fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Problems at adding fortios_firewall_service_group #228

Closed Snickers1337 closed 1 year ago

Snickers1337 commented 1 year ago

Hello,

I tried to add firewall service groups, but cannot use this feature because I always get errors. I tried many different ways, so I don't know if it is a problem with the module or a syntax error. I checked different things many times, and if I look at the Ansible docs example of this module I cannot find any problem with my syntax. https://docs.ansible.com/ansible/latest/collections/fortinet/fortios/fortios_firewall_service_group_module.html

I also checked the result of some custom service group objects by using the get-facts module. The result tells me that the correct member format is something like this:

"results": [
            {
                "color": 0,
                "comment": "",
                "fabric-object": "disable",
                "member": [
                    {
                        "name": "DNS",
                        "q_origin_key": "DNS"
                    },
                    {
                        "name": "IMAP",
                        "q_origin_key": "IMAP"
                    },
                    {
                        "name": "IMAPS",
                        "q_origin_key": "IMAPS"
                    },
                    {
                        "name": "POP3",
                        "q_origin_key": "POP3"
                    },
                    {
                        "name": "POP3S",
                        "q_origin_key": "POP3S"
                    },
                    {
                        "name": "SMTP",
                        "q_origin_key": "SMTP"
                    },
                    {
                        "name": "SMTPS",
                        "q_origin_key": "SMTPS"
                    }
                ],
                "name": "Email Access",
                "proxy": "disable",
                "q_origin_key": "Email Access"
            }
        ],

The web application API tool also tells me that the format of the member attribute has to look like this:

{
  "method": "POST",
  "url": "/api/v2/cmdb/firewall.service/group",
  "params": {
    "datasource": 1,
    "vdom": "root"
  },
  "data": {
    "color": "0",
    "member": [
      { "name": "AFS3" },
      { "name": "ALL_ICMP" }
    ],
    "name": "Test"
  }
}

I outsourced some parameters into another file; this worked for me with other modules like creating a custom service object. Outsourced parameters:

- hosts: fortigates
  collections:
    - fortinet.fortios
  connection: httpapi
  vars:
    vdom: "root"
    ansible_httpapi_use_ssl: yes
    ansible_httpapi_validate_certs: no
    ansible_httpapi_port: 443

My syntax:

- name: Set-Service-Group
  fortios_firewall_service_group:
    vdom: "root"
    state: "present"
    firewall_service_group:
      name: "test"
      member:
        - name: "DNS"
        - name: "DHCP"

Alternative syntax:

- name: Set-Service-Group
  fortios_firewall_service_group:
    vdom: "root"
    state: "present"
    firewall_service_group:
      name: "test"
      member: [{"name": "DNS"}, {"name": "HTTPS"}]

I also tested different ways for the "member" parameter, but after my research I think one of these, or both, has to be correct.

The error I get looks like this:

The full traceback is:
Traceback (most recent call last):
  File "/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py", line 107, in <module>
    _ansiballz_main()
  File "/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_service_group', init_globals=dict(_module_fqn='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_service_group', _modlib_path=modlib_path),
  File "/usr/lib/python3.10/runpy.py", line 224, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.10/runpy.py", line 96, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib/python3.10/runpy.py", line 86, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_service_group.py", line 778, in <module>
  File "/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_service_group.py", line 740, in main
  File "/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py", line 216, in check_schema_versioning
  File "/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
ansible.module_utils.connection.ConnectionError: Expecting value: line 1 column 1 (char 0)
fatal: [Laborgeraet]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py\", line 107, in <module>\n    _ansiballz_main()\n  File \"/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py\", line 99, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/ms/.ansible/tmp/ansible-local-15400jpeyv4zz/ansible-tmp-1676385235.4891324-15556-46958556283091/AnsiballZ_fortios_firewall_service_group.py\", line 47, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_service_group', init_globals=dict(_module_fqn='ansible_collections.fortinet.fortios.plugins.modules.fortios_firewall_service_group', _modlib_path=modlib_path),\n  File \"/usr/lib/python3.10/runpy.py\", line 224, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.10/runpy.py\", line 96, in _run_module_code\n    _run_code(code, mod_globals, init_globals,\n  File \"/usr/lib/python3.10/runpy.py\", line 86, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_service_group.py\", line 778, in <module>\n  File \"/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/modules/fortios_firewall_service_group.py\", line 740, in main\n  File \"/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible_collections/fortinet/fortios/plugins/module_utils/fortios/fortios.py\", line 216, in check_schema_versioning\n  File \"/tmp/ansible_fortios_firewall_service_group_payload_e4at6kc6/ansible_fortios_firewall_service_group_payload.zip/ansible/module_utils/connection.py\", line 200, in __rpc__\nansible.module_utils.connection.ConnectionError: Expecting value: line 1 column 1 (char 0)\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

Can anyone please post a working example of this module? Or tell me my mistake? Is there possibly a problem in the module?

My environment:

pip list
Package Version

ansible 7.2.0
ansible-core 2.14.2
anyio 3.6.2
certifi 2022.12.7
cffi 1.15.1
charset-normalizer 3.0.1
click 8.1.3
cryptography 39.0.0
fastapi 0.88.0
flake8 6.0.0
greenlet 2.0.2
h11 0.14.0
idna 3.4
Jinja2 3.1.2
MarkupSafe 2.1.2
mccabe 0.7.0
netaddr 0.8.0
packaging 23.0
passlib 1.7.4
pip 23.0
pycodestyle 2.10.0
pycparser 2.21
pydantic 1.10.4
pyflakes 3.0.1
pyvmomi 7.0.3
PyYAML 6.0
requests 2.28.2
resolvelib 0.8.1
setuptools 67.1.0
six 1.16.0
sniffio 1.3.0
SQLAlchemy 1.4.46
starlette 0.22.0
typing_extensions 4.4.0
urllib3 1.26.14
uvicorn 0.20.0

ansible --version
ansible [core 2.14.2]
config file = None
configured module search path = ['/home/ms/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /home/ms/avamation/.venv/lib/python3.10/site-packages/ansible
ansible collection location = /home/ms/.ansible/collections:/usr/share/ansible/collections
executable location = /home/ms/avamation/.venv/bin/ansible
python version = 3.10.6 (main, Nov 14 2022, 16:10:14) [GCC 11.3.0] (/home/ms/avamation/.venv/bin/python)
jinja version = 3.1.2
libyaml = True

ansible-galaxy collection list

/home/ms/avamation/.venv/lib/python3.10/site-packages/ansible_collections
Collection Version

amazon.aws 5.2.0
ansible.netcommon 4.1.0
ansible.posix 1.5.1
ansible.utils 2.9.0
ansible.windows 1.13.0
arista.eos 6.0.0
awx.awx 21.11.0
azure.azcollection 1.14.0
check_point.mgmt 4.0.0
chocolatey.chocolatey 1.4.0
cisco.aci 2.3.0
cisco.asa 4.0.0
cisco.dnac 6.6.3
cisco.intersight 1.0.23
cisco.ios 4.3.1
cisco.iosxr 4.1.0
cisco.ise 2.5.12
cisco.meraki 2.15.0
cisco.mso 2.2.1
cisco.nso 1.0.3
cisco.nxos 4.0.1
cisco.ucs 1.8.0
cloud.common 2.1.2
cloudscale_ch.cloud 2.2.4
community.aws 5.2.0
community.azure 2.0.0
community.ciscosmb 1.0.5
community.crypto 2.10.0
community.digitalocean 1.23.0
community.dns 2.5.0
community.docker 3.4.0
community.fortios 1.0.0
community.general 6.3.0
community.google 1.0.0
community.grafana 1.5.3
community.hashi_vault 4.1.0
community.hrobot 1.7.0
community.libvirt 1.2.0
community.mongodb 1.4.2
community.mysql 3.5.1
community.network 5.0.0
community.okd 2.2.0
community.postgresql 2.3.2
community.proxysql 1.5.1
community.rabbitmq 1.2.3
community.routeros 2.7.0
community.sap 1.0.0
community.sap_libs 1.4.0
community.skydive 1.0.0
community.sops 1.6.0
community.vmware 3.3.0
community.windows 1.12.0
community.zabbix 1.9.1
containers.podman 1.10.1
cyberark.conjur 1.2.0
cyberark.pas 1.0.17
dellemc.enterprise_sonic 2.0.0
dellemc.openmanage 6.3.0
dellemc.os10 1.1.1
dellemc.os6 1.0.7
dellemc.os9 1.0.4
dellemc.powerflex 1.5.0
dellemc.unity 1.5.0
f5networks.f5_modules 1.22.0
fortinet.fortimanager 2.1.7
fortinet.fortios 2.2.2
frr.frr 2.0.0
gluster.gluster 1.0.2
google.cloud 1.1.2
grafana.grafana 1.1.0
hetzner.hcloud 1.9.1
hpe.nimble 1.1.4
ibm.qradar 2.1.0
ibm.spectrum_virtualize 1.11.0
infinidat.infinibox 1.3.12
infoblox.nios_modules 1.4.1
inspur.ispim 1.2.0
inspur.sm 2.3.0
junipernetworks.junos 4.1.0
kubernetes.core 2.3.2
lowlydba.sqlserver 1.3.1
mellanox.onyx 1.0.0
netapp.aws 21.7.0
netapp.azure 21.10.0
netapp.cloudmanager 21.22.0
netapp.elementsw 21.7.0
netapp.ontap 22.2.0
netapp.storagegrid 21.11.1
netapp.um_info 21.8.0
netapp_eseries.santricity 1.4.0
netbox.netbox 3.10.0
ngine_io.cloudstack 2.3.0
ngine_io.exoscale 1.0.0
ngine_io.vultr 1.1.3
openstack.cloud 1.10.0
openvswitch.openvswitch 2.1.0
ovirt.ovirt 2.4.1
purestorage.flasharray 1.16.2
purestorage.flashblade 1.10.0
purestorage.fusion 1.3.0
sensu.sensu_go 1.13.2
splunk.es 2.1.0
t_systems_mms.icinga_director 1.32.0
theforeman.foreman 3.8.0
vmware.vmware_rest 2.2.0
vultr.cloud 1.7.0
vyos.vyos 4.0.0
wti.remote 1.0.4

MaxxLiu22 commented 1 year ago

Hi @Snickers1337 ,

Thank you for your question; here is an example for your reference. But the error says you failed to connect to the FGT, which may be caused by not providing a valid IP address or not having permission to access the FGT. For the latter reason, please check that you use a valid "access_token" and give full permission to that API user. Please let me know if you still have questions.

- hosts: fortigates
  collections:
  - fortinet.fortios
  connection: httpapi
  vars:
    vdom: root
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  tasks:
  - name: Configure service groups.
    fortios_firewall_service_group:
      vdom: root
      state: present
      access_token: 3jGnNqbsdfww47btqw1H5rr7d78dcN
      firewall_service_group:
        color: '3'
        comment: Comment.
        member:
        - name: IMAP
        - name: DNS
        - name: HTTP
        name: ansible_Test

Thanks, Maxx
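
Added example (not code from the collection or from Maxx's reply): a small Python helper that derives a task like the one above from the get-facts output quoted earlier in the issue, keeping only `name` per member, references the access token as a vaulted variable instead of a literal, and shows that the traceback's "Expecting value: line 1 column 1 (char 0)" is what json.loads() raises on an empty, non-JSON response body. The variable name fortios_access_token and the sample facts entry are constructed assumptions.

```python
import json

# Constructed sample shaped like one "results" entry of the get-facts
# output quoted in the issue, trimmed to two members.
FACTS_RESULT = {
    "color": 0, "comment": "", "fabric-object": "disable",
    "member": [{"name": "DNS", "q_origin_key": "DNS"},
               {"name": "IMAP", "q_origin_key": "IMAP"}],
    "name": "Email Access", "proxy": "disable", "q_origin_key": "Email Access",
}

def facts_to_task(result, vdom="root", token_var="fortios_access_token"):
    """Build a fortios_firewall_service_group task dict from a facts entry.
    Only 'name' is kept per member (q_origin_key is read-only output); the
    token is a Jinja reference to a variable assumed to live in ansible-vault."""
    members = [{"name": m["name"]} for m in result["member"]]
    return {
        "name": "Configure service group %s" % result["name"],
        "fortios_firewall_service_group": {
            "vdom": vdom,
            "state": "present",
            "access_token": "{{ %s }}" % token_var,
            "firewall_service_group": {
                "name": result["name"],
                "comment": result.get("comment", ""),
                "member": members,
            },
        },
    }

def lint_task(task):
    """Return problems: a literal access token or a malformed member entry."""
    problems = []
    mod = task["fortios_firewall_service_group"]
    token = str(mod.get("access_token", ""))
    if token and not token.lstrip().startswith("{{"):
        problems.append("access_token is a literal; move it to a vaulted variable")
    for m in mod["firewall_service_group"].get("member", []):
        if not isinstance(m, dict) or set(m) != {"name"}:
            problems.append("member entry %r must be a dict with only 'name'" % (m,))
    return problems

def body_hint(body):
    """Map a raw response body to the traceback's error: json.loads() on a
    non-JSON (here empty) body means the FortiGate returned no API data."""
    try:
        json.loads(body)
        return "response is JSON"
    except json.JSONDecodeError as exc:
        return "%s: non-JSON body; check FGT address, access_token, API user permissions" % exc
```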

Snickers1337 commented 1 year ago

Hello Maxx,

Thanks again for your fast and excellent help. You solved my problem.

There was a problem with my access token.

Thanks Snickers