ansible-collections/google.cloud
1
0
Fork 0
mirror of https://github.com/ansible-collections/google.cloud.git synced 2025-04-09 04:10:27 -07:00
Code Issues Projects Releases Packages Wiki Activity Actions 1

Add a few new fields to firewalls, and use PATCH instead of PUT for updates, because it supports updating more fields.

Browse source
This commit is contained in:
Dana Hoffman 2018-08-20 21:21:35 +00:00 committed by Alex Stephen
parent 2837b2f836
commit 4b78ed9b8f
2 changed files with 514 additions and 404 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

570
plugins/modules/gcp_compute_firewall.py
View file

@ -47,7 +47,50 @@ requirements:
- requests >= 2.18.4 - requests >= 2.18.4
- google-auth >= 1.3.0 - google-auth >= 1.3.0
options: options:
state: state:
description:
- Whether the given object should exist in GCP
choices: ['present', 'absent']
default: 'present'
allowed:
description:
- The list of ALLOW rules specified by this firewall. Each rule specifies a protocol
and port-range tuple that describes a permitted connection.
required: false
suboptions:
ip_protocol:
description:
- The IP protocol to which this rule applies. The protocol type is required when creating
a firewall rule. This value can either be one of the following well known protocol
strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
required: true
ports:
description:
- An optional list of ports to which this rule applies. This field is only applicable
for UDP or TCP protocol. Each entry must be either an integer or a range. If not
specified, this rule applies to connections through any port.
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
required: false
denied:
description:
- The list of DENY rules specified by this firewall. Each rule specifies a protocol
and port-range tuple that describes a denied connection.
required: false
version_added: 2.7
suboptions:
ip_protocol:
description:
- The IP protocol to which this rule applies. The protocol type is required when creating
a firewall rule. This value can either be one of the following well known protocol
strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
required: true
ports:
description:
- An optional list of ports to which this rule applies. This field is only applicable
for UDP or TCP protocol. Each entry must be either an integer or a range. If not
specified, this rule applies to connections through any port.
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
required: false
description: description:
- Whether the given object should exist in GCP - Whether the given object should exist in GCP
choices: choices:
@ -62,12 +105,54 @@ options:
suboptions: suboptions:
ip_protocol: ip_protocol:
description: description:
- The IP protocol to which this rule applies. The protocol type is required - An optional description of this resource. Provide this property when you create
when creating a firewall rule. This value can either be one of the following the resource.
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol required: false
number. destination_ranges:
description:
- If destination ranges are specified, the firewall will apply only to traffic that
has destination IP address in these ranges. These ranges must be expressed in CIDR
format. Only IPv4 is supported.
required: false
version_added: 2.7
direction:
description:
- 'Direction of traffic to which this firewall applies; default is INGRESS. Note:
For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS
traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
required: false
version_added: 2.7
choices: ['INGRESS', 'EGRESS']
name:
description:
- Name of the resource. Provided by the client when the resource is created. The name
must be 1-63 characters long, and comply with RFC1035. Specifically, the name must
be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`
which means the first character must be a lowercase letter, and all following characters
must be a dash, lowercase letter, or digit, except the last character, which cannot
be a dash.
required: true required: true
ports: network:
description:
- 'URL of the network resource for this firewall rule. If not specified when creating
a firewall rule, the default network is used: global/networks/default If you choose to
specify this property, you can specify the network as a full or partial URL. For
example, the following are all valid URLs:
U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
networks/my-network projects/myproject/global/networks/my-network
global/networks/default .'
required: true
priority:
description:
- Priority for this rule. This is an integer between 0 and 65535, both inclusive.
When not specified, the value assumed is 1000. Relative priorities determine precedence
of conflicting rules. Lower value of priority implies higher precedence (eg, a rule
with priority 0 has higher precedence than a rule with priority 1). DENY rules take
precedence over ALLOW rules having equal priority.
required: false
default: 1000
version_added: 2.7
source_ranges:
description: description:
- An optional list of ports to which this rule applies. This field is only - An optional list of ports to which this rule applies. This field is only
applicable for UDP or TCP protocol. Each entry must be either an integer applicable for UDP or TCP protocol. Each entry must be either an integer
@ -75,21 +160,40 @@ options:
port. port.
