diff options
8 files changed, 116 insertions, 285 deletions
diff --git a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py index e58593f..5c37741 100644 --- a/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py +++ b/plugins/module_utils/network/vyos/config/firewall_rules/firewall_rules.py @@ -235,28 +235,11 @@ class Firewall_rules(ConfigBase): have, rs["name"], "r_list" ) if h: - w_rules = rs.get("rules") or [] - h_rules = h.get("rules") or [] - if w_rules and h_rules: - for rule in w_rules: - if self.search_r_sets_in_have( - h_rules, rule["number"], "rules" - ): - commands.append( - self._add_r_base_attrib( - w["afi"], - rs["name"], - "number", - rule, - opr=False, - ) - ) - else: - commands.append( - self._compute_command( - w["afi"], h["name"], remove=True - ) + commands.append( + self._compute_command( + w["afi"], h["name"], remove=True ) + ) elif have: for h in have: if h["afi"] == w["afi"]: diff --git a/plugins/modules/vyos_firewall_rules.py b/plugins/modules/vyos_firewall_rules.py index a9e676b..9c2e832 100644 --- a/plugins/modules/vyos_firewall_rules.py +++ b/plugins/modules/vyos_firewall_rules.py @@ -37,8 +37,9 @@ ANSIBLE_METADATA = { } DOCUMENTATION = """module: vyos_firewall_rules -short_description: Manage firewall rule-set attributes on VyOS devices +short_description: Firewall rules resource module description: This module manages firewall rule-set attributes on VyOS devices +version_added: "1.0.0" notes: - Tested against VyOS 1.1.8 (helium). - This module works with connection C(network_cli). See L(the VyOS OS Platform Options,../network/user_guide/platform_vyos.html). @@ -397,13 +398,12 @@ options: type: str running_config: description: - - The module, by default, will connect to the remote device and retrieve the current - running-config to use as a base for comparing against the contents of source. - There are times when it is not desirable to have the task get the current running-config - for every task in a playbook. The I(running_config) argument allows the implementer - to pass in the configuration to use as the base config for comparison. This - value of this option should be the output received from device by executing - command C(show configuration commands | grep 'firewall' + - This option is used only with state I(parsed). + - The value of this option should be the output received from the VyOS device by executing + the command B(show configuration commands | grep firewall). + - The state I(parsed) reads the configuration from C(running_config) option and transforms + it into Ansible structured data as per the resource module's argspec and the value is then + returned in the I(parsed) key within the result. type: str state: description: @@ -437,7 +437,7 @@ EXAMPLES = """ # set firewall name Downlink rule 502 ipsec 'match-ipsec' # - name: Delete attributes of given firewall rules. - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - afi: ipv4 rule_sets: @@ -486,12 +486,22 @@ EXAMPLES = """ # set firewall group address-group 'inbound' -# Using deleted to delete all the the firewall rules when provided config is empty +# Using deleted to delete firewall rules based on afi # # Before state # ------------- # # vyos@vyos:~$ show configuration commands| grep firewall +# set firewall ipv6-name UPLINK default-action 'accept' +# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' +# set firewall ipv6-name UPLINK rule 1 action 'accept' +# set firewall ipv6-name UPLINK rule 1 +# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' +# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' +# set firewall ipv6-name UPLINK rule 2 action 'accept' +# set firewall ipv6-name UPLINK rule 2 +# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' +# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' # set firewall group address-group 'inbound' # set firewall name Downlink default-action 'accept' # set firewall name Downlink description 'IPv4 INBOUND rule set' @@ -501,10 +511,12 @@ EXAMPLES = """ # set firewall name Downlink rule 502 action 'reject' # set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' # set firewall name Downlink rule 502 ipsec 'match-ipsec' + # - name: Delete attributes of given firewall rules. - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: + - afi: ipv4 state: deleted # # @@ -514,69 +526,29 @@ EXAMPLES = """ # # "before": [ # { -# "afi": "ipv4", +# "afi": "ipv6", # "rule_sets": [ # { # "default_action": "accept", -# "description": "IPv4 INBOUND rule set", -# "name": "Downlink", +# "description": "This is ipv6 specific rule-set", +# "name": "UPLINK", # "rules": [ # { # "action": "accept", -# "description": "Rule 501 is configured by Ansible", +# "description": "Fwipv6-Rule 1 is configured by Ansible", # "ipsec": "match-ipsec", -# "number": 501 +# "number": 1 # }, # { -# "action": "reject", -# "description": "Rule 502 is configured