@ -21,23 +21,15 @@ description:
disk , in PEM format .
version_added : 2.2
options :
c ert_c ontent:
c ontent:
description :
- When used instead of ' cert_src ' , sets the contents of a certificate directly
to the specified value . This is used with lookup plugins or for anything
with formatting or templating . Either one of C ( key_src ) ,
C ( key_content ) , C ( cert_src ) or C ( cert_content ) must be provided when
C ( state ) is C ( present ) .
key_content :
description :
- When used instead of ' key_src ' , sets the contents of a certificate key
directly to the specified value . This is used with lookup plugins or for
anything with formatting or templating . Either one of C ( key_src ) ,
C ( key_content ) , C ( cert_src ) or C ( cert_content ) must be provided when
C ( state ) is C ( present ) .
- Sets the contents of a certificate directly to the specified value .
This is used with lookup plugins or for anything with formatting or
- C ( content ) must be provided when C ( state ) is C ( present ) .
aliases : [ ' cert_content ' ]
state :
description :
- Certificate and key state . This determines if the provided certificate
- Certificate state . This determines if the provided certificate
and key is to be made C ( present ) on the device or C ( absent ) .
default : present
choices :
@ -45,27 +37,20 @@ options:
- absent
name :
description :
- SSL Certificate Name . This is the cert / key pair name used
when importing a certificate / key into the F5 . It also
determines the filenames of the objects on the LTM
( : Partition : name . cer_11111_1 and : Partition_name . key_11111_1 ) .
- SSL Certificate Name . This is the cert name used when importing a certificate
into the F5 . It also determines the filenames of the objects on the LTM .
required : True
cert_src :
description :
- This is the local filename of the certificate . Either one of C ( key_src ) ,
C ( key_content ) , C ( cert_src ) or C ( cert_content ) must be provided when
C ( state ) is C ( present ) .
key_src :
issuer_cert :
description :
- This is the local filename of the private key . Either one of C ( key_src ) ,
C ( key_content ) , C ( cert_src ) or C ( cert_content ) must be provided when
C ( state ) is C ( present ) .
pa ssphrase :
- Issuer certificate used for OCSP monitoring .
- This parameter is only valid on versions of BIG - IP 13.0 .0 or above .
version_added : 2.5
partition :
description :
- Passphrase on certificate private key
- Device partition to manage resources on .
default : Common
version_added : 2.5
notes :
- Requires the f5 - sdk Python package on the host . This is as easy as pip
install f5 - sdk .
- This module does not behave like other modules that you might include in
roles where referencing files or templates first looks in the role ' s
files or templates directory . To have it behave that way , use the Ansible
@ -73,24 +58,13 @@ notes:
a role context .
extends_documentation_fragment : f5
requirements :
- f5 - sdk > = 3.0 .3
- BIG - IP > = v12
author :
- Tim Rupp ( @caphrim007 )
'''
EXAMPLES = r '''
- name : Import PEM Certificate from local disk
bigip_ssl_certificate :
name : certificate - name
server : lb . mydomain . com
user : admin
password : secret
state : present
cert_src : / path / to / cert . crt
key_src : / path / to / key . key
delegate_to : localhost
EXAMPLES = r '''
- name : Use a file lookup to import PEM Certificate
bigip_ssl_certificate :
name : certificate - name
@ -98,8 +72,7 @@ EXAMPLES = r'''
user : admin
password : secret
state : present
cert_content : " {{ lookup( ' file ' , ' /path/to/cert.crt ' ) }} "
key_content : " {{ lookup( ' file ' , ' /path/to/key.key ' ) }} "
content : " {{ lookup( ' file ' , ' /path/to/cert.crt ' ) }} "
delegate_to : localhost
- name : Use a file lookup to import CA certificate chain
@ -109,10 +82,10 @@ EXAMPLES = r'''
user : admin
password : secret
state : present
c ert_c ontent: " {{ lookup( ' file ' , ' /path/to/ca-chain.crt ' ) }} "
c ontent: " {{ lookup( ' file ' , ' /path/to/ca-chain.crt ' ) }} "
delegate_to : localhost
- name : " Delete Certificate "
- name : Delete Certificate
bigip_ssl_certificate :
name : certificate - name
server : lb . mydomain . com
@ -128,38 +101,18 @@ cert_name:
returned : created
type : string
sample : cert1
key_filename :
description :
- The name of the SSL certificate key . The C ( key_filename ) and
C ( cert_filename ) will be similar to each other , however the
C ( key_filename ) will have a C ( . key ) extension .
