(line)
+ item.raw = line.rjust(len(line) + offset)
+ item.parents = ancestors
+ ancestors[-1].children.append(item)
+ self.items.append(item)
+
+
+def get_network_module(**kwargs):
+ try:
+ return get_module(**kwargs)
+ except NameError:
+ return NetworkModule(**kwargs)
+
+def get_config(module, include_defaults=False):
+ config = module.params['config']
+ if not config:
+ try:
+ config = module.get_config()
+ except AttributeError:
+ defaults = module.params['include_defaults']
+ config = module.config.get_config(include_defaults=defaults)
+ return CustomNetworkConfig(indent=2, contents=config)
+
+def load_config(module, candidate):
+ config = get_config(module)
+
+ commands = candidate.difference(config)
+ commands = [str(c).strip() for c in commands]
+
+ save_config = module.params['save']
+
+ result = dict(changed=False)
+
+ if commands:
+ if not module.check_mode:
+ try:
+ module.configure(commands)
+ except AttributeError:
+ module.config(commands)
+
+ if save_config:
+ try:
+ module.config.save_config()
+ except AttributeError:
+ module.execute(['copy running-config startup-config'])
+
+ result['changed'] = True
+ result['updates'] = commands
+
+ return result
+# END OF COMMON CODE
+
+
+def execute_config_command(commands, module):
+ try:
+ module.configure(commands)
+ except ShellError:
+ clie = get_exception()
+ module.fail_json(msg='Error sending CLI commands',
+ error=str(clie), commands=commands)
+ except AttributeError:
+ try:
+ commands.insert(0, 'configure')
+ module.cli.add_commands(commands, output='config')
+ module.cli.run_commands()
+ except ShellError:
+ clie = get_exception()
+ module.fail_json(msg='Error sending CLI commands',
+ error=str(clie), commands=commands)
+
+
+def get_cli_body_ssh(command, response, module):
+ """Get response for when transport=cli. This is kind of a hack and mainly
+ needed because these modules were originally written for NX-API. And
+ not every command supports "| json" when using cli/ssh. As such, we assume
+ if | json returns an XML string, it is a valid command, but that the
+ resource doesn't exist yet. Instead, the output will be a raw string
+ when issuing commands containing 'show run'.
+ """
+ if 'xml' in response[0]:
+ body = []
+ elif 'show run' in command:
+ body = response
+ else:
+ try:
+ if isinstance(response[0], str):
+ body = [json.loads(response[0])]
+ else:
+ body = response
+ except ValueError:
+ module.fail_json(msg='Command does not support JSON output',
+ command=command)
+ return body
+
+
+def execute_show(cmds, module, command_type=None):
+ command_type_map = {
+ 'cli_show': 'json',
+ 'cli_show_ascii': 'text'
+ }
+
+ try:
+ if command_type:
+ response = module.execute(cmds, command_type=command_type)
+ else:
+ response = module.execute(cmds)
+ except ShellError:
+ clie = get_exception()
+ module.fail_json(msg='Error sending {0}'.format(cmds),
+ error=str(clie))
+ except AttributeError:
+ try:
+ if command_type:
+ command_type = command_type_map.get(command_type)
+ module.cli.add_commands(cmds, output=command_type)
+ response = module.cli.run_commands()
+ else:
+ module.cli.add_commands(cmds)
+ response = module.cli.run_commands()
+ except ShellError:
+ clie = get_exception()
+ module.fail_json(msg='Error sending {0}'.format(cmds),
+ error=str(clie))
+ return response
+
+
+def execute_show_command(command, module, command_type='cli_show'):
+ if module.params['transport'] == 'cli':
+ if 'show run' not in command:
+ command += ' | json'
+ cmds = [command]
+ response = execute_show(cmds, module)
+ body = get_cli_body_ssh(command, response, module)
+ elif module.params['transport'] == 'nxapi':
+ cmds = [command]
+ body = execute_show(cmds, module, command_type=command_type)
+
+ return body
+
+
+def flatten_list(command_lists):
+ flat_command_list = []
+ for command in command_lists:
+ if isinstance(command, list):
+ flat_command_list.extend(command)
+ else:
+ flat_command_list.append(command)
+ return flat_command_list
+
+
+def get_ntp_auth(module):
+ command = 'show ntp authentication-status'
+
+ body = execute_show_command(command, module)[0]
+ ntp_auth_str = body['authentication']
+
+ if 'enabled' in ntp_auth_str:
+ ntp_auth = True
+ else:
+ ntp_auth = False
+
+ return ntp_auth
+
+
+def get_ntp_trusted_key(module):
+ trusted_key_list = []
+ command = 'show run | inc ntp.trusted-key'
+
+ trusted_key_str = execute_show_command(
+ command, module, command_type='cli_show_ascii')[0]
+ if trusted_key_str:
+ trusted_keys = trusted_key_str.splitlines()
+
+ else:
+ trusted_keys = []
+
+ for line in trusted_keys:
+ if line:
+ trusted_key_list.append(str(line.split()[2]))
+
