This website uses Cookies. Click Accept to agree to our website's cookie use as described in our Privacy Policy. Click Preferences to customize your cookie settings.
Accept
Reject
Preferences
ABOUT CHECKMATES CYBER SECURITY COMMUNITY & FAQ
Create a Post
Help
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Search instead for 
Did you mean: 

Are you a member of CheckMates?

×
Sign in with your Check Point UserCenter/PartnerMap account to access more great content and get a chance to win some Apple AirPods! If you don't have an account, create one now for free!
rkcp
Participant
‎2020-03-05 05:06 PM

Ansible automation module host deletion

Hi All

I am trying to do automation using Ansible(cp_mgmt_host) and am running into an issue with a call to delete a host. I am getting an error that the object I am trying to delete is part of some other groups. I have set the  ignore_errors and ignore_warnings paramets to true in the cp_mgmt_host function so that the script can run if this condition is met. I am unable to move past because of this. Does the host need to be removed from the group first and if yes, I do not see that as an option in the cp_mgmt_group call?  I am getting the below. I am trying to delete the object TESTHOST

"msg": {
"code": "err_validation_failed",
"message": "Validation failed with 1 warning",
"warnings": [
{
"message": "Object TESTHOST is used by the following objects: xxxxxxxx, yyyyyyyy"

Any help would be appreciated. 

 

Thanks

0 Kudos
5 Replies
PhoneBoy
Admin
Admin
‎2020-03-06 04:43 PM

The way Ansible works is the entire configuration you wish to work with must be defined in your Ansible playbook.
The way you delete something from the configuration is to modify the playbook and re-execute it.
As such, there is no explicit "delete" command in Ansible.

Which means to delete the object from the group in Ansible, you'd have to define the group as it exists in Ansible, run the playbook, remove the host from the group in the playbook.

Of course, this assumes that's the only dependency with that particular object.
There may be others, and to resolve them in Ansible, you'd have to go through a similar process.
0 Kudos
rkcp
Participant
‎2020-03-06 06:38 PM
In response to PhoneBoy

Thanks Phoneboy. Let me explain further. I am using the cp_mgmt_host task of the Checkpoint ansible module to delete the host. One of the parameters it takes is "State" and the possible values are "Present" or "Absent". Present for addition and Absent for deletion. In addition, there are 2 other parameters "ignore_errors" and "ignore_warnings" which can be true or false.

I am doing the below in my playbook 


 - name: delete-host
    cp_mgmt_host:
        name: TESTHOST
        ignore_errors: true
        ignore_warnings: true
       state: absent

 Per the documentation, this is what is needed to delete the host and ignore any warnings or errors but I am unable to delete as the host is a member of a  group object. My understanding from the documentation is that having ignore_errors set to true and state to "Absent" the host should be deleted.

What am I missing?

PhoneBoy
Admin
Admin
‎2020-03-06 11:11 PM
In response to rkcp

Ignore Errors or Ignore Warnings will not overcome the requirement to remove all references to the object in groups or other objects before you can remove it.
ThIs applies whether you're using Ansible or not.

My guess is you are working with an object that was not defined by your Ansible playbook to begin with.
Ansible can only remove objects where Ansible was used to create the object along with all the objects that might depend on it (e.g. groups).
That means either defining all those dependencies in your playbook or removing the dependencies outside Ansible.
rkcp
Participant
‎2020-03-14 09:51 AM
In response to PhoneBoy

The host I am trying to delete was added by the ansible playbook to add host using the cp_mgmt_host library. This was set by setting the value of the variable "State" to "Present". I am now trying to delete the same host as a test to see how to do this via Ansible. So I am using the same cp_mgmt_host library and setting the "State" parameter to "absent" to delete it. The host I have added is part of 2 groups and I am trying to delete it and the message I am getting is that these objects belong to 2 groups. Below is the message I am getting

atal: [x.x.x.x]: FAILED! => {
"changed": false,
"invocation": {
"module_args": {
"auto_publish_session": true,
"color": null,
"comments": null,
"details_level": null,
"groups": null,
"host_servers": null,
"ignore_errors": null,
"ignore_warnings": null,
"interfaces": null,
"ip_address": null,
"ipv4_address": null,
"ipv6_address": null,
"name": "TEST123",
"nat_settings": null,
"state": "absent",
"tags": null,
"version": null,
"wait_for_task": true
}
},
"msg": {
"code": "err_validation_failed",
"message": "Validation failed with 1 warning",
"warnings": [
{
"message": "Object TEST123 is used by the following objects: Domain-xxxxx-Group, OS-xxxxxxx-Server-Group"
}
]
}
}

Do I need to first find out what groups the host belongs to and take it out from the groups and then delete it? If I have to take it out of groups do I use the cp_mgmtgroup library and does have any example if they have used it as I am concerned that I do not want to delete the group by mistake.

 

Thanks

0 Kudos
PhoneBoy
Admin
Admin
‎2020-03-14 04:03 PM
In response to rkcp

You can either remove the object from the groups outside of Ansible OR define the groups in Ansible as they exist currently on your management station with the exception of the object you wish to remove.
Either approach will work.
You will not be able to delete the object in Ansible—or via any other mechanism—until you do that.
0 Kudos

Leaderboard

Epsum factorial non deposit quid pro quo hic escorol.

View All ≫
Upcoming Events

    CheckMates Events