039c770a95
Since https://github.com/ansible/ansible/pull/56733, we were not able to apply firewall rules with no `allowed_hosts` key. closes: #61332 In addition, this patch ensures the `allowed_hosts` key accepts a dict, instead of a dict in a single entry list. ```yaml vmware_host_firewall_manager: esxi_hostname: "{{ esxi1 }}" rules: - name: NFC enabled: True allowed_hosts: - all_ip: False ip_address: - "1.2.3.4" ``` Should be written: ```yaml vmware_host_firewall_manager: esxi_hostname: "{{ esxi1 }}" rules: - name: NFC enabled: True allowed_hosts: all_ip: False ip_address: - "1.2.3.4" ```
222 lines
9.3 KiB
YAML
222 lines
9.3 KiB
YAML
# Test code for the vmware_host_firewall_manager module.
|
|
# Copyright: (c) 2018, Abhijeet Kasurde <akasurde@redhat.com>
|
|
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
|
|
- when: vcsim is not defined
|
|
block:
|
|
- import_role:
|
|
name: prepare_vmware_tests
|
|
vars:
|
|
setup_attach_host: true
|
|
|
|
- name: Enable vvold rule set on all hosts of {{ ccr1 }}
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
cluster_name: "{{ ccr1 }}"
|
|
rules:
|
|
- name: vvold
|
|
enabled: True
|
|
register: all_hosts_result
|
|
- debug: msg="{{ all_hosts_result }}"
|
|
- name: ensure everything is changed for all hosts of {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_result.changed
|
|
- all_hosts_result.rule_set_state is defined
|
|
|
|
- name: ensure info are gathered for all hosts of {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_result.rule_set_state[item]['vvold']['current_state'] == True
|
|
- all_hosts_result.rule_set_state[item]['vvold']['desired_state'] == True
|
|
- all_hosts_result.rule_set_state[item]['vvold']['previous_state'] == False
|
|
with_items:
|
|
- '{{ esxi1 }}'
|
|
- '{{ esxi2 }}'
|
|
|
|
- name: Disable vvold for {{ host1 }}
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
esxi_hostname: '{{ esxi1 }}'
|
|
rules:
|
|
- name: vvold
|
|
enabled: False
|
|
register: host_result
|
|
- debug: msg="{{ host_result }}"
|
|
- name: ensure vvold is disabled for {{ host1 }}
|
|
assert:
|
|
that:
|
|
- host_result.changed
|
|
- host_result.rule_set_state is defined
|
|
|
|
- name: ensure info are gathered for {{ host1 }}
|
|
assert:
|
|
that:
|
|
- host_result.rule_set_state[item]['vvold']['current_state'] == False
|
|
- host_result.rule_set_state[item]['vvold']['desired_state'] == False
|
|
- host_result.rule_set_state[item]['vvold']['previous_state'] == True
|
|
with_items:
|
|
- '{{ esxi1 }}'
|
|
|
|
- name: Enable vvold rule set on all hosts of {{ ccr1 }} in check mode
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
cluster_name: "{{ ccr1 }}"
|
|
rules:
|
|
- name: vvold
|
|
enabled: True
|
|
register: all_hosts_result_check_mode
|
|
check_mode: yes
|
|
- debug: var=all_hosts_result_check_mode
|
|
- name: ensure everything is changed for all hosts of {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_result_check_mode.changed
|
|
- all_hosts_result_check_mode.rule_set_state is defined
|
|
|
|
- name: ensure info are gathered for all hosts of {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_result_check_mode.rule_set_state[esxi1]['vvold']['current_state'] == True
|
|
- all_hosts_result_check_mode.rule_set_state[esxi2]['vvold']['current_state'] == True
|
|
- all_hosts_result_check_mode.rule_set_state[esxi2]['vvold']['desired_state'] == True
|
|
|
|
- name: Disable vvold for {{ host1 }} in check mode
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
esxi_hostname: '{{ esxi1 }}'
|
|
rules:
|
|
- name: vvold
|
|
enabled: False
|
|
register: host_result_check_mode
|
|
check_mode: yes
|
|
- debug: msg="{{ host_result_check_mode }}"
|
|
- name: ensure vvold is disabled for {{ host1 }}
|
|
assert:
|
|
that:
|
|
- host_result_check_mode.changed == False
|
|
- host_result_check_mode.rule_set_state is defined
|
|
|
|
- name: ensure info are gathered for {{ host1 }}
|
|
assert:
|
|
that:
|
|
- host_result_check_mode.rule_set_state[item]['vvold']['current_state'] == False
|
|
- host_result_check_mode.rule_set_state[item]['vvold']['desired_state'] == False
|
|
