New example: sample compliance report

Sample-Compliance-Check/.gitignore

@@ -0,0 +1 @@
+/results

Sample-Compliance-Check/ansible.cfg

@@ -0,0 +1,5 @@
+[defaults]
+inventory=./hosts
+gathering=explicit
+transport=local
+retry_files_enabled=false

Sample-Compliance-Check/breakConfig.yml

@@ -0,0 +1,56 @@
+#
+# Break configuration on various devices in the network
+#
+---
+- name: Disable SNMP community
+  hosts: all
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "no snmp-server community cisco"
+      - "no snmp-server community myPass"
+    ignore_errors: true
+
+- name: Enable SNMP community
+  hosts: E2,E4,PE1,PE2
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "snmp-server community myPass"
+
+- name: Disable SNMP traps
+  hosts: all
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "no snmp-server host 10.0.0.1 traps cisco"
+    ignore_errors: true
+
+- name: Enable SNMP traps
+  hosts: E1,E2,E4,PE2
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "snmp-server host 10.0.0.1 traps cisco"
+
+- name: Disable syslog
+  hosts: all
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "no logging host 10.0.0.1"
+    ignore_errors: true
+
+- name: Enable syslog
+  hosts: E3,E4,PE1,PE2
+  tasks:
+  - ios_config:
+      provider: "{{ios_provider}}"
+      lines:
+      - "logging host 10.0.0.1"
+

Sample-Compliance-Check/check-community-report.yml

@@ -0,0 +1,18 @@
+---
+- name:  Check whether SNMP community is configured on devices. Report missing communities
+  hosts: all
+  vars:
+  - results: results
+  tasks:
+  - ios_command: 
+      provider: "{{ios_provider}}"
+      commands: "show snmp community"
+    register: result
+  - set_fact: error_no_community=1
+    when: "not('name: '~snmp_community in result.stdout[0])"
+  - file: path={{results}} state=directory
+    run_once: true
+  - template: src=reports/missing-community.j2 dest={{results}}/errors.log
+    vars: 
+      allhosts: "{{hostvars}}"
+    run_once: true

Sample-Compliance-Check/check-community.yml

@@ -0,0 +1,10 @@
+---
+- name:  Check whether SNMP community is configured on devices. Report missing communities
+  hosts: all
+  tasks:
+  - ios_command: 
+      provider: "{{ios_provider}}"
+      commands: "show snmp community"
+    register: result
+  - set_fact: error_no_community=1
+    when: "not('name: '~snmp_community in result.stdout[0])"

Sample-Compliance-Check/check-final.yml

@@ -0,0 +1,11 @@
+---
+- name:  Check whether SNMP community is configured on devices. Report missing communities
+  hosts: all
+  vars:
+  - results: "{{inventory_dir}}/results"
+  tasks:
+  - set_fact: report=errors.j2
+    when: report is not defined
+  - include: "{{item}}"
+    with_fileglob: [ "tests/*.yml" ] 
+  - include: "reports/{{fmt|default('template')}}.yml"

Sample-Compliance-Check/check-refactor.yml

@@ -0,0 +1,9 @@
+---
+- name:  Check whether SNMP community is configured on devices. Report missing communities
+  hosts: all
+  vars:
+  - results: "{{inventory_dir}}/results"
+  tasks:
+  - include: "checks/{{item}}.yml"
+    with_items: [ "snmp-community", "snmp-server" ] 
+  - include: "reports/{{fmt|default('template')}}.yml"

Sample-Compliance-Check/checks/snmp-community.yml

@@ -0,0 +1,10 @@
+#
+# Check whether SNMP community is configured on devices
+#
+---
+- ios_command: 
+    provider: "{{ios_provider}}"
+    commands: "show snmp community"
+  register: result
+- set_fact: error_no_community=1
+  when: "not('name: '~snmp_community in result.stdout[0])"

