#ARP/MAV support

violet dirge
#

Hello!

I've done some hunting but can't find any information about potential support for managing Multi Admin Verification and Anti-ransomware protection via Ansible.

https://docs.netapp.com/us-en/ontap/multi-admin-verify/
https://docs.netapp.com/us-en/ontap/anti-ransomware/

Is that something you have any links/pointers/info about?

All the best,
Pete

weary forge
violet dirge
#

Thank you for the links - I will keep an eye on those feature requests. If it's easy to give a couple of examples with the restit module that would be good - but I'm also happy to wait for it to appear as its own module if that's not too far down the roadmap.

weary forge
#

Someone from NetApp has to answer for the roadmap part.

#

Here is my example; it was part of a bigger playbook. I have to split it into multiple posts as uploading files is not working here.

```yaml
vars:
  mav:
    enabled: true
    approver:
      - user1
      - user2
      - user3
      - user4
      - user5
    approval_group: Team-Name
    approval_op_unwanted:
      - "set"
      - "security login unlock"
      - "security login password"
    approval_op_wanted:
      - "cluster peer delete"
      - "volume delete"
      - "volume snapshot delete"
      - "volume snapshot policy modify"
      - "volume snapshot policy modify-schedule"
      - "volume snapshot policy remove-schedule"
      - "vserver peer delete"
    mailaddress:
      - team@domain.local

tasks:

  - name: Get Multi-Admin Verify Status
    netapp.ontap.na_ontap_restit:
      api: security/multi-admin-verify
      method: GET
    changed_when: false
    register: mav_status
    tags: mav

  - block:

      - name: Get Multi-Admin Verify unwanted default rules
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/rules
          method: GET
          query:
            system_defined: false
            operation: "{{ mav.approval_op_unwanted | join('|') }}"
        changed_when: false
        register: mav_rules_unwanted

      - name: Delete unwanted default Multi-Admin Verify rules (non-idempotent REST call)
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/rules/{{ item.owner.uuid }}/{{ item.operation | replace(' ', '+') }}
          method: DELETE
        loop: "{{ mav_rules_unwanted.response.records }}"
        loop_control:
          label: "{{ item.operation }}"

      - name: Get Multi-Admin Verify wanted rules
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/rules
          method: GET
          query:
            system_defined: false
            operation: "{{ mav.approval_op_wanted | join('|') }}"
        changed_when: false
        register: mav_rules_wanted
```

#

```yaml
      # continuation of the block started in the previous post
      - name: Create Multi-Admin Verify rules (non-idempotent REST call)
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/rules
          method: POST
          body:
            operation: "{{ item }}"
        loop: "{{ mav.approval_op_wanted }}"
        when: "item not in (mav_rules_wanted.response.records | map(attribute='operation'))"

      - name: Get Multi-Admin Verify approval-group
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/approval-groups
          method: GET
          query:
            name: "{{ mav.approval_group }}"
        changed_when: false
        register: mav_group

      - name: Create Multi-Admin Verify approval-group (non-idempotent REST call)
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/approval-groups
          method: POST
          body:
            email: "{{ mav.mailaddress }}"
            approvers: "{{ mav.approver }}"
            name: "{{ mav.approval_group }}"
        when: mav_group.response.num_records == 0
        register: mav_group_created

      - name: Modify Multi-Admin Verify approval-group (non-idempotent REST call)
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify/approval-groups/{{ mav_group.response.records[0].owner.uuid }}/{{ mav.approval_group }}
          method: PATCH
          body:
            email: "{{ mav.mailaddress }}"
            approvers: "{{ mav.approver }}"
        when: not mav_group_created.changed

      - name: Enable Multi-Admin Verify (non-idempotent REST call)
        netapp.ontap.na_ontap_restit:
          api: security/multi-admin-verify
          method: PATCH
          body:
            approval_groups:
              - "{{ mav.approval_group }}"
            enabled: true

    # condition of block statement
    when:
      - mav.enabled
      - not mav_status.response.enabled
```

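
A read-only drift check that could run after the playbook above, as an added example that is not part of the original posts: it reuses the same `mav` variables and REST endpoints to confirm that MAV is enabled, every wanted rule exists, no unwanted rule remains and the approval group is present. The `mav_verify` tag and the `mav_check_*` register names are hypothetical, and connection settings are assumed to come from the surrounding playbook as in the original.

```yaml
# Added example, not from the original posts. Makes GET requests only.
- name: Verify Multi-Admin Verify configuration
  when: mav.enabled
  tags: mav_verify          # hypothetical tag name
  block:

    - name: Read Multi-Admin Verify status
      netapp.ontap.na_ontap_restit:
        api: security/multi-admin-verify
        method: GET
      changed_when: false
      register: mav_check_status

    - name: Read rules for every operation the playbook manages
      netapp.ontap.na_ontap_restit:
        api: security/multi-admin-verify/rules
        method: GET
        query:
          system_defined: false
          operation: "{{ (mav.approval_op_wanted + mav.approval_op_unwanted) | join('|') }}"
      changed_when: false
      register: mav_check_rules

    - name: Read the approval group
      netapp.ontap.na_ontap_restit:
        api: security/multi-admin-verify/approval-groups
        method: GET
        query:
          name: "{{ mav.approval_group }}"
      changed_when: false
      register: mav_check_group

    - name: Fail when the cluster has drifted from the intended MAV state
      vars:
        present_ops: "{{ mav_check_rules.response.records | map(attribute='operation') | list }}"
        missing_ops: "{{ mav.approval_op_wanted | difference(present_ops) }}"
        leftover_ops: "{{ mav.approval_op_unwanted | intersect(present_ops) }}"
      ansible.builtin.assert:
        that:
          - mav_check_status.response.enabled
          - missing_ops | length == 0
          - leftover_ops | length == 0
          - mav_check_group.response.num_records == 1
        fail_msg: >-
          MAV drift detected: enabled={{ mav_check_status.response.enabled }},
          missing rules={{ missing_ops }}, unwanted rules still present={{ leftover_ops }},
          approval groups found={{ mav_check_group.response.num_records }}
```
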
violet dirge
#

Thank you for this - it looks very useful!