1#!/usr/bin/python 2# -*- coding: utf-8 -*- 3# 4# Copyright (C) 2017 Google 5# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) 6# ---------------------------------------------------------------------------- 7# 8# *** AUTO GENERATED CODE *** AUTO GENERATED CODE *** 9# 10# ---------------------------------------------------------------------------- 11# 12# This file is automatically generated by Magic Modules and manual 13# changes will be clobbered when the file is regenerated. 14# 15# Please read more about how to change this file at 16# https://www.github.com/GoogleCloudPlatform/magic-modules 17# 18# ---------------------------------------------------------------------------- 19 20from __future__ import absolute_import, division, print_function 21 22__metaclass__ = type 23 24################################################################################ 25# Documentation 26################################################################################ 27 28ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'} 29 30DOCUMENTATION = ''' 31--- 32module: gcp_compute_firewall_info 33description: 34- Gather info for GCP Firewall 35- This module was called C(gcp_compute_firewall_facts) before Ansible 2.9. The usage 36 has not changed. 37short_description: Gather info for GCP Firewall 38version_added: 2.7 39author: Google Inc. (@googlecloudplatform) 40requirements: 41- python >= 2.6 42- requests >= 2.18.4 43- google-auth >= 1.3.0 44options: 45 filters: 46 description: 47 - A list of filter value pairs. Available filters are listed here U(https://cloud.google.com/sdk/gcloud/reference/topic/filters). 48 - Each additional filter in the list will act be added as an AND condition (filter1 49 and filter2) . 50 type: list 51extends_documentation_fragment: gcp 52''' 53 54EXAMPLES = ''' 55- name: get info on a firewall 56 gcp_compute_firewall_info: 57 filters: 58 - name = test_object 59 project: test_project 60 auth_kind: serviceaccount 61 service_account_file: "/tmp/auth.pem" 62''' 63 64RETURN = ''' 65resources: 66 description: List of resources 67 returned: always 68 type: complex 69 contains: 70 allowed: 71 description: 72 - The list of ALLOW rules specified by this firewall. Each rule specifies a 73 protocol and port-range tuple that describes a permitted connection. 74 returned: success 75 type: complex 76 contains: 77 ip_protocol: 78 description: 79 - The IP protocol to which this rule applies. The protocol type is required 80 when creating a firewall rule. This value can either be one of the following 81 well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP 82 protocol number. 83 returned: success 84 type: str 85 ports: 86 description: 87 - An optional list of ports to which this rule applies. This field is only 88 applicable for UDP or TCP protocol. Each entry must be either an integer 89 or a range. If not specified, this rule applies to connections through 90 any port. 91 - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' 92 returned: success 93 type: list 94 creationTimestamp: 95 description: 96 - Creation timestamp in RFC3339 text format. 97 returned: success 98 type: str 99 denied: 100 description: 101 - The list of DENY rules specified by this firewall. Each rule specifies a protocol 102 and port-range tuple that describes a denied connection. 103 returned: success 104 type: complex 105 contains: 106 ip_protocol: 107 description: 108 - The IP protocol to which this rule applies. The protocol type is required 109 when creating a firewall rule. This value can either be one of the following 110 well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP 111 protocol number. 112 returned: success 113 type: str 114 ports: 115 description: 116 - An optional list of ports to which this rule applies. This field is only 117 applicable for UDP or TCP protocol. Each entry must be either an integer 118 or a range. If not specified, this rule applies to connections through 119 any port. 120 - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].' 121 returned: success 122 type: list 123 description: 124 description: 125 - An optional description of this resource. Provide this property when you create 126 the resource. 127 returned: success 128 type: str 129 destinationRanges: 130 description: 131 - If destination ranges are specified, the firewall will apply only to traffic 132 that has destination IP address in these ranges. These ranges must be expressed 133 in CIDR format. Only IPv4 is supported. 134 returned: success 135 type: list 136 direction: 137 description: 138 - 'Direction of traffic to which this firewall applies; default is INGRESS. 139 Note: For INGRESS traffic, it is NOT supported to specify destinationRanges; 140 For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags.' 141 returned: success 142 type: str 143 disabled: 144 description: 145 - Denotes whether the firewall rule is disabled, i.e not applied to the network 146 it is associated with. When set to true, the firewall rule is not enforced 147 and the network behaves as if it did not exist. If this is unspecified, the 148 firewall rule will be enabled. 149 returned: success 150 type: bool 151 id: 152 description: 153 - The unique identifier for the resource. 154 returned: success 155 type: int 156 name: 157 description: 158 - Name of the resource. Provided by the client when the resource is created. 159 The name must be 1-63 characters long, and comply with RFC1035. Specifically, 160 the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?` 161 which means the first character must be a lowercase letter, and all following 162 characters must be a dash, lowercase letter, or digit, except the last character, 163 which cannot be a dash. 164 returned: success 165 type: str 166 network: 167 description: 168 - 'URL of the network resource for this firewall rule. If not specified when 169 creating a firewall rule, the default network is used: global/networks/default 170 If you choose to specify this property, you can specify the network as a full 171 or partial URL. For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/) 172 networks/my-network projects/myproject/global/networks/my-network global/networks/default 173 .' 