diff --git a/plugins/modules/gcp_compute_firewall.py b/plugins/modules/gcp_compute_firewall.py index ccecb4b..f2eab7c 100644 --- a/plugins/modules/gcp_compute_firewall.py +++ b/plugins/modules/gcp_compute_firewall.py @@ -47,7 +47,50 @@ requirements: - requests >= 2.18.4 - google-auth >= 1.3.0 options: - state: + state: + description: + - Whether the given object should exist in GCP + choices: ['present', 'absent'] + default: 'present' + allowed: + description: + - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a permitted connection. + required: false + suboptions: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + required: true + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + required: false + denied: + description: + - The list of DENY rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a denied connection. + required: false + version_added: 2.7 + suboptions: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + required: true + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + required: false description: - Whether the given object should exist in GCP choices: @@ -62,12 +105,54 @@ options: suboptions: ip_protocol: description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol - number. + - An optional description of this resource. Provide this property when you create + the resource. + required: false + destination_ranges: + description: + - If destination ranges are specified, the firewall will apply only to traffic that + has destination IP address in these ranges. These ranges must be expressed in CIDR + format. Only IPv4 is supported. + required: false + version_added: 2.7 + direction: + description: + - 'Direction of traffic to which this firewall applies; default is INGRESS. Note: + For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS + traffic, it is NOT supported to specify sourceRanges OR sourceTags.' + required: false + version_added: 2.7 + choices: ['INGRESS', 'EGRESS'] + name: + description: + - Name of the resource. Provided by the client when the resource is created. The name + must be 1-63 characters long, and comply with RFC1035. Specifically, the name must + be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` + which means the first character must be a lowercase letter, and all following characters + must be a dash, lowercase letter, or digit, except the last character, which cannot + be a dash. required: true - ports: + network: + description: + - 'URL of the network resource for this firewall rule. If not specified when creating + a firewall rule, the default network is used: global/networks/default If you choose to + specify this property, you can specify the network as a full or partial URL. For + example, the following are all valid URLs: + U(https://www.googleapis.com/compute/v1/projects/myproject/global/) + networks/my-network projects/myproject/global/networks/my-network + global/networks/default .' + required: true + priority: + description: + - Priority for this rule. This is an integer between 0 and 65535, both inclusive. + When not specified, the value assumed is 1000. Relative priorities determine precedence + of conflicting rules. Lower value of priority implies higher precedence (eg, a rule + with priority 0 has higher precedence than a rule with priority 1). DENY rules take + precedence over ALLOW rules having equal priority. + required: false + default: 1000 + version_added: 2.7 + source_ranges: description: - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer @@ -75,21 +160,40 @@ options: port. - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' required: false - denied: - description: - - The list of DENY rules specified by this firewall. Each rule specifies a protocol - and port-range tuple that describes a denied connection. - required: false - version_added: 2.8 - suboptions: - ip_protocol: + source_service_accounts: description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol - number. - required: true - ports: + - If source service accounts are specified, the firewall will apply only to traffic + originating from an instance with a service account in this list. Source service + accounts cannot be used to control traffic to an instance's external IP address + because service accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the firewall + will apply to traffic that has source IP address within sourceRanges OR the source + IP belongs to an instance with service account listed in sourceServiceAccount. The + connection does not need to match both properties for the firewall to apply. sourceServiceAccounts + cannot be used at the same time as sourceTags or targetTags. + required: false + version_added: 2.7 + source_tags: + description: + - If source tags are specified, the firewall will apply only to traffic with source + IP that belongs to a tag listed in source tags. Source tags cannot be used to control + traffic to an instance's external IP address. Because tags are associated with an + instance, not an IP address. One or both of sourceRanges and sourceTags may be set. + If both properties are set, the firewall will apply to traffic that has source IP + address within sourceRanges OR the source IP that belongs to a tag listed in the + sourceTags property. The connection does not need to match both properties for the + firewall to apply. + required: false + target_service_accounts: + description: + - A list of service accounts indicating sets of instances located in the network that + may make network connections as specified in allowed[]. + - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. + If