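# Manage the SNMPv3 USM user for the SNMP manager: read its credentials from
# the password store, compare the desired user line with the running config,
# and remove/recreate the user when the two differ.
#
# NOTE(review): snmp_user and snmp_pass are interpolated into CLI lines
# unescaped. A space or newline in a stored value would change the command
# sent to the device; validate the password-store entry format.

- name: Get secrets for SNMP manager
  ansible.builtin.set_fact:
    # NOTE(review): missing='empty' returns an empty value when the entry is
    # absent, so `manager` would presumably be empty and the tasks below
    # would fail on manager.snmp_user. Confirm that this is the intended
    # failure mode.
    manager: "{{ lookup('passwordstore', 'host/'+snmp_manager.name, returnall=true, missing='empty') | from_yaml }}"
  # The fact holds the SNMP credentials; keep it out of task output and logs.
  no_log: true

- name: Get existing SNMP users
  ansible.builtin.set_fact:
    # Config lines for exactly this user: the name is regex-escaped and must
    # be followed by a space or end of line, so "monitor" does not also
    # select "monitor2". `| list` materialises the filter result so the
    # truthiness and membership tests below operate on a real list.
    snmp_current: "{{ ansible_net_config | split('\n') | select('match', '^snmp-server usm-user ' + (manager.snmp_user | regex_escape) + '( |$)') | list }}"
    # Desired config line (the trailing space is part of the compared value).
    # NOTE(review): the same secret is used for the authentication and the
    # privacy key, and privacy uses DES, a weak cipher. If the platform
    # supports AES privacy and separate secrets, prefer those; confirm
    # device support before changing.
    snmp_target: "snmp-server usm-user {{ manager.snmp_user }} authentication sha {{ manager.snmp_pass }} privacy des {{ manager.snmp_pass }} "
  # snmp_target embeds the password, so this task must not be logged either.
  no_log: true

# NOTE(review): the comparison assumes the running config shows the user line
# exactly as written in snmp_target. If the device stores hashed or encrypted
# keys, the lines never match and the user is reset on every run. Confirm
# against real device output.
- name: Remove existing SNMP user to reset password
  when: "snmp_current and snmp_target is not in snmp_current"
  block:
    - name: Remove SNMP user
      ansible.netcommon.cli_config:
        config: "{{ item }}"
      loop:
        - "no snmp-server usm-user {{ manager.snmp_user }}"
        - "no snmp-server group public user {{ manager.snmp_user }} security-model usm"
      notify: write config

    # Mark the user as absent so the create task below runs.
    - name: Mark SNMP user as removed
      ansible.builtin.set_fact:
        snmp_current: false

- name: Create SNMP user
  when: "not snmp_current"
  ansible.netcommon.cli_config:
    config: "{{ item }}"
  loop:
    - "{{ snmp_target }}"
    - "snmp-server group public user {{ manager.snmp_user }} security-model usm"
  # Loop items contain the password.
  no_log: true
  notify: write config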