Scripts become a system when they’re inventory-driven, idempotent, safe, and version-controlled. Assemble the pieces into automation you can trust in production.
Why: real automation reads devices and their variables from an inventory file (YAML/JSON), so adding a device is a data change, not a code change — the same principle behind Ansible and Nornir. When: keep hosts, credentials references, and per-device variables in structured inventory under version control. Where: this separation is what lets one script scale to the whole fleet.
import yaml
inventory = yaml.safe_load(open("inventory.yaml"))
# inventory.yaml:
# devices:
# - name: SW1
# host: 192.168.1.1
# device_type: cisco_ios
# vars: { mgmt_vlan: 99 }
for dev in inventory["devices"]:
print("would configure", dev["name"], "at", dev["host"])Why: safe automation checks current state and changes only what differs (idempotent), previews changes before applying (dry-run/diff), and can revert (rollback) — so re-running is harmless and mistakes are recoverable. When: build these in from the start; they are what make automation trustworthy on production networks. Where: test every change against a lab (GNS3/EVE-NG) before it ever touches real gear.
IDEMPOTENT run it twice -> same result, no needless changes
DRY-RUN show the diff FIRST (NAPALM compare_config) -> approve
ROLLBACK keep a known-good config to revert to instantly
TEST run against a lab (GNS3/EVE-NG) before production
Golden rule: never let a script make a change it can't preview or undo.Why: automation has powerful access to the whole network, so credentials must live in a secrets manager (never in code or Git), a dedicated least-privilege account should run it, and every change must be logged and reviewable. When: apply these before automating anything that touches production. Where: configs and scripts in Git give you history, review, and rollback for the network itself.
import os
# Credentials from the environment or a secrets manager — never in code/Git:
password = os.environ["NET_AUTOMATION_PASS"]
# Checklist for production automation:
# [ ] secrets in a vault, not plaintext
# [ ] dedicated service account, least privilege
# [ ] all scripts + rendered configs in version control (Git)
# [ ] every automated change logged with who/what/when
# [ ] tested in a lab before production