Solved: How to use ansible ios_acl module to merge a list of ACL's

DAVID · ‎03-28-2023

I have an extended access list and for simplicity sake I will say it is lines 1 to 10. I want to add lines 11 to 15 to the existing extended ACL using the ios_acl module for Ansible. I need to be able to loop through each acl I have in the playbook so that each rule will be appended to the end of the list of ACLs. Here is my playbook but since I am still learning, I am at a loss as to the simplest way to accomplish my task.

---

- name: Merge Access Lists

hosts: Router

gather_facts: False

connection: network_cli

vars:

acl_name: pos-to-wan

acl_rules:

- name: 911

action: permit

source: any

destination: 198.22.203.230

port_protocol: 443

- name: 912

action: permit

source: any

destination: 209.236.103.70

port_protocol: 443

- name: 913

action: permit

source: any

destination: 198.22.206.247

port_protocol: 22

- name: 914

action: permit

source: any

destination: 198.22.206.247

port_protocol: 990

- name: 915

action: permit

source: any

destination: 198.22.206.247

range: 64000 645000

- name: 916

action: permit

source: any

destination: 209.236.103.119

port_protocol: 22

- name: 917

action: permit

source: any

destination: 209.236.103.119

port_protocol: 990

- name: 918

action: permit

source: any

destination: 209.236.103.119

range: 64000 645000

tasks:

- name: Merge Access List Rules

cisco.ios.ios_acls:

config:

name: "{{ acl_name }}"

rules:

- "{{ item }}"

state: merged

loop: "{{ acl_rules }}"

- name: Resequence Access List

ios_config:

lines: ip access-list resequence pos-to-wan 10 10

- name: Save Running config

ios_config:

save_when: modified

Marcel Zehnder · ‎03-28-2023

Hi David

If you want to add addional entries to the ACL I think you can do it without a loop, just align the dicts in your "acl_rules" variable to the schema of the dict used in the Ansible module (https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html):

- name: Merge Access Lists
  hosts: Router
  gather_facts: false
  vars:
    acl_name: pos-to-wan
    acl_rules:
      - sequence: 911
        grant: permit
        source:
          any: true
        destination: 
          host: 198.22.203.230
          port_protocol: 
            eq: 443
        protocol: tcp
      - sequence: 912
        grant: permit
        source:
          any: true
        destination: 
          host: 209.236.103.70
          port_protocol: 
            eq: 443
        protocol: tcp
      - sequence: 913
        grant: permit
        source:
          any: true
        destination: 
          host: 198.22.206.247  
          port_protocol: 
            eq: 22
        protocol: tcp
  tasks:
    - name: Merge Access List Rules
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls: 
              - name: "{{ acl_name }}"
                acl_type: extended
                aces: "{{ acl_rules }}"

HTH
Marcel

View solution in original post

Marcel Zehnder · ‎03-28-2023

Hi David

If you want to add addional entries to the ACL I think you can do it without a loop, just align the dicts in your "acl_rules" variable to the schema of the dict used in the Ansible module (https://docs.ansible.com/ansible/latest/collections/cisco/ios/ios_acls_module.html):

- name: Merge Access Lists
  hosts: Router
  gather_facts: false
  vars:
    acl_name: pos-to-wan
    acl_rules:
      - sequence: 911
        grant: permit
        source:
          any: true
        destination: 
          host: 198.22.203.230
          port_protocol: 
            eq: 443
        protocol: tcp
      - sequence: 912
        grant: permit
        source:
          any: true
        destination: 
          host: 209.236.103.70
          port_protocol: 
            eq: 443
        protocol: tcp
      - sequence: 913
        grant: permit
        source:
          any: true
        destination: 
          host: 198.22.206.247  
          port_protocol: 
            eq: 22
        protocol: tcp
  tasks:
    - name: Merge Access List Rules
      cisco.ios.ios_acls:
        config:
          - afi: ipv4
            acls: 
              - name: "{{ acl_name }}"
                acl_type: extended
                aces: "{{ acl_rules }}"

HTH
Marcel

DAVID · ‎03-29-2023

Thanks for all your help. With a few changes, I was able to accomplish the task that I was after. Here is my revised file:

gather_facts: False

connection: network_cli

vars:

acl_name: pos-to-wan

acl_rules:

- sequence: 911

grant: permit

protocol: tcp

source:

any: true

destination:

host: 198.22.206.230

port_protocol:

eq: 443

- sequence: 912

grant: permit

protocol: tcp

source:

any: true

destination:

host: 209.236.103.70

port_protocol:

eq: 443

- sequence: 913

grant: permit

protocol: tcp

source:

any: true

destination:

host: 198.22.206.247

port_protocol:

eq: 22

- sequence: 914

grant: permit

protocol: tcp

source:

any: true

destination:

host: 198.22.206.247

port_protocol:

eq: 990

- sequence: 915

grant: permit

protocol: tcp

source:

any: true

destination:

host: 198.22.206.247

port_protocol:

range:

start: 64000

end: 64500

- sequence: 916

grant: permit

protocol: tcp

source:

any: true

destination:

host: 209.236.103.119

port_protocol:

eq: 22

- sequence: 917

grant: permit

protocol: tcp

source:

any: true

destination:

host: 209.236.103.119

port_protocol:

eq: 990

- sequence: 918

grant: permit

protocol: tcp

source:

any: true

destination:

host: 209.236.103.119

port_protocol:

range:

start: 64000

end: 64500

tasks:

- name: Merge Access List Rules

cisco.ios.ios_acls:

config:

- afi: ipv4

acls:

- name: "{{ acl_name }}"

acl_type: extended

aces: "{{ acl_rules }}"

- name: Resequence Access List

ios_config:

lines: ip access-list resequence pos-to-wan 10 10

- name: Save Running config

ios_config:

save_when: modified

netdood · ‎08-16-2024

This is not idempotent (always reports changed status) for me, was it for you guys?