Sample-Compliance-Check/checks/snmp-server.yml

@@ -0,0 +1,10 @@
+#
+# Check whether SNMP community is configured on devices
+#
+---
+- ios_command: 
+    provider: "{{ios_provider}}"
+    commands: "show snmp host"
+  register: result
+- set_fact: error_no_snmp_server=1
+  when: "not('host: '~snmp_server in result.stdout[0])"

Sample-Compliance-Check/group_vars/all.yml

@@ -0,0 +1,10 @@
+---
+snmp_server: 10.0.0.1
+snmp_community: myPass
+syslog_server: 10.0.0.1
+
+ios_provider:
+  username:  "{{ansible_user}}"
+  password:  "{{ansible_ssh_pass}}"
+  host:      "{{ip|default(ansible_host)|default(inventory_hostname)}}"
+  transport: cli

Sample-Compliance-Check/hosts

@@ -0,0 +1,10 @@
+E1  ansible_host=172.16.1.110
+E2  ansible_host=172.16.1.111
+PE1 ansible_host=172.16.1.112
+E3  ansible_host=172.16.1.120
+E4  ansible_host=172.16.1.121
+PE2 ansible_host=172.16.1.122
+
+[all:vars]
+ansible_user=cisco
+ansible_ssh_pass=cisco

Sample-Compliance-Check/reports/errors.j2

@@ -0,0 +1,7 @@
+{% for host,facts in allhosts|dictsort %}
+{%   for k,v in facts|dictsort %}
+{%     if 'error' in k %}
+{{facts.inventory_hostname}}: {{v}}
+{%     endif %}
+{%   endfor %}
+{% endfor %}

Sample-Compliance-Check/reports/missing-community.j2

@@ -0,0 +1,5 @@
+{% for host,facts in allhosts|dictsort %}
+{%   if facts.error_no_community is defined %}
+{{facts.inventory_hostname}}: Missing SNMP community {{snmp_community}}
+{%   endif %}
+{% endfor %}

Sample-Compliance-Check/reports/missing.j2

@@ -0,0 +1,8 @@
+{% for host,facts in allhosts|dictsort %}
+{%   if facts.error_no_community is defined %}
+{{facts.inventory_hostname}}: Missing SNMP community {{snmp_community}}
+{%   endif %}
+{%   if facts.error_no_snmp_server is defined %}
+{{facts.inventory_hostname}}: {{snmp_server}} is not SNMP trap host
+{%   endif %}
+{% endfor %}

Sample-Compliance-Check/reports/template.yml

@@ -0,0 +1,12 @@
+#
+# Create a compliance report from specified template
+#
+---
+- file: path="{{results}}" state=directory
+  run_once: true
+- template: 
+    src:  "{{report|default('missing.j2')}}" 
+    dest: "{{results}}/{{output|default('errors.log')}}"
+  vars: 
+    allhosts: "{{hostvars}}"
+  run_once: true

Sample-Compliance-Check/tests/snmp-community.yml

@@ -0,0 +1,10 @@
+#
+# Check whether SNMP community is configured on devices
+#
+---
+- ios_command: 
+    provider: "{{ios_provider}}"
+    commands: "show snmp community"
+  register: result
+- set_fact: error_no_community="SNMP community {{snmp_community}} is not defined"
+  when: "not('name: '~snmp_community in result.stdout[0])"

Sample-Compliance-Check/tests/snmp-server.yml

@@ -0,0 +1,10 @@
+#
+# Check whether SNMP community is configured on devices
+#
+---
+- ios_command: 
+    provider: "{{ios_provider}}"
+    commands: "show snmp host"
+  register: result
+- set_fact: error_no_snmp_server="{{snmp_server}} is not configured as SNMP trap host"
+  when: "not('host: '~snmp_server in result.stdout[0])"

Sample-Compliance-Check/tests/syslog-server.yml

@@ -0,0 +1,10 @@
+#
+# Check whether SNMP community is configured on devices
+#
+---
+- ios_command: 
+    provider: "{{ios_provider}}"
+    commands: "show run | include logging host"
+  register: result
+- set_fact: error_no_syslog_server="{{syslog_server}} is not configured as syslog server"
+  when: "not(syslog_server in result.stdout[0])"