Hello, does anyone have a working Ansible playbook to create an administrator on an R81.20 SMS?
I want to create the user "ansible" in my lab SMS using Ansible. I will then use Ansible to automate most of my lab creation. Full details of how the environment is set up: https://github.com/doritoes/NUC-Labs/blob/xcp-ng-improvement/XCP-ng/Appendix-Ansible.md
Using the inventory file below (with ansible_checkpoint_domain=System Data commented out):
1. I can use cp_mgmt_host without problem.
2. When I try to use cp_mgmt_administrator to create an administrator, I get the error:
Checkpoint device returned error 400 with message {'code': 'err_inappropriate_domain_type', 'message': 'This command can only work on domains of type MDS. Cannot execute it in the current domain (current domain type is Domain).'} Unpublished changes were discarded.
From links here and from looking at the API documentation, I have found that the domain should be specified as "System Data" for an SMS. When I uncomment the line ansible_checkpoint_domain=System Data in the inventory file, I get a new error:
ansible.module_utils.connection.ConnectionError: Server returned response without token info during the connection authentication: 400
The odd thing is that I tried a couple dozen variations of the configuration and got it working 2 times, but I can't get it working again to document what works.
File: inventory
[check_point]
# SMS IP
192.168.41.20

[check_point:vars]
ansible_httpapi_use_ssl=True
ansible_httpapi_validate_certs=False
ansible_user=cpadmin
ansible_password=supersecret
#ansible_checkpoint_domain=System Data
ansible_network_os=check_point.mgmt.checkpoint
File: add_user.yml
---
- name: Test playbook
  hosts: check_point
  connection: httpapi
  tasks:
    - name: add-administrator
      cp_mgmt_administrator:
        authentication_method: check point password
        email: admin@gmail.com
        must_change_password: False
        name: ansible
        password: anothersecret
        permissions_profile: read write all
        phone_number: 1800-800-800
        state: present
        auto_publish_session: True
Command:
ansible-playbook -i inventory add_user.yml
FAQs
1) How did you install the Ansible module?
- sudo apt update && sudo apt upgrade -y && sudo apt autoremove -y
- sudo apt install -y ansible python3-paramiko python3-pip
- ansible-galaxy collection install community.general vyos.vyos check_point.mgmt
- python3 -m pip install XenAPI
2) Did you set up SSH keys? Yes, I did, and the playbook that completes the FTW using Ansible uses a separate inventory file and playbook. This is specifically using the mgmt API via Ansible.
3) Did you enable the API in smartconsole?
Yes. Manage & Settings > Blades > Management API > Advanced Settings > All IP addresses, and then publish. The other playbook task to add a host object works fine without specifying the domain:
    - name: Create host object
      cp_mgmt_host:
        color: dark green
        ipv4_address: 192.168.41.100
        name: Manager
        comments: management workstation
        state: present
        auto_publish_session: True
4) Did you read the docs?
Yes. For example: https://sc1.checkpoint.com/documents/latest/APIs/?#cli/add-administrator~v1.9.1%20
This is where the "System Data" domain is mentioned.
5) Why not just create the administrator manually?
I am using automation to build the entire lab to speed up testing. I use Terraform with XCP-ng to deploy networks, routers, firewalls, servers, and workstations. I use Ansible to complete the FTW on firewalls. I will use Ansible to deploy policies and configurations on the SMS and push them to the firewalls. I really want to
EDIT: Yes, mgmt_cli can be run using Ansible to do the same thing:
# run on the SMS itself: -r true logs in as root (no password), -d selects the "System Data" domain
mgmt_cli -f json -r true login -d "System Data" > session.txt
mgmt_cli -s session.txt add administrator name "ansible2" password "secret" must-change-password false email "admin@gmail.com" phone-number "1800-800-800" authentication-method "check point password" permissions-profile "read write all" --domain 'System Data' --format json
mgmt_cli -f json -s session.txt publish
# close the API session before discarding the session file
mgmt_cli -f json -s session.txt logout
rm session.txt
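The same login/add-administrator/publish/logout sequence as the mgmt_cli commands above, written as a direct Management Web API client; this is an added example, not the poster's or Check Point's code. The host, credentials and the FakeSms class are constructed assumptions so the flow (and the domain error from the original post) can be exercised offline.

```python
# Added example, not the poster's or Check Point's code: the mgmt_cli sequence above
# as direct Web API calls. Paths, field names and the X-chkp-sid header follow the public
# API reference; host, credentials and FakeSms are constructed for offline use.
import json
import ssl
import urllib.request

def https_post(host, path, body, sid=None):
    # Real transport: POST JSON to https://<host>/web_api/<path>, certificate verified.
    headers = {"Content-Type": "application/json"}
    if sid:
        headers["X-chkp-sid"] = sid  # session token handed out by /web_api/login
    req = urllib.request.Request(f"https://{host}/web_api/{path}",
                                 data=json.dumps(body).encode(), headers=headers)
    with urllib.request.urlopen(req, context=ssl.create_default_context()) as resp:
        return json.load(resp)

def create_administrator(post, host, user, password, admin, domain="System Data"):
    """login (in `domain`) -> add-administrator -> publish -> logout; returns both results."""
    login = {"user": user, "password": password}
    if domain:  # on an SMS, administrators are objects of the "System Data" domain
        login["domain"] = domain
    sid = post(host, "login", login)["sid"]
    try:
        results = [post(host, "add-administrator", admin, sid)]
        results.append(post(host, "publish", {}, sid))
    finally:
        post(host, "logout", {}, sid)  # release the session even when a call fails
    return results

SAMPLE_ADMIN = {  # constructed values, same fields as the cp_mgmt_administrator task
    "name": "ansible", "password": "anothersecret", "must-change-password": False,
    "email": "admin@gmail.com", "phone-number": "1800-800-800",
    "authentication-method": "check point password", "permissions-profile": "read write all",
}

class FakeSms:
    """Offline stand-in for an SMS that reproduces the domain rule the poster hit."""
    def __init__(self):
        self.calls, self.sessions = [], {}
    def post(self, host, path, body, sid=None):
        self.calls.append(path)
        if path == "login":
            self.sessions["sid-1"] = body.get("domain")  # remember the login domain
            return {"sid": "sid-1"}
        if sid not in self.sessions:
            raise PermissionError("request without a valid X-chkp-sid")
        if path == "add-administrator" and self.sessions[sid] != "System Data":
            raise RuntimeError("err_inappropriate_domain_type: needs the System Data domain")
        return {"task-id": "0"} if path == "publish" else {"name": body.get("name")}
```

Pass `https_post` instead of `FakeSms().post` to run the sequence against a real SMS with the API enabled.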