neither targetServiceAccounts nor targetTags are specified, the firewall rule + applies to all instances on the specified network. + required: false + version_added: 2.7 + target_tags: description: - An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer @@ -146,9 +250,10 @@ options: networks/my-network projects/myproject/global/networks/my-network global/networks/default .' - 'This field represents a link to a Network resource in GCP. It can be specified - in two ways. First, you can place in the selfLink of the resource here as a - string Alternatively, you can add `register: name-of-resource` to a gcp_compute_network - task and then set this network field to "{{ name-of-resource }}"' + in two ways. First, you can place a dictionary with key ''selfLink'' and value + of your resource''s selfLink Alternatively, you can add `register: name-of-resource` + to a gcp_compute_network task and then set this network field to "{{ name-of-resource + }}"' required: false default: selfLink: global/networks/default @@ -214,196 +319,186 @@ options: required: false extends_documentation_fragment: gcp notes: -- 'API Reference: U(https://cloud.google.com/compute/docs/reference/latest/firewalls)' -- 'Official Documentation: U(https://cloud.google.com/vpc/docs/firewalls)' + - "API Reference: U(https://cloud.google.com/compute/docs/reference/latest/firewalls)" + - "Official Documentation: U(https://cloud.google.com/vpc/docs/firewalls)" ''' EXAMPLES = ''' - name: create a firewall gcp_compute_firewall: - name: "test_object" - allowed: - - ip_protocol: tcp - ports: - - '22' - target_tags: - - test-ssh-server - - staging-ssh-server - source_tags: - - test-ssh-clients - project: "test_project" - auth_kind: "serviceaccount" - service_account_file: "/tmp/auth.pem" - state: present + name: test_object + allowed: + - ip_protocol: tcp + ports: + - '22' + target_tags: + - test-ssh-server + - staging-ssh-server + source_tags: + - test-ssh-clients + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: present ''' RETURN = ''' -allowed: - description: - - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol - and port-range tuple that describes a permitted connection. - returned: success - type: complex - contains: - ip_protocol: - description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol - number. - returned: success - type: str - ports: - description: - - An optional list of ports to which this rule applies. This field is only applicable - for UDP or TCP protocol. Each entry must be either an integer or a range. - If not specified, this rule applies to connections through any port. - - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' - returned: success - type: list -creationTimestamp: - description: - - Creation timestamp in RFC3339 text format. - returned: success - type: str -denied: - description: - - The list of DENY rules specified by this firewall. Each rule specifies a protocol - and port-range tuple that describes a denied connection. - returned: success - type: complex - contains: - ip_protocol: - description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol - number. - returned: success - type: str - ports: - description: - - An optional list of ports to which this rule applies. This field is only applicable - for UDP or TCP protocol. Each entry must be either an integer or a range. - If not specified, this rule applies to connections through any port. - - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' - returned: success - type: list -description: - description: - - An optional description of this resource. Provide this property when you create - the resource. - returned: success - type: str -destinationRanges: - description: - - If destination ranges are specified, the firewall will apply only to traffic that - has destination IP address in these ranges. These ranges must be expressed in - CIDR format. Only IPv4 is supported. - returned: success - type: list -direction: - description: - - 'Direction of traffic to which this firewall applies; default is INGRESS. Note: - For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS - traffic, it is NOT supported to specify sourceRanges OR sourceTags.' - returned: success - type: str -disabled: - description: - - Denotes whether the firewall rule is disabled, i.e not applied to the network - it is associated with. When set to true, the firewall rule is not enforced and - the network behaves as if it did not exist. If this is unspecified, the firewall - rule will be enabled. - returned: success - type: bool -id: - description: - - The unique identifier for the resource. - returned: success - type: int -name: - description: - - Name of the resource. Provided by the client when the resource is created. The - name must be 1-63 characters long, and comply with RFC1035. Specifically, the - name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` - which means the first character must be a lowercase letter, and all following - characters must be a dash, lowercase letter, or digit, except the last character, - which cannot be a dash. - returned: success - type: str -network: - description: - - 'URL of the network resource for this firewall rule. If not specified when creating - a firewall rule, the default network is used: global/networks/default If you choose - to specify this property, you can specify the network as a full or partial URL. - For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/) - networks/my-network projects/myproject/global/networks/my-network global/networks/default - .' - returned: success - type: str -priority: - description: - - Priority for this rule. This is an integer between 0 and 65535, both inclusive. - When not specified, the value assumed is 1000. Relative priorities determine precedence - of conflicting rules. Lower value of priority implies higher precedence (eg, a - rule with priority 0 has higher precedence than a rule with priority 1). DENY - rules take precedence over ALLOW rules having equal priority. - returned: success - type: int -sourceRanges: - description: - - If source ranges are specified, the firewall will apply only to traffic that has - source IP address in these ranges. These ranges must be expressed in CIDR format. - One or both of sourceRanges and sourceTags may be set. If both properties are - set, the firewall will apply to traffic that has source IP address within sourceRanges - OR the source IP that belongs to a tag listed in the sourceTags property. The - connection does not need to match both properties for the firewall to apply. Only - IPv4 is supported. - returned: success - type: list -sourceServiceAccounts: - description: - - If source service accounts are specified, the firewall will apply only to traffic - originating from an instance with a service account in this list. Source service - accounts cannot be used to control traffic to an instance's external IP address - because service accounts are associated with an instance, not an IP address. sourceRanges - can be set at the same time as sourceServiceAccounts. If both are set, the firewall - will apply to traffic that has source IP address within sourceRanges OR the source - IP belongs to an instance with service account listed in sourceServiceAccount. - The connection does not need to match both properties for the firewall to apply. - sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. - returned: success - type: list -sourceTags: - description: - - If source tags are specified, the firewall will apply only to traffic with source - IP that belongs to a tag listed in source tags. Source tags cannot be used to - control traffic to an instance's external IP address. Because tags are associated - with an instance, not an IP address. One or both of sourceRanges and sourceTags - may be set. If both properties are set, the firewall will apply to traffic that - has source IP address within sourceRanges OR the source IP that belongs to a tag - listed in the sourceTags property. The connection does not need to match both - properties for the firewall to apply. - returned: success - type: list -targetServiceAccounts: - description: - - A list of service accounts indicating sets of instances located in the network - that may make network connections as specified in allowed[]. - - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. - If neither targetServiceAccounts nor targetTags are specified, the firewall rule - applies to all instances on the specified network. - returned: success - type: list -targetTags: - description: - - A list of instance tags indicating sets of instances located in the network that - may make network connections as specified in allowed[]. - - If no targetTags are specified, the firewall rule applies to all instances on - the specified network. - returned: success - type: list + allowed: + description: + - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a permitted connection. + returned: success + type: complex + contains: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + returned: success + type: str + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + returned: success + type: list + creation_timestamp: + description: + - Creation timestamp in RFC3339 text format. + returned: success + type: str + denied: + description: + - The list of DENY rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a denied connection. + returned: success + type: complex + contains: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + returned: success + type: str + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + returned: success + type: list + description: + description: + - An optional description of this resource. Provide this property when you create + the resource. + returned: success + type: str + destination_ranges: + description: + - If destination ranges are specified, the firewall will apply only to traffic that + has destination IP address in these ranges. These ranges must be expressed in CIDR + format. Only IPv4 is supported. + returned: success + type: list + direction: + description: + - 'Direction of traffic to which this firewall applies; default is INGRESS. Note: + For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS + traffic, it is NOT supported to specify sourceRanges OR sourceTags.' + returned: success + type: str + id: + description: + - The unique identifier for the resource. + returned: success + type: int + name: + description: + - Name of the resource. Provided by the client when the resource is created. The name + must be 1-63 characters long, and comply with RFC1035. Specifically, the name must + be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` + which means the first character must be a lowercase letter, and all following characters + must be a dash, lowercase letter, or digit, except the last character, which cannot + be a dash. + returned: success + type: str + network: + description: + - 'URL of the network resource for this firewall rule. If not specified when creating + a firewall rule, the default network is used: global/networks/default If you choose to + specify this property, you can specify the network as a full or partial URL. For + example, the