Run the Check Ready playbook

The check_ready.yml playbook will loop until the firewall is fully booted and able to pass traffic:

---
- hosts: lab_fw
  connection: local

  vars:
    device:
      ip_address: '{{ ip_address }}'
      username: '{{ username | default(omit) }}'
      password: '{{ password | default(omit) }}'
      api_key: '{{ api_key | default(omit) }}'

  vars_files:
    - creds.yml

  collections:
    - paloaltonetworks.panos

  tasks:
    - name: Check to see if device is ready
      panos_op:
        provider: '{{ device }}'
        cmd: 'show chassis-ready'
      changed_when: false
      register: result
      until: result is not failed and (result.stdout | from_json).response.result == 'yes'
      retries: 50
      delay: 30

Run the playbook with ansible-playbook:

ansible-playbook -i inventory check_ready.yml --ask-vault-pass

The file creds.yml contains the username and password for the firewall, but it is encrypted with ansible-vault. The --ask-vault-pass option will prompt us for the password to decrypt them. Use the following vault password for each playbook run:

P4loalto!

ansible-vault will then decrypt the credentials stored in creds.yml and supply them to the playbook run.

Output:

../_images/check-ready.png

Optional: Avoid typing vault password each time

You will have to type the vault password each time you want to decrypt creds.yml. If you get tired of that, create a file in your home directory called .vault_pass.txt containing just the vault password, and then export the ANSIBLE_VAULT_PASSWORD_FILE environment variable:

echo 'P4loalto!' > $HOME/.vault_pass.txt
export ANSIBLE_VAULT_PASSWORD_FILE=~/.vault_pass.txt
../_images/vault-pass.png

Now, you can leave the --ask-vault-pass option off of the ansible-playbook commands, and the credentials will be decrypted transparently each time.

../_images/check-ready-no-vault.png