mirror of https://github.com/ansible/ansible.git
Add OpenStack Security Group support
Two modules - one for security groups and one to manage rules in a security group.pull/18777/head
parent
ecae3403af
commit
234a6c93c7
@ -0,0 +1,113 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# Copyright (c) 2015 Hewlett-Packard Development Company, L.P.
|
||||
# Copyright (c) 2013, Benno Joy <benno@ansible.com>
|
||||
#
|
||||
# This module is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This software is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this software. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
try:
|
||||
import shade
|
||||
except ImportError:
|
||||
print("failed=True msg='shade is required for this module'")
|
||||
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: os_security_group
|
||||
short_description: Add/Delete security groups from an OpenStack cloud.
|
||||
extends_documentation_fragment: openstack
|
||||
version_added: "2.0"
|
||||
description:
|
||||
- Add or Remove security groups from an OpenStack cloud.
|
||||
options:
|
||||
name:
|
||||
description:
|
||||
- Name that has to be given to the security group
|
||||
required: true
|
||||
description:
|
||||
description:
|
||||
- Long description of the purpose of the security group
|
||||
required: false
|
||||
default: None
|
||||
state:
|
||||
description:
|
||||
- Should the resource be present or absent.
|
||||
choices: [present, absent]
|
||||
default: present
|
||||
|
||||
requirements: ["shade"]
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
# Create a security group
|
||||
- os_security_group: cloud=mordred name=foo
|
||||
description=security group for foo servers
|
||||
'''
|
||||
|
||||
|
||||
def _security_group(module, nova_client, action='create', **kwargs):
|
||||
f = getattr(nova_client.security_groups, action)
|
||||
try:
|
||||
secgroup = f(**kwargs)
|
||||
except Exception, e:
|
||||
module.fail_json(msg='Failed to %s security group %s: %s' %
|
||||
(action, module.params['name'], e.message))
|
||||
|
||||
|
||||
def main():
|
||||
|
||||
argument_spec = openstack_full_argument_spec(
|
||||
name = dict(required=True),
|
||||
description = dict(default=None),
|
||||
state = dict(default='present', choices=['absent', 'present']),
|
||||
)
|
||||
module_kwargs = openstack_module_kwargs()
|
||||
module = AnsibleModule(argument_spec, **module_kwargs)
|
||||
|
||||
try:
|
||||
cloud = shade.openstack_cloud(**module.params)
|
||||
nova_client = cloud.nova_client
|
||||
changed = False
|
||||
secgroup = cloud.get_security_group(module.params['name'])
|
||||
|
||||
if module.params['state'] == 'present':
|
||||
secgroup = cloud.get_security_group(module.params['name'])
|
||||
if not secgroup:
|
||||
_security_group(module, nova_client, action='create',
|
||||
name=module.params['name'],
|
||||
description=module.params['description'])
|
||||
changed = True
|
||||
|
||||
if secgroup and secgroup.description != module.params['description']:
|
||||
_security_group(module, nova_client, action='update',
|
||||
group=secgroup.id,
|
||||
name=module.params['name'],
|
||||
description=module.params['description'])
|
||||
changed = True
|
||||
|
||||
if module.params['state'] == 'absent':
|
||||
if secgroup:
|
||||
_security_group(module, nova_client, action='delete',
|
||||
group=secgroup.id)
|
||||
changed = True
|
||||
|
||||
module.exit_json(changed=changed, id=module.params['name'], result="success")
|
||||
|
||||
except shade.OpenStackCloudException as e:
|
||||
module.fail_json(msg=e.message)
|
||||
|
||||
# this is magic, see lib/ansible/module_common.py
|
||||
from ansible.module_utils.basic import *
|
||||
from ansible.module_utils.openstack import *
|
||||
main()
