|
|
|
@ -72,11 +72,55 @@ options:
|
|
|
|
specified, this rule applies to connections through any port.
|
|
|
|
specified, this rule applies to connections through any port.
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
|
|
|
|
denied:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- The list of DENY rules specified by this firewall. Each rule specifies a protocol
|
|
|
|
|
|
|
|
and port-range tuple that describes a denied connection.
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
|
|
|
|
suboptions:
|
|
|
|
|
|
|
|
ip_protocol:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- The IP protocol to which this rule applies. The protocol type is required when creating
|
|
|
|
|
|
|
|
a firewall rule. This value can either be one of the following well known protocol
|
|
|
|
|
|
|
|
strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
|
|
|
|
|
|
|
|
required: true
|
|
|
|
|
|
|
|
ports:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- An optional list of ports to which this rule applies. This field is only applicable
|
|
|
|
|
|
|
|
for UDP or TCP protocol. Each entry must be either an integer or a range. If not
|
|
|
|
|
|
|
|
specified, this rule applies to connections through any port.
|
|
|
|
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
|
|
|
|
required: false
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- An optional description of this resource. Provide this property when you create
|
|
|
|
- An optional description of this resource. Provide this property when you create
|
|
|
|
the resource.
|
|
|
|
the resource.
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
|
|
|
|
destination_ranges:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- If destination ranges are specified, the firewall will apply only to traffic that
|
|
|
|
|
|
|
|
has destination IP address in these ranges. These ranges must be expressed in CIDR
|
|
|
|
|
|
|
|
format. Only IPv4 is supported.
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
|
|
|
|
direction:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- 'Direction of traffic to which this firewall applies; default is INGRESS. Note:
|
|
|
|
|
|
|
|
For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS
|
|
|
|
|
|
|
|
traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
|
|
|
|
choices: ['INGRESS', 'EGRESS']
|
|
|
|
|
|
|
|
disabled:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- Denotes whether the firewall rule is disabled, i.e not applied to the network it
|
|
|
|
|
|
|
|
is associated with. When set to true, the firewall rule is not enforced and the
|
|
|
|
|
|
|
|
network behaves as if it did not exist. If this is unspecified, the firewall rule
|
|
|
|
|
|
|
|
will be enabled.
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
type: bool
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
name:
|
|
|
|
name:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Name of the resource. Provided by the client when the resource is created. The name
|
|
|
|
- Name of the resource. Provided by the client when the resource is created. The name
|
|
|
|
@ -85,7 +129,7 @@ options:
|
|
|
|
which means the first character must be a lowercase letter, and all following characters
|
|
|
|
which means the first character must be a lowercase letter, and all following characters
|
|
|
|
must be a dash, lowercase letter, or digit, except the last character, which cannot
|
|
|
|
must be a dash, lowercase letter, or digit, except the last character, which cannot
|
|
|
|
be a dash.
|
|
|
|
be a dash.
|
|
|
|
required: false
|
|
|
|
required: true
|
|
|
|
network:
|
|
|
|
network:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- 'URL of the network resource for this firewall rule. If not specified when creating
|
|
|
|
- 'URL of the network resource for this firewall rule. If not specified when creating
|
|
|
|
@ -95,7 +139,22 @@ options:
|
|
|
|
U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
|
|
|
|
U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
|
|
|
|
networks/my-network projects/myproject/global/networks/my-network
|
|
|
|
networks/my-network projects/myproject/global/networks/my-network
|
|
|
|
global/networks/default .'
|
|
|
|
global/networks/default .'
|
|
|
|
|
|
|
|
- 'This field represents a link to a Network resource in GCP. It can be specified
|
|
|
|
|
|
|
|
in two ways. You can add `register: name-of-resource` to a gcp_compute_network task
|
|
|
|
|
|
|
|
and then set this network field to "{{ name-of-resource }}" Alternatively, you can
|
|
|
|
|
|
|
|
set this network to a dictionary with the selfLink key where the value is the selfLink
|
|
|
|
|
|
|
|
of your Network.'
|
|
|
|
|
|
|
|
required: true
|
|
|
|
|
|
|
|
priority:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- Priority for this rule. This is an integer between 0 and 65535, both inclusive.
|
|
|
|
|
|
|
|
When not specified, the value assumed is 1000. Relative priorities determine precedence
|
|
|
|
|
|
|
|
of conflicting rules. Lower value of priority implies higher precedence (eg, a rule
|
|
|
|
|
|
|
|
with priority 0 has higher precedence than a rule with priority 1). DENY rules take
|
|
|
|
|
|
|
|
precedence over ALLOW rules having equal priority.
