cs_network_acl_rule: implement cidr/cidrs as list (#56083)

René Moser 2019-05-06 22:36:26 +02:00 committed by GitHub
parent 864bd941af
commit f42a32ad36
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
2 changed files with 36 additions and 28 deletions


@ -23,11 +23,12 @@ options:
type: str type: str
required: true required: true
aliases: [ acl ] aliases: [ acl ]
cidr: cidrs:
description: description:
- CIDR of the rule. - CIDRs of the rule.
type: str type: list
default: 0.0.0.0/0 default: [ 0.0.0.0/0 ]
aliases: [ cidr ]
rule_position: rule_position:
description: description:
- The position of the network ACL rule. - The position of the network ACL rule.
@ -134,7 +135,7 @@ EXAMPLES = '''
cidr: 0.0.0.0/0 cidr: 0.0.0.0/0
delegate_to: localhost delegate_to: localhost
- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 - name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 and 10.22.0.0/16
cs_network_acl_rule: cs_network_acl_rule:
network_acl: web network_acl: web
rule_position: 1 rule_position: 1
@ -142,20 +143,10 @@ EXAMPLES = '''
traffic_type: ingress traffic_type: ingress
action_policy: deny action_policy: deny
start_port: 8000 start_port: 8000
end_port: 8000 end_port: 9000
cidr: 10.20.0.0/16 cidrs:
delegate_to: localhost - 10.20.0.0/16
- 10.22.0.0/16
- name: create a network ACL rule
cs_network_acl_rule:
network_acl: web
rule_position: 1
vpc: my vpc
traffic_type: ingress
action_policy: deny
start_port: 8000
end_port: 8000
cidr: 10.20.0.0/16
delegate_to: localhost delegate_to: localhost
- name: remove a network ACL rule - name: remove a network ACL rule
@ -179,6 +170,12 @@ cidr:
returned: success returned: success
type: str type: str
sample: 0.0.0.0/0 sample: 0.0.0.0/0
cidrs:
description: CIDRs of the network ACL rule.
returned: success
type: list
sample: [ 0.0.0.0/0 ]
version_added: '2.9'
rule_position: rule_position:
description: Position of the network ACL rule. description: Position of the network ACL rule.
returned: success returned: success
@ -357,7 +354,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
'icmpcode': self.module.params.get('icmp_code'), 'icmpcode': self.module.params.get('icmp_code'),
'icmptype': self.module.params.get('icmp_type'), 'icmptype': self.module.params.get('icmp_type'),
'traffictype': self.module.params.get('traffic_type'), 'traffictype': self.module.params.get('traffic_type'),
'cidrlist': self.module.params.get('cidr'), 'cidrlist': self.module.params.get('cidrs'),
} }
if not self.module.check_mode: if not self.module.check_mode:
res = self.query_api('createNetworkACL', **args) res = self.query_api('createNetworkACL', **args)
@ -379,7 +376,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
'icmpcode': self.module.params.get('icmp_code'), 'icmpcode': self.module.params.get('icmp_code'),
'icmptype': self.module.params.get('icmp_type'), 'icmptype': self.module.params.get('icmp_type'),
'traffictype': self.module.params.get('traffic_type'), 'traffictype': self.module.params.get('traffic_type'),
'cidrlist': self.module.params.get('cidr'), 'cidrlist': ",".join(self.module.params.get('cidrs')),
} }
if self.has_changed(args, network_acl_rule): if self.has_changed(args, network_acl_rule):
self.result['changed'] = True self.result['changed'] = True
@ -395,6 +392,8 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
def get_result(self, network_acl_rule): def get_result(self, network_acl_rule):
super(AnsibleCloudStackNetworkAclRule, self).get_result(network_acl_rule) super(AnsibleCloudStackNetworkAclRule, self).get_result(network_acl_rule)
if network_acl_rule: if network_acl_rule:
if 'cidrlist' in network_acl_rule:
self.result['cidrs'] = network_acl_rule['cidrlist'].split(',') or [network_acl_rule['cidrlist']]
if network_acl_rule['protocol'] not in ['tcp', 'udp', 'icmp', 'all']: if network_acl_rule['protocol'] not in ['tcp', 'udp', 'icmp', 'all']:
self.result['protocol_number'] = int(network_acl_rule['protocol']) self.result['protocol_number'] = int(network_acl_rule['protocol'])
self.result['protocol'] = 'by_number' self.result['protocol'] = 'by_number'
@ -409,7 +408,7 @@ def main():
network_acl=dict(required=True, aliases=['acl']), network_acl=dict(required=True, aliases=['acl']),
rule_position=dict(required=True, type='int', aliases=['number']), rule_position=dict(required=True, type='int', aliases=['number']),
vpc=dict(required=True), vpc=dict(required=True),
cidr=dict(default='0.0.0.0/0'), cidrs=dict(type='list', default=['0.0.0.0/0'], aliases=['cidr']),
protocol=dict(choices=['tcp', 'udp', 'icmp', 'all', 'by_number'], default='tcp'), protocol=dict(choices=['tcp', 'udp', 'icmp', 'all', 'by_number'], default='tcp'),
protocol_number=dict(type='int'), protocol_number=dict(type='int'),
traffic_type=dict(choices=['ingress', 'egress'], aliases=['type'], default='ingress'), traffic_type=dict(choices=['ingress', 'egress'], aliases=['type'], default='ingress'),
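Review bot: The `or [network_acl_rule['cidrlist']]` fallback on the new line in `get_result` (hunk at -395) is unreachable, because `str.split(',')` never returns an empty list (`''.split(',')` gives `['']`), so the line should read `self.result['cidrs'] = network_acl_rule['cidrlist'].split(',')`, and if the API can return a rule whose cidrlist is empty that case needs explicit handling rather than a dead branch; the body of `get_result` continues outside the hunk. The create path (hunk at -357) passes the raw `cidrs` list as `cidrlist` while the update path (hunk at -379) sends `",".join(self.module.params.get('cidrs'))`; unless the API client serializes lists itself, which I cannot confirm from here, the create call sends the wrong type, and joining in both places keeps the two requests consistent either way. Because `has_changed` compares that joined string with the rule's stored `cidrlist`, the same CIDRs given in a different order will presumably be reported as a change on every run, so the comparison should be made order-independent before the join. In `main()`, `cidrs=dict(type='list', default=['0.0.0.0/0'], aliases=['cidr'])` declares no `elements='str'` and does not reject an empty list, which would send an empty `cidrlist` to the API; add `elements='str'` if the supported Ansible version accepts it and fail with `self.module.fail_json` when the list is empty. The RETURN entry for `cidr` (type str, sample 0.0.0.0/0) still describes a single CIDR although the updated integration test asserts it now carries `"1.2.3.0/24,3.2.1.0/24"`, and the `cidrs` option documentation lacks the `version_added: '2.9'` that the new `cidrs` RETURN entry has.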


@ -174,7 +174,9 @@
traffic_type: egress traffic_type: egress
action_policy: deny action_policy: deny
port: 81 port: 81
cidr: 0.0.0.0/0 cidrs:
- 1.2.3.0/24
- 3.2.1.0/24
zone: "{{ cs_common_zone_adv }}" zone: "{{ cs_common_zone_adv }}"
register: acl_rule register: acl_rule
check_mode: true check_mode: true
@ -189,6 +191,7 @@
- acl_rule.end_port == 80 - acl_rule.end_port == 80
- acl_rule.action_policy == "allow" - acl_rule.action_policy == "allow"
- acl_rule.cidr == "0.0.0.0/0" - acl_rule.cidr == "0.0.0.0/0"
- acl_rule.cidrs == [ "0.0.0.0/0" ]
- acl_rule.traffic_type == "ingress" - acl_rule.traffic_type == "ingress"
- acl_rule.rule_position == 1 - acl_rule.rule_position == 1
@ -201,7 +204,9 @@
action_policy: deny action_policy: deny
port: 81 port: 81
protocol: udp protocol: udp
cidr: 0.0.0.0/0 cidrs:
- 1.2.3.0/24
- 3.2.1.0/24
zone: "{{ cs_common_zone_adv }}" zone: "{{ cs_common_zone_adv }}"
register: acl_rule register: acl_rule
- name: verify test change network acl rule - name: verify test change network acl rule
@ -214,7 +219,8 @@
- acl_rule.start_port == 81 - acl_rule.start_port == 81
- acl_rule.end_port == 81 - acl_rule.end_port == 81
- acl_rule.action_policy == "deny" - acl_rule.action_policy == "deny"
- acl_rule.cidr == "0.0.0.0/0" - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
- acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
- acl_rule.traffic_type == "egress" - acl_rule.traffic_type == "egress"
- acl_rule.protocol == "udp" - acl_rule.protocol == "udp"
- acl_rule.rule_position == 1 - acl_rule.rule_position == 1
@ -228,7 +234,9 @@
action_policy: deny action_policy: deny
port: 81 port: 81
protocol: udp protocol: udp
cidr: 0.0.0.0/0 cidrs:
- 1.2.3.0/24
- 3.2.1.0/24
zone: "{{ cs_common_zone_adv }}" zone: "{{ cs_common_zone_adv }}"
register: acl_rule register: acl_rule
- name: verify test change network acl idempotence - name: verify test change network acl idempotence
@ -241,7 +249,8 @@
- acl_rule.start_port == 81 - acl_rule.start_port == 81
- acl_rule.end_port == 81 - acl_rule.end_port == 81
- acl_rule.action_policy == "deny" - acl_rule.action_policy == "deny"
- acl_rule.cidr == "0.0.0.0/0" - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
- acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
- acl_rule.traffic_type == "egress" - acl_rule.traffic_type == "egress"
- acl_rule.protocol == "udp" - acl_rule.protocol == "udp"
- acl_rule.rule_position == 1 - acl_rule.rule_position == 1
@ -270,7 +279,7 @@
- acl_rule.start_port == 81 - acl_rule.start_port == 81
- acl_rule.end_port == 81 - acl_rule.end_port == 81
- acl_rule.action_policy == "deny" - acl_rule.action_policy == "deny"
- acl_rule.cidr == "0.0.0.0/0" - acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
- acl_rule.traffic_type == "egress" - acl_rule.traffic_type == "egress"
- acl_rule.protocol == "udp" - acl_rule.protocol == "udp"
- acl_rule.rule_position == 1 - acl_rule.rule_position == 1