Add autopublish and autoinstallpolicy behaviour to Checkpoint devices (#50862)

* Add autopublish and autoinstallpolicy behaviour to Checkpoint devices

Up till now we published and installed policy package for every operation,
however operators may not want that and only reconcile changes after a series
of changes.
Added flags to toggle this behaviour, which defaults to autopublish and
autoinstall policy package just as it was till now.
The policy package name defaults to 'standard', since it's the default one
created on the Checkpoint management server on AWS, unsure if that's common
in other setups.

* Change signature for publish and install policy

The module object is not needed

* Fix pep8

* Fix install_policy invocation

Also fix payload in publish/discard, since it seems passing the UID
when it's not needed has issues.

* Add doc fragments

* Remove default value of targets on install_policy method

It's already defaulting to None via checkpoint_arg_spec

* Fix pep8

* Remove doc fragment and push down auto options to resource modules

I realized if I put those options as doc fragments they will show up
on facts module, which do not apply, only on resource modules that
mangle with objects.

* Fix bogus param name and validate modules issues

* Fix bogus param name on checkpoint_host
pull/50926/head
Ricardo Carrillo Cruz 6 years ago committed by GitHub
parent bca50b47ed
commit 077d6a63c1
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -27,10 +27,33 @@
#
def publish(module, connection):
connection.send_request('/web_api/publish', None)
checkpoint_argument_spec = dict(auto_publish_session=dict(type='bool', default=True),
policy_package=dict(type='str', default='standard'),
auto_install_policy=dict(type='bool', default=True),
targets=dict(type='list')
)
def install_policy(module, connection):
payload = {'policy-package': 'standard'}
def publish(connection, uid=None):
payload = None
if uid:
payload = {'uid': uid}
connection.send_request('/web_api/publish', payload)
def discard(connection, uid=None):
payload = None
if uid:
payload = {'uid': uid}
connection.send_request('/web_api/discard', payload)
def install_policy(connection, policy_package, targets):
payload = {'policy-package': policy_package,
'targets': targets}
connection.send_request('/web_api/install-policy', payload)

@ -71,6 +71,27 @@ options:
- State of the access rule (present or absent). Defaults to present.
type: str
default: present
auto_publish_session:
description:
- Publish the current session if changes have been performed
after task completes.
type: bool
default: 'yes'
auto_install_policy:
description:
- Install the package policy if changes have been performed
after the task completes.
type: bool
default: 'yes'
policy_package:
description:
- Package policy name to be installed.
type: bool
default: 'standard'
targets:
description:
- Targets to install the package policy on.
type: list
"""
EXAMPLES = """
@ -99,7 +120,7 @@ checkpoint_access_rules:
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.checkpoint.checkpoint import publish, install_policy
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec, publish, install_policy
import json
@ -195,6 +216,7 @@ def main():
enabled=dict(type='bool', default=True),
state=dict(type='str', default='present')
)
argument_spec.update(checkpoint_argument_spec)
required_if = [('state', 'present', ('layer', 'position'))]
module = AnsibleModule(argument_spec=argument_spec, required_if=required_if)
@ -206,28 +228,42 @@ def main():
if code == 200:
if needs_update(module, response):
code, response = update_access_rule(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
result['checkpoint_access_rules'] = response
else:
pass
elif code == 404:
code, response = create_access_rule(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
result['checkpoint_access_rules'] = response
else:
if code == 200:
# Handle deletion
code, response = delete_access_rule(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
elif code == 404:
pass
result['checkpoint_sid'] = connection.get_sid()
module.exit_json(**result)

@ -49,6 +49,27 @@ options:
- State of the access rule (present or absent). Defaults to present.
type: str
default: present
auto_publish_session:
description:
- Publish the current session if changes have been performed
after task completes.
type: bool
default: 'yes'
auto_install_policy:
description:
- Install the package policy if changes have been performed
after the task completes.
type: bool
default: 'yes'
policy_package:
description:
- Package policy name to be installed.
type: bool
default: 'standard'
targets:
description:
- Targets to install the package policy on.
type: list
"""
EXAMPLES = """
@ -73,7 +94,7 @@ checkpoint_hosts:
from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.connection import Connection
from ansible.module_utils.network.checkpoint.checkpoint import publish, install_policy
from ansible.module_utils.network.checkpoint.checkpoint import checkpoint_argument_spec, publish, install_policy
import json
@ -137,6 +158,7 @@ def main():
ip_address=dict(type='str'),
state=dict(type='str', default='present')
)
argument_spec.update(checkpoint_argument_spec)
required_if = [('state', 'present', 'ip_address')]
module = AnsibleModule(argument_spec=argument_spec)
@ -148,24 +170,39 @@ def main():
if code == 200:
if needs_update(module, response):
code, response = update_host(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
result['checkpoint_hosts'] = response
else:
pass
elif code == 404:
code, response = create_host(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
result['checkpoint_hosts'] = response
else:
if code == 200:
# Handle deletion
code, response = delete_host(module, connection)
publish(module, connection)
install_policy(module, connection)
if module.params['auto_publish_session']:
publish(connection)
if module.params['auto_install_policy']:
install_policy(connection, module.params['policy_package'], module.params['targets'])
result['changed'] = True
elif code == 404:
pass

@ -49,6 +49,9 @@ class HttpApi(HttpApiBase):
response, dummy = self.send_request(url, None)
def get_sid(self):
return self.connection._auth['X-chkp-sid']
def send_request(self, path, body_params):
data = json.dumps(body_params) if body_params else '{}'

Loading…
Cancel
Save