Ansible: Remove interfaces that are not in my host_vars



I have an Ansible playbook that creates l3_subinterfaces on a Palo Alto firewall. The creation is based on the host_vars of the firewall:

l3_subinterfaces:
  - tag: "9"
    vr_name: "vr_production"
    ip: "10.0.9.2/24"
    comment: "VLAN9 Subinterface"
    parent_if: "ethernet1/1"
    zone: "Infrastructuur"
  - tag: "13"
    vr_name: "vr_production"
    ip: "10.0.13.2/24"
    comment: "VLAN13 Subinterface"
    parent_if: "ethernet1/2"
    zone: "Infrastructuur"

And the playbook task that creates the interfaces:

- name: Configure l3_subinterfaces
  panos_l3_subinterface:
    provider: "{{ panos_provider }}"
    name: "{{ item.parent_if }}.{{ item.tag }}"
    tag: "{{ item.tag }}"
    ip: ["{{ item.ip }}"]
    vr_name: "{{ item.vr_name }}"
    zone_name: "{{ item.zone }}"
    comment: "{{ item.comment }}"
    enable_dhcp: false
  with_items:
    - "{{ l3_subinterfaces }}"
  when: l3_subinterfaces is defined

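So far everything works fine. However, what I am trying to achieve is to keep the state of the firewall in the Ansible inventory.

So, for example, if I now remove the l3_subinterface with tag 13 and run the task again, the l3_subinterface with tag 13 is still configured on the Palo Alto firewall.

I am trying to figure out a way to remove l3_subinterfaces that exist on the firewall but not in my host_vars. I think I need to compare something like the facts with the host_vars, but I really don't know how to do that.

Actually, I have found my own answer. The solution is to compare the list l3_subinterface with the Palo Alto interfaces: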

- name: Get interfaces facts
  panos_facts:
    provider: '{{ panos_provider }}'
    gather_subset: ['interfaces']

# Compares on 'name', so each l3_subinterfaces entry needs a name key
# (for example ethernet1/1.9).
- name: Delete unused l3_subinterfaces
  panos_l3_subinterface:
    provider: "{{ panos_provider }}"
    name: "{{ item }}"
    # The backslash is doubled because this is a double-quoted YAML string.
    tag: "{{ item|regex_search('\\d+$') }}"
    state: "absent"
  with_items:
    - "{{ ansible_net_interfaces|selectattr('tag', 'defined')|map(attribute='name')|list | difference(l3_subinterfaces|map(attribute='name')|list) }}"
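
An added example, not part of the original answer: the same comparison with the desired names built from `parent_if` and `tag` (the host_vars shown above have no `name` key), plus a guard that stops the run when `l3_subinterfaces` is undefined or empty, because the difference would then list every tagged interface for deletion. The variables `desired_subifs` and `stale_subifs` and the extra task names are assumptions.

```yaml
# Added example; desired_subifs and stale_subifs are hypothetical variable names.
- name: Refuse to prune when the desired list is missing or empty
  assert:
    that:
      - l3_subinterfaces is defined
      - l3_subinterfaces | length > 0
    fail_msg: "l3_subinterfaces is undefined or empty; pruning would remove every tagged subinterface"

# Same naming scheme the create task uses: <parent_if>.<tag>
- name: Build the desired subinterface names from host_vars
  set_fact:
    desired_subifs: "{{ desired_subifs | default([]) + [item.parent_if ~ '.' ~ item.tag] }}"
  loop: "{{ l3_subinterfaces }}"

- name: Get interfaces facts
  panos_facts:
    provider: "{{ panos_provider }}"
    gather_subset: ['interfaces']

# Interfaces on the firewall that carry a tag but are not declared in host_vars
- name: Work out which subinterfaces are no longer declared
  set_fact:
    stale_subifs: >-
      {{ ansible_net_interfaces | selectattr('tag', 'defined')
         | map(attribute='name') | list | difference(desired_subifs) }}

# Printed before the delete task so the change is visible in the run log
- name: Show what will be removed
  debug:
    var: stale_subifs

- name: Delete unused l3_subinterfaces
  panos_l3_subinterface:
    provider: "{{ panos_provider }}"
    name: "{{ item }}"
    tag: "{{ item | regex_search('\\d+$') }}"
    state: absent
  loop: "{{ stale_subifs }}"
```

The selection is on `tag` being defined, as in the answer, so any tagged interface the facts return that is not in host_vars ends up in `stale_subifs`; the `debug` output is the place to confirm the list before the delete task acts on it.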