- host_result_check_mode.rule_set_state[item]['vvold']['previous_state'] == False
|
|
with_items:
|
|
- '{{ esxi1 }}'
|
|
|
|
- name: Configure CIMHttpServer rule set on all hosts of {{ ccr1 }}
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
cluster_name: "{{ ccr1 }}"
|
|
rules:
|
|
- name: CIMHttpServer
|
|
enabled: True
|
|
allowed_hosts:
|
|
all_ip: False
|
|
ip_address:
|
|
- "192.168.100.11"
|
|
- "192.168.100.12"
|
|
ip_network:
|
|
- "192.168.200.0/24"
|
|
register: all_hosts_ip_specific
|
|
- debug: var=all_hosts_ip_specific
|
|
- name: ensure everything is changed for all hosts of {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_ip_specific.changed
|
|
- all_hosts_ip_specific.rule_set_state is defined
|
|
|
|
- name: ensure CIMHttpServer is configured for all hosts in {{ ccr1 }}
|
|
assert:
|
|
that:
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['current_state'] == True
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['desired_state'] == True
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['previous_state'] == True
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['current_allowed_all'] == False
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['previous_allowed_all'] == True
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['desired_allowed_all'] == False
|
|
- "'192.168.100.11' in all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['current_allowed_ip']"
|
|
- "'192.168.100.12' in all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['current_allowed_ip']"
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['previous_allowed_ip'] == []
|
|
- "'192.168.100.11' in all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['desired_allowed_ip']"
|
|
- "'192.168.100.12' in all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['desired_allowed_ip']"
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['current_allowed_networks'] == ["192.168.200.0/24"]
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['previous_allowed_networks'] == []
|
|
- all_hosts_ip_specific.rule_set_state[item]['CIMHttpServer']['allowed_hosts']['desired_allowed_networks'] == ["192.168.200.0/24"]
|
|
with_items:
|
|
- '{{ esxi1 }}'
|
|
- '{{ esxi2 }}'
|
|
|
|
- name: Configure the NFC firewall rule to only allow traffic from one IP on one ESXi host
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
esxi_hostname: "{{ esxi1 }}"
|
|
rules:
|
|
- name: NFC
|
|
enabled: True
|
|
allowed_hosts:
|
|
all_ip: False
|
|
ip_address:
|
|
- "192.168.100.11"
|
|
register: single_host_ip_specific
|
|
- set_fact:
|
|
nfc_state: "{{ single_host_ip_specific.rule_set_state[esxi1]['NFC'] }}"
|
|
- debug: var=single_host_ip_specific
|
|
- debug: var=nfc_state
|
|
- name: ensure NFC is configured on that host
|
|
assert:
|
|
that:
|
|
- nfc_state.current_state == true
|
|
- nfc_state.desired_state == true
|
|
- nfc_state.previous_state == true
|
|
- nfc_state.allowed_hosts.current_allowed_all == False
|
|
- nfc_state.allowed_hosts.previous_allowed_all == True
|
|
- nfc_state.allowed_hosts.desired_allowed_all == False
|
|
- nfc_state.allowed_hosts.current_allowed_ip == ["192.168.100.11"]
|
|
- nfc_state.allowed_hosts.previous_allowed_all == True
|
|
- nfc_state.allowed_hosts.desired_allowed_ip == ["192.168.100.11"]
|
|
- nfc_state.allowed_hosts.current_allowed_networks == []
|
|
- nfc_state.allowed_hosts.previous_allowed_networks == []
|
|
- nfc_state.allowed_hosts.desired_allowed_networks == []
|
|
|
|
- name: Ensure we can still pass the allowed_hosts configuration through a list for compat
|
|
vmware_host_firewall_manager:
|
|
hostname: "{{ vcenter_hostname }}"
|
|
username: "{{ vcenter_username }}"
|
|
password: "{{ vcenter_password }}"
|
|
validate_certs: no
|
|
esxi_hostname: "{{ esxi1 }}"
|
|
rules:
|
|
- name: NFC
|
|
enabled: True
|
|
allowed_hosts:
|
|
- all_ip: False
|
|
ip_address:
|
|
- "1.2.3.4"
|
|
register: using_list
|
|
- debug: var=using_list
|
|
- set_fact:
|
|
nfc_state: "{{ using_list.rule_set_state[esxi1]['NFC'] }}"
|
|
- name: ensure the correct host is set
|
|
assert:
|
|
that:
|
|
- nfc_state.allowed_hosts.current_allowed_ip == ["1.2.3.4"]
|