archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

cs_network: implement support acl (#35706)

Browse Source
pull/35741/head
René Moser 7 years ago committed by GitHub
parent 02b28d4584
commit 588cd749ac
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23
5 changed files with 414 additions and 6 deletions
Show Stats Download Patch File Download Diff File

114
lib/ansible/modules/cloud/cloudstack/cs_network.py
Unescape Escape View File

@ -85,10 +85,14 @@ options:
type: bool
acl_type:
description:
- Access control type.
- Access control type for the VPC network tier.
- Only considered on create.
default: account
choices: [ account, domain ]
acl:
description:
- The name of the access control list for the VPC network tier.
version_added: "2.5"
subdomain_access:
description:
- Defines whether to allow subdomains to use networks dedicated to their parent domain(s).
@ -134,6 +138,17 @@ EXAMPLES = '''
network_offering: DefaultIsolatedNetworkOfferingWithSourceNatService
network_domain: example.com
- name: Create a VPC tier
local_action:
module: cs_network
name: my VPC tier 1
zone: gva-01
vpc: my VPC
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
acl: my web acl
- name: Update a network
local_action:
module: cs_network
@ -233,10 +248,22 @@ tags:
type: dict
sample: '[ { "key": "foo", "value": "bar" } ]'
acl_type:
description: Access type of the network (Domain, Account).
description: Access type of the VPC network tier (Domain, Account).
returned: success
type: string
sample: Account
acl:
description: Name of the access control list for the VPC network tier.
returned: success
type: string
sample: My ACL
version_added: "2.5"
acl_id:
description: ID of the access control list for the VPC network tier.
returned: success
type: string
sample: dfafcd55-0510-4b8c-b6c5-b8cedb4cfd88
version_added: "2.5"
broadcast_domain_type:
description: Broadcast domain type of the network.
returned: success
@ -272,6 +299,30 @@ network_offering:
returned: success
type: string
sample: DefaultIsolatedNetworkOfferingWithSourceNatService
network_offering_display_text:
description: The network offering display text.
returned: success
type: string
sample: Offering for Isolated Vpc networks with Source Nat service enabled
version_added: "2.5"
network_offering_conserve_mode:
description: Whether the network offering has IP conserve mode enabled or not.
returned: success
type: bool
sample: false
version_added: "2.5"
network_offering_availability:
description: The availability of the network offering the network is created from
returned: success
type: string
sample: Optional
version_added: "2.5"
is_system:
description: Whether the network is system related or not.
returned: success
type: bool
sample: false
version_added: "2.5"
'''
from ansible.module_utils.basic import AnsibleModule
@ -287,8 +338,13 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
def __init__(self, module):
super(AnsibleCloudStackNetwork, self).__init__(module)
self.returns = {
'networkdomain': 'network domain',
'networkdomain': 'network_domain',
'networkofferingname': 'network_offering',
'networkofferingdisplaytext': 'network_offering_display_text',
'networkofferingconservemode': 'network_offering_conserve_mode',
'networkofferingavailability': 'network_offering_availability',
'aclid': 'acl_id',
'issystem': 'is_system',