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
required: false required: false
denied: source_service_accounts:
description:
- The list of DENY rules specified by this firewall. Each rule specifies a protocol
and port-range tuple that describes a denied connection.
required: false
version_added: 2.8
suboptions:
ip_protocol:
description: description:
- The IP protocol to which this rule applies. The protocol type is required - If source service accounts are specified, the firewall will apply only to traffic
when creating a firewall rule. This value can either be one of the following originating from an instance with a service account in this list. Source service
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol accounts cannot be used to control traffic to an instance's external IP address
number. because service accounts are associated with an instance, not an IP address. sourceRanges
required: true can be set at the same time as sourceServiceAccounts. If both are set, the firewall
ports: will apply to traffic that has source IP address within sourceRanges OR the source
IP belongs to an instance with service account listed in sourceServiceAccount. The
connection does not need to match both properties for the firewall to apply. sourceServiceAccounts
cannot be used at the same time as sourceTags or targetTags.
required: false
version_added: 2.7
source_tags:
description:
- If source tags are specified, the firewall will apply only to traffic with source
IP that belongs to a tag listed in source tags. Source tags cannot be used to control
traffic to an instance's external IP address. Because tags are associated with an
instance, not an IP address. One or both of sourceRanges and sourceTags may be set.
If both properties are set, the firewall will apply to traffic that has source IP
address within sourceRanges OR the source IP that belongs to a tag listed in the
sourceTags property. The connection does not need to match both properties for the
firewall to apply.
required: false
target_service_accounts:
description:
- A list of service accounts indicating sets of instances located in the network that
may make network connections as specified in allowed[].
- targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
If neither targetServiceAccounts nor targetTags are specified, the firewall rule
applies to all instances on the specified network.
required: false
version_added: 2.7
target_tags:
description: description:
- An optional list of ports to which this rule applies. This field is only - An optional list of ports to which this rule applies. This field is only
applicable for UDP or TCP protocol. Each entry must be either an integer applicable for UDP or TCP protocol. Each entry must be either an integer
@ -146,9 +250,10 @@ options:
networks/my-network projects/myproject/global/networks/my-network global/networks/default networks/my-network projects/myproject/global/networks/my-network global/networks/default
.' .'
- 'This field represents a link to a Network resource in GCP. It can be specified - 'This field represents a link to a Network resource in GCP. It can be specified
in two ways. First, you can place in the selfLink of the resource here as a in two ways. First, you can place a dictionary with key ''selfLink'' and value
string Alternatively, you can add `register: name-of-resource` to a gcp_compute_network of your resource''s selfLink Alternatively, you can add `register: name-of-resource`
task and then set this network field to "{{ name-of-resource }}"' to a gcp_compute_network task and then set this network field to "{{ name-of-resource
}}"'
required: false required: false
default: default:
selfLink: global/networks/default selfLink: global/networks/default
@ -214,196 +319,186 @@ options:
required: false required: false
extends_documentation_fragment: gcp extends_documentation_fragment: gcp
notes: notes:
- 'API Reference: U(https://cloud.google.com/compute/docs/reference/latest/firewalls)' - "API Reference: U(https://cloud.google.com/compute/docs/reference/latest/firewalls)"
- 'Official Documentation: U(https://cloud.google.com/vpc/docs/firewalls)' - "Official Documentation: U(https://cloud.google.com/vpc/docs/firewalls)"
''' '''
EXAMPLES = ''' EXAMPLES = '''
- name: create a firewall - name: create a firewall
gcp_compute_firewall: gcp_compute_firewall:
name: "test_object" name: test_object
allowed: allowed:
- ip_protocol: tcp - ip_protocol: tcp
ports: ports:
- '22' - '22'
target_tags: target_tags:
- test-ssh-server - test-ssh-server
- staging-ssh-server - staging-ssh-server
source_tags: source_tags:
- test-ssh-clients - test-ssh-clients
project: "test_project" project: test_project
auth_kind: "serviceaccount" auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem" service_account_file: "/tmp/auth.pem"
state: present state: present
''' '''
RETURN = ''' RETURN = '''
allowed: allowed:
description: description:
- The list of ALLOW rules specified by this firewall. Each rule specifies a protocol - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol
and port-range tuple that describes a permitted connection. and port-range tuple that describes a permitted connection.
returned: success returned: success
type: complex type: complex
contains: contains:
ip_protocol: ip_protocol:
description: description:
- The IP protocol to which this rule applies. The protocol type is required - The IP protocol to which this rule applies. The protocol type is required when creating
when creating a firewall rule. This value can either be one of the following a firewall rule. This value can either be one of the following well known protocol
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
number. returned: success
returned: success type: str
type: str ports:
ports: description:
description: - An optional list of ports to which this rule applies. This field is only applicable
- An optional list of ports to which this rule applies. This field is only applicable for UDP or TCP protocol. Each entry must be either an integer or a range. If not
for UDP or TCP protocol. Each entry must be either an integer or a range. specified, this rule applies to connections through any port.
