Object Group resource module
Version added: 1.0.0
- This module configures and manages Objects and Groups on ASA platforms.
Note
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection
network_cli
. See ASA Platform Options.
# Using merged
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_network_og
# network-object host 198.51.100.1
- name: "Merge module attributes of given object-group"
cisco.asa.asa_ogs:
config:
- object_type: network
object_groups:
- name: group_network_obj
group_object:
- test_og_network
- name: test_og_network
description: test_og_network
network_object:
host:
- 192.0.2.1
- 192.0.2.2
address:
- 192.0.2.0 255.255.255.0
- 198.51.100.0 255.255.255.0
- name: test_network_og
description: test_network_og
network_object:
host:
- 198.51.100.1
- 198.51.100.2
ipv6_address:
- 2001:db8:3::/64
- object_type: security
object_groups:
- name: test_og_security
description: test_security
security_group:
sec_name:
- test_1
- test_2
tag:
- 10
- 20
- object_type: service
object_groups:
- name: O-Worker
services_object:
- protocol: tcp
destination_port:
range:
start: 100
end: 200
- protocol: tcp-udp
source_port:
eq: 1234
destination_port:
gt: nfs
- name: O-UNIX-TCP
protocol: tcp
port_object:
- eq: https
- range:
start: 100
end: 400
- object_type: user
object_groups:
- name: test_og_user
description: test_user
user_object:
user:
- name: new_user_1
domain: LOCAL
- name: new_user_2
domain: LOCAL
state: merged
# Commands fired:
# ---------------
#
# object-group security test_og_security
# description test_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group network group_network_obj
# group-object test_og_network
# object-group network test_og_network
# description test_og_network
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# object-group network test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:3::/64
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# description test_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# After state:
# ------------
#
# ciscoasa# sh running-config object-group
# object-group network group_network_obj
# group-object test_og_network
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# network-object host 198.51.100.1
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# description test_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# Using Replaced
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
- name: "Replace module attributes of given object-group"
cisco.asa.asa_ogs:
config:
- object_type: network
object_groups:
- name: test_og_network
description: test_og_network_replace
network_object:
host:
- 198.51.100.1
address:
- 198.51.100.0 255.255.255.0
- object_type: protocol
object_groups:
- name: test_og_protocol
description: test_og_protocol
protocol_object:
protocol:
- tcp
- udp
state: replaced
# Commands Fired:
# ---------------
#
# object-group protocol test_og_protocol
# description test_og_protocol
# protocol tcp
# protocol udp
# object-group network test_og_network
# description test_og_network_replace
# no network-object 192.0.2.0 255.255.255.0
# no network-object 198.51.100.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# no network-object host 192.0.2.1
# no network-object host 192.0.2.2
# network-object host 198.51.100.1
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network_replace
# network-object host 198.51.100.1
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# object-group protocol test_og_protocol
# protocol-object tcp
# protocol-object udp
# Using Overridden
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
- name: "Overridden module attributes of given object-group"
cisco.asa.asa_ogs:
config:
- object_type: network
object_groups:
- name: test_og_network
description: test_og_network_override
network_object:
host:
- 198.51.100.1
address:
- 198.51.100.0 255.255.255.0
- name: ANSIBLE_TEST
network_object:
object:
- TEST1
- TEST2
- object_type: protocol
object_groups:
- name: test_og_protocol
description: test_og_protocol
protocol_object:
protocol:
- tcp
- udp
state: overridden
# Commands Fired:
# ---------------
#
# no object-group security test_og_security
# no object-group service O-Worker
# no object-group service O-UNIX-TCP
# no object-group user test_og_user
# object-group protocol test_og_protocol
# description test_og_protocol
# protocol tcp
# protocol udp
# object-group network test_og_network
# description test_og_network_override
# no network-object 192.0.2.0 255.255.255.0
# no network-object 198.51.100.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# no network-object host 192.0.2.1
# no network-object host 192.0.2.2
# network-object host 198.51.100.1
# no object-group network test_network_og
# object-group network ANSIBLE_TEST
# network-object object TEST1
# network-object object TEST2
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network_override
# network-object host 198.51.100.1
# network-object 198.51.100.0 255.255.255.0
# object-group network ANSIBLE_TEST
# network-object object TEST1
# network-object object TEST2
# object-group protocol test_og_protocol
# protocol-object tcp
# protocol-object udp
# Using Deleted
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