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
|
|
|
|
default: 1000
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
source_ranges:
|
|
|
|
source_ranges:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If source ranges are specified, the firewall will apply only to traffic that has
|
|
|
|
- If source ranges are specified, the firewall will apply only to traffic that has
|
|
|
|
@ -105,6 +164,19 @@ options:
|
|
|
|
OR the source IP that belongs to a tag listed in the sourceTags property. The connection
|
|
|
|
OR the source IP that belongs to a tag listed in the sourceTags property. The connection
|
|
|
|
does not need to match both properties for the firewall to apply. Only IPv4 is supported.
|
|
|
|
does not need to match both properties for the firewall to apply. Only IPv4 is supported.
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
|
|
|
|
source_service_accounts:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- If source service accounts are specified, the firewall will apply only to traffic
|
|
|
|
|
|
|
|
originating from an instance with a service account in this list. Source service
|
|
|
|
|
|
|
|
accounts cannot be used to control traffic to an instance's external IP address
|
|
|
|
|
|
|
|
because service accounts are associated with an instance, not an IP address. sourceRanges
|
|
|
|
|
|
|
|
can be set at the same time as sourceServiceAccounts. If both are set, the firewall
|
|
|
|
|
|
|
|
will apply to traffic that has source IP address within sourceRanges OR the source
|
|
|
|
|
|
|
|
IP belongs to an instance with service account listed in sourceServiceAccount. The
|
|
|
|
|
|
|
|
connection does not need to match both properties for the firewall to apply. sourceServiceAccounts
|
|
|
|
|
|
|
|
cannot be used at the same time as sourceTags or targetTags.
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
source_tags:
|
|
|
|
source_tags:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If source tags are specified, the firewall will apply only to traffic with source
|
|
|
|
- If source tags are specified, the firewall will apply only to traffic with source
|
|
|
|
@ -116,6 +188,15 @@ options:
|
|
|
|
sourceTags property. The connection does not need to match both properties for the
|
|
|
|
sourceTags property. The connection does not need to match both properties for the
|
|
|
|
firewall to apply.
|
|
|
|
firewall to apply.
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
|
|
|
|
target_service_accounts:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- A list of service accounts indicating sets of instances located in the network that
|
|
|
|
|
|
|
|
may make network connections as specified in allowed[].
|
|
|
|
|
|
|
|
- targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
|
|
|
|
|
|
|
|
If neither targetServiceAccounts nor targetTags are specified, the firewall rule
|
|
|
|
|
|
|
|
applies to all instances on the specified network.
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
version_added: 2.8
|
|
|
|
target_tags:
|
|
|
|
target_tags:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- A list of instance tags indicating sets of instances located in the network that
|
|
|
|
- A list of instance tags indicating sets of instances located in the network that
|
|
|
|
@ -124,6 +205,9 @@ options:
|
|
|
|
specified network.
|
|
|
|
specified network.
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
extends_documentation_fragment: gcp
|
|
|
|
extends_documentation_fragment: gcp
|
|
|
|
|
|
|
|
notes:
|
|
|
|
|
|
|
|
- "API Reference: U(https://cloud.google.com/compute/docs/reference/latest/firewalls)"
|
|
|
|
|
|
|
|
- "Official Documentation: U(https://cloud.google.com/vpc/docs/firewalls)"
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
|
EXAMPLES = '''
|
|
|
|
EXAMPLES = '''
|
|
|
|
@ -140,7 +224,7 @@ EXAMPLES = '''
|
|
|
|
source_tags:
|
|
|
|
source_tags:
|
|
|
|
- test-ssh-clients
|
|
|
|
- test-ssh-clients
|
|
|
|
project: "test_project"
|
|
|
|
project: "test_project"
|
|
|
|
auth_kind: "service_account"
|
|
|
|
auth_kind: "serviceaccount"
|
|
|
|
service_account_file: "/tmp/auth.pem"
|
|
|
|
service_account_file: "/tmp/auth.pem"
|
|
|
|
state: present
|
|
|
|
state: present
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
@ -168,17 +252,61 @@ RETURN = '''
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: list
|
|
|
|
type: list
|
|
|
|
creation_timestamp:
|
|
|
|
creationTimestamp:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- Creation timestamp in RFC3339 text format.
|
|
|
|
- Creation timestamp in RFC3339 text format.
