diff options
Diffstat (limited to 'lib/ansible/modules/storage/netapp/na_ontap_firewall_policy.py')
-rw-r--r-- | lib/ansible/modules/storage/netapp/na_ontap_firewall_policy.py | 351 |
1 files changed, 0 insertions, 351 deletions
diff --git a/lib/ansible/modules/storage/netapp/na_ontap_firewall_policy.py b/lib/ansible/modules/storage/netapp/na_ontap_firewall_policy.py deleted file mode 100644 index ca58750881..0000000000 --- a/lib/ansible/modules/storage/netapp/na_ontap_firewall_policy.py +++ /dev/null @@ -1,351 +0,0 @@ -#!/usr/bin/python - -# (c) 2018-2019, NetApp, Inc -# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) - -from __future__ import absolute_import, division, print_function -__metaclass__ = type - -ANSIBLE_METADATA = {'metadata_version': '1.1', - 'status': ['preview'], - 'supported_by': 'certified'} - -DOCUMENTATION = ''' -module: na_ontap_firewall_policy -short_description: NetApp ONTAP Manage a firewall policy -version_added: '2.7' -author: NetApp Ansible Team (@carchi8py) <ng-ansibleteam@netapp.com> -description: - - Configure firewall on an ONTAP node and manage firewall policy for an ONTAP SVM -extends_documentation_fragment: - - netapp.na_ontap -requirements: - - Python package ipaddress. Install using 'pip install ipaddress' -options: - state: - description: - - Whether to set up a firewall policy or not - choices: ['present', 'absent'] - default: present - allow_list: - description: - - A list of IPs and masks to use. - - The host bits of the IP addresses used in this list must be set to 0. - policy: - description: - - A policy name for the firewall policy - service: - description: - - The service to apply the policy to - choices: ['dns', 'http', 'https', 'ndmp', 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet'] - vserver: - description: - - The Vserver to apply the policy to. - enable: - description: - - enable firewall on a node - choices: ['enable', 'disable'] - logging: - description: - - enable logging for firewall on a node - choices: ['enable', 'disable'] - node: - description: - - The node to run the firewall configuration on -''' - -EXAMPLES = """ - - name: create firewall Policy - na_ontap_firewall_policy: - state: present - allow_list: [1.2.3.0/24,1.3.0.0/16] - policy: pizza - service: http - vserver: ci_dev - hostname: "{{ netapp hostname }}" - username: "{{ netapp username }}" - password: "{{ netapp password }}" - - - name: Modify firewall Policy - na_ontap_firewall_policy: - state: present - allow_list: [1.5.3.0/24] - policy: pizza - service: http - vserver: ci_dev - hostname: "{{ netapp hostname }}" - username: "{{ netapp username }}" - password: "{{ netapp password }}" - - - name: Destroy firewall Policy - na_ontap_firewall_policy: - state: absent - policy: pizza - service: http - vserver: ci_dev - hostname: "{{ netapp hostname }}" - username: "{{ netapp username }}" - password: "{{ netapp password }}" - - - name: Enable firewall and logging on a node - na_ontap_firewall_policy: - node: test-vsim1 - enable: enable - logging: enable - hostname: "{{ netapp hostname }}" - username: "{{ netapp username }}" - password: "{{ netapp password }}" - -""" - -RETURN = """ -""" - -import traceback - -from ansible.module_utils.basic import AnsibleModule -from ansible.module_utils._text import to_native -import ansible.module_utils.netapp as netapp_utils -from ansible.module_utils.netapp_module import NetAppModule -try: - import ipaddress - HAS_IPADDRESS_LIB = True -except ImportError: - HAS_IPADDRESS_LIB = False - -import sys - -HAS_NETAPP_LIB = netapp_utils.has_netapp_lib() - - -class NetAppONTAPFirewallPolicy(object): - def __init__(self): - self.argument_spec = netapp_utils.na_ontap_host_argument_spec() - self.argument_spec.update(dict( - state=dict(required=False, choices=['present', 'absent'], default='present'), - allow_list=dict(required=False, type="list"), - policy=dict(required=False, type='str'), - service=dict(required=False, type='str', choices=['dns', 'http', 'https', 'ndmp', - 'ndmps', 'ntp', 'rsh', 'snmp', 'ssh', 