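# Configure the SNMPv3 user and group for the manager named by `snmp_manager`,
# comparing against the switch configuration held in `ansible_net_config`.
#
# The password read from the password store and the keys derived from it are
# credentials. Every task that handles them sets `no_log: true` so they do not
# appear in task output, callback plugins or logs (including with -v).

- name: Get secrets for SNMP manager
  ansible.builtin.set_fact:
    manager: '{{ lookup("passwordstore", "host/"+snmp_manager.name, returnall=true, missing="empty") | from_yaml }}'
  no_log: true

# missing="empty" turns an absent password store entry into an empty value.
# Fail here with a clear message instead of running the hash generator with
# missing arguments. Only the expressions are reported, never the values.
- name: Check that the password store entry provides SNMP credentials
  ansible.builtin.assert:
    that:
      - manager is mapping
      - manager.snmp_user | default('', true) | string | length > 0
      - manager.snmp_pass | default('', true) | string | length > 0
    fail_msg: 'Password store entry for the SNMP manager lacks snmp_user or snmp_pass'
    quiet: true

# argv passes each value as exactly one argument, so a password containing
# spaces or quotes is not re-split the way the free-form command string was.
# NOTE(review): the password is still a process argument and is visible in
# the controller's process list while the command runs. If snmpv3-hashgen
# offers an input method that keeps it off the command line, prefer that.
# `--hash sha1` has to stay in step with the `auth sha` keyword used in
# target_user below.
- name: Generate SNMP passwords
  delegate_to: localhost
  ansible.builtin.command:
    argv:
      - 'snmpv3-hashgen'
      - '--yaml'
      - '--user'
      - '{{ manager.snmp_user }}'
      - '--auth'
      - '{{ manager.snmp_pass }}'
      - '--priv'
      - '{{ manager.snmp_pass }}'
      - '--hash'
      - 'sha1'
      - '--engine'
      - '{{ snmp_engine_id }}'
  check_mode: false
  changed_when: false
  no_log: true
  register: snmp_config

- name: Get SNMP password hash
  ansible.builtin.set_fact:
    snmp_hashes: '{{ (snmp_config.stdout | from_yaml).snmpv3.hashes }}'
  no_log: true

# Check if the SNMP user and group we want to set differ from the current
# switch config. In that case we have to remove them before trying to change
# the password or settings.
#
# The trailing space in both commands is kept as written: the comparison
# further down is an exact match against config lines, so it presumably
# mirrors how the switch prints them (confirm on the device).
# priv[:32] keeps only the first 32 characters of the privacy hash;
# presumably the key length the switch expects (confirm).
- name: Define SNMP user and group configuration commands
  ansible.builtin.set_fact:
    target_user: "snmp-server user {{ manager.snmp_user }} public v3 encrypted auth sha {{ snmp_hashes.auth }} priv {{ snmp_hashes.priv[:32] }} "
    target_group: "snmp-server group public v3 priv read public "
  no_log: true

# `| list` materialises the lazy result of `select`, so the facts are real
# lists and an empty match is reliably falsy in the conditions below.
# The matched user line carries the keys currently set on the switch.
- name: Get existing SNMP user and group entries from switch
  ansible.builtin.set_fact:
    current_user: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server user '+manager.snmp_user+' public v3') | list }}"
    current_group: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server group public v3') | list }}"
  no_log: true

- name: Check if existing SNMP user and/or group should be removed
  ansible.builtin.set_fact:
    remove_user: "{{ current_user and target_user is not in current_user }}"
    remove_group: "{{ current_group and target_group is not in current_group }}"

- name: Remove existing SNMP user to reset password
  when: remove_user or remove_group  # can't change group with existing users
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
        config: 'no snmp-server user {{ manager.snmp_user }} public v3'
      notify: write config

    # Mark the user as absent so the create task below adds it again.
    - name: Record that the SNMP user no longer exists
      ansible.builtin.set_fact:
        current_user: false

- name: Remove existing SNMP group to change parameters
  when: remove_group
  block:
    - name: Remove existing SNMP group
      ansible.netcommon.cli_config:
        config: 'no snmp-server group public v3 priv'
      notify: write config

    # Mark the group as absent so the create task below adds it again.
    - name: Record that the SNMP group no longer exists
      ansible.builtin.set_fact:
        current_group: false

# Create new SNMP user and group.
# Despite its name, the first task only pushes the group command; the user
# is created by the task after it.
- name: Create SNMP group and user
  when: not current_group
  ansible.netcommon.cli_config:
    config: '{{ target_group }}'
  notify: write config

# target_user contains the derived auth and priv keys, so keep the pushed
# command out of the task output.
- name: Create SNMP user
  when: not current_user
  ansible.netcommon.cli_config:
    config: '{{ target_user }}'
  no_log: true
  notify: write config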