How to skip must validation on first time creation

YANG
1

We have a scenario in the below yang model where image can’t be modified when the running-state is deployed. We are trying to achieve this using “must” statement as in the yang model.

In our case, during first time tenant creation we should allow image set with running-state as deployed. The must statement is not allowing to create tenant with image and running-state deployed.

How can we skip must statement validation during the first time creation or what would be the
appropriate must statement in below?

module koti-tenant {
  
    yang-version "1";

    namespace "http://xyz.com/yang/koti-tenant";

    prefix koti;

    import tailf-common { prefix tailf; }

    //meta 
    organization "xyz";
    
    contact
        "XYZ TBD@xyz.com";

    description
        "Model for Configuring and Querying status of Tenants.";

    typedef tenant-config-state {
        type enumeration {
            enum configured {
                description 
                    "VM is configured, but no resources allocated.";
            }
            enum provisioned {
                description 
                    "VM resources have been allocated, and the VM is runnable.";
            }
            enum deployed {
                description
                    "VM is running.";
            }
        }
        description
            "VM deployment state.";
    }  


    container koti {
        list tenant {
            key "name";

            leaf name {
                type leafref {
                    path "../config/name";
                }
            }

            container config {
                leaf name {
                    description "User-specified name for tenant.";
                    type string; 
                }

                leaf running-state {
                    type tenant-config-state;
                    description "tenant provisioning and execution.";                    
                }

                leaf image {
                    type string; 
                    mandatory true;
                    description "Image and version for tenant.";

                    must "((current() = '') or ((current() != '') and (../running-state != 'deployed')))" {
                        error-message "Image can't be modified in deployed state";
                        tailf:dependency ".";
                        tailf:override-auto-dependencies;
                    }
                }
            }
        }
    }
}

Scenario-1: tenant creation should allow image setting and running-state deployed. (Not working)

simulator-1(config)# koti tenant test1 config name test1 image test1image running-state deployed 
simulator-1(config-tenant-test1)# commit
Aborted: 'koti tenant test1 config image' (value "test1image"): Image can't be modified in deployed state
simulator-1(config-tenant-test1)#

Scenario-2: tenant image modification should not be allowed when running-state is deployed. (this is working with the below must)

simulator-1(config)# koti tenant test config name test image testImage running-state configured 
simulator-1(config-tenant-test)# commit
Commit complete.
simulator-1(config-tenant-test)#  top                  
simulator-1(config)# koti tenant test config running-state deployed 
simulator-1(config-tenant-test)# commit
Commit complete.
simulator-1(config-tenant-test)# top
simulator-1(config)# koti tenant test config image test1image
simulator-1(config-tenant-test)# commit
Aborted: 'koti tenant test config image' (value "test1image"): Image can't be modified in deployed state
simulator-1(config-tenant-test)#
2

A validation point + some code is required here instead of a must statement.

3

Thanks for your quick response. I will get back if I have any further questions.

4

A NACM rule that prohibits “update” operation can be used in similar scenarios, maybe it would work for you too.