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: str
|
|
|
|
type: str
|
|
|
|
|
|
|
|
denied:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- The list of DENY rules specified by this firewall. Each rule specifies a protocol
|
|
|
|
|
|
|
|
and port-range tuple that describes a denied connection.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: complex
|
|
|
|
|
|
|
|
contains:
|
|
|
|
|
|
|
|
ip_protocol:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- The IP protocol to which this rule applies. The protocol type is required when creating
|
|
|
|
|
|
|
|
a firewall rule. This value can either be one of the following well known protocol
|
|
|
|
|
|
|
|
strings (tcp, udp, icmp, esp, ah, sctp), or the IP protocol number.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: str
|
|
|
|
|
|
|
|
ports:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- An optional list of ports to which this rule applies. This field is only applicable
|
|
|
|
|
|
|
|
for UDP or TCP protocol. Each entry must be either an integer or a range. If not
|
|
|
|
|
|
|
|
specified, this rule applies to connections through any port.
|
|
|
|
|
|
|
|
- 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: list
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- An optional description of this resource. Provide this property when you create
|
|
|
|
- An optional description of this resource. Provide this property when you create
|
|
|
|
the resource.
|
|
|
|
the resource.
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: str
|
|
|
|
type: str
|
|
|
|
|
|
|
|
destinationRanges:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- If destination ranges are specified, the firewall will apply only to traffic that
|
|
|
|
|
|
|
|
has destination IP address in these ranges. These ranges must be expressed in CIDR
|
|
|
|
|
|
|
|
format. Only IPv4 is supported.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: list
|
|
|
|
|
|
|
|
direction:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- 'Direction of traffic to which this firewall applies; default is INGRESS. Note:
|
|
|
|
|
|
|
|
For INGRESS traffic, it is NOT supported to specify destinationRanges; For EGRESS
|
|
|
|
|
|
|
|
traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: str
|
|
|
|
|
|
|
|
disabled:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- Denotes whether the firewall rule is disabled, i.e not applied to the network it
|
|
|
|
|
|
|
|
is associated with. When set to true, the firewall rule is not enforced and the
|
|
|
|
|
|
|
|
network behaves as if it did not exist. If this is unspecified, the firewall rule
|
|
|
|
|
|
|
|
will be enabled.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: bool
|
|
|
|
id:
|
|
|
|
id:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- The unique identifier for the resource.
|
|
|
|
- The unique identifier for the resource.
|
|
|
|
@ -204,8 +332,17 @@ RETURN = '''
|
|
|
|
networks/my-network projects/myproject/global/networks/my-network
|
|
|
|
networks/my-network projects/myproject/global/networks/my-network
|
|
|
|
global/networks/default .'
|
|
|
|
global/networks/default .'
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: str
|
|
|
|
type: dict
|
|
|
|
source_ranges:
|
|
|
|
priority:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- Priority for this rule. This is an integer between 0 and 65535, both inclusive.
|
|
|
|
|
|
|
|
When not specified, the value assumed is 1000. Relative priorities determine precedence
|
|
|
|
|
|
|
|
of conflicting rules. Lower value of priority implies higher precedence (eg, a rule
|
|
|
|
|
|
|
|
with priority 0 has higher precedence than a rule with priority 1). DENY rules take
|
|
|
|
|
|
|
|
precedence over ALLOW rules having equal priority.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: int
|
|
|
|
|
|
|
|
sourceRanges:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If source ranges are specified, the firewall will apply only to traffic that has
|
|
|
|
- If source ranges are specified, the firewall will apply only to traffic that has
|
|
|
|
source IP address in these ranges. These ranges must be expressed in CIDR format.
|
|
|
|
source IP address in these ranges. These ranges must be expressed in CIDR format.
|
|
|
|
@ -215,7 +352,20 @@ RETURN = '''
|
|
|
|
does not need to match both properties for the firewall to apply. Only IPv4 is supported.
|
|
|
|
does not need to match both properties for the firewall to apply. Only IPv4 is supported.
