Simon_Macpherso
Advisor

Ansible - Add Host Object to Existing Network Group

Hi Checkmates,

Is it possible to use the Ansible check_point.mgmt.cp_mgmt_group module to add a host object to an existing group, retaining the existing members? 

This can be done using the mgmt set group API call, i.e. mgmt_cli set group name "New Group 1" members.add "New Host 2"

The set group API endpoint has the add and remove methods on the members parameter:

https://sc1.checkpoint.com/documents/latest/APIs/?#cli/set-group~v1.8%20

But in the Ansible check_point.mgmt.cp_mgmt_group documentation the add and remove methods are not there. 

https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_group_module.html

Below is an example playbook.

The following runs but doesn't retain the existing members of the group. It removes the existing members and only adds those members specified.  

- name: set-group
  cp_mgmt_group:
    members:
    - New Host 1
    - My Test Host 3
    name: New Group 5
    state: present

Regards,

Simon

19 Replies
PhoneBoy
Admin

If you define any sort of object in Ansible, the configuration of that object will be as described in Ansible. 
It also means you cannot use Ansible to manipulate objects not defined in Ansible.
This includes groups and is by design.

Simon_Macpherso
Advisor

So I can't add a new host object, defined in Ansible referenced by the host UID, to an existing network group, referenced by name, retaining the existing group membership?

In other words, all changes I want to make have to be defined in the current playbook. And all changes that aren't defined will be purged? I can see the purpose of that and it would be useful if that is what your requirement was i.e. baselining group access. But it also seems like a limitation. 

I want to integrate our CMS with Ansible/AWX to automate updating of network group membership. The groups already have existing host members and these need to be retained when the group is updated. 

PhoneBoy
Admin

From the Ansible website:

Ansible features a state-driven resource model that describes the desired state of computer systems and services, not the paths to get them to this state. No matter what state a system is in, Ansible understands how to transform it to the desired state (and also supports a "dry run" mode to preview needed changes). This allows reliable and repeatable IT infrastructure configuration, avoiding the potential failures from scripting and script-based solutions that describe explicit and often irreversible actions rather than the end goal.

In other words, an Ansible playbook describes what you want the end state to be, not how you want the state to be manipulated.
Manipulating objects that exist outside of Ansible is not consistent with the Ansible philosophy.
This is why our module does not provide these functions.

If you want to manipulate existing objects without redefining them entirely in Ansible, the REST API might be a better choice. 

Simon_Macpherso
Advisor

I understand it's declarative and the benefits that are attached to that.

I'll try to achieve this another way. 

Luis_Miguel_Mig
Advisor

In ansible, I can add an object to an existing group created via smartconsole with:

---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Create host object
      cp_mgmt_host:
        color: dark green
        ipv4_address: 192.0.2.2
        groups: [ group1 ]
        name: ansibletest1
        state: present
        auto_publish_session: true

I would expect to be able to delete from the group with something like this. It is totally compatible with the ansible philosophy, isn't it? And it makes sense to allow reverting an action executed in ansible.

The execution of the command is actually successful but it doesn't do anything.

---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Delete host object
      cp_mgmt_host:
        name: ansibletest1
        groups: [ ]
        state: present
        auto_publish_session: true

PhoneBoy
Admin

In the case of an existing group, adding an object is fairly straightforward and not as destructive as removing an object from an existing group. 
A human could have easily added that object and Ansible would have no way of knowing that was the case.

Bottom line: Don’t use Ansible to modify pre-existing objects.

Luis_Miguel_Mig
Advisor

My point was that I still don't understand why something like this doesn't work to reset a host:

---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Delete host object
      cp_mgmt_host:
        name: ansibletest1
        groups: [ ]
        state: present
        auto_publish_session: true

_Val_
Admin

Ansible is using modules, not directly performing API calls. Modules for ansible are developed by R&D, which also has other, sometimes more important tasks. I would raise an RFE for this if I were you.

Art_Zalenekas
Employee

Luis,
I just tested that against API version 1.7.1 and it works as expected.


Kind regards,
Art Zalenekas

Luis_Miguel_Mig
Advisor

What do you mean by expected? What have you tested?
If I call set-host with the parameters below, the execution seems to be successful, but it doesn't actually do anything. I would expect the ansibletest1 host to belong to no group after setting groups to [].

{
  "name" : "ansibletest1",
  "groups" : [  ]
}
Luis_Miguel_Mig
Advisor

Sorry, I made a mistake publishing with the API.

So the previous example works as you said.

So the API works for set-host:

{
  "name" : "ansibletest1",
  "groups" : [  ]
}


I don't understand why the following ansible task doesn't work.  It should work, right?

- name: Delete host object
  cp_mgmt_host:
    name: ansibletest1
    groups: [ ]
    state: present
    auto_publish_session: true

Art_Zalenekas
Employee

It should. I don't use auto_publish_session; I always use a handler for that, which I notify. Also, I use ip_address too. Otherwise it's all the same and works on my side. Here is the code for adding to groups; if you then keep an empty list ([]) it will remove from all or some groups.

---
- name: Test Playbook
  hosts: fw
  gather_facts: false
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: Add network group
      cp_mgmt_group:
        name: '{{ item }}'
        state: present
        comments: 'test'
      loop:
        - gtest3
        - gtest4
      notify: publish
    - name: Add network object
      cp_mgmt_host:
        name: 'test3'
        ip_address: "192.0.2.1"
        state: present
        groups: ["gtest3", "gtest4"]
        comments: 'test'
      notify: publish

  handlers:
    - name: publish
      cp_mgmt_publish:

Luis_Miguel_Mig
Advisor

Thanks Zalenekas. It works this way.

Simon_Macpherso
Advisor

Thanks @Art_Zalenekas.

I hadn't used loops in a playbook before.

Art_Zalenekas
Employee

You are welcome!
For me, automation is all about making the most efficient calls. So instead of singular task calls, I always try to make it as compact as possible, without increasing the complexity too much.

If you have not worked with Ansible loop keyword before, take a look here:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html

Good luck and have fun with your Automation journey!

Kind regards,
Art

Liviu_Munteanu
Explorer

To be honest... only Check Point would be able to come up with a mindset like adding being less destructive than removing. The thing is that the guys who worked on the modules came up with only half of the solution. It's basic functionality to be able to add or remove elements to groups.

I can't wait to switch to another vendor, as the Check Point way of doing things, from lots of obscure log files, debugs and commands, to all the bugs and millions of HFs and JHFs that come up like mushrooms after the rain, is not right at all. Wasted half a day to figure out how to remove an object from a group...

_Val_
Admin

Thank you for your opinion.

I personally think it may deserve a separate post. At least, it would look much better than hijacking someone else's discussion to express your frustration.

Simon_Macpherso
Advisor

Thanks for your input @Luis_Miguel_Mig 

Luis_Miguel_Mig
Advisor

I think it would be nice if ansible supported the API set-host groups "add" option.
I am deploying a bit of code in ansible to check if the host belongs to any group and, if it does, I add the new group to the list of groups.

But instead of us deploying that little code, I think it would be nicer if the collection was able to do it directly.

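An added example, not code from this thread or from the check_point.mgmt collection, that models the two membership-update styles discussed above: the full-list replacement that cp_mgmt_group/cp_mgmt_host send (which purged Simon's existing members), the read-then-merge approach Luis describes for his host groups, and the additive members.add/members.remove form of the REST set-group call. The simulated server and the host names are constructed; in practice the "existing" lists come from show-group or show-host.

```python
from __future__ import annotations
from typing import Optional


def merged_membership(existing: list[str], wanted: list[str]) -> list[str]:
    """Read-modify-write list for the declarative modules (cp_mgmt_group
    'members', cp_mgmt_host 'groups'): keep what is there, append what is new,
    drop duplicates so repeated runs do not grow the list."""
    seen: set[str] = set()
    out: list[str] = []
    for name in [*existing, *wanted]:
        if name not in seen:
            seen.add(name)
            out.append(name)
    return out


def set_group_delta(group: str, existing: list[str], desired: list[str]) -> Optional[dict]:
    """Body for the REST set-group call in its add/remove form, carrying only
    the difference between current and desired membership.
    Returns None when nothing changes so the caller can skip the call."""
    add = [m for m in desired if m not in existing]
    remove = [m for m in existing if m not in desired]
    if not add and not remove:
        return None
    members: dict[str, list[str]] = {}
    if add:
        members["add"] = add
    if remove:
        members["remove"] = remove
    return {"name": group, "members": members}


def apply_set_group(current: list[str], body: dict) -> list[str]:
    """Simulated management server (constructed, not the real API): a plain
    'members' list replaces the membership outright, which is what the Ansible
    module sends; the add/remove form edits it in place."""
    members = body["members"]
    if isinstance(members, list):
        return list(members)
    kept = [m for m in current if m not in members.get("remove", [])]
    return kept + [m for m in members.get("add", []) if m not in kept]


if __name__ == "__main__":
    # Constructed sample: "New Group 5" already holds two SmartConsole-made hosts.
    existing = ["Existing Host A", "Existing Host B"]
    print(apply_set_group(existing, {"name": "New Group 5", "members": ["New Host 1"]}))
    merged = merged_membership(existing, ["New Host 1"])
    print(apply_set_group(existing, {"name": "New Group 5", "members": merged}))
    print(set_group_delta("New Group 5", existing, merged))
```

The first print shows the purge Simon saw; the second keeps the original members because the list was merged before being sent, and the third is the minimal add-only body the REST endpoint would need.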