'ispersistent': 'is_persistent',
'acltype': 'acl_type',
'type': 'type',
@ -304,6 +360,26 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
}
self.network = None
def get_network_acl(self, key=None, acl_id=None):
if acl_id is not None:
args = {
'id': acl_id,
'vpcid': self.get_vpc(key='id'),
}
else:
acl_name = self.module.params.get('acl')
if not acl_name:
return
args = {
'name': acl_name,
'vpcid': self.get_vpc(key='id'),
}
network_acls = self.query_api('listNetworkACLLists', **args)
if network_acls:
acl = network_acls['networkacllist'][0]
return self._get_by_key(key, acl)
def get_network_offering(self, key=None):
network_offering = self.module.params.get('network_offering')
if not network_offering:
@ -329,24 +405,29 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
}
return args
def get_network(self):
if not self.network:
def get_network(self, refresh=False):
if not self.network or refresh:
network = self.module.params.get('name')
args = {
'zoneid': self.get_zone(key='id'),
'projectid': self.get_project(key='id'),
'account': self.get_account(key='name'),
'domainid': self.get_domain(key='id')
'domainid': self.get_domain(key='id'),
'vpcid': self.get_vpc(key='id'),
}
networks = self.query_api('listNetworks', **args)
if networks:
for n in networks['network']:
if network in [n['name'], n['displaytext'], n['id']]:
self.network = n
self.network['acl'] = self.get_network_acl(key='name', acl_id=n.get('aclid'))
break
return self.network
def present_network(self):
if self.module.params.get('acl') is not None and self.module.params.get('vpc') is None:
self.module.fail_json(msg="Missing required params: vpc")
network = self.get_network()
if not network:
network = self.create_network(network)
@ -366,6 +447,19 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
poll_async = self.module.params.get('poll_async')
if network and poll_async:
network = self.poll_job(network, 'network')
# Skip ACL check if the network is not a VPC tier
if network.get('aclid') != self.get_network_acl(key='id'):
self.result['changed'] = True
if not self.module.check_mode:
args = {
'aclid': self.get_network_acl(key='id'),
'networkid': network['id'],
}
network = self.query_api('replaceNetworkACLList', **args)
if self.module.params.get('poll_async'):
self.poll_job(network, 'networkacllist')
network = self.get_network(refresh=True)
return network
def create_network(self, network):
@ -374,6 +468,7 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
args = self._get_args()
args.update({
'acltype': self.module.params.get('acl_type'),
'aclid': self.get_network_acl(key='id'),
'zoneid': self.get_zone(key='id'),
'projectid': self.get_project(key='id'),
'account': self.get_account(key='name'),
@ -438,6 +533,12 @@ class AnsibleCloudStackNetwork(AnsibleCloudStack):
self.poll_job(res, 'network')
return network
def get_result(self, network):
super(AnsibleCloudStackNetwork, self).get_result(network)
if network:
self.result['acl'] = self.get_network_acl(key='name', acl_id=network.get('aclid'))
return self.result
def main():
argument_spec = cs_argument_spec()
@ -461,6 +562,7 @@ def main():
network_domain=dict(),
subdomain_access=dict(type='bool'),
state=dict(choices=['present', 'absent', 'restarted'], default='present'),
acl=dict(),
acl_type=dict(choices=['account', 'domain']),
project=dict(),
domain=dict(),

