From 5b0214bccecaa6af1812ae34a1a12032fb03f0a9 Mon Sep 17 00:00:00 2001
From: The Magician <magic-modules@google.com>
Date: Fri, 19 Jul 2019 13:42:37 -0700
Subject: [PATCH] New Module: gcp_appengine_firewall_rule (#58852)
---
.../google/gcp_appengine_firewall_rule.py | 279 ++++++++++++++++++
.../gcp_appengine_firewall_rule/aliases | 2 +
.../defaults/main.yml | 2 +
.../gcp_appengine_firewall_rule/meta/main.yml | 0
.../tasks/main.yml | 108 +++++++
5 files changed, 391 insertions(+)
create mode 100644 lib/ansible/modules/cloud/google/gcp_appengine_firewall_rule.py
create mode 100644 test/integration/targets/gcp_appengine_firewall_rule/aliases
create mode 100644 test/integration/targets/gcp_appengine_firewall_rule/defaults/main.yml
create mode 100644 test/integration/targets/gcp_appengine_firewall_rule/meta/main.yml
create mode 100644 test/integration/targets/gcp_appengine_firewall_rule/tasks/main.yml
diff --git a/lib/ansible/modules/cloud/google/gcp_appengine_firewall_rule.py b/lib/ansible/modules/cloud/google/gcp_appengine_firewall_rule.py
new file mode 100644
index 00000000000..2f03577d07d
--- /dev/null
+++ b/lib/ansible/modules/cloud/google/gcp_appengine_firewall_rule.py
@@ -0,0 +1,279 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Copyright (C) 2017 Google
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file at
+# https://www.github.com/GoogleCloudPlatform/magic-modules
+#
+# ----------------------------------------------------------------------------
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+################################################################################
+# Documentation
+################################################################################
+
+ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'}
+
+DOCUMENTATION = '''
+---
+module: gcp_appengine_firewall_rule
+description:
+- A single firewall rule that is evaluated against incoming traffic and provides an
+ action to take on matched requests.
+short_description: Creates a GCP FirewallRule
+version_added: 2.9
+author: Google Inc. (@googlecloudplatform)
+requirements:
+- python >= 2.6
+- requests >= 2.18.4
+- google-auth >= 1.3.0
+options:
+ state:
+ description:
+ - Whether the given object should exist in GCP
+ choices:
+ - present
+ - absent
+ default: present
+ type: str
+ description:
+ description:
+ - An optional string description of this rule.
+ required: false
+ type: str
+ source_range:
+ description:
+ - IP address or range, defined using CIDR notation, of requests that this rule
+ applies to.
+ required: true
+ type: str
+ action:
+ description:
+ - The action to take if this rule matches.
+ - 'Some valid choices include: "UNSPECIFIED_ACTION", "ALLOW", "DENY"'
+ required: true
+ type: str
+ priority:
+ description:
+ - A positive integer that defines the order of rule evaluation.
+ - Rules with the lowest priority are evaluated first.
+ - A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic
+ when no previous rule matches. Only the action of this rule can be modified
+ by the user.
+ required: false
+ type: int
+extends_documentation_fragment: gcp
+notes:
+- 'API Reference: U(https://cloud.google.com/appengine/docs/admin-api/reference/rest/v1/apps.firewall.ingressRules)'
+- 'Official Documentation: U(https://cloud.google.com/appengine/docs/standard/python/creating-firewalls#creating_firewall_rules)'
+'''
+
+EXAMPLES = '''
+- name: create a firewall rule
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: test_project
+ auth_kind: serviceaccount
+ service_account_file: "/tmp/auth.pem"
+ state: present
+'''
+
+RETURN = '''
+description:
+ description:
+ - An optional string description of this rule.
+ returned: success
+ type: str
+sourceRange:
+ description:
+ - IP address or range, defined using CIDR notation, of requests that this rule applies
+ to.
+ returned: success
+ type: str
+action:
+ description:
+ - The action to take if this rule matches.
+ returned: success
+ type: str
+priority:
+ description:
+ - A positive integer that defines the order of rule evaluation.
+ - Rules with the lowest priority are evaluated first.
