Thanks for the quick response!  Is there a good resource for some examples of different policies in XML?  Or can you give a quick example of using ForEach to parse through the array returned by the list search?  I'm quite versed in Python, but completely new when it comes to using XML.  Thanks!

Thanks, also actually looking at the XML schema was very helpful.  I got the basic idea working (pasted below), but to just add to my learning, what would be the best way to

1. make sure the entries are in the same order as the list

2. make sure there are no extraneous entries on the list

Concatenating the array beforehand and looking for one chunk would solve both issues, just wondering if there is any way to do it while looping in the way below.  Just trying to learn all the options available, thanks!

<PolicyRuleLogic editor="raw-xml" xmlns='http://www.infoblox.com/NetworkAutomation/1.0/ScriptXml'>
  <Expr op='array' output='missing_ips'/>
  <ListSearch list-name='0-ACL-37' result-columns='ip' result-mode='all' search-columns='status'>
    <Expr value='active'/>
  </ListSearch>
  <ForEach>
    <Expr variable='ip'/>
    <Do>
      <If>
        <ConfigFileCheck op='contains-one'>
          <Expr op='concat'>
            <Expr value='^access-list 37 permit '/>
            <Expr variable='_loop_value'/>
          </Expr>
        </ConfigFileCheck>
        <Then>
        </Then>
        <Else>
          <Expr op='push'>
            <Expr variable='missing_ips'/>
            <Expr variable='_loop_value'/>
          </Expr>
        </Else>
      </If>
    </Do>
  </ForEach>
  <If>
    <Expr op='!='>
      <Expr op='size'>
        <Expr variable='missing_ips'/>
      </Expr>
      <Expr value='0'/>
    </Expr>
    <Then>
      <PolicyRuleFail>
        <Expr op='concat'>
          <Expr>These IPs are missing from SNMP access: </Expr>
          <Expr op='join'>
            <Expr variable='missing_ips'/>
            <Expr value=', '/>
          </Expr>
          <Expr value='.'/>
        </Expr>
      </PolicyRuleFail>
    </Then>
    <Else>
      <PolicyRulePass>The switch has all of the correct SNMP access entries.</PolicyRulePass>
    </Else>
  </If>
</PolicyRuleLogic>

In the github location John pointed out, a specific example that may help is the verify-users.xml rule which uses the valid_users.csv list.  It is a good example of looking up on the config to verify there are no list entries present and looking up on the list to ensure they all exist in the config.

https://github.com/infobloxopen/netmri-toolkit/tree/master/policy

Great, thats a good one (and that is the way I ended up doing it yesterday before checking that out).  

Not sure if I should put this one in a different thread, but can someone explain the match variables?  I see in that example there is _start_match_1.  Looking at another example I was trying to use _match_1, but that wasn't working, though using _match_0 did the trick.  (In both my script and the example it seemed like that would have been the very first match.)

Thanks for any clarity on that one!

Yes, this really should be explained in the online help but I didn't see it there.

If you have a regular expression match like this:

...
<Expr op='matches'>
   <Expr value='myfoobar barfoo123'/>
   <Expr value='foo(bar)? ([a-z]+)'/>
</Expr>
...

it will return true (unless I have a typo), and it will set the following global _match variables:

_match_pre - the text before the match, in this case "my"
_match - the entire match, in this case "foobar barfoo"
_match_0 - same as _match
_match_1 - the first capture (ie, in parentheses) match, in this case 'bar'
_match_2 - the second capture, in this case 'barfoo'
_match_post - the text after the match, in this case '123'
_match_array - an array where element 0 is _match_0, element 1 is _match_1, etc.

Of course if you have more than two capture groups, you'll get one _match_X for each.

In the ConfigBlockCheck, you can access the _start_match variables that are the result of the match in the starting regexp of the block, and in the case of the regexp block end method, you can access _end_match variables.

Note that these _match variables are global and are set on every regular expression evaluation so you'll need to save them off if you need them later.