If not specified, this rule applies to connections through any port. - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' returned: success
returned: success type: list
type: list creation_timestamp:
creationTimestamp: description:
description: - Creation timestamp in RFC3339 text format.
- Creation timestamp in RFC3339 text format. returned: success
returned: success type: str
type: str denied:
denied: description:
description: - The list of DENY rules specified by this firewall. Each rule specifies a protocol
- The list of DENY rules specified by this firewall. Each rule specifies a protocol and port-range tuple that describes a denied connection.
and port-range tuple that describes a denied connection. returned: success
returned: success type: complex
type: complex contains:
contains: ip_protocol:
ip_protocol: description:
description: - The IP protocol to which this rule applies. The protocol type is required when creating
- The IP protocol to which this rule applies. The protocol type is required a firewall rule. This value can either be one of the following well known protocol
when creating a firewall rule. This value can either be one of the following strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol returned: success
number. type: str
returned: success ports:
type: str description:
ports: - An optional list of ports to which this rule applies. This field is only applicable
description: for UDP or TCP protocol. Each entry must be either an integer or a range. If not
- An optional list of ports to which this rule applies. This field is only applicable specified, this rule applies to connections through any port.
for UDP or TCP protocol. Each entry must be either an integer or a range. - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
If not specified, this rule applies to connections through any port. returned: success
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' type: list
returned: success description:
type: list description:
description: - An optional description of this resource. Provide this property when you create
description: the resource.
- An optional description of this resource. Provide this property when you create returned: success
the resource. type: str
returned: success destination_ranges:
type: str description:
destinationRanges: - If destination ranges are specified, the firewall will apply only to traffic that
description: has destination IP address in these ranges. These ranges must be expressed in CIDR
- If destination ranges are specified, the firewall will apply only to traffic that format. Only IPv4 is supported.
has destination IP address in these ranges. These ranges must be expressed in returned: success
CIDR format. Only IPv4 is supported. type: list
returned: success direction:
type: list description:
direction: - 'Direction of traffic to which this firewall applies; default is INGRESS. Note:
description: For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS
- 'Direction of traffic to which this firewall applies; default is INGRESS. Note: traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS returned: success
traffic, it is NOT supported to specify sourceRanges OR sourceTags.' type: str
returned: success id:
type: str description:
disabled: - The unique identifier for the resource.
description: returned: success
- Denotes whether the firewall rule is disabled, i.e not applied to the network type: int
it is associated with. When set to true, the firewall rule is not enforced and name:
the network behaves as if it did not exist. If this is unspecified, the firewall description:
rule will be enabled. - Name of the resource. Provided by the client when the resource is created. The name
returned: success must be 1-63 characters long, and comply with RFC1035. Specifically, the name must
type: bool be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`
id: which means the first character must be a lowercase letter, and all following characters
description: must be a dash, lowercase letter, or digit, except the last character, which cannot
- The unique identifier for the resource. be a dash.
returned: success returned: success
type: int type: str
name: network:
description: description:
- Name of the resource. Provided by the client when the resource is created. The - 'URL of the network resource for this firewall rule. If not specified when creating
name must be 1-63 characters long, and comply with RFC1035. Specifically, the a firewall rule, the default network is used: global/networks/default If you choose to
name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` specify this property, you can specify the network as a full or partial URL. For
which means the first character must be a lowercase letter, and all following example, the following are all valid URLs:
characters must be a dash, lowercase letter, or digit, except the last character, U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
which cannot be a dash. networks/my-network projects/myproject/global/networks/my-network
returned: success global/networks/default .'
type: str returned: success
network: type: dict
description: priority:
- 'URL of the network resource for this firewall rule. If not specified when creating description:
a firewall rule, the default network is used: global/networks/default If you choose - Priority for this rule. This is an integer between 0 and 65535, both inclusive.
