Include latest changes for templates and backup and restore (#17)

* add playbooks for backup & restore device templates with policies

* include security changes for scorecard

* bump setuptools for security scorecard

* mark false positives for secret

* playbooks for running config b&r

* ansible lint

* use galaxy versions and add note for release

* update reqs

* add workflow for requirements verification

* updated azure reqs and docs fix

* update workflows

.ansible-lint

@@ -12,6 +12,7 @@ profile: production
 exclude_paths:
   - playbooks/aws/results/*
   - playbooks/azure/results/*
+  - .github/workflows/requirements.yml
 # parseable: true
 # quiet: true
 # strict: true
@@ -21,6 +22,10 @@ verbosity: 1
 mock_modules:
   - cisco.catalystwan.wait_for_api_server
   - azure.azcollection.azure_rm_account_info
+  - cisco.catalystwan.device_templates_recovery
+  - cisco.catalystwan.cli_templates
+  - cisco.catalystwan.device_templates
+  - cisco.catalystwan.devices_info
 #   - zuul_return
 #   # note the foo.bar is invalid as being neither a module or a collection
 #   - fake_namespace.fake_collection.fake_module
@@ -43,6 +48,7 @@ mock_roles:
   - cisco.catalystwan.vmanage_mode
   - cisco.catalystwan.health_checks
 
+
 #   - mocked_role
 #   - author.role_name # old standalone galaxy role
 #   - fake_namespace.fake_collection.fake_role # role within a collection

.github/workflows/galaxy-importer.yml

@@ -12,17 +12,19 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   galaxy-importer:
     runs-on:
       - ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 

.github/workflows/linters.yml

@@ -7,6 +7,8 @@ on:
     branches:
       - main
 
+permissions: read-all
+
 jobs:
   analyze-code:
     runs-on: ubuntu-latest
@@ -19,22 +21,22 @@ jobs:
 
     steps:
       - name: Check out the repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 
-      - uses: isort/isort-action@master
+      - uses: isort/isort-action@f14e57e1d457956c45a19c05a89cccdf087846e5 # v1.1.0
         with:
           requirementsFiles: "requirements.txt"
 
       - name: Run check-yaml, end-of-file-fixer, trailing-whitespace
-        uses: pre-commit/[email protected].0
+        uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd # v3.0.1
 
       - name: Run ansible-lint
-        uses: ansible/ansible-lint@main
+        uses: ansible/ansible-lint@95382d398ea1744bf6bfa47b030f14c38b3f6957 # v24.7.0
 
       - name: Install detect-secrets
         run: pip install detect-secrets==1.4.0

.github/workflows/release-from-tag.yml

@@ -5,17 +5,19 @@ on:
     tags:
       - 'v*.*.*'
 
+permissions: read-all
+
 jobs:
   publish-release:
     runs-on:
       - ubuntu-latest
 
     steps:
       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
 
       - name: Set up Python
-        uses: actions/setup-python@v5
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
         with:
           python-version: '3.10'
 

.github/workflows/requirements.yml

@@ -0,0 +1,33 @@
+# .github/workflows/requirements.yml
+name: requirements.txt combatibility
+
+on:
+  pull_request:
+
+  push:
+    branches:
+      - main
+
+permissions: read-all
+
+jobs:
+  install-requirements:
+    runs-on: ubuntu-latest
+
+    strategy:
+      matrix:
+        python-version: ['3.10', '3.11', '3.12']
+
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7
+
+      - name: Set up Python ${{ matrix.python-version }}
+        uses: actions/setup-python@39cd14951b08e74b54015e9e001cdefcf80e669f # v5.1.1
+        with:
+          python-version: ${{ matrix.python-version }}
+
+      - name: Install dependencies
+        run: |
+          python -m pip install --upgrade pip
+          pip install -r requirements.txt --no-deps

.github/workflows/scorecard.yml

@@ -23,7 +23,7 @@ jobs:
     permissions:
       id-token: write
       security-events: write
-    secrets: inherit
+    secrets: inherit  # pragma: allowlist secret
     with:
       # Publish results of Scorecard analysis
       publish-results: true

README.md

@@ -42,7 +42,12 @@ By leveraging these Ansible resources, [ansible-collection-sdwan](https://github
 
