---
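# Fixture: create the isolated network that the egress-rule tests attach
# their firewall rules to.
- name: network setup
  cs_network:
    name: "{{ cs_firewall_network }}"
    network_offering: DefaultIsolatedNetworkOfferingWithSourceNatService
    network_domain: example.com
    zone: "{{ cs_common_zone_adv }}"
  register: net
- name: verify network setup
  assert:
    that:
    # Jinja test syntax; the filter form (net|success) is deprecated.
    - net is success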

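# Fixture: acquire a public IP address for the ingress-rule tests.
# NOTE(review): the network name is hard-coded here, while the other tasks in
# this file use "{{ cs_firewall_network }}". If the two differ, this address
# lives outside the network that the final cleanup task removes and may be
# left allocated after the run. Confirm which network is intended.
- name: public ip address setup
  cs_ip_address:
    network: ansible test
    zone: "{{ cs_common_zone_adv }}"
  register: ip_address
- name: verify public ip address setup
  assert:
    that:
    - ip_address is success

# Keep the acquired address so every ingress rule below targets exactly this IP.
- name: set ip address as fact
  set_fact:
    cs_firewall_ip_address: "{{ ip_address.ip_address }}"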

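# Pre-test cleanup: make sure no ingress rule for port 80 is left on the test
# IP, so the "present" tests start from a known state.
- name: setup 80
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify setup
  assert:
    that:
    - fw is success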

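# Pre-test cleanup: remove any leftover UDP 5300-5333 ingress rule for the
# source range used by the tests below.
# NOTE(review): 1.2.3.4/24 has host bits set and is not a documentation range
# (e.g. 192.0.2.0/24); the later asserts compare against this exact string, so
# change it everywhere at once if it is ever replaced.
- name: setup 5300
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify setup
  assert:
    that:
    - fw is success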

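# Pre-test cleanup: remove any leftover allow-all egress rule on the test
# network.
- name: setup all
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify setup
  assert:
    that:
    - fw is success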

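# Negative test: called with no arguments, the module must fail instead of
# guessing which IP or network to open. The `action:` form invokes the module
# without any arguments. ignore_errors keeps the play running so the assert
# can check the failure and its exact message.
- name: test fail if missing params
  action: cs_firewall
  register: fw
  ignore_errors: true
- name: verify results of fail if missing params
  assert:
    that:
    - fw is failed
    - "fw.msg == 'one of the following is required: ip_address,network'"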

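# Negative test: an IP address alone is not enough. Per the asserted message
# the protocol in effect is 'tcp', which requires a port, so the module must
# fail rather than create a rule covering every port.
- name: test fail if missing params
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  ignore_errors: true
- name: verify results of fail if missing params
  assert:
    that:
    - fw is failed
    - "fw.msg == \"missing required argument for protocol 'tcp': start_port or end_port\""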

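# Negative test: an egress rule with neither ip_address nor network must be
# rejected with the same "one of the following is required" message.
- name: test fail if missing params network egress
  cs_firewall:
    type: egress
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  ignore_errors: true
- name: verify results of fail if missing params ip_address
  assert:
    that:
    - fw is failed
    - "fw.msg == 'one of the following is required: ip_address,network'"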

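# Check mode (dry run): the module must report that it would create the
# port 80 ingress rule.
- name: test present firewall rule ingress 80 in check mode
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  check_mode: true
- name: verify results of present firewall rule ingress 80 in check mode
  assert:
    that:
    - fw is success
    - fw is changed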

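# Create the port 80 ingress rule. No protocol, cidr or type is passed; the
# asserts pin the values that come back: tcp, ingress and cidr 0.0.0.0/0.
# Security note: the 0.0.0.0/0 default means the port is reachable from any
# source. That is acceptable on a throwaway test IP; playbooks for real
# systems should pass an explicit cidr.
- name: test present firewall rule ingress 80
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule ingress 80
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Compare against the variable itself: "{{ ... }}" inside a condition
    # pastes the value into the expression text before it is evaluated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "tcp"
    - fw.start_port == 80
    - fw.end_port == 80
    - fw.type == "ingress"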

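# Idempotence: repeating the same request must report no change and return
# the same rule attributes, so no duplicate rule is created.
- name: test present firewall rule ingress 80 idempotence
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule ingress 80 idempotence
  assert:
    that:
    - fw is success
    - fw is not changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "tcp"
    - fw.start_port == 80
    - fw.end_port == 80
    - fw.type == "ingress"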

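# Check mode (dry run): the module must report that it would create the
# UDP 5300-5333 ingress rule restricted to the given source cidr.
- name: test present firewall rule ingress 5300 in check mode
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  check_mode: true
- name: verify results of present firewall rule ingress 5300 in check mode
  assert:
    that:
    - fw is success
    - fw is changed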

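# Create a UDP port-range ingress rule with an explicit source cidr. The
# asserts check that the cidr, protocol and both range ends are returned
# exactly as requested, not widened to the defaults.
- name: test present firewall rule ingress 5300
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule ingress 5300
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "1.2.3.4/24"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "udp"
    - fw.start_port == 5300
    - fw.end_port == 5333
    - fw.type == "ingress"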

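# Idempotence: repeating the UDP 5300-5333 request must report no change and
# return the same rule attributes.
- name: test present firewall rule ingress 5300 idempotence
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule ingress 5300 idempotence
  assert:
    that:
    - fw is success
    - fw is not changed
    - fw.cidr == "1.2.3.4/24"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "udp"
    - fw.start_port == 5300
    - fw.end_port == 5333
    - fw.type == "ingress"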

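# Check mode (dry run): the module must report that it would create the
# allow-all egress rule on the test network.
- name: test present firewall rule egress all in check mode
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  check_mode: true
- name: verify results of present firewall rule egress all in check mode
  assert:
    that:
    - fw is success
    - fw is changed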

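# Create an egress rule for all protocols on the test network.
# Security note: with no cidr given the rule comes back as 0.0.0.0/0, i.e.
# outbound traffic is unrestricted. That suits a test fixture; production
# networks usually want egress narrowed to the protocols and ranges needed.
- name: test present firewall rule egress all
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule egress all
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.network == cs_firewall_network
    - fw.protocol == "all"
    - fw.type == "egress"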

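# Idempotence: repeating the allow-all egress request must report no change
# and return the same rule attributes.
- name: test present firewall rule egress all idempotence
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of present firewall rule egress all idempotence
  assert:
    that:
    - fw is success
    - fw is not changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.network == cs_firewall_network
    - fw.protocol == "all"
    - fw.type == "egress"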

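# Check mode (dry run) for removal: the module must report a pending change
# and return the attributes of the rule it would delete.
- name: test absent firewall rule ingress 80 in check mode
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
  check_mode: true
- name: verify results of absent firewall rule ingress 80 in check mode
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "tcp"
    - fw.start_port == 80
    - fw.end_port == 80
    - fw.type == "ingress"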

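# Remove the port 80 ingress rule. The result still carries the deleted
# rule's attributes, so the asserts confirm that the intended rule (and not
# some other rule on the same IP) was the one removed.
- name: test absent firewall rule ingress 80
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify results of absent firewall rule ingress 80
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "tcp"
    - fw.start_port == 80
    - fw.end_port == 80
    - fw.type == "ingress"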

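# Idempotence: removing an already-removed rule must succeed without
# reporting a change.
- name: test absent firewall rule ingress 80 idempotence
  cs_firewall:
    port: 80
    ip_address: "{{ cs_firewall_ip_address }}"
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify results of absent firewall rule ingress 80 idempotence
  assert:
    that:
    - fw is success
    - fw is not changed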

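# Check mode (dry run) for removal of the UDP 5300-5333 rule: the module must
# report a pending change and return the attributes of the rule it would
# delete.
- name: test absent firewall rule ingress 5300 in check mode
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
  check_mode: true
- name: verify results of absent firewall rule ingress 5300 in check mode
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "1.2.3.4/24"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "udp"
    - fw.start_port == 5300
    - fw.end_port == 5333
    - fw.type == "ingress"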

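# Remove the UDP 5300-5333 ingress rule. The asserts check the returned
# attributes to confirm that exactly this rule was deleted.
- name: test absent firewall rule ingress 5300
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify results of absent firewall rule ingress 5300
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "1.2.3.4/24"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.ip_address == cs_firewall_ip_address
    - fw.protocol == "udp"
    - fw.start_port == 5300
    - fw.end_port == 5333
    - fw.type == "ingress"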

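# Idempotence: removing the already-removed UDP 5300-5333 rule must succeed
# without reporting a change.
- name: test absent firewall rule ingress 5300 idempotence
  cs_firewall:
    ip_address: "{{ cs_firewall_ip_address }}"
    protocol: udp
    start_port: 5300
    end_port: 5333
    cidr: 1.2.3.4/24
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify results of absent firewall rule ingress 5300 idempotence
  assert:
    that:
    - fw is success
    - fw is not changed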

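# Check mode (dry run) for removal of the allow-all egress rule: the module
# must report a pending change and return the attributes of the rule it would
# delete.
- name: test absent firewall rule egress all in check mode
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    state: absent
    zone: "{{ cs_common_zone_adv }}"
  register: fw
  check_mode: true
- name: verify results of absent firewall rule egress all in check mode
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.network == cs_firewall_network
    - fw.protocol == "all"
    - fw.type == "egress"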

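# Remove the allow-all egress rule from the test network. The asserts check
# the returned attributes to confirm that exactly this rule was deleted.
- name: test absent firewall rule egress all
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    state: absent
    zone: "{{ cs_common_zone_adv }}"
  register: fw
- name: verify results of absent firewall rule egress all
  assert:
    that:
    - fw is success
    - fw is changed
    - fw.cidr == "0.0.0.0/0"
    # Bare variable instead of "{{ ... }}": conditions are already templated.
    - fw.network == cs_firewall_network
    - fw.protocol == "all"
    - fw.type == "egress"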

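# Idempotence: removing the already-removed egress rule must succeed without
# reporting a change.
- name: test absent firewall rule egress all idempotence
  cs_firewall:
    network: "{{ cs_firewall_network }}"
    protocol: all
    type: egress
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: fw
- name: verify results of absent firewall rule egress all idempotence
  assert:
    that:
    - fw is success
    - fw is not changed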

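# Teardown: delete the test network created at the start of the file.
# NOTE(review): the public IP acquired earlier is never released explicitly,
# and this task is skipped when an earlier assert aborts the play. Presumably
# the address is freed together with its network; confirm, or add an explicit
# release step, so failed runs do not leave addresses allocated.
- name: network cleanup
  cs_network:
    name: "{{ cs_firewall_network }}"
    zone: "{{ cs_common_zone_adv }}"
    state: absent
  register: net
- name: verify network cleanup
  assert:
    that:
    - net is success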