make panos security rule more idempotent (#26573)

Ken Celenza 2017-08-01 13:35:18 -04:00 committed by Chris Alfonso
parent fb1583b2c2
commit 7a51c5f4df


@ -272,22 +272,39 @@ except ImportError:
HAS_LIB = False HAS_LIB = False
def security_rule_exists(device, rule_name): def security_rule_exists(device, sec_rule):
if isinstance(device, pandevice.firewall.Firewall): if isinstance(device, pandevice.firewall.Firewall):
rule_base = pandevice.policies.Rulebase.refreshall(device) rule_base = pandevice.policies.Rulebase.refreshall(device)
elif isinstance(device, pandevice.panorama.Panorama): elif isinstance(device, pandevice.panorama.Panorama):
# look for only pre-rulebase ATM # look for only pre-rulebase ATM
rule_base = pandevice.policies.PreRulebase.refreshall(device) rule_base = pandevice.policies.PreRulebase.refreshall(device)
match_check = ['name', 'description', 'group_profile', 'antivirus', 'vulnerability'
'spyware', 'url_filtering', 'file_blocking', 'data_filtering',
'wildfire_analysis', 'type', 'action', 'tag', 'log_start', 'log_end']
list_check = ['tozone', 'fromzone', 'source', 'source_user', 'destination', 'category',
'application', 'service', 'hip_profiles']
change_check = False
if rule_base: if rule_base:
rule_base = rule_base[0] rule_base = rule_base[0]
security_rules = rule_base.findall(pandevice.policies.SecurityRule) security_rules = rule_base.findall(pandevice.policies.SecurityRule)
if security_rules: if security_rules:
for r in security_rules: for r in security_rules:
if r.name == rule_name: if r.name == sec_rule.name:
change_check = True
for check in match_check:
propose_check = getattr(sec_rule, check, None)
current_check = getattr(r, check, None)
if propose_check != current_check:
return True return True
for check in list_check:
propose_check = getattr(sec_rule, check, [])
current_check = getattr(r, check, [])
if set(propose_check) != set(current_check):
return True
if change_check:
return 'no_change'
return False return False
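Review bot: The new `match_check` list in `security_rule_exists` is missing a comma between `'vulnerability'` and `'spyware'` on its first line, so Python's implicit string concatenation turns them into the single attribute name `'vulnerabilityspyware'`; `getattr(..., None)` then returns None for both the proposed and current rule, and drift in the vulnerability or spyware profile fields is never detected, so a rule whose security profiles were changed is reported as `'no_change'`. The fix is `match_check = ['name', 'description', 'group_profile', 'antivirus', 'vulnerability',`. Separately, the `list_check` loop calls `set(propose_check)` on a `getattr(..., [])` default that only applies when the attribute is absent; if pandevice represents unset list fields as None (not visible here), `set(None)` raises TypeError, which `set(propose_check or [])` / `set(current_check or [])` would avoid. The return value now mixes `True`, `False` and the string `'no_change'`, and main() distinguishes them with `is True`; a docstring such as `"""Return True if a rule with this name exists but differs, 'no_change' if an identical rule exists, False if absent."""` would make that contract explicit for callers.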
@ -334,13 +351,15 @@ def create_security_rule(**kwargs):
return security_rule return security_rule
def add_security_rule(device, sec_rule): def add_security_rule(device, sec_rule, rule_exist):
if isinstance(device, pandevice.firewall.Firewall): if isinstance(device, pandevice.firewall.Firewall):
rule_base = pandevice.policies.Rulebase.refreshall(device) rule_base = pandevice.policies.Rulebase.refreshall(device)
elif isinstance(device, pandevice.panorama.Panorama): elif isinstance(device, pandevice.panorama.Panorama):
# look for only pre-rulebase ATM # look for only pre-rulebase ATM
rule_base = pandevice.policies.PreRulebase.refreshall(device) rule_base = pandevice.policies.PreRulebase.refreshall(device)
if rule_exist:
return False
if rule_base: if rule_base:
rule_base = rule_base[0] rule_base = rule_base[0]
@ -449,10 +468,6 @@ def main():
else: else:
device = pandevice.firewall.Firewall(ip_address, username, password, api_key=api_key) device = pandevice.firewall.Firewall(ip_address, username, password, api_key=api_key)
if security_rule_exists(device, rule_name):
module.fail_json(msg='Rule with the same name already exists.')
try:
sec_rule = create_security_rule( sec_rule = create_security_rule(
rule_name=rule_name, rule_name=rule_name,
description=description, description=description,
@ -480,7 +495,11 @@ def main():
action=action action=action
) )
changed = add_security_rule(device, sec_rule) rule_exist = security_rule_exists(device, sec_rule)
if rule_exist is True:
module.fail_json(msg='Rule with the same name but different objects exists.')
try:
changed = add_security_rule(device, sec_rule, rule_exist)
except PanXapiError: except PanXapiError:
exc = get_exception() exc = get_exception()
module.fail_json(msg=exc.message) module.fail_json(msg=exc.message)