- name: "Delete given module attributes"
cisco.asa.asa_ogs:
config:
- object_type: network
object_groups:
- name: test_og_network
- name: test_network_og
- object_type: security
object_groups:
- name: test_og_security
- object_type: service
object_groups:
- name: O-UNIX-TCP
state: deleted
# Commands Fired:
# ---------------
#
# no object-group network test_og_network
# no object-group network test_network_og
# no object-group security test_og_security
# no object-group service O-UNIX-TCP
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# Using DELETED without any config passed
# "(NOTE: This will delete all of configured resource module attributes)"
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
- name: Delete ALL configured module attributes
cisco.asa.asa_ogs:
config:
state: deleted
# Commands Fired:
# ---------------
#
# no object-group network test_og_network
# no object-group network test_network_og
# no object-group security test_og_security
# no object-group user test_og_user
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# Using Gathered
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
- name: Gather listed OGs with provided configurations
cisco.asa.asa_ogs:
config:
state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
# {
# "object_groups": [
# {
# "description": "test_security",
# "name": "test_og_security",
# "security_group": {
# "sec_name": [
# "test_2",
# "test_1"
# ],
# "tag": [
# 10,
# 20
# ]
# }
# }
# ],
# "object_type": "security"
# },
# {
# "object_groups": [
# {
# "description": "test_network_og",
# "name": "test_network_og",
# "network_object": {
# "host": [
# "198.51.100.1",
# "198.51.100.2"
# ],
# "ipv6_address": [
# "2001:db8:3::/64"
# ]
# }
# },
# {
# "description": "test_og_network",
# "name": "test_og_network",
# "network_object": {
# "address": [
# "192.0.2.0 255.255.255.0",
# "198.51.100.0 255.255.255.0"
# ],
# "host": [
# "192.0.2.1",
# "192.0.2.2"
# ]
# }
# }
# ],
# "object_type": "network"
# },
# {
# "object_groups": [
# {
# "description": "test_user",
# "name": "test_og_user",
# "user_object": {
# "user": [
# {
# "domain": "LOCAL",
# "name": "new_user_1"
# },
# {
# "domain": "LOCAL",
# "name": "new_user_2"
# }
# ]
# }
# }
# ],
# "object_type": "user"
# }
# ]
# After state:
# ------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
# description test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:0:3::/64
# group-object test_og_network
# object-group security test_og_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group user test_og_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# Using Rendered
- name: Render the commands for provided configuration
cisco.asa.asa_ogs:
config:
- object_type: network
object_groups:
- name: test_og_network
description: test_og_network
network_object:
host:
- 192.0.2.1
- 192.0.2.2
address:
- 192.0.2.0 255.255.255.0
- 198.51.100.0 255.255.255.0
- name: test_network_og
description: test_network_og
network_object:
host:
- 198.51.100.1
- 198.51.100.2
ipv6_address:
- 2001:db8:3::/64
- object_type: security
object_groups:
- name: test_og_security
description: test_security
security_group:
sec_name:
- test_1
- test_2
tag:
- 10
- 20
- object_type: user
object_groups:
- name: test_og_user
description: test_user
user_object:
user:
- name: new_user_1
domain: LOCAL
- name: new_user_2
domain: LOCAL
state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
# "object-group security test_og_security",
# "description test_security",
# "security-group name test_1",
# "security-group name test_2",
# "security-group tag 10",
# "security-group tag 20",
# "object-group network test_og_network",
# "description test_og_network",
# "network-object 192.0.2.0 255.255.255.0",
# "network-object 198.51.100.0 255.255.255.0",
# "network-object host 192.0.2.1",
# "network-object host 192.0.2.2",
# "object-group network test_network_og",
# "description test_network_og",
# "network-object host 198.51.100.1",
# "network-object host 198.51.100.2",
# "network-object 2001:db8:3::/64",
# "object-group user test_og_user",
# "description test_user",
# "user LOCAL\new_user_1",
# "user LOCAL\new_user_2"
# ]
# Using Parsed
# parsed.cfg
#
# object-group network test_og_network
# description test_og_network
# network-object host 192.0.2.1
# network-object 192.0.2.0 255.255.255.0
# object-group network test_network_og
# network-object 2001:db8:3::/64
# object-group service test_og_service
# service-object tcp-udp
- name: Parse the commands for provided configuration
cisco.asa.asa_ogs:
running_config: "{{ lookup('file', 'parsed.cfg') }}"
state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
# {
# "object_groups": [
# {
# "name": "test_network_og"
# },
# {
# "description": "test_og_network",
# "name": "test_og_network",
# "network_object": {
# "host": [
# "192.0.2.2"
# ]
# }
# }
# ],
# "object_type": "network"
# },
# {
# "object_groups": [
# {
# "name": "test_og_service",
# "service_object": {
# "protocol": [
# "tcp-udp",
# "ipinip"
# ]
# }
# }
# ],
# "object_type": "service"
# }
# ]
Common return values are documented here, the following are the fields unique to this module:
- Sumit Jaiswal (@justjais)