1#!/usr/bin/python
2# -*- coding: utf-8 -*-
3#
4# Copyright (C) 2017 Google
5# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
6# ----------------------------------------------------------------------------
7#
8#     ***     AUTO GENERATED CODE    ***    AUTO GENERATED CODE     ***
9#
10# ----------------------------------------------------------------------------
11#
12#     This file is automatically generated by Magic Modules and manual
13#     changes will be clobbered when the file is regenerated.
14#
15#     Please read more about how to change this file at
16#     https://www.github.com/GoogleCloudPlatform/magic-modules
17#
18# ----------------------------------------------------------------------------
19
20from __future__ import absolute_import, division, print_function
21
22__metaclass__ = type
23
24################################################################################
25# Documentation
26################################################################################
27
28ANSIBLE_METADATA = {'metadata_version': '1.1', 'status': ["preview"], 'supported_by': 'community'}
29
30DOCUMENTATION = '''
31---
32module: gcp_compute_firewall_info
33description:
34- Gather info for GCP Firewall
35- This module was called C(gcp_compute_firewall_facts) before Ansible 2.9. The usage
36  has not changed.
37short_description: Gather info for GCP Firewall
38version_added: 2.7
39author: Google Inc. (@googlecloudplatform)
40requirements:
41- python >= 2.6
42- requests >= 2.18.4
43- google-auth >= 1.3.0
44options:
45  filters:
46    description:
47    - A list of filter value pairs. Available filters are listed here U(https://cloud.google.com/sdk/gcloud/reference/topic/filters).
48    - Each additional filter in the list will act be added as an AND condition (filter1
49      and filter2) .
50    type: list
51extends_documentation_fragment: gcp
52'''
53
54EXAMPLES = '''
55- name: get info on a firewall
56  gcp_compute_firewall_info:
57    filters:
58    - name = test_object
59    project: test_project
60    auth_kind: serviceaccount
61    service_account_file: "/tmp/auth.pem"
62'''
63
64RETURN = '''
65resources:
66  description: List of resources
67  returned: always
68  type: complex
69  contains:
70    allowed:
71      description:
72      - The list of ALLOW rules specified by this firewall. Each rule specifies a
73        protocol and port-range tuple that describes a permitted connection.
74      returned: success
75      type: complex
76      contains:
77        ip_protocol:
78          description:
79          - The IP protocol to which this rule applies. The protocol type is required
80            when creating a firewall rule. This value can either be one of the following
81            well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP
82            protocol number.
83          returned: success
84          type: str
85        ports:
86          description:
87          - An optional list of ports to which this rule applies. This field is only
88            applicable for UDP or TCP protocol. Each entry must be either an integer
89            or a range. If not specified, this rule applies to connections through
90            any port.
91          - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
92          returned: success
93          type: list
94    creationTimestamp:
95      description:
96      - Creation timestamp in RFC3339 text format.
97      returned: success
98      type: str
99    denied:
100      description:
101      - The list of DENY rules specified by this firewall. Each rule specifies a protocol
102        and port-range tuple that describes a denied connection.
103      returned: success
104      type: complex
105      contains:
106        ip_protocol:
107          description:
108          - The IP protocol to which this rule applies. The protocol type is required
109            when creating a firewall rule. This value can either be one of the following
110            well known protocol strings (tcp, udp, icmp, esp, ah, sctp), or the IP
111            protocol number.
112          returned: success
113          type: str
114        ports:
115          description:
116          - An optional list of ports to which this rule applies. This field is only
117            applicable for UDP or TCP protocol. Each entry must be either an integer
118            or a range. If not specified, this rule applies to connections through
119            any port.
120          - 'Example inputs include: ["22"], ["80","443"], and ["12345-12349"].'
121          returned: success
122          type: list
123    description:
124      description:
125      - An optional description of this resource. Provide this property when you create
126        the resource.
127      returned: success
128      type: str
129    destinationRanges:
130      description:
131      - If destination ranges are specified, the firewall will apply only to traffic
132        that has destination IP address in these ranges. These ranges must be expressed
133        in CIDR format. Only IPv4 is supported.
134      returned: success
135      type: list
136    direction:
137      description:
138      - 'Direction of traffic to which this firewall applies; default is INGRESS.
139        Note: For INGRESS traffic, it is NOT supported to specify destinationRanges;
140        For EGRESS traffic, it is NOT supported to specify sourceRanges OR sourceTags.'
141      returned: success
142      type: str
143    disabled:
144      description:
145      - Denotes whether the firewall rule is disabled, i.e not applied to the network
146        it is associated with. When set to true, the firewall rule is not enforced
147        and the network behaves as if it did not exist. If this is unspecified, the
148        firewall rule will be enabled.
149      returned: success
150      type: bool
151    id:
152      description:
153      - The unique identifier for the resource.
154      returned: success
155      type: int
156    name:
157      description:
158      - Name of the resource. Provided by the client when the resource is created.
159        The name must be 1-63 characters long, and comply with RFC1035. Specifically,
160        the name must be 1-63 characters long and match the regular expression `[a-z]([-a-z0-9]*[a-z0-9])?`
161        which means the first character must be a lowercase letter, and all following
162        characters must be a dash, lowercase letter, or digit, except the last character,
163        which cannot be a dash.
