-
Notifications
You must be signed in to change notification settings - Fork 58
/
Copy pathnatm_playbook.yml
92 lines (81 loc) · 3.69 KB
/
natm_playbook.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
---
# This play encompasses all NAT routers and makes changes to the NAT config
# on each device (assumine ci_test is false).
- name: "Manage NAT configuration on IOS routers"
hosts: "cisco_ios"
tasks:
# When 'log' is true, execute the log preparation
- name: "INCLUDE >> Perform logging preparation if 'log' is true"
ansible.builtin.include_tasks: "tasks/log_setup.yml"
when: "log"
# Ensure inputs are correct and ready for processing
- name: "INCLUDE >> Perform preliminary error checking on inputs"
ansible.builtin.include_tasks: "tasks/pre_check.yml"
# When CI testing is false (the general case), then log into the routers,
# collect their NAT information, and make appropriate updates.
- name: "INCLUDE >> Manage NAT statements on router"
ansible.builtin.include_tasks: "tasks/manage_nat.yml"
when: "not ci_test"
# When CI testing is true, mock up a NAT table for checking later in the
# playbook based on what is specified in the group/host variables file.
- name: "INCLUDE >> Generate mock data for CI testing"
ansible.builtin.include_tasks: "tasks/mock_{{ inventory_hostname }}.yml"
when: "ci_test"
# Print the table to stdout in raw format for troubleshooting
- name: "DEBUG >> Print NAT translation table"
ansible.builtin.debug:
msg: "{{ NAT_TABLE.stdout[0] }}"
verbosity: 1
# Entries that are supposed to be present, per the state selector,
# must be present at this point. If they are not, the task fails.
- name: "SYS >> Verify present entries are present"
ansible.builtin.assert:
that:
- "item.inside_private in NAT_TABLE.stdout[0]"
- "item.outside_public in NAT_TABLE.stdout[0]"
msg: "NAT entry not found when state was present"
when: "item.state == 'present'"
loop: "{{ static_nats }}"
loop_control:
label: "Present? {{ item.name }}"
# Entries that are supposed to be absent, per the state selector,
# must be absent at this point. If they are not, the task fails.
- name: "SYS >> Verify absent entries are absent"
ansible.builtin.assert:
that:
- "not item.inside_private in NAT_TABLE.stdout[0]"
- "not item.outside_public in NAT_TABLE.stdout[0]"
msg: "NAT entry found when state was absent"
when: "item.state == 'absent'"
loop: "{{ static_nats }}"
loop_control:
label: "Absent? {{ item.name }}"
# If these handlers are invoked, it means that changes to the state
# table occurred, and these changes should be appropriately logged.
handlers:
- name: "BLOCK >> Log changes when updates exist"
block:
# The updates will be assembled into one text blob using newlines
# and written to the screen for interested users.
- name: "LOG >> Print updates written to device to stdout"
listen: "updates exist"
ansible.builtin.debug:
var: "NAT_CONFIG.updates"
# Based on the LOG_PATH variable, create the per-run log directory
- name: "LOG >> Build logging directory"
listen: "updates exist"
ansible.builtin.file:
path: "{{ LOG_PATH }}"
state: "directory"
mode: "0775"
changed_when: false
# Next, the updates are templated through the 'natlog' template for
# longer term storage and reference for troubleshooting.
- name: "LOG >> Print updates written to device to log file"
listen: "updates exist"
ansible.builtin.template:
src: "templates/log_nat.j2"
dest: "{{ LOG_PATH }}{{ inventory_hostname }}.txt"
mode: "0444"
delegate_to: "localhost"
...