Initial implementation of rax_clb_ssl.

lib/ansible/modules/extras/cloud/rackspace/rax_clb_ssl.py

@@ -0,0 +1,284 @@
+#!/usr/bin/python
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+# This is a DOCUMENTATION stub specific to this module, it extends
+# a documentation fragment located in ansible.utils.module_docs_fragments
+DOCUMENTATION='''
+module: rax_clb_ssl
+short_description: Manage SSL termination for a Rackspace Cloud Load Balancer.
+description:
+- Set up, reconfigure, or remove SSL termination for an existing load balancer.
+version_added: "1.8.2"
+options:
+  balancer_name:
+    description:
+    - Name or ID of the load balancer on which to manage SSL termination.
+    required: true
+  state:
+    description:
+    - If set to "present", SSL termination will be added to this load balancer.
+    - If "absent", SSL termination will be removed instead.
+    choices:
+      - present
+      - absent
+    default: present
+  enabled:
+    description:
+    - If set to "false", temporarily disable SSL termination without discarding
+    - existing credentials.
+    default: true
+  private_key:
+    description:
+    - The private SSL key as a string in PEM format.
+  certificate:
+    description:
+    - The public SSL certificates as a string in PEM format.
+  intermediate_certificate:
+    description:
+    - One or more intermediate certificate authorities as a string in PEM
+    - format, concatenated into a single string.
+  secure_port:
+    description:
+    - The port to listen for secure traffic.
+    default: 443
+  secure_traffic_only:
+    description:
+    - If "true", the load balancer will *only* accept secure traffic.
+    default: false
+  https_redirect:
+    description:
+    - If "true", the load balancer will redirect HTTP traffic to HTTPS.
+    - Requires "secure_traffic_only" to be true. Incurs an implicit wait if SSL
+    - termination is also applied or removed.
+  wait:
+    description:
+    - Wait for the balancer to be in state "running" before turning.
+    default: false
+  wait_timeout:
+    description:
+    - How long before "wait" gives up, in seconds.
+    default: 300
+author: Ash Wilson
+extends_documentation_fragment: rackspace
+'''
+
+EXAMPLES = '''
+- name: Enable SSL termination on a load balancer
+  rax_clb_ssl:
+    balancer_name: the_loadbalancer
+    state: present
+    private_key: "{{ lookup('file', 'credentials/server.key' ) }}"
+    certificate: "{{ lookup('file', 'credentials/server.crt' ) }}"
+    intermediate_certificate: "{{ lookup('file', 'credentials/trust-chain.crt') }}"
+    secure_traffic_only: true
+    wait: true
+
+- name: Disable SSL termination
+  rax_clb_ssl:
+    balancer_name: "{{ registered_lb.balancer.id }}"
+    state: absent
+    wait: true
+'''
+
+from ansible.module_utils.basic import *
+from ansible.module_utils.rax import *
+
+try:
+    import pyrax
+    HAS_PYRAX = True
+except ImportError:
+    HAS_PYRAX = False
+
+def cloud_load_balancer_ssl(module, balancer_name, state, enabled, private_key,
+                            certificate, intermediate_certificate, secure_port,
+                            secure_traffic_only, https_redirect,
+                            wait, wait_timeout):
+    # Validate arguments.
+
+    if not balancer_name:
+        module.fail_json(msg='balancer_name is required.')
+
+    if state == 'present':
+        if not private_key:
+            module.fail_json(msg="private_key must be provided.")
+        else:
+            private_key = private_key.strip()
+
+        if not certificate:
+            module.fail_json(msg="certificate must be provided.")
+        else:
+            certificate = certificate.strip()
+
+    if state not in ('present', 'absent'):
+        module.fail_json(msg="State must be either 'present' or 'absent'.")
+
+    attempts = wait_timeout / 5
+
+    # Locate the load balancer.
+
+    clb = pyrax.cloud_loadbalancers
+    if not clb:
+        module.fail_json(msg='Failed to instantiate client. This '
+                             'typically indicates an invalid region or an '
+                             'incorrectly capitalized region name.')
+
+    balancers = []
+    for balancer in clb.list():
+        if balancer_name == balancer.name or balancer_name == str(balancer.id):
+            balancers.append(balancer)
+
+    if not balancers:
+        module.fail_json(msg='No load balancers matched your criteria. '
+                             'Use rax_clb to create the balancer first.')
+
+    if len(balancers) > 1:
+        module.fail_json(msg="%d load balancers were matched your criteria. Try"
+                             "using the balancer's id instead." % len(balancers))
+
+    balancer = balancers[0]
+    existing_ssl = balancer.get_ssl_termination()
+
+    changed = False
+
+    if state == 'present':
+        # Apply or reconfigure SSL termination on the load balancer.