 - Automate Deployment: Roll out and provision Cisco SD-WAN controllers and edge devices with minimal manual intervention using [SDWAN Deployment](https://github.com/cisco-open/ansible-collection-sdwan-deployment) roles.
 - Onboarding of Controllers and Edge Devices: Simplify the process of integrating controllers and edge devices into the Cisco SD-WAN fabric, using automated deployment with PnP (Plug-and-Play), using [ansible-collection-catalystwan](https://github.com/cisco-open/ansible-collection-catalystwan) modules and roles.
-- Workflow for Upgrades: Structured workflow that automates the upgrade process for controllers and edge devices.
+- Workflow for Upgrades: Structured workflow that automates the upgrade process for controllers and edge devices. See [example playbook for upgrades](./playbooks/software_upgrades_with_remote_server.yml)
+- Workflows for backup and restore:
+  - Backup Device configuration (includes Device Templates, Policies, Feature Templates). See [backup device configuration](./playbooks/backup_restore/backup_device_configuration.yml)
+  - Restore Device configuration (includes Device Templates, Policies, Feature Templates). See [restore device configuration](./playbooks/backup_restore/restore_device_configuration.yml)
+  - Backup running config (cli templates). See [backup running config](./playbooks/backup_restore/backup_running_config.yml)
+  - Restore running config (cli templates). See [restore running config](./playbooks/backup_restore/restore_running_config.yml)
 
 [ansible-collection-sdwan](https://github.com/cisco-open/ansible-collection-sdwan) illustrates the power of Ansible's modularity and the significant benefits of using roles, custom modules, and collections for automating network operations. It stands as an indispensable resource for organizations looking to implement Infrastructure as Code (IaC) within their network infrastructure and embrace a more agile and DevOps-oriented approach to network management.
 

docs/CONTRIBUTING.md

@@ -26,3 +26,11 @@ Select one from [issue form](https://github.com/cisco-open/ansible-collection-sd
 ### Create PR
 
 When you're finished with the changes, create a pull request, also known as a PR.
+
+---
+
+## Release process
+
+According to [release workflow inside .github workflows](../.github/workflows/release-from-tag.yml) collection publication to Ansible Galaxy will happen when admin of the repository will push new tag.
+This tag must match version used in [galaxy.yml](../galaxy.yml) file.
+Release will happen only if desired version was not published on Ansible Galaxy yet.

galaxy.yml

@@ -1,6 +1,6 @@
 namespace: cisco
 name: sdwan
-version: 0.1.0
+version: 0.2.0
 readme: README.md
 authors:
   - Arkadiusz Cichon <[email protected]>

playbooks/backup_restore/backup_device_configuration.yml

@@ -0,0 +1,22 @@
+# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# NOTE: This is example playbook that requires following variables:
+# manager_authentication: url, username, password
+# backup_dir_path
+
+- name: Example playbook with task to backup Device Templates with Policies and Feature Templates
+  hosts: localhost
+  gather_facts: false
+  vars:
+    manager_authentication: &manager_authentication
+      url: # your manager url
+      username: # your manager username
+      password: # your manager password
+  tasks:
+    - name: Perform backup of all non factory default Device Templates (no filters == backup non factory default)
+      cisco.catalystwan.device_templates_recovery:
+        mode: backup
+        # backup_dir_path: # path to create backup directory that will store exported configuration
+        manager_credentials:
+          <<: *manager_authentication

playbooks/backup_restore/backup_running_config.yml

@@ -0,0 +1,23 @@
+# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+
+- name: Example playbook for backup of running config
+  hosts: localhost
+  gather_facts: false
+  vars:
+    manager_authentication: &manager_authentication
+      url: # your manager url
+      username: # your manager username
+      password: # your manager password
+  tasks:
+    - name: Backup running-config for all c8000V devices with default backup dir (in CWD)
+      cisco.catalystwan.devices_info:
+        backup: true
+        backup_dir_path: # your backup bath
+        filters:
+          personality: "vedge"
+        manager_credentials:
+          <<: *manager_authentication
+      register: backup_info

playbooks/backup_restore/restore_device_configuration.yml

@@ -0,0 +1,22 @@
+# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+# NOTE: This is example playbook that requires following variables:
+# manager_authentication: url, username, password
+# backup_dir_path
+
+- name: Example playbook with task to restore Device Templates with Policies and Feature Templates
+  hosts: localhost
+  gather_facts: false
+  vars:
+    manager_authentication: &manager_authentication
+      url: # your manager url
+      username: # your manager username
+      password: # your manager password
+  tasks:
+    - name: Restore configuration from provided backup directory
+      cisco.catalystwan.device_templates_recovery:
+        mode: restore
+        # backup_dir_path: # path to backup directory from which templates will be imported
+        manager_credentials:
+          <<: *manager_authentication