'telnet']), - vserver=dict(required=False, type="str"), - enable=dict(required=False, type="str", choices=['enable', 'disable']), - logging=dict(required=False, type="str", choices=['enable', 'disable']), - node=dict(required=False, type="str") - )) - - self.module = AnsibleModule( - argument_spec=self.argument_spec, - required_together=(['policy', 'service', 'vserver'], - ['enable', 'node'] - ), - supports_check_mode=True - ) - - self.na_helper = NetAppModule() - self.parameters = self.na_helper.set_parameters(self.module.params) - - if HAS_NETAPP_LIB is False: - self.module.fail_json(msg="the python NetApp-Lib module is required") - else: - self.server = netapp_utils.setup_na_ontap_zapi(module=self.module) - - if HAS_IPADDRESS_LIB is False: - self.module.fail_json(msg="the python ipaddress lib is required for this module") - return - - def validate_ip_addresses(self): - ''' - Validate if the given IP address is a network address (i.e. it's host bits are set to 0) - ONTAP doesn't validate if the host bits are set, - and hence doesn't add a new address unless the IP is from a different network. - So this validation allows the module to be idempotent. - :return: None - ''' - for ip in self.parameters['allow_list']: - # create an IPv4 object for current IP address - if sys.version_info[0] >= 3: - ip_addr = str(ip) - else: - ip_addr = unicode(ip) # pylint: disable=undefined-variable - # get network address from netmask, throw exception if address is not a network address - try: - ipaddress.ip_network(ip_addr) - except ValueError as exc: - self.module.fail_json(msg='Error: Invalid IP address value for allow_list parameter.' - 'Please specify a network address without host bits set: %s' - % (to_native(exc))) - - def get_firewall_policy(self): - """ - Get a firewall policy - :return: returns a firewall policy object, or returns False if there are none - """ - net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-get-iter") - attributes = { - 'query': { - 'net-firewall-policy-info': self.firewall_policy_attributes() - } - } - net_firewall_policy_obj.translate_struct(attributes) - - try: - result = self.server.invoke_successfully(net_firewall_policy_obj, True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error getting firewall policy %s:%s" % (self.parameters['policy'], - to_native(error)), - exception=traceback.format_exc()) - - if result.get_child_by_name('num-records') and int(result.get_child_content('num-records')) >= 1: - attributes_list = result.get_child_by_name('attributes-list') - policy_info = attributes_list.get_child_by_name('net-firewall-policy-info') - ips = self.na_helper.get_value_for_list(from_zapi=True, - zapi_parent=policy_info.get_child_by_name('allow-list')) - return { - 'service': policy_info['service'], - 'allow_list': ips} - return None - - def create_firewall_policy(self): - """ - Create a firewall policy for given vserver - :return: None - """ - net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-create") - net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes()) - if self.parameters.get('allow_list'): - self.validate_ip_addresses() - net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False, - zapi_parent='allow-list', - zapi_child='ip-and-mask', - data=self.parameters['allow_list']) - ) - try: - self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error creating Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc()) - - def destroy_firewall_policy(self): - """ - Destroy a Firewall Policy from a vserver - :return: None - """ - net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-destroy") - net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes()) - try: - self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error destroying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc()) - - def modify_firewall_policy(self, modify): - """ - Modify a firewall Policy on a vserver - :return: none - """ - self.validate_ip_addresses() - net_firewall_policy_obj = netapp_utils.zapi.NaElement("net-firewall-policy-modify") - net_firewall_policy_obj.translate_struct(self.firewall_policy_attributes()) - net_firewall_policy_obj.add_child_elem(self.na_helper.get_value_for_list(from_zapi=False, - zapi_parent='allow-list', - zapi_child='ip-and-mask', - data=modify['allow_list'])) - try: - self.server.invoke_successfully(net_firewall_policy_obj, enable_tunneling=True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error modifying Firewall Policy: %s" % (to_native(error)), exception=traceback.format_exc()) - - def firewall_policy_attributes(self): - return { - 'policy': self.parameters['policy'], - 'service': self.parameters['service'], - 'vserver': self.parameters['vserver'], - } - - def get_firewall_config_for_node(self): - """ - Get firewall configuration on the node - :return: dict() with firewall config details - """ - if self.parameters.get('logging'): - if self.parameters.get('node') is None: - self.module.fail_json(msg='Error: Missing parameter \'node\' to modify firewall logging') - net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-get") - net_firewall_config_obj.add_new_child('node-name', self.parameters['node']) - try: - result = self.server.invoke_successfully(net_firewall_config_obj, True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error getting Firewall Configuration: %s" % (to_native(error)), - exception=traceback.format_exc()) - if result.get_child_by_name('attributes'): - firewall_info = result['attributes'].get_child_by_name('net-firewall-config-info') - return {'enable': self.change_status_to_bool(firewall_info.get_child_content('is-enabled'), to_zapi=False), - 'logging': self.change_status_to_bool(firewall_info.get_child_content('is-logging'), to_zapi=False)} - return None - - def modify_firewall_config(self, modify): - """ - Modify the configuration of a firewall on node - :return: None - """ - net_firewall_config_obj = netapp_utils.zapi.NaElement("net-firewall-config-modify") - net_firewall_config_obj.add_new_child('node-name', self.parameters['node']) - if modify.get('enable'): - net_firewall_config_obj.add_new_child('is-enabled', self.change_status_to_bool(self.parameters['enable'])) - if modify.get('logging'): - net_firewall_config_obj.add_new_child('is-logging', self.change_status_to_bool(self.parameters['logging'])) - try: - self.server.invoke_successfully(net_firewall_config_obj, enable_tunneling=True) - except netapp_utils.zapi.NaApiError as error: - self.module.fail_json(msg="Error modifying Firewall Config: %s" % (to_native(error)), - exception=traceback.format_exc()) - - def change_status_to_bool(self, input, to_zapi=True): - if to_zapi: - return 'true' if input == 'enable' else 'false' - else: - return 'enable' if input == 'true' else 'disable' - - def autosupport_log(self): - results = netapp_utils.get_cserver(self.server) - cserver = netapp_utils.setup_na_ontap_zapi(module=self.module, vserver=results) - netapp_utils.ems_log_event("na_ontap_firewall_policy", cserver) - - def apply(self): - self.autosupport_log() - cd_action, modify, modify_config = None, None, None - if self.parameters.get('policy'): - current = self.get_firewall_policy() - cd_action = self.na_helper.get_cd_action(current, self.parameters) - if cd_action is None and self.parameters['state'] == 'present': - modify = self.na_helper.get_modified_attributes(current, self.parameters) - if self.parameters.get('node'): - current_config = self.get_firewall_config_for_node() - # firewall config for a node is always present, we cannot create or delete a firewall on a node - modify_config = self.na_helper.get_modified_attributes(current_config, self.parameters) - - if self.na_helper.changed: - if self.module.check_mode: - pass - else: - if cd_action == 'create': - self.create_firewall_policy() - elif cd_action == 'delete': - self.destroy_firewall_policy() - else: - if modify: - self.modify_firewall_policy(modify) - if modify_config: - self.modify_firewall_config(modify_config) - self.module.exit_json(changed=self.na_helper.changed) - - -def main(): - """ - Execute action from playbook - :return: nothing - """ - cg_obj = NetAppONTAPFirewallPolicy() - cg_obj.apply() - - -if __name__ == '__main__': - main() |