Hide keyboard shortcuts

Hot-keys on this page

r m x p   toggle line displays

j k   next/prev highlighted chunk

0   (zero) top of page

1   (one) first highlighted chunk

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

20

21

22

23

24

25

26

27

28

29

30

31

32

33

34

35

36

37

38

39

40

41

42

43

44

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

80

81

82

83

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

#!/usr/bin/python 

# -*- coding: utf-8 -*- 

 

# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> 

# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) 

 

from __future__ import absolute_import, division, print_function 

__metaclass__ = type 

 

ANSIBLE_METADATA = { 

'metadata_version': '1.1', 

'status': ['preview'], 

'supported_by': 'community' 

} 

 

DOCUMENTATION = r''' 

--- 

module: meraki_mr_l3_firewall 

short_description: Manage MR access point layer 3 firewalls in the Meraki cloud 

version_added: "2.7" 

description: 

- Allows for creation, management, and visibility into layer 3 firewalls implemented on Meraki MR access points. 

- Module is not idempotent as of current release. 

options: 

state: 

description: 

- Create or modify an organization. 

type: str 

choices: [ present, query ] 

default: present 

net_name: 

description: 

- Name of network containing access points. 

type: str 

net_id: 

description: 

- ID of network containing access points. 

type: str 

number: 

description: 

- Number of SSID to apply firewall rule to. 

type: str 

aliases: [ ssid_number ] 

ssid_name: 

description: 

- Name of SSID to apply firewall rule to. 

type: str 

aliases: [ ssid ] 

allow_lan_access: 

description: 

- Sets whether devices can talk to other devices on the same LAN. 

type: bool 

default: yes 

rules: 

description: 

- List of firewall rules. 

type: list 

suboptions: 

policy: 

description: 

- Specifies the action that should be taken when rule is hit. 

type: str 

choices: [ allow, deny ] 

protocol: 

description: 

- Specifies protocol to match against. 

type: str 

choices: [ any, icmp, tcp, udp ] 

dest_port: 

description: 

- Comma-seperated list of destination ports to match. 

type: str 

dest_cidr: 

description: 

- Comma-separated list of CIDR notation networks to match. 

type: str 

comment: 

description: 

- Optional comment describing the firewall rule. 

type: str 

author: 

- Kevin Breit (@kbreit) 

extends_documentation_fragment: meraki 

''' 

 

EXAMPLES = r''' 

- name: Create single firewall rule 

meraki_mr_l3_firewall: 

auth_key: abc123 

state: present 

org_name: YourOrg 

net_id: 12345 

number: 1 

rules: 

- comment: Integration test rule 

policy: allow 

protocol: tcp 

dest_port: 80 

dest_cidr: 192.0.2.0/24 

allow_lan_access: no 

delegate_to: localhost 

 

- name: Enable local LAN access 

meraki_mr_l3_firewall: 

auth_key: abc123 

state: present 

org_name: YourOrg 

net_id: 123 

number: 1 

rules: 

allow_lan_access: yes 

delegate_to: localhost 

 

- name: Query firewall rules 

meraki_mr_l3_firewall: 

auth_key: abc123 

state: query 

org_name: YourOrg 

net_name: YourNet 

number: 1 

delegate_to: localhost 

''' 

 

RETURN = r''' 

 

''' 

 

from ansible.module_utils.basic import AnsibleModule, json 

from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec 

 

 

def assemble_payload(meraki): 

params_map = {'policy': 'policy', 

'protocol': 'protocol', 

'dest_port': 'destPort', 

'dest_cidr': 'destCidr', 

'comment': 'comment', 

} 

rules = [] 

for rule in meraki.params['rules']: 

proposed_rule = dict() 

for k, v in rule.items(): 

proposed_rule[params_map[k]] = v 

rules.append(proposed_rule) 

payload = {'rules': rules} 

return payload 

 

 

def get_rules(meraki, net_id, number): 

path = meraki.construct_path('get_all', net_id=net_id, custom={'number': number}) 

response = meraki.request(path, method='GET') 

152 ↛ exitline 152 didn't return from function 'get_rules', because the condition on line 152 was never false if meraki.status == 200: 

return response 

 

 

def get_ssid_number(name, data): 

for ssid in data: 

if name == ssid['name']: 

return ssid['number'] 

return False 

 

 

def get_ssids(meraki, net_id): 

path = meraki.construct_path('get_all', net_id=net_id) 

return meraki.request(path, method='GET') 

 

 

def main(): 

# define the available arguments/parameters that a user can pass to 

# the module 

 

fw_rules = dict(policy=dict(type='str', choices=['allow', 'deny']), 

protocol=dict(type='str', choices=['tcp', 'udp', 'icmp', 'any']), 

dest_port=dict(type='str'), 

dest_cidr=dict(type='str'), 

comment=dict(type='str'), 

) 

 

argument_spec = meraki_argument_spec() 

argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), 

net_name=dict(type='str'), 

net_id=dict(type='str'), 

number=dict(type='str', aliases=['ssid_number']), 

ssid_name=dict(type='str', aliases=['ssid']), 

rules=dict(type='list', default=None, elements='dict', options=fw_rules), 

allow_lan_access=dict(type='bool', default=True), 

) 

