one common acl name with unique ip per device


Josh Karki
Aug 23, 2021, 11:28:01 PM
to Ansible Project
I have about 5 ASAs, and they all have one common ACL name, say for example "allow_test".

Now I need to add one more entry to the list on all 5 ASAs, but each with a different IP. E.g.:

access-list allow_test standard permit host 1.1.1.1 (for asa1)
access-list allow_test standard permit host 2.2.2.2 (for asa2, and so on)

I tried it with a with_items loop and a variable set for the hostname and then the IP for the ACL, but it doesn't seem to work.

Have you guys come across a similar situation and addressed this challenge? I would appreciate it if you could share your solution with me.

Thanks!

Clint Denham
Aug 25, 2021, 2:04:48 PM
to ansible...@googlegroups.com
Not sure if this would help, but maybe a different way of looking at it using with_subelements?

I have one Task that creates some ACLs for OpenStack

    - name: Add Rules to the Security Groups
      tags: security_groups
      os_security_group_rule:
        security_group: "{{ item.0.group }}"      # item.0 is the outer element (the group)
        direction: "{{ item.1.direction }}"      # item.1 is one entry of that group's 'rules' list
        protocol: "{{ item.1.protocol }}"
        remote_ip_prefix: "{{ item.1.remote_ip }}"
        # 'search' is a Jinja test, not a filter: "is search" is the form current
        # Ansible accepts; the older "| search" filter syntax is rejected.
        ethertype: "{{ (item.1.remote_ip is search(':')) | ternary('IPv6', 'IPv4') }}"
      with_subelements:
        - "{{ security_groups }}"
        - rules
      run_once: true

The dictionary security_groups looks like this:

security_groups:
  - group: prod_traffic_plane
    rules:
      - { "direction":"ingress", "protocol": "tcp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "udp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "icmp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "tcp", "remote_ip": "::/0" }
      - { "direction":"ingress", "protocol": "udp", "remote_ip": "::/0" }
      - { "direction":"ingress", "protocol": "icmp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "tcp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "udp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "icmp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "tcp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "udp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "icmp", "remote_ip": "::/0" }
  - group: dev_traffic_plane
    rules:
      - { "direction":"ingress", "protocol": "tcp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "udp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "icmp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"ingress", "protocol": "tcp", "remote_ip": "::/0" }
      - { "direction":"ingress", "protocol": "udp", "remote_ip": "::/0" }
      - { "direction":"ingress", "protocol": "icmp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "tcp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "udp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "icmp", "remote_ip": "0.0.0.0/0" }
      - { "direction":"egress", "protocol": "tcp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "udp", "remote_ip": "::/0" }
      - { "direction":"egress", "protocol": "icmp", "remote_ip": "::/0" }


Josh Karki
Aug 25, 2021, 3:28:27 PM
to Ansible Project
Thanks Clint!

I fixed this with:

vars:
  # device hostname -> address to permit on that device
  asas:
    asa1: 1.1.1.1
    asa2: 2.2.2.2

tasks:
  - name: get hostname
    asa_command:
      commands:
        - show hostname
    register: hostname          # hostname.stdout[0] is the output of the first command

  - name: update acl
    asa_config:
      lines:
        - access-list test1 remark test-test
        # look the device's own hostname up in the asas map to get its IP
        - access-list test1 standard permit host {{ asas[hostname.stdout[0]] }}
      match: strict
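The same per-device entry for a shared ACL, written the way I would put it into a playbook today. This is an added example, not code from the thread: the per-host IP comes from inventory (so there is no "show hostname" round trip and no hostname-to-IP map to keep in sync), and the value is validated before it is rendered into firewall configuration, because an ACL line templated straight from an inventory variable will push whatever that variable contains. The inventory, the hostnames, the management addresses and the acl_host_ip variable name are all assumptions for illustration.

```yaml
# Added example (not from the thread): one shared ACL name, a different host
# entry per device, with the per-device address taken from inventory.
#
# Assumed inventory (inventory.yml), hypothetical hosts and addresses:
#   all:
#     children:
#       asas:
#         vars:
#           ansible_network_os: cisco.asa.asa
#           ansible_connection: ansible.netcommon.network_cli
#         hosts:
#           asa1: { ansible_host: 192.0.2.11, acl_host_ip: 1.1.1.1 }
#           asa2: { ansible_host: 192.0.2.12, acl_host_ip: 2.2.2.2 }
- name: Add one per-device host entry to a shared ACL
  hosts: asas
  gather_facts: false
  vars:
    acl_name: allow_test
    # Exactly one IPv4 dotted quad: no CIDR suffix, no whitespace, nothing else.
    # A malformed or tampered inventory value must never become an unintended
    # ACL line or a second configuration statement on the firewall.
    ipv4_host_re: '^(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])(\.(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])){3}$'
  tasks:
    - name: Validate the per-device address before touching the firewall
      ansible.builtin.assert:
        that:
          - acl_host_ip is defined
          - acl_host_ip is match(ipv4_host_re)
        fail_msg: "{{ inventory_hostname }}: acl_host_ip is not a single IPv4 host address"

    - name: Add the host entry (same ACL name everywhere, different host per device)
      cisco.asa.asa_config:
        lines:
          - "access-list {{ acl_name }} standard permit host {{ acl_host_ip }}"
        backup: true          # keep a copy of the running config before the change
      diff: true              # report the lines that were actually pushed
```

Run it as `ansible-playbook -i inventory.yml acl.yml --check --diff` first: the assert task fails the play for any device whose address does not pass the check, and check mode shows the exact access-list line each device would receive without changing anything.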