access: limit OIDs exposed over SNMP

Define a custom SNMP group with read access only to fields we need.

For D-Link switches, modifying the group must be handled the same as
user, i.e. the group (and user) must be removed and readded.

Untested for FS S5800.

roles/access/tasks/fs.yml

@@ -4,11 +4,11 @@
 
 - name: Get existing SNMP users
   set_fact:
-    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
-    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+    current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+    target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
 
 - name: Remove existing SNMP user to reset password
-  when: "snmp_current and snmp_target is not in snmp_current"
+  when: "current_user and target_user is not in current_user"
   block:
     - name: Remove SNMP user
       ansible.netcommon.cli_config:
@@ -19,14 +19,14 @@
       notify: write config
 
     - set_fact:
-        snmp_current: false
+        current_user: false
 
 - name: Create SNMP user
-  when: "not snmp_current"
+  when: "not current_user"
   ansible.netcommon.cli_config:
     config: "{{ item }}"
   loop:
-    - "{{ snmp_target }}"
+    - "{{ target_user }}"
     - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
   no_log: true
   notify: write config