JonTheNiceGuy / fortigate_policy

An Ansible Role to deliver FortiGate Firewall policy changes. THIS ROLE CAN BE DESTRUCTIVE - PLEASE ENSURE YOU HAVE A BACKUP OF YOUR CONFIG BEFORE USING THIS ROLE!
MIT License

Enhancement: Create "forced" groups and objects regex, rather than searching for the value "force: yes" #12

Open JonTheNiceGuy opened 5 years ago

JonTheNiceGuy commented 5 years ago

To create a forced address object, you can use the following snippet:

---
example_address_objects:
  example_com:
    fqdn: "example.com"
    force: true

This method does not work with address groups, as these are "just" a list.

example_address_groups:
  example_sites:
  - example_com

This enhancement suggests creating a new regex check with a suffix _[Ff][Oo][Rr][Cc][Ee][d]* that would trigger the "forced" flag, as follows:

example_address_objects_forced:
  example_com:
    fqdn: "example.com"

example_address_groups_force:
  example_sites:
  - example_com

This requires modification of vars/main.yml and adding a new check to the address_objects_USED_INTERNAL and address_groups_USED_INTERNAL loops to include the forced objects and groups.