7 changed files with 29 additions and 77 deletions
--- a/inventory.sh
+++ b/inventory.sh
@ -0,0 +1,11 @@
+#!/bin/sh
+
+# use this wrapper as your inventory if you have ansible-vault secrets in some config context
+
+# thank you Dameon Wagner you magnificent beast
+# https://github.com/netbox-community/ansible_modules/discussions/551
+
+# remove this file if/when this gets to your computer
+# https://github.com/netbox-community/ansible_modules/pull/1114
+
+ANSIBLE_ASK_VAULT_PASS=no ansible-inventory -i inventory.yml "${@}"
--- a/roles/access/tasks/d-link.yml
+++ b/roles/access/tasks/d-link.yml
@ -4,43 +4,22 @@

 - name: Generate SNMP passwords
  delegate_to: localhost
-  command: >
-    snmpv3-hashgen --yaml
-        --engine {{ snmp_engine_id }}
-        --user {{ manager.snmp_user }}
-        --auth {{ manager.snmp_pass }}
-        --priv {{ manager.snmp_pass }}
-        --hash sha1
+  command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
  check_mode: false
  changed_when: false
-  no_log: true
  register: snmp_config

 - name: Get SNMP password hash
  set_fact:
    snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'

-# check if the SNMP user and group we want to set differ from current switch config
-# in this case we have to remove them before trying to chane password or settings
- name: Define SNMP user and group configuration commands
+- name: Get SNMP users
  set_fact:
-    target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
-    target_group: "snmp-server group public v3  priv read public "
-
- name: Get existing SNMP user and group entries from switch
-  set_fact:
-    current_user: "{{ ansible_net_config | split('\n')
-        | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
-    current_group: "{{ ansible_net_config | split('\n')
-        | select('match', '^snmp-server group public v3') }}"
-
- name: Check if existing SNMP user and/or group should be removed
-  set_fact:
-    remove_user: "{{ current_user and target_user is not in current_user }}"
-    remove_group: "{{ current_group and target_group is not in current_group }}"
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
+    snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "

 - name: Remove existing SNMP user to reset password
-  when: remove_user or remove_group # can’t change group with existing users
+  when: 'snmp_current and snmp_target is not in snmp_current'
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
@ -48,28 +27,10 @@
      notify: write config

    - set_fact:
-        current_user: false
-
- name: Remove existing SNMP group to change parameters
-  when: remove_group
-  block:
-    - name: Remove existing SNMP group
-      ansible.netcommon.cli_config:
-        config: 'no snmp-server group public v3 priv'
-      notify: write config
-
-    - set_fact:
-        current_group: false
-
-# create new SNMP user and group
- name: Create SNMP group and user
-  when: not current_group
-  ansible.netcommon.cli_config:
-    config: '{{ target_group }}'
-  notify: write config
+        snmp_current: false

 - name: Create SNMP user
-  when: not current_user
+  when: 'not snmp_current'
  ansible.netcommon.cli_config:
-    config: '{{ target_user }}'
+    config: '{{ snmp_target }}'
  notify: write config
--- a/roles/access/tasks/fs-s5860-48xmg-u.yml
+++ b/roles/access/tasks/fs-s5860-48xmg-u.yml
@ -4,16 +4,9 @@

 - name: Generate SNMP passwords
  delegate_to: localhost
-  command: >
-    snmpv3-hashgen --yaml
-        --engine {{ snmp_engine_id }}
-        --user {{ manager.snmp_user }}
-        --auth {{ manager.snmp_pass }}
-        --priv {{ manager.snmp_pass }}
-        --hash sha1
+  command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
  check_mode: false
  changed_when: false
-  no_log: true
  register: snmp_config

 - name: Get SNMP password hash
--- a/roles/access/tasks/fs.yml
+++ b/roles/access/tasks/fs.yml
@ -4,11 +4,11 @@

 - name: Get existing SNMP users
  set_fact:
-    current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
-    target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "

 - name: Remove existing SNMP user to reset password
-  when: "current_user and target_user is not in current_user"
+  when: "snmp_current and snmp_target is not in snmp_current"
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
@ -19,14 +19,14 @@
      notify: write config

    - set_fact:
-        current_user: false
+        snmp_current: false

 - name: Create SNMP user
-  when: "not current_user"
+  when: "not snmp_current"
  ansible.netcommon.cli_config:
    config: "{{ item }}"
  loop:
-    - "{{ target_user }}"
+    - "{{ snmp_target }}"
    - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
  no_log: true
  notify: write config
--- a/roles/access/templates/config-d-link.j2
+++ b/roles/access/templates/config-d-link.j2
@ -112,11 +112,7 @@ snmp-server name {{ inventory_hostname }}
 snmp-server location {{ rack }}
 {# SNMP engine ID must be exactly 24 hex digits #}
 snmp-server engineID local {{ snmp_engine_id }}
-{# limit MIBs exposed over SNMP #}
-snmp-server view public 1.3.6.1.2.1.1 included {# system +#}
-snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#}
-snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#}
-snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#}
+snmp-server group public v3  priv read CommunityView

 sntp enable
 {% for address in ntp %}
--- a/roles/access/templates/config-fs-s5800-48t4s.j2
+++ b/roles/access/templates/config-fs-s5800-48t4s.j2
@ -17,11 +17,7 @@ vlan database
 snmp-server enable
 snmp-server system-location {{ rack }}
 snmp-server engineID {{ snmp_engine_id }}
-snmp-server view public included 1.3.6.1.2.1.1 {# system +#}
-snmp-server view public included 1.3.6.1.2.1.2 {# interfaces +#}
-snmp-server view public included 1.3.6.1.2.1.17.7 {# qBridgeMIB +#}
-snmp-server view public included 1.3.6.1.2.1.31 {# ifMIB +#}
-snmp-server access public security-model usm priv read public
+snmp-server access public security-model usm priv read _all_

 {# sort to ensure LAG interfaces are added last #}
 {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}
--- a/roles/access/templates/config-fs-s5860-48xmg-u.j2
+++ b/roles/access/templates/config-fs-s5860-48xmg-u.j2
@ -58,9 +58,4 @@ interface {{ iface.name }}

 enable service snmp-agent
 snmp-server location {{ rack }}
-{# limit MIBs exposed over SNMP #}
-snmp-server view public 1.3.6.1.2.1.1 include {# system +#}
-snmp-server view public 1.3.6.1.2.1.2 include {# interfaces +#}
-snmp-server view public 1.3.6.1.2.1.17.7 include {# qBridgeMIB +#}
-snmp-server view public 1.3.6.1.2.1.31 include {# ifMIB +#}
-snmp-server group public v3 priv read public
+snmp-server group public v3 priv read default