FR: Update workflows to skip steps, fail conditions, set next step manually

PaloAltoNetworks / panhandler

Panhandler is a tool to manage config snippets and Skillets for PAN-OS devices

Apache License 2.0

41 stars 19 forks source link

FR: Update workflows to skip steps, fail conditions, set next step manually #86

Closed nembery closed 4 years ago

nembery commented 5 years ago

Current implementation only allows a list of skillets to execute in order. This FR should at least do the following:

allow a skillet to be skipped
allow a skillet output to exit the workflow with a defined message to the user
allow setting the next_step based on some logic

nembery commented 5 years ago

Example: snippets:

name: get_system_info when: "{% 'true' if sw_version is not defined else 'false' %}"
name: load_iron_skillet_v80 when: "{% 'true' if sw_version == '8.0' else 'false' %}"
name: load_iron_skillet_v81 when: "{% 'true' if sw_version == '8.1' else 'false' %}"
name: load_iron_skillet_v90 when: "{% 'true' if sw_version == '9.0' else 'false' %}"

nembery commented 5 years ago

Example of when to fail with fail_message: snippets:

name: get_system_info when: "{% 'true' if sw_version is not defined else 'false' %}"
name: get_policy_objects when: "{% 'true' if model == 'vm-50' else 'false' %}" fail_when: "{% 'true' if length(policy_objects) > 3 else 'false' %}" fail_message: Too many policy objects exist for this
name: some_other_skillet

This example will run get_system_info only if it hasn't been run before. We know that because sw_version is a variable that will be captured when it's run. If it is not defined, then run this again so we know all the device facts.

Next run 'get_policy_objects' if the model == vm-50. Once run, count the output to see if we have more than 3 policy objects already and if so, fail with the fail_message

finally, run some_other_skillet. Note that if we do not have a vm-50, then the second skillet will be skipped and we can go directly to the last step

nembery commented 5 years ago

Also, Ansible has a very nice concept where they only take the conditional from the yaml and automatically wrap it in the 'if' 'else', 'endif' stuff. Example here: https://github.com/ansible/ansible/blob/421d67f1ee6e03d9768c5ab966ed3ee8fa3e36df/lib/ansible/playbook/conditional.py#L192

We should look at this and see if we can just wrap the conditional, or if we should also do the additional checks as well for various safety reasons...

nembery commented 5 years ago

example in that case would just be something like: snippets:

name: get_system_info when: sw_version is not defined instead of the long form of: "{% 'true' if sw_version is not defined else 'false' %}"