to specify this property, you can specify the network as a full or partial URL. When not specified, the value assumed is 1000. Relative priorities determine precedence
For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/) of conflicting rules. Lower value of priority implies higher precedence (eg, a rule
networks/my-network projects/myproject/global/networks/my-network global/networks/default with priority 0 has higher precedence than a rule with priority 1). DENY rules take
.' precedence over ALLOW rules having equal priority.
returned: success returned: success
type: str type: int
priority: source_ranges:
description: description:
- Priority for this rule. This is an integer between 0 and 65535, both inclusive. - If source ranges are specified, the firewall will apply only to traffic that has
When not specified, the value assumed is 1000. Relative priorities determine precedence source IP address in these ranges. These ranges must be expressed in CIDR format.
of conflicting rules. Lower value of priority implies higher precedence (eg, a One or both of sourceRanges and sourceTags may be set. If both properties are set,
rule with priority 0 has higher precedence than a rule with priority 1). DENY the firewall will apply to traffic that has source IP address within sourceRanges
rules take precedence over ALLOW rules having equal priority. OR the source IP that belongs to a tag listed in the sourceTags property. The connection
returned: success does not need to match both properties for the firewall to apply. Only IPv4 is supported.
type: int returned: success
sourceRanges: type: list
description: source_service_accounts:
- If source ranges are specified, the firewall will apply only to traffic that has description:
source IP address in these ranges. These ranges must be expressed in CIDR format. - If source service accounts are specified, the firewall will apply only to traffic
One or both of sourceRanges and sourceTags may be set. If both properties are originating from an instance with a service account in this list. Source service
set, the firewall will apply to traffic that has source IP address within sourceRanges accounts cannot be used to control traffic to an instance's external IP address
OR the source IP that belongs to a tag listed in the sourceTags property. The because service accounts are associated with an instance, not an IP address. sourceRanges
connection does not need to match both properties for the firewall to apply. Only can be set at the same time as sourceServiceAccounts. If both are set, the firewall
IPv4 is supported. will apply to traffic that has source IP address within sourceRanges OR the source
returned: success IP belongs to an instance with service account listed in sourceServiceAccount. The
type: list connection does not need to match both properties for the firewall to apply. sourceServiceAccounts
sourceServiceAccounts: cannot be used at the same time as sourceTags or targetTags.
description: returned: success
- If source service accounts are specified, the firewall will apply only to traffic type: list
originating from an instance with a service account in this list. Source service source_tags:
accounts cannot be used to control traffic to an instance's external IP address description:
because service accounts are associated with an instance, not an IP address. sourceRanges - If source tags are specified, the firewall will apply only to traffic with source
can be set at the same time as sourceServiceAccounts. If both are set, the firewall IP that belongs to a tag listed in source tags. Source tags cannot be used to control
will apply to traffic that has source IP address within sourceRanges OR the source traffic to an instance's external IP address. Because tags are associated with an
IP belongs to an instance with service account listed in sourceServiceAccount. instance, not an IP address. One or both of sourceRanges and sourceTags may be set.
The connection does not need to match both properties for the firewall to apply. If both properties are set, the firewall will apply to traffic that has source IP
sourceServiceAccounts cannot be used at the same time as sourceTags or targetTags. address within sourceRanges OR the source IP that belongs to a tag listed in the
returned: success sourceTags property. The connection does not need to match both properties for the
type: list firewall to apply.
sourceTags: returned: success
description: type: list
- If source tags are specified, the firewall will apply only to traffic with source target_service_accounts:
IP that belongs to a tag listed in source tags. Source tags cannot be used to description:
control traffic to an instance's external IP address. Because tags are associated - A list of service accounts indicating sets of instances located in the network that
with an instance, not an IP address. One or both of sourceRanges and sourceTags may make network connections as specified in allowed[].
may be set. If both properties are set, the firewall will apply to traffic that - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
has source IP address within sourceRanges OR the source IP that belongs to a tag If neither targetServiceAccounts nor targetTags are specified, the firewall rule
listed in the sourceTags property. The connection does not need to match both applies to all instances on the specified network.
properties for the firewall to apply. returned: success
returned: success type: list
type: list target_tags:
targetServiceAccounts: description:
description: - A list of instance tags indicating sets of instances located in the network that
- A list of service accounts indicating sets of instances located in the network may make network connections as specified in allowed[].
that may make network connections as specified in allowed[]. - If no targetTags are specified, the firewall rule applies to all instances on the
- targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. specified network.