returned : created
type : string
sample : cert1 . key
key_checksum :
description : SHA1 checksum of the key that was provided .
returned : changed and created
type : string
sample : cf23df2207d99a74fbe169e3eba035e633b65d94
key_source_path :
description : Path on BIG - IP where the source of the key is stored
returned : created
type : string
sample : / var / config / rest / downloads / cert1 . key
cert_filename :
filename :
description :
- The name of the SSL certificate . The C ( cert_filename ) and
C ( key_filename ) will be similar to each other , however the
C ( cert_filename ) will have a C ( . crt ) extension .
- The name of the SSL certificate .
returned : created
type : string
sample : cert1 . crt
c ert_c hecksum:
checksum :
description : SHA1 checksum of the cert that was provided .
returned : changed and created
type : string
sample : f7ff9e8b7bb2e09b70935a5d785e0cc5d9d0abf0
cert_ source_path:
source_path :
description : Path on BIG - IP where the source of the certificate is stored .
returned : created
type : string
@ -171,47 +124,58 @@ import hashlib
import os
import re
from ansible . module_utils . basic import AnsibleModule
from ansible . module_utils . basic import env_fallback
HAS_DEVEL_IMPORTS = False
try :
from StringIO import StringIO
# Sideband repository used for dev
from library . module_utils . network . f5 . bigip import HAS_F5SDK
from library . module_utils . network . f5 . bigip import F5Client
from library . module_utils . network . f5 . common import F5ModuleError
from library . module_utils . network . f5 . common import AnsibleF5Parameters
from library . module_utils . network . f5 . common import cleanup_tokens
from library . module_utils . network . f5 . common import fqdn_name
from library . module_utils . network . f5 . common import f5_argument_spec
try :
from library . module_utils . network . f5 . common import iControlUnexpectedHTTPError
except ImportError :
HAS_F5SDK = False
HAS_DEVEL_IMPORTS = True
except ImportError :
from io import StringIO
from ansible . module_utils . f5_utils import AnsibleF5Client
from ansible . module_utils . f5_utils import AnsibleF5Parameters
from ansible . module_utils . f5_utils import HAS_F5SDK
from ansible . module_utils . f5_utils import F5ModuleError
from ansible . module_utils . f5_utils import iteritems
# Upstream Ansible
from ansible . module_utils . network . f5 . bigip import HAS_F5SDK
from ansible . module_utils . network . f5 . bigip import F5Client
from ansible . module_utils . network . f5 . common import F5ModuleError
from ansible . module_utils . network . f5 . common import AnsibleF5Parameters
from ansible . module_utils . network . f5 . common import cleanup_tokens
from ansible . module_utils . network . f5 . common import fqdn_name
from ansible . module_utils . network . f5 . common import f5_argument_spec
try :
from ansible . module_utils . network . f5 . common import iControlUnexpectedHTTPError
except ImportError :
HAS_F5SDK = False
try :
from ansible . module_utils . f5_utils import iControlUnexpectedHTTPError
from StringIO import StringIO
except ImportError :
HAS_F5SDK = False
from io import StringIO
class Parameters ( AnsibleF5Parameters ) :
def __init__ ( self , params = None ) :
super ( Parameters , self ) . __init__ ( params )
self . _values [ ' __warnings ' ] = [ ]
api_map = {
' sourcePath ' : ' source_path ' ,
' issuerCert ' : ' issuer_cert '
}
def to_return ( self ) :
result = { }
try :
for returnable in self . returnables :
result [ returnable ] = getattr ( self , returnable )
result = self . _filter_params ( result )
except Exception :
pass
return result
updatables = [ ' content ' , ' issuer_cert ' ]
def api_params ( self ) :
result = { }
for api_attribute in self . api_attributes :
if self . api_map is not None and api_attribute in self . api_map :
result [ api_attribute ] = getattr ( self , self . api_map [ api_attribute ] )
else :
result [ api_attribute ] = getattr ( self , api_attribute )
result = self . _filter_params ( result )
return result
returnables = [
' filename ' , ' checksum ' , ' source_path ' , ' issuer_cert '
]
api_attributes = [ ' issuerCert ' ]
def _get_hash ( self , content ) :
