---
- name: CORRECT VTY-ACL ON CISCO DEVICES
  hosts: cisco
  connection: network_cli
  gather_facts: no

  tasks:

    - name: SAVE RUNNING-CONFIG TO NVRAM FOR RECOVERY IF NEEDED
      ios_config:
        save_when: always

    - name: Set the task_status var
      set_fact:
        task_status: "OK"

    - block:
      - name: UPDATE VTY-ACL ACCESS LIST
        ios_config:
          parents: ip access-list extended VTY-ACL
          lines:
            - permit tcp host {{ hostvars['ansible-1'].ansible_host }} any eq 22
            - permit tcp 172.16.0.0 0.15.255.255 any eq 22
            - permit tcp 192.168.0.0 0.0.255.255 any eq 22
            - permit tcp 10.0.0.0 0.255.255.255 any eq 22 log-input
            - deny   ip any any log-input
          match: exact
          replace: block
          before:
            - line vty 0 15
            - NO access-class VTY-ACL in
            - NO ip access-list extended VTY-ACL
          after:
            - line vty 0 15
            - access-class VTY-ACL in

      - name: CHECK IF SSH IS STILL ACCESSIABLE FROM NETWORK
        wait_for:
          host: "{{ inventory_hostname }}"
          port: 22
          state: started
          delay: 2
          timeout: 6
        ignore_errors: no
        

      - name: SSH TEST SUCCESSFUL.  SAVING RUNNING-CONFIG
        ios_config:
          save_when: always

      rescue:
        - name: UPDATE FAILED. ROLLING BACK CONFIG
          ios_command:
            commands:
                - configure replace nvram:startup-config force
        - set_fact:
            task_status: "ERROR"

      when: task_status == 'OK'