playbooks/backup_restore/restore_running_config.yml

@@ -0,0 +1,41 @@
+# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+
+- name: Testing playbook to verify backup & restore operations
+  hosts: localhost
+  gather_facts: false
+  vars_files:
+    - configuration_file_dev_vars.yml
+  vars:
+    manager_authentication: &manager_authentication
+      url: # your manager url
+      username: # your manager username
+      password: # your manager password
+  tasks:
+    - name: Using backup files, create CLI templates for each Edge device
+      cisco.catalystwan.cli_templates:
+        state: present
+        template_name: "backup-template-{{ device_item.filename }}"
+        template_description: "Template for {{ device_item.hostname }} created from backup file."
+        config_file: "{{ device_item.backup_path }}"
+        device_model: vedge-C8000V
+        manager_credentials:
+          <<: *manager_authentication
+      loop: "{{ backup_info.backup_paths }}"
+      loop_control:
+        loop_var: device_item
+      when: backup_info.backup_paths | length > 0
+
+    - name: Attach backup templates to the Edge devices
+      cisco.catalystwan.device_templates:
+        state: attached
+        template_name: "backup-template-{{ device_item.filename }}"
+        hostname: "{{ device_item.hostname }}"
+        manager_credentials:
+          <<: *manager_authentication
+      loop: "{{ backup_info.backup_paths }}"
+      loop_control:
+        loop_var: device_item
+      when: backup_info.backup_paths | length > 0

requirements.txt

@@ -3,16 +3,17 @@ annotated-types==0.6.0
 ansible==9.5.1
 ansible-core==2.16.6
 applicationinsights==0.11.10
-argcomplete==1.12.3
+argcomplete==3.3.0
 args==0.1.0
 attrs==21.4.0
-azure-cli-core==2.34.0
-azure-cli-telemetry==1.0.6
+azure-cli-core==2.63.0
+azure-cli-nspkg==3.0.4
+azure-cli-telemetry==1.1.0
 azure-common==1.1.11
 azure-containerregistry==1.1.0
 azure-core==1.28.0
 azure-graphrbac==0.61.1
-azure-identity==1.7.0
+azure-identity==1.16.1
 azure-keyvault==4.2.0
 azure-keyvault-certificates==4.7.0
 azure-keyvault-keys==4.8.0
@@ -49,24 +50,25 @@ azure-mgmt-rdbms==10.0.0
 azure-mgmt-recoveryservices==2.0.0
 azure-mgmt-recoveryservicesbackup==3.0.0
 azure-mgmt-redis==13.0.0
-azure-mgmt-resource==21.1.0
+azure-mgmt-resource==23.0.0
 azure-mgmt-search==8.0.0
 azure-mgmt-servicebus==7.1.0
 azure-mgmt-sql==3.0.1
 azure-mgmt-storage==19.0.0
 azure-mgmt-trafficmanager==1.0.0b1
 azure-mgmt-web==6.1.0
 azure-nspkg==2.0.0
-azure-storage-blob==12.11.0
+azure-storage-blob==12.13.0
 bcrypt==4.1.2
 boto3==1.34.78
 botocore==1.34.78
-catalystwan==0.33.4
+catalystwan==0.34.0.dev2
 certifi==2024.2.2
 cffi==1.16.0
 charset-normalizer==3.3.2
 ciscoconfparse==1.9.41
 clint==0.5.1
+colorama==0.4.6
 cryptography==42.0.5
 Deprecated==1.2.14
 dnspython==2.6.1
@@ -78,18 +80,18 @@ idna==3.7
 isodate==0.6.1
 Jinja2==3.1.3
 jmespath==1.0.1
-knack==0.9.0
+knack==0.11.0
 loguru==0.7.2
 MarkupSafe==2.1.5
 mccabe==0.7.0
-msal==1.23.0
-msal-extensions==0.3.1
+msal==1.30.0
+msal-extensions==1.2.0
 msrest==0.7.1
 msrestazure==0.6.4
 netaddr==1.2.1
 oauthlib==3.2.2
-packaging==23.2
-paramiko==2.12.0
+packaging==21.3
+paramiko==3.4.0
 passlib==1.7.4
 pkginfo==1.10.0
 portalocker==1.7.1
@@ -107,12 +109,12 @@ pyparsing==3.1.2
 PySocks==1.7.1
 python-dateutil==2.9.0.post0
 PyYAML==6.0.1
-requests==2.31.0
+requests==2.32.2
 requests-oauthlib==2.0.0
 requests-toolbelt==1.0.0
 resolvelib==1.0.1
 s3transfer==0.10.1
-setuptools==69.5.1
+setuptools==72.1.0
 six==1.16.0
 tabulate==0.9.0
 tenacity==8.2.3