following are all valid URLs: + U(https://www.googleapis.com/compute/v1/projects/myproject/global/) + networks/my-network projects/myproject/global/networks/my-network + global/networks/default .' + returned: success + type: dict + priority: + description: + - Priority for this rule. This is an integer between 0 and 65535, both inclusive. + When not specified, the value assumed is 1000. Relative priorities determine precedence + of conflicting rules. Lower value of priority implies higher precedence (eg, a rule + with priority 0 has higher precedence than a rule with priority 1). DENY rules take + precedence over ALLOW rules having equal priority. + returned: success + type: int + source_ranges: + description: + - If source ranges are specified, the firewall will apply only to traffic that has + source IP address in these ranges. These ranges must be expressed in CIDR format. + One or both of sourceRanges and sourceTags may be set. If both properties are set, + the firewall will apply to traffic that has source IP address within sourceRanges + OR the source IP that belongs to a tag listed in the sourceTags property. The connection + does not need to match both properties for the firewall to apply. Only IPv4 is supported. + returned: success + type: list + source_service_accounts: + description: + - If source service accounts are specified, the firewall will apply only to traffic + originating from an instance with a service account in this list. Source service + accounts cannot be used to control traffic to an instance's external IP address + because service accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the firewall + will apply to traffic that has source IP address within sourceRanges OR the source + IP belongs to an instance with service account listed in sourceServiceAccount. The + connection does not need to match both properties for the firewall to apply. sourceServiceAccounts + cannot be used at the same time as sourceTags or targetTags. + returned: success + type: list + source_tags: + description: + - If source tags are specified, the firewall will apply only to traffic with source + IP that belongs to a tag listed in source tags. Source tags cannot be used to control + traffic to an instance's external IP address. Because tags are associated with an + instance, not an IP address. One or both of sourceRanges and sourceTags may be set. + If both properties are set, the firewall will apply to traffic that has source IP + address within sourceRanges OR the source IP that belongs to a tag listed in the + sourceTags property. The connection does not need to match both properties for the + firewall to apply. + returned: success + type: list + target_service_accounts: + description: + - A list of service accounts indicating sets of instances located in the network that + may make network connections as specified in allowed[]. + - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. + If neither targetServiceAccounts nor targetTags are specified, the firewall rule + applies to all instances on the specified network. + returned: success + type: list + target_tags: + description: + - A list of instance tags indicating sets of instances located in the network that + may make network connections as specified in allowed[]. + - If no targetTags are specified, the firewall rule applies to all instances on the + specified network. + returned: success + type: list ''' ################################################################################ @@ -426,30 +521,26 @@ def main(): module = GcpModule( argument_spec=dict( state=dict(default='present', choices=['present', 'absent'], type='str'), - allowed=dict(type='list', elements='dict', options=dict(ip_protocol=dict(required=True, type='str'), ports=dict(type='list', elements='str'))), - denied=dict(type='list', elements='dict', options=dict(ip_protocol=dict(required=True, type='str'), ports=dict(type='list', elements='str'))), + allowed=dict(type='list', elements='dict', options=dict( + ip_protocol=dict(required=True, type='str'), + ports=dict(type='list', elements='str') + )), + denied=dict(type='list', elements='dict', options=dict( + ip_protocol=dict(required=True, type='str'), + ports=dict(type='list', elements='str') + )), description=dict(type='str'), destination_ranges=dict(type='list', elements='str'), direction=dict(type='str', choices=['INGRESS', 'EGRESS']), - disabled=dict(type='bool'), name=dict(required=True, type='str'), - network=dict(default=dict(selfLink='global/networks/default')), + network=dict(required=True, type='dict'), priority=dict(default=1000, type='int'), source_ranges=dict(type='list', elements='str'), source_service_accounts=dict(type='list', elements='str'), source_tags=dict(type='list', elements='str'), target_service_accounts=dict(type='list', elements='str'), - target_tags=dict(type='list', elements='str'), - ), - mutually_exclusive=[ - ['allowed', 'denied'], - ['destination_ranges', 'source_ranges', 'source_tags'], - ['destination_ranges', 'source_ranges'], - ['source_service_accounts', 'source_tags', 'target_tags'], - ['destination_ranges', 'source_service_accounts', 'source_tags', 'target_service_accounts'], - ['source_tags', 'target_service_accounts', 'target_tags'], - ['source_service_accounts', 'target_service_accounts', 'target_tags'], - ], + target_tags=dict(type='list', elements='str') + ) ) if not module.params['scopes']: @@ -506,7 +597,6 @@ def