From babfe458521d4b753462de2b67a30d3fbf699b76 Mon Sep 17 00:00:00 2001 From: Jasper Aorangi Date: Thu, 16 Aug 2018 15:16:30 +1200 Subject: [PATCH] Add 'panos_set' module for pushing arbitrary commands to PAN-OS NVA's (#43339) * Add 'panos_set' module for pushing arbitrary commands to PAN-OS NVA devices --- .../modules/network/panos/panos_set.py | 162 ++++++++++++++++++ 1 file changed, 162 insertions(+) create mode 100644 lib/ansible/modules/network/panos/panos_set.py diff --git a/lib/ansible/modules/network/panos/panos_set.py b/lib/ansible/modules/network/panos/panos_set.py new file mode 100644 index 0000000000..7b6fba1143 --- /dev/null +++ b/lib/ansible/modules/network/panos/panos_set.py @@ -0,0 +1,162 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- +# +# Ansible module to manage PaloAltoNetworks Firewall +# (c) 2018, Jasper Mackenzie +# +# This file is part of Ansible +# +# Ansible is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# Ansible is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with Ansible. If not, see . + +DOCUMENTATION = ''' +--- +module: panos_set +short_description: Execute arbitrary commands on a PAN-OS device using XPath and element +description: + - Run an arbitrary 'xapi' command taking an XPath (i.e get) or XPath and element (i.e set). + - See https://github.com/kevinsteves/pan-python/blob/master/doc/pan.xapi.rst for details + - Runs a 'set' command by default + - This should support _all_ commands that your PAN-OS device accepts vi it's cli + - cli commands are found as + - Once logged in issue 'debug cli on' + - Enter configuration mode by issuing 'configure' + - Enter your set (or other) command, for example 'set deviceconfig system timezone Australia/Melbourne' + - returns + - > + "Australia/Melbourne + - The 'xpath' is "/config/devices/entry[@name='localhost.localdomain']/deviceconfig/system" + - The 'element' is "Australia/Melbourne" +author: "Jasper Mackenzie" +version_added: "2.7" +requirements: + - pan-python +options: + ip_address: + description: + - IP address or host FQDN of the target PAN-OS NVA + required: true + username: + description: + - User name for a user with admin rights on the PAN-OS NVA + default: admin + password: + description: + - Password for the given 'username' + required: true + command: + description: + - Xapi method name which supports 'xpath' or 'xpath' and 'element' + choices: + - set + - edit + - delete + - get + - show + - override + default: set + xpath: + description: + - The 'xpath' for the commands configurable + required: true + element: + description: + - The 'element' for the 'xpath' if required +extends_documentation_fragment: panos +''' + +EXAMPLES = ''' + +- name: Set timezone on PA NVA + panos_set: + ip_address: "192.168.1.1" + username: "my-random-admin" + password: "admin1234" + xpath: "/config/devices/entry/deviceconfig/system" + element: "Australia/Melbourne" + +- name: Commit configuration + panos_commit: + ip_address: "192.168.1.1" + username: "my-random-admin" + password: "admin1234" +''' + +RETURN = ''' +# Default return values +''' + +ANSIBLE_METADATA = {'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community'} + +from ansible.module_utils.basic import AnsibleModule + +try: + import pan.xapi + HAS_LIB = True +except ImportError: + HAS_LIB = False + + +def main(): + argument_spec = dict( + ip_address=dict(required=True), + password=dict(required=True, no_log=True), + username=dict(default='admin'), + command=dict(default='set', choices=['set', 'edit', 'delete', 'get', 'show', 'override']), + xpath=dict(required=True), + element=dict(default=None) + ) + module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=False) + if not HAS_LIB: + module.fail_json(msg='pan-python is required for this module') + + ip_address = module.params["ip_address"] + password = module.params["password"] + username = module.params['username'] + xpath = module.params['xpath'] + element = module.params['element'] + xcommand = module.params['command'] + + xapi = pan.xapi.PanXapi( + hostname=ip_address, + api_username=username, + api_password=password, + timeout=60 + ) + + if element is None: + # Issue command with no `element` + try: + getattr(xapi, xcommand)(xpath=xpath) + except Exception as e: + raise Exception("Failed to run '%s' with xpath: '%s' with the following error: %s" % + (xcommand, xpath, e)) + else: + # Issue command with `element` + try: + getattr(xapi, xcommand)(xpath=xpath, element=element) + except Exception as e: + raise Exception("Failed to run '%s' with xpath: '%s' and element '%s' with the following error: %s" % + (xcommand, xpath, element, e)) + + module.exit_json( + status="success" + ) + + +if __name__ == '__main__': + main()