Claude 1

sophos-xgs-ansible/roles/sophos_common/defaults/main.yml

@@ -0,0 +1,18 @@
+---
+# ============================================================================
+# Sophos Common Role - Default Variables
+# ============================================================================
+# These are default values that can be overridden in group_vars or host_vars.
+# ============================================================================
+
+# API connection defaults
+sophos_mgmt_port: 4444
+sophos_validate_certs: false
+sophos_api_timeout: 30
+
+# Retry settings
+sophos_api_retries: 3
+sophos_api_retry_delay: 5
+
+# Security settings
+sophos_no_log_sensitive: true

sophos-xgs-ansible/roles/sophos_common/tasks/main.yml

@@ -0,0 +1,130 @@
+---
+# ============================================================================
+# Sophos Common Role - Main Tasks
+# ============================================================================
+# This role performs common setup tasks for all Sophos XGS firewalls:
+#   - Validates required variables
+#   - Tests API connectivity
+#   - Authenticates to the firewall
+#   - Gathers basic system facts
+#
+# This role should always run first before other configuration roles.
+# ============================================================================
+
+- name: Validate required variables are defined
+  ansible.builtin.assert:
+    that:
+      - sophos_mgmt_host is defined
+      - sophos_mgmt_host | length > 0
+      - sophos_mgmt_port is defined
+      - (sophos_api_key is defined) or (sophos_api_username is defined and sophos_api_password is defined)
+    fail_msg: |
+      Required variables are missing for {{ inventory_hostname }}.
+      Please ensure the following are defined in host_vars:
+        - sophos_mgmt_host (management IP or hostname)
+        - sophos_mgmt_port (API port, default 4444)
+        - Authentication: either sophos_api_key OR (sophos_api_username AND sophos_api_password)
+    success_msg: "All required variables are defined for {{ inventory_hostname }}"
+  tags: ['validation']
+
+- name: Display firewall connection information
+  ansible.builtin.debug:
+    msg:
+      - "Connecting to Sophos XGS Firewall:"
+      - "  Hostname: {{ inventory_hostname }}"
+      - "  Management IP: {{ sophos_mgmt_host }}"
+      - "  API Port: {{ sophos_mgmt_port }}"
+      - "  Auth Method: {{ 'API Key' if sophos_api_key is defined else 'Username/Password' }}"
+      - "  Validate Certs: {{ sophos_validate_certs }}"
+  tags: ['always']
+
+# ============================================================================
+# Test API connectivity
+# ============================================================================
+
+- name: Test HTTPS connectivity to Sophos XGS API
+  ansible.builtin.wait_for:
+    host: "{{ sophos_mgmt_host }}"
+    port: "{{ sophos_mgmt_port }}"
+    timeout: 10
+    state: started
+  delegate_to: localhost
+  tags: ['validation', 'connectivity']
+
+- name: Display connectivity success
+  ansible.builtin.debug:
+    msg: "Successfully connected to {{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}"
+  tags: ['validation', 'connectivity']
+
+# ============================================================================
+# Authenticate and gather system information
+# ============================================================================
+
+- name: Authenticate to Sophos XGS firewall and retrieve system status
+  ansible.builtin.uri:
+    url: "https://{{ sophos_mgmt_host }}:{{ sophos_mgmt_port }}/webconsole/APIController?reqxml=<Request><Login><Username>{{ sophos_api_username }}</Username><Password>{{ sophos_api_password }}</Password></Login><Get><System/></Get></Request>"
+    method: POST
+    validate_certs: "{{ sophos_validate_certs }}"
+    headers:
+      Content-Type: "application/x-www-form-urlencoded"
+    return_content: true
+    status_code: [200, 201]
+    timeout: "{{ sophos_api_timeout }}"
+  register: sophos_system_info
+  no_log: "{{ sophos_no_log_sensitive }}"
+  retries: "{{ sophos_api_retries }}"
+  delay: "{{ sophos_api_retry_delay }}"
+  tags: ['authentication', 'facts']
+
+- name: Parse system information from API response
+  ansible.builtin.set_fact:
+    sophos_facts:
+      hostname: "{{ sophos_system_info.content | regex_search('<HostName>(.*?)</HostName>', '\\1') | first | default('unknown') }}"
+      serial_number: "{{ sophos_system_info.content | regex_search('<SerialNumber>(.*?)</SerialNumber>', '\\1') | first | default('unknown') }}"
+      firmware_version: "{{ sophos_system_info.content | regex_search('<FirmwareVersion>(.*?)</FirmwareVersion>', '\\1') | first | default('unknown') }}"
+      device_model: "{{ sophos_system_info.content | regex_search('<ApplianceModel>(.*?)</ApplianceModel>', '\\1') | first | default('unknown') }}"
+      uptime_days: "{{ sophos_system_info.content | regex_search('<Uptime>(.*?)</Uptime>', '\\1') | first | default('0') }}"
+  tags: ['facts']
+
+- name: Display Sophos XGS system information
+  ansible.builtin.debug:
+    msg:
+      - "======================================"
+      - "Sophos XGS System Information"
+      - "======================================"
+      - "Hostname: {{ sophos_facts.hostname }}"
+      - "Model: {{ sophos_facts.device_model }}"
+      - "Serial Number: {{ sophos_facts.serial_number }}"
+      - "Firmware Version: {{ sophos_facts.firmware_version }}"
+      - "Uptime: {{ sophos_facts.uptime_days }} days"
+  tags: ['facts']
+
+# ============================================================================
+# Check firmware version compatibility (optional warning)
+# ============================================================================
+
+- name: Check if firmware version is recent
+  ansible.builtin.debug:
+    msg: "WARNING: This automation was tested with firmware version 19.x and 20.x. Current version: {{ sophos_facts.firmware_version }}"
+  when:
+    - sophos_facts.firmware_version is defined
+    - not sophos_facts.firmware_version is match('^(19|20)\.')
+  tags: ['validation']
+
+# ============================================================================
+# Store authentication token for subsequent API calls (if using token-based auth)
+# ============================================================================
+
+- name: Store API authentication credentials for use in other roles
+  ansible.builtin.set_fact:
+    sophos_api_auth_header: "{{ sophos_api_key | default('') }}"
+    sophos_api_credentials:
+      username: "{{ sophos_api_username | default('') }}"
+      password: "{{ sophos_api_password | default('') }}"
+  no_log: "{{ sophos_no_log_sensitive }}"
+  tags: ['authentication']
+
+- name: Common role tasks completed successfully
+  ansible.builtin.debug:
+    msg: "Sophos common role completed for {{ inventory_hostname }}"
+  tags: ['always']

sophos-xgs-ansible/roles/sophos_common/vars/main.yml

@@ -0,0 +1,30 @@
+---
+# ============================================================================
+# Sophos Common Role - Internal Variables
+# ============================================================================
+# These variables are internal to the role and should not be overridden.
+# ============================================================================
+
+# API endpoint paths (Sophos XGS XML API)
+sophos_api_base_path: "/webconsole/APIController"
+
+# XML API request wrapper template
+sophos_api_request_template: |
+  <Request>
+    <Login>
+      <Username>{{ sophos_api_username }}</Username>
+      <Password>{{ sophos_api_password }}</Password>
+    </Login>
+    {{ api_request_body }}
+  </Request>
+
+# Supported firmware versions (for validation)
+sophos_supported_firmware_versions:
+  - "19.0"
+  - "19.5"
+  - "20.0"
+
+# Default HTTP headers for API requests
+sophos_api_default_headers:
+  Content-Type: "application/x-www-form-urlencoded"
+  Accept: "application/xml"