9e2ff3e4d5
* Updated Avi Modules with following 1. Support to perform patch operation using the modules. The data update method is selected using avi_api_update_method=patch and patch operation is determined by avi_api_patch_op. The patch data is the normal params that are provided in the modules 2. Support for avi_credentials as single authentication dictionary for all API calls. This is preferred way as opposed to previously all credentials details would pollute the individual Ansible tasks. It also allows the module development to be enhanced without breaking compatibility for new authentication schemes like SAML etc. 3. Support for sharing api_context between the module invocations. This is a workaround to not do multiple logins to Avi Controller and be able to re-use single login across multiple REST API calls. 4. Documentation update for new parameters and existing ones with Units data. * Fixed the pylint and pep8 errors caused due to pycharm editor auto formatting
216 lines
8.4 KiB
Python
216 lines
8.4 KiB
Python
#!/usr/bin/python
|
|
#
|
|
# Created on Aug 25, 2016
|
|
# @author: Gaurav Rastogi (grastogi@avinetworks.com)
|
|
# Eric Anderson (eanderson@avinetworks.com)
|
|
# module_check: supported
|
|
# Avi Version: 17.1.1
|
|
#
|
|
#
|
|
# This file is part of Ansible
|
|
#
|
|
# Ansible is free software: you can redistribute it and/or modify
|
|
# it under the terms of the GNU General Public License as published by
|
|
# the Free Software Foundation, either version 3 of the License, or
|
|
# (at your option) any later version.
|
|
#
|
|
# Ansible is distributed in the hope that it will be useful,
|
|
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
# GNU General Public License for more details.
|
|
#
|
|
# You should have received a copy of the GNU General Public License
|
|
# along with Ansible. If not, see <http://www.gnu.org/licenses/>.
|
|
#
|
|
|
|
ANSIBLE_METADATA = {'metadata_version': '1.1',
|
|
'status': ['preview'],
|
|
'supported_by': 'community'}
|
|
|
|
DOCUMENTATION = '''
|
|
---
|
|
module: avi_sslprofile
|
|
author: Gaurav Rastogi (grastogi@avinetworks.com)
|
|
|
|
short_description: Module for setup of SSLProfile Avi RESTful Object
|
|
description:
|
|
- This module is used to configure SSLProfile object
|
|
- more examples at U(https://github.com/avinetworks/devops)
|
|
requirements: [ avisdk ]
|
|
version_added: "2.3"
|
|
options:
|
|
state:
|
|
description:
|
|
- The state that should be applied on the entity.
|
|
default: present
|
|
choices: ["absent", "present"]
|
|
avi_api_update_method:
|
|
description:
|
|
- Default method for object update is HTTP PUT.
|
|
- Setting to patch will override that behavior to use HTTP PATCH.
|
|
version_added: "2.5"
|
|
default: put
|
|
choices: ["put", "patch"]
|
|
avi_api_patch_op:
|
|
description:
|
|
- Patch operation to use when using avi_api_update_method as patch.
|
|
version_added: "2.5"
|
|
choices: ["add", "replace", "delete"]
|
|
accepted_ciphers:
|
|
description:
|
|
- Ciphers suites represented as defined by U(http://www.openssl.org/docs/apps/ciphers.html).
|
|
- Default value when not specified in API or module is interpreted by Avi Controller as AES:3DES:RC4.
|
|
accepted_versions:
|
|
description:
|
|
- Set of versions accepted by the server.
|
|
cipher_enums:
|
|
description:
|
|
- Enum options - tls_ecdhe_ecdsa_with_aes_128_gcm_sha256, tls_ecdhe_ecdsa_with_aes_256_gcm_sha384, tls_ecdhe_rsa_with_aes_128_gcm_sha256,
|
|
- tls_ecdhe_rsa_with_aes_256_gcm_sha384, tls_ecdhe_ecdsa_with_aes_128_cbc_sha256, tls_ecdhe_ecdsa_with_aes_256_cbc_sha384,
|
|
- tls_ecdhe_rsa_with_aes_128_cbc_sha256, tls_ecdhe_rsa_with_aes_256_cbc_sha384, tls_rsa_with_aes_128_gcm_sha256, tls_rsa_with_aes_256_gcm_sha384,
|
|
- tls_rsa_with_aes_128_cbc_sha256, tls_rsa_with_aes_256_cbc_sha256, tls_ecdhe_ecdsa_with_aes_128_cbc_sha, tls_ecdhe_ecdsa_with_aes_256_cbc_sha,
|
|
- tls_ecdhe_rsa_with_aes_128_cbc_sha, tls_ecdhe_rsa_with_aes_256_cbc_sha, tls_rsa_with_aes_128_cbc_sha, tls_rsa_with_aes_256_cbc_sha,
|
|
- tls_rsa_with_3des_ede_cbc_sha, tls_rsa_with_rc4_128_sha.
|
|
description:
|
|
description:
|
|
- User defined description for the object.
|
|
dhparam:
|
|
description:
|
|
- Dh parameters used in ssl.
|
|
- At this time, it is not configurable and is set to 2048 bits.
|
|
enable_ssl_session_reuse:
|
|
description:
|
|
- Enable ssl session re-use.
|
|
- Default value when not specified in API or module is interpreted by Avi Controller as True.
