Your inventory doesn’t include any “mgmt” group, so I would expect a “skipping: no hosts matched” message. Also, missing the tasks: line. I’m going to assume you’ve left out some stuff in an effort to reduce irrelevant text…[subsequently fixed]
The real problem is, you’re targeting the host(s) in your “mgmt” group. The fact that you’re looping over names of hosts in your inventory doesn’t alter that fact. The variables available with each iteration of the task are still those associated with your target hosts.
Instead, you need to target the correct hosts – 'all:!mgmt' – and use delegate_to: to ensure that the task runs on one of your mgmt hosts, but targeting – and thus using the variables associated with – your non-mgmt hosts.
(N.B.: I’m not familiar with check_point.mgmt.cp_mgmt_install_policy, so I’m making some assumptions about things like the targets parameter for example.)
After thinking a bit (but not enough apparently), I’m not exactly sure about the connection: setting. That may need to be different on your mgmt host(s) vs the non-mgmt hosts. You’ll have to sort that out though. You can do that in group_vars, host_vars, inventory, or at the task level I think. I looked at a few docs, but came away more confused than informed. Fortunately for you, you actually have hosts to try various things on.
Do let us know what works in this case, b/c I think others would benefit from a working example.
I don’t have to execute anything on the individual inventory host in this case.
Actually, only a connection to the management server (mgmt) has to be made and the policy installation on the individual host is then triggered from there.
If I only include hosts in the inventory - which all have the same policy set and I then hardcode the policy set to the appropriate one - the playbook works.
I just wanted to bring in a little more dynamics.
This playbook is working, when I limit the playbook to the “cp_gaia” group in the inventory and the policy_package is set static to “pol_sat_gaia” …
That is, use task variables to set the variable explicitly from the corresponding host’s variables — even though you are targeting one of your "mgmt" hosts. (“One of” b/c of the "run_once:" bit; you don’t want to do it across more than one I don’t think.)
There are lots of ways to do things.
Some of them are right.
Some of them work.
Some of them are in both sets.
“Every tool is a hammer if you use it wrong enough.”
I went back to the delegate_to example and it works now. I can now control on which systems the policy should be installed. I think it looks very nice now.
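
The delegate_to pattern discussed in this thread, written out as an added example (not posted by anyone in the thread and not taken from the Check Point collection's documentation). The host names, the inventory layout, and the assumption that each gateway's inventory name matches its object name on the management server are constructed for illustration; the connection settings on the mgmt host are also an assumption and may need adjusting in your environment.

```yaml
# Added example; host names, groups and variable values are constructed.
# Assumed inventory (YAML form):
#   all:
#     children:
#       mgmt:
#         hosts:
#           cp-mgmt01:
#             ansible_connection: httpapi
#             ansible_network_os: check_point.mgmt.checkpoint
#       cp_gaia:
#         hosts:
#           gw-sat-01:
#         vars:
#           policy_package: pol_sat_gaia
- name: Install each gateway's own policy package via the management server
  hosts: 'all:!mgmt'      # target the gateways, so their variables are in scope
  gather_facts: false     # nothing is executed on the gateways themselves
  tasks:
    # Fail early rather than install an unintended or empty policy package.
    - name: Refuse to continue if a gateway has no policy package assigned
      ansible.builtin.assert:
        that:
          - policy_package is defined
          - policy_package | length > 0
        fail_msg: "{{ inventory_hostname }} has no policy_package variable"

    # The API call is made on the first mgmt host, but policy_package and
    # inventory_hostname still resolve per gateway.
    - name: Install policy on this gateway
      check_point.mgmt.cp_mgmt_install_policy:
        policy_package: "{{ policy_package }}"
        targets:
          - "{{ inventory_hostname }}"   # assumed to equal the gateway object name
        access: true
        threat_prevention: false
      delegate_to: "{{ groups['mgmt'] | first }}"
```

Running with `--limit cp_gaia` restricts the installation to that group while the API session still goes to the mgmt host.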