inventory.sh

@@ -0,0 +1,11 @@
+#!/bin/sh
+
+# use this wrapper as your inventory if you have ansible-vault secrets in some config context
+
+# thank you Dameon Wagner you magnificent beast
+# https://github.com/netbox-community/ansible_modules/discussions/551
+
+# remove this file if/when this gets to your computer
+# https://github.com/netbox-community/ansible_modules/pull/1114
+
+ANSIBLE_ASK_VAULT_PASS=no ansible-inventory -i inventory.yml "${@}"

roles/access/tasks/d-link.yml

@@ -4,43 +4,22 @@
 
 - name: Generate SNMP passwords
   delegate_to: localhost
-  command: >
+  command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
-    snmpv3-hashgen --yaml
-        --engine {{ snmp_engine_id }}
-        --user {{ manager.snmp_user }}
-        --auth {{ manager.snmp_pass }}
-        --priv {{ manager.snmp_pass }}
-        --hash sha1
   check_mode: false
   changed_when: false
-  no_log: true
   register: snmp_config
 
 - name: Get SNMP password hash
   set_fact:
     snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'
 
-# check if the SNMP user and group we want to set differ from current switch config
+- name: Get SNMP users
-# in this case we have to remove them before trying to chane password or settings
-- name: Define SNMP user and group configuration commands
   set_fact:
-    target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
-    target_group: "snmp-server group public v3  priv read public "
+    snmp_target: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
-
-- name: Get existing SNMP user and group entries from switch
-  set_fact:
-    current_user: "{{ ansible_net_config | split('\n')
-        | select('match', '^snmp-server user '+manager.snmp_user+' public v3') }}"
-    current_group: "{{ ansible_net_config | split('\n')
-        | select('match', '^snmp-server group public v3') }}"
-
-- name: Check if existing SNMP user and/or group should be removed
-  set_fact:
-    remove_user: "{{ current_user and target_user is not in current_user }}"
-    remove_group: "{{ current_group and target_group is not in current_group }}"
 
 - name: Remove existing SNMP user to reset password
-  when: remove_user or remove_group # can’t change group with existing users
+  when: 'snmp_current and snmp_target is not in snmp_current'
   block:
     - name: Remove SNMP user
       ansible.netcommon.cli_config:
@@ -48,28 +27,10 @@
       notify: write config
 
     - set_fact:
-        current_user: false
+        snmp_current: false
-
-- name: Remove existing SNMP group to change parameters
-  when: remove_group
-  block:
-    - name: Remove existing SNMP group
-      ansible.netcommon.cli_config:
-        config: 'no snmp-server group public v3 priv'
-      notify: write config
-
-    - set_fact:
-        current_group: false
-
-# create new SNMP user and group
-- name: Create SNMP group and user
-  when: not current_group
-  ansible.netcommon.cli_config:
-    config: '{{ target_group }}'
-  notify: write config
 
 - name: Create SNMP user
-  when: not current_user
+  when: 'not snmp_current'
   ansible.netcommon.cli_config:
-    config: '{{ target_user }}'
+    config: '{{ snmp_target }}'
   notify: write config

roles/access/tasks/fs-s5860-48xmg-u.yml

@@ -4,16 +4,9 @@
 
 - name: Generate SNMP passwords
   delegate_to: localhost
-  command: >
+  command: 'snmpv3-hashgen --yaml --user {{ manager.snmp_user }} --auth {{ manager.snmp_pass }} --priv {{ manager.snmp_pass }} --hash sha1 --engine {{ snmp_engine_id }}'
-    snmpv3-hashgen --yaml
-        --engine {{ snmp_engine_id }}
-        --user {{ manager.snmp_user }}
-        --auth {{ manager.snmp_pass }}
-        --priv {{ manager.snmp_pass }}
-        --hash sha1
   check_mode: false
   changed_when: false
-  no_log: true
   register: snmp_config
 
 - name: Get SNMP password hash

roles/access/tasks/fs.yml

@@ -4,11 +4,11 @@
 
 - name: Get existing SNMP users
   set_fact:
-    current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
+    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user '+manager.snmp_user) }}"
-    target_user: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
+    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
 
 - name: Remove existing SNMP user to reset password
-  when: "current_user and target_user is not in current_user"
+  when: "snmp_current and snmp_target is not in snmp_current"
   block:
     - name: Remove SNMP user
       ansible.netcommon.cli_config:
@@ -19,14 +19,14 @@
       notify: write config
 
     - set_fact:
-        current_user: false
+        snmp_current: false
 
 - name: Create SNMP user
-  when: "not current_user"
+  when: "not snmp_current"
   ansible.netcommon.cli_config:
     config: "{{ item }}"
   loop:
-    - "{{ target_user }}"
+    - "{{ snmp_target }}"
     - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
   no_log: true
   notify: write config

roles/access/templates/config-d-link.j2

@@ -112,11 +112,7 @@ snmp-server name {{ inventory_hostname }}
 snmp-server location {{ rack }}
 {# SNMP engine ID must be exactly 24 hex digits #}
 snmp-server engineID local {{ snmp_engine_id }}
-{# limit MIBs exposed over SNMP #}
+snmp-server group public v3  priv read CommunityView
-snmp-server view public 1.3.6.1.2.1.1 included {# system +#}
-snmp-server view public 1.3.6.1.2.1.2 included {# interfaces +#}
-snmp-server view public 1.3.6.1.2.1.17.7 included {# qBridgeMIB +#}
-snmp-server view public 1.3.6.1.2.1.31 included {# ifMIB +#}
 
 sntp enable
 {% for address in ntp %}

roles/access/templates/config-fs-s5800-48t4s.j2

@@ -17,11 +17,7 @@ vlan database
 snmp-server enable
 snmp-server system-location {{ rack }}
 snmp-server engineID {{ snmp_engine_id }}
-snmp-server view public included 1.3.6.1.2.1.1 {# system +#}
+snmp-server access public security-model usm priv read _all_
-snmp-server view public included 1.3.6.1.2.1.2 {# interfaces +#}
-snmp-server view public included 1.3.6.1.2.1.17.7 {# qBridgeMIB +#}
-snmp-server view public included 1.3.6.1.2.1.31 {# ifMIB +#}
-snmp-server access public security-model usm priv read public
 
 {# sort to ensure LAG interfaces are added last #}
 {% for iface in interfaces | sort(attribute="type.value") | sort(attribute="mgmt_only") %}

roles/access/templates/config-fs-s5860-48xmg-u.j2

@@ -58,9 +58,4 @@ interface {{ iface.name }}
 
 enable service snmp-agent
 snmp-server location {{ rack }}
-{# limit MIBs exposed over SNMP #}
+snmp-server group public v3 priv read default
-snmp-server view public 1.3.6.1.2.1.1 include {# system +#}
-snmp-server view public 1.3.6.1.2.1.2 include {# interfaces +#}
-snmp-server view public 1.3.6.1.2.1.17.7 include {# qBridgeMIB +#}
-snmp-server view public 1.3.6.1.2.1.31 include {# ifMIB +#}
-snmp-server group public v3 priv read public