If neither targetServiceAccounts nor targetTags are specified, the firewall rule returned: success
applies to all instances on the specified network. type: list
returned: success
type: list
targetTags:
description:
- A list of instance tags indicating sets of instances located in the network that
may make network connections as specified in allowed[].
- If no targetTags are specified, the firewall rule applies to all instances on
the specified network.
returned: success
type: list
''' '''
################################################################################ ################################################################################
@ -426,30 +521,26 @@ def main():
module = GcpModule( module = GcpModule(
argument_spec=dict( argument_spec=dict(
state=dict(default='present', choices=['present', 'absent'], type='str'), state=dict(default='present', choices=['present', 'absent'], type='str'),
allowed=dict(type='list', elements='dict', options=dict(ip_protocol=dict(required=True, type='str'), ports=dict(type='list', elements='str'))), allowed=dict(type='list', elements='dict', options=dict(
denied=dict(type='list', elements='dict', options=dict(ip_protocol=dict(required=True, type='str'), ports=dict(type='list', elements='str'))), ip_protocol=dict(required=True, type='str'),
ports=dict(type='list', elements='str')
)),
denied=dict(type='list', elements='dict', options=dict(
ip_protocol=dict(required=True, type='str'),
ports=dict(type='list', elements='str')
)),
description=dict(type='str'), description=dict(type='str'),
destination_ranges=dict(type='list', elements='str'), destination_ranges=dict(type='list', elements='str'),
direction=dict(type='str', choices=['INGRESS', 'EGRESS']), direction=dict(type='str', choices=['INGRESS', 'EGRESS']),
disabled=dict(type='bool'),
name=dict(required=True, type='str'), name=dict(required=True, type='str'),
network=dict(default=dict(selfLink='global/networks/default')), network=dict(required=True, type='dict'),
priority=dict(default=1000, type='int'), priority=dict(default=1000, type='int'),
source_ranges=dict(type='list', elements='str'), source_ranges=dict(type='list', elements='str'),
source_service_accounts=dict(type='list', elements='str'), source_service_accounts=dict(type='list', elements='str'),
source_tags=dict(type='list', elements='str'), source_tags=dict(type='list', elements='str'),
target_service_accounts=dict(type='list', elements='str'), target_service_accounts=dict(type='list', elements='str'),
target_tags=dict(type='list', elements='str'), target_tags=dict(type='list', elements='str')
), )
mutually_exclusive=[
['allowed', 'denied'],
['destination_ranges', 'source_ranges', 'source_tags'],
['destination_ranges', 'source_ranges'],
['source_service_accounts', 'source_tags', 'target_tags'],
['destination_ranges', 'source_service_accounts', 'source_tags', 'target_service_accounts'],
['source_tags', 'target_service_accounts', 'target_tags'],
['source_service_accounts', 'target_service_accounts', 'target_tags'],
],
) )
if not module.params['scopes']: if not module.params['scopes']:
@ -506,7 +597,6 @@ def resource_to_request(module):
u'description': module.params.get('description'), u'description': module.params.get('description'),
u'destinationRanges': module.params.get('destination_ranges'), u'destinationRanges': module.params.get('destination_ranges'),
u'direction': module.params.get('direction'), u'direction': module.params.get('direction'),
u'disabled': module.params.get('disabled'),
u'name': module.params.get('name'), u'name': module.params.get('name'),
u'network': replace_resource_dict(module.params.get(u'network', {}), 'selfLink'), u'network': replace_resource_dict(module.params.get(u'network', {}), 'selfLink'),
u'priority': module.params.get('priority'), u'priority': module.params.get('priority'),
@ -514,7 +604,7 @@ def resource_to_request(module):
u'sourceServiceAccounts': module.params.get('source_service_accounts'), u'sourceServiceAccounts': module.params.get('source_service_accounts'),
u'sourceTags': module.params.get('source_tags'), u'sourceTags': module.params.get('source_tags'),
u'targetServiceAccounts': module.params.get('target_service_accounts'), u'targetServiceAccounts': module.params.get('target_service_accounts'),
u'targetTags': module.params.get('target_tags'), u'targetTags': module.params.get('target_tags')
} }
request = encode_request(request, module) request = encode_request(request, module)
return_vals = {} return_vals = {}
@ -587,7 +677,6 @@ def response_to_hash(module, response):
u'description': response.get(u'description'), u'description': response.get(u'description'),
