From ff2009136f51e177e9593c121fbd6f2cf8945b64 Mon Sep 17 00:00:00 2001 From: Benno Joy Date: Thu, 23 Jul 2015 15:47:32 +0530 Subject: [PATCH] Module for modifying NAT rules in vcloud or vcd --- cloud/vmware/vca_nat.py | 384 ++++++++++++++++++++++++++++++++++++++++ 1 file changed, 384 insertions(+) create mode 100644 cloud/vmware/vca_nat.py diff --git a/cloud/vmware/vca_nat.py b/cloud/vmware/vca_nat.py new file mode 100644 index 00000000000..bde72dc07ac --- /dev/null +++ b/cloud/vmware/vca_nat.py @@ -0,0 +1,384 @@ +#!/usr/bin/python + +# Copyright (c) 2015 VMware, Inc. All Rights Reserved. +# +# Licensed under the Apache License, Version 2.0 (the "License"); +# you may not use this file except in compliance with the License. +# You may obtain a copy of the License at +# +# http://www.apache.org/licenses/LICENSE-2.0 +# +# Unless required by applicable law or agreed to in writing, software +# distributed under the License is distributed on an "AS IS" BASIS, +# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied. +# See the License for the specific language governing permissions and +# limitations under the License. + +DOCUMENTATION = ''' +--- +module: vca_nat +short_description: add remove nat rules in a gateway in a vca +description: + - Adds or removes nat rules from a gateway in a vca environment +version_added: "2.0" +options: + username: + version_added: "2.0" + description: + - The vca username or email address, if not set the environment variable VCA_USER is checked for the username. + required: false + default: None + password: + version_added: "2.0" + description: + - The vca password, if not set the environment variable VCA_PASS is checked for the password + required: false + default: None + org: + version_added: "2.0" + description: + - The org to login to for creating vapp, mostly set when the service_type is vdc. + required: false + default: None + service_id: + version_added: "2.0" + description: + - The service id in a vchs environment to be used for creating the vapp + required: false + default: None + host: + version_added: "2.0" + description: + - The authentication host to be used when service type is vcd. + required: false + default: None + api_version: + version_added: "2.0" + description: + - The api version to be used with the vca + required: false + default: "5.7" + service_type: + version_added: "2.0" + description: + - The type of service we are authenticating against + required: false + default: vca + choices: [ "vca", "vchs", "vcd" ] + state: + version_added: "2.0" + description: + - if the object should be added or removed + required: false + default: present + choices: [ "present", "absent" ] + verify_certs: + version_added: "2.0" + description: + - If the certificates of the authentication is to be verified + required: false + default: True + vdc_name: + version_added: "2.0" + description: + - The name of the vdc where the gateway is located. + required: false + default: None + gateway_name: + version_added: "2.0" + description: + - The name of the gateway of the vdc where the rule should be added + required: false + default: gateway + purge_rules: + version_added: "2.0" + description: + - If set to true, it will delete all rules in the gateway that are not given as paramter to this module. + required: false + default: false + nat_rules: + version_added: "2.0" + description: + - A list of rules to be added to the gateway, Please see examples on valid entries + required: True + default: false + + +''' + +EXAMPLES = ''' + +#An example for a source nat + +- hosts: localhost + connection: local + tasks: + - vca_nat: + instance_id: 'b15ff1e5-1024-4f55-889f-ea0209726282' + vdc_name: 'benz_ansible' + state: 'present' + nat_rules: + - rule_type: SNAT + original_ip: 192.168.2.10 + translated_ip: 107.189.95.208 + +#example for a DNAT +- hosts: localhost + connection: local + tasks: + - vca_nat: + instance_id: 'b15ff1e5-1024-4f55-889f-ea0209726282' + vdc_name: 'benz_ansible' + state: 'present' + nat_rules: + - rule_type: DNAT + original_ip: 107.189.95.208 + original_port: 22 + translated_ip: 192.168.2.10 + translated_port: 22 + +''' + +import time, json, xmltodict + +HAS_PYVCLOUD = False +try: + from pyvcloud.vcloudair import VCA + HAS_PYVCLOUD = True +except ImportError: + pass + +SERVICE_MAP = {'vca': 'ondemand', 'vchs': 'subscription', 'vcd': 'vcd'} +LOGIN_HOST = {} +LOGIN_HOST['vca'] = 'vca.vmware.com' +LOGIN_HOST['vchs'] = 'vchs.vmware.com' +VALID_RULE_KEYS = ['rule_type', 'original_ip', 'original_port', 'translated_ip', 'translated_port', 'protocol'] + +def vca_login(module=None): + service_type = module.params.get('service_type') + username = module.params.get('username') + password = module.params.get('password') + instance = module.params.get('instance_id') + org = module.params.get('org') + service = module.params.get('service_id') + vdc_name = module.params.get('vdc_name') + version = module.params.get('api_version') + verify = module.params.get('verify_certs') + if not vdc_name: + if service_type == 'vchs': + vdc_name = module.params.get('service_id') + if not org: + if service_type == 'vchs': + if vdc_name: + org = vdc_name + else: + org = service + if service_type == 'vcd': + host = module.params.get('host') + else: + host = LOGIN_HOST[service_type] + + if not username: + if 'VCA_USER' in os.environ: + username = os.environ['VCA_USER'] + if not password: + if 'VCA_PASS' in os.environ: + password = os.environ['VCA_PASS'] + if not username or not password: + module.fail_json(msg = "Either the username or password is not set, please check") + + if service_type == 'vchs': + version = '5.6' + if service_type == 'vcd': + if not version: + version == '5.6' + + + vca = VCA(host=host, username=username, service_type=SERVICE_MAP[service_type], version=version, verify=verify) + + if service_type == 'vca': + if not vca.login(password=password): + module.fail_json(msg = "Login Failed: Please check username or password", error=vca.response.content) + if not vca.login_to_instance(password=password, instance=instance, token=None, org_url=None): + s_json = serialize_instances(vca.instances) + module.fail_json(msg = "Login to Instance failed: Seems like instance_id provided is wrong .. Please check",\ + valid_instances=s_json) + if not vca.login_to_instance(instance=instance, password=None, token=vca.vcloud_session.token, + org_url=vca.vcloud_session.org_url): + module.fail_json(msg = "Error logging into org for the instance", error=vca.response.content) + return vca + + if service_type == 'vchs': + if not vca.login(password=password): + module.fail_json(msg = "Login Failed: Please check username or password", error=vca.response.content) + if not vca.login(token=vca.token): + module.fail_json(msg = "Failed to get the token", error=vca.response.content) + if not vca.login_to_org(service, org): + module.fail_json(msg = "Failed to login to org, Please check the orgname", error=vca.response.content) + return vca + + if service_type == 'vcd': + if not vca.login(password=password, org=org): + module.fail_json(msg = "Login Failed: Please check username or password or host parameters") + if not vca.login(password=password, org=org): + module.fail_json(msg = "Failed to get the token", error=vca.response.content) + if not vca.login(token=vca.token, org=org, org_url=vca.vcloud_session.org_url): + module.fail_json(msg = "Failed to login to org", error=vca.response.content) + return vca + +def validate_nat_rules(module=None, nat_rules=None): + for rule in nat_rules: + if not isinstance(rule, dict): + module.fail_json(msg="nat rules must be a list of dictionaries, Please check", valid_keys=VALID_RULE_KEYS) + for k in rule.keys(): + if k not in VALID_RULE_KEYS: + module.fail_json(msg="%s is not a valid key in nat rules, Please check above.." %k, valid_keys=VALID_RULE_KEYS) + rule['original_port'] = rule.get('original_port', 'any') + rule['original_ip'] = rule.get('original_ip', 'any') + rule['translated_ip'] = rule.get('translated_ip', 'any') + rule['translated_port'] = rule.get('translated_port', 'any') + rule['protocol'] = rule.get('protocol', 'any') + rule['rule_type'] = rule.get('rule_type', 'DNAT') + return nat_rules + + +def nat_rules_to_dict(natRules): + result = [] + for natRule in natRules: + ruleId = natRule.get_Id() + enable = natRule.get_IsEnabled() + ruleType = natRule.get_RuleType() + gatewayNatRule = natRule.get_GatewayNatRule() + originalIp = gatewayNatRule.get_OriginalIp() + originalPort = gatewayNatRule.get_OriginalPort() + translatedIp = gatewayNatRule.get_TranslatedIp() + translatedPort = gatewayNatRule.get_TranslatedPort() + protocol = gatewayNatRule.get_Protocol() + interface = gatewayNatRule.get_Interface().get_name() + result.append(dict(rule_type=ruleType, original_ip=originalIp, original_port="any" if not originalPort else originalPort, translated_ip=translatedIp, translated_port="any" if not translatedPort else translatedPort, + protocol="any" if not protocol else protocol)) + return result + + +def main(): + module = AnsibleModule( + argument_spec=dict( + username = dict(default=None), + password = dict(default=None), + org = dict(default=None), + service_id = dict(default=None), + instance_id = dict(default=None), + host = dict(default=None), + api_version = dict(default='5.7'), + service_type = dict(default='vca', choices=['vchs', 'vca', 'vcd']), + state = dict(default='present', choices = ['present', 'absent']), + vdc_name = dict(default=None), + gateway_name = dict(default='gateway'), + nat_rules = dict(required=True, default=None, type='list'), + purge_rules = dict(default=False), + ) + ) + + + vdc_name = module.params.get('vdc_name') + org = module.params.get('org') + service = module.params.get('service_id') + state = module.params.get('state') + service_type = module.params.get('service_type') + host = module.params.get('host') + instance_id = module.params.get('instance_id') + nat_rules = module.params.get('nat_rules') + gateway_name = module.params.get('gateway_name') + purge_rules = module.params.get('purge_rules') + verify_certs = dict(default=True, type='bool'), + + if not HAS_PYVCLOUD: + module.fail_json(msg="python module pyvcloud is needed for this module") + if service_type == 'vca': + if not instance_id: + module.fail_json(msg="When service type is vca the instance_id parameter is mandatory") + if not vdc_name: + module.fail_json(msg="When service type is vca the vdc_name parameter is mandatory") + + if service_type == 'vchs': + if not service: + module.fail_json(msg="When service type vchs the service_id parameter is mandatory") + if not org: + org = service + if not vdc_name: + vdc_name = service + if service_type == 'vcd': + if not host: + module.fail_json(msg="When service type is vcd host parameter is mandatory") + + vca = vca_login(module) + vdc = vca.get_vdc(vdc_name) + if not vdc: + module.fail_json(msg = "Error getting the vdc, Please check the vdc name") + + mod_rules = validate_nat_rules(module, nat_rules) + gateway = vca.get_gateway(vdc_name, gateway_name) + if not gateway: + module.fail_json(msg="Not able to find the gateway %s, please check the gateway_name param" %gateway_name) + rules = gateway.get_nat_rules() + cur_rules = nat_rules_to_dict(rules) + delete_cur_rule = [] + delete_rules = [] + for rule in cur_rules: + match = False + for idx, val in enumerate(mod_rules): + match = False + if cmp(rule, val) == 0: + delete_cur_rule.append(val) + mod_rules.pop(idx) + match = True + if not match: + delete_rules.append(rule) + if state == 'absent': + if purge_rules: + if not gateway.del_all_nat_rules(): + module.fail_json(msg="Error deleting all rules") + module.exit_json(changed=True, msg="Removed all rules") + if len(delete_cur_rule) < 1: + module.exit_json(changed=False, msg="No rules to be removed", rules=cur_rules) + else: + for i in delete_cur_rule: + gateway.del_nat_rule(i['rule_type'], i['original_ip'],\ + i['original_port'], i['translated_ip'], i['translated_port'], i['protocol']) + task = gateway.save_services_configuration() + if not task: + module.fail_json(msg="Unable to delete Rule, please check above error", error=gateway.response.content) + if not vca.block_until_completed(task): + module.fail_json(msg="Failure in waiting for removing network rule", error=gateway.response.content) + module.exit_json(changed=True, msg="The rules have been deleted", rules=delete_cur_rule) + changed = False + if len(mod_rules) < 1: + if not purge_rules: + module.exit_json(changed=False, msg="all rules are available", rules=cur_rules) + for i in mod_rules: + gateway.add_nat_rule(i['rule_type'], i['original_ip'], i['original_port'],\ + i['translated_ip'], i['translated_port'], i['protocol']) + task = gateway.save_services_configuration() + if not task: + module.fail_json(msg="Unable to add rule, please check above error", rules=mod_rules, error=gateway.response.content) + if not vca.block_until_completed(task): + module.fail_json(msg="Failure in waiting for adding network rule", error=gateway.response.content) + if purge_rules: + if len(delete_rules) < 1 and len(mod_rules) < 1: + module.exit_json(changed=False, rules=cur_rules) + for i in delete_rules: + gateway.del_nat_rule(i['rule_type'], i['original_ip'],\ + i['original_port'], i['translated_ip'], i['translated_port'], i['protocol']) + task = gateway.save_services_configuration() + if not task: + module.fail_json(msg="Unable to delete Rule, please check above error", error=gateway.response.content) + if not vca.block_until_completed(task): + module.fail_json(msg="Failure in waiting for removing network rule", error=gateway.response.content) + + module.exit_json(changed=True, rules_added=mod_rules) + + +# import module snippets +from ansible.module_utils.basic import * +if __name__ == '__main__': + main()