ansible-msp-automations/roles/pfsense_upgrade/tasks/carp_post.yml

# roles/pfsense_upgrade/tasks/carp_post.yml
# Handles CARP/HA post-upgrade logic: restore and verification.
# Only runs on primary after successful upgrade.

# Exit early if HA not needed
- name: "[CARP] Exit - No HA configured"
  ansible.builtin.meta: end_play
  when: ha_peer is not defined or ha_peer | length == 0

# Exit early if no upgrade available
- name: "[CARP] Exit - No upgrade available for this host"
  ansible.builtin.meta: end_play
  when: not (upgrade_available | default(false) | bool)

# ---------------------------------------------------------------------------
# Post-upgrade: restore CARP on primary and verify state
# ---------------------------------------------------------------------------
- name: "[CARP/primary] Re-enable CARP (exit maintenance mode)"
  ansible.builtin.raw: |
    php -r 'require_once("/etc/inc/interfaces.inc"); interfaces_carp_set_maintenancemode(false);'
  register: _carp_restore
  changed_when: true
  when:
    - ha_role == 'primary'
    - ha_peer is defined

- name: "[CARP/primary] Wait for CARP state to stabilize after restore"
  ansible.builtin.pause:
    seconds: 20
  when: 
    - ha_role == 'primary'
    - ha_peer is defined

- name: "[CARP/primary] Verify primary has reclaimed MASTER for all VIPs"
  ansible.builtin.raw: |
    php -r 'require_once("/etc/inc/config.inc"); require_once("/etc/inc/interfaces.inc"); $all_master = true; foreach(config_get_path("virtualip/vip", []) as $vip) { if ($vip["mode"] != "carp") continue; if (get_carp_interface_status("_vip" . $vip["uniqid"]) != "MASTER") { $all_master = false; break; } } echo $all_master ? "ALL_MASTER" : "NOT_ALL_MASTER";'
  register: _primary_carp_final
  changed_when: false
  when:
    - ha_role == 'primary'
    - ha_peer is defined

- name: "[CARP/primary] Warn if primary did not reclaim MASTER"
  ansible.builtin.debug:
    msg: >
      WARNING: Primary CARP state is '{{ _primary_carp_final.stdout }}' — expected ALL_MASTER.
      This may resolve on its own. Check CARP status on both nodes manually.
  when:
    - ha_role == 'primary'
    - ha_peer is defined
    - _primary_carp_final.stdout != "ALL_MASTER"

- name: "[CARP/primary] CARP state confirmed restored"
  ansible.builtin.debug:
    msg: "{{ inventory_hostname }} has reclaimed MASTER for all VIPs. HA pair is fully operational."
  when:
    - ha_role == 'primary'
    - ha_peer is defined
    - _primary_carp_final.stdout == "ALL_MASTER"