Coverage for plugins/modules/meraki_mx_l3_firewall.py : 83%

#!/usr/bin/python
# -*- coding: utf-8 -*-

# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net>
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)

ANSIBLE_METADATA = {
    'metadata_version': '1.1',
    'status': ['preview'],
    'supported_by': 'community'
}

DOCUMENTATION = r'''
---
module: meraki_mx_l3_firewall
short_description: Manage MX appliance layer 3 firewalls in the Meraki cloud
version_added: "2.7"
description:
- Allows for creation, management, and visibility into layer 3 firewalls implemented on Meraki MX firewalls.
notes:
- Module assumes a complete list of firewall rules is passed as a parameter; the network's rule set is replaced with that list, so any rule left out of it is removed.
- If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module.
options:
    state:
        description:
        - Query the current firewall rules, or set them to the supplied list.
        choices: ['present', 'query']
        default: present
        type: str
    net_name:
        description:
        - Name of network which MX firewall is in.
        type: str
    net_id:
        description:
        - ID of network which MX firewall is in.
        type: str
    rules:
        description:
        - List of firewall rules.
        type: list
        suboptions:
            policy:
                description:
                - Policy to apply if rule is hit.
                choices: [allow, deny]
                type: str
            protocol:
                description:
                - Protocol to match against.
                choices: [any, icmp, tcp, udp]
                type: str
            dest_port:
                description:
                - Comma separated list of destination port numbers to match against.
                - C(Any) must be capitalized.
                type: str
            dest_cidr:
                description:
                - Comma separated list of CIDR notation destination networks.
                - C(Any) must be capitalized.
                type: str
            src_port:
                description:
                - Comma separated list of source port numbers to match against.
                - C(Any) must be capitalized.
                type: str
            src_cidr:
                description:
                - Comma separated list of CIDR notation source networks.
                - C(Any) must be capitalized.
                type: str
            comment:
                description:
                - Optional comment to describe the firewall rule.
                type: str
            syslog_enabled:
                description:
                - Whether to log hits against the firewall rule.
                - Only applicable if a syslog server is specified against the network.
                type: bool
    syslog_default_rule:
        description:
        - Whether to log hits against the default firewall rule.
        - Only applicable if a syslog server is specified against the network.
        - This is not shown in response from Meraki. Instead, refer to the C(syslog_enabled) value in the default rule.
        type: bool
        default: no
author:
- Kevin Breit (@kbreit)
extends_documentation_fragment: meraki
'''

EXAMPLES = r'''
- name: Query firewall rules
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: query
  delegate_to: localhost

- name: Set two firewall rules
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: Any
        dest_cidr: 192.0.2.2/32
        dest_port: Any
        protocol: any
        policy: deny
      - comment: Allow traffic to group of servers
        src_cidr: 192.0.1.0/24
        src_port: Any
        dest_cidr: 192.0.2.0/24
        dest_port: Any
        protocol: any
        policy: allow
  delegate_to: localhost

- name: Set one firewall rule and enable logging of the default rule
  meraki_mx_l3_firewall:
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: Any
        dest_cidr: 192.0.2.2/32
        dest_port: Any
        protocol: any
        policy: deny
    syslog_default_rule: yes
  delegate_to: localhost
'''

RETURN = r'''
data:
    description: Firewall rules associated with the network.
    returned: success
    type: complex
    contains:
        comment:
            description: Comment to describe the firewall rule.
            returned: always
            type: str
            sample: Block traffic to server
        src_cidr:
            description: Comma separated list of CIDR notation source networks.
            returned: always
            type: str
            sample: 192.0.1.1/32,192.0.1.2/32
        src_port:
            description: Comma separated list of source ports.
            returned: always
            type: str
            sample: 80,443
        dest_cidr:
            description: Comma separated list of CIDR notation destination networks.
            returned: always
            type: str
            sample: 192.0.1.1/32,192.0.1.2/32
        dest_port:
            description: Comma separated list of destination ports.
            returned: always
            type: str
            sample: 80,443
        protocol:
            description: Network protocol to match against.
            returned: always
            type: str
            sample: tcp
        policy:
            description: Action to take when rule is matched.
            returned: always
            type: str
        syslog_enabled:
            description: Whether to log to syslog when rule is matched.
            returned: always
            type: bool
            sample: true
'''
    'protocol': 'protocol',
    'dest_port': 'destPort',
    'dest_cidr': 'destCidr',
    'src_port': 'srcPort',
    'src_cidr': 'srcCidr',
    'syslog_enabled': 'syslogEnabled',
    'comment': 'comment',
}

        if rule['destCidr'] in any:
            rule['destCidr'] = 'Any'

    # define the available arguments/parameters that a user can pass to
    # the module
                    protocol=dict(type='str', choices=['tcp', 'udp', 'icmp', 'any']),
                    dest_port=dict(type='str'),
                    dest_cidr=dict(type='str'),
                    src_port=dict(type='str'),
                    src_cidr=dict(type='str'),
                    comment=dict(type='str'),
                    syslog_enabled=dict(type='bool', default=False),
                    )

                         net_name=dict(type='str'),
                         net_id=dict(type='str'),
                         rules=dict(type='list', default=None, elements='dict', options=fw_rules),
                         syslog_default_rule=dict(type='bool'),
                         )

    # the AnsibleModule object will be our abstraction working with Ansible
    # this includes instantiation, a couple of common attr would be the
    # args/params passed to the execution, as well as if the module
    # supports check mode
                           supports_check_mode=True,
                           )

    payload = None

    # execute checks for argument completeness

    # manipulate or modify the state as needed (this is going to be the
    # part where your module will do what it needs to do)
                             data=meraki.get_nets(org_id=org_id))

            else:
                # meraki.fail_json(msg='Compare', original=rules, payload=payload)
            else:
                # meraki.fail_json(msg='Full Compare', original=rules, payload=payload)
        else:
    else:

    # in the event of a successful module execution, you will want to
    # simple AnsibleModule.exit_json(), passing the key/value results
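The module's notes say the `rules` option is a complete list, and the fragments above show the snake_case-to-camelCase mapping and the `Any` normalisation it applies before comparing. What a practitioner wants before running `state: present` is to see exactly which existing rules an incomplete list would drop. The following is an added example, not code from the meraki_mx_l3_firewall module or from Ansible: it reuses the same key mapping, normalises `any`/`Any` the same way, and compares a proposed list against the rules a network already has as ordered lists (order is significant on a firewall). Two details are assumptions not stated on the page: that the Meraki GET response lists the implicit default rule last, and that the PUT body carries the default-rule logging flag as `syslogDefaultRule`. The `CURRENT_RULES` response and the two playbook rules are constructed sample data. The `auth_key: abc123` in the examples above is a placeholder; a real key belongs in Ansible Vault or an environment lookup, not in the playbook.

```python
# Added example, not the module's own code: models the full-list replacement that
# meraki_mx_l3_firewall performs, so a playbook author can see which existing rules
# an incomplete 'rules' list would drop. Assumptions (not stated on the page): Meraki
# lists the implicit default rule last, and the PUT body flag is 'syslogDefaultRule'.

# The snake_case -> camelCase mapping the module applies to each rule before the API call.
PARAMS_MAP = {
    'policy': 'policy', 'protocol': 'protocol', 'comment': 'comment',
    'dest_port': 'destPort', 'dest_cidr': 'destCidr',
    'src_port': 'srcPort', 'src_cidr': 'srcCidr', 'syslog_enabled': 'syslogEnabled',
}
ANY_SPELLINGS = ('any', 'Any', 'ANY')
WILDCARD_KEYS = ('srcCidr', 'destCidr', 'srcPort', 'destPort')
COMPARE_KEYS = tuple(sorted(PARAMS_MAP.values()))


def normalize_rule(rule):
    """Canonicalise a camelCase rule so playbook input and Meraki output compare equal."""
    rule = dict(rule)
    for key in WILDCARD_KEYS:
        if str(rule.get(key, '')) in ANY_SPELLINGS:
            rule[key] = 'Any'  # the capitalisation the module documentation requires
    if 'protocol' in rule:  # assumption: protocol is compared case-insensitively
        rule['protocol'] = str(rule['protocol']).lower()
    rule.setdefault('syslogEnabled', False)  # argument_spec default for syslog_enabled
    return rule


def assemble_payload(rules):
    """Translate Ansible-style rule dicts (the 'rules' option) into Meraki rule objects."""
    payload = []
    for rule in rules:
        unknown = set(rule) - set(PARAMS_MAP)
        if unknown:
            raise ValueError('unknown rule option(s): %s' % sorted(unknown))
        payload.append(normalize_rule({PARAMS_MAP[k]: v for k, v in rule.items()}))
    return payload


def _signature(rule):
    return tuple(rule.get(k) for k in COMPARE_KEYS)


def plan_change(proposed, current, syslog_default_rule=False):
    """Compare a proposed full rule list with the rules the network has now.

    Returns whether anything would change, which existing rules would vanish, and
    the PUT body. The change test compares ordered lists (order matters on a
    firewall); 'removed' is membership-based, so a pure reorder reports changed=True
    with nothing removed.
    """
    user_rules = [normalize_rule(r) for r in current[:-1]]  # assumption: default rule is last
    default_rule = current[-1] if current else {}
    wanted = {_signature(r) for r in proposed}
    removed = [r for r in user_rules if _signature(r) not in wanted]
    rules_differ = [_signature(r) for r in user_rules] != [_signature(r) for r in proposed]
    syslog_differs = bool(default_rule.get('syslogEnabled')) != bool(syslog_default_rule)
    return {
        'changed': rules_differ or syslog_differs,
        'removed': removed,
        'payload': {'rules': proposed, 'syslogDefaultRule': bool(syslog_default_rule)},
    }


# Constructed sample: a GET of the network's L3 rules after the "Set two firewall
# rules" example has run, followed by Meraki's implicit default rule (assumed last).
CURRENT_RULES = [
    {'comment': 'Block traffic to server', 'policy': 'deny', 'protocol': 'any', 'srcPort': 'Any',
     'srcCidr': '192.0.1.0/24', 'destPort': 'Any', 'destCidr': '192.0.2.2/32', 'syslogEnabled': False},
    {'comment': 'Allow traffic to group of servers', 'policy': 'allow', 'protocol': 'any', 'srcPort': 'Any',
     'srcCidr': '192.0.1.0/24', 'destPort': 'Any', 'destCidr': '192.0.2.0/24', 'syslogEnabled': False},
    {'comment': 'Default rule', 'policy': 'allow', 'protocol': 'Any', 'srcPort': 'Any',
     'srcCidr': 'Any', 'destPort': 'Any', 'destCidr': 'Any', 'syslogEnabled': False},
]
# The two rules from the "Set two firewall rules" example, as a playbook would pass them.
BLOCK_RULE = {'comment': 'Block traffic to server', 'src_cidr': '192.0.1.0/24', 'src_port': 'any',
              'dest_cidr': '192.0.2.2/32', 'dest_port': 'any', 'protocol': 'any', 'policy': 'deny'}
ALLOW_RULE = {'comment': 'Allow traffic to group of servers', 'src_cidr': '192.0.1.0/24', 'src_port': 'any',
              'dest_cidr': '192.0.2.0/24', 'dest_port': 'any', 'protocol': 'any', 'policy': 'allow'}


def rerun_two_rule_play():
    """Re-applying the two-rule example: idempotent, nothing changes."""
    return plan_change(assemble_payload([BLOCK_RULE, ALLOW_RULE]), CURRENT_RULES)


def run_one_rule_play():
    """The one-rule example with syslog_default_rule: yes silently drops the allow rule."""
    return plan_change(assemble_payload([BLOCK_RULE]), CURRENT_RULES, syslog_default_rule=True)


if __name__ == '__main__':
    for name, plan in (('two rules', rerun_two_rule_play()), ('one rule', run_one_rule_play())):
        print(name, 'changed=%s removed=%s' % (plan['changed'], [r['comment'] for r in plan['removed']]))
```

Run it before a `state: present` task the same way the module's own `state: query` would be used: feed the `data` from a query into `plan_change` with the playbook's `rules`, and treat a non-empty `removed` list as something to confirm rather than a surprise to discover after the PUT.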