+ - A default rule at priority Int32.MaxValue matches all IPv4 and IPv6 traffic when
+ no previous rule matches. Only the action of this rule can be modified by the
+ user.
+ returned: success
+ type: int
+'''
+
+################################################################################
+# Imports
+################################################################################
+
+from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest, replace_resource_dict
+import json
+
+################################################################################
+# Main
+################################################################################
+
+
+def main():
+ """Main function"""
+
+ module = GcpModule(
+ argument_spec=dict(
+ state=dict(default='present', choices=['present', 'absent'], type='str'),
+ description=dict(type='str'),
+ source_range=dict(required=True, type='str'),
+ action=dict(required=True, type='str'),
+ priority=dict(type='int'),
+ )
+ )
+
+ if not module.params['scopes']:
+ module.params['scopes'] = ['https://www.googleapis.com/auth/cloud-platform']
+
+ state = module.params['state']
+
+ fetch = fetch_resource(module, self_link(module))
+ changed = False
+
+ if fetch:
+ if state == 'present':
+ if is_different(module, fetch):
+ update(module, self_link(module), fetch)
+ fetch = fetch_resource(module, self_link(module))
+ changed = True
+ else:
+ delete(module, self_link(module))
+ fetch = {}
+ changed = True
+ else:
+ if state == 'present':
+ fetch = create(module, collection(module))
+ changed = True
+ else:
+ fetch = {}
+
+ fetch.update({'changed': changed})
+
+ module.exit_json(**fetch)
+
+
+def create(module, link):
+ auth = GcpSession(module, 'appengine')
+ return return_if_object(module, auth.post(link, resource_to_request(module)))
+
+
+def update(module, link, fetch):
+ auth = GcpSession(module, 'appengine')
+ params = {'updateMask': updateMask(resource_to_request(module), response_to_hash(module, fetch))}
+ request = resource_to_request(module)
+ del request['name']
+ return return_if_object(module, auth.patch(link, request, params=params))
+
+
+def updateMask(request, response):
+ update_mask = []
+ if request.get('description') != response.get('description'):
+ update_mask.append('description')
+ if request.get('sourceRange') != response.get('sourceRange'):
+ update_mask.append('sourceRange')
+ if request.get('action') != response.get('action'):
+ update_mask.append('action')
+ if request.get('priority') != response.get('priority'):
+ update_mask.append('priority')
+ return ','.join(update_mask)
+
+
+def delete(module, link):
+ auth = GcpSession(module, 'appengine')
+ return return_if_object(module, auth.delete(link))
+
+
+def resource_to_request(module):
+ request = {u'description': module.params.get('description'), u'sourceRange': module.params.get('source_range'), u'action': module.params.get('action')}
+ return_vals = {}
+ for k, v in request.items():
+ if v or v is False:
+ return_vals[k] = v
+
+ return return_vals
+
+
+def fetch_resource(module, link, allow_not_found=True):
+ auth = GcpSession(module, 'appengine')
+ return return_if_object(module, auth.get(link), allow_not_found)
+
+
+def self_link(module):
+ return "https://appengine.googleapis.com/v1/apps/{project}/firewall/ingressRules/{priority}".format(**module.params)
+
+
+def collection(module):
+ return "https://appengine.googleapis.com/v1/apps/{project}/firewall/ingressRules".format(**module.params)
+
+
+def return_if_object(module, response, allow_not_found=False):
+ # If not found, return nothing.
+ if allow_not_found and response.status_code == 404:
+ return None
+
+ # If no content, return nothing.
+ if response.status_code == 204:
+ return None
+
+ try:
+ module.raise_for_status(response)
+ result = response.json()
+ except getattr(json.decoder, 'JSONDecodeError', ValueError):
+ module.fail_json(msg="Invalid JSON response with error: %s" % response.text)
+
+ if navigate_hash(result, ['error', 'errors']):
+ module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
+
+ return result
+
+
+def is_different(module, response):
+ request = resource_to_request(module)
+ response = response_to_hash(module, response)
+
+ # Remove all output-only from response.
