cisco.asa
asa_acls: No support for user identity
SUMMARY
The asa_acls module cannot work with ACEs that use user identity, since the acls dictionary does not contain any parameters pertaining to identity. Additionally, any existing ASA access-list commands containing the "user" or "user-group" keywords are not parsed correctly when gathered.
ISSUE TYPE
- Bug Report
COMPONENT NAME
asa_acls
ANSIBLE VERSION
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.1+ (default, Jan 20 2021, 14:49:22) [GCC 10.2.1 20210110]
CONFIGURATION
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/hosts']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 600
OS / ENVIRONMENT
Ansible running on Debian testing. Tested against ASA 5516-X running software 9.8(4)10.
STEPS TO REPRODUCE
Apply an access-list command to an ASA that uses either the "user" or "user-group" keywords, e.g.:
access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og
Then attempt to gather the ACL config from the ASA and save as YAML:
---
- name: convert interface to structured data
  connection: network_cli
  hosts: TESTING
  gather_facts: false
  vars:
    ansible_network_os: asa
  tasks:
    - name: Gather facts
      cisco.asa.asa_acls:
        state: gathered
      register: gather
    - name: Create inventory directory
      become: true
      delegate_to: localhost
      file:
        path: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}"
        state: directory
    - name: Write each resource to a file
      become: true
      delegate_to: localhost
      copy:
        content: "{{ gather['gathered'] | to_nice_yaml }}"
        dest: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/acls.yaml"
EXPECTED RESULTS
Generated YAML file describes all aspects of the ACE, including user identity information.
ACTUAL RESULTS
Generated YAML is missing the identity information. Additionally, several non-identity parameters are also missing from the output and the single object-group retrieved from the config has been assigned to an incorrect parameter (presumably as the access-list command has not been parsed correctly).
acls:
- aces:
  - grant: permit
    line: 1
    source:
      object_group: HTTP-HTTPS_sg
  acl_type: extended
  name: TEST-ACL
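As an added illustration (this is not the collection's code and not the parser the module actually uses), the standalone Python parser below handles the `user` and `user-group` keywords at the position ASA's extended-ACE syntax puts them, between the protocol argument and the source address, and includes a check that counts identity ACEs in the raw config against the gathered structure so a silently dropped identity rule shows up as a gap rather than going unnoticed in a config audit. The sample config lines, the key names in the parsed output, the `identity_aware` switch and the `REPORTED_OUTPUT` stand-in for the module's result are all constructed for this example.

```python
import ipaddress
import json
import re
import shlex

# Constructed running-config excerpt (not captured from a device). Line 1 is the
# ACE from the report; lines 2 and 3 add a "user" ACE and a plain ACE for contrast.
SAMPLE_CONFIG = "\n".join([
    r'access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og',
    r'access-list TEST-ACL extended permit tcp user "DOMAIN\\jdoe" host 10.1.1.5 object-group RFC1918_og eq 443',
    r'access-list TEST-ACL extended deny ip any4 any4 log',
])

# Stand-in for what the report shows the module returning for line 1 (no identity,
# service object-group misassigned to source). Constructed to mirror the report.
REPORTED_OUTPUT = {"acls": [{"name": "TEST-ACL", "acl_type": "extended", "aces": [
    {"grant": "permit", "line": 1, "source": {"object_group": "HTTP-HTTPS_sg"}}]}]}

ACE_RE = re.compile(r"^access-list\s+(?P<name>\S+)\s+extended\s+(?P<rest>.+)$")
IDENTITY_RE = re.compile(r"\suser(-group)?\s")
PORT_OPS = {"eq": 1, "neq": 1, "gt": 1, "lt": 1, "range": 2}  # operator -> operand count


def _is_ip(tok):
    try:
        ipaddress.ip_address(tok)
        return True
    except ValueError:
        return False


def _take_endpoint(tokens, i):
    """Consume one source/destination spec at tokens[i]; return (spec, next index)."""
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return {"any": tok}, i + 1
    if tok in ("object-group", "object", "host", "interface"):
        return {tok.replace("-", "_"): tokens[i + 1]}, i + 2
    if _is_ip(tok) and i + 1 < len(tokens) and _is_ip(tokens[i + 1]):
        return {"address": tok, "netmask": tokens[i + 1]}, i + 2
    raise ValueError("unrecognised endpoint token %r" % tok)


def _take_port(tokens, i):
    """Consume an optional port operator (eq 443, range 1024 65535) if one is present."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return {tokens[i]: tokens[i + 1:i + 1 + n]}, i + 1 + n
    return None, i


def parse_ace(line, identity_aware=True):
    """Parse one extended ACE into a dict. identity_aware=False mimics a parser that
    does not know the user/user-group keywords exist, the failure the report describes."""
    m = ACE_RE.match(line.strip())
    if not m:
        return None  # remarks and standard/webtype ACLs are out of scope here
    tokens = shlex.split(m.group("rest"))  # honours the quoted "DOMAIN\\Domain Users"
    ace = {"acl": m.group("name"), "grant": tokens[0]}
    i = 1
    if tokens[i] in ("object-group", "object"):  # service object in the protocol slot
        ace["protocol_" + tokens[i].replace("-", "_")] = tokens[i + 1]
        i += 2
    else:
        ace["protocol"] = tokens[i]
        i += 1
    if identity_aware and tokens[i] in ("user", "user-group"):
        ace[tokens[i].replace("-", "_")] = tokens[i + 1]
        i += 2
    ace["source"], i = _take_endpoint(tokens, i)
    port, i = _take_port(tokens, i)
    if port:
        ace["source"]["port"] = port
    ace["destination"], i = _take_endpoint(tokens, i)
    port, i = _take_port(tokens, i)
    if port:
        ace["destination"]["port"] = port
    if i < len(tokens):
        ace["options"] = tokens[i:]  # log, inactive, time-range ... kept verbatim
    return ace


def gather(config_text, identity_aware=True):
    """Build a structure shaped like the module's acls -> aces output."""
    acls = {}
    for raw in config_text.splitlines():
        ace = parse_ace(raw, identity_aware)
        if ace is None:
            continue
        name = ace.pop("acl")
        acl = acls.setdefault(name, {"name": name, "acl_type": "extended", "aces": []})
        ace["line"] = len(acl["aces"]) + 1
        acl["aces"].append(ace)
    return {"acls": list(acls.values())}


def identity_gap(config_text, gathered):
    """Audit check: identity ACEs in the raw config minus those represented in the
    gathered output. Anything above zero means identity rules were silently dropped."""
    in_config = sum(1 for l in config_text.splitlines() if IDENTITY_RE.search(l))
    in_gathered = sum(1 for acl in gathered["acls"] for a in acl["aces"]
                      if "user" in a or "user_group" in a)
    return in_config - in_gathered


if __name__ == "__main__":
    print(json.dumps(gather(SAMPLE_CONFIG), indent=2))
    print("gap in reported output:", identity_gap(SAMPLE_CONFIG.splitlines()[0], REPORTED_OUTPUT))
```

Running it against the report's ACE yields `user_group: DOMAIN\Domain Users`, the service group under `protocol_object_group`, and `LocalNetworks_og`/`RFC1918_og` as source and destination; with `identity_aware=False` the same line fails at the `user-group` token instead of being parsed positionally, and `identity_gap` reports 1 for the structure the module returned, which is the kind of check worth running after any `state: gathered` pass before trusting the YAML as a record of the device's policy.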