fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Issue with Access Token in Role #125

Closed danieldeno closed 3 years ago

danieldeno commented 3 years ago

Hi there,

My issue is that when I'm including a role in a playbook I can't get the access_token to work properly.

Setup

I have the following playbook.

- name: Configure system
  hosts: fortigate
  gather_facts: no
  collections:
   - fortinet.fortios
  connection: httpapi
  roles:
    - fortigate/system

The role defined in this playbook consists of a main.yml which includes a task file system.yml.

main.yml

---
- include_tasks: system.yml

system.yml

---
################################
### Tasks file for system ######
################################
- name: Configure global attributes.
  fortios_system_global:
    vdom: "{{ system.vdom }}"
    access_token: "{{ system.api_user.api_admin.api_key2 }}"
    system_global:
      admintimeout: "{{ system.admintimeout }}"
      cli_audit_log: "{{ system.cli_audit_log }}"
      hostname: "{{ system.hostname }}"

I have a couple of group_vars and host_vars defined in their respective locations.

group_vars:

---
# ansible_user: admin
# ansible_password: !vault |
       $ANSIBLE_VAULT;1.1;AES256
       38636138646135663236333136303833376537373062663931363632663437393838313139383738
       3061323064623362373133346233363631353036323832370a656433393634313736623537366635
       66376537356564613635373065613865663735633863386539633038343464396433363830613035
       3063313837353563640a613535383966356335666566366130636134656139636532386663333462
       6565
ansible_network_os: fortinet.fortios.fortios
ansible_httpapi_use_ssl: yes
ansible_httpapi_validate_certs: no
ansible_httpapi_port: 443

host_vars:

---
### System
system:
  api_user:
    api_admin:
      api_key: "3spHyddG1gggmpxG53Hj7qkbpQsmbN"
      api_key2: "zG3cHx88kHz46dy8s7jhy53p7h4pmc"
  admintimeout: "60"
  cli_audit_log: "enable"
  hostname: "fw1a-vpn-cab1a"
  vdom: "root"

Error

Whenever I run this playbook I get the following error message:

<fw1a-vpn-cab1a.3dc.triple.lan> attempting to start connection
<fw1a-vpn-cab1a.3dc.triple.lan> using connection plugin httpapi
<fw1a-vpn-cab1a.3dc.triple.lan> local domain socket does not exist, starting it
<fw1a-vpn-cab1a.3dc.triple.lan> control socket path is /root/.ansible/pc/6748f7ff90
<fw1a-vpn-cab1a.3dc.triple.lan> local domain socket listeners started successfully
<fw1a-vpn-cab1a.3dc.triple.lan> loaded API plugin ansible_collections.fortinet.fortios.plugins.httpapi.fortios from path /root/.ansible/collections/ansible_collections/fortinet/fortios/plugins/httpapi/fortios.py for network_os fortinet.fortios.fortios
<fw1a-vpn-cab1a.3dc.triple.lan>
<fw1a-vpn-cab1a.3dc.triple.lan> local domain socket path is /root/.ansible/pc/6748f7ff90
<fw1a-vpn-cab1a.3dc.triple.lan> ESTABLISH LOCAL CONNECTION FOR USER: root
<fw1a-vpn-cab1a.3dc.triple.lan> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879 `" && echo ansible-tmp-1626265034.3034377-215715713071879="` echo /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879 `" ) && sleep 0'
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/connection.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/network/fortios/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/network/fortimanager/common.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/basic.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/network/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/network/fortimanager/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/network/fortios/fortios.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/_text.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/json.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/six/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/collections.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/_collections_compat.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/text/formatters.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/validation.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/_json_compat.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/parsing/convert_bool.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/_utils.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/text/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/parameters.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/pycompat24.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/process.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/text/converters.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/sys_info.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/parsing/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/common/file.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/distro/__init__.py
Using module_utils file /usr/lib/python3/dist-packages/ansible/module_utils/distro/_distro.py
Using module file /usr/lib/python3/dist-packages/ansible/modules/network/fortios/fortios_system_global.py
<fw1a-vpn-cab1a.3dc.triple.lan> PUT /root/.ansible/tmp/ansible-local-117373sooquiio/tmp7_rr9dat TO /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879/AnsiballZ_fortios_system_global.py
<fw1a-vpn-cab1a.3dc.triple.lan> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879/ /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879/AnsiballZ_fortios_system_global.py && sleep 0'
<fw1a-vpn-cab1a.3dc.triple.lan> EXEC /bin/sh -c '/usr/bin/python3 /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879/AnsiballZ_fortios_system_global.py && sleep 0'
<fw1a-vpn-cab1a.3dc.triple.lan> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-local-117373sooquiio/ansible-tmp-1626265034.3034377-215715713071879/ > /dev/null 2>&1 && sleep 0'
fatal: [fw1a-vpn-cab1a.3dc.triple.lan]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "access_token": "zG3cHx88kHz46dy8s7jhy53p7h4pmc",
            "system_global": {
                "admintimeout": "60",
                "cli_audit_log": "enable",
                "hostname": "fw1a-vpn-cab1a"
            },
            "vdom": "root"
        }
    },
    "msg": "Unsupported parameters for (fortios_system_global) module: access_token Supported parameters include: host, https, password, ssl_verify, system_global, username, vdom"
}

As you can see, every variable is being passed to the respective field correctly.

But when I uncomment the ansible_user & ansible_password variables defined in the group_vars and delete the access_token from the task, therefore using a username/password combination to log onto the FortiGate, the role just works.

When I remove the role from the playbook and instead use include_tasks to point to the role's main.yml task file, the play just works.

playbook with include_tasks instead of role:

#######################################################
- name: Configure system
  hosts: fortigate
  gather_facts: no
  collections:
   - fortinet.fortios
  connection: httpapi
  tasks:
  - name: Configure global attributes.
    include_tasks: ../../../roles/fortigate/system/tasks/main.yml

Output from using include_tasks to point to the role's main.yml:

[triple_admin@ansible-test-ddo fortigate ]$ sudo ansible-playbook play_configure_system.yml

PLAY [Configure system] *************************************************************************************************************************************************************

TASK [Configure global attributes.] *************************************************************************************************************************************************
included: /home/triple_admin/ansible/roles/fortigate/system/tasks/main.yml for fw1a-vpn-cab1a.3dc.triple.lan

TASK [include_tasks] ****************************************************************************************************************************************************************
included: /home/triple_admin/ansible/customers/triple/fortigate/../../../roles/fortigate/system/tasks/system.yml for fw1a-vpn-cab1a.3dc.triple.lan

TASK [Configure global attributes.] *************************************************************************************************************************************************
ok: [fw1a-vpn-cab1a.3dc.triple.lan]

PLAY RECAP **************************************************************************************************************************************************************************
fw1a-vpn-cab1a.3dc.triple.lan : ok=3    changed=0    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0

chillancezen commented 3 years ago

hi @danieldeno ,

In a role, the task module must be the full name: fortinet.fortios.fortios_system_global, otherwise it will seek the legacy module path.

danieldeno commented 3 years ago

hi @chillancezen

Thanks for the quick update, I can confirm this solved the issue regarding access_token use within an Ansible role.

The one thing I don't understand is why this needs to be done ... because if I'm including the task file, the task works like a charm without the need to specify the full module path.

JieX19 commented 3 years ago

Hi @danieldeno,

For the question you mentioned, "The one thing I don't understand is why this needs to be done."

It's a mandatory requirement by Ansible though. From my point of view, because 'Role' is a complex domain and can be shared among different users, you have to specify the exact module to run the playbook when using 'Role'. This is how Ansible designed the 'Role'.
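
The fix chillancezen describes, written out as an added example (these are not the reporter's files and not the collection's own documentation). The play-level `collections:` keyword applies only to the play's own tasks and is not inherited by roles, which is why the include_tasks variant resolved the collection module while the role fell back to the legacy fortios_system_global bundled with the ansible package itself (the `/usr/lib/python3/dist-packages/ansible/modules/network/fortios/...` path in the verbose output), a module that has no access_token parameter. Either use the fully qualified collection name (FQCN) in the task or declare the collection in the role's own meta/main.yml. Two further points a practitioner would want: the failure output above echoes the API token in clear text in `module_args`, so the task below sets `no_log`, and the variable `vault_fortios_api_token` is an assumed Vault-encrypted variable standing in for the plaintext keys in host_vars.

```yaml
# --- roles/fortigate/system/tasks/system.yml (corrected task; added example) ---
- name: Configure global attributes.
  # FQCN: resolves to the collection module, which supports access_token.
  # The short name fortios_system_global inside a role resolves to the legacy
  # built-in module, which only knows host/https/password/ssl_verify/username/vdom.
  fortinet.fortios.fortios_system_global:
    vdom: "{{ system.vdom }}"
    # Assumed variable name; keep the token in an Ansible Vault encrypted file,
    # not in plaintext host_vars as in the report above.
    access_token: "{{ vault_fortios_api_token }}"
    system_global:
      admintimeout: "{{ system.admintimeout }}"
      cli_audit_log: "{{ system.cli_audit_log }}"
      hostname: "{{ system.hostname }}"
  # Prevents the token from being printed in module_args on failure or with -vvv.
  no_log: true

# --- roles/fortigate/system/meta/main.yml (alternative to the FQCN) ---
# Roles do not inherit the play's `collections:` list; declaring it here makes
# the short module names inside this role search fortinet.fortios first.
collections:
  - fortinet.fortios
```

Note that `no_log: true` also hides the module's own error message when the task fails, so drop it temporarily while debugging a connection or parameter problem. With the FQCN in place, the `collections:` entry in the play is no longer needed for this task but is harmless to keep.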