feat: add scaleway security_group_rule management (#45694)

* feat: add scaleway security_group_rule management
6 years ago · c5d5d08b6b
parent 83e584577a
commit c5d5d08b6b
5 changed files with 500 additions and 0 deletions
--- a/lib/ansible/module_utils/scaleway.py
+++ b/lib/ansible/module_utils/scaleway.py
@ -15,6 +15,14 @@ def scaleway_argument_spec():
    )


+def payload_from_object(scw_object):
+    return dict(
+        (k, v)
+        for k, v in scw_object.items()
+        if k != 'id' and v is not None
+    )
+
+
 class ScalewayException(Exception):

    def __init__(self, message):
--- a/lib/ansible/modules/cloud/scaleway/scaleway_security_group_rule.py
+++ b/lib/ansible/modules/cloud/scaleway/scaleway_security_group_rule.py
@ -0,0 +1,257 @@
+#!/usr/bin/python
+#
+# Scaleway Security Group Rule management module
+#
+# Copyright (C) 2018 Antoine Barbare (antoinebarbare@gmail.com).
+#
+# GNU General Public License v3.0+ (see COPYING or
+# https://www.gnu.org/licenses/gpl-3.0.txt)
+
+from __future__ import absolute_import, division, print_function
+
+__metaclass__ = type
+
+ANSIBLE_METADATA = {
+    'metadata_version': '1.1',
+    'status': ['preview'],
+    'supported_by': 'community'
+}
+
+DOCUMENTATION = '''
+---
+module: scaleway_security_group_rule
+short_description: Scaleway Security Group Rule management module
+version_added: "2.8"
+author: Antoine Barbare (@abarbare)
+description:
+    - This module manages Security Group Rule on Scaleway account
+      U(https://developer.scaleway.com)
+extends_documentation_fragment: scaleway
+
+options:
+  state:
+    description:
+      - Indicate desired state of the Security Group Rule.
+    default: present
+    choices:
+      - present
+      - absent
+
+  region:
+    description:
+      - Scaleway region to use (for example C(par1)).
+    required: true
+    choices:
+      - ams1
+      - EMEA-NL-EVS
+      - par1
+      - EMEA-FR-PAR1
+
+  protocol:
+    description:
+      - Network protocol to use
+    choices:
+      - TCP
+      - UDP
+      - ICMP
+    required: true
+
+  port:
+    description:
+      - Port related to the rule, null value for all the ports
+    required: true
+    type: int
+
+  ip_range:
+    description:
+      - IPV4 CIDR notation to apply to the rule
+    default: 0.0.0.0/0
+
+  direction:
+    description:
+      - Rule direction
+    choices:
+      - inbound
+      - outbound
+    required: true
+
+  action:
+    description:
+      - Rule action
+    choices:
+      - accept
+      - drop
+    required: true
+
+  security_group:
+    description:
+      - Security Group unique identifier
+    required: true
+'''
+
+EXAMPLES = '''
+  - name: Create a Security Group Rule
+    scaleway_security_group_rule:
+      state: present
+      region: par1
+      protocol: TCP
+      port: 80
+      ip_range: 0.0.0.0/0
+      direction: inbound
+      action: accept
+      security_group: b57210ee-1281-4820-a6db-329f78596ecb
+    register: security_group_rule_creation_task
+'''
+
+RETURN = '''
+data:
+    description: This is only present when C(state=present)
+    returned: when C(state=present)
+    type: dict
+    sample: {
+        "scaleway_security_group_rule": {
+            "direction": "inbound",
+            "protocol": "TCP",
+            "ip_range": "0.0.0.0/0",
+            "dest_port_from": 80,
+            "action": "accept",
+            "position": 2,
+            "dest_port_to": null,
+            "editable": null,
+            "id": "10cb0b9a-80f6-4830-abd7-a31cd828b5e9"
+        }
+    }
+'''
+
+from ansible.module_utils.scaleway import SCALEWAY_LOCATION, scaleway_argument_spec, Scaleway, payload_from_object
+from ansible.module_utils.compat.ipaddress import ip_network
+from ansible.module_utils._text import to_text
+from ansible.module_utils.basic import AnsibleModule
+
+
+def get_sgr_from_api(security_group_rules, security_group_rule):
+    """ Check if a security_group_rule specs are present in security_group_rules
+        Return None if no rules match the specs
+        Return the rule if found
+    """
+    for sgr in security_group_rules:
+        if (sgr['ip_range'] == security_group_rule['ip_range'] and sgr['dest_port_from'] == security_group_rule['dest_port_from'] and
+            sgr['direction'] == security_group_rule['direction'] and sgr['action'] == security_group_rule['action'] and
+                sgr['protocol'] == security_group_rule['protocol']):
+            return sgr
+
+    return None
+
+
+def present_strategy(api, security_group_id, security_group_rule):
+    ret = {'changed': False}
+
+    response = api.get('security_groups/%s/rules' % security_group_id)
+    if not response.ok:
+        api.module.fail_json(
+            msg='Error getting security group rules "%s": "%s" (%s)' %
+            (response.info['msg'], response.json['message'], response.json))
+
+    existing_rule = get_sgr_from_api(
+        response.json['rules'], security_group_rule)
+