 

# the AnsibleModule object will be our abstraction working with Ansible 

# this includes instantiation, a couple of common attr would be the 

# args/params passed to the execution, as well as if the module 

# supports check mode 

module = AnsibleModule(argument_spec=argument_spec, 

supports_check_mode=True, 

) 

meraki = MerakiModule(module, function='mr_l3_firewall') 

 

meraki.params['follow_redirects'] = 'all' 

 

query_urls = {'mr_l3_firewall': '/networks/{net_id}/ssids/{number}/l3FirewallRules'} 

update_urls = {'mr_l3_firewall': '/networks/{net_id}/ssids/{number}/l3FirewallRules'} 

 

meraki.url_catalog['get_all'].update(query_urls) 

meraki.url_catalog['update'] = update_urls 

 

payload = None 

 

# execute checks for argument completeness 

 

# manipulate or modify the state as needed (this is going to be the 

# part where your module will do what it needs to do) 

org_id = meraki.params['org_id'] 

orgs = None 

214 ↛ 219line 214 didn't jump to line 219, because the condition on line 214 was never false if org_id is None: 

orgs = meraki.get_orgs() 

for org in orgs: 

if org['name'] == meraki.params['org_name']: 

org_id = org['id'] 

net_id = meraki.params['net_id'] 

220 ↛ 221line 220 didn't jump to line 221, because the condition on line 220 was never true if net_id is None: 

if orgs is None: 

orgs = meraki.get_orgs() 

net_id = meraki.get_net_id(net_name=meraki.params['net_name'], 

data=meraki.get_nets(org_id=org_id)) 

number = meraki.params['number'] 

if meraki.params['ssid_name']: 

number = get_ssid_number(meraki.params['ssid_name'], get_ssids(meraki, net_id)) 

 

if meraki.params['state'] == 'query': 

meraki.result['data'] = get_rules(meraki, net_id, number) 

231 ↛ 283line 231 didn't jump to line 283, because the condition on line 231 was never false elif meraki.params['state'] == 'present': 

rules = get_rules(meraki, net_id, number) 

path = meraki.construct_path('get_all', net_id=net_id, custom={'number': number}) 

if meraki.params['rules']: 

payload = assemble_payload(meraki) 

else: 

payload = dict() 

update = False 

try: 

240 ↛ 242line 240 didn't jump to line 242, because the condition on line 240 was never false if len(rules) != len(payload['rules']): # Quick and simple check to avoid more processing 

update = True 

if update is False: 

243 ↛ 248line 243 didn't jump to line 248, because the loop on line 243 didn't complete for r in range(len(rules) - 2): 

244 ↛ 243line 244 didn't jump to line 243, because the condition on line 244 was never false if meraki.is_update_required(rules[r], payload[r]) is True: 

update = True 

except KeyError: 

pass 

248 ↛ 250line 248 didn't jump to line 250, because the condition on line 248 was never false if rules[len(rules) - 2] != meraki.params['allow_lan_access']: 

update = True 

250 ↛ 279line 250 didn't jump to line 279, because the condition on line 250 was never false if update is True: 

payload['allowLanAccess'] = meraki.params['allow_lan_access'] 

if meraki.check_mode is True: 

# This code is disgusting, rework it at some point 

if 'rules' in payload: 

cleansed_payload = payload['rules'] 

cleansed_payload.append(rules[len(rules) - 1]) 

cleansed_payload.append(rules[len(rules) - 2]) 

if meraki.params['allow_lan_access'] is None: 

cleansed_payload[len(cleansed_payload) - 2]['policy'] = rules[len(rules) - 2]['policy'] 

else: 

if meraki.params['allow_lan_access'] is True: 

cleansed_payload[len(cleansed_payload) - 2]['policy'] = 'allow' 

else: 

cleansed_payload[len(cleansed_payload) - 2]['policy'] = 'deny' 

else: 

266 ↛ 269line 266 didn't jump to line 269, because the condition on line 266 was never false if meraki.params['allow_lan_access'] is True: 

rules[len(rules) - 2]['policy'] = 'allow' 

else: 

rules[len(rules) - 2]['policy'] = 'deny' 

cleansed_payload = rules 

meraki.result['data'] = cleansed_payload 

meraki.result['changed'] = True 

meraki.exit_json(**meraki.result) 

response = meraki.request(path, method='PUT', payload=json.dumps(payload)) 

275 ↛ 283line 275 didn't jump to line 283, because the condition on line 275 was never false if meraki.status == 200: 

meraki.result['data'] = response 

meraki.result['changed'] = True 

else: 

meraki.result['data'] = rules 

 

# in the event of a successful module execution, you will want to 

# simple AnsibleModule.exit_json(), passing the key/value results 

meraki.exit_json(**meraki.result) 

 

 

286 ↛ exitline 286 didn't exit the module, because the condition on line 286 was never falseif __name__ == '__main__': 

main()