by Ansible", +# "action": "accept", +# "description": "Fwipv6-Rule 2 is configured by Ansible", # "ipsec": "match-ipsec", -# "number": 502 +# "number": 2 # } # ] -# } +# } # ] -# } -# ] -# "commands": [ -# "delete firewall name" -# ] -# -# "after": [] -# After state -# ------------ -# vyos@vyos# run show configuration commands | grep firewall -# set firewall group address-group 'inbound' - - -# Using deleted to delete the the firewall rules based on afi -# -# Before state -# ------------- -# -# vyos@vyos:~$ show configuration commands| grep firewall -# set firewall group address-group 'inbound' -# set firewall name Downlink default-action 'accept' -# set firewall name Downlink description 'IPv4 INBOUND rule set' -# set firewall name Downlink rule 501 action 'accept' -# set firewall name Downlink rule 501 description 'Rule 501 is configured by Ansible' -# set firewall name Downlink rule 501 ipsec 'match-ipsec' -# set firewall name Downlink rule 502 action 'reject' -# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' -# set firewall name Downlink rule 502 ipsec 'match-ipsec' -# -- name: Delete attributes of given firewall rules. - vyos_firewall_rules: - config: - - afi: ipv4 - state: deleted -# -# -# ------------------------ -# Module Execution Results -# ------------------------ -# -# "before": [ +# }, # { # "afi": "ipv4", # "rule_sets": [ @@ -603,18 +575,26 @@ EXAMPLES = """ # } # ] # "commands": [ -# "delete firewall name", +# "delete firewall name" # ] # # "after": [] # After state # ------------ -# vyos@vyos# run show configuration commands | grep firewall -# set firewall group address-group 'inbound' - +# vyos@vyos:~$ show configuration commands| grep firewall +# set firewall ipv6-name UPLINK default-action 'accept' +# set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' +# set firewall ipv6-name UPLINK rule 1 action 'accept' +# set firewall ipv6-name UPLINK rule 1 +# set firewall ipv6-name UPLINK rule 1 description 'Fwipv6-Rule 1 is configured by Ansible' +# set firewall ipv6-name UPLINK rule 1 ipsec 'match-ipsec' +# set firewall ipv6-name UPLINK rule 2 action 'accept' +# set firewall ipv6-name UPLINK rule 2 +# set firewall ipv6-name UPLINK rule 2 description 'Fwipv6-Rule 2 is configured by Ansible' +# set firewall ipv6-name UPLINK rule 2 ipsec 'match-ipsec' -# Using deleted to delete the the firewall rules based on rule number/id +# Using deleted to delete all the the firewall rules when provided config is empty # # Before state # ------------- @@ -631,13 +611,8 @@ EXAMPLES = """ # set firewall name Downlink rule 502 ipsec 'match-ipsec' # - name: Delete attributes of given firewall rules. - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - - afi: ipv4 - rule_sets: - - name: 'Downlink' - rules: - - number: 501 state: deleted # # @@ -672,38 +647,14 @@ EXAMPLES = """ # } # ] # "commands": [ -# "delete firewall ipv6-name Downlink rule 501" +# "delete firewall name" # ] # -# "after": [ -# { -# "afi": "ipv4", -# "rule_sets": [ -# { -# "default_action": "accept", -# "description": "IPv4 INBOUND rule set", -# "name": "Downlink", -# "rules": [ -# { -# "action": "reject", -# "description": "Rule 502 is configured by Ansible", -# "ipsec": "match-ipsec", -# "number": 502 -# } -# ] -# } -# ] -# } -# ] +# "after": [] # After state # ------------ -# vyos@vyos:~$ show configuration commands| grep firewall +# vyos@vyos# run show configuration commands | grep firewall # set firewall group address-group 'inbound' -# set firewall name Downlink default-action 'accept' -# set firewall name Downlink description 'IPv4 INBOUND rule set' -# set firewall name Downlink rule 502 action 'reject' -# set firewall name Downlink rule 502 description 'Rule 502 is configured by Ansible' -# set firewall name Downlink rule 502 ipsec 'match-ipsec' # Using merged @@ -715,7 +666,7 @@ EXAMPLES = """ # set firewall group address-group 'inbound' # - name: Merge the provided configuration with the exisiting running configuration - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - afi: 'ipv6' rule_sets: @@ -934,7 +885,7 @@ EXAMPLES = """ # set firewall name INBOUND rule 103 state related 'enable' # - name: Replace device configurations of listed firewall rules with provided configurations - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - afi: 'ipv6' rule_sets: @@ -1116,7 +1067,7 @@ EXAMPLES = """ # set firewall name INBOUND rule 104 ipsec 'match-none' # - name: Overrides all device configuration with provided configuration - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - afi: 'ipv4' rule_sets: @@ -1267,7 +1218,7 @@ EXAMPLES = """ # set firewall name INBOUND rule 103 state related 'enable' # - name: Gather listed firewall rules with provided configurations - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: state: gathered # @@ -1382,7 +1333,7 @@ EXAMPLES = """ # # - name: Render the commands