CheckPointSW / CheckPointAnsibleMgmtCollection

This Ansible collection provides control over a Check Point Management server using Check Point's web-services APIs.
https://galaxy.ansible.com/check_point/mgmt
Apache License 2.0

cp_mgmt_add_outbound_inspection_certificate - Unrecognized parameter [is-default] #151

Closed doritoes closed 1 month ago

doritoes commented 1 month ago

Trying to test the example from https://galaxy.ansible.com/ui/repo/published/check_point/mgmt/content/module/cp_mgmt_add_outbound_inspection_certificate

- name: add-outbound-inspection-certificate
  cp_mgmt_add_outbound_inspection_certificate:
    base64_password: bXlfcGFzc3dvcmQ=
    is_default: 'false'
    issued_by: www.checkpoint.com
    name: OutboundCertificate
    valid_from: '2021-04-17'
    valid_to: '2028-04-17'

Fails with Unrecognized parameter [is-default]

SMS R81.20 JHF 84

Using check_point.mgmt 6.2.1 (current) in practicing my automation skills I learned in Tim's CCAS class. Ansible 2.17.5 on WSL running Ubuntu 22.04. Full environment build at https://github.com/doritoes/NUC-Labs/blob/xcp-ng-improvement/XCP-ng/Appendix-Ansible.md

sudo apt-add-repository ppa:ansible/ansible
sudo apt update && sudo apt install -y ansible
ansible --version
ansible-galaxy collection install community.general vyos.vyos check_point.mgmt check_point.gaia
ansible-galaxy collection install check_point.mgmt --force
(this final step upgrades to latest version)

Output of $ ansible-galaxy collection list check_point.mgmt shows 2 collections.

Here is the playbook to select the correct collection and test

---
- name: Enable https inspection
  hosts: check_point
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: add-outbound-inspection-certificate
      cp_mgmt_add_outbound_inspection_certificate:
        base64_password: bXlfcGFzc3dvcmQ=
        is_default: 'false'
        issued_by: www.checkpoint.com
        name: OutboundCertificate
        valid_from: '2021-04-17'
        valid_to: '2028-04-17'
    - name: discard changes
      check_point.mgmt.cp_mgmt_discard:

also tried with same results:

---
- name: Enable https inspection
  hosts: check_point
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: add-outbound-inspection-certificate
      check_point.mgmt.cp_mgmt_add_outbound_inspection_certificate:
        base64_password: bXlfcGFzc3dvcmQ=
        is_default: 'false'
        issued_by: www.checkpoint.com
        name: OutboundCertificate
        valid_from: '2021-04-17'
        valid_to: '2028-04-17'
    - name: discard changes
      check_point.mgmt.cp_mgmt_discard:

Execute: ansible-playbook -i inventory-api dummy.yml

Able to create access objects, policies and rulesets. Only trouble with the https cert creation.

Commenting out "is_default" gives new error Unrecognized parameter [name].

---
- name: Enable https inspection
  hosts: check_point
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: add-outbound-inspection-certificate
      cp_mgmt_add_outbound_inspection_certificate:
        base64_password: bXlfcGFzc3dvcmQ=
        #is_default: 'false'
        issued_by: www.checkpoint.com
        name: OutboundCertificate
        valid_from: '2021-04-17'
        valid_to: '2028-04-17'
    - name: discard changes
      check_point.mgmt.cp_mgmt_discard:

Please note in ansible it's "is_default" and the error is "is-default", pointing to an issue with the collection.

Incidentally, it looks like the example should use the boolean false, not the string 'false'.

EDIT: added information I missed in original post

SECOND EDIT: the workaround below

Referring to https://sc1.checkpoint.com/documents/latest/APIs/#web/add-outbound-inspection-certificate~v1.9.1%20, remove three parameters in the library that are not supported by the API: name, is_default, comments

Omitting these allows the action to complete:

---
- name: Enable https inspection
  hosts: check_point
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: add-outbound-inspection-certificate
      cp_mgmt_add_outbound_inspection_certificate:
        base64_password: bXlfcGFzc3dvcmQ=
        issued_by: www.checkpoint.com
        valid_from: '2021-04-17'
        valid_to: '2028-04-17'
    - name: discard changes
      check_point.mgmt.cp_mgmt_discard:

The example should be updated to register the output "base64-certificate" (or at least the uid) that is returned. Adding a test for add-outbound-inspection-certificate is also recommended.

chkp-edenbr commented 1 month ago

Hi @doritoes

This resource module was released in version 6.0.0 of the collection https://github.com/chkp-edenbr/CheckPointAnsibleMgmtCollection/blob/master/CHANGELOG.rst#v6-0-0 and contains fields added in the new release R82, such as is-default. I understand you are using an R81.20 machine, which explains the error.

Regards
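
One way to run the same playbook against both R81.20 and R82 management servers, following the explanation above that fields such as is-default exist only from R82 on (an added example, not the collection's own documentation or code). The R82-only arguments are passed through Ansible's `omit` placeholder so they are dropped from the request on older servers; the variable `mgmt_supports_r82_fields` is hypothetical and has to be set per host or group in your inventory.

```yaml
---
- name: Add outbound inspection certificate on R81.20 or R82
  hosts: check_point
  connection: httpapi
  vars:
    # Hypothetical switch (assumption): true for R82 servers, false for R81.20.
    # It is not detected automatically; set it in host_vars or group_vars.
    mgmt_supports_r82_fields: false
  tasks:
    - name: add-outbound-inspection-certificate
      check_point.mgmt.cp_mgmt_add_outbound_inspection_certificate:
        # These four arguments are the ones the thread's working R81.20 playbook used.
        base64_password: bXlfcGFzc3dvcmQ=
        issued_by: www.checkpoint.com
        valid_from: '2021-04-17'
        valid_to: '2028-04-17'
        # Arguments rejected by the R81.20 server in this thread.
        # "omit" removes the argument entirely, which has the same effect
        # as deleting the line from the task.
        name: "{{ 'OutboundCertificate' if mgmt_supports_r82_fields else omit }}"
        is_default: "{{ false if mgmt_supports_r82_fields else omit }}"
      register: cert_result

    - name: Show what the module returned
      ansible.builtin.debug:
        var: cert_result

    - name: discard changes
      check_point.mgmt.cp_mgmt_discard:
```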