+ response_vals = {}
+ for k, v in response.items():
+ if k in request:
+ response_vals[k] = v
+
+ request_vals = {}
+ for k, v in request.items():
+ if k in response:
+ request_vals[k] = v
+
+ return GcpRequest(request_vals) != GcpRequest(response_vals)
+
+
+# Remove unnecessary properties from the response.
+# This is for doing comparisons with Ansible's current parameters.
+def response_to_hash(module, response):
+ return {u'description': response.get(u'description'), u'sourceRange': response.get(u'sourceRange'), u'action': response.get(u'action')}
+
+
+if __name__ == '__main__':
+ main()
diff --git a/test/integration/targets/gcp_appengine_firewall_rule/aliases b/test/integration/targets/gcp_appengine_firewall_rule/aliases
new file mode 100644
index 00000000000..9812f019ca4
--- /dev/null
+++ b/test/integration/targets/gcp_appengine_firewall_rule/aliases
@@ -0,0 +1,2 @@
+cloud/gcp
+unsupported
diff --git a/test/integration/targets/gcp_appengine_firewall_rule/defaults/main.yml b/test/integration/targets/gcp_appengine_firewall_rule/defaults/main.yml
new file mode 100644
index 00000000000..ba66644fc1c
--- /dev/null
+++ b/test/integration/targets/gcp_appengine_firewall_rule/defaults/main.yml
@@ -0,0 +1,2 @@
+---
+resource_name: "{{ resource_prefix }}"
diff --git a/test/integration/targets/gcp_appengine_firewall_rule/meta/main.yml b/test/integration/targets/gcp_appengine_firewall_rule/meta/main.yml
new file mode 100644
index 00000000000..e69de29bb2d
diff --git a/test/integration/targets/gcp_appengine_firewall_rule/tasks/main.yml b/test/integration/targets/gcp_appengine_firewall_rule/tasks/main.yml
new file mode 100644
index 00000000000..94dac0184cd
--- /dev/null
+++ b/test/integration/targets/gcp_appengine_firewall_rule/tasks/main.yml
@@ -0,0 +1,108 @@
+---
+# ----------------------------------------------------------------------------
+#
+# *** AUTO GENERATED CODE *** AUTO GENERATED CODE ***
+#
+# ----------------------------------------------------------------------------
+#
+# This file is automatically generated by Magic Modules and manual
+# changes will be clobbered when the file is regenerated.
+#
+# Please read more about how to change this file at
+# https://www.github.com/GoogleCloudPlatform/magic-modules
+#
+# ----------------------------------------------------------------------------
+# Pre-test setup
+- name: delete a firewall rule
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ state: absent
+#----------------------------------------------------------
+- name: create a firewall rule
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ state: present
+ register: result
+- name: assert changed is true
+ assert:
+ that:
+ - result.changed == true
+- name: verify that firewall_rule was created
+ gcp_appengine_firewall_rule_facts:
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ scopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ register: results
+- name: verify that command succeeded
+ assert:
+ that:
+ - results['resources'] | length >= 1
+# ----------------------------------------------------------------------------
+- name: create a firewall rule that already exists
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ state: present
+ register: result
+- name: assert changed is false
+ assert:
+ that:
+ - result.changed == false
+#----------------------------------------------------------
+- name: delete a firewall rule
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ state: absent
+ register: result
+- name: assert changed is true
+ assert:
+ that:
+ - result.changed == true
+- name: verify that firewall_rule was deleted
+ gcp_appengine_firewall_rule_facts:
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ scopes:
+ - https://www.googleapis.com/auth/cloud-platform
+ register: results
+- name: verify that command succeeded
+ assert:
+ that:
+ - results['resources'] | length == 0
+# ----------------------------------------------------------------------------
+- name: delete a firewall rule that does not exist
+ gcp_appengine_firewall_rule:
+ priority: 1000
+ source_range: 10.0.0.0
+ action: ALLOW
+ project: "{{ gcp_project }}"
+ auth_kind: "{{ gcp_cred_kind }}"
+ service_account_file: "{{ gcp_cred_file }}"
+ state: absent
+ register: result
+- name: assert changed is false
+ assert:
+ that:
+ - result.changed == false