resource_to_request(module): u'description': module.params.get('description'), u'destinationRanges': module.params.get('destination_ranges'), u'direction': module.params.get('direction'), - u'disabled': module.params.get('disabled'), u'name': module.params.get('name'), u'network': replace_resource_dict(module.params.get(u'network', {}), 'selfLink'), u'priority': module.params.get('priority'), @@ -514,7 +604,7 @@ def resource_to_request(module): u'sourceServiceAccounts': module.params.get('source_service_accounts'), u'sourceTags': module.params.get('source_tags'), u'targetServiceAccounts': module.params.get('target_service_accounts'), - u'targetTags': module.params.get('target_tags'), + u'targetTags': module.params.get('target_tags') } request = encode_request(request, module) return_vals = {} @@ -587,7 +677,6 @@ def response_to_hash(module, response): u'description': response.get(u'description'), u'destinationRanges': response.get(u'destinationRanges'), u'direction': response.get(u'direction'), - u'disabled': response.get(u'disabled'), u'id': response.get(u'id'), u'name': module.params.get('name'), u'network': response.get(u'network'), @@ -596,7 +685,7 @@ def response_to_hash(module, response): u'sourceServiceAccounts': response.get(u'sourceServiceAccounts'), u'sourceTags': response.get(u'sourceTags'), u'targetServiceAccounts': response.get(u'targetServiceAccounts'), - u'targetTags': response.get(u'targetTags'), + u'targetTags': response.get(u'targetTags') } @@ -699,5 +788,38 @@ class FirewallDeniedArray(object): return remove_nones_from_dict({u'IPProtocol': item.get(u'IPProtocol'), u'ports': item.get(u'ports')}) +class FirewallDeniedArray(object): + def __init__(self, request, module): + self.module = module + if request: + self.request = request + else: + self.request = [] + + def to_request(self): + items = [] + for item in self.request: + items.append(self._request_for_item(item)) + return items + + def from_response(self): + items = [] + for item in self.request: + items.append(self._response_from_item(item)) + return items + + def _request_for_item(self, item): + return remove_nones_from_dict({ + u'IPProtocol': item.get('ip_protocol'), + u'ports': item.get('ports') + }) + + def _response_from_item(self, item): + return remove_nones_from_dict({ + u'IPProtocol': item.get(u'ip_protocol'), + u'ports': item.get(u'ports') + }) + + if __name__ == '__main__': main() diff --git a/plugins/modules/gcp_compute_firewall_facts.py b/plugins/modules/gcp_compute_firewall_facts.py index 782236e..c483e23 100644 --- a/plugins/modules/gcp_compute_firewall_facts.py +++ b/plugins/modules/gcp_compute_firewall_facts.py @@ -49,190 +49,178 @@ extends_documentation_fragment: gcp ''' EXAMPLES = ''' -- name: a firewall facts +- name: " a firewall facts" gcp_compute_firewall_facts: - filters: - - name = test_object - project: test_project - auth_kind: serviceaccount - service_account_file: "/tmp/auth.pem" + filters: + - name = test_object + project: test_project + auth_kind: serviceaccount + service_account_file: "/tmp/auth.pem" + state: facts ''' RETURN = ''' items: - description: List of items - returned: always - type: complex - contains: - allowed: - description: - - The list of ALLOW rules specified by this firewall. Each rule specifies a - protocol and port-range tuple that describes a permitted connection. - returned: success - type: complex - contains: - ip_protocol: - description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP - protocol number. - returned: success - type: str - ports: - description: - - An optional list of ports to which this rule applies. This field is only - applicable for UDP or TCP protocol. Each entry must be either an integer - or a range. If not specified, this rule applies to connections through - any port. - - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' - returned: success - type: list - creationTimestamp: - description: - - Creation timestamp in RFC3339 text format. - returned: success - type: str - denied: - description: - - The list of DENY rules specified by this firewall. Each rule specifies a protocol - and port-range tuple that describes a denied connection. - returned: success - type: complex - contains: - ip_protocol: - description: - - The IP protocol to which this rule applies. The protocol type is required - when creating a firewall rule. This value can either be one of the following - well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP - protocol number. - returned: success - type: str - ports: - description: - - An optional list of ports to which this rule applies. This field is only - applicable for UDP or TCP protocol. Each entry must be either an integer - or a range. If not specified, this rule applies to connections through - any port. - - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' - returned: success - type: list - description: - description: - - An optional description of this resource. Provide this property when you create - the resource. - returned: success - type: str - destinationRanges: - description: - - If destination ranges are specified, the firewall will apply only to traffic - that has destination IP address in these ranges. These ranges must be expressed - in CIDR format. Only IPv4 is supported. - returned: success - type: list - direction: - description: - - 'Direction of traffic to which this firewall applies; default is INGRESS. - Note: For INGRESS traffic, it is NOT supported to specify destinationRanges; - For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags.' - returned: success - type: str - disabled: - description: - - Denotes whether the firewall rule is disabled, i.e not applied to the network - it is associated with. When set to true, the firewall rule is not