From 8428f13bc1d495df70d2b93513b949f41209428c Mon Sep 17 00:00:00 2001
From: Abhijeet Kasurde
Date: Mon, 5 Feb 2018 22:24:28 +0530
Subject: [PATCH] VMware: add new module vmware_host_firewall_facts (#35467)
Signed-off-by: Abhijeet Kasurde
---
.../vmware/vmware_host_firewall_facts.py | 164 ++++++++++++++++++
.../vmware_host_firewall_facts/aliases | 3 +
.../vmware_host_firewall_facts/tasks/main.yml | 88 ++++++++++
3 files changed, 255 insertions(+)
create mode 100644 lib/ansible/modules/cloud/vmware/vmware_host_firewall_facts.py
create mode 100644 test/integration/targets/vmware_host_firewall_facts/aliases
create mode 100644 test/integration/targets/vmware_host_firewall_facts/tasks/main.yml
diff --git a/lib/ansible/modules/cloud/vmware/vmware_host_firewall_facts.py b/lib/ansible/modules/cloud/vmware/vmware_host_firewall_facts.py
new file mode 100644
index 0000000000..afa39ad2e4
--- /dev/null
+++ b/lib/ansible/modules/cloud/vmware/vmware_host_firewall_facts.py
@@ -0,0 +1,164 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# Copyright: (c) 2018, Abhijeet Kasurde +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: vmware_host_firewall_facts +short_description: Gathers facts about an ESXi host's firewall configuration information +description: +- This module can be used to gather facts about an ESXi host's firewall configuration information when ESXi hostname or Cluster name is given. +version_added: '2.5' +author: +- Abhijeet Kasurde (@akasurde) +notes: +- Tested on vSphere 6.5 +requirements: +- python >= 2.6 +- PyVmomi +options: + cluster_name: + description: + - Name of the cluster from which the ESXi host belong to. + - If C(esxi_hostname) is not given, this parameter is required. + esxi_hostname: + description: + - ESXi hostname to gather facts from. + - If C(cluster_name) is not given, this parameter is required. 
+extends_documentation_fragment: vmware.documentation +''' + +EXAMPLES = r''' +- name: Gather firewall facts about all ESXi Host in given Cluster + vmware_host_firewall_facts: + hostname: '{{ vcenter_hostname }}' + username: '{{ vcenter_username }}' + password: '{{ vcenter_password }}' + cluster_name: cluster_name + +- name: Gather firewall facts about ESXi Host + vmware_host_firewall_facts: + hostname: '{{ vcenter_hostname }}' + username: '{{ vcenter_username }}' + password: '{{ vcenter_password }}' + esxi_hostname: '{{ esxi_hostname }}' +''' + +RETURN = r''' +hosts_firewall_facts: + description: metadata about host's firewall configuration + returned: on success + type: dict + sample: { + "esxi_hostname_0001": [ + { + "allowed_hosts": { + "all_ip": true, + "ip_address": [] + }, + "enabled": true, + "key": "CIMHttpServer", + "rule": [ + { + "direction": "inbound", + "end_port": null, + "port": 5988, + "port_type": "dst", + "protocol": "tcp" + } + ], + "service": "sfcbd-watchdog" + }, + ] + } +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible.module_utils.vmware import vmware_argument_spec, PyVmomi + + +class FirewallFactsManager(PyVmomi): + def __init__(self, module): + super(FirewallFactsManager, self).__init__(module) + cluster_name = self.params.get('cluster_name', None) + esxi_host_name = self.params.get('esxi_hostname', None) + self.hosts = [] + if cluster_name: + cluster_obj = self.find_cluster_by_name(cluster_name=cluster_name) + if cluster_obj: + self.hosts = [host for host in cluster_obj.host] + else: + module.fail_json(changed=False, msg="Cluster '%s' not found" % cluster_name) + elif esxi_host_name: + esxi_host_obj = self.find_hostsystem_by_name(host_name=esxi_host_name) + if esxi_host_obj: + self.hosts = [esxi_host_obj] + else: + module.fail_json(changed=False, msg="ESXi '%s' not found" % esxi_host_name) + + @staticmethod + def normalize_rule_set(rule_obj): + rule_dict = dict() + rule_dict['key'] = rule_obj.key + 
rule_dict['service'] = rule_obj.service + rule_dict['enabled'] = rule_obj.enabled + rule_dict['rule'] = [] + + for rule in rule_obj.rule: + rule_set_dict = dict() + rule_set_dict['port'] = rule.port + rule_set_dict['end_port'] = rule.endPort + rule_set_dict['direction'] = rule.direction + rule_set_dict['port_type'] = rule.portType + rule_set_dict['protocol'] = rule.protocol + rule_dict['rule'].append(rule_set_dict) + + allowed_host = rule_obj.allowedHosts + rule_allow_host = dict() + rule_allow_host['ip_address'] = [ip for ip in allowed_host.ipAddress] + rule_allow_host['all_ip'] = allowed_host.allIp + rule_dict['allowed_hosts'] = rule_allow_host + return rule_dict + + def gather_host_firewall_facts(self): + hosts_firewall_facts = dict() + for host in self.hosts: + firewall_system = host.configManager.firewallSystem + if firewall_system: + hosts_firewall_facts[host.name] = [] + for rule_set_obj in firewall_system.firewallInfo.ruleset: + hosts_firewall_facts[host.name].append(self.normalize_rule_set(rule_obj=rule_set_obj)) + return hosts_firewall_facts + + +def main(): + argument_spec = vmware_argument_spec() + argument_spec.update( + cluster_name=dict(type='str', required=False), + esxi_hostname=dict(type='str', required=False), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + required_one_of=[ + ['cluster_name', 'esxi_hostname'], + ] + ) + + vmware_host_firewall = FirewallFactsManager(module) + module.exit_json(changed=False, hosts_firewall_facts=vmware_host_firewall.gather_host_firewall_facts()) + + +if __name__ == "__main__": + main() diff --git a/test/integration/targets/vmware_host_firewall_facts/aliases b/test/integration/targets/vmware_host_firewall_facts/aliases new file mode 100644 index 0000000000..6ee4e3d4f9 --- /dev/null +++ b/test/integration/targets/vmware_host_firewall_facts/aliases @@ -0,0 +1,3 @@ +posix/ci/cloud/group4/vcenter +cloud/vcenter + 
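Review bot: When both `cluster_name` and `esxi_hostname` are supplied, `FirewallFactsManager.__init__` takes the cluster branch and silently ignores the host, while `main()` only declares `required_one_of` and the DOCUMENTATION options say nothing about precedence; either add `mutually_exclusive=[['cluster_name', 'esxi_hostname']]` beside `required_one_of` in `main()` or state in the `esxi_hostname` description that `cluster_name` wins. `gather_host_firewall_facts` also drops a host from the result entirely when `host.configManager.firewallSystem` is falsy, so a consumer cannot tell "no firewall system on this host" from "host not in scope"; recording an empty list for that host, or noting the omission under RETURN, would make the contract explicit. `normalize_rule_set` and `gather_host_firewall_facts` carry no docstrings; a one-liner such as `"""Flatten one firewall ruleset object into a plain dict of key/service/enabled/rule/allowed_hosts."""` on the former and `"""Return {host_name: [normalized rulesets]} for every host with a firewallSystem."""` on the latter would document the shape callers receive. If `allowedHosts` can ever be absent on a ruleset, the unconditional `rule_obj.allowedHosts.ipAddress` access would raise — worth confirming against the API before this ships.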
diff --git a/test/integration/targets/vmware_host_firewall_facts/tasks/main.yml b/test/integration/targets/vmware_host_firewall_facts/tasks/main.yml
new file mode 100644
index 0000000000..4e6b04e168
--- /dev/null
+++ b/test/integration/targets/vmware_host_firewall_facts/tasks/main.yml
@@ -0,0 +1,88 @@ +# Test code for the vmware_host_firewall_facts module. +# Copyright: (c) 2018, Abhijeet Kasurde +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +- name: make sure pyvmomi is installed + pip: + name: pyvmomi + state: latest + when: "{{ ansible_user_id == 'root' }}" + +- name: store the vcenter container ip + set_fact: + vcsim: "{{ lookup('env', 'vcenter_host') }}" + +- debug: var=vcsim + +- name: Wait for Flask controller to come up online + wait_for: + host: "{{ vcsim }}" + port: 5000 + state: started + +- name: kill vcsim + uri: + url: http://{{ vcsim }}:5000/killall + +- name: start vcsim + uri: + url: http://{{ vcsim }}:5000/spawn?cluster=2 + register: vcsim_instance + +- debug: + var: vcsim_instance + +- name: Wait for vcsim server to come up online + wait_for: + host: "{{ vcsim }}" + port: 443 + state: started + +- name: get a list of Cluster from vcsim + uri: + url: http://{{ vcsim }}:5000/govc_find?filter=CCR + register: clusters + +- name: get a cluster + set_fact: + ccr1: "{{ clusters.json[0] | basename }}" + +- name: get a list of hosts from vcsim + uri: + url: http://{{ vcsim }}:5000/govc_find?filter=H + register: hosts + +- name: get a host + set_fact: + host1: "{{ hosts.json[0] | basename }}" + +- debug: var=ccr1 +- debug: var=host1 + +- name: Gather firewall facts for all ESXi host from given cluster + vmware_host_firewall_facts: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance.json.username }}" + password: "{{ vcsim_instance.json.password }}" + validate_certs: no + cluster_name: "{{ ccr1 }}" + register: firewall_0001_results + +- assert: + that: + - "not firewall_0001_results.changed" + - "firewall_0001_results.hosts_firewall_facts is defined" + +- name: Gather firewall facts for ESXi host + vmware_host_firewall_facts: + hostname: "{{ vcsim }}" + username: "{{ vcsim_instance.json.username }}" + password: "{{ vcsim_instance.json.password }}" + validate_certs: no + esxi_hostname: 
"{{ host1 }}" + register: firewall_0002_results + +- assert: + that: + - "not firewall_0002_results.changed" + - "firewall_0002_results.hosts_firewall_facts is defined"
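Review bot: The pip task's `when: "{{ ansible_user_id == 'root' }}"` wraps the conditional in Jinja delimiters, which `when` already evaluates as an expression and which Ansible flags with a warning; write `when: ansible_user_id == 'root'`. The same task installs pyvmomi with `state: latest`, so the version under test is whatever the package index serves on the day the job runs rather than a known one; if the run is meant to be reproducible, pin the version here. Both assert blocks only check that `hosts_firewall_facts` is defined, which passes even for an empty dict; if vcsim exposes a firewall system for its hosts, asserting `firewall_0001_results.hosts_firewall_facts | length > 0` would actually exercise the module's output.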