+ return trusted_key_list
+
+
+def get_ntp_auth_key(key_id, module):
+ authentication_key = {}
+ command = 'show run | inc ntp.authentication-key.{0}'.format(key_id)
+ auth_regex = (".*ntp\sauthentication-key\s(?P\d+)\s"
+ "md5\s(?P\S+).*")
+
+ body = execute_show_command(command, module, command_type='cli_show_ascii')
+
+ try:
+ match_authentication = re.match(auth_regex, body[0], re.DOTALL)
+ group_authentication = match_authentication.groupdict()
+ key_id = group_authentication["key_id"]
+ md5string = group_authentication['md5string']
+ authentication_key['key_id'] = key_id
+ authentication_key['md5string'] = md5string
+ except (AttributeError, TypeError):
+ authentication_key = {}
+
+ return authentication_key
+
+
+def get_ntp_auth_info(key_id, module):
+ auth_info = get_ntp_auth_key(key_id, module)
+ trusted_key_list = get_ntp_trusted_key(module)
+ auth_power = get_ntp_auth(module)
+
+ if key_id in trusted_key_list:
+ auth_info['trusted_key'] = 'true'
+ else:
+ auth_info['trusted_key'] = 'false'
+
+ if auth_power:
+ auth_info['authentication'] = 'on'
+ else:
+ auth_info['authentication'] = 'off'
+
+ return auth_info
+
+
+def auth_type_to_num(auth_type):
+ return '7' if auth_type == 'encrypt' else '0'
+
+
+def set_ntp_auth_key(key_id, md5string, auth_type, trusted_key, authentication):
+ ntp_auth_cmds = []
+ auth_type_num = auth_type_to_num(auth_type)
+ ntp_auth_cmds.append(
+ 'ntp authentication-key {0} md5 {1} {2}'.format(
+ key_id, md5string, auth_type_num))
+
+ if trusted_key == 'true':
+ ntp_auth_cmds.append(
+ 'ntp trusted-key {0}'.format(key_id))
+ elif trusted_key == 'false':
+ ntp_auth_cmds.append(
+ 'no ntp trusted-key {0}'.format(key_id))
+
+ if authentication == 'on':
+ ntp_auth_cmds.append(
+ 'ntp authenticate')
+ elif authentication == 'off':
+ ntp_auth_cmds.append(
+ 'no ntp authenticate')
+
+ return ntp_auth_cmds
+
+
+def remove_ntp_auth_key(key_id, md5string, auth_type, trusted_key, authentication):
+ auth_remove_cmds = []
+ auth_type_num = auth_type_to_num(auth_type)
+ auth_remove_cmds.append(
+ 'no ntp authentication-key {0} md5 {1} {2}'.format(
+ key_id, md5string, auth_type_num))
+
+ if authentication == 'on':
+ auth_remove_cmds.append(
+ 'no ntp authenticate')
+ elif authentication == 'off':
+ auth_remove_cmds.append(
+ 'ntp authenticate')
+
+ return auth_remove_cmds
+
+
+def main():
+ argument_spec = dict(
+ key_id=dict(required=True, type='str'),
+ md5string=dict(required=True, type='str'),
+ auth_type=dict(choices=['text', 'encrypt'], default='text'),
+ trusted_key=dict(choices=['true', 'false'], default='false'),
+ authentication=dict(choices=['on', 'off']),
+ state=dict(choices=['absent', 'present'], default='present'),
+ )
+ module = get_network_module(argument_spec=argument_spec,
+ supports_check_mode=True)
+
+ key_id = module.params['key_id']
+ md5string = module.params['md5string']
+ auth_type = module.params['auth_type']
+ trusted_key = module.params['trusted_key']
+ authentication = module.params['authentication']
+ state = module.params['state']
+
+ args = dict(key_id=key_id, md5string=md5string,
+ auth_type=auth_type, trusted_key=trusted_key,
+ authentication=authentication)
+
+ changed = False
+ proposed = dict((k, v) for k, v in args.iteritems() if v is not None)
+
+ existing = get_ntp_auth_info(key_id, module)
+ end_state = existing
+
+ delta = dict(set(proposed.iteritems()).difference(existing.iteritems()))
+
+ commands = []
+ if state == 'present':
+ if delta:
+ command = set_ntp_auth_key(
+ key_id, md5string, auth_type, trusted_key, delta.get('authentication'))
+ if command:
+ commands.append(command)
+ elif state == 'absent':
+ if existing:
+ auth_toggle = None
+ if authentication == existing.get('authentication'):
+ auth_toggle = authentication
+ command = remove_ntp_auth_key(
+ key_id, md5string, auth_type, trusted_key, auth_toggle)
+ if command:
+ commands.append(command)
+
+ cmds = flatten_list(commands)
+ if cmds:
+ if module.check_mode:
+ module.exit_json(changed=True, commands=cmds)
+ else:
+ try:
+ execute_config_command(cmds, module)
+ except ShellError:
+ clie = get_exception()
+ module.fail_json(msg=str(clie) + ": " + cmds)
+ end_state = get_ntp_auth_info(key_id, module)
+ delta = dict(set(end_state.iteritems()).difference(existing.iteritems()))
+ if delta or (len(existing) != len(end_state)):
+ changed = True
+
+ results = {}
+ results['proposed'] = proposed
+ results['existing'] = existing
+ results['updates'] = cmds
+ results['changed'] = changed
+ results['end_state'] = end_state
+
+ module.exit_json(**results)
+
+if __name__ == '__main__':
+ main()
\ No newline at end of file