enforced - and the network behaves as if it did not exist. If this is unspecified, the - firewall rule will be enabled. - returned: success - type: bool - id: - description: - - The unique identifier for the resource. - returned: success - type: int - name: - description: - - Name of the resource. Provided by the client when the resource is created. - The name must be 1-63 characters long, and comply with RFC1035. Specifically, - the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` - which means the first character must be a lowercase letter, and all following - characters must be a dash, lowercase letter, or digit, except the last character, - which cannot be a dash. - returned: success - type: str - network: - description: - - 'URL of the network resource for this firewall rule. If not specified when - creating a firewall rule, the default network is used: global/networks/default - If you choose to specify this property, you can specify the network as a full - or partial URL. For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/) - networks/my-network projects/myproject/global/networks/my-network global/networks/default - .' - returned: success - type: str - priority: - description: - - Priority for this rule. This is an integer between 0 and 65535, both inclusive. - When not specified, the value assumed is 1000. Relative priorities determine - precedence of conflicting rules. Lower value of priority implies higher precedence - (eg, a rule with priority 0 has higher precedence than a rule with priority - 1). DENY rules take precedence over ALLOW rules having equal priority. - returned: success - type: int - sourceRanges: - description: - - If source ranges are specified, the firewall will apply only to traffic that - has source IP address in these ranges. These ranges must be expressed in CIDR - format. One or both of sourceRanges and sourceTags may be set. If both properties - are set, the firewall will apply to traffic that has source IP address within - sourceRanges OR the source IP that belongs to a tag listed in the sourceTags - property. The connection does not need to match both properties for the firewall - to apply. Only IPv4 is supported. - returned: success - type: list - sourceServiceAccounts: - description: - - If source service accounts are specified, the firewall will apply only to - traffic originating from an instance with a service account in this list. - Source service accounts cannot be used to control traffic to an instance's - external IP address because service accounts are associated with an instance, - not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. - If both are set, the firewall will apply to traffic that has source IP address - within sourceRanges OR the source IP belongs to an instance with service account - listed in sourceServiceAccount. The connection does not need to match both - properties for the firewall to apply. sourceServiceAccounts cannot be used - at the same time as sourceTags or targetTags. - returned: success - type: list - sourceTags: - description: - - If source tags are specified, the firewall will apply only to traffic with - source IP that belongs to a tag listed in source tags. Source tags cannot - be used to control traffic to an instance's external IP address. Because tags - are associated with an instance, not an IP address. One or both of sourceRanges - and sourceTags may be set. If both properties are set, the firewall will apply - to traffic that has source IP address within sourceRanges OR the source IP - that belongs to a tag listed in the sourceTags property. The connection does - not need to match both properties for the firewall to apply. - returned: success - type: list - targetServiceAccounts: - description: - - A list of service accounts indicating sets of instances located in the network - that may make network connections as specified in allowed[]. - - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. - If neither targetServiceAccounts nor targetTags are specified, the firewall - rule applies to all instances on the specified network. - returned: success - type: list - targetTags: - description: - - A list of instance tags indicating sets of instances located in the network - that may make network connections as specified in allowed[]. - - If no targetTags are specified, the firewall rule applies to all instances - on the specified network. - returned: success - type: list + description: List of items + returned: always + type: complex + contains: + allowed: + description: + - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a permitted connection. + returned: success + type: complex + contains: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + returned: success + type: str + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + returned: success + type: list + creation_timestamp: + description: + - Creation timestamp in RFC3339 text format. + returned: success + type: str + denied: + description: + - The list of DENY rules specified by this firewall. Each rule specifies a protocol + and port-range tuple that describes a denied connection. + returned: success + type: complex + contains: + ip_protocol: + description: + - The IP protocol to which this rule applies. The protocol type is required when creating + a firewall rule. This value can either be one of the following well known protocol + strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number. + returned: success + type: str + ports: + description: + - An optional list of ports to which this rule applies. This field is only applicable + for