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: list
|
|
|
|
type: list
|
|
|
|
source_tags:
|
|
|
|
sourceServiceAccounts:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- If source service accounts are specified, the firewall will apply only to traffic
|
|
|
|
|
|
|
|
originating from an instance with a service account in this list. Source service
|
|
|
|
|
|
|
|
accounts cannot be used to control traffic to an instance's external IP address
|
|
|
|
|
|
|
|
because service accounts are associated with an instance, not an IP address. sourceRanges
|
|
|
|
|
|
|
|
can be set at the same time as sourceServiceAccounts. If both are set, the firewall
|
|
|
|
|
|
|
|
will apply to traffic that has source IP address within sourceRanges OR the source
|
|
|
|
|
|
|
|
IP belongs to an instance with service account listed in sourceServiceAccount. The
|
|
|
|
|
|
|
|
connection does not need to match both properties for the firewall to apply. sourceServiceAccounts
|
|
|
|
|
|
|
|
cannot be used at the same time as sourceTags or targetTags.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: list
|
|
|
|
|
|
|
|
sourceTags:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- If source tags are specified, the firewall will apply only to traffic with source
|
|
|
|
- If source tags are specified, the firewall will apply only to traffic with source
|
|
|
|
IP that belongs to a tag listed in source tags. Source tags cannot be used to control
|
|
|
|
IP that belongs to a tag listed in source tags. Source tags cannot be used to control
|
|
|
|
@ -227,7 +377,16 @@ RETURN = '''
|
|
|
|
firewall to apply.
|
|
|
|
firewall to apply.
|
|
|
|
returned: success
|
|
|
|
returned: success
|
|
|
|
type: list
|
|
|
|
type: list
|
|
|
|
target_tags:
|
|
|
|
targetServiceAccounts:
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- A list of service accounts indicating sets of instances located in the network that
|
|
|
|
|
|
|
|
may make network connections as specified in allowed[].
|
|
|
|
|
|
|
|
- targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
|
|
|
|
|
|
|
|
If neither targetServiceAccounts nor targetTags are specified, the firewall rule
|
|
|
|
|
|
|
|
applies to all instances on the specified network.
|
|
|
|
|
|
|
|
returned: success
|
|
|
|
|
|
|
|
type: list
|
|
|
|
|
|
|
|
targetTags:
|
|
|
|
description:
|
|
|
|
description:
|
|
|
|
- A list of instance tags indicating sets of instances located in the network that
|
|
|
|
- A list of instance tags indicating sets of instances located in the network that
|
|
|
|
may make network connections as specified in allowed[].
|
|
|
|
may make network connections as specified in allowed[].
|
|
|
|
@ -260,11 +419,21 @@ def main():
|
|
|
|
ip_protocol=dict(required=True, type='str'),
|
|
|
|
ip_protocol=dict(required=True, type='str'),
|
|
|
|
ports=dict(type='list', elements='str')
|
|
|
|
ports=dict(type='list', elements='str')
|
|
|
|
)),
|
|
|
|
)),
|
|
|
|
|
|
|
|
denied=dict(type='list', elements='dict', options=dict(
|
|
|
|
|
|
|
|
ip_protocol=dict(required=True, type='str'),
|
|
|
|
|
|
|
|
ports=dict(type='list', elements='str')
|
|
|
|
|
|
|
|
)),
|
|
|
|
description=dict(type='str'),
|
|
|
|
description=dict(type='str'),
|
|
|
|
name=dict(type='str'),
|
|
|
|
destination_ranges=dict(type='list', elements='str'),
|
|
|
|
network=dict(type='str'),
|
|
|
|
direction=dict(type='str', choices=['INGRESS', 'EGRESS']),
|
|
|
|
|
|
|
|
disabled=dict(type='bool'),
|
|
|
|
|
|
|
|
name=dict(required=True, type='str'),
|
|
|
|
|
|
|
|
network=dict(required=True, type='dict'),
|
|
|
|
|
|
|
|
priority=dict(default=1000, type='int'),
|
|
|
|
source_ranges=dict(type='list', elements='str'),
|
|
|
|
source_ranges=dict(type='list', elements='str'),
|
|
|
|
|
|
|
|
source_service_accounts=dict(type='list', elements='str'),
|
|
|
|
source_tags=dict(type='list', elements='str'),
|
|
|
|
source_tags=dict(type='list', elements='str'),
|
|
|
|
|
|
|
|
target_service_accounts=dict(type='list', elements='str'),
|
|
|
|
target_tags=dict(type='list', elements='str')
|
|
|
|
target_tags=dict(type='list', elements='str')