k = hashlib . sha1 ( )
@ -223,6 +187,13 @@ class Parameters(AnsibleF5Parameters):
k . update ( data . encode ( ' utf-8 ' ) )
return k . hexdigest ( )
def _fqdn_name ( self , value ) :
if value is not None and not value . startswith ( ' / ' ) :
return ' / {0} / {1} ' . format ( self . partition , value )
return value
class ApiParameters ( Parameters ) :
@property
def checksum ( self ) :
if self . _values [ ' checksum ' ] is None :
@ -234,148 +205,105 @@ class Parameters(AnsibleF5Parameters):
else :
return None
@property
def filename ( self ) :
return self . _values [ ' name ' ]
class KeyParameters ( Parameters ) :
api_map = {
' sourcePath ' : ' key_source_path '
}
updatables = [ ' key_source_path ' ]
returnables = [ ' key_filename ' , ' key_checksum ' , ' key_source_path ' ]
api_attributes = [ ' passphrase ' , ' sourcePath ' ]
class ModuleParameters ( Parameters ) :
@property
def key_filename ( self ) :
if self . name . endswith ( ' .key ' ) :
return self . name
def issuer_cert ( self ) :
if self . _values [ ' issuer_cert ' ] is None :
return None
name = self . _fqdn_name ( self . _values [ ' issuer_cert ' ] )
if name . endswith ( ' .crt ' ) :
return name
else :
return self . name + ' .key '
return name + ' .crt '
@property
def key_ checksum( self ) :
if self . key_ content is None :
def ( self ) :
if self . is None :
return None
return self . _get_hash ( self . key_ content)
return self . _get_hash ( self . )
@property
def key_src ( self ) :
if self . _values [ ' key_src ' ] is None :
return None
self . _values [ ' __warnings ' ] . append (
dict (
msg = " The key_src param is deprecated " ,
version = ' 2.4 '
)
)
try :
with open ( self . _values [ ' key_src ' ] ) as fh :
self . key_content = fh . read ( )
except IOError :
raise F5ModuleError (
" The specified ' key_src ' does not exist "
)
def filename ( self ) :
if self . name . endswith ( ' .crt ' ) :
return self . name
else :
return self . name + ' .crt '
@property
def key_ source_path( self ) :
def source_path ( self ) :
result = ' file:// ' + os . path . join (
Bas eManager. download_path ,
self . key_ filename
ModuleManager . download_path ,
self . filename
)
return result
class CertParameters ( Parameters ) :
api_map = {
' sourcePath ' : ' cert_source_path '
}
updatables = [ ' cert_source_path ' ]
class Changes ( Parameters ) :
def to_return ( self ) :
result = { }
try :
for returnable in self . returnables :
result [ returnable ] = getattr ( self , returnable )
result = self . _filter_params ( result )
except Exception :
pass
return result
returnables = [ ' cert_filename ' , ' cert_checksum ' , ' cert_source_path ' ]
api_attributes = [ ' sourcePath ' ]
class ReportableChanges ( Changes ) :
pass
@property
def cert_checksum ( self ) :
if self . cert_content is None :
return None
return self . _get_hash ( self . cert_content )
@property
def cert_filename ( self ) :
if self . name . endswith ( ' .crt ' ) :
return self . name
else :
return self . name + ' .crt '
class UsableChanges ( Changes ) :
pass
@property
def cert_src ( self ) :
if self . _values [ ' cert_src ' ] is None :
return None
self . _values [ ' __warnings ' ] . append (
dict (
msg = " The cert_src param is deprecated " ,
version = ' 2.4 '
)
)
class Difference ( object ) :
def __init__ ( self , want , have = None ) :
self . want = want
self . have = have
def compare ( self , param ) :
try :
with open ( self . _value [ ' cert_src ' ] ) as fh :
self . cert_content = fh . read ( )
except IOError :
raise F5ModuleError (
" The specified ' cert_src ' does not exist "
)
result = getattr ( self , param )
return result
except AttributeError :
result = self . __default ( param )
return result
def __default ( self , param ) :
attr1 = getattr ( self . want , param )
try :
attr2 = getattr ( self . have , param )
if attr1 != attr2 :
return attr1
except AttributeError :
return attr1
@property
def cert_source_path ( self ) :
result = ' file:// ' + os . path . join (
BaseManager . download_path ,
self . cert_filename
)
return result
def content ( self ) :
if self . want . checksum != self . have . checksum :
result = dict (
checksum = self . want . checksum ,
content = self . want . content
)
return result