2
test/integration/targets/cs_network/aliases
Unescape Escape View File

@ -0,0 +1,2 @@
cloud/cs
posix/ci/cloud/group1/cs

3
test/integration/targets/cs_network/meta/main.yml
Unescape Escape View File

@ -0,0 +1,3 @@
---
dependencies:
- cs_common

3
test/integration/targets/cs_network/tasks/main.yml
Unescape Escape View File

@ -0,0 +1,3 @@
---
- include_tasks: vpc_network_tier.yml

298
test/integration/targets/cs_network/tasks/vpc_network_tier.yml
Unescape Escape View File

@ -0,0 +1,298 @@
---
- name: setup cleanup vpc network tier
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
vpc: vpc_network_test
state: absent
ignore_errors: yes
- name: setup cleanup existing vpc
cs_vpc:
name: vpc_network_test
zone: "{{ cs_common_zone_adv }}"
state: absent
register: vpc
- name: verify cleanup existing vpc
assert:
that:
- vpc is successful
- name: setup vpc
cs_vpc:
name: vpc_network_test
cidr: 10.43.0.0/16
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
register: vpc
- name: verify setup vpc
assert:
that:
- vpc is successful
- name: setup network acl
cs_network_acl:
name: my_network_acl1
vpc: vpc_network_test
zone: "{{ cs_common_zone_adv }}"
register: acl
- name: verify setup network acl
assert:
that:
- acl is successful
- name: setup network acl rule
cs_network_acl_rule:
network_acl: my_network_acl1
rule_position: 1
vpc: vpc_network_test
traffic_type: ingress
action_policy: allow
port: 80
cidr: 0.0.0.0/0
zone: "{{ cs_common_zone_adv }}"
register: acl_rule
- name: verify setup network acl rule
assert:
that:
- acl_rule is successful
- name: setup vpc network tier
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
vpc: vpc_network_test
state: absent
register: network
- name: verify setup vpc network tier
assert:
that:
- network is successful
- name: test fail vpc network tier if vpc not given
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
acl: my_network_acl1
check_mode: yes
register: network
ignore_errors: yes
- name: verify test fail vpc network tier if vpc not given
assert:
that:
- network is failed
- "network.msg == 'Missing required params: vpc'"
- name: test create a vpc network tier in check mode
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
check_mode: yes
register: network
- name: verify test create a vpc network tier in check mode
assert:
that:
- network is changed
- name: test create a vpc network tier
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
register: network
- name: verify test create a vpc network tier
assert:
that:
- network is changed
- network.acl_type == 'Account'
- not network.acl
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test create a vpc network tier idempotence
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
register: network
- name: verify test create a vpc network tier idempotence
assert:
that:
- network is not changed
- network.acl_type == 'Account'
- not network.acl
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test update a vpc network tier in check mode
cs_network:
name: vpc tier 1
display_text: vpc tier 1 description
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
acl: my_network_acl1
check_mode: yes
register: network
- name: verify test update a vpc network tier in check mode
assert:
that:
- network is changed
- network.acl_type == 'Account'
- network.acl == 'my_network_acl1'
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test update a vpc network tier
cs_network:
name: vpc tier 1
display_text: vpc tier 1 description
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
acl: my_network_acl1
register: network
- name: verify test update a vpc network tier
assert:
that:
- network is changed
- network.acl_type == 'Account'
- network.acl == 'my_network_acl1'
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1 description'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test update a vpc network tier idempotence
cs_network:
name: vpc tier 1
display_text: vpc tier 1 description
zone: "{{ cs_common_zone_adv }}"
network_domain: cs2sandbox.simulator.example.com
vpc: vpc_network_test
network_offering: DefaultIsolatedNetworkOfferingForVpcNetworks
gateway: 10.43.0.1
netmask: 255.255.255.0
acl: my_network_acl1
register: network
- name: verify test update a vpc network tier idempotence
assert:
that:
- network is not changed
- network.acl_type == 'Account'
- network.acl == 'my_network_acl1'
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1 description'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test absent a vpc network tier in check mode
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
vpc: vpc_network_test
state: absent
register: network
check_mode: yes
- name: verify test absent a vpc network tier in check mode
assert:
that:
- network is changed
- network.acl_type == 'Account'
- network.acl == 'my_network_acl1'
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1 description'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test absent a vpc network tier
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
vpc: vpc_network_test
state: absent
register: network
- name: verify test absent a vpc network tier
assert:
that:
- network is changed
- network.acl_type == 'Account'
- network.acl == 'my_network_acl1'
- network.broadcast_domain_type == 'Vlan'
- network.cidr == '10.43.0.0/24'
- network.gateway == '10.43.0.1'
- network.display_text == 'vpc tier 1 description'
- network.network_offering == 'DefaultIsolatedNetworkOfferingForVpcNetworks'
- network.vpc == 'vpc_network_test'
- network.network_domain == 'cs2sandbox.simulator.example.com'
- name: test absent a vpc network tier idempotence
cs_network:
name: vpc tier 1
zone: "{{ cs_common_zone_adv }}"
vpc: vpc_network_test
state: absent
register: network
- name: verify test absent a vpc network tier idempotence
assert:
that:
- network is not changed
- name: cleanup vpc
cs_vpc:
name: vpc_network_test
cidr: 10.43.0.0/16
zone: "{{ cs_common_zone_adv }}"
state: absent
register: vpc
- name: verify cleanup vpc
assert:
that:
- vpc is successful
Write Preview
Loading…
Cancel
Save