fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

unable to use proxy from yaml file to communicate with a fortigate firewall #240

Closed SoundGoof closed 2 months ago

SoundGoof commented 1 year ago

Hi

We are unable to use a proxy when trying to change a password on a FortiGate firewall. The problem we are facing is that we have different proxy servers depending on which FortiGate firewall we want to access.

The only way we got it working was to export an HTTPS_PROXY variable on the Ansible server. Looking at tcpdump, the traffic tries to go directly to the firewall unless the export is done beforehand.

export HTTPS_PROXY=https://proxy.example.com:3128
ansible-playbook fortigate.yaml -i inventory.yaml

fortigate.yaml file

- name: change password on local user in fortigate
  hosts: fortigate.example.com
  gather_facts: false
  connection: httpapi
  collections:
    - fortinet.fortios
  vars:
    ansible_network_os: fortinet.fortios.fortios
    ansible_httpapi_use_proxy: true
    ansible_httpapi_use_ssl: true
    ansible_httpapi_validate_certs: false
    ansible_httpapi_port: 443
  environment:
    https_proxy: "http://proxy.example.com:3128"
    http_proxy: "http://proxy.example.com:3128"
    HTTPS_PROXY: "http://proxy.example.com:3128"
    HTTP_PROXY: "http://proxy.example.com:3128"

  tasks:
  - name: Configure local users.
    fortios_user_local:
      vdom:  "root"
      state: "present"
      user_local:
        name: "testuser"
        passwd: 'testpassword'
        status: "enable"

inventory.yaml

all:
  hosts:
    fortigate.example.com:
      ansible_user: adminuser
      ansible_password: adminpassword

$ ansible --version
ansible [core 2.13.3]
  python version = 3.9.14 (main, Jan  9 2023, 00:00:00) [GCC 11.3.1 20220421 (Red Hat 11.3.1-2)]
  jinja version = 3.1.2

$ ansible-galaxy collection list
Collection            Version
--------------------- -------
ansible.netcommon     5.0.0
ansible.utils         2.9.0
f5networks.f5_modules 1.22.1
fortinet.fortios      2.2.2

yodzeb commented 1 year ago

Same issue on my side. The workaround works but does not solve the problem, as I also need different proxy settings depending on the FortiGate to contact.

ansible [core 2.11.12]

Collection        Version
----------------- -------
ansible.netcommon 5.1.0
fortinet.fortios  2.2.3

yodzeb commented 1 year ago

It looks to be a "by-design" issue: https://docs.ansible.com/ansible/latest/playbook_guide/playbooks_environment.html#setting-the-remote-environment

The environment: keyword does not affect Ansible itself, Ansible configuration settings, the environment for other users, or the execution of other plugins like lookups and filters.

And httpapi falls into that category like other plugins; it's part of Ansible.

Verified with this example playbook:

---
- name: xxx
  hosts:
    - xxx
  gather_facts: True
  collections:
    - fortinet.fortios
  vars:
    ansible_httpapi_port: 443
    ansible_httpapi_use_ssl: True
    ansible_httpapi_validate_certs: False
    ansible_httpapi_use_proxy: True
    ansible_network_os: fortinet.fortios.fortios
    ansible_network_import_modules: False
  connection: httpapi
  environment:
    XXX: "YYY"

  tasks:
    - name: debug
      debug:
        msg: "{{ lookup('pipe', 'env') }}"
      environment:
        XXX: "YYY"

Output does not show any XXX variable.
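
One way to extend the export workaround from this thread to several proxies is to run the playbook once per proxy with the variable set only for that ansible-playbook process. This is an added example, not part of the original comments or of the fortinet.fortios collection; the host names, proxy URLs, `PROXY_MAP`, `DRY_RUN` and the function names are assumptions made for illustration.

```shell
#!/bin/sh
# Constructed sample mapping, one "<inventory host> <proxy URL>" per line.
# The host and proxy names are placeholders, not values from the issue.
PROXY_MAP='fortigate-a.example.com http://proxy-a.example.com:3128
fortigate-b.example.com http://proxy-b.example.com:3128
fortigate-c.example.com http://proxy-a.example.com:3128'

# Print "<proxy URL> <host1,host2,...>" once per distinct proxy,
# keeping the order in which proxies first appear.
group_by_proxy() {
    printf '%s\n' "$1" | awk '
        NF != 2 { next }
        ($2 in hosts) { hosts[$2] = hosts[$2] "," $1; next }
        { order[++n] = $2; hosts[$2] = $1 }
        END { for (i = 1; i <= n; i++) print order[i], hosts[order[i]] }'
}

# Run the playbook once per proxy, limited to the hosts behind it.
# The assignment prefix puts the proxy in the environment of that one
# ansible-playbook process (the controller, where httpapi runs) and
# leaves the calling shell untouched. Both spellings are set so that an
# inherited value in either one is replaced.
# DRY_RUN defaults to 1 (print the plan only); set DRY_RUN=0 to execute.
run_per_proxy() {
    playbook=$1
    inventory=$2
    group_by_proxy "$PROXY_MAP" | while read -r proxy hosts; do
        echo "proxy=$proxy limit=$hosts"
        if [ "${DRY_RUN:-1}" != 0 ]; then continue; fi
        # </dev/null keeps the child from consuming the loop's input.
        HTTPS_PROXY=$proxy https_proxy=$proxy \
            ansible-playbook "$playbook" -i "$inventory" --limit "$hosts" \
            </dev/null || exit 1
    done
}

run_per_proxy fortigate.yaml inventory.yaml
```

Hosts that share a proxy are batched into one run, so the number of ansible-playbook invocations equals the number of distinct proxies rather than the number of firewalls.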