cisco.asa.asa_ogs module – Object Group resource module
Note
This module is part of the cisco.asa collection (version 6.0.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install cisco.asa.
To use it in a playbook, specify: cisco.asa.asa_ogs.
Note
The cisco.asa collection is deprecated and will be removed from Ansible 12. See the discussion thread for more information.
New in cisco.asa 1.0.0
Synopsis
- This module configures and manages Objects and Groups on ASA platforms.
Parameters
| Parameter | Comments |
|---|---|
| config | A list of Object Group options. |
| config / object_groups | The object groups. |
| config / object_groups / description | The description for the object-group. |
| config / object_groups / group_object | Configure an object group as an object. |
| config / object_groups / icmp_type | Configure an ICMP-type object. |
| config / object_groups / icmp_type / icmp_object | Defines the ICMP types in the group. Choices: the ASA ICMP type keywords. |
| config / object_groups / name | Specifies the object-group ID. |
| config / object_groups / network_object | Configure a network object. |
| config / object_groups / network_object / address | Enter an IPv4 network address with a space-separated netmask. |
| config / object_groups / network_object / host | Set this to specify a single host object. |
| config / object_groups / network_object / ipv6_address | Enter an IPv6 prefix. |
| config / object_groups / network_object / object | Enter this keyword to specify a network object. |
| config / object_groups / port_object | Configure a port object. |
| config / object_groups / port_object / eq | Enter this keyword to specify a port. |
| config / object_groups / port_object / range | Enter this keyword to specify a range of ports. |
| config / object_groups / port_object / range / end | Specify the end of the port range. |
| config / object_groups / port_object / range / start | Specify the start of the port range. |
| config / object_groups / protocol | Specify that the object group is for the given protocol only. Required when a port object is configured. Choices: tcp, udp, tcp-udp. |
| config / object_groups / protocol_object | Configure a protocol object. |
| config / object_groups / protocol_object / protocol | Defines the protocols in the group. A protocol name or protocol number (0-255) can be given directly. |
| config / object_groups / security_group | Configure a security group. |
| config / object_groups / security_group / sec_name | Enter this keyword to specify a security-group name. |
| config / object_groups / security_group / tag | Enter this keyword to specify a security-group tag. |
| config / object_groups / service_object | Configure a service object. A newer services_object parameter has been introduced at the object_group level; use it instead of service_object, which will be deprecated and removed in a future release. |
| config / object_groups / service_object / object | Enter this keyword to specify a service object. |
| config / object_groups / service_object / protocol | Defines the protocols in the group. Choices: the ASA protocol keywords (for example tcp, udp, tcp-udp). |
| config / object_groups / services_object | Configure a list of service objects. This newer OG services_object parameter replaces the service_object parameter; released with version 2.1.0. |
| config / object_groups / services_object / destination_port | Keyword to specify the destination port. |
| config / object_groups / services_object / destination_port / eq | Match only packets on a given port number. |
| config / object_groups / services_object / destination_port / gt | Match only packets with a greater port number. |
| config / object_groups / services_object / destination_port / lt | Match only packets with a lower port number. |
| config / object_groups / services_object / destination_port / neq | Match only packets not on a given port number. |
| config / object_groups / services_object / destination_port / range | Port range operator. |
| config / object_groups / services_object / destination_port / range / end | Specify the end of the port range. |
| config / object_groups / services_object / destination_port / range / start | Specify the start of the port range. |
| config / object_groups / services_object / object | Enter this keyword to specify a service object. |
| config / object_groups / services_object / protocol | Defines the protocols in the group. |
| config / object_groups / services_object / source_port | Keyword to specify the source port. |
| config / object_groups / services_object / source_port / eq | Match only packets on a given port number. |
| config / object_groups / services_object / source_port / gt | Match only packets with a greater port number. |
| config / object_groups / services_object / source_port / lt | Match only packets with a lower port number. |
| config / object_groups / services_object / source_port / neq | Match only packets not on a given port number. |
| config / object_groups / services_object / source_port / range | Port range operator. |
| config / object_groups / services_object / source_port / range / end | Specify the end of the port range. |
| config / object_groups / services_object / source_port / range / start | Specify the start of the port range. |
| config / object_groups / user_object | Configure a single user, a local user, or an imported user group. |
| config / object_groups / user_object / user | Configure a user object; the name of the user object to be configured. |
| config / object_groups / user_object / user / domain | User domain. |
| config / object_groups / user_object / user / name | Enter the user name. |
| config / object_groups / user_object / user_group | Configure a user group object. |
| config / object_groups / user_object / user_group / domain | Group domain. |
| config / object_groups / user_object / user_group / name | Enter the group name. |
| config / object_type | The object-group type. Choices: icmp-type, network, protocol, security, service, user. |
| running_config | By default, this module connects to the remote device and retrieves the current running-config to use as the base for comparison against the contents of source. There are times when it is not desirable to have the task fetch the current running-config for every task in a playbook. The running_config argument lets the implementer pass in the configuration to use as the base for comparison. The value of this option should be the output received from the device by executing the command. |
| state | The state the configuration should be left in. Choices: merged, replaced, overridden, deleted, gathered, rendered, parsed. |
Notes
Note
- Tested against Cisco ASA Version 9.10(1)11
- This module works with connection network_cli. See the ASA Platform Options.
Examples
# Using merged
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_network_og
#  network-object host 198.51.100.1
- name: "Merge module attributes of given object-group"
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: group_network_obj
            group_object:
              - test_og_network
          - name: test_og_network
            description: test_og_network
            network_object:
              host:
                - 192.0.2.1
                - 192.0.2.2
              address:
                - 192.0.2.0 255.255.255.0
                - 198.51.100.0 255.255.255.0
          - name: test_network_og
            description: test_network_og
            network_object:
              host:
                - 198.51.100.1
                - 198.51.100.2
              ipv6_address:
                - 2001:db8:3::/64
      - object_type: security
        object_groups:
          - name: test_og_security
            description: test_security
            security_group:
              sec_name:
                - test_1
                - test_2
              tag:
                - 10
                - 20
      - object_type: service
        object_groups:
          - name: O-Worker
            services_object:
              - protocol: tcp
                destination_port:
                  range:
                    start: 100
                    end: 200
              - protocol: tcp-udp
                source_port:
                  eq: 1234
                destination_port:
                  gt: nfs
          - name: O-UNIX-TCP
            protocol: tcp
            port_object:
              - eq: https
              - range:
                  start: 100
                  end: 400
      - object_type: user
        object_groups:
          - name: test_og_user
            description: test_user
            user_object:
              user:
                - name: new_user_1
                  domain: LOCAL
                - name: new_user_2
                  domain: LOCAL
    state: merged
# Commands fired:
# ---------------
#
# object-group security test_og_security
# description test_security
# security-group name test_1
# security-group name test_2
# security-group tag 10
# security-group tag 20
# object-group network group_network_obj
# group-object test_og_network
# object-group network test_og_network
# description test_og_network
# network-object 192.0.2.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# network-object host 192.0.2.1
# network-object host 192.0.2.2
# object-group network test_network_og
# network-object host 198.51.100.1
# network-object host 198.51.100.2
# network-object 2001:db8:3::/64
# object-group service O-Worker
# service-object tcp destination range 100 200
# service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
# port-object eq https
# port-object range 100 400
# object-group user test_og_user
# description test_user
# user LOCAL\new_user_1
# user LOCAL\new_user_2
# After state:
# ------------
#
# ciscoasa# sh running-config object-group
# object-group network group_network_obj
#  group-object test_og_network
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
#  network-object host 198.51.100.1
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
#  port-object eq https
#  port-object range 100 400
# object-group user test_og_user
#  description test_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
# Using Replaced
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
#  port-object eq https
#  port-object range 100 400
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
- name: "Replace module attributes of given object-group"
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: test_og_network
            description: test_og_network_replace
            network_object:
              host:
                - 198.51.100.1
              address:
                - 198.51.100.0 255.255.255.0
      - object_type: protocol
        object_groups:
          - name: test_og_protocol
            description: test_og_protocol
            protocol_object:
              protocol:
                - tcp
                - udp
    state: replaced
# Commands Fired:
# ---------------
#
# object-group protocol test_og_protocol
# description test_og_protocol
# protocol tcp
# protocol udp
# object-group network test_og_network
# description test_og_network_replace
# no network-object 192.0.2.0 255.255.255.0
# no network-object 198.51.100.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# no network-object host 192.0.2.1
# no network-object host 192.0.2.2
# network-object host 198.51.100.1
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network_replace
#  network-object host 198.51.100.1
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
#  port-object eq https
#  port-object range 100 400
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
# object-group protocol test_og_protocol
#  protocol-object tcp
#  protocol-object udp
# Using Overridden
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
#  port-object eq https
#  port-object range 100 400
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
- name: "Overridden module attributes of given object-group"
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: test_og_network
            description: test_og_network_override
            network_object:
              host:
                - 198.51.100.1
              address:
                - 198.51.100.0 255.255.255.0
          - name: ANSIBLE_TEST
            network_object:
              object:
                - TEST1
                - TEST2
      - object_type: protocol
        object_groups:
          - name: test_og_protocol
            description: test_og_protocol
            protocol_object:
              protocol:
                - tcp
                - udp
    state: overridden
# Commands Fired:
# ---------------
#
# no object-group security test_og_security
# no object-group service O-Worker
# no object-group service O-UNIX-TCP
# no object-group user test_og_user
# object-group protocol test_og_protocol
# description test_og_protocol
# protocol tcp
# protocol udp
# object-group network test_og_network
# description test_og_network_override
# no network-object 192.0.2.0 255.255.255.0
# no network-object 198.51.100.0 255.255.255.0
# network-object 198.51.100.0 255.255.255.0
# no network-object host 192.0.2.1
# no network-object host 192.0.2.2
# network-object host 198.51.100.1
# no object-group network test_network_og
# object-group network ANSIBLE_TEST
# network-object object TEST1
# network-object object TEST2
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network_override
#  network-object host 198.51.100.1
#  network-object 198.51.100.0 255.255.255.0
# object-group network ANSIBLE_TEST
#  network-object object TEST1
#  network-object object TEST2
# object-group protocol test_og_protocol
#  protocol-object tcp
#  protocol-object udp
# Using Deleted
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# object-group service O-UNIX-TCP tcp
#  port-object eq https
#  port-object range 100 400
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
- name: "Delete given module attributes"
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: test_og_network
          - name: test_network_og
      - object_type: security
        object_groups:
          - name: test_og_security
      - object_type: service
        object_groups:
          - name: O-UNIX-TCP
    state: deleted
# Commands Fired:
# ---------------
#
# no object-group network test_og_network
# no object-group network test_network_og
# no object-group security test_og_security
# no object-group service O-UNIX-TCP
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
# object-group service O-Worker
#  service-object tcp destination range 100 200
#  service-object tcp source eq 1234 destination gt nfs
# Using DELETED without any config passed
# "(NOTE: This will delete all of configured resource module attributes)"
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
- name: Delete ALL configured module attributes
  cisco.asa.asa_ogs:
    config:
    state: deleted
# Commands Fired:
# ---------------
#
# no object-group network test_og_network
# no object-group network test_network_og
# no object-group security test_og_security
# no object-group user test_og_user
# After state:
# -------------
#
# ciscoasa# sh running-config object-group
# Using Gathered
# Before state:
# -------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
- name: Gather listed OGs with provided configurations
  cisco.asa.asa_ogs:
    config:
    state: gathered
# Module Execution Result:
# ------------------------
#
# "gathered": [
#         {
#             "object_groups": [
#                 {
#                     "description": "test_security",
#                     "name": "test_og_security",
#                     "security_group": {
#                         "sec_name": [
#                             "test_2",
#                             "test_1"
#                         ],
#                         "tag": [
#                             10,
#                             20
#                         ]
#                     }
#                 }
#             ],
#             "object_type": "security"
#         },
#         {
#             "object_groups": [
#                 {
#                     "description": "test_network_og",
#                     "name": "test_network_og",
#                     "network_object": {
#                         "host": [
#                             "198.51.100.1",
#                             "198.51.100.2"
#                         ],
#                         "ipv6_address": [
#                             "2001:db8:3::/64"
#                         ]
#                     }
#                 },
#                 {
#                     "description": "test_og_network",
#                     "name": "test_og_network",
#                     "network_object": {
#                         "address": [
#                             "192.0.2.0 255.255.255.0",
#                             "198.51.100.0 255.255.255.0"
#                         ],
#                         "host": [
#                             "192.0.2.1",
#                             "192.0.2.2"
#                         ]
#                     }
#                 }
#             ],
#             "object_type": "network"
#         },
#         {
#             "object_groups": [
#                 {
#                     "description": "test_user",
#                     "name": "test_og_user",
#                     "user_object": {
#                         "user": [
#                             {
#                                 "domain": "LOCAL",
#                                 "name": "new_user_1"
#                             },
#                             {
#                                 "domain": "LOCAL",
#                                 "name": "new_user_2"
#                             }
#                         ]
#                     }
#                 }
#             ],
#             "object_type": "user"
#         }
#     ]
# After state:
# ------------
#
# ciscoasa# sh running-config object-group
# object-group network test_og_network
#  description test_og_network
#  network-object host 192.0.2.1
#  network-object host 192.0.2.2
#  network-object 192.0.2.0 255.255.255.0
#  network-object 198.51.100.0 255.255.255.0
# object-group network test_network_og
#  description test_network_og
#  network-object host 198.51.100.1
#  network-object host 198.51.100.2
#  network-object 2001:db8:0:3::/64
#  group-object test_og_network
# object-group security test_og_security
#  security-group name test_1
#  security-group name test_2
#  security-group tag 10
#  security-group tag 20
# object-group user test_og_user
#  user LOCAL\new_user_1
#  user LOCAL\new_user_2
# Using Rendered
- name: Render the commands for provided configuration
  cisco.asa.asa_ogs:
    config:
      - object_type: network
        object_groups:
          - name: test_og_network
            description: test_og_network
            network_object:
              host:
                - 192.0.2.1
                - 192.0.2.2
              address:
                - 192.0.2.0 255.255.255.0
                - 198.51.100.0 255.255.255.0
          - name: test_network_og
            description: test_network_og
            network_object:
              host:
                - 198.51.100.1
                - 198.51.100.2
              ipv6_address:
                - 2001:db8:3::/64
      - object_type: security
        object_groups:
          - name: test_og_security
            description: test_security
            security_group:
              sec_name:
                - test_1
                - test_2
              tag:
                - 10
                - 20
      - object_type: user
        object_groups:
          - name: test_og_user
            description: test_user
            user_object:
              user:
                - name: new_user_1
                  domain: LOCAL
                - name: new_user_2
                  domain: LOCAL
    state: rendered
# Module Execution Result:
# ------------------------
#
# "rendered": [
#         "object-group security test_og_security",
#         "description test_security",
#         "security-group name test_1",
#         "security-group name test_2",
#         "security-group tag 10",
#         "security-group tag 20",
#         "object-group network test_og_network",
#         "description test_og_network",
#         "network-object 192.0.2.0 255.255.255.0",
#         "network-object 198.51.100.0 255.255.255.0",
#         "network-object host 192.0.2.1",
#         "network-object host 192.0.2.2",
#         "object-group network test_network_og",
#         "description test_network_og",
#         "network-object host 198.51.100.1",
#         "network-object host 198.51.100.2",
#         "network-object 2001:db8:3::/64",
#         "object-group user test_og_user",
#         "description test_user",
#         "user LOCAL\new_user_1",
#         "user LOCAL\new_user_2"
#     ]
# Using Parsed
# parsed.cfg
#
# object-group network test_og_network
#   description test_og_network
#   network-object host 192.0.2.1
#   network-object 192.0.2.0 255.255.255.0
# object-group network test_network_og
#   network-object 2001:db8:3::/64
# object-group service test_og_service
#   service-object tcp-udp
- name: Parse the commands for provided configuration
  cisco.asa.asa_ogs:
    running_config: "{{ lookup('file', 'parsed.cfg') }}"
    state: parsed
# Module Execution Result:
# ------------------------
#
# "parsed": [
#         {
#             "object_groups": [
#                 {
#                     "name": "test_network_og"
#                 },
#                 {
#                     "description": "test_og_network",
#                     "name": "test_og_network",
#                     "network_object": {
#                         "host": [
#                             "192.0.2.2"
#                         ]
#                     }
#                 }
#             ],
#             "object_type": "network"
#         },
#         {
#             "object_groups": [
#                 {
#                     "name": "test_og_service",
#                     "service_object": {
#                         "protocol": [
#                             "tcp-udp",
#                             "ipinip"
#                         ]
#                     }
#                 }
#             ],
#             "object_type": "service"
#         }
#     ]
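The parsed and replaced examples above show two things the module does for you: it turns `show running-config object-group` text into the nested `object_type` / `object_groups` structure, and it works out which members must be removed and which added so that a group ends up exactly as declared. The following Python is an added illustration of both steps, not code from the cisco.asa collection; the sample running-config and the desired `test_og_network` dictionary are constructed from the Replaced example, and `network_replace_commands` is a deliberately simplified model of `state: replaced` for a single network object-group (the real module also covers the other object types and emits commands in its own order).

```python
"""Parse `show running-config object-group` output into the structure that state:
gathered / parsed return, and derive the commands state: replaced would push for one
network object-group. Added illustration, not the cisco.asa module's own code."""
import re

# Constructed sample, modelled on the "Before state" of the Replaced example.
SAMPLE_RUNNING_CONFIG = """\
object-group network test_og_network
 description test_og_network
 network-object host 192.0.2.1
 network-object host 192.0.2.2
 network-object 192.0.2.0 255.255.255.0
 network-object 198.51.100.0 255.255.255.0
object-group network test_network_og
 description test_network_og
 network-object host 198.51.100.1
 network-object 2001:db8:0:3::/64
 group-object test_og_network
object-group service O-UNIX-TCP tcp
 port-object eq https
 port-object range 100 400
object-group user test_og_user
 user LOCAL\\new_user_1
"""

# Desired state of test_og_network, as given in the Replaced playbook above.
DESIRED_TEST_OG_NETWORK = {
    "name": "test_og_network", "description": "test_og_network_replace",
    "network_object": {"host": ["198.51.100.1"], "address": ["198.51.100.0 255.255.255.0"]},
}

HEADER = re.compile(r"^object-group (\S+) (\S+)(?: (\S+))?$")

def parse_object_groups(text):
    """Return [{"object_type": ..., "object_groups": [...]}, ...] like `gathered`."""
    by_type, current = {}, None
    for line in (raw.rstrip() for raw in text.splitlines() if raw.strip()):
        if not line[0].isspace():            # unindented: a new object-group header
            match = HEADER.match(line)
            current = None
            if match:
                og_type, name, proto = match.groups()
                current = {"name": name}
                if proto:                     # trailing keyword, e.g. "... O-UNIX-TCP tcp"
                    current["protocol"] = proto
                by_type.setdefault(og_type, []).append(current)
        elif current is not None:             # indented: a member of the current group
            _add_member(current, line.split())
    return [{"object_type": t, "object_groups": g} for t, g in by_type.items()]

def _add_member(group, tokens):
    """Map one tokenised member line onto the module's parameter names."""
    key, args = tokens[0], tokens[1:]
    if key == "description":
        group["description"] = " ".join(args)
    elif key == "group-object":
        group.setdefault("group_object", []).append(args[0])
    elif key == "network-object":
        net = group.setdefault("network_object", {})
        if args[0] in ("host", "object"):
            net.setdefault(args[0], []).append(args[1])
        elif "/" in args[0]:                  # IPv6 prefix
            net.setdefault("ipv6_address", []).append(args[0])
        else:                                 # IPv4 "address netmask" pair
            net.setdefault("address", []).append(" ".join(args[:2]))
    elif key == "port-object":
        ports = group.setdefault("port_object", [])
        if args[0] == "eq":
            ports.append({"eq": args[1]})
        elif args[0] == "range":
            ports.append({"range": {"start": args[1], "end": args[2]}})
    elif key == "user":                       # "user DOMAIN\\name"
        domain, _, user = args[0].partition("\\")
        users = group.setdefault("user_object", {}).setdefault("user", [])
        users.append({"name": user, "domain": domain})

NET_FORMATS = {"host": "network-object host {}", "object": "network-object object {}",
               "address": "network-object {}", "ipv6_address": "network-object {}"}

def network_replace_commands(parsed, desired):
    """Simplified model of state: replaced for one network object-group: remove every
    member not in `desired`, add every missing one, and leave other groups alone."""
    groups = next((t["object_groups"] for t in parsed if t["object_type"] == "network"), [])
    have = next((g for g in groups if g["name"] == desired["name"]), {})
    cmds = [f"object-group network {desired['name']}"]
    if desired.get("description") and desired["description"] != have.get("description"):
        cmds.append(f"description {desired['description']}")
    have_net, want_net = have.get("network_object", {}), desired.get("network_object", {})
    for kind, fmt in NET_FORMATS.items():
        cmds += ["no " + fmt.format(v) for v in have_net.get(kind, []) if v not in want_net.get(kind, [])]
        cmds += [fmt.format(v) for v in want_net.get(kind, []) if v not in have_net.get(kind, [])]
    return cmds

if __name__ == "__main__":
    state = parse_object_groups(SAMPLE_RUNNING_CONFIG)
    print("\n".join(network_replace_commands(state, DESIRED_TEST_OG_NETWORK)))
```

Running it prints the `object-group network test_og_network` block with the `no network-object ...` lines for the two hosts and the 192.0.2.0/24 entry that the Replaced example also removes, followed by the one host to add. Feeding the parser the output of a saved `show running-config object-group` is the same idea as passing `running_config` to the module: the comparison happens offline, so you can review what `replaced` or `overridden` would remove before any change reaches the firewall.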
Return Values
Common return values are documented here; the following are the fields unique to this module:
| Key | Description |
|---|---|
| after | The configuration as structured data after module completion. Returned: when changed. |
| before | The configuration as structured data prior to module invocation. Returned: always. |
| commands | The set of commands pushed to the remote device. Returned: always. |
