Hi Checkmates,
Is it possible to use the Ansible check_point.mgmt.cp_mgmt_group module to add a host object to an existing group, retaining the existing members?
This can be done using the mgmt set group API call, i.e. mgmt_cli set group name "New Group 1" members.add "New Host 2"
The set group API endpoint has the add and remove methods on the members parameter
https://sc1.checkpoint.com/documents/latest/APIs/?#cli/set-group~v1.8%20
But in the Ansible check_point.mgmt.cp_mgmt_group documentation the add and remove methods are not there.
https://docs.ansible.com/ansible/latest/collections/check_point/mgmt/cp_mgmt_group_module.html
Below is an example playbook.
The following runs but doesn't retain the existing members of the group. It removes the existing members and only adds those members specified.
- name: set-group
  cp_mgmt_group:
    members:
      - New Host 1
      - My Test Host 3
    name: New Group 5
    state: present
Regards,
Simon
If you define any sort of object in Ansible, the configuration of that object will be as described in Ansible.
It also means you cannot use Ansible to manipulate objects not defined in Ansible.
This includes groups and is by design.
So I can't add a new host object, defined in Ansible referenced by the host UID, to an existing network group, referenced by name, retaining the existing group membership?
In other words, all changes I want to make have to be defined in the current playbook. And all changes that aren't defined will be purged? I can see the purpose of that and it would be useful if that is what your requirement was i.e. baselining group access. But it also seems like a limitation.
I want to integrate our CMS with Ansible/AWX to automate updating of network group membership. The groups already have existing host members and these need to be retained when the group is updated.
Ansible features a state-driven resource model that describes the desired state of computer systems and services, not the paths to get them to this state. No matter what state a system is in, Ansible understands how to transform it to the desired state (and also supports a "dry run" mode to preview needed changes). This allows reliable and repeatable IT infrastructure configuration, avoiding the potential failures from scripting and script-based solutions that describe explicit and often irreversible actions rather than the end goal.
In other words, an Ansible playbook describes what you want the end state to be, not how you want the state to be manipulated.
Manipulating objects that exist outside of Ansible is not consistent with the Ansible philosophy.
This is why our module does not provide these functions.
If you want to manipulate existing objects without redefining them entirely in Ansible, the REST API might be a better choice.
I understand its declarative and the benefits that are attached to that.
I'll try to achieve this another way.
In Ansible, I can add an object to an existing group created via SmartConsole with:
---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Create host object
      check_point.mgmt.cp_mgmt_host:
        color: dark green
        ipv4_address: 192.0.2.2
        groups: [ group1 ]
        name: ansibletest1
        state: present
        auto_publish_session: true
I would expect to be able to delete from the group with something like this. It is totally compatible with the Ansible philosophy, isn't it? And it makes sense to allow reverting an action executed in Ansible.
The execution of the command is actually successful, but it doesn't do anything.
---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Delete host object
      check_point.mgmt.cp_mgmt_host:
        name: ansibletest1
        groups: [ ]
        state: present
        auto_publish_session: true
In the case of an existing group, adding an object is fairly straightforward and not as destructive as removing an object from an existing group.
A human could have easily added that object and Ansible would have no way of knowing that was the case.
Bottom line: Don’t use Ansible to modify pre-existing objects.
My point was that I still don't understand why something like this doesn't work to reset a host:
---
- hosts: check_point
  connection: httpapi
  tasks:
    - name: set-session
      check_point.mgmt.cp_mgmt_set_session:
        description: "api test"
        new_name: "api test"
    - name: Delete host object
      check_point.mgmt.cp_mgmt_host:
        name: ansibletest1
        groups: [ ]
        state: present
        auto_publish_session: true
Ansible is using modules, not directly performing API calls. Modules for ansible are developed by R&D, which has also other, sometimes more important tasks. I would raise an RFE for this if I were you.
Luis,
I just tested that against API version 1.7.1 and it works as expected.
Kind regards,
Art Zalenekas
What do you mean by expected? What have you tested?
If I call set-host with the parameters below, the execution seems to be successful, but it doesn't actually do anything. I would expect the ansibletest1 host to belong to no group after setting groups to [].
Sorry I made a mistake publishing with the API.
So the previous example works as you said.
So the API works for set-host.
I don't understand why the following ansible task doesn't work. It should work, right?
- name: Delete host object
  check_point.mgmt.cp_mgmt_host:
    name: ansibletest1
    groups: [ ]
    state: present
    auto_publish_session: true
It should. I don't do auto_publish_session, I always use a handler for that that I notify. Also, I use ip_address too. Else, all the same and works on my side. Here is the code for adding to groups, and then if you keep empty list ([]) then it will remove from all or some groups.
---
- name: Test Playbook
  hosts: fw
  gather_facts: false
  connection: httpapi
  collections:
    - check_point.mgmt
  tasks:
    - name: Add network group
      cp_mgmt_group:
        name: '{{ item }}'
        state: present
        comments: 'test'
      loop:
        - gtest3
        - gtest4
      notify: publish
    - name: Add network object
      cp_mgmt_host:
        name: 'test3'
        ip_address: "192.0.2.1"
        state: present
        groups: ["gtest3", "gtest4"]
        comments: 'test'
      notify: publish
  handlers:
    - name: publish
      cp_mgmt_publish:
Thanks Zalenekas. It works this way.
Thanks @Art_Zalenekas.
I hadn't used loops in a playbook before.
You are welcome!
For me all about Automation is to make the most efficient calls. So instead of singular Task calls, I always try to make it as compact as possible, without increasing the complexity too much.
If you have not worked with Ansible loop keyword before, take a look here:
https://docs.ansible.com/ansible/latest/user_guide/playbooks_loops.html
Good luck and have fun with your Automation journey!
Kind regards,
Art
To be honest... only Check Point would be able to come up with such a mindset, like adding being less destructive than removing. The thing is that the guys who worked on the modules came up with only half of the solution. It's basic functionality to be able to add or remove elements to groups.
I can't wait to switch to another vendor as the Check Point way of doing things, from lots of obscure log files, debugs and commands, to all the bugs and millions of HFs and JHFs that come up like mushrooms after the rain is not right at all. Wasted half of a day to figure out how to remove an object from a group...
Thank you for your opinion.
I personally think it may deserve a separate post. At least, it would look much better than hijacking someone else's discussion, to express your frustration.
Thanks for your input @Luis_Miguel_Mig
I think it would be nice if ansible supported the api set-host groups "add" option.
I am deploying a bit of code in ansible to check if the host belongs to any group and if it does I add the new group to the list of groups.
But instead of us deploying that little code I think it would be nicer if the collection was able to do it directly.
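The two routes discussed in this thread, shown side by side as an added example (this is not code from Check Point, the Ansible collection, or any poster): the set-group members.add form from the API docs that keeps existing members, the plain members list that replaces them, and the read-merge-write on the host that the post above describes. It assumes the documented Management API shapes (show-host returns "groups" as a list of objects with a "name"; set-group accepts "members" either as a full list or as {"add": [...]} / {"remove": [...]}). The server is emulated in memory by the constructed FakeMgmtApi class so the logic runs offline; in a real deployment you would replace its call() with a login/POST/publish sequence against the management API.

```python
"""Non-destructive group membership updates for the Check Point Management API.

Added example for this thread, not code from Check Point or the Ansible collection.
It assumes the documented Management API shapes: show-host returns "groups" as a
list of objects with a "name"; set-group takes "members" either as a full list
(replace) or as {"add": [...]} / {"remove": [...]} (edit). The server is emulated
in memory so everything runs offline; swap FakeMgmtApi for a real HTTPS client.
"""
import copy
from typing import Any, Dict, List, Sequence

# Constructed sample state (not real output): one group with two existing members,
# one empty group, and a host that is not yet a member of anything.
SEED_STATE: Dict[str, Any] = {
    "groups": {"New Group 1": ["New Host 1", "My Test Host 3"], "group1": []},
    "hosts": {"New Host 2": {"ipv4-address": "192.0.2.2"}, "New Host 1": {}, "My Test Host 3": {}},
}


class FakeMgmtApi:
    """Emulates show-host, show-group, set-host and set-group on in-memory state."""

    def __init__(self, state: Dict[str, Any]) -> None:
        self.state = copy.deepcopy(state)
        self.calls: List[tuple] = []  # audit trail of (command, payload)

    def _host_groups(self, host: str) -> List[str]:
        return [g for g, members in self.state["groups"].items() if host in members]

    def call(self, command: str, payload: Dict[str, Any]) -> Dict[str, Any]:
        self.calls.append((command, copy.deepcopy(payload)))
        groups = self.state["groups"]
        name = payload["name"]
        if command == "show-group":
            return {"name": name, "members": [{"name": m, "type": "host"} for m in groups[name]]}
        if command == "show-host":
            return {"name": name, "groups": [{"name": g, "type": "group"} for g in self._host_groups(name)]}
        if command == "set-group":
            members = payload["members"]
            if isinstance(members, list):  # full list: membership is replaced outright
                groups[name] = list(members)
            else:  # {"add": [...]} / {"remove": [...]}: membership is edited in place
                for m in members.get("add", []):
                    if m not in groups[name]:
                        groups[name].append(m)
                for m in members.get("remove", []):
                    if m in groups[name]:
                        groups[name].remove(m)
            return {"name": name, "members": list(groups[name])}
        if command == "set-host":
            # "groups" on set-host is also a full list: the host leaves every group not named,
            # so groups: [] removes it from all groups (the "reset" case in the thread).
            wanted = payload.get("groups")
            if wanted is not None:
                for g, members in groups.items():
                    if name in members and g not in wanted:
                        members.remove(name)
                    if g in wanted and name not in members:
                        members.append(name)
            return {"name": name, "groups": [{"name": g} for g in self._host_groups(name)]}
        raise ValueError(f"unsupported command: {command}")


def merge_groups(current: Sequence[str], add: Sequence[str], remove: Sequence[str] = ()) -> List[str]:
    """Union of the host's current groups and the ones to add, minus removals, order kept."""
    merged = [g for g in current if g not in remove]
    merged.extend(g for g in add if g not in merged and g not in remove)
    return merged


def group_members(api: FakeMgmtApi, group: str) -> List[str]:
    """Current membership of a group, read back through show-group."""
    return [m["name"] for m in api.call("show-group", {"name": group})["members"]]


def replace_group_members(api: FakeMgmtApi, group: str, members: Sequence[str]) -> Dict[str, Any]:
    """What the cp_mgmt_group task in the first post does: the list becomes the whole membership."""
    return api.call("set-group", {"name": group, "members": list(members)})


def add_hosts_to_group(api: FakeMgmtApi, group: str, hosts: Sequence[str]) -> Dict[str, Any]:
    """The set-group members.add form from the API docs: existing members are kept."""
    return api.call("set-group", {"name": group, "members": {"add": list(hosts)}})


def add_host_to_groups_via_host(api: FakeMgmtApi, host: str, groups: Sequence[str]) -> Dict[str, Any]:
    """Read-merge-write on the host, as the last post describes: fetch the host's current
    groups, union in the new ones, and write the full list back with set-host."""
    current = [g["name"] for g in api.call("show-host", {"name": host})["groups"]]
    return api.call("set-host", {"name": host, "groups": merge_groups(current, groups)})


if __name__ == "__main__":
    api = FakeMgmtApi(SEED_STATE)
    replace_group_members(api, "New Group 1", ["New Host 2"])
    print("members list (replace):", group_members(api, "New Group 1"))
    api = FakeMgmtApi(SEED_STATE)
    add_hosts_to_group(api, "New Group 1", ["New Host 2"])
    print("members.add (keep):    ", group_members(api, "New Group 1"))
```

The read-merge-write route is the one that fits the cp_mgmt_host module as it stands (it only takes a full groups list), but it has the same race as any read-then-write: a member added by someone else between the show and the set is not lost here, because the host's own list is what is written, yet two automation runs touching the same host concurrently can still overwrite each other within one session. The members.add form avoids that entirely, which is why it is the better fit when the goal is to add a member without owning the whole group definition.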