+        ssl_attrs = dict(
+            securePort=secure_port,
+            privatekey=private_key,
+            certificate=certificate,
+            intermediateCertificate=intermediate_certificate,
+            enabled=enabled,
+            secureTrafficOnly=secure_traffic_only
+        )
+
+        needs_change = False
+
+        if existing_ssl:
+            for ssl_attr, value in ssl_attrs.iteritems():
+                if ssl_attr == 'privatekey':
+                    # The private key is not included in get_ssl_termination's
+                    # output (as it shouldn't be). Also, if you're changing the
+                    # private key, you'll also be changing the certificate,
+                    # so we don't lose anything by not checking it.
+                    continue
+
+                if value is not None and existing_ssl.get(ssl_attr) != value:
+                    # module.fail_json(msg='Unnecessary change', attr=ssl_attr, value=value, existing=existing_ssl.get(ssl_attr))
+                    needs_change = True
+        else:
+            needs_change = True
+
+        if needs_change:
+            balancer.add_ssl_termination(**ssl_attrs)
+            changed = True
+    elif state == 'absent':
+        # Remove SSL termination if it's already configured.
+        if existing_ssl:
+            balancer.delete_ssl_termination()
+            changed = True
+
+    if https_redirect is not None and balancer.httpsRedirect != https_redirect:
+        if changed:
+            # This wait is unavoidable because load balancers are immutable
+            # while the SSL termination changes above are being applied.
+            pyrax.utils.wait_for_build(balancer, interval=5, attempts=attempts)
+
+        balancer.update(httpsRedirect=https_redirect)
+        changed = True
+
+    if changed and wait:
+        pyrax.utils.wait_for_build(balancer, interval=5, attempts=attempts)
+
+    balancer.get()
+    new_ssl_termination = balancer.get_ssl_termination()
+
+    # Intentionally omit the private key from the module output, so you don't
+    # accidentally echo it with `ansible-playbook -v` or `debug`, and the
+    # certificate, which is just long. Convert other attributes to snake_case
+    # and include https_redirect at the top-level.
+    if new_ssl_termination:
+        new_ssl = dict(
+            enabled=new_ssl_termination['enabled'],
+            secure_port=new_ssl_termination['securePort'],
+            secure_traffic_only=new_ssl_termination['secureTrafficOnly']
+        )
+    else:
+        new_ssl = None
+
+    result = dict(
+        changed=changed,
+        https_redirect=balancer.httpsRedirect,
+        ssl_termination=new_ssl
+    )
+    success = True
+
+    if balancer.status == 'ERROR':
+        result['msg'] = '%s failed to build' % balancer.id
+        success = False
+    elif wait and balancer.status not in ('ACTIVE', 'ERROR'):
+        result['msg'] = 'Timeout waiting on %s' % balancer.id
+        success = False
+
+    if success:
+        module.exit_json(**result)
+    else:
+        module.fail_json(**result)
+
+def main():
+    argument_spec = rax_argument_spec()
+    argument_spec.update(dict(
+        balancer_name=dict(type='str'),
+        state=dict(default='present', choices=['present', 'absent']),
+        enabled=dict(type='bool', default=True),
+        private_key=dict(),
+        certificate=dict(),
+        intermediate_certificate=dict(),
+        secure_port=dict(type='int', default=443),
+        secure_traffic_only=dict(type='bool', default=False),
+        https_redirect=dict(type='bool'),
+        wait=dict(type='bool', default=False),
+        wait_timeout=dict(type='int', default=300)
+    ))
+
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        required_together=rax_required_together(),
+    )
+
+    if not HAS_PYRAX:
+        module.fail_json(msg='pyrax is required for this module.')
+
+    balancer_name = module.params.get('balancer_name')
+    state = module.params.get('state')
+    enabled = module.boolean(module.params.get('enabled'))
+    private_key = module.params.get('private_key')
+    certificate = module.params.get('certificate')
+    intermediate_certificate = module.params.get('intermediate_certificate')
+    secure_port = module.params.get('secure_port')
+    secure_traffic_only = module.boolean(module.params.get('secure_traffic_only'))
+    https_redirect = module.boolean(module.params.get('https_redirect'))
+    wait = module.boolean(module.params.get('wait'))
+    wait_timeout = module.params.get('wait_timeout')
+
+    setup_rax_module(module, pyrax)
+
+    cloud_load_balancer_ssl(
+        module, balancer_name, state, enabled, private_key, certificate,
+        intermediate_certificate, secure_port, secure_traffic_only,
+        https_redirect, wait, wait_timeout
+    )
+
+main()