fortinet-ansible-dev / ansible-galaxy-fortios-collection

GNU General Public License v3.0

Question about module "fortios_firewall_addrgrp" #62

Closed ricewu2020 closed 3 years ago

ricewu2020 commented 3 years ago

Hi, support team, I have a question when using the module "fortios_firewall_addrgrp". First of all, my versions are:

ansible 2.9.0
  config file = None
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /xxxxx/lib/python3.6/site-packages/ansible
  executable location = /xxxx/bin/ansible
  python version = 3.6.8 (default, Apr 2 2020, 13:34:55) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]

Then, I understand that under:

```yaml
firewall_addrgrp:
  name: test_group
  member:
```

Suppose I create a variable called "temp" which is equal to this B2 "testday1,testday2", making "temp" a list type. Then in the script, I wish I could write it like the following:

```yaml
firewall_addrgrp:
  name: test_group
  member: "{{ temp }}"
```

In this way, the whole script could automate address group creation based on a large CSV input file with an Ansible loop such as "with_dict".

Based on the existing design of the module, it's impossible to realize this automation. You have to enter many lines of "- name: xxx", one per member in the address group.

At the same time, the "fortios_ipv4_policy" module (https://docs.ansible.com/ansible/2.9/modules/fortios_ipv4_policy_module.html#fortios-ipv4-policy-module) works pretty well. E.g., for the "service" input, the docs say "Specifies policy service(s), could be a list (ex: ['MAIL','DNS'])". For others such as "src_addr", "src_intf" and the like, although the docs don't mention that a list is accepted, from my test they all work with list input. Full automation can be achieved for firewall policy creation. In my "with_dict" loop: src_addr: "{{ item.value.source_address }}" -----> it corresponds to "testday1,testday2" in the CSV file.

Could you please take a look at the "fortios_firewall_addrgrp" source code and let me know if the full automation I mentioned above can be achieved? Appreciate it!

JieX19 commented 3 years ago

@ricewu2020,

Thanks for your question! At this moment, the backend API is defined this way, and it would be a backwards-incompatible change to switch from taking a list of objects to a list of strings. I will bring up this improvement internally.

ricewu2020 commented 3 years ago

@JieX19 Thanks for the reply! What you mean is that the API structure (fortiosapi) on the FortiGate is written like that? For the well-working "fortios_ipv4_policy" module to accept a list of strings, are you aware what kind of API is being used by the FortiGate? I'm still new to this automation stuff. The source code seems to be using the fortios Python module. Accepting a list of strings would be truly helpful when we have a large number of entries in a CSV spreadsheet to be pushed to the FortiGate :)

JieX19 commented 3 years ago

@ricewu2020

It's true the Python module is triggered while processing the YAML, but it's actually the backend APIs that do the CRUD operations. fortiosapi communicates with FortiGate devices through the HTTP-based APIs, which are shared by both the FortiGate UI and the Ansible modules.

ricewu2020 commented 3 years ago

@JieX19 Is it possible that what I requested can be implemented shortly by accepting a list of strings? Otherwise, to achieve real automation with a CSV input file, these httpapi-based Ansible modules can't actually be used. From the client's side, it's quite common and user-friendly to prepare all inputs in a CSV file first and then load them into a playbook. A list of strings can't be avoided. If it is possible, normally how long does it take to modify the API? Thanks.

chillancezen commented 3 years ago

Hello @ricewu2020,

We realized it's very hard for the API team to modify the current logic based on our requirement. We decided to work around this issue by processing the input content ourselves. Could you try Ansible's native data-processing methods?

Here is an example of mine:

$cat fortios_firewall_addrgrp.yml

```yaml
- hosts: fortigate03
  connection: httpapi
  collections:
  - fortinet.fortios
  vars:
   vdom: "root"
   ansible_httpapi_use_ssl: no
   ansible_httpapi_validate_certs: no
   ansible_httpapi_port: 80
   # The comma-separated string could equally come from a file:
   #demo_input_path: './my_datasource'
   #demo_input: "{{ lookup( 'file', demo_input_path) }}"
   demo_input: 'login.microsoftonline.com, login.microsoft.com, login.windows.net'
   demo_members: []
  tasks:
   # Split the string on commas and append one {'name': ...} object per
   # entry, which is the shape the module's `member` option expects.
   - name: 'process input content'
     set_fact:
        demo_members: "{{ demo_members + [{'name': item.strip(' ')}] }}"
     with_items:
        - "{{demo_input.split(',')}}"

   - debug:
      var: demo_members

   - name: Configure Firewall Schedule Recurring
     fortios_firewall_addrgrp:
        vdom:  "{{ vdom }}"
        state: "present"
        firewall_addrgrp:
            name: "firwalladdressgroup0"
            comment: 'created via Ansible'
            visibility: 'enable'
            member: "{{ demo_members }}"
```

chillancezen commented 3 years ago

Ansible playbooks are flexible enough to process data in all sorts of ways. The syntax here is much like Python/Jinja2, so using Python's native library should be OK.
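The same input processing can be packaged as a custom filter plugin so that a single CSV row drives one address group without a `set_fact` loop per group. The following is an added example written for this thread, not code from the fortinet.fortios collection; the plugin file name `filter_plugins/addrgrp_members.py`, the filter names `addrgrp_members` and `policy_members`, and the CSV column names `group`, `members`, `comment` are assumptions. It goes a little beyond the playbook above: it strips whitespace, drops empty entries (trailing commas, blank cells) and duplicate names, skips rows that would produce an empty group, and also exposes a flat list of strings for modules such as `fortios_ipv4_policy` that already accept one.

```python
"""Hypothetical Ansible filter plugin: filter_plugins/addrgrp_members.py.

Turns a comma-separated spreadsheet cell such as "testday1, testday2" into the
list of {'name': ...} objects that fortios_firewall_addrgrp's `member` option
expects. Constructed for illustration; not part of the fortinet.fortios
collection.
"""
import csv
import io


def parse_members(cell):
    """Split a comma-separated cell into an ordered, de-duplicated list of names.

    Whitespace around each name is stripped and empty entries are dropped, so a
    sloppy spreadsheet cannot produce a member with an empty or padded name.
    A value that is already a list (e.g. from read_csv with a custom
    delimiter) is normalised the same way.
    """
    if cell is None:
        return []
    raw = cell if isinstance(cell, (list, tuple)) else str(cell).split(",")
    seen = set()
    names = []
    for item in raw:
        name = str(item).strip()
        if name and name not in seen:
            seen.add(name)
            names.append(name)
    return names


def addrgrp_members(cell):
    """Shape accepted by fortios_firewall_addrgrp: a list of {'name': <addr>}."""
    return [{"name": n} for n in parse_members(cell)]


def addrgrp_args_from_csv(csv_text, vdom="root"):
    """Build one fortios_firewall_addrgrp argument dict per CSV row.

    Expected columns (assumed): group, members, comment. Rows with no group
    name or no valid members are skipped rather than sent to the device.
    """
    tasks = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        group = (row.get("group") or "").strip()
        members = addrgrp_members(row.get("members"))
        if not group or not members:
            continue
        tasks.append({
            "vdom": vdom,
            "state": "present",
            "firewall_addrgrp": {
                "name": group,
                "comment": (row.get("comment") or "").strip(),
                "member": members,
            },
        })
    return tasks


class FilterModule(object):
    """Registers the filters with Ansible when the file sits under filter_plugins/."""

    def filters(self):
        return {
            "addrgrp_members": addrgrp_members,
            # flat list of strings, for modules that take one (e.g. fortios_ipv4_policy)
            "policy_members": parse_members,
        }


# Constructed sample spreadsheet, as it might be exported to CSV.
SAMPLE_CSV = """group,members,comment
test_group,"testday1, testday2",created via Ansible
empty_group,,nothing to add
dup_group,"a1,a1, a2,",duplicates and trailing comma
"""

if __name__ == "__main__":
    for args in addrgrp_args_from_csv(SAMPLE_CSV):
        print(args["firewall_addrgrp"]["name"], args["firewall_addrgrp"]["member"])
```

With the file placed in a `filter_plugins/` directory next to the playbook, a `with_dict` loop over rows loaded from the CSV can pass `member: "{{ item.value.members | addrgrp_members }}"` straight to `fortios_firewall_addrgrp`, and `src_addr: "{{ item.value.source_address | policy_members }}"` to `fortios_ipv4_policy`; the `addrgrp_args_from_csv` helper is handy for checking, offline, exactly what each row would send to the device before running the play.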

chillancezen commented 3 years ago

@ricewu2020 Hope you are doing fine and have gotten this issue resolved.

I'm marking this issue closed. Feel free to reopen it if you need further support from us.

Thanks, Link.