class ModuleManager ( object ) :
def __init__ ( self , client ) :
self . client = client
def exec_module ( self ) :
manager1 = self . get_manager ( ' certificate ' )
manager2 = self . get_manager ( ' key ' )
result = self . execute_managers ( [ manager1 , manager2 ] )
return result
def execute_managers ( self , managers ) :
results = dict ( changed = False )
for manager in managers :
result = manager . exec_module ( )
for k , v in iteritems ( result ) :
if k == ' changed ' :
if v is True :
results [ ' changed ' ] = True
else :
results [ k ] = v
return results
def get_manager ( self , type ) :
if type == ' certificate ' :
return CertificateManager ( self . client )
elif type == ' key ' :
return KeyManager ( self . client )
class BaseManager ( object ) :
download_path = ' /var/config/rest/downloads '
def __init__ ( self , client ) :
self . client = client
self . have = None
def __init__ ( self , * args , * * kwargs ) :
self . module = kwargs . get ( ' module ' , None )
self . client = kwargs . get ( ' client ' , None )
self . want = ModuleParameters ( params = self . module . params )
self . have = ApiParameters ( )
self . changes = UsableChanges ( )
def exec_module ( self ) :
changed = False
@ -390,20 +318,17 @@ class BaseManager(object):
except iControlUnexpectedHTTPError as e :
raise F5ModuleError ( str ( e ) )
changes = self . changes . to_return ( )
reportable = ReportableChanges ( params = self . changes . to_return ( ) )
changes = reportable . to_return ( )
result . update ( * * changes )
result . update ( dict ( changed = changed ) )
self . _announce_deprecations ( )
self . _announce_deprecations ( result )
return result
def _announce_deprecations ( self ) :
warnings = [ ]
if self . want :
warnings + = self . want . _values . get ( ' __warnings ' , [ ] )
if self . have :
warnings + = self . have . _values . get ( ' __warnings ' , [ ] )
def _announce_deprecations ( self , result ) :
warnings = result . pop ( ' __warnings ' , [ ] )
for warning in warnings :
self . client. module. deprecate (
self . module . deprecate (
msg = warning [ ' msg ' ] ,
version = warning [ ' version ' ]
)
@ -416,7 +341,7 @@ class BaseManager(object):
def create ( self ) :
self . _set_changed_options ( )
if self . client . check_mode :
if self . module . check_mode :
return True
self . create_on_device ( )
return True
@ -431,7 +356,7 @@ class BaseManager(object):
self . have = self . read_current_from_device ( )
if not self . should_update ( ) :
return False
if self . client . check_mode :
if self . module . check_mode :
return True
self . update_on_device ( )
return True
@ -442,257 +367,138 @@ class BaseManager(object):
return False
def remove ( self ) :
if self . client . check_mode :
if self . module . check_mode :
return True
self . remove_from_device ( )
return True
class CertificateManager ( BaseManager ) :
def __init__ ( self , client ) :
super ( CertificateManager , self ) . __init__ ( client )
self . want = CertParameters ( self . client . module . params )
self . changes = CertParameters ( )
def _set_changed_options ( self ) :
changed = { }
try :
for key in CertParameters . returnables :
if getattr ( self . want , key ) is not None :
changed [ key ] = getattr ( self . want , key )
if changed :
self . changes = CertParameters ( changed )
except Exception :
pass
for key in Parameters . returnables :
if getattr ( self . want , key ) is not None :
changed [ key ] = getattr ( self . want , key )
if changed :
self . changes = UsableChanges ( params = changed )
def _update_changed_options ( self ) :
changed = { }
try :
for key in CertParameters . updatables :
if getattr ( self . want , key ) is not None :
attr1 = getattr ( self . want , key )
attr2 = getattr ( self . have , key )
if attr1 != attr2 :
changed [ key ] = attr1
if self . want . cert_checksum != self . have . checksum :
changed [ ' cert_checksum ' ] = self . want . cert_checksum
if changed :
self . changes = CertParameters ( changed )
return True
except Exception :
pass
diff = Difference ( self . want , self . have )
updatables = Parameters . updatables
changed = dict ( )
for k in updatables :
change = diff . compare ( k )
if change is None :
continue
else :