UDP or TCP protocol. Each entry must be either an integer or a range. If not + specified, this rule applies to connections through any port. + - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' + returned: success + type: list + description: + description: + - An optional description of this resource. Provide this property when you create + the resource. + returned: success + type: str + destination_ranges: + description: + - If destination ranges are specified, the firewall will apply only to traffic that + has destination IP address in these ranges. These ranges must be expressed in CIDR + format. Only IPv4 is supported. + returned: success + type: list + direction: + description: + - 'Direction of traffic to which this firewall applies; default is INGRESS. Note: + For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS + traffic, it is NOT supported to specify sourceRanges OR sourceTags.' + returned: success + type: str + id: + description: + - The unique identifier for the resource. + returned: success + type: int + name: + description: + - Name of the resource. Provided by the client when the resource is created. The name + must be 1-63 characters long, and comply with RFC1035. Specifically, the name must + be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` + which means the first character must be a lowercase letter, and all following characters + must be a dash, lowercase letter, or digit, except the last character, which cannot + be a dash. + returned: success + type: str + network: + description: + - 'URL of the network resource for this firewall rule. If not specified when + creating a firewall rule, the default network is used: global/networks/default If + you choose to specify this property, you can specify the network as a full or + partial URL. For example, the following are all valid URLs: + U(https://www.googleapis.com/compute/v1/projects/myproject/global/) + networks/my-network projects/myproject/global/networks/my-network + global/networks/default .' + returned: success + type: dict + priority: + description: + - Priority for this rule. This is an integer between 0 and 65535, both inclusive. + When not specified, the value assumed is 1000. Relative priorities determine precedence + of conflicting rules. Lower value of priority implies higher precedence (eg, a rule + with priority 0 has higher precedence than a rule with priority 1). DENY rules take + precedence over ALLOW rules having equal priority. + returned: success + type: int + source_ranges: + description: + - If source ranges are specified, the firewall will apply only to traffic that has + source IP address in these ranges. These ranges must be expressed in CIDR format. + One or both of sourceRanges and sourceTags may be set. If both properties are set, + the firewall will apply to traffic that has source IP address within sourceRanges + OR the source IP that belongs to a tag listed in the sourceTags property. The connection + does not need to match both properties for the firewall to apply. Only IPv4 is supported. + returned: success + type: list + source_service_accounts: + description: + - If source service accounts are specified, the firewall will apply only to traffic + originating from an instance with a service account in this list. Source service + accounts cannot be used to control traffic to an instance's external IP address + because service accounts are associated with an instance, not an IP address. sourceRanges + can be set at the same time as sourceServiceAccounts. If both are set, the firewall + will apply to traffic that has source IP address within sourceRanges OR the source + IP belongs to an instance with service account listed in sourceServiceAccount. The + connection does not need to match both properties for the firewall to apply. sourceServiceAccounts + cannot be used at the same time as sourceTags or targetTags. + returned: success + type: list + source_tags: + description: + - If source tags are specified, the firewall will apply only to traffic with source + IP that belongs to a tag listed in source tags. Source tags cannot be used to control + traffic to an instance's external IP address. Because tags are associated with an + instance, not an IP address. One or both of sourceRanges and sourceTags may be set. + If both properties are set, the firewall will apply to traffic that has source IP + address within sourceRanges OR the source IP that belongs to a tag listed in the + sourceTags property. The connection does not need to match both properties for the + firewall to apply. + returned: success + type: list + target_service_accounts: + description: + - A list of service accounts indicating sets of instances located in the network that + may make network connections as specified in allowed[]. + - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. + If neither targetServiceAccounts nor targetTags are specified, the firewall rule + applies to all instances on the specified network. + returned: success + type: list + target_tags: + description: + - A list of instance tags indicating sets of instances located in the network that + may make network connections as specified in allowed[]. + - If no targetTags are specified, the firewall rule applies to all instances on the + specified network. + returned: success + type: list ''' ################################################################################ @@ -257,7 +245,7 @@ def main(): items = items.get('items') else: items = [] - return_value = {'items': items} + return_value = {'resources': items} module.exit_json(**return_value)