|
|
name:
|
|
description:
|
|
- Name of the object.
|
|
required: true
|
|
prefer_client_cipher_ordering:
|
|
description:
|
|
- Prefer the ssl cipher ordering presented by the client during the ssl handshake over the one specified in the ssl profile.
|
|
- Default value when not specified in API or module is interpreted by Avi Controller as False.
|
|
send_close_notify:
|
|
description:
|
|
- Send 'close notify' alert message for a clean shutdown of the ssl connection.
|
|
- Default value when not specified in API or module is interpreted by Avi Controller as True.
|
|
ssl_rating:
|
|
description:
|
|
- Sslrating settings for sslprofile.
|
|
ssl_session_timeout:
|
|
description:
|
|
- The amount of time before an ssl session expires.
|
|
- Default value when not specified in API or module is interpreted by Avi Controller as 86400.
|
|
- Units(SEC).
|
|
tags:
|
|
description:
|
|
- List of tag.
|
|
tenant_ref:
|
|
description:
|
|
- It is a reference to an object of type tenant.
|
|
url:
|
|
description:
|
|
- Avi controller URL of the object.
|
|
uuid:
|
|
description:
|
|
- Unique object identifier of the object.
|
|
extends_documentation_fragment:
|
|
- avi
|
|
'''
|
|
|
|
EXAMPLES = """
|
|
- name: Create SSL profile with list of allowed ciphers
|
|
avi_sslprofile:
|
|
controller: '{{ controller }}'
|
|
username: '{{ username }}'
|
|
password: '{{ password }}'
|
|
accepted_ciphers: >
|
|
ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA:
|
|
ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-ECDSA-AES256-SHA384:
|
|
AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:
|
|
AES256-SHA:DES-CBC3-SHA:ECDHE-RSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:
|
|
ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-SHA
|
|
accepted_versions:
|
|
- type: SSL_VERSION_TLS1
|
|
- type: SSL_VERSION_TLS1_1
|
|
- type: SSL_VERSION_TLS1_2
|
|
cipher_enums:
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_ECDSA_WITH_AES_128_CBC_SHA256
|
|
- TLS_ECDHE_ECDSA_WITH_AES_256_CBC_SHA384
|
|
- TLS_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_RSA_WITH_AES_128_CBC_SHA256
|
|
- TLS_RSA_WITH_AES_256_CBC_SHA256
|
|
- TLS_RSA_WITH_AES_128_CBC_SHA
|
|
- TLS_RSA_WITH_AES_256_CBC_SHA
|
|
- TLS_RSA_WITH_3DES_EDE_CBC_SHA
|
|
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA
|
|
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA384
|
|
- TLS_ECDHE_RSA_WITH_AES_128_CBC_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
|
|
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
|
|
- TLS_ECDHE_RSA_WITH_AES_256_CBC_SHA
|
|
name: PFS-BOTH-RSA-EC
|
|
send_close_notify: true
|
|
ssl_rating:
|
|
compatibility_rating: SSL_SCORE_EXCELLENT
|
|
performance_rating: SSL_SCORE_EXCELLENT
|
|
security_score: '100.0'
|
|
tenant_ref: Demo
|
|
"""
|
|
|
|
RETURN = '''
|
|
obj:
|
|
description: SSLProfile (api/sslprofile) object
|
|
returned: success, changed
|
|
type: dict
|
|
'''
|
|
|
|
from ansible.module_utils.basic import AnsibleModule
|
|
try:
|
|
from ansible.module_utils.network.avi.avi import (
|
|
avi_common_argument_spec, HAS_AVI, avi_ansible_api)
|
|
except ImportError:
|
|
HAS_AVI = False
|
|
|
|
|
|
def main():
|
|
argument_specs = dict(
|
|
state=dict(default='present',
|
|
choices=['absent', 'present']),
|
|
avi_api_update_method=dict(default='put',
|
|
choices=['put', 'patch']),
|
|
avi_api_patch_op=dict(choices=['add', 'replace', 'delete']),
|
|
accepted_ciphers=dict(type='str',),
|
|
accepted_versions=dict(type='list',),
|
|
cipher_enums=dict(type='list',),
|
|
description=dict(type='str',),
|
|
dhparam=dict(type='str',),
|
|
enable_ssl_session_reuse=dict(type='bool',),
|
|
name=dict(type='str', required=True),
|
|
prefer_client_cipher_ordering=dict(type='bool',),
|
|
send_close_notify=dict(type='bool',),
|
|
ssl_rating=dict(type='dict',),
|
|
ssl_session_timeout=dict(type='int',),
|
|
tags=dict(type='list',),
|
|
tenant_ref=dict(type='str',),
|
|
url=dict(type='str',),
|
|
uuid=dict(type='str',),
|
|
)
|
|
argument_specs.update(avi_common_argument_spec())
|
|
module = AnsibleModule(
|
|
argument_spec=argument_specs, supports_check_mode=True)
|
|
if not HAS_AVI:
|
|
return module.fail_json(msg=(
|
|
'Avi python API SDK (avisdk>=17.1) is not installed. '
|
|
'For more details visit https://github.com/avinetworks/sdk.'))
|
|
return avi_ansible_api(module, 'sslprofile',
|
|
set([]))
|
|
|
|
if __name__ == '__main__':
|
|
main()
|