[cloud] Add ipv6 support to ec2_vpc_nacl_facts (#30581)
* wrap boto3 connection in try/except and handle exception, add traceback import * params dont need to be mutually exclusive and support check mode * add check to set nacl_ids to empty list instead of None for boto3 func * standard exception handling using traceback * update current RETURN documentation which is incorrect. * update logic to check for and return ipv6 cidr instead of ipv4 cidr in a NACL * ignore default and reserved rule numbers - greater than 32766 * was breaking on non-standard protocol numbers - AWS nacls now support full list -1 to 254 * update port range and icmp type/code handling * add some more detail to returned nacl entries * Update exception handling to account for BotoCoreError Remove exception handling from the boto connection creation since it does nothing * rules numbers from 32767 to 65535 are reserved for internal AWS use so we ignore here
This commit is contained in:
parent
dca5d9bbd4
commit
56da2c13d6
1 changed files with 54 additions and 28 deletions
|
@ -60,7 +60,7 @@ EXAMPLES = '''
|
||||||
'''
|
'''
|
||||||
|
|
||||||
RETURN = '''
|
RETURN = '''
|
||||||
nacl:
|
nacls:
|
||||||
description: Returns an array of complex objects as described below.
|
description: Returns an array of complex objects as described below.
|
||||||
returned: success
|
returned: success
|
||||||
type: complex
|
type: complex
|
||||||
|
@ -86,20 +86,29 @@ nacl:
|
||||||
returned: always
|
returned: always
|
||||||
type: list of string
|
type: list of string
|
||||||
ingress:
|
ingress:
|
||||||
description: A list of NACL ingress rules.
|
description:
|
||||||
|
- A list of NACL ingress rules with the following format.
|
||||||
|
- [rule no, protocol, allow/deny, v4 or v6 cidr, icmp_type, icmp_code, port from, port to]
|
||||||
returned: always
|
returned: always
|
||||||
type: list of list
|
type: list of list
|
||||||
|
sample: [[100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]]
|
||||||
egress:
|
egress:
|
||||||
description: A list of NACL egress rules.
|
description:
|
||||||
|
- A list of NACL egress rules with the following format.
|
||||||
|
- [rule no, protocol, allow/deny, v4 or v6 cidr, icmp_type, icmp_code, port from, port to]
|
||||||
returned: always
|
returned: always
|
||||||
type: list of list
|
type: list of list
|
||||||
|
sample: [[100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]]
|
||||||
'''
|
'''
|
||||||
|
|
||||||
|
import traceback
|
||||||
|
|
||||||
try:
|
try:
|
||||||
from botocore.exceptions import ClientError, NoCredentialsError
|
from botocore.exceptions import ClientError, BotoCoreError
|
||||||
except ImportError:
|
except ImportError:
|
||||||
pass # caught by imported HAS_BOTO3
|
pass # caught by imported HAS_BOTO3
|
||||||
|
|
||||||
|
from ansible.module_utils._text import to_native
|
||||||
from ansible.module_utils.basic import AnsibleModule
|
from ansible.module_utils.basic import AnsibleModule
|
||||||
from ansible.module_utils.ec2 import (ec2_argument_spec, boto3_conn, get_aws_connection_info,
|
from ansible.module_utils.ec2 import (ec2_argument_spec, boto3_conn, get_aws_connection_info,
|
||||||
ansible_dict_to_boto3_filter_list, HAS_BOTO3,
|
ansible_dict_to_boto3_filter_list, HAS_BOTO3,
|
||||||
|
@ -116,10 +125,17 @@ def list_ec2_vpc_nacls(connection, module):
|
||||||
nacl_ids = module.params.get("nacl_ids")
|
nacl_ids = module.params.get("nacl_ids")
|
||||||
filters = ansible_dict_to_boto3_filter_list(module.params.get("filters"))
|
filters = ansible_dict_to_boto3_filter_list(module.params.get("filters"))
|
||||||
|
|
||||||
|
if nacl_ids is None:
|
||||||
|
nacl_ids = []
|
||||||
|
|
||||||
try:
|
try:
|
||||||
nacls = connection.describe_network_acls(NetworkAclIds=nacl_ids, Filters=filters)
|
nacls = connection.describe_network_acls(NetworkAclIds=nacl_ids, Filters=filters)
|
||||||
except (ClientError, NoCredentialsError) as e:
|
except ClientError as e:
|
||||||
module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response))
|
module.fail_json(msg="Unable to describe network ACLs {0}: {1}".format(nacl_ids, to_native(e)),
|
||||||
|
exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response))
|
||||||
|
except BotoCoreError as e:
|
||||||
|
module.fail_json(msg="Unable to describe network ACLs {0}: {1}".format(nacl_ids, to_native(e)),
|
||||||