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
)
|
|
|
|
@ -281,7 +450,8 @@ def main():
|
|
|
|
if fetch:
|
|
|
|
if fetch:
|
|
|
|
if state == 'present':
|
|
|
|
if state == 'present':
|
|
|
|
if is_different(module, fetch):
|
|
|
|
if is_different(module, fetch):
|
|
|
|
fetch = update(module, self_link(module), kind)
|
|
|
|
update(module, self_link(module), kind)
|
|
|
|
|
|
|
|
fetch = fetch_resource(module, self_link(module), kind)
|
|
|
|
changed = True
|
|
|
|
changed = True
|
|
|
|
else:
|
|
|
|
else:
|
|
|
|
delete(module, self_link(module), kind)
|
|
|
|
delete(module, self_link(module), kind)
|
|
|
|
@ -306,7 +476,7 @@ def create(module, link, kind):
|
|
|
|
|
|
|
|
|
|
|
|
def update(module, link, kind):
|
|
|
|
def update(module, link, kind):
|
|
|
|
auth = GcpSession(module, 'compute')
|
|
|
|
auth = GcpSession(module, 'compute')
|
|
|
|
return wait_for_operation(module, auth.put(link, resource_to_request(module)))
|
|
|
|
return wait_for_operation(module, auth.patch(link, resource_to_request(module)))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def delete(module, link, kind):
|
|
|
|
def delete(module, link, kind):
|
|
|
|
@ -318,11 +488,18 @@ def resource_to_request(module):
|
|
|
|
request = {
|
|
|
|
request = {
|
|
|
|
u'kind': 'compute#firewall',
|
|
|
|
u'kind': 'compute#firewall',
|
|
|
|
u'allowed': FirewallAllowedArray(module.params.get('allowed', []), module).to_request(),
|
|
|
|
u'allowed': FirewallAllowedArray(module.params.get('allowed', []), module).to_request(),
|
|
|
|
|
|
|
|
u'denied': FirewallDeniedArray(module.params.get('denied', []), module).to_request(),
|
|
|
|
u'description': module.params.get('description'),
|
|
|
|
u'description': module.params.get('description'),
|
|
|
|
|
|
|
|
u'destinationRanges': module.params.get('destination_ranges'),
|
|
|
|
|
|
|
|
u'direction': module.params.get('direction'),
|
|
|
|
|
|
|
|
u'disabled': module.params.get('disabled'),
|
|
|
|
u'name': module.params.get('name'),
|
|
|
|
u'name': module.params.get('name'),
|
|
|
|
u'network': module.params.get('network'),
|
|
|
|
u'network': replace_resource_dict(module.params.get(u'network', {}), 'selfLink'),
|
|
|
|
|
|
|
|
u'priority': module.params.get('priority'),
|
|
|
|
u'sourceRanges': module.params.get('source_ranges'),
|
|
|
|
u'sourceRanges': module.params.get('source_ranges'),
|
|
|
|
|
|
|
|
u'sourceServiceAccounts': module.params.get('source_service_accounts'),
|
|
|
|
u'sourceTags': module.params.get('source_tags'),
|
|
|
|
u'sourceTags': module.params.get('source_tags'),
|
|
|
|
|
|
|
|
u'targetServiceAccounts': module.params.get('target_service_accounts'),
|
|
|
|
u'targetTags': module.params.get('target_tags')
|
|
|
|
u'targetTags': module.params.get('target_tags')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return_vals = {}
|
|
|
|
return_vals = {}
|
|
|
|
@ -333,9 +510,9 @@ def resource_to_request(module):
|
|
|
|
return return_vals
|
|
|
|
return return_vals
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def fetch_resource(module, link, kind):
|
|
|
|
def fetch_resource(module, link, kind, allow_not_found=True):
|
|
|
|
auth = GcpSession(module, 'compute')
|
|
|
|
auth = GcpSession(module, 'compute')
|
|
|
|
return return_if_object(module, auth.get(link), kind)
|
|
|
|
return return_if_object(module, auth.get(link), kind, allow_not_found)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def self_link(module):
|
|
|
|
def self_link(module):
|
|
|
|
@ -346,9 +523,9 @@ def collection(module):
|
|
|
|
return "https://www.googleapis.com/compute/v1/projects/{project}/global/firewalls".format(**module.params)
|
|
|
|
return "https://www.googleapis.com/compute/v1/projects/{project}/global/firewalls".format(**module.params)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def return_if_object(module, response, kind):
|
|
|
|
def return_if_object(module, response, kind, allow_not_found=False):
|
|
|
|
# If not found, return nothing.
|
|
|
|
# If not found, return nothing.
|
|
|
|
if response.status_code == 404:
|
|
|
|
if allow_not_found and response.status_code == 404:
