
asa_acls: No support for user identity

Open doge-tech opened this issue 3 years ago • 0 comments

SUMMARY

The asa_acls module cannot work with ACEs that use user identity, since the acls dictionary does not contain any parameters pertaining to identity. Additionally, any existing ASA access-list commands containing the "user" or "user-group" keywords are not parsed correctly when gathered.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

asa_acls

ANSIBLE VERSION

ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.1+ (default, Jan 20 2021, 14:49:22) [GCC 10.2.1 20210110]

CONFIGURATION

DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/hosts']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 600

OS / ENVIRONMENT

Ansible running on Debian testing. Tested against ASA 5516-X running software 9.8(4)10.

STEPS TO REPRODUCE

Apply an access-list command to an ASA that uses either the "user" or "user-group" keywords, e.g.:

access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og

Then attempt to gather the ACL config from the ASA and save as YAML:

---
- name: convert interface to structured data
  connection: network_cli
  hosts: TESTING
  gather_facts: false
  vars:
    ansible_network_os: asa

  tasks:
    - name: Gather facts
      cisco.asa.asa_acls:
        state: gathered
      register: gather

    - name: Create inventory directory
      become: true
      delegate_to: localhost
      file:
        path: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}"
        state: directory

    - name: Write each resource to a file
      become: true
      delegate_to: localhost
      copy:
        content: "{{ gather['gathered'] | to_nice_yaml }}"
        dest: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/acls.yaml"

EXPECTED RESULTS

Generated YAML file describes all aspects of the ACE, including user identity information.

ACTUAL RESULTS

Generated YAML is missing the identity information. Additionally, several non-identity parameters are also missing from the output and the single object-group retrieved from the config has been assigned to an incorrect parameter (presumably as the access-list command has not been parsed correctly).

acls:
-   aces:
    -   grant: permit
        line: 1
        source:
            object_group: HTTP-HTTPS_sg
    acl_type: extended
    name: TEST-ACL

doge-tech, Feb 05 '21 14:02
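To make the reported loss visible rather than silent, here is an added Python example (not code from the cisco.asa collection) that parses an extended ACE, including the `user` / `user-group` keywords, and then diffs that parse against the structured output the module returned, listing every field that was dropped or assigned to the wrong place. The tokenizer, the field names (`protocol_options`, `user_group`, `destination`, `unparsed`) and the `dropped_fields` helper are this example's own assumptions, not the module's schema; the ACE line and the gathered dict are copied from the report above. The check is the kind of guard a practitioner would want before gathered data is trusted as a source of truth: a gathered rule that has lost its identity constraint and its real source and destination no longer describes what the firewall enforces.

```python
import re
from typing import Dict, List, Tuple

# One token per double-quoted string (identity names may contain spaces),
# otherwise split on whitespace. Backslashes are kept literally.
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def _take_address(tokens: List[str], i: int) -> Tuple[Dict, int]:
    """Consume one ASA address argument starting at tokens[i]."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return {tok: True}, i + 1
    if tok in ("host", "object-group", "object", "interface"):
        return {tok.replace("-", "_"): tokens[i + 1]}, i + 2
    if "/" in tok:  # IPv6 prefix written as address/length
        return {"address": tok}, i + 1
    return {"address": tok, "netmask": tokens[i + 1]}, i + 2


def _take_port(tokens: List[str], i: int) -> Tuple[Dict, int]:
    """Consume an optional port operator (eq/gt/lt/neq/range) after an address."""
    if i < len(tokens) and tokens[i] in ("eq", "gt", "lt", "neq"):
        return {tokens[i]: tokens[i + 1]}, i + 2
    if i < len(tokens) and tokens[i] == "range":
        return {"range": {"start": tokens[i + 1], "end": tokens[i + 2]}}, i + 3
    return {}, i


def parse_extended_ace(line: str) -> Dict:
    """Parse one 'access-list <name> extended ...' line into a dict.

    Field names are this example's own, not the asa_acls module schema.
    Trailing keywords the parser does not know are collected under
    'unparsed' instead of being dropped, so nothing disappears silently.
    """
    tokens = TOKEN_RE.findall(line.strip())
    if len(tokens) < 7 or tokens[0] != "access-list" or tokens[2] != "extended":
        raise ValueError("only 'access-list <name> extended ...' lines are handled")
    ace: Dict = {"name": tokens[1], "acl_type": tokens[2], "grant": tokens[3]}
    i = 4
    # Protocol argument: keyword/number, or a service object / object-group.
    if tokens[i] in ("object-group", "object"):
        ace["protocol_options"] = {tokens[i].replace("-", "_"): tokens[i + 1]}
        i += 2
    else:
        ace["protocol"] = tokens[i]
        i += 1
    # Identity argument: the keywords the gathered output loses.
    if tokens[i] in ("user", "user-group"):
        ace[tokens[i].replace("-", "_")] = tokens[i + 1].strip('"')
        i += 2
    ace["source"], i = _take_address(tokens, i)
    port, i = _take_port(tokens, i)
    if port:
        ace["source"]["port"] = port
    ace["destination"], i = _take_address(tokens, i)
    port, i = _take_port(tokens, i)
    if port:
        ace["destination"]["port"] = port
    while i < len(tokens):
        tok = tokens[i]
        if tok in ("log", "inactive"):
            ace[tok] = True
            i += 1
        elif tok == "time-range":
            ace["time_range"] = tokens[i + 1]
            i += 2
        else:
            ace.setdefault("unparsed", []).append(tok)
            i += 1
    return ace


def dropped_fields(parsed: Dict, gathered: Dict, prefix: str = "") -> List[str]:
    """Dotted paths the parse has but the gathered ACE lacks or states differently."""
    problems: List[str] = []
    for key, value in parsed.items():
        path = prefix + key
        if key not in gathered:
            problems.append(path)
        elif isinstance(value, dict) and isinstance(gathered[key], dict):
            problems.extend(dropped_fields(value, gathered[key], path + "."))
        elif gathered[key] != value:
            problems.append(path)
    return problems


# The ACE from the report and the ACE the module returned for it (both copied
# from the issue text; 'line' is the module's own field and is not checked).
PAGE_ACE_LINE = (
    r'access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg '
    r'user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og '
    r'object-group RFC1918_og'
)
PAGE_GATHERED_ACE = {
    "name": "TEST-ACL",
    "acl_type": "extended",
    "grant": "permit",
    "line": 1,
    "source": {"object_group": "HTTP-HTTPS_sg"},
}


def check_page_example() -> List[str]:
    """Fields the gathered output dropped or misassigned for the reported ACE."""
    return dropped_fields(parse_extended_ace(PAGE_ACE_LINE), PAGE_GATHERED_ACE)


if __name__ == "__main__":
    print(parse_extended_ace(PAGE_ACE_LINE))
    print("dropped or misassigned:", check_page_example())
```

For the ACE in the report, `check_page_example()` returns `protocol_options`, `user_group`, `source.object_group` and `destination`: the service object-group was placed under `source`, and the identity match plus the real source and destination groups are gone. Running the same diff over every ACE before treating gathered data as canonical turns this class of parsing gap into a hard failure instead of a quietly wrong inventory.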