u'destinationRanges': response.get(u'destinationRanges'), u'destinationRanges': response.get(u'destinationRanges'),
u'direction': response.get(u'direction'), u'direction': response.get(u'direction'),
u'disabled': response.get(u'disabled'),
u'id': response.get(u'id'), u'id': response.get(u'id'),
u'name': module.params.get('name'), u'name': module.params.get('name'),
u'network': response.get(u'network'), u'network': response.get(u'network'),
@ -596,7 +685,7 @@ def response_to_hash(module, response):
u'sourceServiceAccounts': response.get(u'sourceServiceAccounts'), u'sourceServiceAccounts': response.get(u'sourceServiceAccounts'),
u'sourceTags': response.get(u'sourceTags'), u'sourceTags': response.get(u'sourceTags'),
u'targetServiceAccounts': response.get(u'targetServiceAccounts'), u'targetServiceAccounts': response.get(u'targetServiceAccounts'),
u'targetTags': response.get(u'targetTags'), u'targetTags': response.get(u'targetTags')
} }
@ -699,5 +788,38 @@ class FirewallDeniedArray(object):
return remove_nones_from_dict({u'IPProtocol': item.get(u'IPProtocol'), u'ports': item.get(u'ports')}) return remove_nones_from_dict({u'IPProtocol': item.get(u'IPProtocol'), u'ports': item.get(u'ports')})
class FirewallDeniedArray(object):
def __init__(self, request, module):
self.module = module
if request:
self.request = request
else:
self.request = []
def to_request(self):
items = []
for item in self.request:
items.append(self._request_for_item(item))
return items
def from_response(self):
items = []
for item in self.request:
items.append(self._response_from_item(item))
return items
def _request_for_item(self, item):
return remove_nones_from_dict({
u'IPProtocol': item.get('ip_protocol'),
u'ports': item.get('ports')
})
def _response_from_item(self, item):
return remove_nones_from_dict({
u'IPProtocol': item.get(u'ip_protocol'),
u'ports': item.get(u'ports')
})
if __name__ == '__main__': if __name__ == '__main__':
main() main()

348
plugins/modules/gcp_compute_firewall_facts.py
View file

@ -49,190 +49,178 @@ extends_documentation_fragment: gcp
''' '''
EXAMPLES = ''' EXAMPLES = '''
- name: a firewall facts - name: " a firewall facts"
gcp_compute_firewall_facts: gcp_compute_firewall_facts:
filters: filters:
- name = test_object - name = test_object
project: test_project project: test_project
auth_kind: serviceaccount auth_kind: serviceaccount
service_account_file: "/tmp/auth.pem" service_account_file: "/tmp/auth.pem"
state: facts
''' '''
RETURN = ''' RETURN = '''
items: items:
description: List of items description: List of items
returned: always returned: always
type: complex type: complex
contains: contains:
allowed: allowed:
description: description:
- The list of ALLOW rules specified by this firewall. Each rule specifies a - The list of ALLOW rules specified by this firewall. Each rule specifies a protocol
protocol and port-range tuple that describes a permitted connection. and port-range tuple that describes a permitted connection.
returned: success returned: success
type: complex type: complex
contains: contains:
ip_protocol: ip_protocol:
description: description:
- The IP protocol to which this rule applies. The protocol type is required - The IP protocol to which this rule applies. The protocol type is required when creating
when creating a firewall rule. This value can either be one of the following a firewall rule. This value can either be one of the following well known protocol
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
protocol number. returned: success
returned: success type: str
type: str ports:
ports: description:
description: - An optional list of ports to which this rule applies. This field is only applicable
- An optional list of ports to which this rule applies. This field is only for UDP or TCP protocol. Each entry must be either an integer or a range. If not
applicable for UDP or TCP protocol. Each entry must be either an integer specified, this rule applies to connections through any port.
or a range. If not specified, this rule applies to connections through - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
any port. returned: success
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' type: list
returned: success creation_timestamp:
type: list description:
creationTimestamp: - Creation timestamp in RFC3339 text format.
description: returned: success
- Creation timestamp in RFC3339 text format. type: str
returned: success denied:
type: str description:
denied: - The list of DENY rules specified by this firewall. Each rule specifies a protocol
description: and port-range tuple that describes a denied connection.