|
@ -0,0 +1,156 @@
|
||||
#!/usr/bin/python
|
||||
|
||||
# Copyright (c) 2015 Hewlett-Packard Development Company, L.P.
|
||||
# Copyright (c) 2013, Benno Joy <benno@ansible.com>
|
||||
#
|
||||
# This module is free software: you can redistribute it and/or modify
|
||||
# it under the terms of the GNU General Public License as published by
|
||||
# the Free Software Foundation, either version 3 of the License, or
|
||||
# (at your option) any later version.
|
||||
#
|
||||
# This software is distributed in the hope that it will be useful,
|
||||
# but WITHOUT ANY WARRANTY; without even the implied warranty of
|
||||
# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
||||
# GNU General Public License for more details.
|
||||
#
|
||||
# You should have received a copy of the GNU General Public License
|
||||
# along with this software. If not, see <http://www.gnu.org/licenses/>.
|
||||
|
||||
try:
|
||||
import shade
|
||||
except ImportError:
|
||||
print("failed=True msg='shade is required for this module'")
|
||||
|
||||
|
||||
DOCUMENTATION = '''
|
||||
---
|
||||
module: os_security_group_rule
|
||||
short_description: Add/Delete rule from an existing security group
|
||||
extends_documentation_fragment: openstack
|
||||
version_added: "2.0"
|
||||
description:
|
||||
- Add or Remove rule from an existing security group
|
||||
options:
|
||||
security_group:
|
||||
description:
|
||||
- Name of the security group
|
||||
required: true
|
||||
protocol:
|
||||
description:
|
||||
- IP protocol
|
||||
choices: ['tcp', 'udp', 'icmp']
|
||||
default: tcp
|
||||
port_range_min:
|
||||
description:
|
||||
- Starting port
|
||||
required: true
|
||||
port_range_max:
|
||||
description:
|
||||
- Ending port
|
||||
required: true
|
||||
remote_ip_prefix:
|
||||
description:
|
||||
- Source IP address(es) in CIDR notation (exclusive with remote_group)
|
||||
required: false
|
||||
remote_group:
|
||||
description:
|
||||
- ID of Security group to link (exclusive with remote_ip_prefix)
|
||||
required: false
|
||||
state:
|
||||
description:
|
||||
- Should the resource be present or absent.
|
||||
choices: [present, absent]
|
||||
default: present
|
||||
|
||||
requirements: ["shade"]
|
||||
'''
|
||||
# TODO(mordred): add ethertype and direction
|
||||
|
||||
EXAMPLES = '''
|
||||
# Create a security group rule
|
||||
- os_security_group_rule:
|
||||
cloud: mordred
|
||||
security_group: foo
|
||||
protocol: tcp
|
||||
port_range_min: 80
|
||||
port_range_max: 80
|
||||
remote_ip_prefix: 0.0.0.0/0
|
||||
'''
|
||||
|
||||
|
||||
def _security_group_rule(module, nova_client, action='create', **kwargs):
|
||||
f = getattr(nova_client.security_group_rules, action)
|
||||
try:
|
||||
secgroup = f(**kwargs)
|
||||
except Exception, e:
|
||||
module.fail_json(msg='Failed to %s security group rule: %s' %
|
||||
(action, e.message))
|
||||
|
||||
|
||||
def _get_rule_from_group(module, secgroup):
|
||||
for rule in secgroup.rules:
|
||||
if (rule['ip_protocol'] == module.params['protocol'] and
|
||||
rule['from_port'] == module.params['port_range_min'] and
|
||||
rule['to_port'] == module.params['port_range_max'] and
|
||||
rule['ip_range']['cidr'] == module.params['remote_ip_prefix']):
|
||||
return rule
|
||||
return None
|
||||
|
||||
def main():
|
||||
|
||||
argument_spec = openstack_full_argument_spec(
|
||||
security_group = dict(required=True),
|
||||
protocol = dict(default='tcp', choices=['tcp', 'udp', 'icmp']),
|
||||
port_range_min = dict(required=True),
|
||||
port_range_max = dict(required=True),
|
||||
remote_ip_prefix = dict(required=False, default=None),
|
||||
# TODO(mordred): Make remote_group handle name and id
|
||||
remote_group = dict(required=False, default=None),
|
||||
state = dict(default='present', choices=['absent', 'present']),
|
||||
)
|
||||
module_kwargs = openstack_module_kwargs(
|
||||
mutually_exclusive=[
|
||||
['remote_ip_prefix', 'remote_group'],
|
||||
],
|
||||
)
|
||||
module = AnsibleModule(argument_spec, **module_kwargs)
|
||||
|
||||
try:
|
||||
cloud = shade.openstack_cloud(**module.params)
|
||||
nova_client = cloud.nova_client
|
||||
changed = False
|
||||
|
||||
secgroup = cloud.get_security_group(module.params['security_group'])
|
||||
|
||||
if module.params['state'] == 'present':
|
||||
if not secgroup:
|
||||
module.fail_json(msg='Could not find security group %s' %
|
||||
module.params['security_group'])
|
||||
|
||||
if not _get_rule_from_group(module, secgroup):
|
||||
_security_group_rule(module, nova_client, 'create',
|
||||
parent_group_id=secgroup.id,
|
||||
ip_protocol=module.params['protocol'],
|
||||
from_port=module.params['port_range_min'],
|
||||
to_port=module.params['port_range_max'],
|
||||
cidr=module.params['remote_ip'],
|
||||
group_id=module.params['remote_group'],
|
||||
changed = True
|
||||
|
||||
|
||||
if module.params['state'] == 'absent' and secgroup:
|
||||
rule = _get_rule_from_group(module, secgroup)
|
||||
if secgroup and rule:
|
||||
_security_group_rule(module, nova_client, 'delete',
|
||||
rule=rule['id'])
|
||||
changed = True
|
||||
|
||||
module.exit_json(changed=changed, result="success")
|
||||
|
||||
except shade.OpenStackCloudException as e:
|
||||
module.fail_json(msg=e.message)
|
||||
|
||||
# this is magic, see lib/ansible/module_common.py
|
||||
from ansible.module_utils.basic import *
|
||||
from ansible.module_utils.openstack import *
|
||||
main()
|
Loading…
Reference in New Issue