if isinstance ( change , dict ) :
changed . update ( change )
else :
changed [ k ] = change
if changed :
self . changes = UsableChanges ( params = changed )
return True
return False
def exists ( self ) :
result = self . client . api . tm . sys . file . ssl_certs . ssl_cert . exists (
name = self . want . cert_ filename,
name = self . want . ,
partition = self . want . partition
)
return result
def present ( self ) :
if self . want . cert_content is None :
return False
return super ( CertificateManager , self ) . present ( )
def should_update ( self ) :
result = self . _update_changed_options ( )
if result :
return True
return False
def update_on_device ( self ) :
content = StringIO ( self . want . cert_content )
params = self . changes . api_params ( )
content = StringIO ( self . want . content )
self . client . api . shared . file_transfer . uploads . upload_stringio (
content , self . want . cert_ filename
content , self . want . filename
)
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . load (
name = self . want . cert_ filename,
name = self . want . filename ,
partition = self . want . partition
)
resource . update ( )
resource . update ( * * params )
def create_on_device ( self ) :
content = StringIO ( self . want . c ert_c ontent)
content = StringIO ( self . want . c ontent)
self . client . api . shared . file_transfer . uploads . upload_stringio (
content , self . want . cert_filename
)
self . client . api . tm . sys . file . ssl_certs . ssl_cert . create (
sourcePath = self . want . cert_source_path ,
name = self . want . cert_filename ,
partition = self . want . partition
)
def read_current_from_device ( self ) :
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . load (
name = self . want . cert_filename ,
partition = self . want . partition
content , self . want . filename
)
result = resource . attrs
return CertParameters ( result )
def remove_from_device ( self ) :
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . load (
name = self . want . cert_ filename,
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . create (
sourcePath = self . want . source_path ,
name = self . want . filename ,
partition = self . want . partition
)
resource . delete ( )
def remove ( self ) :
result = super ( CertificateManager , self ) . remove ( )
if self . exists ( ) and not self . client . check_mode :
raise F5ModuleError ( " Failed to delete the certificate " )
return result
class KeyManager ( BaseManager ) :
def __init__ ( self , client ) :
super ( KeyManager , self ) . __init__ ( client )
self . want = KeyParameters ( self . client . module . params )
self . changes = KeyParameters ( )
def _set_changed_options ( self ) :
changed = { }
try :
for key in KeyParameters . returnables :
if getattr ( self . want , key ) is not None :
changed [ key ] = getattr ( self . want , key )
if changed :
self . changes = KeyParameters ( changed )
except Exception :
pass
def _update_changed_options ( self ) :
changed = { }
try :
for key in KeyParameters . updatables :
if getattr ( self . want , key ) is not None :
attr1 = getattr ( self . want , key )
attr2 = getattr ( self . have , key )
if attr1 != attr2 :
changed [ key ] = attr1
if self . want . key_checksum != self . have . checksum :
changed [ ' key_checksum ' ] = self . want . key_checksum
if changed :
self . changes = KeyParameters ( changed )
return True
except Exception :
pass
return False
def should_update ( self ) :
result = self . _update_changed_options ( )
if result :
return True
return False
def update_on_device ( self ) :
content = StringIO ( self . want . key_content )
self . client . api . shared . file_transfer . uploads . upload_stringio (
content , self . want . key_filename
)
resource = self . client . api . tm . sys . file . ssl_keys . ssl_key . load (
name = self . want . key_filename ,
partition = self . want . partition
)
resource . update ( )
def exists ( self ) :
result = self . client . api . tm . sys . file . ssl_keys . ssl_key . exists (
name = self . want . key_filename ,
partition = self . want . partition
)
return result
def present ( self ) :
if self . want . key_content is None :
return False
return super ( KeyManager , self ) . present ( )