for provided configuration - vyos_firewall_rules: + vyos.vyos.vyos_firewall_rules: config: - afi: 'ipv6' rule_sets: @@ -1452,8 +1403,8 @@ EXAMPLES = """ # Using parsed # # -- name: Render the commands for provided configuration - vyos_firewall_rules: +- name: Parsed the provided input commands. + vyos.vyos.vyos_firewall_rules: running_config: "set firewall group address-group 'inbound' set firewall name Downlink default-action 'accept' @@ -1546,6 +1497,7 @@ def main(): required_if = [ ("state", "merged", ("config",)), ("state", "replaced", ("config",)), + ("state", "rendered", ("config",)), ("state", "overridden", ("config",)), ("state", "parsed", ("running_config",)), ] diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml index 7acfe65..67bfd3c 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted.yaml @@ -11,15 +11,11 @@ register: result vyos.vyos.vyos_firewall_rules: &id001 config: - - afi: ipv6 rule_sets: - - name: UPLINK - - afi: ipv4 rule_sets: - - name: INBOUND state: deleted diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml deleted file mode 100644 index d77e2a9..0000000 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/deleted_rule.yaml +++ /dev/null @@ -1,58 +0,0 @@ ---- -- debug: - msg: Start vyos_firewall_rules deleted integration tests ansible_connection={{ - ansible_connection }} - -- include_tasks: _populate.yaml - -- block: - - - name: Delete firewall rule. - register: result - vyos.vyos.vyos_firewall_rules: &id001 - config: - - - afi: ipv6 - rule_sets: - - - name: UPLINK - rules: - - - number: 1 - state: deleted - - - name: Assert that the before dicts were correctly generated - assert: - that: - - "{{ populate | symmetric_difference(result['before']) |length == 0 }}" - - - name: Assert that the correct set of commands were generated - assert: - that: - - "{{ deleted_r['commands'] | symmetric_difference(result['commands'])\ - \ |length == 0 }}" - - - name: Assert that the after dicts were correctly generated - assert: - that: - - "{{ deleted_r['after'] | symmetric_difference(result['after']) |length\ - \ == 0 }}" - - - name: Delete attributes of given interfaces (IDEMPOTENT) - register: result - vyos.vyos.vyos_firewall_rules: *id001 - - - name: Assert that the previous task was idempotent - assert: - that: - - result.changed == false - - result.commands|length == 0 - - - name: Assert that the before dicts were correctly generated - assert: - that: - - "{{ deleted_r['after'] | symmetric_difference(result['before']) |length\ - \ == 0 }}" - always: - - - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml index cdc8e51..59c81aa 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/gathered.yaml @@ -9,9 +9,9 @@ - block: - - name: Merge the provided configuration with the exisiting running configuration + - name: Gather the provided configuration with the exisiting running configuration register: result - vyos.vyos.vyos_firewall_rules: &id001 + vyos.vyos.vyos_firewall_rules: config: state: gathered @@ -21,14 +21,6 @@ - "{{ populate | symmetric_difference(result['gathered']) |length == 0\ \ }}" - - name: Gather the existing running configuration (IDEMPOTENT) - register: result - vyos.vyos.vyos_firewall_rules: *id001 - - - name: Assert that the previous task was idempotent - assert: - that: - - result['changed'] == false always: - include_tasks: _remove_config.yaml diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml index a793ac5..bc95524 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/parsed.yaml @@ -3,39 +3,14 @@ msg: START vyos_firewall_rules parsed integration tests on connection={{ ansible_connection }} -- include_tasks: _remove_config.yaml - -- include_tasks: _populate.yaml - -- block: - - - name: Gather firewall_rules facts - register: firewall_rules_facts - vyos.vyos.vyos_facts: - gather_subset: - - default - gather_network_resources: - - firewall_rules - - - name: Provide the running configuration for parsing (config to be parsed) - register: result - vyos.vyos.vyos_firewall_rules: &id001 - running_config: "{{ lookup('file', '_parsed_config.cfg') }}" - state: parsed - - - name: Assert that correct parsing done - assert: - that: "{{ ansible_facts['network_resources']['firewall_rules'] | symmetric_difference(result['parsed'])\ - \ |length == 0 }}" - - - name: Gather the existing running configuration (IDEMPOTENT) - register: result - vyos.vyos.vyos_firewall_rules: *id001 - - - name: Assert that the previous task was idempotent - assert: - that: - - result['changed'] == false - always: - - - include_tasks: _remove_config.yaml +- name: Parse externally provided Firewall rules config to agnostic model + register: result + vyos.vyos.vyos_firewall_rules: + running_config: "{{ lookup('file', '_parsed_config.cfg') }}" + state: parsed + +- name: Assert that config was correctly parsed + assert: + that: + - "{{ parsed['after'] | symmetric_difference(result['parsed']) |length ==\ + \ 0 }}" diff --git a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml index f000998..6670fd7 100644 --- a/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml +++ b/tests/integration/targets/vyos_firewall_rules/tests/cli/rendered.yaml @@ -5,13 +5,11 @@ - include_tasks: _remove_config.yaml -- include_tasks: _populate.yaml - - block: - name: Structure provided configuration into device specific commands register: result - vyos.vyos.vyos_firewall_rules: &id001 + vyos.vyos.vyos_firewall_rules: config: - afi: ipv6 @@ -60,14 +58,5 @@ - "{{ rendered['commands'] | symmetric_difference(result['rendered'])\ \ |length == 0 }}" - - name: Structure provided configuration into device specific commands (IDEMPOTENT) - register: result - vyos.vyos.vyos_firewall_rules: *id001 - - - name: Assert that the previous task was idempotent - assert: - that: - - result['changed'] == false - always: - - - include_tasks: _remove_config.yaml +- debug: + msg: END vyos_firewall_rules rendered integration tests on connection={{ ansible_connection }} diff --git a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml index c15a101..88323ba 100644 --- a/tests/integration/targets/vyos_firewall_rules/vars/main.yaml +++ b/tests/integration/targets/vyos_firewall_rules/vars/main.yaml @@ -196,42 +196,7 @@ overridden: action: reject description: Rule 502 is configured by Ansible ipsec: match-ipsec -rendered: - commands: - - set firewall ipv6-name UPLINK default-action 'accept' - - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' - - set firewall name INBOUND default-action 'accept' - - set firewall name INBOUND description 'IPv4 INBOUND rule set' - - set firewall name INBOUND rule 101 action 'accept' - - set firewall name INBOUND rule 101 - - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' - - set firewall name INBOUND rule 101 ipsec 'match-ipsec' - - set firewall name INBOUND rule 102 action 'reject' - - set firewall name INBOUND rule 102 - - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' - - set firewall name INBOUND rule 102 ipsec 'match-ipsec' - - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' - - set firewall name INBOUND rule 103 destination group address-group inbound - - set firewall name INBOUND rule 103 - - set firewall name INBOUND rule 103 source address 192.0.2.0 - - set firewall name INBOUND rule 103 state established enable - - set firewall name INBOUND rule 103 state related enable - - set firewall name INBOUND rule 103 state invalid disable - - set firewall name INBOUND rule 103 state new disable - - set firewall name INBOUND rule 103 action 'accept' -deleted_rs: - commands: - - delete firewall ipv6-name UPLINK - - delete firewall name INBOUND - after: [] -deleted_afi_all: - commands: - - delete firewall ipv6-name - - delete firewall name - after: [] -deleted_r: - commands: - - delete firewall ipv6-name UPLINK rule 1 +parsed: after: - afi: ipv6 rule_sets: @@ -239,6 +204,10 @@ deleted_r: description: This is ipv6 specific rule-set default_action: accept rules: + - number: 1 + action: accept + description: Fwipv6-Rule 1 is configured by Ansible + ipsec: match-ipsec - number: 2 action: accept description: Fwipv6-Rule 2 is configured by Ansible @@ -270,6 +239,39 @@ deleted_r: new: false invalid: false related: true +rendered: + commands: + - set firewall ipv6-name UPLINK default-action 'accept' + - set firewall ipv6-name UPLINK description 'This is ipv6 specific rule-set' + - set firewall name INBOUND default-action 'accept' + - set firewall name INBOUND description 'IPv4 INBOUND rule set' + - set firewall name INBOUND rule 101 action 'accept' + - set firewall name INBOUND rule 101 + - set firewall name INBOUND rule 101 description 'Rule 101 is configured by Ansible' + - set firewall name INBOUND rule 101 ipsec 'match-ipsec' + - set firewall name INBOUND rule 102 action 'reject' + - set firewall name INBOUND rule 102 + - set firewall name INBOUND rule 102 description 'Rule 102 is configured by Ansible' + - set firewall name INBOUND rule 102 ipsec 'match-ipsec' + - set firewall name INBOUND rule 103 description 'Rule 103 is configured by Ansible' + - set firewall name INBOUND rule 103 destination group address-group inbound + - set firewall name INBOUND rule 103 + - set firewall name INBOUND rule 103 source address 192.0.2.0 + - set firewall name INBOUND rule 103 state established enable + - set firewall name INBOUND rule 103 state related enable + - set firewall name INBOUND rule 103 state invalid disable + - set firewall name INBOUND rule 103 state new disable + - set firewall name INBOUND rule 103 action 'accept' +deleted_rs: + commands: + - delete firewall ipv6-name UPLINK + - delete firewall name INBOUND + after: [] +deleted_afi_all: + commands: + - delete firewall ipv6-name + - delete firewall name + after: [] round_trip: after: - afi: ipv6 |