+    if not existing_rule:
+        ret['changed'] = True
+        if api.module.check_mode:
+            return ret
+
+        # Create Security Group Rule
+        response = api.post('/security_groups/%s/rules' % security_group_id,
+                            data=payload_from_object(security_group_rule))
+
+        if not response.ok:
+            api.module.fail_json(
+                msg='Error during security group rule creation: "%s": "%s" (%s)' %
+                (response.info['msg'], response.json['message'], response.json))
+        ret['scaleway_security_group_rule'] = response.json['rule']
+
+    else:
+        ret['scaleway_security_group_rule'] = existing_rule
+
+    return ret
+
+
+def absent_strategy(api, security_group_id, security_group_rule):
+    ret = {'changed': False}
+
+    response = api.get('security_groups/%s/rules' % security_group_id)
+    if not response.ok:
+        api.module.fail_json(
+            msg='Error getting security group rules "%s": "%s" (%s)' %
+            (response.info['msg'], response.json['message'], response.json))
+
+    existing_rule = get_sgr_from_api(
+        response.json['rules'], security_group_rule)
+
+    if not existing_rule:
+        return ret
+
+    ret['changed'] = True
+    if api.module.check_mode:
+        return ret
+
+    response = api.delete(
+        '/security_groups/%s/rules/%s' %
+        (security_group_id, existing_rule['id']))
+    if not response.ok:
+        api.module.fail_json(
+            msg='Error deleting security group rule "%s": "%s" (%s)' %
+            (response.info['msg'], response.json['message'], response.json))
+
+    return ret
+
+
+def core(module):
+    api = Scaleway(module=module)
+
+    security_group_rule = {
+        'protocol': module.params['protocol'],
+        'dest_port_from': module.params['port'],
+        'ip_range': module.params['ip_range'],
+        'direction': module.params['direction'],
+        'action': module.params['action'],
+    }
+
+    region = module.params['region']
+    module.params['api_url'] = SCALEWAY_LOCATION[region]['api_endpoint']
+
+    if module.params['state'] == 'present':
+        summary = present_strategy(
+            api=api,
+            security_group_id=module.params['security_group'],
+            security_group_rule=security_group_rule)
+    else:
+        summary = absent_strategy(
+            api=api,
+            security_group_id=module.params['security_group'],
+            security_group_rule=security_group_rule)
+    module.exit_json(**summary)
+
+
+def main():
+    argument_spec = scaleway_argument_spec()
+    argument_spec.update(dict(
+        state=dict(default='present', choices=['absent', 'present']),
+        region=dict(required=True, choices=SCALEWAY_LOCATION.keys()),
+        protocol=dict(required=True, choices=['TCP', 'UDP', 'ICMP']),
+        port=dict(required=True, type=int),
+        ip_range=dict(default='0.0.0.0/0', type=lambda x: to_text(ip_network(to_text(x)))),
+        direction=dict(required=True, choices=['inbound', 'outbound']),
+        action=dict(required=True, choices=['accept', 'drop']),
+        security_group=dict(required=True),
+    ))
+    module = AnsibleModule(
+        argument_spec=argument_spec,
+        supports_check_mode=True,
+    )
+
+    core(module)
+
+
+if __name__ == '__main__':
+    main()
--- a/test/legacy/roles/scaleway_security_group_rule/defaults/main.yml
+++ b/test/legacy/roles/scaleway_security_group_rule/defaults/main.yml
@ -0,0 +1,8 @@
+---
+scaleway_organization: '{{ scw_org }}'
+scaleway_region: par1
+protocol: "TCP"
+port: 80
+ip_range: "0.0.0.0/0"
+direction: "inbound"
+action: "accept"
--- a/test/legacy/roles/scaleway_security_group_rule/tasks/main.yml
+++ b/test/legacy/roles/scaleway_security_group_rule/tasks/main.yml
@ -0,0 +1,226 @@
+# SCW_API_KEY='XXX' SCW_SG='GGG' ansible-playbook ./test/legacy/scaleway.yml --tags test_scaleway_security_group_rule
+
+- name: Set security group fact
+  set_fact:
+    security_group: "{{ lookup('env','SCW_SG') }}"
+
+- name: Check if SCW_SG is defined
+  debug:
+    msg: "SCW_SG env variable is required"
+  failed_when: security_group == ""
+
+- name: Create security_group_rule check
+  check_mode: true
+  scaleway_security_group_rule:
+    state: present
+    region: '{{ scaleway_region }}'
+    protocol: '{{ protocol }}'
+    port: '{{ port }}'
+    ip_range: '{{ ip_range }}'
+    direction: '{{ direction }}'
+    action: '{{ action }}'
+    security_group: '{{ security_group }}'
+  register: security_group_rule_creation_task
+
+- debug: var=security_group_rule_creation_task
+
+- assert:
+    that:
+      - security_group_rule_creation_task is success
+      - security_group_rule_creation_task is changed
+
+- block:
+  - name: Create security_group_rule check
+    scaleway_security_group_rule:
+      state: present
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: '{{ port }}'
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_creation_task