# This needs to be done because of the way that BIG-IP creates certificates.
#
# The extra params (such as OCSP and issuer stuff) are not available in the
# payload. In a nutshell, the available resource attributes *change* after
# a create so that *more* are available.
params = self . want . api_params ( )
if params :
resource . update ( * * params )
def read_current_from_device ( self ) :
resource = self . client . api . tm . sys . file . ssl_keys . ssl_key . load (
name = self . want . key_filename ,
partition = self . want . partition
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . load (
name = self . want . filename ,
partition = self . want . partition ,
requests_params = dict (
params = ' expandSubcollections=true '
)
)
result = resource . attrs
return KeyParameters ( result )
def create_on_device ( self ) :
content = StringIO ( self . want . key_content )
self . client . api . shared . file_transfer . uploads . upload_stringio (
content , self . want . key_filename
)
self . client . api . tm . sys . file . ssl_keys . ssl_key . create (
sourcePath = self . want . key_source_path ,
name = self . want . key_filename ,
partition = self . want . partition
)
return ApiParameters ( params = result )
def remove_from_device ( self ) :
resource = self . client . api . tm . sys . file . ssl_ keys. ssl_key . load (
name = self . want . key_ filename,
resource = self . client . api . tm . sys . file . ssl_certs . ssl_cert . load (
name = self . want . filename ,
partition = self . want . partition
)
resource . delete ( )
def remove ( self ) :
result = super ( KeyManager , self ) . remove ( )
if self . exists ( ) and not self . client . check_mode :
raise F5ModuleError ( " Failed to delete the key " )
return result
class ArgumentSpec ( object ) :
def __init__ ( self ) :
self . supports_check_mode = True
self . argument_spec = dict (
argument_spec = dict (
name = dict (
required = True
) ,
cert_content = dict ( aliases = [ ' content ' ] ) ,
cert_src = dict (
type = ' path ' ,
removed_in_version = ' 2.4 '
) ,
key_content = dict ( ) ,
key_src = dict (
type = ' path ' ,
removed_in_version = ' 2.4 '
) ,
passphrase = dict (
no_log = True
) ,
content = dict ( aliases = [ ' cert_content ' ] ) ,
state = dict (
default = ' present ' ,
choices = [ ' absent ' , ' present ' ]
) ,
issuer_cert = dict ( ) ,
partition = dict (
default = ' Common ' ,
fallback = ( env_fallback , [ ' F5_PARTITION ' ] )
)
)
self . mutually_exclusive = [
[ ' key_content ' , ' key_src ' ] ,
[ ' cert_content ' , ' cert_src ' ]
]
self . f5_product_name = ' bigip '
self . argument_spec = { }
self . argument_spec . update ( f5_argument_spec )
self . argument_spec . update ( argument_spec )
def main ( ) :
if not HAS_F5SDK :
raise F5ModuleError ( " The python f5-sdk module is required " )
spec = ArgumentSpec ( )
client = AnsibleF5Client (
module = AnsibleModule (
argument_spec = spec . argument_spec ,
mutually_exclusive = spec . mutually_exclusive ,
supports_check_mode = spec . supports_check_mode ,
f5_product_name = spec . f5_product_name
supports_check_mode = spec . supports_check_mode
)
if not HAS_F5SDK :
module . fail_json ( msg = " The python f5-sdk module is required " )
try :
mm = ModuleManager ( client )
client = F5Client ( * * module . params )
mm = ModuleManager ( module = module , client = client )
results = mm . exec_module ( )
client . module . exit_json ( * * results )
except F5ModuleError as e :
client . module . fail_json ( msg = str ( e ) )
cleanup_tokens ( client )
module . exit_json ( * * results )
except F5ModuleError as ex :
cleanup_tokens ( client )
module . fail_json ( msg = str ( ex ) )
if __name__ == ' __main__ ' :
Tim Rupp
7 years ago
committed by