fortios need host, username, password in every "- name"


nbctcp

Aug 19, 2018, 11:58:58 PM
to Ansible Project
Hi,

I have a playbook for fortios and it is working.
But is this possible:
1. I don't want to put the password in the playbook, but put it in group_vars/forti.yml
2. For Cisco I can apply the playbook to a group name in hosts,
i.e.
# cat playbooks/cisco.yml
---
- name: show
  connection: network_cli
  hosts: cisco
INSTEAD OF
---
- name: show
  connection: network_cli
  hosts: cisco1

How do I do the same in fortios?

# cat ../hosts
[cisco]
cisco1 ansible_host=10.0.10.121

[forti]
fgt1 ansible_host=10.0.10.123

# cat playbooks/forti.yml
---
- name: fortios command
  connection: local
  hosts: forti
  tasks:
    - name: backup
      fortios_config:
        host: fgt1
        username: admin
        password: admin
        backup: yes
        backup_path: "backup/forti"
        backup_filename: "{{inventory_hostname}}_{{ansible_date_time.date}}.cfg"

    - name: dns
      fortios_address:
        host: fgt1
        username: admin
        password: admin
        state: present
        name: "google_dns"
        type: ipmask
        value: 8.8.8.8

Kai Stian Olstad

Aug 20, 2018, 4:16:31 AM
to ansible...@googlegroups.com
On Monday, 20 August 2018 05.58.58 CEST nbctcp wrote:
> I have playbook for fortios and working.
> But is that possible
> 1. I don't want to put password in playbook, but put that in
> group_vars/forti.yml
>
> # cat ../hosts
> [cisco]
> cisco1 ansible_host=10.0.10.121
>
> [forti]
> fgt1 ansible_host=10.0.10.123

In group_vars/forti.yml you can have any variable you like, so let's say forti_password.

group_vars/forti.yml
---
forti_password: admin


> # cat playbooks/forti.yml
> ---
> - name: fortios command
>   connection: local
>   hosts: forti
>   tasks:
>     - name: backup
>       fortios_config:
>         host: fgt1
>         username: admin
>         password: admin
>         backup: yes
>         backup_path: "backup/forti"
>         backup_filename: "{{inventory_hostname}}_{{ansible_date_time.date}}.cfg"

Instead of
password: admin
you use
password: '{{ forti_password }}'


You also have host_vars that you can use; host_vars will overwrite the same variable in group_vars, so that way you can easily have a unique password on all or some of your hosts and use the same playbook.

--
Kai Stian Olstad


Jonathan Lozada De La Matta

Aug 20, 2018, 8:27:40 AM
to ansible...@googlegroups.com
Also check out Ansible Vault.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/3056363.FfUnUlk6MR%40x1.
For more options, visit https://groups.google.com/d/optout.
--

Jonathan lozada de la matta

AUTOMATION CONSULTANT - AUTOMATION PRACTICE

Red Hat Consulting Services

jloz...@redhat.com
nbctcp

Aug 20, 2018, 10:45:37 AM
to Ansible Project
QUESTION1: SOLVED
QUESTION2: Here is my goal.
I have 2 FortiGates (fgt1 and fgt2 with their respective IPs).
I want to back up both using 1 group name "forti" instead of issuing 1 backup task each to fgt1 and fgt2.
Is that possible?
tq

# cat hosts
[forti]
fgt1 ansible_host=10.0.10.123
fgt2 ansible_host=10.0.10.124

# cat group_vars/forti.yml
---
ansible_user: admin
ansible_ssh_pass: admin

# cat playbooks/forti.yml
---
- name: fortios command
  connection: local
  hosts: forti
  tasks:
    - name: backup
      fortios_config:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        backup: yes
        backup_path: "backup/forti"

Jonathan Lozada De La Matta

Aug 20, 2018, 11:30:55 AM
to ansible...@googlegroups.com
Have you run it this way yet? It should do both hosts in that group.


nbctcp

Aug 20, 2018, 11:37:22 AM
to Ansible Project
With this setting, I got this error:

# cat playbooks/forti.yml
---
- name: fortios command
  connection: local
  hosts: forti
  tasks:
    - name: backup
      fortios_config:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        backup: yes
        backup_path: "backup/forti"
        backup_filename: "{{inventory_hostname}}_{{ansible_date_time.date}}.cfg"

    - name: dns
      fortios_address:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        state: present
        name: "google_dns"
        type: ipmask
        value: 8.8.8.8

    - name: allow external dns call
      fortios_ipv4_policy:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        id: 51
        src_addr: LAN
        dst_addr: all
        service: DNS
        nat: True
        state: present
        policy_action: accept
        logtraffic: disable


# ansible-playbook playbooks/forti.yml -vvv
ansible-playbook 2.6.3
  config file = /home/admin2/ansible.cfg
  configured module search path = [u'/root/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 2.7.15rc1 (default, Apr 15 2018, 21:51:34) [GCC 7.3.0]
Using /home/admin2/ansible.cfg as config file
Parsed /home/admin2/hosts inventory source with ini plugin

PLAYBOOK: forti.yml ************************************************************
1 plays in playbooks/forti.yml

PLAY [fortios command] *********************************************************

TASK [Gathering Facts] *********************************************************
task path: /home/admin2/playbooks/forti.yml:2
<10.0.10.123> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.10.123> EXEC /bin/sh -c 'echo ~root && sleep 0'
<10.0.10.123> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488 `" && echo ansible-tmp-1534779254.43-16916669350488="` echo /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488 `" ) && sleep 0'
<10.0.10.124> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.10.124> EXEC /bin/sh -c 'echo ~root && sleep 0'
<10.0.10.124> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642 `" && echo ansible-tmp-1534779254.45-169933572556642="` echo /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642 `" ) && sleep 0'
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/system/setup.py
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/system/setup.py
<10.0.10.123> PUT /root/.ansible/tmp/ansible-local-21928tnYti6/tmpRXZMWj TO /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488/setup.py
<10.0.10.123> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488/ /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488/setup.py && sleep 0'
<10.0.10.124> PUT /root/.ansible/tmp/ansible-local-21928tnYti6/tmpciiAer TO /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642/setup.py
<10.0.10.124> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642/ /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642/setup.py && sleep 0'
<10.0.10.123> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488/setup.py && sleep 0'
<10.0.10.124> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642/setup.py && sleep 0'
<10.0.10.124> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1534779254.45-169933572556642/ > /dev/null 2>&1 && sleep 0'
<10.0.10.123> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1534779254.43-16916669350488/ > /dev/null 2>&1 && sleep 0'
ok: [fgt2]
ok: [fgt1]
META: ran handlers

TASK [backup] ******************************************************************
task path: /home/admin2/playbooks/forti.yml:6
<10.0.10.123> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.10.123> EXEC /bin/sh -c 'echo ~root && sleep 0'
<10.0.10.123> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779 `" && echo ansible-tmp-1534779255.48-268549543286779="` echo /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779 `" ) && sleep 0'
<10.0.10.124> ESTABLISH LOCAL CONNECTION FOR USER: root
<10.0.10.124> EXEC /bin/sh -c 'echo ~root && sleep 0'
<10.0.10.124> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915 `" && echo ansible-tmp-1534779255.53-240639271872915="` echo /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915 `" ) && sleep 0'
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/network/fortios/fortios_config.py
Using module file /usr/lib/python2.7/dist-packages/ansible/modules/network/fortios/fortios_config.py
<10.0.10.123> PUT /root/.ansible/tmp/ansible-local-21928tnYti6/tmppMHw05 TO /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779/fortios_config.py
<10.0.10.124> PUT /root/.ansible/tmp/ansible-local-21928tnYti6/tmptnVRou TO /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915/fortios_config.py
<10.0.10.124> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915/ /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915/fortios_config.py && sleep 0'
<10.0.10.123> EXEC /bin/sh -c 'chmod u+x /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779/ /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779/fortios_config.py && sleep 0'
<10.0.10.123> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779/fortios_config.py && sleep 0'
<10.0.10.124> EXEC /bin/sh -c '/usr/bin/python /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915/fortios_config.py && sleep 0'
<10.0.10.124> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1534779255.53-240639271872915/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_9zRRFw/ansible_module_fortios_config.py", line 126, in main
    f.open()
  File "/usr/local/lib/python2.7/dist-packages/pyFG/fortios.py", line 103, in open
    self.ssh.connect(**cfg)
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 296, in connect
    to_try = list(self._families_and_addresses(hostname, port))
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 200, in _families_and_addresses
    addrinfos = socket.getaddrinfo(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM)

fatal: [fgt2]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "backup": true,
            "backup_filename": "fgt2_2018-08-20.cfg",
            "backup_path": "backup/forti",
            "config_file": null,
            "file_mode": false,
            "filter": "",
            "host": "forti",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "src": null,
            "timeout": 60,
            "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "vdom": null
        }
    },
    "msg": "Error connecting device"
}
<10.0.10.123> EXEC /bin/sh -c 'rm -f -r /root/.ansible/tmp/ansible-tmp-1534779255.48-268549543286779/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
  File "/tmp/ansible_kdXym7/ansible_module_fortios_config.py", line 126, in main
    f.open()
  File "/usr/local/lib/python2.7/dist-packages/pyFG/fortios.py", line 103, in open
    self.ssh.connect(**cfg)
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 296, in connect
    to_try = list(self._families_and_addresses(hostname, port))
  File "/usr/lib/python2.7/dist-packages/paramiko/client.py", line 200, in _families_and_addresses
    addrinfos = socket.getaddrinfo(hostname, port, socket.AF_UNSPEC, socket.SOCK_STREAM)

fatal: [fgt1]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "backup": true,
            "backup_filename": "fgt1_2018-08-20.cfg",
            "backup_path": "backup/forti",
            "config_file": null,
            "file_mode": false,
            "filter": "",
            "host": "forti",
            "password": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "src": null,
            "timeout": 60,
            "username": "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER",
            "vdom": null
        }
    },
    "msg": "Error connecting device"
}

PLAY RECAP *********************************************************************
fgt1                       : ok=1    changed=0    unreachable=0    failed=1
fgt2                       : ok=1    changed=0    unreachable=0    failed=1

Jonathan Lozada De La Matta

Aug 20, 2018, 11:41:16 AM
to ansible...@googlegroups.com
Are you able to connect to it regularly? At the end you can see this error:
  },
    "msg": "Error connecting device"


nbctcp

Aug 20, 2018, 12:09:53 PM
to Ansible Project
PROBLEMS:
- with the working playbook,
backup is applied on both fgt1 and fgt2, but
the address (LAN) and policy task (LAN2WAN DNS) are only applied on fgt1

WORKING
# cat forti.yml
---
- name: fortios command
  connection: local
  hosts: forti
  tasks:
    - name: backup
      fortios_config:
        host: fgt1
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        backup: yes
        backup_path: "backup/forti"
        backup_filename: "{{inventory_hostname}}_{{ansible_date_time.date}}.cfg"

    - name: LAN
      fortios_address:
        host: fgt1
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        state: present
        name: "LAN"
        type: ipmask
        value: 10.0.1.0/24

    - name: LAN2WAN DNS
      fortios_ipv4_policy:
        host: fgt1
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        id: 51
        src_addr: LAN
        dst_addr: all
        service: DNS
        nat: True
        state: present
        policy_action: accept
        logtraffic: disable


NOT WORKING
# cat playbooks/forti.yml
---
- name: fortios command
  connection: local
  hosts: forti
  tasks:
    - name: backup
      fortios_config:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        backup: yes
        backup_path: "backup/forti"
        backup_filename: "{{inventory_hostname}}_{{ansible_date_time.date}}.cfg"

    - name: LAN
      fortios_address:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        state: present
        name: "LAN"
        type: ipmask
        value: 10.0.1.0/24

    - name: LAN2WAN DNS
      fortios_ipv4_policy:
        host: forti
        username: "{{ansible_user}}"
        password: "{{ansible_ssh_pass}}"
        id: 51
        src_addr: LAN
        dst_addr: all
        service: DNS
        nat: True
        state: present
        policy_action: accept
        logtraffic: disable


Kai Stian Olstad

Aug 20, 2018, 12:35:09 PM
to ansible...@googlegroups.com
On 20.08.2018 18:09, nbctcp wrote:
> PROBLEMS:
> -with working playbook.
> backup applied on both fgt1 and fgt2 but
> address (LAN) and policy task (LAN2WAN DNS) only applied on fgt1
>
> WORKING
> # cat forti.yml
> ---
> - name: fortios command
>   connection: local
>   hosts: forti
>   tasks:
>     - name: backup
>       fortios_config:
>         host: fgt1

Your host in the module needs to be different for each host, so use the
variable ansible_host or inventory_hostname.

--
Kai Stian Olstad
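Putting the two answers in this thread together (credentials kept in group_vars rather than the playbook, and a per-host value for the module's host parameter), here is an added example that is not from the thread itself; it assumes the inventory and file layout shown above and that group_vars/forti.yml is encrypted with ansible-vault. The fortios modules connect to whatever host value they are handed literally: host: fgt1 makes every inventory host run its tasks against fgt1, and host: forti fails because a group name is not a resolvable hostname (the socket.getaddrinfo traceback above), so "{{ ansible_host }}" is what gives each FortiGate its own address.

```yaml
# group_vars/forti.yml  (assumed path; encrypt it with: ansible-vault encrypt group_vars/forti.yml)
---
ansible_user: admin
ansible_ssh_pass: "CHANGE_ME"   # constructed placeholder; the real value lives only in the vaulted file
---
# playbooks/forti.yml  (second document in this block for readability; a separate file in practice)
- name: fortios command
  connection: local
  hosts: forti
  gather_facts: yes             # ansible_date_time in the backup filename needs facts
  tasks:
    # Quick check of what each host will hand to the modules before running the play:
    #   ansible -i hosts forti -m debug -a "var=ansible_host"
    - name: backup
      fortios_config:
        host: "{{ ansible_host }}"   # per-host IP from inventory, never the group name
        username: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        backup: yes
        backup_path: "backup/forti"
        backup_filename: "{{ inventory_hostname }}_{{ ansible_date_time.date }}.cfg"

    - name: LAN
      fortios_address:
        host: "{{ ansible_host }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        state: present
        name: "LAN"
        type: ipmask
        value: 10.0.1.0/24

    - name: LAN2WAN DNS
      fortios_ipv4_policy:
        host: "{{ ansible_host }}"
        username: "{{ ansible_user }}"
        password: "{{ ansible_ssh_pass }}"
        id: 51
        src_addr: LAN
        dst_addr: all
        service: DNS
        nat: True
        state: present
        policy_action: accept
        logtraffic: disable
```

Run it with ansible-playbook --ask-vault-pass playbooks/forti.yml (or --vault-password-file) so the vaulted group_vars can be read; in -vvv output the "host" field of each module invocation should then show a different IP for fgt1 and fgt2.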

nbctcp

Aug 20, 2018, 12:50:28 PM
to Ansible Project
SOLVED
tq

Philippe Domineaux

Oct 30, 2019, 2:22:34 PM
to Ansible Project
Hello,

How did you manage to make it work?