174 returned: success 175 type: dict 176 priority: 177 description: 178 - Priority for this rule. This is an integer between 0 and 65535, both inclusive. 179 When not specified, the value assumed is 1000. Relative priorities determine 180 precedence of conflicting rules. Lower value of priority implies higher precedence 181 (eg, a rule with priority 0 has higher precedence than a rule with priority 182 1). DENY rules take precedence over ALLOW rules having equal priority. 183 returned: success 184 type: int 185 sourceRanges: 186 description: 187 - If source ranges are specified, the firewall will apply only to traffic that 188 has source IP address in these ranges. These ranges must be expressed in CIDR 189 format. One or both of sourceRanges and sourceTags may be set. If both properties 190 are set, the firewall will apply to traffic that has source IP address within 191 sourceRanges OR the source IP that belongs to a tag listed in the sourceTags 192 property. The connection does not need to match both properties for the firewall 193 to apply. Only IPv4 is supported. 194 returned: success 195 type: list 196 sourceServiceAccounts: 197 description: 198 - If source service accounts are specified, the firewall will apply only to 199 traffic originating from an instance with a service account in this list. 200 Source service accounts cannot be used to control traffic to an instance's 201 external IP address because service accounts are associated with an instance, 202 not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts. 203 If both are set, the firewall will apply to traffic that has source IP address 204 within sourceRanges OR the source IP belongs to an instance with service account 205 listed in sourceServiceAccount. The connection does not need to match both 206 properties for the firewall to apply. sourceServiceAccounts cannot be used 207 at the same time as sourceTags or targetTags. 208 returned: success 209 type: list 210 sourceTags: 211 description: 212 - If source tags are specified, the firewall will apply only to traffic with 213 source IP that belongs to a tag listed in source tags. Source tags cannot 214 be used to control traffic to an instance's external IP address. Because tags 215 are associated with an instance, not an IP address. One or both of sourceRanges 216 and sourceTags may be set. If both properties are set, the firewall will apply 217 to traffic that has source IP address within sourceRanges OR the source IP 218 that belongs to a tag listed in the sourceTags property. The connection does 219 not need to match both properties for the firewall to apply. 220 returned: success 221 type: list 222 targetServiceAccounts: 223 description: 224 - A list of service accounts indicating sets of instances located in the network 225 that may make network connections as specified in allowed[]. 226 - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags. 227 If neither targetServiceAccounts nor targetTags are specified, the firewall 228 rule applies to all instances on the specified network. 229 returned: success 230 type: list 231 targetTags: 232 description: 233 - A list of instance tags indicating sets of instances located in the network 234 that may make network connections as specified in allowed[]. 235 - If no targetTags are specified, the firewall rule applies to all instances 236 on the specified network. 237 returned: success 238 type: list 239''' 240 241################################################################################ 242# Imports 243################################################################################ 244from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest 245import json 246 247################################################################################ 248# Main 249################################################################################ 250 251 252def main(): 253 module = GcpModule(argument_spec=dict(filters=dict(type='list', elements='str'))) 254 255 if module._name == 'gcp_compute_firewall_facts': 256 module.deprecate("The 'gcp_compute_firewall_facts' module has been renamed to 'gcp_compute_firewall_info'", version='2.13') 257 258 if not module.params['scopes']: 259 module.params['scopes'] = ['https://www.googleapis.com/auth/compute'] 260 261 return_value = {'resources': fetch_list(module, collection(module), query_options(module.params['filters']))} 262 module.exit_json(**return_value) 263 264 265def collection(module): 266 return "https://www.googleapis.com/compute/v1/projects/{project}/global/firewalls".format(**module.params) 267 268 269def fetch_list(module, link, query): 270 auth = GcpSession(module, 'compute') 271 return auth.list(link, return_if_object, array_name='items', params={'filter': query}) 272 273 274def query_options(filters): 275 if not filters: 276 return '' 277 278 if len(filters) == 1: 279 return filters[0] 280 else: 281 queries = [] 282 for f in filters: 283 # For multiple queries, all queries should have () 284 if f[0] != '(' and f[-1] != ')': 285 queries.append("(%s)" % ''.join(f)) 286 else: 287 queries.append(f) 288 289 return ' '.join(queries) 290 291 292def return_if_object(module, response): 293 # If not found, return nothing. 294 if response.status_code == 404: 295 return None 296 297 # If no content, return nothing. 298 if response.status_code == 204: 299 return None 300 301 try: 302 module.raise_for_status(response) 303 result = response.json() 304 except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst: 305 module.fail_json(msg="Invalid JSON response with error: %s" % inst) 306 307 if navigate_hash(result, ['error', 'errors']): 308 module.fail_json(msg=navigate_hash(result, ['error', 'errors'])) 309 310 return result 311 312 313if __name__ == "__main__": 314 main() 315