IBM-Security / isam-ansible-roles

Ansible Custom Modules, Handlers and Tasks for ISAM. Requires "ibmsecurity" python package.
Apache License 2.0

Static route management isn't idempotent #171

Closed Warkdev closed 4 years ago

Warkdev commented 4 years ago

Hello,

I'm trying to create a playbook to manage our static routes (and we have appliances with many of them). First of all, the roles that exist only allow adding or updating a route, which is a bit contradictory to the principle of idempotency; I would expect add and update to actually be merged into a single function.

Secondly, using only the add method seems to not do anything when Force = False. Let's take the following inventory host.yml variables:

```yaml
routes:
  - add_static_route_address: 'default'
    # Override the rest as needed
    add_static_route_enabled: True
    #add_static_route_maskOrPrefix: null
    add_static_route_gateway: '10.9.136.127'
    add_static_route_label: '1.1'
    #add_static_route_vlanId: null
    add_static_route_metric: 4
    add_static_route_comment: 'This is a test'
    add_static_route_table: 'main'
  - add_static_route_address: 'default'
    # Override the rest as needed
    add_static_route_enabled: True
    #add_static_route_maskOrPrefix: null
    add_static_route_gateway: '10.9.136.126'
    add_static_route_label: '1.1'
    #add_static_route_vlanId: null
    add_static_route_metric: 1
    #add_static_route_comment: ''
    add_static_route_table: 'main'
```

And the following playbook:

```yaml
---

- name: "Set Static routes configuration"
  gather_facts: no
  hosts: "all"
  connection: local

  roles:
    - role: start_config
  post_tasks:
    - name: Set static routes configuration
      isam:
        appliance: "{{ inventory_hostname }}"
        username:  "{{ username }}"
        password:  "{{ password }}"
        lmi_port:  "{{ lmi_port | default(omit) }}"
        log:       "{{ log_level | default(omit) }}"
        force:     "{{ force }}"
        action: "ibmsecurity.isam.base.network.static_routes.add"
        isamapi:
          address:       "{{ item.add_static_route_address }}"
          enabled:       "{{ item.add_static_route_enabled | default(True) }}"
          #interfaceUUID: "{{ item.add_static_route_interfaceUUID | default('') }}"
          maskOrPrefix:  "{{ item.add_static_route_maskOrPrefix | default(omit) }}"
          gateway:       "{{ item.add_static_route_gateway | default('') }}"
          label:         "{{ item.add_static_route_label | default('') }}"
          vlanId:        "{{ item.add_static_route_vlanId | default(omit) }}"
          metric:        "{{ item.add_static_route_metric | default(0) }}"
          comment:       "{{ item.add_static_route_comment | default('') }}"
          table:         "{{ item.add_static_route_table | default('main') }}"
      loop:  "{{ routes }}"
      loop_control:
        label: "Processing route {{ item.add_static_route_address }} and gateway {{ item.add_static_route_gateway }} in table {{ item.add_static_route_table }}"
      notify: Commit Changes
```

Ansible loops through the routes correctly, but nothing is pushed to the appliance. Reading the code https://github.com/IBM-Security/ibmsecurity/blob/e3dd3f930bcd9f151e30eff0a394c50f98d3eccb/ibmsecurity/isam/base/network/static_routes.py, I would expect that:

Switching the flag "Force" to True will actually create both of them.

Do you confirm this is a feature to be? :)

Regards, Cédric Servais

Warkdev commented 4 years ago

Answer to myself, use the method SET instead of ADD or UPDATE.