|
exception=traceback.format_exc())
|
||||||
|
|
||||||
# Turn the boto3 result in to ansible_friendly_snaked_names
|
# Turn the boto3 result in to ansible_friendly_snaked_names
|
||||||
snaked_nacls = []
|
snaked_nacls = []
|
||||||
|
@ -132,9 +148,9 @@ def list_ec2_vpc_nacls(connection, module):
|
||||||
nacl['tags'] = boto3_tag_list_to_ansible_dict(nacl['tags'], 'key', 'value')
|
nacl['tags'] = boto3_tag_list_to_ansible_dict(nacl['tags'], 'key', 'value')
|
||||||
if 'entries' in nacl:
|
if 'entries' in nacl:
|
||||||
nacl['egress'] = [nacl_entry_to_list(entry) for entry in nacl['entries']
|
nacl['egress'] = [nacl_entry_to_list(entry) for entry in nacl['entries']
|
||||||
if entry['rule_number'] != 32767 and entry['egress']]
|
if entry['rule_number'] < 32767 and entry['egress']]
|
||||||
nacl['ingress'] = [nacl_entry_to_list(entry) for entry in nacl['entries']
|
nacl['ingress'] = [nacl_entry_to_list(entry) for entry in nacl['entries']
|
||||||
if entry['rule_number'] != 32767 and not entry['egress']]
|
if entry['rule_number'] < 32767 and not entry['egress']]
|
||||||
del nacl['entries']
|
del nacl['entries']
|
||||||
if 'associations' in nacl:
|
if 'associations' in nacl:
|
||||||
nacl['subnets'] = [a['subnet_id'] for a in nacl['associations']]
|
nacl['subnets'] = [a['subnet_id'] for a in nacl['associations']]
|
||||||
|
@ -148,21 +164,36 @@ def list_ec2_vpc_nacls(connection, module):
|
||||||
|
|
||||||
def nacl_entry_to_list(entry):
|
def nacl_entry_to_list(entry):
|
||||||
|
|
||||||
elist = [entry['rule_number'],
|
# entry list format
|
||||||
PROTOCOL_NAMES[entry['protocol']],
|
# [ rule_num, protocol name or number, allow or deny, ipv4/6 cidr, icmp type, icmp code, port from, port to]
|
||||||
entry['rule_action'],
|
elist = []
|
||||||
entry['cidr_block']
|
|
||||||
]
|
elist.append(entry['rule_number'])
|
||||||
if entry['protocol'] == '1':
|
|
||||||
elist = elist + [-1, -1]
|
if entry.get('protocol') in PROTOCOL_NAMES:
|
||||||
|
elist.append(PROTOCOL_NAMES[entry['protocol']])
|
||||||
else:
|
else:
|
||||||
elist = elist + [None, None, None, None]
|
elist.append(entry.get('protocol'))
|
||||||
|
|
||||||
if 'icmp_type_code' in entry:
|
elist.append(entry['rule_action'])
|
||||||
elist[4] = entry['icmp_type_code']['type']
|
|
||||||
elist[5] = entry['icmp_type_code']['code']
|
|
||||||
|
|
||||||
if 'port_range' in entry:
|
if entry.get('cidr_block'):
|
||||||
|
elist.append(entry['cidr_block'])
|
||||||
|
elif entry.get('ipv6_cidr_block'):
|
||||||
|
elist.append(entry['ipv6_cidr_block'])
|
||||||
|
else:
|
||||||
|
elist.append(None)
|
||||||
|
|
||||||
|
elist = elist + [None, None, None, None]
|
||||||
|
|
||||||
|
if entry['protocol'] in ('1', '58'):
|
||||||
|
elist[4] = entry.get('icmp_type_code', {}).get('type')
|
||||||
|
elist[5] = entry.get('icmp_type_code', {}).get('code')
|
||||||
|
|
||||||
|
if entry['protocol'] not in ('1', '6', '17', '58'):
|
||||||
|
elist[6] = 0
|
||||||
|
elist[7] = 65535
|
||||||
|
elif 'port_range' in entry:
|
||||||
elist[6] = entry['port_range']['from']
|
elist[6] = entry['port_range']['from']
|
||||||
elist[7] = entry['port_range']['to']
|
elist[7] = entry['port_range']['to']
|
||||||
|
|
||||||
|
@ -179,19 +210,14 @@ def main():
|
||||||
)
|
)
|
||||||
)
|
)
|
||||||
|
|
||||||
module = AnsibleModule(argument_spec=argument_spec,
|
module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True)
|
||||||
mutually_exclusive=[['nacl_ids', 'filters']])
|
|
||||||
|
|
||||||
if not HAS_BOTO3:
|
if not HAS_BOTO3:
|
||||||
module.fail_json(msg='boto3 required for this module')
|
module.fail_json(msg='boto3 required for this module')
|
||||||
|
|
||||||
region, ec2_url, aws_connect_params = get_aws_connection_info(module, boto3=True)
|
region, ec2_url, aws_connect_params = get_aws_connection_info(module, boto3=True)
|
||||||
|
connection = boto3_conn(module, conn_type='client', resource='ec2',
|
||||||
if region:
|
region=region, endpoint=ec2_url, **aws_connect_params)
|
||||||
connection = boto3_conn(module, conn_type='client', resource='ec2',
|
|
||||||
region=region, endpoint=ec2_url, **aws_connect_params)
|
|
||||||
else:
|
|
||||||
module.fail_json(msg="region must be specified")
|
|
||||||
|
|
||||||
list_ec2_vpc_nacls(connection, module)
|
list_ec2_vpc_nacls(connection, module)
|
||||||
|
|
||||||
|
|
Loading…
Reference in a new issue