
cisco.asa's Introduction

CISCO ASA Ansible Collection

The Ansible Cisco ASA collection includes a variety of Ansible content to help automate the management of Cisco ASA firewall appliances.

Ansible version compatibility

This collection has been tested against the following Ansible versions: >=2.14.0.

For collections that support Ansible 2.9, please ensure you update your network_os to use the fully qualified collection name (for example, cisco.ios.ios). Plugins and modules within a collection may be tested with only specific Ansible versions. A collection may contain metadata that identifies these versions. PEP440 is the schema used to describe the versions of Ansible.

Tested with Ansible

This collection has been tested against Cisco ASA 9.10(1)11 and Cisco ASA image configured over Zuul with version 9.12.3.

External requirements

Supported connections

The Cisco ASA collection supports network_cli connections.

Included content

Cliconf plugins

Name            Description
cisco.asa.asa   Use the asa cliconf plugin to run commands on the Cisco ASA platform

Modules

Name                    Description
cisco.asa.asa_acls      Access-lists resource module
cisco.asa.asa_command   Run arbitrary commands on Cisco ASA devices
cisco.asa.asa_config    Manage configuration sections on Cisco ASA devices
cisco.asa.asa_facts     Collect facts from remote devices running Cisco ASA
cisco.asa.asa_ogs       Object-group resource module

Installing this collection

You can install the Cisco ASA collection with the Ansible Galaxy CLI:

ansible-galaxy collection install cisco.asa

You can also include it in a requirements.yml file and install it with ansible-galaxy collection install -r requirements.yml, using the format:

---
collections:
  - name: cisco.asa

Using this collection

This collection includes security resource modules, similar to the network resource modules introduced in Ansible 2.9.

Using Cisco ASA Ansible Collection

An example of using this collection to manage an ACL resource on a Cisco ASA is as follows:

inventory.ini (note: the password should be managed by Ansible Vault in a production environment):

[asa01]
host_asa.example.com

[asa01:vars]
ansible_user=admin
ansible_ssh_pass=password
ansible_become=true
ansible_become_method=ansible.netcommon.enable
ansible_become_pass=become_password
ansible_connection=ansible.netcommon.network_cli
ansible_network_os=cisco.asa.asa
ansible_python_interpreter=python

Using the modules with Fully Qualified Collection Name (FQCN)

You can either call modules by their Fully Qualified Collection Name (FQCN), like cisco.asa.asa_acls, or you can call modules by their short name if you list the cisco.asa collection in the playbook's collections, as follows:

---
- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: Merge the provided configuration with the existing running configuration
      register: result
      cisco.asa.asa_acls:
        config:
          - acls:
              - name: test_global_access
                acl_type: extended
                aces:
                  - grant: deny
                    line: 1
                    protocol: tcp
                    protocol_options:
                      tcp: true
                    source:
                      address: 192.0.2.0
                      netmask: 255.255.255.0
                    destination:
                      address: 192.0.3.0
                      netmask: 255.255.255.0
                      port_protocol:
                        eq: www
                    log: default
              - name: test_R1_traffic
                acl_type: extended
                aces:
                  - grant: deny
                    line: 1
                    protocol_options:
                      tcp: true
                    source:
                      address: 2001:db8:0:3::/64
                      port_protocol:
                        eq: www
                    destination:
                      address: 2001:fc8:0:4::/64
                      port_protocol:
                        eq: telnet
                    inactive: true
        state: merged

The following example task replaces the configuration of the listed ACLs on a Cisco ASA firewall device with the provided configuration, using the FQCN:

---
- name: Replace device configurations of listed ACLs with provided configurations
  register: result
  cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_global_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.4.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: telnet
                destination:
                  address: 192.0.5.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
    state: replaced
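A policy check to run over the module's `state: gathered` output, as an added example that is not part of the cisco.asa collection: a small Ansible filter plugin that flags active ACEs permitting traffic from any source to any destination. It assumes the gathered structure mirrors the config shape shown above and that wildcard endpoints use the any/any4/any6 keys of the asa_acls source/destination spec; the sample ACL data in the block is constructed.

```python
"""Audit cisco.asa.asa_acls 'gathered' output for wide-open permit entries.

Added example for this README; it is not part of the cisco.asa collection.
Dropped into a playbook's filter_plugins/ directory it registers the
`asa_permissive_aces` filter, which is applied to the `gathered` key of a
registered `cisco.asa.asa_acls` task run with `state: gathered`.

Assumptions not stated on the page:
  * `gathered` has the same shape as `config` above: a list of entries,
    each with an `acls` list of {name, acl_type, aces}.
  * An endpoint that matches every address carries one of the boolean keys
    `any`, `any4` or `any6` (the asa_acls source/destination spec).
"""

WILDCARD_KEYS = ("any", "any4", "any6")


def _is_wildcard(endpoint):
    """True when an ACE source/destination matches every address."""
    return bool(endpoint) and any(endpoint.get(key) for key in WILDCARD_KEYS)


def _has_port_limit(endpoint):
    """True when the endpoint narrows the match with a port_protocol clause."""
    return bool(endpoint) and bool(endpoint.get("port_protocol"))


def _protocol_of(ace):
    """Protocol name: the `protocol` field, else the key set in protocol_options."""
    if ace.get("protocol"):
        return ace["protocol"]
    options = ace.get("protocol_options") or {}
    return next(iter(options), None)


def asa_permissive_aces(gathered, include_port_limited=False):
    """Return [{'acl', 'line', 'protocol'}] for every active permit ACE whose
    source and destination are both wildcards. Entries limited to a port on
    either side are skipped unless include_port_limited is set; inactive
    entries are never reported because the ASA does not enforce them."""
    findings = []
    for entry in gathered or []:
        for acl in entry.get("acls") or []:
            for ace in acl.get("aces") or []:
                if ace.get("grant") != "permit" or ace.get("inactive"):
                    continue
                src = ace.get("source") or {}
                dst = ace.get("destination") or {}
                if not (_is_wildcard(src) and _is_wildcard(dst)):
                    continue
                if not include_port_limited and (_has_port_limit(src) or _has_port_limit(dst)):
                    continue
                findings.append(
                    {"acl": acl.get("name"), "line": ace.get("line"), "protocol": _protocol_of(ace)}
                )
    return findings


class FilterModule(object):
    """Ansible filter plugin entry point."""

    def filters(self):
        return {"asa_permissive_aces": asa_permissive_aces}


# Constructed sample: the README's test_global_access deny entry plus an
# outside_in ACL holding one port-limited permit, one "ip any any" permit and
# one inactive permit. Only line 2 of outside_in is reported by default.
SAMPLE_GATHERED = [
    {
        "acls": [
            {
                "name": "test_global_access",
                "acl_type": "extended",
                "aces": [
                    {
                        "grant": "deny", "line": 1, "protocol": "tcp",
                        "protocol_options": {"tcp": True},
                        "source": {"address": "192.0.2.0", "netmask": "255.255.255.0"},
                        "destination": {"address": "192.0.3.0", "netmask": "255.255.255.0",
                                        "port_protocol": {"eq": "www"}},
                        "log": "default",
                    }
                ],
            },
            {
                "name": "outside_in",
                "acl_type": "extended",
                "aces": [
                    {"grant": "permit", "line": 1, "protocol": "tcp",
                     "source": {"any4": True},
                     "destination": {"any4": True, "port_protocol": {"eq": "www"}}},
                    {"grant": "permit", "line": 2, "protocol": "ip",
                     "source": {"any": True}, "destination": {"any": True}},
                    {"grant": "permit", "line": 3, "protocol": "ip", "inactive": True,
                     "source": {"any6": True}, "destination": {"any6": True}},
                ],
            },
        ]
    }
]


if __name__ == "__main__":
    for hit in asa_permissive_aces(SAMPLE_GATHERED):
        print("wide open: access-list {acl} line {line} permit {protocol} any any".format(**hit))
```

In a playbook, register the gathered task as `acl_facts` and gate on it with `ansible.builtin.assert` using `that: "{{ acl_facts.gathered | asa_permissive_aces | length == 0 }}"`.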

Contributing to this collection

We welcome community contributions to this collection. If you find problems, please open an issue or create a PR against the Cisco ASA collection repository. See Contributing to Ansible-maintained collections for complete details.

You can also join us on:

See the Ansible Community Guide for details on contributing to Ansible.

Code of Conduct

This collection follows the Ansible project's Code of Conduct. Please read and familiarize yourself with this document.

Release notes

Release notes are available here.

Roadmap

More information

Licensing

GNU General Public License v3.0 or later.

See LICENSE to see the full text.

cisco.asa's People

Contributors: akira6592, andersson007, ansible-zuul[bot], capttrews, dericcrago, doge-tech, dthvt, ganeshrn, gomathiselvis, jozzus, justjais, lvrfrc87, matt852, nilashishc, omegafoo, pabelanger, pre-commit-ci[bot], qalthos, rohitthakur2590, roverflow, ruchip16, samccann, timway

cisco.asa's Issues

Cisco ASA Acls resource module rename param giving traceback

SUMMARY

Cisco ASA Acls resource module rename param giving traceback

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
devel
CONFIGURATION

OS / ENVIRONMENT

macos

STEPS TO REPRODUCE
- cisco.asa.asa_acls:
      config:
        - acls:
            - name: test_access
              rename: test_rename_global_access
      state: merged
EXPECTED RESULTS

Want ACL name should be renamed to input want name

ACTUAL RESULTS

Traceback error thrown: TypeError: 'NoneType' object is not iterable


asa_config: Default settings configuration may not be idempotent

SUMMARY

When a setting is at the default already, and the asa_config module is provided that same configuration in the "lines" parameter, it appears to implement the configuration even though it exists already, with the "defaults" parameter set to "yes".

Collection Version


ansible.netcommon 2.0.0
ansible.utils 2.0.1
cisco.asa 2.0.0

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_config

ANSIBLE VERSION
ansible 2.10.3
  config file = None
  configured module search path = ['/Users/xxx/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/xxx/Library/Python/3.8/lib/python/site-packages/ansible
  executable location = /Users/xxx/Library/Python/3.8/bin/ansible
  python version = 3.8.2 (default, Dec 21 2020, 15:06:04) [Clang 12.0.0 (clang-1200.0.32.29)]
CONFIGURATION

OS / ENVIRONMENT

Targets tested on:
Cisco Adaptive Security Appliance Software Version 9.12(4)4
Cisco Adaptive Security Appliance Software Version 9.8(4)29

Ansible engine host is MacOS 11.2.3

STEPS TO REPRODUCE

Configure asa_config module task with "lines" including a default configuration (password-policy lifetime 0, for example)
Use parameter "defaults: yes" in order to force module to get "show run all" data for configuration comparison
If the configuration already exists, the module appears to implement it anyway

- name: implement the change on the device
  cisco.asa.asa_config:
    lines:
      - password-policy lifetime 0
    save: yes
    defaults: yes
EXPECTED RESULTS

Command is not implemented / "updates" is empty

ACTUAL RESULTS

Command appears to be implemented / "updates" is populated
Monitoring with "terminal monitor" also confirms the command is implemented:
%ASA-5-111007: Begin configuration: x.x.x.x reading from terminal
%ASA-5-111008: User 'enable_15' executed the 'configure terminal' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'configure terminal'
%ASA-5-111008: User 'enable_15' executed the 'password-policy lifetime 0' command.
%ASA-5-111010: User 'enable_15', running 'CLI' from IP x.x.x.x, executed 'password-policy lifetime 0'
%ASA-5-111005: x.x.x.x end configuration: OK

changed: [x.x.x.x] => {
    "changed": true,
    "invocation": {
        "module_args": {
            "after": null,
            "authorize": null,
            "backup": false,
            "backup_options": null,
            "before": null,
            "config": null,
            "context": null,
            "defaults": true,
            "lines": [
                "password-policy lifetime 0"
            ],
            "match": "line",
            "parents": null,
            "passwords": null,
            "provider": null,
            "replace": "line",
            "save": true,
            "src": null
        }
    },
    "updates": [
        "password-policy lifetime 0"
    ]
}

asa_ogs: Error when parsing object-group protocol containing an integer value

SUMMARY

When a "protocol" object-group contains a member like:
protocol-object 16
the asa_ogs task fails with a fatal error

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_ogs

ANSIBLE VERSION
ansible-playbook 2.10.3
  config file = None
  configured module search path = ['path/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = path/Library/Python/3.8/lib/python/site-packages/ansible
  executable location = path/Library/Python/3.8/bin/ansible-playbook
  python version = 3.8.2 (default, Apr  8 2021, 23:19:18) [Clang 12.0.5 (clang-1205.0.22.9)]
CONFIGURATION
[empty]
OS / ENVIRONMENT

MacOS using python 3.8, but also tested from Ansible Tower using python 2.7

path/.ansible/collections/ansible_collections

Collection Version


ansible.netcommon 2.1.0
ansible.utils 2.2.0
cisco.asa 2.0.2
paloaltonetworks.panos 2.5.0

STEPS TO REPRODUCE

Configure a protocol object-group similar to:
test_asa_fw_01/admin# show run object-group protocol
object-group protocol proto1
protocol-object tcp
protocol-object 16
protocol-object udp
test_asa_fw_01/admin#

tasks:
    - name: Get network object groups only
      cisco.asa.asa_ogs:
        config:
        state: gathered
EXPECTED RESULTS

Expectation is the groups will be parsed without an error. Integers between 0 and 255 are valid (test firewall version 9.12(4)18):

test_asa_fw_01/admin(config-protocol-object-group)# protocol-object ?

protocol-object-group mode commands/options:
<0-255> Enter protocol number (0 - 255)
ah
eigrp
esp
gre
icmp
icmp6
igmp
igrp
ip
ipinip
ipsec
nos
ospf
pcp
pim
pptp
sctp
snp
tcp
udp
test_asa_fw_01/admin(config-protocol-object-group)#

ACTUAL RESULTS

Fatal error. Note also that the "state" provided in the task is "gathered", but the task output says "merged":

...
    "invocation": {
        "module_args": {
            "running_config": null,
            "state": "merged",
            "config": [
		...
            ]
        }
    },
    "changed": false,
    "msg": "value of protocol must be one or more of: ah, eigrp, esp, gre, icmp, icmp6, igmp, igrp, ip, ipinip, ipsec, nos, ospf, pcp, pim, pptp, sctp, snp, tcp, udp. Got no match for: 16 found in config -> object_groups -> protocol_object"
}

state: merged fails on standard ACL creation

SUMMARY
ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_acls

ANSIBLE VERSION
ansible 2.9.15
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
ANSIBLE COLLECTION VERSION
{
 "collection_info": {
  "namespace": "cisco",
  "name": "asa",
  "version": "1.0.3",
  "authors": [
   "Ansible Security Community (ansible-security)"
  ],
  "readme": "README.md",
  "tags": [
   "cisco",
   "asa",
   "networking",
   "security"
  ],
  "description": "Ansible Security Collection for Cisco ASA devices.",
  "license": [],
  "license_file": "LICENSE",
  "dependencies": {
   "ansible.netcommon": "*"
  },
  "repository": "https://github.com/ansible-collections/cisco.asa",
  "documentation": null,
  "homepage": null,
  "issues": null
 },
 "file_manifest_file": {
  "name": "FILES.json",
  "ftype": "file",
  "chksum_type": "sha256",
  "chksum_sha256": "a6419bbb09c3eae9741a5fab9efe4b35c43990b1d5b327b872509cbb1ab35b68",
  "format": 1
 },
 "format": 1
}
CONFIGURATION
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/inventory']
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/share/ansible/plugins/terminal', '/etc/ansible/plugins/terminal']
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Red Hat Enterprise Linux release 8.2 (Ootpa)
Cisco ASA 5525X running ASA code 9.4(4)37

STEPS TO REPRODUCE

This is an attempt to add a new standard ACL to a Cisco ASA 5525X

# Configure Test ACL
- name: test acl
  cisco.asa.asa_acls:
    config:
      - acls:
        - name: test_temp
          acl_type: standard
          aces:
          - grant: permit
            source:
              host: 10.1.1.1
            line: 1
    state: merged

The documentation isn't clear as to whether a standard ACL should be done with a source or destination host/prefix, and I have tried both with the same results when attempting to generate a standard ACL:

# Configure Test ACL
- name: test acl
  cisco.asa.asa_acls:
    config:
      - acls:
        - name: test_temp
          acl_type: standard
          aces:
          - grant: permit
            destination:
              host: 10.1.1.1
            line: 1
    state: merged
EXPECTED RESULTS

This should generate a new access-list formatted as:

access-list test_temp standard permit host 10.1.1.1
ACTUAL RESULTS

Got a traceback error for acl configuration

ansible-playbook 2.9.15
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible-playbook
  python version = 3.6.8 (default, Aug 18 2020, 08:33:21) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
TASK [vpn_anyconnect : Configure split tunnel ACLs] *****************************************************************************************************************************************************************************************************
task path: /etc/ansible/roles/vpn_anyconnect/tasks/main.yml:13
The full traceback is:
Traceback (most recent call last):
  File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 102, in <module>
    _ansiballz_main()
  File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1238, in <module>
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1233, in main
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 77, in execute_module
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 121, in set_config
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 150, in set_state
  File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 390, in _state_merged
TypeError: 'NoneType' object is not iterable
fatal: [fw-test]: FAILED! => changed=false 
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 102, in <module>
        _ansiballz_main()
      File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/user/.ansible/tmp/ansible-local-1819723jy3tqp7z/ansible-tmp-1605644964.7193863-1819769-138475429746276/AnsiballZ_asa_acls.py", line 40, in invoke_module
        runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
      File "/usr/lib64/python3.6/runpy.py", line 205, in run_module
        return _run_module_code(code, init_globals, run_name, mod_spec)
      File "/usr/lib64/python3.6/runpy.py", line 96, in _run_module_code
        mod_name, mod_spec, pkg_name, script_name)
      File "/usr/lib64/python3.6/runpy.py", line 85, in _run_code
        exec(code, run_globals)
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1238, in <module>
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1233, in main
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 77, in execute_module
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 121, in set_config
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 150, in set_state
      File "/tmp/ansible_cisco.asa.asa_acls_payload_u_0iiuyy/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 390, in _state_merged
    TypeError: 'NoneType' object is not iterable
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

PLAY RECAP **********************************************************************************************************************************************************************************************************************************************
fw-test        : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0  

Add PyProject.toml for Black Configuration

SUMMARY

Running black executable should format python as expected.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

black

ANSIBLE VERSION
Python, not Ansible issue
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
  1. Run black . which reformats the documents
  2. Submit PR
  3. Tox fails because the line length differs from the 88-character default in black; tox has a manual configuration of a 79-character length
EXPECTED RESULTS

black . would reformat all Python files as expected

ACTUAL RESULTS

Reformat works, tox linter fails in Zuul

/cisco.asa/plugins/modules/asa_og.py
All done! 💥 💔 💥
1 file would be reformatted, 66 files would be left unchanged.

Multiple context support for asa_acls and asa_ogs

SUMMARY

support for multiple context

ISSUE TYPE
  • since multiple context is supported in asa_config module, it would be great to extend that to asa_acls and asa_ogs modules too
COMPONENT NAME

This would be presented as a parameter in each module, same as asa_config

ADDITIONAL INFORMATION

Right now, if the ASA is running in multiple context mode, these modules are only usable on the context that you see when you first log in, which is normally the "admin" context, and you're not able to change context. The idea is to be able to change context and manipulate ACLs or Object Groups:

        cisco.asa.asa_acls:
            state: gathered
            context: ansible

save_when feature

SUMMARY

It would be nice if asa_config module had save_when functionality present in ios_config module.
https://docs.ansible.com/ansible/latest/modules/ios_config_module.html#parameter-save_when

ISSUE TYPE

I would like to be able to save config only if it has been modified.

COMPONENT NAME

asa_config

ADDITIONAL INFORMATION

It would work exactly like it works on ios_config, including the diff_ignore_lines

tasks:
   - name: Save config to flash if it has been modified.
     ios_config:
      diff_against: startup
      diff_ignore_lines:
       - '[a-zA-Z0-9]{8}\s[a-zA-Z0-9]{8}\s.*'
       - 'certificate self-signed 01'
       - 'quit'
      save_when: modified

Important information for collection maintainers

SUMMARY

Dear maintainers,

This is important for your collections!

  • In accordance with the Community decision, we have created the news-for-maintainers repository for announcements of changes impacting collection maintainers (see the examples) instead of Issue 45 that will be closed soon.

    • To keep yourself well-informed and, therefore, things in your collection working, please subscribe to the repository by using the Watch button in the upper right corner on the repository's home page.
    • If you do not want to get notifications about related discussions, please subscribe only to Issues.
    • Please read the brief guidelines on how the repository should be used.
    • Please avoid unnecessary discussions in issues, use the Discussions feature. Every comment posted will notify a lot of folks!
  • Also we would like to remind you about the Bullhorn contributor newsletter which has recently started to be released weekly. To learn what it looks like, see the past releases. Please subscribe and talk to the Community via Bullhorn!

  • Join us in #ansible-social (for news reporting & chat), #ansible-community (for discussing collection & maintainer topics), and other channels on Matrix/IRC.

  • Help the Community and the Steering Committee to make right decisions by taking part in discussing and voting on the Community Topics that impact the whole project and the collections in particular. Your opinion there will be much appreciated!

Thank you!

state: gathered only pulling 'host' entries on standard ACLs

SUMMARY

When using module cisco.asa.asa_acls with state: gathered, it does not correctly parse and collect standard access-list entries. All entries utilizing subnet and netmask are not gathered. Only 'host' entries are gathered.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
cisco.asa.asa_acls:
  state: gathered
ANSIBLE VERSION
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/user/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.6/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.6.8 (default, Dec  5 2019, 15:45:45) [GCC 8.3.1 20191121 (Red Hat 8.3.1-5)]
CONFIGURATION
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/etc/ansible/ansible.cfg) = ['/usr/share/ansible/plugins/terminal', '/etc/ansible/plugins/t>
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Red Hat Enterprise Linux release 8.2 (Ootpa)

I have tested with failures against the following Cisco devices:
Cisco Firepower2110 running ASA code 9.12(3)12
Cisco ASA 5525X running ASA code 9.4(4)37

STEPS TO REPRODUCE
access-list TEST-ACCESS-LIST standard permit 10.0.0.0 255.0.0.0
access-list TEST-ACCESS-LIST standard permit 172.16.0.0 255.240.0.0
access-list TEST-ACCESS-LIST standard permit host 192.168.1.1
access-list TEST-ACCESS-LIST standard permit host 192.168.2.1
- name: Gather ACLs
  cisco.asa.asa_acls:
    state: gathered
  register: acls

- name: Print ACLs
  debug:
    var: acls
EXPECTED RESULTS

ACL parsing should have included address/netmask of acl entries as shown below for line 1 and line 2 aces

PLAY [Configure Test VPN] ***************************************************************************************

TASK [Gather ACLs] ******************************************************************************************************
ok: [10.1.1.1]

TASK [debug] ************************************************************************************************************
ok: [10.1.1.1] => 
  acls:
    ansible_facts:
      discovered_interpreter_python: /usr/libexec/platform-python
    changed: false
    failed: false
    gathered:
    - acls:
      - aces:
        - destination:
            address: 10.0.0.0
            netmask: 255.0.0.0
          line: 1
          grant: permit
        - destination:
            address: 172.16.0.0
            netmask: 255.240.0.0
          line: 2
          grant: permit
        - destination:
            host: 192.168.1.1
          grant: permit
          line: 3
        - destination:
            host: 192.168.2.1
          grant: permit
          line: 4
        acl_type: standard
        name: TEST-ACCESS-LIST
ACTUAL RESULTS

Instead of including line 1 and line 2 aces, the output of gathered did not include them and started with the host entries on line 3 and 4

PLAY [Configure Test VPN] ***************************************************************************************

TASK [Gather ACLs] ******************************************************************************************************
ok: [10.1.1.1]

TASK [debug] ************************************************************************************************************
ok: [10.1.1.1] => 
  acls:
    ansible_facts:
      discovered_interpreter_python: /usr/libexec/platform-python
    changed: false
    failed: false
    gathered:
    - acls:
      - aces:
        - destination:
            host: 192.168.1.1
          grant: permit
          line: 3
        - destination:
            host: 192.168.2.1
          grant: permit
          line: 4
        acl_type: standard
        name: TEST-ACCESS-LIST

Add support for Object in ACL source and destination

SUMMARY

Allow support to have objects in the acls like the object-groups.

  • access-list private_access_in extended permit object-group ansible-inbound object UK-Ansible-Nagios object ansible-net
ISSUE TYPE
  • Feature Idea
COMPONENT NAME

asa_acls

ADDITIONAL INFORMATION

Currently you have support for object-groups but we also use objects for our acls.

The below may not be correct to the line above but I think the gist is there.

- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      - acls:
        - name: private_access_in
          acl_type: extended
          aces:
            - grant: permit
              line: 1
              protocol_options:
                tcp: True
              source:
                network-object: UK-Ansible-Nagios
              destination:
                network-object: ansible-net

    state: merged

Cisco ASA ACLs module fails when trying to configure ICMP/ICMP6 option

SUMMARY

Cisco ASA ACLs module fails when trying to configure ICMP/ICMP6 option

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls.py

ANSIBLE VERSION
devel
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
---
- cisco.asa.asa_acls:
    config:
      - acls:
          - name: test_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol: tcp
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.2.0
                  netmask: 255.255.255.0
                destination:
                  address: 192.0.3.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
                log: default
              - grant: deny
                line: 2
                protocol: icmp
                protocol_options:
                  icmp:
                    alternate_address: true
                source:
                  address: 198.51.100.0
                  netmask: 255.255.255.0
                destination:
                  address: 198.51.110.0
                  netmask: 255.255.255.0
                log: errors
    state: merged
EXPECTED RESULTS

The config command is generated properly and ACLs configured as expected

ACTUAL RESULTS

Command generated has missing ICMP option and thus generated command fails


ASA ACLs resource module not working with host info in either source/destination

SUMMARY

ASA ACLs resource module not working with host info in either source/destination

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
stable-2.9 and devel
CONFIGURATION

OS / ENVIRONMENT
STEPS TO REPRODUCE
---
- hosts: devpn

  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./credentials.yml

  collections:
    - cisco.asa

  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls:
        config:
          - acls:
            - name: ansible_test
              acl_type: extended
              aces:
                - remark: HostA
                - grant: permit
                  protocol: ip
                  source:
                    host: 1.1.1.1
                  destination:
                    any: true
                - remark: HostB
                - grant: permit
                  protocol: ip
                  source:
                    host: 2.2.2.2
                  destination:
                    any: true
        state: replaced
EXPECTED RESULTS

It should pass and create ACL entry with host-specific ACE

ACTUAL RESULTS
$ ansible-playbook -i staging acl.yml --check --ask-vault-pass -v
Using /etc/ansible/ansible.cfg as config file
Vault password:

PLAY [devpn] ***********************************************************************************************************************************

TASK [TASK 1: Create ansible_test ACL] *********************************************************************************************************
fatal: [devpn]: FAILED! => changed=false
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python
  msg: 'Unsupported parameters for (asa_acls) module: host found in config -> acls -> aces -> source. Supported parameters include: address, any, netmask, port_protocol'

PLAY RECAP *************************************************************************************************************************************
devpn                      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Support for login method of privilege escalation

SUMMARY

Provide a parameter that will enable use of the "login" feature of ASA for privilege escalation.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

Applicable to all modules where privilege escalation is used

ADDITIONAL INFORMATION

The "become_method" for ASA seems to be limited to "enable". If a certain aaa command is not configured, this requires a different password than the user who logged in initially, and does not retain the user when escalating privilege. Adding a "login" method would require just one more prompt interaction. Instead of:

some-cisco-asa-fw> enable
Password: *********
some-cisco-asa-fw# 

It would be:

some-cisco-asa-fw> login
Username: auser
Password: *********
some-cisco-asa-fw#

With the username and password being the original ansible_user and the password being the original ansible_ssh_pass, and no need for an ansible_become_pass

- name: run some asa commands
  cisco.asa.asa_command:
    commands:
      -  show run aaa
  cisco_login: true

ASA deleted operation not working as expected

SUMMARY

I am creating object-groups on ASA and updating the OGs with merged operation and testing the config by using deleted config, but deleted operation is not working as expected.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

Before playbook run config on ASA:

iftyasa(config)# sh run object-group
iftyasa(config)#

Here is my merged operation playbook:

- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: "Merge module attributes of given object-group"
      cisco.asa.asa_ogs:
        config:
          - name: test_og_network
            object_type: network
            description: test_og_network
            network_object:
              host:
                - 192.0.2.1
                - 192.0.2.2
              address:
                - 192.0.2.0 255.255.255.0
                - 198.51.100.0 255.255.255.0
          - name: test_network_og
            object_type: network
            description: test network og
            network_object:
              host:
                - 192.0.3.1
                - 192.0.3.2
              ipv6_address:
                - 2001:db8:0:3::/64
            group_object: test_og_network
        state: merged

After running playbook I can see asa with new ogs
iftyasa(config)# sh run object-group
object-group network test_og_network
description test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
description test network og
network-object host 192.0.3.1
network-object host 192.0.3.2
group-object test_og_network

Here is my deleted operations playbook


- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: "Merge module attributes of given object-group"
      cisco.asa.asa_ogs:
        config:
          - name: test_og_network
            object_type: network
            description: test_og_network
            network_object:
              host:
                - 192.0.2.1
                - 192.0.2.2
              address:
                - 192.0.2.0 255.255.255.0
                - 198.51.100.0 255.255.255.0
          - name: test_network_og
            object_type: network
            description: test network og
            network_object:
              host:
                - 192.0.3.1
                - 192.0.3.2
              ipv6_address:
                - 2001:db8:0:3::/64
            group_object: test_og_network
        state: deleted

Here is the playbook output:
[WARNING]: You are running the development version of Ansible. You should only run Ansible from "devel" if you are modifying the Ansible engine, or trying out features under development. This is a rapidly
changing source of code and can become unstable at any point.
ansible-playbook 2.10.0.dev0
config file = /etc/ansible/ansible.cfg
configured module search path = [u'/home/ikhan/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
ansible python module location = /home/ikhan/.local/lib/python2.7/site-packages/ansible
executable location = /home/ikhan/Documents/ansible/bin/ansible-playbook
python version = 2.7.15 (default, Oct 15 2018, 15:24:06) [GCC 8.1.1 20180712 (Red Hat 8.1.1-5)]
Using /etc/ansible/ansible.cfg as config file
setting up inventory plugins
host_list declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
script declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
auto declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
yaml declined parsing /home/ikhan/Documents/inventory.ini as it did not pass its verify_file() method
Parsed /home/ikhan/Documents/inventory.ini inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /home/ikhan/.local/lib/python2.7/site-packages/ansible/plugins/callback/default.pyc

PLAYBOOK: cisco_asa_play2.yml *************************************************************************************************************************************************************************************
Positional arguments: cisco_asa_play2.yml
become_method: sudo
inventory: (u'/home/ikhan/Documents/inventory.ini',)
forks: 5
tags: (u'all',)
verbosity: 5
connection: smart
timeout: 10
1 plays in cisco_asa_play2.yml

PLAY [asa01] ******************************************************************************************************************************************************************************************************
META: ran handlers

TASK [Merge module attributes of given object-group] **************************************************************************************************************************************************************
task path: /home/ikhan/Documents/cisco_asa_play2.yml:20
<192.168.10.1> attempting to start connection
<192.168.10.1> using connection plugin ansible.netcommon.network_cli
Found ansible-connection at path /home/ikhan/Documents/ansible/bin/ansible-connection
<192.168.10.1> local domain socket does not exist, starting it
<192.168.10.1> control socket path is /home/ikhan/.ansible/pc/a5874044ce
<192.168.10.1> local domain socket listeners started successfully
<192.168.10.1> loaded cliconf plugin ansible_collections.cisco.asa.plugins.cliconf.asa from path /home/ikhan/.ansible/collections/ansible_collections/cisco/asa/plugins/cliconf/asa.py for network_os cisco.asa.asa
<192.168.10.1>
<192.168.10.1> local domain socket path is /home/ikhan/.ansible/pc/a5874044ce
<192.168.10.1> ESTABLISH LOCAL CONNECTION FOR USER: ikhan
<192.168.10.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "echo /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995" && echo ansible-tmp-1586226695.53-12192347931995="echo /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995" ) && sleep 0'
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils
Using module_utils file ansible_collections/cisco/asa
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec
Using module_utils file ansible_collections/cisco/asa/plugins
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config
Using module_utils file ansible_collections
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/basic.py
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs
Using module_utils file ansible_collections/cisco
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/cfg
Using module_utils file ansible_collections/ansible/netcommon/plugins
Using module_utils file ansible_collections/ansible/netcommon
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/utils/utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/cfg/base
Using module_utils file ansible_collections/ansible
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/six/__init__.py
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/ogs/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/ogs
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/_text.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/connection.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/json.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/__init__.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_collections_compat.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/collections.py
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/acls
Using module_utils file ansible_collections/cisco/asa/plugins/module_utils/network/asa/argspec/acls/acls
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/network
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/netconf
Using module_utils file ansible_collections/ansible/netcommon/plugins/module_utils/network/common/parsing
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/parsing/__init__.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/parsing/convert_bool.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/network.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/formatters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/validation.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/converters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/pycompat24.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/warnings.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/text/__init__.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/process.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_utils.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/parameters.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/_json_compat.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/sys_info.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/common/file.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/distro/__init__.py
Using module_utils file /home/ikhan/.local/lib/python2.7/site-packages/ansible/module_utils/distro/_distro.py
Using module file /home/ikhan/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py
<192.168.10.1> PUT /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/tmp0ZS8DQ TO /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py
<192.168.10.1> EXEC /bin/sh -c 'chmod u+x /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/ /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py && sleep 0'
<192.168.10.1> EXEC /bin/sh -c 'python /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/AnsiballZ_asa_ogs.py && sleep 0'
<192.168.10.1> EXEC /bin/sh -c 'rm -f -r /home/ikhan/.ansible/tmp/ansible-local-19888Raa0mK/ansible-tmp-1586226695.53-12192347931995/ > /dev/null 2>&1 && sleep 0'
changed: [192.168.10.1] => {
    "after": [
        {
            "name": "test_og_network",
            "network_object": {
                "address": [
                    "192.0.2.0 255.255.255.0",
                    "198.51.100.0 255.255.255.0"
                ],
                "host": [
                    "192.0.2.1",
                    "192.0.2.2"
                ]
            },
            "object_type": "network"
        },
        {
            "group_object": "test_og_network",
            "name": "test_network_og",
            "object_type": "network"
        }
    ],
    "before": [
        {
            "description": "test_og_network",
            "name": "test_og_network",
            "network_object": {
                "address": [
                    "192.0.2.0 255.255.255.0",
                    "198.51.100.0 255.255.255.0"
                ],
                "host": [
                    "192.0.2.1",
                    "192.0.2.2"
                ]
            },
            "object_type": "network"
        },
        {
            "description": "test network og",
            "group_object": "test_og_network",
            "name": "test_network_og",
            "network_object": {
                "host": [
                    "192.0.3.1",
                    "192.0.3.2"
                ]
            },
            "object_type": "network"
        }
    ],
    "changed": true,
    "commands": [
        "object-group network test_og_network",
        "no description test_og_network",
        "object-group network test_network_og",
        "no description test network og",
        "no network-object host 192.0.3.1",
        "no network-object host 192.0.3.2"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "description": "test_og_network",
                    "group_object": null,
                    "icmp_object": null,
                    "name": "test_og_network",
                    "network_object": {
                        "address": [
                            "192.0.2.0 255.255.255.0",
                            "198.51.100.0 255.255.255.0"
                        ],
                        "host": [
                            "192.0.2.1",
                            "192.0.2.2"
                        ],
                        "ipv6_address": null,
                        "object": null
                    },
                    "object_type": "network",
                    "protocol_object": null,
                    "security_group": null,
                    "service_object": null,
                    "user_object": null
                },
                {
                    "description": "test network og",
                    "group_object": "test_og_network",
                    "icmp_object": null,
                    "name": "test_network_og",
                    "network_object": {
                        "address": null,
                        "host": [
                            "192.0.3.1",
                            "192.0.3.2"
                        ],
                        "ipv6_address": [
                            "2001:db8:0:3::/64"
                        ],
                        "object": null
                    },
                    "object_type": "network",
                    "protocol_object": null,
                    "security_group": null,
                    "service_object": null,
                    "user_object": null
                }
            ],
            "running_config": null,
            "state": "deleted"
        }
    }
}
META: ran handlers
META: ran handlers

PLAY RECAP ********************************************************************************************************************************************************************************************************
192.168.10.1 : ok=1 changed=1 unreachable=0 failed=0 skipped=0 rescued=0 ignored=0

Here is the ASA output after deleted operations:

iftyasa(config)# sh run object-group
object-group network test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
group-object test_og_network

Notice it deleted these two lines from ASA, but not rest:

network-object host 192.0.3.1
network-object host 192.0.3.2

When I run same deleted playbook again

I am left with this config on ASA

iftyasa(config)# sh run object-group
object-group network test_og_network
network-object host 192.0.2.1
network-object host 192.0.2.2
network-object 192.0.2.0 255.255.255.0
network-object 198.51.100.0 255.255.255.0

so the deleted operation deleted one object group this time, but even after running the same playbook again it is not deleting the other og. This is a bug and not consistent behaviour.

ANSIBLE VERSION
ansible 2.10.dev0
CONFIGURATION

OS / ENVIRONMENT

Fedora 30

STEPS TO REPRODUCE
EXPECTED RESULTS

Delete the OGs

ACTUAL RESULTS
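
The behaviour the report above expects from `state: deleted` can be stated as a small diff routine. The following is an added example written for this page, not the asa_ogs module's own code: it parses the `sh run object-group` text into a map of groups, emits one `no object-group <type> <name>` per requested group (or per existing group when no names are given) instead of unsetting attributes one at a time, and orders the removals so that a group is dropped before the group that nests it via `group-object`, because ASA rejects removal of an object-group that is still referenced. `HAVE` is a constructed copy of the report's before-state, and the function names are this example's own. A second run against the resulting state must return no commands; that is the idempotency check worth keeping in a playbook's tests.

```python
"""Compute the CLI for asa_ogs `state: deleted` on ASA object-groups.

Added example, not the cisco.asa collection's code. Demonstrates the expected
semantics: delete whole groups, honour group-object nesting order, and be
idempotent on a second run.
"""
import re

# Constructed `show running-config object-group` output (before state from the report).
HAVE = """\
object-group network test_og_network
 description test_og_network
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
 description test network og
 network-object host 192.0.3.1
 network-object host 192.0.3.2
 group-object test_og_network
"""


def parse_object_groups(running):
    """Return {name: {"type": str, "group_object": [nested group names]}}."""
    groups, current = {}, None
    for raw in running.splitlines():
        line = raw.strip()
        m = re.match(r"object-group (\S+) (\S+)", line)
        if m:
            current = groups.setdefault(m.group(2), {"type": m.group(1), "group_object": []})
        elif current is not None and line.startswith("group-object "):
            current["group_object"].append(line.split()[1])
    return groups


def deleted_commands(want_names, have):
    """Commands that remove the named groups (all groups when want_names is empty).

    A group that is referenced by another group still to be removed is emitted
    after that referencing group, because ASA refuses `no object-group` while a
    reference exists. Names absent from `have` are skipped, which is what makes
    a repeated run produce an empty command list.
    """
    targets = [n for n in (want_names or list(have)) if n in have]
    ordered, remaining = [], set(targets)
    while remaining:
        # A target is "free" when no other remaining target still nests it.
        free = [n for n in remaining
                if not any(n in have[o]["group_object"] for o in remaining if o != n)]
        if not free:  # ASA does not allow circular nesting; guard against spinning anyway
            free = list(remaining)
        for n in sorted(free):
            ordered.append(n)
            remaining.discard(n)
    return ["no object-group %s %s" % (have[n]["type"], n) for n in ordered]


def apply_deletes(have, commands):
    """Simulate the device side: drop each group named in a `no object-group` line."""
    for cmd in commands:
        have.pop(cmd.split()[-1], None)
    return have


if __name__ == "__main__":
    state = parse_object_groups(HAVE)
    first = deleted_commands(["test_og_network", "test_network_og"], state)
    print("\n".join(first))
    second = deleted_commands(["test_og_network", "test_network_og"],
                              apply_deletes(dict(state), first))
    print("second run commands:", second)
```

Running it prints `test_network_og` before `test_og_network`, which is the only order the device accepts for these two groups, and an empty list for the second run.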

module asa_acls doesn't work if there are network-object-group in ACL

SUMMARY

If we have ACL where there are network-object-group, and I play a playbook with the module asa_acls with the state: gathered, I obtain an issue.

ISSUE TYPE
  • Feature request
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.6
CONFIGURATION
--
OS / ENVIRONMENT

I have this list of ACLs.
access-list ACI-PBR line 51 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 3389 (hitcnt=0) 0x961626dc
access-list ACI-PBR line 51 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 3389 (hitcnt=0) 0xcf956318
access-list ACI-PBR line 51 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 3389 (hitcnt=0) 0x08b394cc
access-list ACI-PBR line 51 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 3389 (hitcnt=0) 0x753ed89c
access-list ACI-PBR line 51 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 3389 (hitcnt=0) 0x27a90068
access-list ACI-PBR line 51 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 3389 (hitcnt=0) 0x8de1b244
access-list ACI-PBR line 51 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 3389 (hitcnt=0) 0x3b079250
access-list ACI-PBR line 52 extended permit tcp object-group devaccess-dockertest object-group devaccess-dockertest-endpoints eq 5900 (hitcnt=0) 0x7b6b76d7
access-list ACI-PBR line 52 extended permit tcp host 1.1.1.1 host 1.1.1.1 eq 5900 (hitcnt=0) 0x695a0127
access-list ACI-PBR line 52 extended permit tcp host 172.19.4.74 host 1.1.1.1 eq 5900 (hitcnt=0) 0xf6e22d3a
access-list ACI-PBR line 52 extended permit tcp host 172.25.7.134 host 1.1.1.1 eq 5900 (hitcnt=0) 0x7314f207
access-list ACI-PBR line 52 extended permit tcp host 172.26.5.167 host 1.1.1.1 eq 5900 (hitcnt=0) 0x07da2b97
access-list ACI-PBR line 52 extended permit tcp host 172.30.5.81 host 1.1.1.1 eq 5900 (hitcnt=0) 0xcfdb417c
access-list ACI-PBR line 52 extended permit tcp host 192.168.1.72 host 1.1.1.1 eq 5900 (hitcnt=0) 0x87525554

The playbook that I use is the following:

---
- hosts: asa
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
  - name: Gather listed ACLs with provided configurations
    cisco.asa.asa_acls:
      config:
      state: gathered
EXPECTED RESULTS
ACTUAL RESULTS

It's failed with the following message.

....
File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
  File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
  File "/tmp/ansible_cisco.asa.asa_acls_payload_ZCnlJX/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol

      File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 176, in populate_port_protocol
      File "/tmp/ansible_cisco.asa.asa_acls_payload_3F2REH/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 96, in populate_port_protocol
    RuntimeError: maximum recursion depth exceeded in cmp
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

Help wanted!

SUMMARY
ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_config.py

ANSIBLE VERSION
ansible-2.9.7
CONFIGURATION

OS / ENVIRONMENT

ubuntu 20

STEPS TO REPRODUCE

When I run a command access-list test-acl-1 extended permit tcp object-group IP_Test host 10.22.5.38 eq 8080 and IP_Test does not exist on my device, then an error should happen, but it does not.
The error msg is more than 256 chars with CLI, but ansible tells me task is successful.
May link to ansible-collections/ansible.netcommon#201.

EXPECTED RESULTS

ansible reports update

ACTUAL RESULTS
ansible reports `error`

asa_og: Issue when using state:replace with Port: 80 in port-groups

From @djedovica on Jul 08, 2020 09:12

SUMMARY

I have port 80 in the port group on the firewall. When I send a task with state:replace, port 80 will always be removed from this group. When I send the same task once again, port 80 will be created in this port group. On the next attempt it will be removed, then created, etc. I get no errors from ansible.

I have also tested with other ports and the same problem appears with port 67. Other ports that I have tested seem to work properly (of course, I haven’t tested all possible ports).

The same problem appears when using port range with port 90 (Example: port_range: 80 90).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_og

ANSIBLE VERSION
ansible 2.8.4
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Aug  7 2019, 17:28:10) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
ANSIBLE_PIPELINING(/etc/ansible/ansible.cfg) = True
DEFAULT_HASH_BEHAVIOUR(/etc/ansible/ansible.cfg) = merge
DEFAULT_PRIVATE_KEY_FILE(/etc/ansible/ansible.cfg) = /root/.ssh/id_rsa
DEFAULT_PRIVATE_ROLE_VARS(/etc/ansible/ansible.cfg) = True
DEFAULT_VAULT_PASSWORD_FILE(/etc/ansible/ansible.cfg) = /root/.ansible/vault.key
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PARAMIKO_HOST_KEY_AUTO_ADD(/etc/ansible/ansible.cfg) = True
PERSISTENT_CONNECT_TIMEOUT(/etc/ansible/ansible.cfg) = 30
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

Centos 7.7
Firewall: ASA 5515

STEPS TO REPRODUCE

I have two tasks: one for creating a port-group with state: present and second to edit a port-group with state: replace. The problem appears when I send a task with state:replace. This task is always going to delete port 80 from port-group.
For example:

First task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: present
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "90"
    port_range:
  tags:
    - port_group1


Second Task:
- name: configure port-object object-group
  asa_og:
    name: port_group_test_7
    group_type: port-object
    state: replace
    description: description
    protocol: tcp-udp
    port_eq:
      - "80"
      - "91"
    port_range:
  tags:
    - port_group1

In this example, the difference is that I have replaced port 90 with port 91. After executing Task 1, a port-group with ports 80 and 90 is created on the firewall (there is no problem). After executing Task 2, the group on the firewall will contain only port 91; port 80 is deleted.

EXPECTED RESULTS

I expect that port group contains ports: 80, 91

ACTUAL RESULTS

After first execution: port group contains only port 91
After second execution: port group contains ports 80, 91
After third execution: port group contains only port 91
etc.


Copied from original issue: ansible/ansible#70518

Changed concatenation to string formatting

SUMMARY

https://github.com/ansible/ansible/pull/59073/files

See the PR I put in, can you add this to the ASA?

ISSUE TYPE

Bug 58258 on Ansible

COMPONENT NAME

asa_og

ANSIBLE VERSION
ansible --version
ansible 2.8.1
  config file = /Users/joshv/Github/ansible-asa_work/ansible.cfg
  configured module search path = ['/etc/ansible/library']
  ansible python module location = /usr/local/lib/python3.7/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.7.2 (default, Feb 10 2019, 15:44:18) [Clang 10.0.0 (clang-1000.11.45.5)]
CONFIGURATION
DEFAULT_HOST_LIST(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = ['/Users/joshv/Github/ansible-asa_work/hosts']
DEFAULT_MODULE_PATH(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = ['/etc/ansible/library']
HOST_KEY_CHECKING(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = False
INTERPRETER_PYTHON(/Users/joshv/Github/ansible-asa_work/ansible.cfg) = /usr/local/bin/python3
OS / ENVIRONMENT

Mac OS as command host
ASAv in lab environment

STEPS TO REPRODUCE
    - name: "TASK 3: Add Port Group"
      asa_og:
        name: SVC_OBJ_DNS_NTP
        group_type: port-object
        state: present
        description: DNS and NTP ports
        protocol: udp
        port_eq:
          - 53
          - 123
      register: output3

Workaround task setup:

    - name: "TASK 3: Add Port Group"
      asa_og:
        name: SVC_OBJ_DNS_NTP
        group_type: port-object
        state: present
        description: DNS and NTP ports
        protocol: udp
        port_eq:
          - "53"
          - "123"
      register: output3
EXPECTED RESULTS

I'd expect that the object group would be created.

ACTUAL RESULTS

The module errors out on playbook execution.

Workaround: Change the integers to strings to avoid integer/string concatenation issues

fatal: [asa1]: FAILED! => {"changed": false, "module_stderr": "/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py:18: DeprecationWarning: the imp module is deprecated in favour of importlib; see the module's documentation for alternative uses
  import imp
Traceback (most recent call last):
  File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 114, in <module>
    _ansiballz_main()
  File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 106, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File \"/Users/joshv/.ansible/tmp/ansible-local-49807bxzhne75/ansible-tmp-1561309596.022644-207996390419631/AnsiballZ_asa_og.py\", line 49, in invoke_module
    imp.load_module('__main__', mod, module, MOD_DESC)
  File \"/usr/local/Cellar/python/3.7.2_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/imp.py\", line 234, in load_module
    return load_source(name, filename, file)
  File \"/usr/local/Cellar/python/3.7.2_1/Frameworks/Python.framework/Versions/3.7/lib/python3.7/imp.py\", line 169, in load_source
    module = _exec(spec, sys.modules[name])
  File \"<frozen importlib._bootstrap>\", line 630, in _exec
  File \"<frozen importlib._bootstrap_external>\", line 728, in exec_module
  File \"<frozen importlib._bootstrap>\", line 219, in _call_with_frames_removed
  File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 801, in <module>
  File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 788, in main
  File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 735, in map_obj_to_commands
  File \"/var/folders/cf/m5ysrq0j1vn8y0s8_67j4hyw0000gn/T/ansible_asa_og_payload_8oc36h_s/__main__.py\", line 557, in present
TypeError: can only concatenate str (not \"int\") to str
", "module_stdout": "", "msg": "MODULE FAILURE
See stdout/stderr for the exact error", "rc": 1}

Merge the code in ansible/ansible#59073 and this will be resolved.

asa_ogs The 'host' Key Does Not Model IPv6 addresses (loss of idempotence)

SUMMARY

The 'before' and 'after' state does not show IPv6 addresses for 'host' keys. This causes every execution of a play to try and add the IPv6 host entry. It appends to 'commands' correctly and is sent to the device but because it is not in the model it reports changed. It also sends commands that result in an error at the CLI to the box.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_ogs

ANSIBLE VERSION
ansible 2.9.24
  config file = /home/darkhelmet/Documents/Projects/ansible.cfg
  configured module search path = ['/home/darkhelmet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3.9/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.6 (default, Jul 16 2021, 00:00:00) [GCC 11.1.1 20210531 (Red Hat 11.1.1-3)]
COLLECTION VERSION
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2  
CONFIGURATION
OS / ENVIRONMENT

ASAv 9.12(4)

STEPS TO REPRODUCE
---
- hosts: asav-912

  tasks:
    - cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: issue-128
                network_object:
                  host:
                    - 192.0.2.1
                    - 2001:0db8::1
        state: replaced
EXPECTED RESULTS

I expect an object-group that looks like:

object-group network issue-128
 network-object host 192.0.2.1
 network-object host 2001:db8::1

And if it exists I expect the task to be idempotent.

ACTUAL RESULTS
changed: [asav-912] => {
    "after": [
        {
            "object_groups": [
                {
                    "name": "issue-128",
                    "network_object": {
                        "host": [
                            "192.0.2.1"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "before": [
        {
            "object_groups": [
                {
                    "name": "issue-128",
                    "network_object": {
                        "host": [
                            "192.0.2.1"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "changed": true,
    "commands": [
        "object-group network issue-128",
        "network-object host 2001:0db8::1"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_groups": [
                        {
                            "description": null,
                            "group_object": null,
                            "icmp_type": null,
                            "name": "issue-128",
                            "network_object": {
                                "address": null,
                                "host": [
                                    "192.0.2.1",
                                    "2001:0db8::1"
                                ],
                                "ipv6_address": null,
                                "object": null
                            },
                            "protocol_object": null,
                            "security_group": null,
                            "service_object": null,
                            "user_object": null
                        }
                    ],
                    "object_type": "network"
                }
            ],
            "running_config": null,
            "state": "replaced"
        }
    }
}

asa_acls not able to parse ACL lines with a service-object as the destination service

SUMMARY

If a service-group is used for the destination service, it is not parsed properly.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_acls

ANSIBLE VERSION
❯ ansible --version
ansible 2.9.14.post0
  config file = /Users/tim.franson/dev/netops/ansible.cfg
  configured module search path = ['/Users/tim.franson/dev/netops/library/modules']
  ansible python module location = /Users/tim.franson/dev/ansible/lib/ansible
  executable location = /Users/tim.franson/dev/ansible/bin/ansible
  python version = 3.8.5 (default, Jul 21 2020, 10:42:08) [Clang 11.0.0 (clang-1100.0.33.17)]
CONFIGURATION
DEFAULT_ACTION_PLUGIN_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/plugins/action']
DEFAULT_CALLBACK_WHITELIST(/Users/tim.franson/dev/netops/ansible.cfg) = ['profile_tasks']
DEFAULT_HOST_LIST(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/inventory/lab.yaml']
DEFAULT_JINJA2_EXTENSIONS(/Users/tim.franson/dev/netops/ansible.cfg) = jinja2.ext.loopcontrols
DEFAULT_MODULE_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/modules']
DEFAULT_MODULE_UTILS_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/module_utils']
DEFAULT_ROLES_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/roles']
DEFAULT_STDOUT_CALLBACK(/Users/tim.franson/dev/netops/ansible.cfg) = yaml
DEFAULT_TERMINAL_PLUGIN_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = ['/Users/tim.franson/dev/netops/library/plugins/terminal']
DEFAULT_TIMEOUT(/Users/tim.franson/dev/netops/ansible.cfg) = 30
RETRY_FILES_SAVE_PATH(/Users/tim.franson/dev/netops/ansible.cfg) = /Users/tim.franson/dev/netops/inventory/retry
OS / ENVIRONMENT

N/A - referencing local config file

STEPS TO REPRODUCE

playbook

- name: Configure applications
  hosts: os_cisco_asa
  gather_facts: False

  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', '/Users/tim.franson/config_file.txt') }}"
        state: parsed
      register: parsed_acl

    - name: Print
      debug:
        msg: "{{ parsed_acl }}"

config_file.txt

access-list SOME_ACCESS_LIST remark This rule is not parsed properly
access-list SOME_ACCESS_LIST extended permit object-group DESTINATION_SERVICE_GROUP object SOURCE_OBJECT any
EXPECTED RESULTS

A properly generated yaml-ized rule

ACTUAL RESULTS
ok: [myasa] =>
  msg:
    changed: false
    failed: false
    parsed:
      acls:
      - aces:
        - remark: This rule is not parsed properly
        - grant: permit
          source:
            object_group: DESTINATION_SERVICE_GROUP
        acl_type: extended
        name: SOME_ACCESS_LIST

TypeError: argument of type 'NoneType' is not iterable in service-group

Fix proposed in PR #71

SUMMARY

TypeError: argument of type 'NoneType' is not iterable in service-group when service-object not existing in ASA V. 9.6(3)17

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_og

ANSIBLE VERSION
ansible 2.9.7
  config file = None
  configured module search path = ['/Users/federicoolivieri/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Library/Frameworks/Python.framework/Versions/3.6/lib/python3.6/site-packages/ansible
  executable location = /Library/Frameworks/Python.framework/Versions/3.6/bin/ansible
  python version = 3.6.8 (v3.6.8:3c6b436a57, Dec 24 2018, 02:04:31) [GCC 4.2.1 Compatible Apple LLVM 6.0 (clang-600.0.57)]
STEPS TO REPRODUCE
    - name: CONFIG | OG | update SERVICE object-group ASA Vesion 8 or below.
      asa_og:
        name: "{{ item.name }}"
        group_type: service-object
        state: present
        description: "{{ item.description }}"
        service_cfg: "{{ item.service_cfg | regex_replace('destination ') }}"
      notify: save config
      loop: "{{ service_object }}"
      when: "(item.service_cfg is defined) and ('8' in asa_version.split('.')[0] and '7' in asa_version.split('.')[0])"
EXPECTED RESULTS

Object group to be configured on ASA

ACTUAL RESULTS
{
    "module_stdout": "",
    "module_stderr": "Traceback (most recent call last):\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.network.asa.asa_og', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 801, in <module>\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 788, in main\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 735, in map_obj_to_commands\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 602, in present\nTypeError: argument of type 'NoneType' is not iterable\n",
    "exception": "Traceback (most recent call last):\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/var/lib/awx/.ansible/tmp/ansible-local-7917vsjauk24/ansible-tmp-1599135052.5277274-179017891288941/AnsiballZ_asa_og.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible.modules.network.asa.asa_og', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib64/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib64/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 801, in <module>\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 788, in main\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 735, in map_obj_to_commands\n  File \"/tmp/ansible_asa_og_payload_qfhj60mq/ansible_asa_og_payload.zip/ansible/modules/network/asa/asa_og.py\", line 602, in present\nTypeError: argument of type 'NoneType' is not iterable\n",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1,
    "_ansible_no_log": false,
    "changed": false,
    "item": {
        "name": "ftp_svc",
        "description": "GNS-39102 - Infosec Security Tools",
        "service_cfg": [
            "tcp destination eq ftp",
            "tcp destination eq ftp-data"
        ]
    },
    "ansible_loop_var": "item",
    "_ansible_item_label": {
        "name": "ftp_svc",
        "description": "GNS-39102 - Infosec Security Tools",
        "service_cfg": [
            "tcp destination eq ftp",
            "tcp destination eq ftp-data"
        ]
    }
}

asa_ogs KeyError Exception on Empty Object-Group

SUMMARY

When a network object-group exists but does not contain any network-objects, you get a KeyError on 'network-object' that is not caught. This configuration is valid on the ASA, so it should be handled.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
/home/darkhelmet/.venvs/py2-ansible2.9/lib/python2.7/site-packages/ansible/parsing/vault/__init__.py:44: CryptographyDeprecationWarning: Python 2 is no longer supported by the Python core team. Support for it is now deprecated in cryptography, and will be removed in the next release.
  from cryptography.exceptions import InvalidSignature
ansible 2.9.23
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/darkhelmet/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /home/darkhelmet/.venvs/py2-ansible2.9/lib/python2.7/site-packages/ansible
  executable location = /home/darkhelmet/.venvs/py2-ansible2.9/bin/ansible
  python version = 2.7.18 (default, May 19 2021, 00:00:00) [GCC 11.1.1 20210428 (Red Hat 11.1.1-1)]

Same problem with Ansible 2.9.23 on Python 3.9 as well.

COLLECTION VERSION
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2  
CONFIGURATION

OS / ENVIRONMENT

ASA 9.12(4)29 on both real hardware and an ASAv

STEPS TO REPRODUCE

Create an empty network object-group but do not add any network-objects to it. You will get a KeyError on network-object missing because no network-objects are in the object-group.

object-group network bug_test_obj
---
- hosts: all
  tasks:
    - cisco.asa.asa_ogs:
        config:
          - object_type: network
            object_groups:
              - name: bug_test_obj
                network_object:
                  host:
                    - 9.9.9.9
EXPECTED RESULTS

The empty object-group now has 9.9.9.9 instead of being empty.

ACTUAL RESULTS
The full traceback is:
Traceback (most recent call last):
  File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 102, in <module>
    _ansiballz_main()
  File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/darkhelmet/.ansible/tmp/ansible-local-80877k3oz87/ansible-tmp-1629468497.24-80940-60367002611697/AnsiballZ_asa_ogs.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_ogs', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib64/python3.9/runpy.py", line 210, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib64/python3.9/runpy.py", line 97, in _run_module_code
    _run_code(code, mod_globals, init_globals,
  File "/usr/lib64/python3.9/runpy.py", line 87, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py", line 918, in <module>
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py", line 912, in main
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 56, in execute_module
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 129, in gen_config
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 145, in _compare
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 221, in _network_object_compare
  File "/tmp/ansible_cisco.asa.asa_ogs_payload_pfeq4xn0/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py", line 474, in _add_object_cmd
KeyError: 'network_object'

@nj344170w and @russ-jenkins

Add support for service object groups

SUMMARY

Add support for service object groups

ISSUE TYPE
  • Feature Idea
    Support for service object groups

ASA Config:
object-group service global-dns-ports
description: global dns ports
service-object tcp destination eq domain
service-object udp destination eq domain

COMPONENT NAME

cisco.asa.asa_ogs:

ADDITIONAL INFORMATION

It would complete the OGS management of the ASAs.

Output from "gathered" module shows empty despite having objects in the service object group

 "object_groups": [
                    {
                        "description": "ansible_test object-group description",
                        "name": "ansible_test_2"
                    },
                    {
                        "description": "global dns ports",
                        "name": "global-dns-ports"
                    },
                ]

Not able to gather ogs

SUMMARY

When trying to run cisco.asa.asa_ogs, I constantly get the following error, msg: 'argument start is of type <type ''str''> found in ''config -> object_groups -> services_object -> destination_port -> range''. and we were unable to convert to int: <type ''str''> cannot be converted to an int'

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/Users/jholbert/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.8/site-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.8.12 (default, Oct 13 2021, 06:42:19) [Clang 12.0.0 (clang-1200.0.32.29)]
COLLECTION VERSION
not able to retrieve
CONFIGURATION
DEFAULT_LOAD_CALLBACK_PLUGINS(/private/etc/ansible/ansible.cfg) = True
DEFAULT_STDOUT_CALLBACK(/private/etc/ansible/ansible.cfg) = yaml
DEPRECATION_WARNINGS(/private/etc/ansible/ansible.cfg) = True
HOST_KEY_CHECKING(/private/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/private/etc/ansible/ansible.cfg) = 120
PERSISTENT_CONNECT_TIMEOUT(/private/etc/ansible/ansible.cfg) = 60
RETRY_FILES_ENABLED(/private/etc/ansible/ansible.cfg) = False

OS / ENVIRONMENT

Cisco Adaptive Security Appliance Software Version 9.16(1)28

STEPS TO REPRODUCE

Running the below playbook always fails with the error message above

---
- hosts: asa_staging
  gather_facts: false
  connection: network_cli
  become: yes
  become_method: enable

  tasks:
    - name: Gather listed OGs with provided configurations
      cisco.asa.asa_ogs:
        config:
        state: gathered
EXPECTED RESULTS

Gathered results

ACTUAL RESULTS
fatal: [aws-stg-asa01]: FAILED! => changed=false 
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python
  msg: 'argument start is of type <type ''str''> found in ''config -> object_groups -> services_object -> destination_port -> range''. and we were unable to convert to int: <type ''str''> cannot be converted to an int'


False error when config matches stderr_re

A line can also match "error:" when it appears in a comment such as an access-list remark, for example:
access-list test-acl-001 remark error: this is a error test.
Any other line that includes "error:" will also match it.
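
As an added illustration of the false positive described in this report (this is example code, not the collection's terminal plugin, and both patterns and the error wording are constructed stand-ins), the loose pattern flags the echoed remark line, while a pattern anchored to the start of a response line flags only the device's own error line:

```python
import re

# Constructed patterns for illustration; the collection's real stderr
# patterns are not reproduced here.
LOOSE_ERROR_RE = re.compile(rb"error:", re.I)
# Anchored form: the marker must begin a line (optionally after the
# ASA's "% " prefix), so an echoed command that merely contains
# "error:" inside a remark is not treated as a failure.
STRICT_ERROR_RE = re.compile(rb"^(?:%\s*)?error:", re.I)


def find_error_lines(response, pattern):
    """Return the lines of a raw CLI response that `pattern` flags as errors."""
    return [line for line in response.splitlines() if pattern.search(line)]


# Constructed sample responses (bytes, as a terminal plugin sees them).
# The echoed remark line contains "error:" but is a successful command.
REMARK_RESPONSE = (
    b"access-list test-acl-001 remark error: this is a error test.\r\n"
    b"asa(config)# "
)
# A genuine failure: the error text here is a constructed stand-in, not
# verbatim ASA output.
REAL_ERROR_RESPONSE = (
    b"access-list test-acl-1 extended permit tcp object-group IP_Test "
    b"host 10.22.5.38 eq 8080\r\n"
    b"ERROR: object-group IP_Test not found\r\n"
    b"asa(config)# "
)


if __name__ == "__main__":
    for name, resp in (("remark", REMARK_RESPONSE), ("real", REAL_ERROR_RESPONSE)):
        print(name, "loose:", find_error_lines(resp, LOOSE_ERROR_RE))
        print(name, "strict:", find_error_lines(resp, STRICT_ERROR_RE))
```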

Problem in port range and destination address ACL parsing

SUMMARY

There are issues with simple ACL parse. Please look at "destination" section.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_acls

ANSIBLE VERSION
ansible 2.10.5
COLLECTION VERSION
dmitry@host:~$ ansible-galaxy collection list cisco.asa

# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa  1.0.4

# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2
CONFIGURATION

OS / ENVIRONMENT

Ubuntu Server 21.04

STEPS TO REPRODUCE
dmitry@host:~$ cat small.txt
access-list ck_kspd_in line 1 extended permit tcp 10.10.10.0 255.255.252.0 host 10.20.20.164 range 8001 8002
---

- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
EXPECTED RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {
                        "destination": {
                            "host": "10.20.20.164",
                            "port_protocol": {
                                "range": {
                                    "end": 8002,
                                    "start": 8001 
                                }
                            }
                        },
                        "grant": "permit",
                        "line": 1,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.10.10.0",
                            "netmask": "255.255.252.0"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "ck_kspd_in"
            }
        ]
    }
ACTUAL RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {
                        "destination": {
                            "address": "host",
                            "netmask": "10.20.20.164"
                        },
                        "grant": "permit",
                        "line": 1,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.10.10.0",
                            "netmask": "255.255.252.0"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "ck_kspd_in"
            }
        ]
    }
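
As an added example (this is not the collection's parser and the names parse_ace, _parse_endpoint and _parse_port are this example's own), the tokenizer below produces the structure expected in the report above for a destination of the form host X range A B, and also handles the service-group-as-protocol line from the earlier asa_acls report, remarks, eq/gt/lt/neq qualifiers and object/interface endpoints; each endpoint keyword consumes a fixed number of tokens, so "host" can never be taken for an address with a netmask:

```python
import re

# Header of every ASA ACL line: name, optional "line N", then the entry
# kind (or "remark", which has no type) and the remainder of the entry.
ACL_HEADER = re.compile(
    r"^access-list\s+(?P<name>\S+)"
    r"(?:\s+line\s+(?P<line>\d+))?"
    r"\s+(?P<kind>extended|standard|remark)\s+(?P<rest>.+)$"
)
PORT_OPS = ("eq", "gt", "lt", "neq")


def _port(token):
    """Numeric ports become int; named ports (www, domain) stay strings."""
    return int(token) if token.isdigit() else token


def _parse_endpoint(tokens, i):
    """Parse one source/destination endpoint starting at tokens[i].

    Returns (endpoint_dict, index_of_next_token). Keyword forms consume a
    fixed number of tokens, which is what keeps 'host 10.20.20.164' from
    being read as an 'address netmask' pair.
    """
    tok = tokens[i]
    if tok in ("any", "any4", "any6"):
        return {tok: True}, i + 1
    if tok == "host":
        return {"host": tokens[i + 1]}, i + 2
    if tok in ("object", "object-group", "interface"):
        return {tok.replace("-", "_"): tokens[i + 1]}, i + 2
    if "/" in tok:  # IPv6 prefix such as 2001:db8::/32 (constructed case)
        return {"address": tok}, i + 1
    return {"address": tok, "netmask": tokens[i + 1]}, i + 2


def _parse_port(tokens, i):
    """Parse an optional port qualifier: eq/gt/lt/neq X or range A B."""
    if i >= len(tokens):
        return None, i
    tok = tokens[i]
    if tok == "range":
        rng = {"start": _port(tokens[i + 1]), "end": _port(tokens[i + 2])}
        return {"range": rng}, i + 3
    if tok in PORT_OPS:
        return {tok: _port(tokens[i + 1])}, i + 2
    return None, i


def parse_ace(text):
    """Parse one 'access-list ...' line into {"name", "acl_type", "ace"}.

    A remark entry yields {"remark": text} as its ACE and has no acl_type.
    """
    m = ACL_HEADER.match(text.strip())
    if not m:
        raise ValueError("not an access-list entry: %r" % text)
    name, line, kind, rest = m.group("name", "line", "kind", "rest")
    if kind == "remark":
        return {"name": name, "ace": {"remark": rest}}
    tokens = rest.split()
    ace = {"grant": tokens[0]}
    if line is not None:
        ace["line"] = int(line)
    if kind == "standard":  # standard ACLs carry only a destination
        ace["destination"], _ = _parse_endpoint(tokens, 1)
        return {"name": name, "acl_type": kind, "ace": ace}
    i = 1
    # Protocol: a keyword (tcp, udp, ip, icmp ...) or a service object /
    # object-group that supplies protocol and ports in one token pair.
    if tokens[i] in ("object", "object-group"):
        ace["protocol_options"] = {tokens[i].replace("-", "_"): tokens[i + 1]}
        i += 2
    else:
        ace["protocol"] = tokens[i]
        ace["protocol_options"] = {tokens[i]: True}
        i += 1
    ace["source"], i = _parse_endpoint(tokens, i)
    port, i = _parse_port(tokens, i)
    if port:
        ace["source"]["port_protocol"] = port
    ace["destination"], i = _parse_endpoint(tokens, i)
    port, i = _parse_port(tokens, i)
    if port:
        ace["destination"]["port_protocol"] = port
    # Trailing options: log and inactive are recognised; anything else
    # (log levels, time-range names, ...) is kept verbatim under "unparsed".
    while i < len(tokens):
        if tokens[i] == "log":
            ace["log"] = True
        elif tokens[i] == "inactive":
            ace["inactive"] = True
        else:
            ace.setdefault("unparsed", []).append(tokens[i])
        i += 1
    return {"name": name, "acl_type": kind, "ace": ace}


if __name__ == "__main__":
    print(parse_ace("access-list ck_kspd_in line 1 extended permit tcp "
                    "10.10.10.0 255.255.252.0 host 10.20.20.164 range 8001 8002"))
```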

cisco.asa.asa_facts fails to pull object groups (ogs) when object group on the device has 'group-objects' mentioned in it.

SUMMARY

When we try to gather object groups from the device using the cisco.asa.asa_facts module, it fails with the error below. We observed that on the ASA device, group_objects are referenced under some object groups, and this error is stating the same.

"msg": "Unsupported parameters for (basic.py) module: group_object found in config -> object_groups. Supported parameters include: description, icmp_type, name, network_object, protocol_object, security_group, service_object, user_object",

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_facts:
gather_network_resources: ogs

ANSIBLE VERSION
ansible 2.9.10

CONFIGURATION

OS / ENVIRONMENT

ASA 9.4

STEPS TO REPRODUCE
      cisco.asa.asa_facts:
        gather_network_resources: ogs
      register: object

On asa device, configure object group with group_objects
eg.

object-group network icmp-type

#group_object ICMP_UNREACHABLE

EXPECTED RESULTS

We are expecting all the object group pulled from the device.

ACTUAL RESULTS
{
    "msg": "Unsupported parameters for (basic.py) module: group_object found in config -> object_groups. Supported parameters include: description, icmp_type, name, network_object, protocol_object, security_group, service_object, user_object",
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_type": "icmp-type",
                    "object_groups": [
                        {
                            "name": "ICMP",
                            "group_object": "ICMP_UNREACHABLE",
                            "icmp_type": {}
                        },
                        {
                            "name": "ICMP_PING",
                            "icmp_type": {
                                "icmp_object": [
                                    "echo",
                                    "echo-reply"
                                ]
                            }
                        },
                        {
                            "name": "ICMP_TRACEROUTE",
                            "icmp_type": {
                                "icmp_object": [
                                    "time-exceeded",
                                    "traceroute"
                                ]
                            }
                        },
                        {
                            "name": "ICMP_UNREACHABLE",
                            "icmp_type": {
                                "icmp_object": [
                                    "unreachable"
                                ]
                            }
                        }
                    ]
                },
                {
                    "object_type": "network",
                    "object_groups": [
                        {
                            "name": "GRP",
                            "network_object": {}
                        },
                        {
                            "name": "OBJECTGROUPNAME",
                            "description": "PAYROLL \"CUSTOMER\"",
                            "network_object": {
                                "host": [
                                    "192.168.0.200"
                                ]
                            }
                        },
                        {
                            "name": "Object_group_name",
                            "description": "PAYROLL \"Customer\"",
                            "network_object": {
                                "host": [
                                    "192.168.0.200"
                                ]
                            }
                        },
                        {
                            "name": "test_vip_create2",
                            "network_object": {
                                "host": [
                                    "212.68.10.82"
                                ]
                            }
                        }
                    ]
                }
            ],
            "state": "merged",
            "running_config": null
        }
    },
    "_ansible_no_log": false,
    "changed": false,
    "_ansible_delegated_vars": {
        "ansible_host": "172.27.192.40",
        "ansible_port": null,
        "ansible_user": null
    }
}

Unable to gather facts: 'NoneType' object is not subscriptable

SUMMARY

Errors encountered trying to gather facts with the collection.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_facts

ANSIBLE VERSION
ansible 2.9.5
  config file = /home/username/Ansible-CiscoASA/ansible.cfg
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
  executable location = /usr/local/bin/ansible
  python version = 3.6.8 (default, Jan 14 2019, 11:02:34) [GCC 8.0.1 20180414 (experimental) [trunk revision 259383]]
CONFIGURATION
COLLECTIONS_PATHS(/home/username/Ansible-CiscoASA/ansible.cfg) = ['/home/username/.ansible/collections']
DEFAULT_HOST_LIST(/home/username/Ansible-CiscoASA/ansible.cfg) = ['/home/username/Ansible-CiscoASA/production']
HOST_KEY_CHECKING(/home/username/Ansible-CiscoASA/ansible.cfg) = False
INTERPRETER_PYTHON(/home/username/Ansible-CiscoASA/ansible.cfg) = /usr/bin/python3
RETRY_FILES_ENABLED(/home/username/Ansible-CiscoASA/ansible.cfg) = False
OS / ENVIRONMENT

Ansible host: Ubuntu 18.04.2 LTS
ASA: 9.10(1)30

STEPS TO REPRODUCE

ansible-playbook test_rule_new.yml -u username --ask-pass --ask-become-pass -vvvv

---
#this builds a sample rule in VRF32 - it looks to see if this EXACT line exists in the ACL list, and creates it if it does not
- hosts: asa
  tasks:
  - name: Gather all legacy facts
    become: yes
    cisco.asa.asa_facts:
      gather_subset:
      - config
EXPECTED RESULTS

Return facts successfully.

ACTUAL RESULTS

(Replaced sensitive values)

ansible-playbook test_rule_new.yml -u username --ask-pass --ask-become-pass -vvvv
ansible-playbook 2.9.5
  config file = /home/username/Ansible-CiscoASA/ansible.cfg
  configured module search path = ['/home/username/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/local/lib/python3.6/dist-packages/ansible
  executable location = /usr/local/bin/ansible-playbook
  python version = 3.6.8 (default, Jan 14 2019, 11:02:34) [GCC 8.0.1 20180414 (experimental) [trunk revision 259383]]
Using /home/username/Ansible-CiscoASA/ansible.cfg as config file
SSH password: 
BECOME password[defaults to SSH password]: 
setting up inventory plugins
host_list declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
script declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
auto declined parsing /home/username/Ansible-CiscoASA/production as it did not pass its verify_file() method
Parsed /home/username/Ansible-CiscoASA/production inventory source with ini plugin
Loading callback plugin default of type stdout, v2.0 from /usr/local/lib/python3.6/dist-packages/ansible/plugins/callback/default.py

PLAYBOOK: test_rule_new.yml *************************************************************************************************************************
Positional arguments: test_rule_new.yml
verbosity: 4
ask_pass: True
remote_user: username
connection: smart
timeout: 10
become_method: sudo
become_ask_pass: True
tags: ('all',)
inventory: ('/home/username/Ansible-CiscoASA/production',)
forks: 5
1 plays in test_rule_new.yml

PLAY [asa] ******************************************************************************************************************************************

TASK [Gathering Facts] ******************************************************************************************************************************
task path: /home/username/Ansible-CiscoASA/test_rule_new.yml:3
<10.10.10.10> attempting to start connection
<10.10.10.10> using connection plugin network_cli
<10.10.10.10> local domain socket does not exist, starting it
<10.10.10.10> control socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> local domain socket listeners started successfully
<10.10.10.10> loaded cliconf plugin asa from path /usr/local/lib/python3.6/dist-packages/ansible/plugins/cliconf/asa.py for network_os asa
<10.10.10.10> 
<10.10.10.10> local domain socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> ESTABLISH LOCAL CONNECTION FOR USER: username
<10.10.10.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713 `" && echo ansible-tmp-1593484924.2645752-268035200652713="` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713 `" ) && sleep 0'
Using module file /usr/local/lib/python3.6/dist-packages/ansible/modules/system/setup.py
<10.10.10.10> PUT /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/tmphixothel TO /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py
<10.10.10.10> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/ /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c '/usr/bin/python3 /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/AnsiballZ_setup.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c 'rm -f -r /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484924.2645752-268035200652713/ > /dev/null 2>&1 && sleep 0'
ok: [10.10.10.10]
META: ran handlers

TASK [Gather all legacy facts] **********************************************************************************************************************
task path: /home/username/Ansible-CiscoASA/test_rule_new.yml:5
<10.10.10.10> attempting to start connection
<10.10.10.10> using connection plugin network_cli
<10.10.10.10> found existing local domain socket, using it!
<10.10.10.10> updating play_context for connection
<10.10.10.10> ssh connection done, setting terminal
<10.10.10.10> loaded terminal plugin for network_os asa
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> firing event: on_open_shell()
<10.10.10.10> ssh connection has completed successfully
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> Response received, triggered 'persistent_buffer_read_timeout' timer of 0.1 seconds
<10.10.10.10> authorizing connection
<10.10.10.10> 
<10.10.10.10> local domain socket path is /home/username/.ansible/pc/357ccb133a
<10.10.10.10> ESTABLISH LOCAL CONNECTION FOR USER: username
<10.10.10.10> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478 `" && echo ansible-tmp-1593484927.7340422-65588891130478="` echo /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478 `" ) && sleep 0'
Using module file /home/username/.ansible/collections/ansible_collections/cisco/asa/plugins/modules/asa_facts.py
<10.10.10.10> PUT /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/tmp1w7dpkqc TO /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py
<10.10.10.10> EXEC /bin/sh -c 'chmod u+x /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/ /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c '/usr/bin/python3 /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py && sleep 0'
<10.10.10.10> EXEC /bin/sh -c 'rm -f -r /home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/ > /dev/null 2>&1 && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 102, in <module>
    _ansiballz_main()
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_facts', init_globals=None, run_name='__main__', alter_sys=True)
  File "/usr/lib/python3.6/runpy.py", line 205, in run_module
    return _run_module_code(code, init_globals, run_name, mod_spec)
  File "/usr/lib/python3.6/runpy.py", line 96, in _run_module_code
    mod_name, mod_spec, pkg_name, script_name)
  File "/usr/lib/python3.6/runpy.py", line 85, in _run_code
    exec(code, run_globals)
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py", line 206, in <module>
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py", line 197, in main
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py", line 64, in get_facts
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py", line 153, in get_network_legacy_facts
  File "/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base.py", line 53, in populate
TypeError: 'NoneType' object is not subscriptable
fatal: [10.10.10.10]: FAILED! => {
    "changed": false,
    "module_stderr": "Traceback (most recent call last):\n  File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/username/.ansible/tmp/ansible-local-20434zhssd7kn/ansible-tmp-1593484927.7340422-65588891130478/AnsiballZ_asa_facts.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_facts', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib/python3.6/runpy.py\", line 205, in run_module\n    return _run_module_code(code, init_globals, run_name, mod_spec)\n  File \"/usr/lib/python3.6/runpy.py\", line 96, in _run_module_code\n    mod_name, mod_spec, pkg_name, script_name)\n  File \"/usr/lib/python3.6/runpy.py\", line 85, in _run_code\n    exec(code, run_globals)\n  File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py\", line 206, in <module>\n  File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_facts.py\", line 197, in main\n  File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py\", line 64, in get_facts\n  File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py\", line 153, in get_network_legacy_facts\n  File \"/tmp/ansible_cisco.asa.asa_facts_payload_ltlft16w/ansible_cisco.asa.asa_facts_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/legacy/base.py\", line 53, in populate\nTypeError: 'NoneType' object is not subscriptable\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error",
    "rc": 1
}

PLAY RECAP ******************************************************************************************************************************************
10.10.10.10                  : ok=1    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Error when using "any" as source or destination in asa_acls playbook

SUMMARY

Facing an error when trying to set a source or destination to any in a playbook while using the asa_acls module.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
ansible --version
ansible 2.9.9
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/abusse/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
CONFIGURATION
ansible-config dump --only-changed
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = auto_legacy_silent
OS / ENVIRONMENT

Debian 10.4
ASA is running version 9.9(1)2

STEPS TO REPRODUCE

Collections used:

ansible.netcommon:0.0.3-dev51
cisco.asa:0.0.2-dev15

Playbook used:

---
- hosts: devpn

  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./credentials.yml

  collections:
    - cisco.asa

  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls: &id001
        config:
          - acls:
            - name: ansible_test
              acl_type: extended
              aces:
                - remark: HostA
                - grant: permit
                  protocol: ip
                  source:
                    host: 1.1.1.1
                  destination:
                    any: true
                - remark: HostB
                - grant: permit
                  protocol: ip
                  source:
                    host: 2.2.2.2
                  destination:
                    any: true
                - remark: HostC
                - grant: permit
                  protocol: ip
                  source:
                    host: 3.3.3.3
                  destination:
                    any: true
        state: replaced
EXPECTED RESULTS

The output below should be the result on the ASA.

devpn# sh run access-list ansible_test
access-list ansible_test remark HostA
access-list ansible_test extended permit ip host 1.1.1.1 any
access-list ansible_test remark HostB
access-list ansible_test extended permit ip host 2.2.2.2 any
access-list ansible_test remark HostC
access-list ansible_test extended permit ip host 3.3.3.3 any
ACTUAL RESULTS
$ ansible-playbook --ask-vault-pass --check -i staging acl.yml -v
Using /etc/ansible/ansible.cfg as config file
Vault password:

PLAY [devpn] ******************************************************************************************************************************************************

TASK [TASK 1: Create ansible_test ACL] ****************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'any' is not in list
fatal: [devpn]: FAILED! => changed=false
  ansible_facts:
    discovered_interpreter_python: /usr/bin/python
  module_stderr: |-
    Traceback (most recent call last):
      File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 102, in <module>
        _ansiballz_main()
      File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
        invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
      File "/home/abusse/.ansible/tmp/ansible-local-15293098Y72/ansible-tmp-1591790115.48-15300-4341809460479/AnsiballZ_asa_acls.py", line 40, in invoke_module
        runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
      File "/usr/lib/python2.7/runpy.py", line 188, in run_module
        fname, loader, pkg_name)
      File "/usr/lib/python2.7/runpy.py", line 82, in _run_module_code
        mod_name, mod_fname, mod_loader, pkg_name)
      File "/usr/lib/python2.7/runpy.py", line 72, in _run_code
        exec code in run_globals
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1194, in <module>
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1189, in main
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 71, in execute_module
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 53, in get_acls_facts
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py", line 60, in get_facts
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py", line 131, in get_network_resources_facts
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 70, in populate_facts
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 397, in render_config
      File "/tmp/ansible_asa_acls_payload_qAh3jF/ansible_asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py", line 193, in populate_source_destination
    ValueError: 'any' is not in list
  module_stdout: ''
  msg: |-
    MODULE FAILURE
    See stdout/stderr for the exact error
  rc: 1

PLAY RECAP ********************************************************************************************************************************************************
devpn                      : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0
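The traceback above ends in populate_source_destination with ValueError: 'any' is not in list, which is the facts parser looking for an operand after the address token and not expecting the bare keyword any. As an added example (not code from the cisco.asa collection or from the reporter), here is a small standalone parser for ASA extended ACL lines that treats any/any4/any6, host, object, object-group, interface and network/mask forms uniformly. The sample config is constructed from the lines the issue expects on the ASA, plus a few extra address forms.

```python
import ipaddress
from typing import Dict, List, Optional, Tuple

# Address keywords that carry no operand.
ANY_KEYWORDS = ("any", "any4", "any6")
# Address keywords that take exactly one operand.
ONE_ARG_KEYWORDS = ("host", "object", "object-group", "interface")


def _take_address(tokens: List[str], pos: int) -> Tuple[Dict, int]:
    """Consume one source/destination spec starting at tokens[pos].
    Returns (spec_dict, next_pos)."""
    tok = tokens[pos]
    if tok in ANY_KEYWORDS:
        return {tok: True}, pos + 1
    if tok in ONE_ARG_KEYWORDS:
        return {tok.replace("-", "_"): tokens[pos + 1]}, pos + 2
    # Otherwise expect "<prefix>/<len>" (IPv6) or "<network> <mask>" (IPv4).
    if "/" in tok:
        return {"address": str(ipaddress.ip_network(tok, strict=False))}, pos + 1
    net = ipaddress.ip_network(f"{tok}/{tokens[pos + 1]}", strict=False)
    return {"address": str(net)}, pos + 2


def parse_ace(line: str) -> Optional[Dict]:
    """Parse one 'access-list <name> ...' line from 'show running-config access-list'.
    Returns None for lines that are neither extended ACEs nor remarks."""
    tokens = line.split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        return None
    name = tokens[1]
    if tokens[2] == "remark":
        return {"acl": name, "remark": " ".join(tokens[3:])}
    if tokens[2] != "extended":
        return None  # standard/webtype ACLs are out of scope here
    grant, protocol = tokens[3], tokens[4]
    source, pos = _take_address(tokens, 5)
    destination, pos = _take_address(tokens, pos)
    ace = {"acl": name, "grant": grant, "protocol": protocol,
           "source": source, "destination": destination}
    # Anything left is port operators, log/time-range options etc.; keep it raw.
    if pos < len(tokens):
        ace["rest"] = " ".join(tokens[pos:])
    return ace


def parse_acl_config(config: str) -> Dict[str, List[Dict]]:
    """Group parsed ACEs by ACL name, preserving device order."""
    acls: Dict[str, List[Dict]] = {}
    for line in config.splitlines():
        ace = parse_ace(line.strip())
        if ace:
            acls.setdefault(ace.pop("acl"), []).append(ace)
    return acls


# Constructed sample: the lines the issue expects on the ASA, plus other
# address forms so that 'any' is exercised next to them.
SAMPLE_CONFIG = """\
access-list ansible_test remark HostA
access-list ansible_test extended permit ip host 1.1.1.1 any
access-list ansible_test remark HostB
access-list ansible_test extended permit ip host 2.2.2.2 any
access-list ansible_test extended permit tcp any4 object-group WEB_SERVERS eq 443
access-list ansible_test extended deny ip 10.0.0.0 255.0.0.0 192.0.2.0 255.255.255.0
access-list ansible_test extended permit ip 2001:db8::/32 any6 log
"""

if __name__ == "__main__":
    import json
    print(json.dumps(parse_acl_config(SAMPLE_CONFIG), indent=2))
```

The point of the uniform table of keywords is that any is just another address form with zero operands; a parser that only knows host and object-group has to special-case it, which is where the list lookup in the traceback fails.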

state:deleted removes wrong object-group

SUMMARY

When using the module cisco.asa.asa_ogs with state: deleted, it does not delete the correct object-group. It deletes the object-group used in the previous task.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_ogs:
state: deleted

ANSIBLE VERSION
ansible 2.9.13
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/kolpakoff/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Apr  2 2020, 13:16:51) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]
CONFIGURATION
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = [u'/home/kolpakoff/ansible/inventory']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
OS / ENVIRONMENT

CentOS Linux release 7.8.2003 (Core)
Tested on ASA software 9.10(1), 9.4(3)

STEPS TO REPRODUCE
---
- hosts: asa_all
  tasks:

  - name: Creating object-group 'test1'
    cisco.asa.asa_ogs:
      config:
        - object_type: network
          object_groups:
            - name: "test1"
              description: "test1 hosts"
              network_object:
                host:
                  - 192.168.21.1
                  - 192.168.21.2
      state: replaced

  - name: Remove old groups
    cisco.asa.asa_ogs:
      config:
        - object_type: network
          object_groups:
            - name: "old_test"
      state: deleted
EXPECTED RESULTS

Created object-group "test1"
Removed object-group "old_test"

ACTUAL RESULTS

Object-group "test1" created and then removed.

TASK [Creating object-group 'test1'] ****************************************************************************
changed: [w220] => {
    "after": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "before": {},
    "changed": true,
    "commands": [
        "object-group network test1",
        "description test1 hosts",
        "network-object host 192.168.21.1",
        "network-object host 192.168.21.2"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_groups": [
                        {
                            "description": "test1 hosts",
                            "icmp_type": null,
                            "name": "test1",
                            "network_object": {
                                "address": null,
                                "host": [
                                    "192.168.21.1",
                                    "192.168.21.2"
                                ],
                                "ipv6_address": null
                            },
                            "protocol_object": null,
                            "security_group": null,
                            "service_object": null,
                            "user_object": null
                        }
                    ],
                    "object_type": "network"
                }
            ],
            "running_config": null,
            "state": "replaced"
        }
    }
}

TASK [Remove old groups] ****************************************************************************************
changed: [w220] => {
    "after": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "before": [
        {
            "object_groups": [
                {
                    "description": "test1 hosts",
                    "name": "test1",
                    "network_object": {
                        "host": [
                            "192.168.21.1",
                            "192.168.21.2"
                        ]
                    }
                }
            ],
            "object_type": "network"
        }
    ],
    "changed": true,
    "commands": [
        "no object-group network test1"
    ],
    "invocation": {
        "module_args": {
            "config": [
                {
                    "object_groups": [
                        {
                            "description": null,
                            "icmp_type": null,
                            "name": "old_test",
                            "network_object": null,
                            "protocol_object": null,
                            "security_group": null,
                            "service_object": null,
                            "user_object": null
                        }
                    ],
                    "object_type": "network"
                }
            ],
            "running_config": null,
            "state": "deleted"
        }
    }
}
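In the second task's output the module emits `no object-group network test1` although the request named only `old_test`, and `old_test` is absent from `before`. As an added illustration (not the collection's code), here is how a deleted-state diff should be computed: only groups that are both named in the request and present in the gathered config produce a `no` command, and a name missing from the device produces nothing. The have/want structures are constructed from the task output in the issue.

```python
from typing import Dict, Iterable, List, Tuple


def index_by_name(config: Iterable[Dict]) -> Dict[Tuple[str, str], Dict]:
    """Flatten the asa_ogs 'config' structure into {(object_type, name): group}."""
    index: Dict[Tuple[str, str], Dict] = {}
    for block in config or []:
        for group in block.get("object_groups", []):
            index[(block["object_type"], group["name"])] = group
    return index


def deleted_commands(want: List[Dict], have: List[Dict]) -> List[str]:
    """Commands for state=deleted.

    With a non-empty 'want', only the named groups that exist on the device
    are removed; an unknown name is a no-op. With an empty 'want' every group
    in 'have' is removed, which is the documented meaning of deleted without
    config. The device config ('have') is never used as the target list when
    the caller supplied names."""
    have_idx = index_by_name(have)
    if not want:
        targets = list(have_idx)
    else:
        targets = [key for key in index_by_name(want) if key in have_idx]
    return [f"no object-group {otype} {name}" for otype, name in targets]


# Constructed from the task output in the issue: the device holds test1 and
# the second task asks to delete old_test, which does not exist on the device.
HAVE = [{"object_type": "network",
         "object_groups": [{"name": "test1", "description": "test1 hosts",
                            "network_object": {"host": ["192.168.21.1",
                                                        "192.168.21.2"]}}]}]
WANT_OLD_TEST = [{"object_type": "network",
                  "object_groups": [{"name": "old_test"}]}]
WANT_TEST1 = [{"object_type": "network",
               "object_groups": [{"name": "test1"}]}]

if __name__ == "__main__":
    print(deleted_commands(WANT_OLD_TEST, HAVE))  # nothing to delete
    print(deleted_commands(WANT_TEST1, HAVE))     # removes test1 only
    print(deleted_commands([], HAVE))             # empty want: remove all
```

A useful guard in a playbook until this is fixed is to gather ogs facts first and assert that the group you are about to delete is actually in the result, so a wrong `no object-group` never reaches the firewall.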

How to Remove Cisco ASA Firewall boot Variables with Ansible

From @reuben3010 on Jul 13, 2020 00:10

I am running a project to upgrade multiple Cisco 5506X firewalls, and my challenge is that I have some firewalls that have primary and secondary boot systems configured and some firewalls that have only one boot system configured. Given this, how do I build the logic that uses Ansible to remove the boot variables and update them with the new software without getting errors? I have written the code for this but I keep getting errors.

Copied from original issue: ansible/ansible#70588
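The question above has no answer on this page. As an added example (not from the reporter or the collection), here is the command-generation step for the situation described: however many `boot system` lines the running config currently has, negate each one that is present and then add the single new line, so the same logic works on a firewall with one or with two boot variables. The boot-config text and image names are constructed; in a playbook, `asa_command` with `show running-config boot` would supply the real text and `asa_config` with `lines:` would push the result.

```python
import re
from typing import List

BOOT_RE = re.compile(r"^boot system (\S+)\s*$")


def current_boot_images(running_boot: str) -> List[str]:
    """Return the boot images in the order the ASA lists them (primary first)."""
    images = []
    for line in running_boot.splitlines():
        m = BOOT_RE.match(line.strip())
        if m:
            images.append(m.group(1))
    return images


def boot_update_commands(running_boot: str, new_image: str) -> List[str]:
    """Commands that leave exactly one 'boot system <new_image>' line.

    Works the same whether the device has zero, one or two boot variables.
    Only lines the device actually reports are negated, so the task never
    tries to remove a variable that is not set, and if the only configured
    image is already new_image nothing is emitted (idempotent)."""
    images = current_boot_images(running_boot)
    if images == [new_image]:
        return []
    commands = [f"no boot system {img}" for img in images if img != new_image]
    if new_image not in images:
        commands.append(f"boot system {new_image}")
    return commands


# Constructed running-config fragments for the two firewall populations
# described in the question (image file names are made up).
TWO_BOOT = ("boot system disk0:/asa-primary-old.SPA\n"
            "boot system disk0:/asa-secondary-old.SPA\n")
ONE_BOOT = "boot system disk0:/asa-secondary-old.SPA\n"
NEW_IMAGE = "disk0:/asa-new.SPA"

if __name__ == "__main__":
    for cfg in (TWO_BOOT, ONE_BOOT, ""):
        print(boot_update_commands(cfg, NEW_IMAGE))
```

Push the generated list in the order returned: the `no` lines first, then the new `boot system` line, followed by a write and a verification of `show bootvar` before any reload.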

Inclusion of cisco.asa in Ansible 2.10

This collection will be included in Ansible 2.10 because it contains modules and/or plugins that were included in Ansible 2.9. Please review:

DEADLINE: 2020-08-18

The latest version of the collection available on August 18 will be included in Ansible 2.10.0, except possibly newer versions which differ only in the patch level. (For details, see the roadmap). Please release version 1.0.0 of your collection by this date! If 1.0.0 does not exist, the same 0.x.y version will be used in all of Ansible 2.10 without updates, and your 1.x.y release will not be included until Ansible 2.11 (unless you request an exception at a community working group meeting and go through a demanding manual process to vouch for backwards compatibility . . . you want to avoid this!).

Follow semantic versioning rules

Your collection versioning must follow all semver rules. This means:

  • Patch level releases can only contain bugfixes;
  • Minor releases can contain new features, new modules and plugins, and bugfixes, but must not break backwards compatibility;
  • Major releases can break backwards compatibility.

Changelogs and Porting Guide

Your collection should provide data for the Ansible 2.10 changelog and porting guide. The changelog and porting guide are automatically generated from ansible-base, and from the changelogs of the included collections. All changes from the breaking_changes, major_changes, removed_features and deprecated_features sections will appear in both the changelog and the porting guide. You have two options for providing changelog fragments to include:

  1. If possible, use the antsibull-changelog tool, which uses the same changelog fragment as the ansible/ansible repository (see the documentation).
  2. If you cannot use antsibull-changelog, you can provide the changelog in a machine-readable format as changelogs/changelog.yaml inside your collection (see the documentation of changelogs/changelog.yaml format).

If you cannot contribute to the integrated Ansible changelog using one of these methods, please provide a link to your collection's changelog by creating an issue in https://github.com/ansible-community/ansible-build-data/. If you do not provide changelogs/changelog.yml or a link, users will not be able to find out what changed in your collection from the Ansible changelog and porting guide.

Make sure your collection passes the sanity tests

Run ansible-test sanity --docker -v in the collection with the latest ansible-base or stable-2.10 ansible/ansible checkout.

Keep informed

Be sure you're subscribed to:

Questions and Feedback

If you have questions or want to provide feedback, please see the Feedback section in the collection requirements.

(Internal link to keep track of issues: ansible-collections/overview#102)

Incorrect documentation for "passwords" variable

SUMMARY

The description for the passwords parameter is incorrect. It was copy/pasted directly from the context parameter.

ISSUE TYPE
  • Documentation Report
COMPONENT NAME

doc_fragments/asa.py

ANSIBLE VERSION
(venv) ➜  venv ansible --version
ansible 2.10.7
  config file = None
  configured module search path = ['/Users/matt/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /Users/matt/environments/venv/lib/python3.9/site-packages/ansible
  executable location = /Users/matt/environments/venv/bin/ansible
  python version = 3.9.6 (default, Jun 29 2021, 05:25:02) [Clang 12.0.5 (clang-1205.0.22.9)]

asa_ogs: "Unsupported parameters" in network_object

SUMMARY

Module asa_ogs shows unexpected behavior while using the network_object parameter.

ISSUE TYPE

  • Bug Report

COMPONENT NAME

  • cisco.asa.asa_ogs

ANSIBLE VERSION

ansible 2.9.9
python version = 3.8.5 (default, Jan 27 2021, 15:41:15) [GCC 9.3.0]

CONFIGURATION

command_timeout = 60
host_key_checking = False

OS / ENVIRONMENT

Tested against ASA 5525-X - Version: 9.14(2)8,
Ansible running on Ubuntu 20.04.2 LTS

STEPS TO REPRODUCE

Run the asa_ogs module with the "network_object" parameter in a task.
The following task, taken from the documentation (https://github.com/ansible-collections/cisco.asa/blob/main/docs/cisco.asa.asa_ogs_module.rst), is an example:

- name: "Merge module attributes of given object-group"
  cisco.asa.asa_ogs:
    config:
    - object_type: network
      object_groups:
        - name: test_og_network
          description: test_og_network
          network_object:
            host:
              - 192.0.2.1
              - 192.0.2.2
            address:
              - 192.0.2.0 255.255.255.0
              - 198.51.100.0 255.255.255.0

EXPECTED RESULTS

Module creates network object as specified.

ACTUAL RESULTS

Module raises the following error at playbook launch:

"msg": "Unsupported parameters for (basic.py) module: object found in config -> object_groups -> network_object. Supported parameters include: address, host, ipv6_address"

Ansible_net_model is not returned in facts

SUMMARY

Return value "ansible_net_model" is absent when requesting ASA facts via CISCO ASA Ansible Collection.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_facts – Collect facts from remote devices running Cisco ASA

ANSIBLE VERSION
ansible 2.10.3
CONFIGURATION
COLLECTIONS_PATHS(/etc/ansible/ansible.cfg) = ['/etc/ansible/collections']
DEFAULT_ROLES_PATH(/etc/ansible/ansible.cfg) = ['/etc/ansible/roles']
OS / ENVIRONMENT

For example: Cisco ASA5508, Cisco FPR2110

STEPS TO REPRODUCE

Get facts from device using "cisco.asa.asa_facts" plugin

- hosts: asa
  connection: network_cli
  gather_facts: no

  vars:
    ansible_python_interpreter: /usr/bin/python3.6
    ansible_user: name
    ansible_ssh_pass: passwd
    ansible_become: true
    ansible_become_method: ansible.netcommon.enable
    ansible_become_pass: become_password
    ansible_connection: ansible.netcommon.network_cli
    ansible_network_os: cisco.asa.asa

  collections:
    - cisco.asa

  tasks:
    - name: Gather all legacy facts
      asa_facts:
        gather_subset: all
EXPECTED RESULTS

I expect to see "ansible_net_model" in returned value as it stated in documentation https://docs.ansible.com/ansible/2.10/collections/cisco/asa/asa_facts_module.html

ACTUAL RESULTS

"ansible_net_model" is not seen in response.

State: replaced not replacing all lines of ACL

SUMMARY

When running a playbook to replace a certain ACL with new/modified lines it leaves orphaned lines behind without deleting them.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
ansible 2.9.15
  config file = /etc/ansible/ansible.cfg
  configured module search path = [u'/home/abusse/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.16 (default, Oct 10 2019, 22:02:15) [GCC 8.3.0]
CONFIGURATION
DEFAULT_STDOUT_CALLBACK(/etc/ansible/ansible.cfg) = yaml
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = auto_legacy_silent
OS / ENVIRONMENT

Debian 10.6
ASA is running version 9.9(1)2

STEPS TO REPRODUCE

Collections used:

ansible.netcommon:1.4.2-dev2
cisco.asa:1.0.4

Before state:

# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostA
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 3 remark HostB
access-list ansible_test line 4 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 5 remark HostC
access-list ansible_test line 6 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5

Playbook used:

---
- hosts: devpn

  connection: network_cli
  gather_facts: no
  become: yes
  become_method: enable
  vars_files:
    - ./svc_credentials.yml

  collections:
    - cisco.asa

  tasks:
    - name: "TASK 1: Create ansible_test ACL"
      asa_acls:
        config:
          acls:
          - name: ansible_test
            acl_type: extended
            aces:
              - line: 1
                remark: HostA0
              - grant: deny
                line: 2
                protocol: ip
                source:
                  host: 1.1.1.1
                destination:
                  any4: true
              - line: 3
                remark: HostB1
              - grant: permit
                line: 4
                protocol: ip
                source:
                  host: 2.2.2.2
                destination:
                  any4: true
              - line: 5
                remark: HostC2
              - grant: permit
                line: 6
                protocol: ip
                source:
                  host: 3.3.3.3
                destination:
                  any4: true
        state: replaced
EXPECTED RESULTS
# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostA0
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 3 remark HostB1
access-list ansible_test line 4 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 5 remark HostC2
access-list ansible_test line 6 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5
ACTUAL RESULTS

The ACL has been partially updated but left old remarks behind.

# sh access-list ansible_test
access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostAA
access-list ansible_test line 2 remark HostA
access-list ansible_test line 3 remark HostBB
access-list ansible_test line 4 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
access-list ansible_test line 5 remark HostCC
access-list ansible_test line 6 remark HostB
access-list ansible_test line 7 extended permit ip host 2.2.2.2 any4 (hitcnt=0) 0x44cd4b7e
access-list ansible_test line 8 remark HostC
access-list ansible_test line 9 extended permit ip host 3.3.3.3 any4 (hitcnt=0) 0x4c8c99d5

asa_acls fails with replaced when trying to remove an ACE with an IPv6 source address

SUMMARY

asa_acls with state: replaced fails to remove ACEs with IPv6 source addresses.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.15
  python version = 3.8.2 (default, Jul  4 2020, 11:16:10) [GCC 8.3.0]
CONFIGURATION
ENABLE_TASK_DEBUGGER(env: ANSIBLE_ENABLE_TASK_DEBUGGER) = True
OS / ENVIRONMENT

ASA 5506 9.15(1)10

STEPS TO REPRODUCE
  1. Add an ACE with an IPv6 source host on the ASA that is not in the Ansible ACL config
access-list TEST-ACL line 9 extended permit ip host 2001:db8::1 any6
  2. Run the module with state: replaced
  3. The module fails to run and the ACE is not removed.
EXPECTED RESULTS

A complete command is sent to the device to remove the ACE.

no access-list TEST-ACL line 9 extended permit ip host 2001:db8::1 any6
ACTUAL RESULTS

The ACE is not removed because an incomplete command is being sent:

[ASA] TASK: asa_acls : Ensure ACLs are configured (debug)> p result._result['commands']
['no access-list TEST-ACL line 9 extended permit ip', <-- The command is incomplete.

[...]

before is also incorrect and doesn't contain any ACEs with ip host <ipv6 address>.

asa_acls Duplicate Element Doesn't Fail or Move Correctly

SUMMARY

When specifying a line in the ACE entry the module reports changed if that ACE is not present at that line but fails to correctly move it. This makes the play not idempotent because each run will report changed and fail to move the line successfully.

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION
ansible 2.9.23
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/home/darkhelmet/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /home/darkhelmet/.venvs/py2-tower-3.8.3/lib/python3.9/site-packages/ansible
  executable location = /home/darkhelmet/.venvs/py2-tower-3.8.3/bin/ansible
  python version = 3.9.6 (default, Jul 16 2021, 00:00:00) [GCC 11.1.1 20210531 (Red Hat 11.1.1-3)]
COLLECTION VERSION
# /home/darkhelmet/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2  
CONFIGURATION

OS / ENVIRONMENT

ASAv 9.12(4)

STEPS TO REPRODUCE

On the ASA create an ACL like:

access-list abcd extended permit ip any4 host 1.1.1.1 
access-list abcd extended permit ip any4 host 8.8.8.8 
access-list abcd extended permit ip any4 host 9.9.9.9

Then use merged to add a line at position 2:

    - cisco.asa.asa_acls:
        config:
          acls:
            - name: abcd
              acl_type: extended
              aces:
                - grant: deny
                  line: 2
                  protocol_options:
                    ip: true
                  source:
                    any4: true
                  destination:
                    host: 8.8.4.4
        state: merged

Go to the CLI of the ASA and add an ACL entry at line 2 (that pushes the one we just added to line 2)

access-list abcd line 2 extended deny ip any4 host 1.0.0.1

Then run the above play again. You'll see it tries to run:

    "commands": [
        "access-list abcd line 2 extended deny ip any4 host 8.8.4.4"
    ],
EXPECTED RESULTS

Ideally, the playbook removes the line and re-adds it, which allows the play to truly "change" successfully. Because it may change a live ACL on the device that "could" affect management, it may be preferable to "fail" out and allow the playbook author to handle the move separately. Either solution is alright in the long run. Right now it's just not idempotent because the move fails.

ACTUAL RESULTS

It results in the following at the CLI:

ciscoasa(config)# access-list abcd line 2 extended deny ip any4 host 8.8.4.4
WARNING: <abcd> found duplicate element
access-list abcd line 2 extended deny ip any4 host 8.8.4.4

The task reports "changed" and moves on.

@nj344170w and @russ-jenkins

Problem when object-group contains dot "." symbol

SUMMARY

When an object-group name contains a dot "." symbol, "address" and "netmask" appear in the parsed output but should not.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_acls

ANSIBLE VERSION
ansible 2.10.5
COLLECTION VERSION
dmitry@host:~$ ansible-galaxy collection list cisco.asa

# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa  1.0.4

# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2
CONFIGURATION

OS / ENVIRONMENT

Ubuntu Server 21.04

STEPS TO REPRODUCE
dmitry@host:~$ cat small.txt
access-list l2_r_in line 480 extended permit tcp 10.20.20.0 255.255.255.0 object-group ALLSERV.12 eq 9389
access-list l2_r_in line 481 extended permit tcp 10.20.20.0 255.255.255.0 object-group ALLSERV12 eq 9389
---

- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
EXPECTED RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {
                        "destination": {
                            "object_group": "ALLSERV.12",
                            "port_protocol": {
                                "eq": "9389"
                            }
                        },
                        "grant": "permit",
                        "line": 480,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.20.20.0",
                            "netmask": "255.255.255.0"
                        }
                    },
                    {
                        "destination": {
                            "object_group": "ALLSERV12",
                            "port_protocol": {
                                "eq": "9389"
                            }
                        },
                        "grant": "permit",
                        "line": 481,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.20.20.0",
                            "netmask": "255.255.255.0"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "l2_r_in"
            }
        ]
    }

ACTUAL RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {
                        "destination": {
                            "address": "object-group",    <---- EXTRA LINES
                            "netmask": "ALLSERV.12",    <---- EXTRA LINES
                            "object_group": "ALLSERV.12",
                            "port_protocol": {
                                "eq": "9389"
                            }
                        },
                        "grant": "permit",
                        "line": 480,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.20.20.0",
                            "netmask": "255.255.255.0"
                        }
                    },
                    {
                        "destination": {
                            "object_group": "ALLSERV12",
                            "port_protocol": {
                                "eq": "9389"
                            }
                        },
                        "grant": "permit",
                        "line": 481,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "address": "10.20.20.0",
                            "netmask": "255.255.255.0"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "l2_r_in"
            }
        ]
    }
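The three asa_acls reports above (the incomplete `no` command for an IPv6 host, the stale remarks left behind under state: replaced, and the dotted object-group name parsed as address/netmask) come down to how `show access-list` lines are tokenised and compared. The block below is an added example, not the cisco.asa collection's own parser (which is built on ansible.netcommon rm_templates): it parses an assumed subset of the ASA ACE grammar (extended ACEs with a named protocol, plus remarks; object or service-object protocols, time-range and inactive keywords are out of scope) keyword by keyword, renders an entry back so that a negated command is always complete, and diffs two ACL states by content rather than by line number. The BEFORE and WANT samples are constructed from the entries quoted in the reports.

```python
"""Parse Cisco ASA access-list entries into resource-module style dicts and render
them back as CLI commands. Added example, not the cisco.asa collection's own parser;
the grammar handled is an assumed subset: extended ACEs with a named protocol, remarks."""
import re

IPV4 = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# 'show access-list' appends a hit counter and a hash that are not configuration.
SHOW_SUFFIX = re.compile(r"\s*\(hitcnt=\d+\)(?:\s+0x[0-9a-fA-F]+)?\s*$")
PORT_OPS = {"eq": 1, "neq": 1, "lt": 1, "gt": 1, "range": 2}
ANY = ("any", "any4", "any6")
# CLI keyword -> attribute name; each of these keywords takes exactly one operand.
KEYWORDS = {"host": "host", "object-group": "object_group",
            "object": "object", "interface": "interface"}

def _parse_endpoint(tokens, i):
    """Consume one source or destination starting at tokens[i]; return (dict, next i)."""
    tok = tokens[i]
    if tok in ANY:
        return {tok: True}, i + 1
    if tok in KEYWORDS:
        # Operand taken verbatim: ALLSERV.12 is never read as address/netmask, 2001:db8::1 is kept.
        return {KEYWORDS[tok]: tokens[i + 1]}, i + 2
    if IPV4.match(tok) and i + 1 < len(tokens) and IPV4.match(tokens[i + 1]):
        return {"address": tok, "netmask": tokens[i + 1]}, i + 2
    if ":" in tok:  # IPv6 prefix such as 2001:db8::/32
        return {"address": tok}, i + 1
    raise ValueError("unrecognised endpoint %r" % tok)

def _parse_ports(tokens, i):
    """Consume an optional port operator (eq/neq/lt/gt/range) after an endpoint."""
    if i < len(tokens) and tokens[i] in PORT_OPS:
        n = PORT_OPS[tokens[i]]
        return {tokens[i]: " ".join(tokens[i + 1:i + 1 + n])}, i + 1 + n
    return {}, i

def parse_ace(line):
    """Parse one access-list line, in running-config or 'show access-list' form."""
    tokens = SHOW_SUFFIX.sub("", line.strip()).split()
    if len(tokens) < 3 or tokens[0] != "access-list":
        raise ValueError("not an access-list entry: %r" % line)
    ace, i = {"name": tokens[1]}, 2
    if tokens[i] == "line":
        ace["line"], i = int(tokens[i + 1]), i + 2
    if tokens[i] == "remark":
        ace["remark"] = " ".join(tokens[i + 1:])
        return ace
    if tokens[i] != "extended":
        raise ValueError("only extended ACEs are handled: %r" % line)
    ace["acl_type"], ace["grant"], ace["protocol"] = tokens[i:i + 3]
    i += 3
    for side in ("source", "destination"):
        ace[side], i = _parse_endpoint(tokens, i)
        ports, i = _parse_ports(tokens, i)
        if ports:
            ace[side]["port_protocol"] = ports
    if tokens[i:]:
        ace["options"] = tokens[i:]  # trailing keywords such as ['log', 'default']
    return ace

def parse_access_list(text):
    """Parse config or 'show access-list' output, skipping the 'NAME; N elements' summary."""
    return [parse_ace(ln) for ln in text.splitlines()
            if ln.startswith("access-list ") and not ln.split()[1].endswith(";")]

def _render_endpoint(ep):
    parts = [k for k in ANY if ep.get(k)]
    for kw, attr in KEYWORDS.items():
        if attr in ep:
            parts = [kw, ep[attr]]
    if "address" in ep:
        parts = [ep["address"]] + ([ep["netmask"]] if "netmask" in ep else [])
    for op, val in ep.get("port_protocol", {}).items():
        parts += [op, val]
    return " ".join(parts)

def render_ace(ace, negate=False, with_line=True):
    """Render an ACE back to CLI form; with negate=True the complete entry follows 'no '."""
    parts = ["access-list", ace["name"]]
    if with_line and "line" in ace:
        parts += ["line", str(ace["line"])]
    if "remark" in ace:
        parts += ["remark", ace["remark"]]
    else:
        parts += [ace["acl_type"], ace["grant"], ace["protocol"],
                  _render_endpoint(ace["source"]), _render_endpoint(ace["destination"])]
        parts += ace.get("options", [])
    return ("no " if negate else "") + " ".join(parts)

def replace_commands(have, want):
    """Commands turning ACL state `have` into `want`: remove every entry not wanted
    (matched by content, so a stale remark goes too), then add what is missing.
    Removals omit the line number because each removal renumbers later entries."""
    key = lambda a: render_ace(a, with_line=False)
    want_keys, have_keys = {key(a) for a in want}, {key(a) for a in have}
    cmds = [render_ace(a, negate=True, with_line=False) for a in have if key(a) not in want_keys]
    return cmds + [render_ace(a) for a in want if key(a) not in have_keys]

# Constructed sample input, modelled on the entries quoted in the reports above.
BEFORE = """access-list ansible_test; 3 elements; name hash: 0x1b2b1138
access-list ansible_test line 1 remark HostA
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4 (hitcnt=0) 0xc24d3351
"""
WANT = """access-list ansible_test line 1 remark HostA0
access-list ansible_test line 2 extended deny ip host 1.1.1.1 any4
"""
```

Calling replace_commands(parse_access_list(BEFORE), parse_access_list(WANT)) yields the removal of the stale HostA remark followed by the add of HostA0, with the unchanged deny entry left alone. The parser is keyword-driven rather than regex-per-field, which is what keeps ALLSERV.12 out of the address and netmask slots, and the renderer rebuilds the whole entry before prefixing `no`, so parse_ace on the IPv6 line from the report produces the complete command that report expected.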

asa_ogs and asa_acls: gathered status results in ImportError for jinja2

SUMMARY

When trying to run the asa_ogs or asa_acls modules with the "status: gathered" parameter as illustrated in the documentation examples, the error, "ImportError: jinja2 is required but does not appear to be installed" is received.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_ogs
cisco.asa.asa_acls

ANSIBLE VERSION
Thu May 20 12:53:37 test_playbooks $ ansible --version
ansible 2.10.3
  config file = None
  configured module search path = ['<path>/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = <path>/Library/Python/3.8/lib/python/site-packages/ansible
  executable location = <path>/Library/Python/3.8/bin/ansible
  python version = 3.8.2 (default, Apr  8 2021, 23:19:18) [Clang 12.0.5 (clang-1205.0.22.9)]
Thu May 20 12:53:44 test_playbooks $ ansible-galaxy collection list

# <path>/.ansible/collections/ansible_collections
Collection             Version
---------------------- -------
ansible.netcommon      2.0.0  
ansible.utils          2.0.1  
cisco.asa              2.0.2  
paloaltonetworks.panos 2.5.0  
Thu May 20 12:53:53 test_playbooks $ 

Even after upgrading netcommon and utils the errors remain:

Thu May 20 13:28:22 test_playbooks $ ansible-galaxy collection list

# <path>/.ansible/collections/ansible_collections
Collection             Version
---------------------- -------
ansible.netcommon      2.1.0  
ansible.utils          2.2.0  
cisco.asa              2.0.2  
paloaltonetworks.panos 2.5.0  
Thu May 20 13:28:26 test_playbooks $ 
CONFIGURATION
Thu May 20 13:37:28 test_playbooks $ ansible-config dump --only-changed
Thu May 20 13:37:32 test_playbooks 
OS / ENVIRONMENT

MacOS 11.3.1 (20E241)
jinja2 is definitely installed and works for other playbooks, as templates are used often:

Thu May 20 12:59:58 ~ $ pip install jinja2
Defaulting to user installation because normal site-packages is not writeable
Requirement already satisfied: jinja2 in ./Library/Python/3.8/lib/python/site-packages (2.11.2)
Requirement already satisfied: MarkupSafe>=0.23 in ./Library/Python/3.8/lib/python/site-packages (from jinja2) (1.1.1)
Thu May 20 13:00:29 ~ $

STEPS TO REPRODUCE

Create a playbook with the sample task for "status: gathered" from the module documentation for either the asa_ogs or asa_acls

# Task configuration (as shown in the documentation examples):

- name: Gather listed OGs with provided configurations
  cisco.asa.asa_ogs:
    config:
    state: gathered

# Same for ACLs:

- name: Gather listed ACLs with provided configurations
  cisco.asa.asa_acls:
    config:
    state: gathered
EXPECTED RESULTS

Object-groups or ACLs are gathered

ACTUAL RESULTS

ImportError for jinja2

Thu May 20 12:52:12 test_playbooks $ ansible-playbook -i ../inventory test_asa_gather_network_groups.yml 

PLAY [Testing cisco.asa.asa_ogs module] *********************************************************************************************************************

TASK [Gather listed OGs with provided configurations] *******************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: jinja2 is required but does not appear to be installed.  It can be installed using `pip install jinja2`
[WARNING]: Platform darwin on host <ip> is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python
interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more
information.
fatal: [<ip>]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"<path>/.ansible/tmp/ansible-local-16526dqu7n_cj/ansible-tmp-1621536739.773023-16530-253068423146480/AnsiballZ_asa_ogs.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_ogs', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 188, in run_module\n    fname, loader, pkg_name)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py\", line 918, in <module>\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_ogs.py\", line 912, in main\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/ogs/ogs.py\", line 
48, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/rm_templates/ogs.py\", line 111, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/rm_base/network_template.py\", line 27, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_ogs_payload_ezyOck/ansible_cisco.asa.asa_ogs_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils.py\", line 726, in __init__\nImportError: jinja2 is required but does not appear to be installed.  It can be installed using `pip install jinja2`\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP **************************************************************************************************************************************************
<ip>             : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Thu May 20 12:52:22 test_playbooks $ 
Thu May 20 12:52:27 test_playbooks $ ansible-playbook -i ../inventory test_asa_gather_network_groups.yml 

PLAY [Testing cisco.asa.asa_ogs module] *********************************************************************************************************************

TASK [Gather listed ACLs with provided configurations] ******************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ImportError: jinja2 is required but does not appear to be installed.  It can be installed using `pip install jinja2`
[WARNING]: Platform darwin on host <ip> is using the discovered Python interpreter at /usr/bin/python, but future installation of another Python
interpreter could change the meaning of that path. See https://docs.ansible.com/ansible/2.10/reference_appendices/interpreter_discovery.html for more
information.
fatal: [<ip>]: FAILED! => {"ansible_facts": {"discovered_interpreter_python": "/usr/bin/python"}, "changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"<path>/.ansible/tmp/ansible-local-16555fvyj4v4k/ansible-tmp-1621536754.536745-16559-218329172548531/AnsiballZ_asa_acls.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 188, in run_module\n    fname, loader, pkg_name)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/System/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1258, in <module>\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1253, in main\n  File 
\"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 48, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/rm_templates/acls.py\", line 125, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/rm_base/network_template.py\", line 27, in __init__\n  File \"/var/folders/d4/bxy7t7hx4blcgh3cbmm5smhr0000gn/T/ansible_cisco.asa.asa_acls_payload_xfpckn/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/utils.py\", line 726, in __init__\nImportError: jinja2 is required but does not appear to be installed.  It can be installed using `pip install jinja2`\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP **************************************************************************************************************************************************
<ip>             : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0   

Thu May 20 12:52:37 test_playbooks $ 

Replace state in ASA acls resource module throwing traceback

SUMMARY

Replace state in ASA acls resource module throwing traceback

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
devel
CONFIGURATION

OS / ENVIRONMENT

macos

STEPS TO REPRODUCE

With pre-existing test_access ACLs

- cisco.asa.asa_acls:
      config:
        - acls:
          - name: test_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol: tcp
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.3.0
                  netmask: 255.255.255.0
                destination:
                  address: 192.0.4.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
                log: default
          - name: test_global_access
            acl_type: extended
            aces:
              - grant: deny
                line: 1
                protocol_options:
                  tcp: true
                source:
                  address: 192.0.1.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: telnet
                destination:
                  address: 192.0.2.0
                  netmask: 255.255.255.0
                  port_protocol:
                    eq: www
      state: replaced
EXPECTED RESULTS

Replace state operation should run and config the play as expected

ACTUAL RESULTS

Failing with traceback error

The full traceback is:
Traceback (most recent call last):
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 102, in <module>
    _ansiballz_main()
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 94, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/Users/sjaiswal/.ansible/tmp/ansible-local-21754ooD5I5/ansible-tmp-1585746777.99-86419625801332/AnsiballZ_asa_acls.py", line 40, in invoke_module
    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 188, in run_module
    fname, loader, pkg_name)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 82, in _run_module_code
    mod_name, mod_fname, mod_loader, pkg_name)
  File "/Library/Frameworks/Python.framework/Versions/2.7/lib/python2.7/runpy.py", line 72, in _run_code
    exec code in run_globals
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1211, in <module>
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py", line 1206, in main
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py", line 80, in execute_module
  File "/var/folders/n7/73s22vps0ls44ng__t8mwtl40000gn/T/ansible_cisco.asa.asa_acls_payload_eJNJD6/ansible_cisco.asa.asa_acls_payload.zip/ansible/module_utils/connection.py", line 187, in __rpc__
ansible.module_utils.connection.ConnectionError:                   e-address log errorso access-list test_access line 2 extended deny icmp 198.51.$
ERROR: access-list <test_access> does not exist
ciscoasa(config)#

Prompt issue with

SUMMARY

I try to call a remote ssh command, but the command changes the prompt from "#" to " /dirname #", so Ansible sends the error "command timeout triggered". Can someone help me please?
It's a Firepower, and I need to use the scope command to change the object. If I try show config or version it works well, but if I try scope I get a timeout, and the only thing I found is that the prompt is different:
"/security # " does not match a regex https://regex101.com/r/cQ9MpW/1

ISSUE TYPE
  • Bug Report
COMPONENT NAME
ANSIBLE VERSION

ansible [core 2.11.6]
config file = /etc/ansible/ansible.cfg
configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
ansible python module location = /opt/ansible/venv/lib/python3.9/site-packages/ansible
ansible collection location = /root/.ansible/collections:/usr/share/ansible/collections
executable location = /opt/ansible/venv/bin/ansible
python version = 3.9.5 (default, May 19 2021, 11:32:47) [GCC 9.3.0]
jinja version = 3.0.2
libyaml = True

COLLECTION VERSION

# /root/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2

# /opt/ansible/venv/lib/python3.9/site-packages/ansible_collections
Collection Version
---------- -------
cisco.asa  2.1.0

CONFIGURATION

DEPRECATION_WARNINGS(/etc/ansible/ansible.cfg) = False
DISPLAY_SKIPPED_HOSTS(/etc/ansible/ansible.cfg) = False
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 45
RETRY_FILES_ENABLED(/etc/ansible/ansible.cfg) = False

OS / ENVIRONMENT

Firepower 41xx
show version
Version: 2.8(1.143)
Startup-Vers: 2.8(1.143

STEPS TO REPRODUCE
# scope ?
  adapter              Mezzanine Adapter
  cabling              Cabling
  chassis              Chassis
  cloud-connector      Cloud Connector
  eth-server           Ethernet Server Domain
  eth-uplink           Ethernet Uplink
  fabric-interconnect  Fabric Interconnect
  firmware             Firmware
  host-eth-if          Host Ethernet Interface
  license              License
  monitoring           Monitor the system
  org                  Organizations
  packet-capture       Packet Capture Domain
  security             security mode
  server               Server
  service-profile      Service Profile
  ssa                  Security Services
  system               Systems
  vhba                 vHBA
  vnic                 vNIC
# scope security
/security # 

With Ansible the same. Command 1:
- scope ?

Code:
        - name: "commands firepower"
          when: inventory_hostname == fwname
          asa_command:
            commands:
             - scope ?             
             - exit


ok: [FIREPOWER] => {
    "msg": {
        "changed": false,
        "failed": false,
        "stdout": [
            "scope \n  adapter              Mezzanine Adapter \n  cabling              Cabling \n  chassis              Chassis \n  cloud-connector      Cloud Connector \n  eth-server           Ethernet Server Domain \n  eth-uplink           Ethernet Uplink \n  fabric-interconnect  Fabric Interconnect \n  firmware             Firmware \n  host-eth-if          Host Ethernet Interface \n  license              License \n  monitoring           Monitor the system \n  org                  Organizations \n  packet-capture       Packet Capture Domain \n  security             security mode \n  server               Server \n  service-profile      Service Profile \n  ssa                  Security Services \n  system               Systems \n  vhba                 vHBA \n  vnic                 vNIC \n\n\n\n                         ^\n% Incomplete Command at '^' marker",
            "None"
        ],
        "stdout_lines": [
            [
                "scope ",
                "  adapter              Mezzanine Adapter ",
                "  cabling              Cabling ",
                "  chassis              Chassis ",
                "  cloud-connector      Cloud Connector ",
                "  eth-server           Ethernet Server Domain ",
                "  eth-uplink           Ethernet Uplink ",
                "  fabric-interconnect  Fabric Interconnect ",
                "  firmware             Firmware ",
                "  host-eth-if          Host Ethernet Interface ",
                "  license              License ",
                "  monitoring           Monitor the system ",
                "  org                  Organizations ",
                "  packet-capture       Packet Capture Domain ",
                "  security             security mode ",
                "  server               Server ",
                "  service-profile      Service Profile ",
                "  ssa                  Security Services ",
                "  system               Systems ",
                "  vhba                 vHBA ",
                "  vnic                 vNIC ",
                "",
                "",
                "",
                "                         ^",
                "% Incomplete Command at '^' marker"
            ],
            [
                "None"
            ]
        ]
    }
}



2 command
- scope security

code
        - name: "commands firepower"
          when: inventory_hostname == fwname
          asa_command:
            commands:
             - scope security
             - exit
The full traceback is:
  File "/tmp/ansible_asa_command_payload_on6ya26c/ansible_asa_command_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/asa.py", line 147, in run_commands
    return connection.run_commands(commands=commands, check_rc=check_rc)
  File "/tmp/ansible_asa_command_payload_on6ya26c/ansible_asa_command_payload.zip/ansible/module_utils/connection.py", line 200, in __rpc__
    raise ConnectionError(to_text(msg, errors='surrogate_then_replace'), code=code)
fatal: [FIREPOWER]: FAILED! => {
    "changed": false,
    "invocation": {
        "module_args": {
            "authorize": null,
            "commands": [
                "scope security"
            ],
            "context": null,
            "interval": 1,
            "match": "all",
            "passwords": null,
            "provider": null,
            "retries": 10,
            "wait_for": null
        }
    },
    "msg": "command timeout triggered, timeout value is 45 secs.\nSee the timeout setting options in the Network Debug and Troubleshooting Guide."
}
EXPECTED RESULTS
ACTUAL RESULTS

No destination when source port range present

SUMMARY

There is no destination section when source port range present in ACL

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa.asa_acls

ANSIBLE VERSION
ansible 2.10.5
COLLECTION VERSION
dmitry@host:~$ ansible-galaxy collection list cisco.asa

# /usr/lib/python3/dist-packages/ansible_collections
Collection Version
---------- -------
cisco.asa  1.0.4

# /home/dmitry/.ansible/collections/ansible_collections
Collection Version
---------- -------
cisco.asa  2.0.2
CONFIGURATION

OS / ENVIRONMENT

Ubuntu Server 21.04

STEPS TO REPRODUCE
dmitry@host:~$ cat small.txt
access-list management_in line 160 extended permit tcp host 10.20.20.5 range 49152 65535 10.30.30.0 255.255.255.0 eq 100
access-list management_in line 160 extended permit tcp host 10.20.20.5 10.30.30.0 255.255.255.0 eq 100
---

- hosts: asa01
  gather_facts: false
  connection: network_cli

  collections:
    - cisco.asa

  tasks:
    - name: Parse the commands for provided configuration
      cisco.asa.asa_acls:
        running_config: "{{ lookup('file', 'small.txt') }}"
        state: parsed
EXPECTED RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {
                        "destination": {
                            "address": "10.30.30.0",
                            "netmask": "255.255.255.0",
                            "port_protocol": {
                                "eq": "100"
                            }
                        },
                        "grant": "permit",
                        "line": 160,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "host": "10.20.20.5",
                            "port_protocol": {
                                "range": {
                                    "end": 65535,
                                    "start": 49152 
                                }
                            }
                        }
                    },
                    {
                        "destination": {
                            "address": "10.30.30.0",
                            "netmask": "255.255.255.0",
                            "port_protocol": {
                                "eq": "100"
                            }
                        },
                        "grant": "permit",
                        "line": 160,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "host": "10.20.20.5"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "management_in"
            }
        ]
    }
ACTUAL RESULTS
    "parsed": {
        "acls": [
            {
                "aces": [
                    {             
                        "grant": "permit",         <--- NO DESTINATION
                        "line": 160,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "host": "10.20.20.5" <--- NO SOURCE PORT RANGE
                        }
                    },
                    {
                        "destination": {
                            "address": "10.30.30.0",
                            "netmask": "255.255.255.0",
                            "port_protocol": {
                                "eq": "100"
                            }
                        },
                        "grant": "permit",
                        "line": 160,
                        "protocol": "tcp",
                        "protocol_options": {
                            "tcp": true
                        },
                        "source": {
                            "host": "10.20.20.5"
                        }
                    }
                ],
                "acl_type": "extended",
                "name": "management_in"
            }
        ]
    }

[asa_acls] Not able to gather facts if any4/any6 is defined in source/destination

SUMMARY

Can't have the gather facts when an ACL contains "any4/any6".

ISSUE TYPE
  • Feature request
COMPONENT NAME

asa_acls

ANSIBLE VERSION
ansible 2.9.10
  config file = /home/xxxx/asa/ansible.cfg
  configured module search path = [u'/home/xxxx/.ansible/plugins/modules', u'/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python2.7/site-packages/ansible
  executable location = /usr/bin/ansible
  python version = 2.7.5 (default, Aug  7 2019, 00:51:29) [GCC 4.8.5 20150623 (Red Hat 4.8.5-39)]


CONFIGURATION
COLLECTIONS_PATHS(/home/xxxx/asa/ansible.cfg) = [u'/home/xxxx/asa/collections', u'/home/xxxx/.ansible/collecti
DEFAULT_CALLBACK_WHITELIST(/home/xxxx/asa/ansible.cfg) = [u'profile_tasks']
DEFAULT_HOST_LIST(/home/xxxx/asa/ansible.cfg) = [u'/home/xxxx/asa/inventory']
OS / ENVIRONMENT

Used module:

  • cisco.asa:1.0.0
STEPS TO REPRODUCE
---
- hosts: asa
  gather_facts: false
 
  collections:
    - cisco.asa

  tasks:
  - name: test
    cisco.asa.asa_acls:
      config:
      state: gathered
EXPECTED RESULTS

The task must return a list of ACLs.

ACTUAL RESULTS
ansible-playbook asa_acl.yml

PLAY [asa] ******************************************************************************************************************

TASK [test] *****************************************************************************************************************
Sunday 12 July 2020  02:23:46 +0200 (0:00:00.081)       0:00:00.081 ***********
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'any' is not in list
fatal: [ASA_DRO]: FAILED! => {"changed": false, "module_stderr": "Traceback (most recent call last):\n  File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 102, in <module>\n    _ansiballz_main()\n  File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 94, in _ansiballz_main\n    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)\n  File \"/home/sebastien/.ansible/tmp/ansible-local-18005eEiQXL/ansible-tmp-1594513427.38-18015-3767959020102/AnsiballZ_asa_acls.py\", line 40, in invoke_module\n    runpy.run_module(mod_name='ansible_collections.cisco.asa.plugins.modules.asa_acls', init_globals=None, run_name='__main__', alter_sys=True)\n  File \"/usr/lib64/python2.7/runpy.py\", line 176, in run_module\n    fname, loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 82, in _run_module_code\n    mod_name, mod_fname, mod_loader, pkg_name)\n  File \"/usr/lib64/python2.7/runpy.py\", line 72, in _run_code\n    exec code in run_globals\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1238, in <module>\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/modules/asa_acls.py\", line 1233, in main\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 88, in execute_module\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/config/acls/acls.py\", line 54, in get_acls_facts\n  File 
\"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/facts.py\", line 59, in get_facts\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/ansible/netcommon/plugins/module_utils/network/common/facts/facts.py\", line 128, in get_network_resources_facts\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 70, in populate_facts\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 459, in render_config\n  File \"/tmp/ansible_cisco.asa.asa_acls_payload_RUDVTo/ansible_cisco.asa.asa_acls_payload.zip/ansible_collections/cisco/asa/plugins/module_utils/network/asa/facts/acls/acls.py\", line 216, in populate_source_destination\nValueError: 'any' is not in list\n", "module_stdout": "", "msg": "MODULE FAILURE\nSee stdout/stderr for the exact error", "rc": 1}

PLAY RECAP ******************************************************************************************************************
ASA                    : ok=0    changed=0    unreachable=0    failed=1    skipped=0    rescued=0    ignored=0

Sunday 12 July 2020  02:23:50 +0200 (0:00:03.983)       0:00:04.065 ***********
===============================================================================
test ----------------------------------------------------------------------------------------------------------------- 3.98s

Enable Cisco ASA Botnet Traffic Filter via dynamic/static DB configuration

SUMMARY

Enable Cisco ASA Botnet Traffic Filter via dynamic/static DB configuration.

Malware that attempts network activity such as sending private data (passwords, credit card numbers, keystrokes, or proprietary data) can be detected by the Botnet Traffic Filter when the malware starts a connection to a known bad IP address. The Botnet Traffic Filter checks incoming and outgoing connections against a dynamic/static database of known bad domain names and IP addresses (the blacklist), and then logs or blocks any suspicious activity. For more information around the feature, please refer to: Cisco Botnet traffic filter guide

If Ansible has the ASA dynamic_filter module to configure, this entire process of configuring and adding the address to static DB or enabling dynamic DB can be automated, and the process can then be integrated with Ansible security SIEM offerings and can easily be converted to solve and automate the task of incident response use case using Cisco ASA.

ISSUE TYPE
  • Feature Idea
COMPONENT NAME

cisco.asa

ADDITIONAL INFORMATION

asa_acls: No support for user identity

SUMMARY

The asa_acls module cannot work with ACEs that use user identity, since the acls dictionary does not contain any parameters pertaining to identity. Additionally, any existing ASA access-list commands containing the "user" or "user-group" keywords are not parsed correctly when gathered.

ISSUE TYPE
  • Bug Report
COMPONENT NAME

asa_acls

ANSIBLE VERSION
ansible 2.9.16
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.1+ (default, Jan 20 2021, 14:49:22) [GCC 10.2.1 20210110]
CONFIGURATION
DEFAULT_HOST_LIST(/etc/ansible/ansible.cfg) = ['/etc/ansible/hosts']
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 600
OS / ENVIRONMENT

Ansible running on Debian testing.
Tested against ASA 5516-X running software 9.8(4)10.

STEPS TO REPRODUCE

Apply an access-list command to an ASA that uses either the "user" or "user-group" keywords, e.g.:

access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og

Then attempt to gather the ACL config from the ASA and save as YAML:

---
- name: convert interface to structured data
  connection: network_cli
  hosts: TESTING
  gather_facts: false
  vars:
    ansible_network_os: asa

  tasks:
    - name: Gather facts
      cisco.asa.asa_acls:
        state: gathered
      register: gather

    - name: Create inventory directory
      become: true
      delegate_to: localhost
      file:
        path: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}"
        state: directory

    - name: Write each resource to a file
      become: true
      delegate_to: localhost
      copy:
        content: "{{ gather['gathered'] | to_nice_yaml }}"
        dest: "{{ inventory_dir }}/host_vars/{{ inventory_hostname }}/acls.yaml"
EXPECTED RESULTS

Generated YAML file describes all aspects of the ACE, including user identity information.

ACTUAL RESULTS

Generated YAML is missing the identity information. Additionally, several non-identity parameters are also missing from the output and the single object-group retrieved from the config has been assigned to an incorrect parameter (presumably as the access-list command has not been parsed correctly).

acls:
-   aces:
    -   grant: permit
        line: 1
        source:
            object_group: HTTP-HTTPS_sg
    acl_type: extended
    name: TEST-ACL

asa_acl: "replace: block" not implemented

SUMMARY

The documentation for the asa_acl module states:
If the replace argument is set to `block` then the entire command block is pushed to the device in configuration mode if any line is not correct.

In fact, setting "replace: block" has no effect on the behaviour of the module, which always pushes the changed lines only (regardless of the value of the "replace" argument).

ISSUE TYPE
  • Bug Report
COMPONENT NAME

cisco.asa/asa_acl

ANSIBLE VERSION
  config file = /etc/ansible/ansible.cfg
  configured module search path = ['/root/.ansible/plugins/modules', '/usr/share/ansible/plugins/modules']
  ansible python module location = /usr/lib/python3/dist-packages/ansible
  executable location = /usr/bin/ansible
  python version = 3.9.1+ (default, Feb  5 2021, 13:46:56) [GCC 10.2.1 20210110]
CONFIGURATION
HOST_KEY_CHECKING(/etc/ansible/ansible.cfg) = False
INTERPRETER_PYTHON(/etc/ansible/ansible.cfg) = /usr/bin/python3
PERSISTENT_COMMAND_TIMEOUT(/etc/ansible/ansible.cfg) = 300
OS / ENVIRONMENT

Tested against ASA 5516-X running firmware 9.8(4)32, although this bug is independent of ASA version.

STEPS TO REPRODUCE

Run the asa_acl module with the replace: block argument.

EXPECTED RESULTS

The module sends all config lines to the ASA device, not just the ones that have changed.

ACTUAL RESULTS

The module sends only the config lines that have changed from the device's running config.

Have the possibility to have ACL with object-group for source and destination

SUMMARY

For the module asa_ogs, it will be good to have ACLs with object-group like this:

  • access-list global_access line 1 extended permit tcp object-group devaccess-WEB object-group devaccess-WEB-endpoints eq www
  • access-list global_access line 2 extended permit tcp object-group devaccess-WEB any4 eq www
  • access-list global_access line 3 extended permit tcp 172.30.0.0 255.255.0.0 object-group test-vip1 eq 200
    ...
ISSUE TYPE
  • Feature Idea
COMPONENT NAME

Module: asa_acls

ADDITIONAL INFORMATION

Something like this will be fine:

- name: Merge provided configuration with device configuration
  cisco.asa.asa_acls:
    config:
      - acls:
        - name: global_access
          acl_type: extended
          aces:
            - grant: permit
              line: 1
              protocol_options:
                tcp: true
              source:
                network-object-group: devaccess-WEB
              destination:
                address: 192.0.3.0
                netmask: 255.255.255.0
                port_protocol:
                  eq: www
    state: merged
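
As an added example (not code from the cisco.asa collection), here is a small parser for the extended ACE forms that the asa_acls reports above involve: the "No destination when source port range present" bug, the any4/any6 gather failure, the missing user / user-group identity support, and this object-group feature request. It assumes that an object-group following an address is a network group (the next endpoint) rather than a service group, and its sample lines are constructed from the ones quoted in those issues.

```python
# Added example (not collection code). Assumption: an object-group that follows an
# address is the next endpoint (a network group), never a service object-group.
import re

ANY_KEYWORDS = {"any", "any4", "any6"}
PORT_OPERATORS = {"eq", "gt", "lt", "neq"}

def _endpoint(t, i):
    """Consume one address spec at t[i]; return (dict, index after it)."""
    if t[i] in ANY_KEYWORDS:
        return {t[i]: True}, i + 1
    if t[i] == "host":
        return {"host": t[i + 1]}, i + 2
    if t[i] in ("object-group", "object", "interface"):
        return {t[i].replace("-", "_"): t[i + 1]}, i + 2
    return {"address": t[i], "netmask": t[i + 1]}, i + 2  # "network mask" form

def _ports(t, i):
    """Consume an optional port spec: eq/gt/lt/neq X or range A B."""
    if i < len(t) and t[i] in PORT_OPERATORS:
        return {t[i]: t[i + 1]}, i + 2
    if i < len(t) and t[i] == "range":  # port names are legal here, so no int()
        return {"range": {"start": t[i + 1], "end": t[i + 2]}}, i + 3
    return None, i

def parse_ace(line):
    """Parse 'access-list NAME [line N] extended ...'; None for any other line."""
    # A quoted name such as user-group "DOMAIN\\Domain Users" stays one token.
    t = [s.strip('"') for s in re.findall(r'"[^"]*"|\S+', line)]
    if len(t) < 4 or t[0] != "access-list":
        return None
    ace, i = {"name": t[1]}, 2
    if t[i] == "line":
        ace["line"], i = int(t[i + 1]), i + 2
    if t[i] != "extended":  # remark, standard, webtype ...
        return None
    ace["acl_type"], ace["grant"], i = "extended", t[i + 1], i + 2
    if t[i] == "object-group":  # service object-group in the protocol slot
        ace["protocol"], i = {"object_group": t[i + 1]}, i + 2
    else:
        ace["protocol"], i = t[i], i + 1
    if t[i] in ("user", "user-group"):  # identity firewall keywords
        ace[t[i].replace("-", "_")] = t[i + 1]
        i += 2
    for side in ("source", "destination"):
        ace[side], i = _endpoint(t, i)
        ports, i = _ports(t, i)
        if ports:
            ace[side]["port_protocol"] = ports
    if i < len(t):
        ace["extra"] = t[i:]  # e.g. ["log"], ["inactive"]
    return ace

def parse_acl_config(text):
    """Group ACEs by ACL name, shaped like the asa_acls 'parsed' output."""
    acls = {}
    for ace in filter(None, map(parse_ace, text.splitlines())):
        name, acl_type = ace.pop("name"), ace.pop("acl_type")
        acl = acls.setdefault(name, {"name": name, "acl_type": acl_type, "aces": []})
        acl["aces"].append(ace)
    return list(acls.values())

# Constructed sample built from the ACE lines quoted in the issues above.
SAMPLE = r'''
access-list management_in line 160 extended permit tcp host 10.20.20.5 range 49152 65535 10.30.30.0 255.255.255.0 eq 100
access-list global_access line 2 extended permit tcp object-group devaccess-WEB any4 eq www
access-list TEST-ACL extended permit object-group HTTP-HTTPS_sg user-group "DOMAIN\\Domain Users" object-group LocalNetworks_og object-group RFC1918_og
access-list TEST-ACL remark identity ACE above; this remark line is skipped
'''
```

Running `parse_acl_config(SAMPLE)` keeps the source port range and the destination for the first line, which is exactly what the module's actual output above drops.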
