diff --git a/lib/ansible/module_utils/fortios.py b/lib/ansible/module_utils/fortios.py new file mode 100644 index 0000000000..ce1cf7296b --- /dev/null +++ b/lib/ansible/module_utils/fortios.py @@ -0,0 +1,60 @@ +# This code is part of Ansible, but is an independent component. +# This particular file snippet, and this file snippet only, is BSD licensed. +# Modules you write using this snippet, which is embedded dynamically by Ansible +# still belong to the author of the module, and may assign their own license +# to the complete work. +# +# Copyright (c), Benjamin Jolivot , 2014 +# All rights reserved. +# +# Redistribution and use in source and binary forms, with or without modification, +# are permitted provided that the following conditions are met: +# +# * Redistributions of source code must retain the above copyright +# notice, this list of conditions and the following disclaimer. +# * Redistributions in binary form must reproduce the above copyright notice, +# this list of conditions and the following disclaimer in the documentation +# and/or other materials provided with the distribution. +# +# THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS "AS IS" AND +# ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED +# WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. +# IN NO EVENT SHALL THE COPYRIGHT HOLDER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, +# INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, +# PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS +# INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT +# LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE +# USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE. +# +import os +import time + + +fortios_argument_spec = dict( + host = dict(required=True ), + username = dict(required=True ), + password = dict(required=True, type='str', no_log=True ), + timeout = dict(type='int', default=60), + vdom = dict(type='str', default=None ), + backup = dict(type='bool', default=False), + backup_path = dict(type='path'), + backup_filename = dict(type='str'), +) + +fortios_required_if = [ + ['backup', True , ['backup_path'] ], +] + +def backup(module,running_config): + backup_path = module.params['backup_path'] + if not os.path.exists(backup_path): + try: + os.mkdir(backup_path) + except: + module.fail_json(msg="Can't create directory {0} Permission denied ?".format(backup_path)) + tstamp = time.strftime("%Y-%m-%d@%H:%M:%S", time.localtime(time.time())) + filename = '%s/%s_config.%s' % (backup_path, module.params['host'], tstamp) + try: + open(filename, 'w').write(running_config) + except: + module.fail_json(msg="Can't create backup file {0} Permission denied ?".format(filename)) diff --git a/lib/ansible/modules/network/fortios/__init__.py b/lib/ansible/modules/network/fortios/__init__.py new file mode 100644 index 0000000000..e69de29bb2 diff --git a/lib/ansible/modules/network/fortios/fortios_config.py b/lib/ansible/modules/network/fortios/fortios_config.py new file mode 100644 index 0000000000..1db65f2ee7 --- /dev/null +++ b/lib/ansible/modules/network/fortios/fortios_config.py @@ -0,0 +1,201 @@ +#!/usr/bin/python +# +# Ansible module to manage configuration on fortios devices +# (c) 2016, Benjamin Jolivot +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +ANSIBLE_METADATA = { + 'status': ['preview'], + 'supported_by': 'community', + 'version': '1.0' +} + +DOCUMENTATION = """ +--- +module: fortios_address +version_added: "2.3" +author: "Benjamin Jolivot (@bjolivot)" +short_description: Manage fortios firewall config +description: + - This module provides management of FortiOS Devices configuration. +extends_documentation_fragment: fortios +options: + src: + description: + - The I(src) argument provides a path to the configuration file + to load into the remote device. + filter: + description: + - Only for partial backup, you can restrict by giving expected configuration path (ex. firewall address). + default: "" +notes: + - This module requires pyFG python library +""" + +EXAMPLES = """ +- name: Backup current config + fortios_config: + host: 192.168.0.254 + username: admin + password: password + backup: yes + +- name: Backup only address objects + fortios_config: + host: 192.168.0.254 + username: admin + password: password + backup: yes + backup_path: /tmp/forti_backup/ + filter: "firewall address" + +- name: Update configuration from file + fortios_config: + host: 192.168.0.254 + username: admin + password: password + src: new_configuration.conf + +""" + +RETURN = """ +running_config: + description: full config string + returned: always + type: string +change_string: + description: The commands really executed by the module + returned: only if config changed + type: string +""" + + + +from ansible.module_utils.fortios import fortios_argument_spec, fortios_required_if +from ansible.module_utils.fortios import backup + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.pycompat24 import get_exception + + +#check for pyFG lib +try: + from pyFG import FortiOS, FortiConfig + from pyFG.fortios import logger + from pyFG.exceptions import CommandExecutionException, FailedCommit, ForcedCommit + HAS_PYFG=True +except: + HAS_PYFG=False + +# some blocks don't support update, so remove them +NOT_UPDATABLE_CONFIG_OBJECTS=[ + "vpn certificate local", +] + +def main(): + argument_spec = dict( + src = dict(type='str', default=None), + filter = dict(type='str', default=""), + ) + + argument_spec.update(fortios_argument_spec) + + required_if = fortios_required_if + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + required_if=required_if, + ) + + result = dict(changed=False) + + # fail if pyFG not present + if not HAS_PYFG: + module.fail_json(msg='Could not import the python library pyFG required by this module') + + #define device + f = FortiOS( module.params['host'], + username=module.params['username'], + password=module.params['password'], + timeout=module.params['username'], + vdom=module.params['vdom']) + + #connect + try: + f.open() + except: + module.fail_json(msg='Error connecting device') + + #get config + try: + f.load_config(path=module.params['filter']) + result['running_config'] = f.running_config.to_text() + + except: + module.fail_json(msg='Error reading running config') + + #backup config + if module.params['backup']: + backup(module, f.running_config.to_text()) + + + #update config + if module.params['src'] is not None: + #store config in str + try: + conf_str = open(module.params['src'], 'r').read() + f.load_config(in_candidate=True, config_text=conf_str) + except: + module.fail_json(msg="Can't open configuration file, or configuration invalid") + + #get updates lines + change_string = f.compare_config() + + #remove not updatable parts + c = FortiConfig() + c.parse_config_output(change_string) + + for o in NOT_UPDATABLE_CONFIG_OBJECTS: + c.del_block(o) + + change_string = c.to_text() + + if change_string != "": + result['change_string'] = change_string + result['changed'] = True + + #Commit if not check mode + if module.check_mode is False and change_string != "": + try: + f.commit(change_string) + except CommandExecutionException: + e = get_exception() + module.fail_json(msg="Unable to execute command, check your args, the error was {0}".format(e.message)) + except FailedCommit: + e = get_exception() + module.fail_json(msg="Unable to commit, check your args, the error was {0}".format(e.message)) + except ForcedCommit: + e = get_exception() + module.fail_json(msg="Failed to force commit, check your args, the error was {0}".format(e.message)) + + module.exit_json(**result) + +if __name__ == '__main__': + main() + diff --git a/lib/ansible/utils/module_docs_fragments/fortios.py b/lib/ansible/utils/module_docs_fragments/fortios.py new file mode 100644 index 0000000000..677089e3a3 --- /dev/null +++ b/lib/ansible/utils/module_docs_fragments/fortios.py @@ -0,0 +1,59 @@ +# +# (c) 2017, Benjamin Jolivot +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . +# + +class ModuleDocFragment(object): + + # Standard files documentation fragment + DOCUMENTATION = """ +options: + host: + description: + - Specifies the DNS hostname or IP address for connecting to the remote fortios device. + required: true + username: + description: + - Configures the username used to authenticate to the remote device. + required: true + password: + description: + - Specifies the password used to authenticate to the remote device. + required: true + timeout: + description: + - Timeout in seconds for connecting to the remote device. + default: 60 + vdom: + description: + - Specifies on which vdom to apply configuration + backup: + description: + - This argument will cause the module to create a backup of + the current C(running-config) from the remote device before any + changes are made. The backup file is written to the i(backup) + folder. + default: no + choices: ['yes', 'no'] + backup_path: + description: + - Specifies where to store backup files. Required if I(backup=yes). + backup_filename: + description: + - Specifies the backup filename. If omitted filename will be + formated like HOST_config.YYYY-MM-DD@HH:MM:SS +"""