- The list of DENY rules specified by this firewall. Each rule specifies a protocol returned: success
and port-range tuple that describes a denied connection. type: complex
returned: success contains:
type: complex ip_protocol:
contains: description:
ip_protocol: - The IP protocol to which this rule applies. The protocol type is required when creating
description: a firewall rule. This value can either be one of the following well known protocol
- The IP protocol to which this rule applies. The protocol type is required strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
when creating a firewall rule. This value can either be one of the following returned: success
well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP type: str
protocol number. ports:
returned: success description:
type: str - An optional list of ports to which this rule applies. This field is only applicable
ports: for UDP or TCP protocol. Each entry must be either an integer or a range. If not
description: specified, this rule applies to connections through any port.
- An optional list of ports to which this rule applies. This field is only - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
applicable for UDP or TCP protocol. Each entry must be either an integer returned: success
or a range. If not specified, this rule applies to connections through type: list
any port. description:
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' description:
returned: success - An optional description of this resource. Provide this property when you create
type: list the resource.
description: returned: success
description: type: str
- An optional description of this resource. Provide this property when you create destination_ranges:
the resource. description:
returned: success - If destination ranges are specified, the firewall will apply only to traffic that
type: str has destination IP address in these ranges. These ranges must be expressed in CIDR
destinationRanges: format. Only IPv4 is supported.
description: returned: success
- If destination ranges are specified, the firewall will apply only to traffic type: list
that has destination IP address in these ranges. These ranges must be expressed direction:
in CIDR format. Only IPv4 is supported. description:
returned: success - 'Direction of traffic to which this firewall applies; default is INGRESS. Note:
type: list For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS
direction: traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
description: returned: success
- 'Direction of traffic to which this firewall applies; default is INGRESS. type: str
Note: For INGRESS traffic, it is NOT supported to specify destinationRanges; id:
For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags.' description:
returned: success - The unique identifier for the resource.
type: str returned: success
disabled: type: int
description: name:
- Denotes whether the firewall rule is disabled, i.e not applied to the network description:
it is associated with. When set to true, the firewall rule is not enforced - Name of the resource. Provided by the client when the resource is created. The name
and the network behaves as if it did not exist. If this is unspecified, the must be 1-63 characters long, and comply with RFC1035. Specifically, the name must
firewall rule will be enabled. be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`
returned: success which means the first character must be a lowercase letter, and all following characters
type: bool must be a dash, lowercase letter, or digit, except the last character, which cannot
id: be a dash.
description: returned: success
- The unique identifier for the resource. type: str
returned: success network:
type: int description:
name: - 'URL of the network resource for this firewall rule. If not specified when
description: creating a firewall rule, the default network is used: global/networks/default If
- Name of the resource. Provided by the client when the resource is created. you choose to specify this property, you can specify the network as a full or
The name must be 1-63 characters long, and comply with RFC1035. Specifically, partial URL. For example, the following are all valid URLs:
the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
which means the first character must be a lowercase letter, and all following networks/my-network projects/myproject/global/networks/my-network
characters must be a dash, lowercase letter, or digit, except the last character, global/networks/default .'
which cannot be a dash. returned: success
returned: success type: dict
type: str priority:
network: description:
description: - Priority for this rule. This is an integer between 0 and 65535, both inclusive.
- 'URL of the network resource for this firewall rule. If not specified when When not specified, the value assumed is 1000. Relative priorities determine precedence
creating a firewall rule, the default network is used: global/networks/default of conflicting rules. Lower value of priority implies higher precedence (eg, a rule
If you choose to specify this property, you can specify the network as a full with priority 0 has higher precedence than a rule with priority 1). DENY rules take
or partial URL. For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/) precedence over ALLOW rules having equal priority.
networks/my-network projects/myproject/global/networks/my-network global/networks/default returned: success
.' type: int
returned: success source_ranges:
type: str description:
priority: - If source ranges are specified, the firewall will apply only to traffic that has
description: source IP address in these ranges. These ranges must be expressed in CIDR format.