+
+  - debug: var=security_group_rule_creation_task
+
+  - assert:
+      that:
+        - security_group_rule_creation_task is success
+        - security_group_rule_creation_task is changed
+
+  - name: Create security_group_rule duplicate
+    scaleway_security_group_rule:
+      state: present
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: '{{ port }}'
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_creation_task
+
+  - debug: var=security_group_rule_creation_task
+
+  - assert:
+      that:
+        - security_group_rule_creation_task is success
+        - security_group_rule_creation_task is not changed
+
+  - name: Delete security_group_rule check
+    check_mode: true
+    scaleway_security_group_rule:
+      state: absent
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: '{{ port }}'
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_deletion_task
+
+  - debug: var=security_group_rule_deletion_task
+
+  - assert:
+      that:
+        - security_group_rule_deletion_task is success
+        - security_group_rule_deletion_task is changed
+
+  always:
+  - name: Delete security_group_rule check
+    scaleway_security_group_rule:
+      state: absent
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: '{{ port }}'
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_deletion_task
+
+  - debug: var=security_group_rule_deletion_task
+
+  - assert:
+      that:
+        - security_group_rule_deletion_task is success
+        - security_group_rule_deletion_task is changed
+
+- name: Delete security_group_rule check
+  scaleway_security_group_rule:
+    state: absent
+    region: '{{ scaleway_region }}'
+    protocol: '{{ protocol }}'
+    port: '{{ port }}'
+    ip_range: '{{ ip_range }}'
+    direction: '{{ direction }}'
+    action: '{{ action }}'
+    security_group: '{{ security_group }}'
+  register: security_group_rule_deletion_task
+
+- debug: var=security_group_rule_deletion_task
+
+- assert:
+    that:
+      - security_group_rule_deletion_task is success
+      - security_group_rule_deletion_task is not changed
+
+- block:
+  - name: Create security_group_rule with null check
+    scaleway_security_group_rule:
+      state: present
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: null
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_creation_task
+
+  - debug: var=security_group_rule_creation_task
+
+  - assert:
+      that:
+        - security_group_rule_creation_task is success
+        - security_group_rule_creation_task is changed
+
+  - name: Create security_group_rule with null duplicate
+    scaleway_security_group_rule:
+      state: present
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: null
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_creation_task
+
+  - debug: var=security_group_rule_creation_task
+
+  - assert:
+      that:
+        - security_group_rule_creation_task is success
+        - security_group_rule_creation_task is not changed
+
+  - name: Delete security_group_rule with null check
+    check_mode: true
+    scaleway_security_group_rule:
+      state: absent
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: null
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_deletion_task
+
+  - debug: var=security_group_rule_deletion_task
+
+  - assert:
+      that:
+        - security_group_rule_deletion_task is success
+        - security_group_rule_deletion_task is changed
+
+  always:
+  - name: Delete security_group_rule with null check
+    scaleway_security_group_rule:
+      state: absent
+      region: '{{ scaleway_region }}'
+      protocol: '{{ protocol }}'
+      port: null
+      ip_range: '{{ ip_range }}'
+      direction: '{{ direction }}'
+      action: '{{ action }}'
+      security_group: '{{ security_group }}'
+    register: security_group_rule_deletion_task
+
+  - debug: var=security_group_rule_deletion_task
+
+  - assert:
+      that:
+        - security_group_rule_deletion_task is success
+        - security_group_rule_deletion_task is changed
+
+- name: Delete security_group_rule with null check
+  scaleway_security_group_rule:
+    state: absent
+    region: '{{ scaleway_region }}'
+    protocol: '{{ protocol }}'
+    port: null
+    ip_range: '{{ ip_range }}'
+    direction: '{{ direction }}'
+    action: '{{ action }}'
+    security_group: '{{ security_group }}'
+  register: security_group_rule_deletion_task
+
+- debug: var=security_group_rule_deletion_task
+
+- assert:
+    that:
+      - security_group_rule_deletion_task is success
+      - security_group_rule_deletion_task is not changed
--- a/test/legacy/scaleway.yml
+++ b/test/legacy/scaleway.yml
@ -19,3 +19,4 @@
    - { role: scaleway_volume, tags: test_scaleway_volume }
    - { role: scaleway_volume_facts, tags: test_scaleway_volume_facts }
    - { role: scaleway_security_group, tags: test_scaleway_security_group }
+    - { role: scaleway_security_group_rule, tags: test_scaleway_security_group_rule }