cs_network_acl_rule: implement cidr/cidrs as list (#56083)
parent
864bd941af
commit
f42a32ad36
2 changed files with 36 additions and 28 deletions
|
@ -23,11 +23,12 @@ options:
|
||||||
type: str
|
type: str
|
||||||
required: true
|
required: true
|
||||||
aliases: [ acl ]
|
aliases: [ acl ]
|
||||||
cidr:
|
cidrs:
|
||||||
description:
|
description:
|
||||||
- CIDR of the rule.
|
- CIDRs of the rule.
|
||||||
type: str
|
type: list
|
||||||
default: 0.0.0.0/0
|
default: [ 0.0.0.0/0 ]
|
||||||
|
aliases: [ cidr ]
|
||||||
rule_position:
|
rule_position:
|
||||||
description:
|
description:
|
||||||
- The position of the network ACL rule.
|
- The position of the network ACL rule.
|
||||||
|
@ -134,7 +135,7 @@ EXAMPLES = '''
|
||||||
cidr: 0.0.0.0/0
|
cidr: 0.0.0.0/0
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16
|
- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 and 10.22.0.0/16
|
||||||
cs_network_acl_rule:
|
cs_network_acl_rule:
|
||||||
network_acl: web
|
network_acl: web
|
||||||
rule_position: 1
|
rule_position: 1
|
||||||
|
@ -142,20 +143,10 @@ EXAMPLES = '''
|
||||||
traffic_type: ingress
|
traffic_type: ingress
|
||||||
action_policy: deny
|
action_policy: deny
|
||||||
start_port: 8000
|
start_port: 8000
|
||||||
end_port: 8000
|
end_port: 9000
|
||||||
cidr: 10.20.0.0/16
|
cidrs:
|
||||||
delegate_to: localhost
|
- 10.20.0.0/16
|
||||||
|
- 10.22.0.0/16
|
||||||
- name: create a network ACL rule
|
|
||||||
cs_network_acl_rule:
|
|
||||||
network_acl: web
|
|
||||||
rule_position: 1
|
|
||||||
vpc: my vpc
|
|
||||||
traffic_type: ingress
|
|
||||||
action_policy: deny
|
|
||||||
start_port: 8000
|
|
||||||
end_port: 8000
|
|
||||||
cidr: 10.20.0.0/16
|
|
||||||
delegate_to: localhost
|
delegate_to: localhost
|
||||||
|
|
||||||
- name: remove a network ACL rule
|
- name: remove a network ACL rule
|
||||||
|
@ -179,6 +170,12 @@ cidr:
|
||||||
returned: success
|
returned: success
|
||||||
type: str
|
type: str
|
||||||
sample: 0.0.0.0/0
|
sample: 0.0.0.0/0
|
||||||
|
cidrs:
|
||||||
|
description: CIDRs of the network ACL rule.
|
||||||
|
returned: success
|
||||||
|
type: list
|
||||||
|
sample: [ 0.0.0.0/0 ]
|
||||||
|
version_added: '2.9'
|
||||||
rule_position:
|
rule_position:
|
||||||
description: Position of the network ACL rule.
|
description: Position of the network ACL rule.
|
||||||
returned: success
|
returned: success
|
||||||
|
@ -357,7 +354,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
|
||||||
'icmpcode': self.module.params.get('icmp_code'),
|
'icmpcode': self.module.params.get('icmp_code'),
|
||||||
'icmptype': self.module.params.get('icmp_type'),
|
'icmptype': self.module.params.get('icmp_type'),
|
||||||
'traffictype': self.module.params.get('traffic_type'),
|
'traffictype': self.module.params.get('traffic_type'),
|
||||||
'cidrlist': self.module.params.get('cidr'),
|
'cidrlist': self.module.params.get('cidrs'),
|
||||||
}
|
}
|
||||||
if not self.module.check_mode:
|
if not self.module.check_mode:
|
||||||
res = self.query_api('createNetworkACL', **args)
|
res = self.query_api('createNetworkACL', **args)
|
||||||
|
@ -379,7 +376,7 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
|
||||||
'icmpcode': self.module.params.get('icmp_code'),
|
'icmpcode': self.module.params.get('icmp_code'),
|
||||||
'icmptype': self.module.params.get('icmp_type'),
|
'icmptype': self.module.params.get('icmp_type'),
|
||||||
'traffictype': self.module.params.get('traffic_type'),
|
'traffictype': self.module.params.get('traffic_type'),
|
||||||
'cidrlist': self.module.params.get('cidr'),
|
'cidrlist': ",".join(self.module.params.get('cidrs')),
|
||||||
}
|
}
|
||||||
if self.has_changed(args, network_acl_rule):
|
if self.has_changed(args, network_acl_rule):
|
||||||
self.result['changed'] = True
|
self.result['changed'] = True
|
||||||
|
@ -395,6 +392,8 @@ class AnsibleCloudStackNetworkAclRule(AnsibleCloudStack):
|
||||||
def get_result(self, network_acl_rule):
|
def get_result(self, network_acl_rule):
|
||||||
super(AnsibleCloudStackNetworkAclRule, self).get_result(network_acl_rule)
|
super(AnsibleCloudStackNetworkAclRule, self).get_result(network_acl_rule)
|
||||||
if network_acl_rule:
|
if network_acl_rule:
|
||||||
|
if 'cidrlist' in network_acl_rule:
|
||||||
|
self.result['cidrs'] = network_acl_rule['cidrlist'].split(',') or [network_acl_rule['cidrlist']]
|
||||||
if network_acl_rule['protocol'] not in ['tcp', 'udp', 'icmp', 'all']:
|
if network_acl_rule['protocol'] not in ['tcp', 'udp', 'icmp', 'all']:
|
||||||
self.result['protocol_number'] = int(network_acl_rule['protocol'])
|
self.result['protocol_number'] = int(network_acl_rule['protocol'])
|
||||||
self.result['protocol'] = 'by_number'
|
self.result['protocol'] = 'by_number'
|
||||||
|
@ -409,7 +408,7 @@ def main():
|
||||||
network_acl=dict(required=True, aliases=['acl']),
|
network_acl=dict(required=True, aliases=['acl']),
|
||||||
rule_position=dict(required=True, type='int', aliases=['number']),
|
rule_position=dict(required=True, type='int', aliases=['number']),
|
||||||
vpc=dict(required=True),
|
vpc=dict(required=True),
|
||||||
cidr=dict(default='0.0.0.0/0'),
|
cidrs=dict(type='list', default=['0.0.0.0/0'], aliases=['cidr']),
|
||||||
protocol=dict(choices=['tcp', 'udp', 'icmp', 'all', 'by_number'], default='tcp'),
|
protocol=dict(choices=['tcp', 'udp', 'icmp', 'all', 'by_number'], default='tcp'),
|
||||||
protocol_number=dict(type='int'),
|
protocol_number=dict(type='int'),
|
||||||
traffic_type=dict(choices=['ingress', 'egress'], aliases=['type'], default='ingress'),
|
traffic_type=dict(choices=['ingress', 'egress'], aliases=['type'], default='ingress'),
|
||||||
|
|
|
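Review bot: The create path passes the raw list to the API while the update path joins it: `'cidrlist': self.module.params.get('cidrs')` in the createNetworkACL args versus `'cidrlist': ",".join(self.module.params.get('cidrs'))` in the update args. Unless query_api serializes Python lists itself (not visible here), the create call sends a different wire form than the update call; using `",".join(...)` in both keeps the request shape identical and matches the comma-separated `cidrlist` string that get_result splits on. Because has_changed compares that joined string against the API's value, a user listing the same CIDRs in a different order than the API returns them would presumably be reported as changed on every run, which deserves a comment or an order-insensitive comparison if that is not intended. In get_result, the fallback in `network_acl_rule['cidrlist'].split(',') or [network_acl_rule['cidrlist']]` is unreachable since str.split never returns an empty list, so `self.result['cidrs'] = network_acl_rule['cidrlist'].split(',')` is sufficient. The enclosing methods in these hunks start outside the shown lines.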
@ -174,7 +174,9 @@
|
||||||
traffic_type: egress
|
traffic_type: egress
|
||||||
action_policy: deny
|
action_policy: deny
|
||||||
port: 81
|
port: 81
|
||||||
cidr: 0.0.0.0/0
|
cidrs:
|
||||||
|
- 1.2.3.0/24
|
||||||
|
- 3.2.1.0/24
|
||||||
zone: "{{ cs_common_zone_adv }}"
|
zone: "{{ cs_common_zone_adv }}"
|
||||||
register: acl_rule
|
register: acl_rule
|
||||||
check_mode: true
|
check_mode: true
|
||||||
|
@ -189,6 +191,7 @@
|
||||||
- acl_rule.end_port == 80
|
- acl_rule.end_port == 80
|
||||||
- acl_rule.action_policy == "allow"
|
- acl_rule.action_policy == "allow"
|
||||||
- acl_rule.cidr == "0.0.0.0/0"
|
- acl_rule.cidr == "0.0.0.0/0"
|
||||||
|
- acl_rule.cidrs == [ "0.0.0.0/0" ]
|
||||||
- acl_rule.traffic_type == "ingress"
|
- acl_rule.traffic_type == "ingress"
|
||||||
- acl_rule.rule_position == 1
|
- acl_rule.rule_position == 1
|
||||||
|
|
||||||
|
@ -201,7 +204,9 @@
|
||||||
action_policy: deny
|
action_policy: deny
|
||||||
port: 81
|
port: 81
|
||||||
protocol: udp
|
protocol: udp
|
||||||
cidr: 0.0.0.0/0
|
cidrs:
|
||||||
|
- 1.2.3.0/24
|
||||||
|
- 3.2.1.0/24
|
||||||
zone: "{{ cs_common_zone_adv }}"
|
zone: "{{ cs_common_zone_adv }}"
|
||||||
register: acl_rule
|
register: acl_rule
|
||||||
- name: verify test change network acl rule
|
- name: verify test change network acl rule
|
||||||
|
@ -214,7 +219,8 @@
|
||||||
- acl_rule.start_port == 81
|
- acl_rule.start_port == 81
|
||||||
- acl_rule.end_port == 81
|
- acl_rule.end_port == 81
|
||||||
- acl_rule.action_policy == "deny"
|
- acl_rule.action_policy == "deny"
|
||||||
- acl_rule.cidr == "0.0.0.0/0"
|
- acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
|
||||||
|
- acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
|
||||||
- acl_rule.traffic_type == "egress"
|
- acl_rule.traffic_type == "egress"
|
||||||
- acl_rule.protocol == "udp"
|
- acl_rule.protocol == "udp"
|
||||||
- acl_rule.rule_position == 1
|
- acl_rule.rule_position == 1
|
||||||
|
@ -228,7 +234,9 @@
|
||||||
action_policy: deny
|
action_policy: deny
|
||||||
port: 81
|
port: 81
|
||||||
protocol: udp
|
protocol: udp
|
||||||
cidr: 0.0.0.0/0
|
cidrs:
|
||||||
|
- 1.2.3.0/24
|
||||||
|
- 3.2.1.0/24
|
||||||
zone: "{{ cs_common_zone_adv }}"
|
zone: "{{ cs_common_zone_adv }}"
|
||||||
register: acl_rule
|
register: acl_rule
|
||||||
- name: verify test change network acl idempotence
|
- name: verify test change network acl idempotence
|
||||||
|
@ -241,7 +249,8 @@
|
||||||
- acl_rule.start_port == 81
|
- acl_rule.start_port == 81
|
||||||
- acl_rule.end_port == 81
|
- acl_rule.end_port == 81
|
||||||
- acl_rule.action_policy == "deny"
|
- acl_rule.action_policy == "deny"
|
||||||
- acl_rule.cidr == "0.0.0.0/0"
|
- acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
|
||||||
|
- acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]
|
||||||
- acl_rule.traffic_type == "egress"
|
- acl_rule.traffic_type == "egress"
|
||||||
- acl_rule.protocol == "udp"
|
- acl_rule.protocol == "udp"
|
||||||
- acl_rule.rule_position == 1
|
- acl_rule.rule_position == 1
|
||||||
|
@ -270,7 +279,7 @@
|
||||||
- acl_rule.start_port == 81
|
- acl_rule.start_port == 81
|
||||||
- acl_rule.end_port == 81
|
- acl_rule.end_port == 81
|
||||||
- acl_rule.action_policy == "deny"
|
- acl_rule.action_policy == "deny"
|
||||||
- acl_rule.cidr == "0.0.0.0/0"
|
- acl_rule.cidr == "1.2.3.0/24,3.2.1.0/24"
|
||||||
- acl_rule.traffic_type == "egress"
|
- acl_rule.traffic_type == "egress"
|
||||||
- acl_rule.protocol == "udp"
|
- acl_rule.protocol == "udp"
|
||||||
- acl_rule.rule_position == 1
|
- acl_rule.rule_position == 1
|
||||||
|
|
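Review bot: The last assertion hunk (`@ -270,7 +279,7 @@`) updates the `cidr` string check but does not add the list check that the two preceding verify tasks gained: `- acl_rule.cidrs == [ "1.2.3.0/24", "3.2.1.0/24" ]`. Adding the same line there keeps the three verify tasks consistent and covers the new `cidrs` return value on that path as well. The `cidr` alias declared in the module's argument spec is not exercised by any task here; one task using `cidr:` would confirm the alias still behaves like `cidrs`. The surrounding tasks start and end outside the shown hunks.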