- Priority for this rule. This is an integer between 0 and 65535, both inclusive. One or both of sourceRanges and sourceTags may be set. If both properties are set,
When not specified, the value assumed is 1000. Relative priorities determine the firewall will apply to traffic that has source IP address within sourceRanges
precedence of conflicting rules. Lower value of priority implies higher precedence OR the source IP that belongs to a tag listed in the sourceTags property. The connection
(eg, a rule with priority 0 has higher precedence than a rule with priority does not need to match both properties for the firewall to apply. Only IPv4 is supported.
1). DENY rules take precedence over ALLOW rules having equal priority. returned: success
returned: success type: list
type: int source_service_accounts:
sourceRanges: description:
description: - If source service accounts are specified, the firewall will apply only to traffic
- If source ranges are specified, the firewall will apply only to traffic that originating from an instance with a service account in this list. Source service
has source IP address in these ranges. These ranges must be expressed in CIDR accounts cannot be used to control traffic to an instance's external IP address
format. One or both of sourceRanges and sourceTags may be set. If both properties because service accounts are associated with an instance, not an IP address. sourceRanges
are set, the firewall will apply to traffic that has source IP address within can be set at the same time as sourceServiceAccounts. If both are set, the firewall
sourceRanges OR the source IP that belongs to a tag listed in the sourceTags will apply to traffic that has source IP address within sourceRanges OR the source
property. The connection does not need to match both properties for the firewall IP belongs to an instance with service account listed in sourceServiceAccount. The
to apply. Only IPv4 is supported. connection does not need to match both properties for the firewall to apply. sourceServiceAccounts
returned: success cannot be used at the same time as sourceTags or targetTags.
type: list returned: success
sourceServiceAccounts: type: list
description: source_tags:
- If source service accounts are specified, the firewall will apply only to description:
traffic originating from an instance with a service account in this list. - If source tags are specified, the firewall will apply only to traffic with source
Source service accounts cannot be used to control traffic to an instance's IP that belongs to a tag listed in source tags. Source tags cannot be used to control
external IP address because service accounts are associated with an instance, traffic to an instance's external IP address. Because tags are associated with an
not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. instance, not an IP address. One or both of sourceRanges and sourceTags may be set.
If both are set, the firewall will apply to traffic that has source IP address If both properties are set, the firewall will apply to traffic that has source IP
within sourceRanges OR the source IP belongs to an instance with service account address within sourceRanges OR the source IP that belongs to a tag listed in the
listed in sourceServiceAccount. The connection does not need to match both sourceTags property. The connection does not need to match both properties for the
properties for the firewall to apply. sourceServiceAccounts cannot be used firewall to apply.
at the same time as sourceTags or targetTags. returned: success
returned: success type: list
type: list target_service_accounts:
sourceTags: description:
description: - A list of service accounts indicating sets of instances located in the network that
- If source tags are specified, the firewall will apply only to traffic with may make network connections as specified in allowed[].
source IP that belongs to a tag listed in source tags. Source tags cannot - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
be used to control traffic to an instance's external IP address. Because tags If neither targetServiceAccounts nor targetTags are specified, the firewall rule
are associated with an instance, not an IP address. One or both of sourceRanges applies to all instances on the specified network.
and sourceTags may be set. If both properties are set, the firewall will apply returned: success
to traffic that has source IP address within sourceRanges OR the source IP type: list
that belongs to a tag listed in the sourceTags property. The connection does target_tags:
not need to match both properties for the firewall to apply. description:
returned: success - A list of instance tags indicating sets of instances located in the network that
type: list may make network connections as specified in allowed[].
targetServiceAccounts: - If no targetTags are specified, the firewall rule applies to all instances on the
description: specified network.
- A list of service accounts indicating sets of instances located in the network returned: success
that may make network connections as specified in allowed[]. type: list
- targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
If neither targetServiceAccounts nor targetTags are specified, the firewall
rule applies to all instances on the specified network.
returned: success
type: list
targetTags:
description:
- A list of instance tags indicating sets of instances located in the network
that may make network connections as specified in allowed[].
- If no targetTags are specified, the firewall rule applies to all instances
on the specified network.
returned: success
type: list
''' '''
################################################################################ ################################################################################
@ -257,7 +245,7 @@ def main():
items = items.get('items') items = items.get('items')
else: else:
items = [] items = []
return_value = {'items': items} return_value = {'resources': items}
module.exit_json(**return_value) module.exit_json(**return_value)