|
|
|
|
return None
|
|
|
|
return None
|
|
|
|
|
|
|
|
|
|
|
|
# If no content, return nothing.
|
|
|
|
# If no content, return nothing.
|
|
|
|
@ -363,8 +540,6 @@ def return_if_object(module, response, kind):
|
|
|
|
|
|
|
|
|
|
|
|
if navigate_hash(result, ['error', 'errors']):
|
|
|
|
if navigate_hash(result, ['error', 'errors']):
|
|
|
|
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
|
|
|
|
module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
|
|
|
|
if result['kind'] != kind:
|
|
|
|
|
|
|
|
module.fail_json(msg="Incorrect result: {kind}".format(**result))
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
return result
|
|
|
|
return result
|
|
|
|
|
|
|
|
|
|
|
|
@ -393,12 +568,19 @@ def response_to_hash(module, response):
|
|
|
|
return {
|
|
|
|
return {
|
|
|
|
u'allowed': FirewallAllowedArray(response.get(u'allowed', []), module).from_response(),
|
|
|
|
u'allowed': FirewallAllowedArray(response.get(u'allowed', []), module).from_response(),
|
|
|
|
u'creationTimestamp': response.get(u'creationTimestamp'),
|
|
|
|
u'creationTimestamp': response.get(u'creationTimestamp'),
|
|
|
|
|
|
|
|
u'denied': FirewallDeniedArray(response.get(u'denied', []), module).from_response(),
|
|
|
|
u'description': response.get(u'description'),
|
|
|
|
u'description': response.get(u'description'),
|
|
|
|
|
|
|
|
u'destinationRanges': response.get(u'destinationRanges'),
|
|
|
|
|
|
|
|
u'direction': response.get(u'direction'),
|
|
|
|
|
|
|
|
u'disabled': response.get(u'disabled'),
|
|
|
|
u'id': response.get(u'id'),
|
|
|
|
u'id': response.get(u'id'),
|
|
|
|
u'name': response.get(u'name'),
|
|
|
|
u'name': module.params.get('name'),
|
|
|
|
u'network': response.get(u'network'),
|
|
|
|
u'network': response.get(u'network'),
|
|
|
|
|
|
|
|
u'priority': response.get(u'priority'),
|
|
|
|
u'sourceRanges': response.get(u'sourceRanges'),
|
|
|
|
u'sourceRanges': response.get(u'sourceRanges'),
|
|
|
|
|
|
|
|
u'sourceServiceAccounts': response.get(u'sourceServiceAccounts'),
|
|
|
|
u'sourceTags': response.get(u'sourceTags'),
|
|
|
|
u'sourceTags': response.get(u'sourceTags'),
|
|
|
|
|
|
|
|
u'targetServiceAccounts': response.get(u'targetServiceAccounts'),
|
|
|
|
u'targetTags': response.get(u'targetTags')
|
|
|
|
u'targetTags': response.get(u'targetTags')
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
|
|
@ -473,5 +655,38 @@ class FirewallAllowedArray(object):
|
|
|
|
})
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class FirewallDeniedArray(object):
|
|
|
|
|
|
|
|
def __init__(self, request, module):
|
|
|
|
|
|
|
|
self.module = module
|
|
|
|
|
|
|
|
if request:
|
|
|
|
|
|
|
|
self.request = request
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
self.request = []
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def to_request(self):
|
|
|
|
|
|
|
|
items = []
|
|
|
|
|
|
|
|
for item in self.request:
|
|
|
|
|
|
|
|
items.append(self._request_for_item(item))
|
|
|
|
|
|
|
|
return items
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def from_response(self):
|
|
|
|
|
|
|
|
items = []
|
|
|
|
|
|
|
|
for item in self.request:
|
|
|
|
|
|
|
|
items.append(self._response_from_item(item))
|
|
|
|
|
|
|
|
return items
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _request_for_item(self, item):
|
|
|
|
|
|
|
|
return remove_nones_from_dict({
|
|
|
|
|
|
|
|
u'IPProtocol': item.get('ip_protocol'),
|
|
|
|
|
|
|
|
u'ports': item.get('ports')
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
def _response_from_item(self, item):
|
|
|
|
|
|
|
|
return remove_nones_from_dict({
|
|
|
|
|
|
|
|
u'IPProtocol': item.get(u'ip_protocol'),
|
|
|
|
|
|
|
|
u'ports': item.get(u'ports')
|
|
|
|
|
|
|
|
})
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
if __name__ == '__main__':
|
|
|
|
main()
|
|
|
|
main()
|
|
|
|
|
Ryan Brown
6 years ago
committed by