164      returned: success
165      type: str
166    network:
167      description:
168      - 'URL of the network resource for this firewall rule. If not specified when
169        creating a firewall rule, the default network is used: global/networks/default
170        If you choose to specify this property, you can specify the network as a full
171        or partial URL. For example, the following are all valid URLs: U(https://www.googleapis.com/compute/v1/projects/myproject/global/)
172        networks/my-network projects/myproject/global/networks/my-network global/networks/default
173        .'
174      returned: success
175      type: dict
176    priority:
177      description:
178      - Priority for this rule. This is an integer between 0 and 65535, both inclusive.
179        When not specified, the value assumed is 1000. Relative priorities determine
180        precedence of conflicting rules. Lower value of priority implies higher precedence
181        (eg, a rule with priority 0 has higher precedence than a rule with priority
182        1). DENY rules take precedence over ALLOW rules having equal priority.
183      returned: success
184      type: int
185    sourceRanges:
186      description:
187      - If source ranges are specified, the firewall will apply only to traffic that
188        has source IP address in these ranges. These ranges must be expressed in CIDR
189        format. One or both of sourceRanges and sourceTags may be set. If both properties
190        are set, the firewall will apply to traffic that has source IP address within
191        sourceRanges OR the source IP that belongs to a tag listed in the sourceTags
192        property. The connection does not need to match both properties for the firewall
193        to apply. Only IPv4 is supported.
194      returned: success
195      type: list
196    sourceServiceAccounts:
197      description:
198      - If source service accounts are specified, the firewall will apply only to
199        traffic originating from an instance with a service account in this list.
200        Source service accounts cannot be used to control traffic to an instance's
201        external IP address because service accounts are associated with an instance,
202        not an IP address. sourceRanges can be set at the same time as sourceServiceAccounts.
203        If both are set, the firewall will apply to traffic that has source IP address
204        within sourceRanges OR the source IP belongs to an instance with service account
205        listed in sourceServiceAccount. The connection does not need to match both
206        properties for the firewall to apply. sourceServiceAccounts cannot be used
207        at the same time as sourceTags or targetTags.
208      returned: success
209      type: list
210    sourceTags:
211      description:
212      - If source tags are specified, the firewall will apply only to traffic with
213        source IP that belongs to a tag listed in source tags. Source tags cannot
214        be used to control traffic to an instance's external IP address. Because tags
215        are associated with an instance, not an IP address. One or both of sourceRanges
216        and sourceTags may be set. If both properties are set, the firewall will apply
217        to traffic that has source IP address within sourceRanges OR the source IP
218        that belongs to a tag listed in the sourceTags property. The connection does
219        not need to match both properties for the firewall to apply.
220      returned: success
221      type: list
222    targetServiceAccounts:
223      description:
224      - A list of service accounts indicating sets of instances located in the network
225        that may make network connections as specified in allowed[].
226      - targetServiceAccounts cannot be used at the same time as targetTags or sourceTags.
227        If neither targetServiceAccounts nor targetTags are specified, the firewall
228        rule applies to all instances on the specified network.
229      returned: success
230      type: list
231    targetTags:
232      description:
233      - A list of instance tags indicating sets of instances located in the network
234        that may make network connections as specified in allowed[].
235      - If no targetTags are specified, the firewall rule applies to all instances
236        on the specified network.
237      returned: success
238      type: list
239'''
240
241################################################################################
242# Imports
243################################################################################
244from ansible.module_utils.gcp_utils import navigate_hash, GcpSession, GcpModule, GcpRequest
245import json
246
247################################################################################
248# Main
249################################################################################
250
251
252def main():
253    module = GcpModule(argument_spec=dict(filters=dict(type='list', elements='str')))
254
255    if module._name == 'gcp_compute_firewall_facts':
256        module.deprecate("The 'gcp_compute_firewall_facts' module has been renamed to 'gcp_compute_firewall_info'", version='2.13')
257
258    if not module.params['scopes']:
259        module.params['scopes'] = ['https://www.googleapis.com/auth/compute']
260
261    return_value = {'resources': fetch_list(module, collection(module), query_options(module.params['filters']))}
262    module.exit_json(**return_value)
263
264
265def collection(module):
266    return "https://www.googleapis.com/compute/v1/projects/{project}/global/firewalls".format(**module.params)
267
268
269def fetch_list(module, link, query):
270    auth = GcpSession(module, 'compute')
271    return auth.list(link, return_if_object, array_name='items', params={'filter': query})
272
273
274def query_options(filters):
275    if not filters:
276        return ''
277
278    if len(filters) == 1:
279        return filters[0]
280    else:
281        queries = []
282        for f in filters:
283            # For multiple queries, all queries should have ()
284            if f[0] != '(' and f[-1] != ')':
285                queries.append("(%s)" % ''.join(f))
286            else:
287                queries.append(f)
288
289        return ' '.join(queries)
290
291
292def return_if_object(module, response):
293    # If not found, return nothing.
294    if response.status_code == 404:
295        return None
296
297    # If no content, return nothing.
298    if response.status_code == 204:
299        return None
300
301    try:
302        module.raise_for_status(response)
303        result = response.json()
304    except getattr(json.decoder, 'JSONDecodeError', ValueError) as inst:
305        module.fail_json(msg="Invalid JSON response with error: %s" % inst)
306
307    if navigate_hash(result, ['error', 'errors']):
308        module.fail_json(msg=navigate_hash(result, ['error', 'errors']))
309
310    return result
311
312
313if __name__ == "__main__":
314    main()
315