New Module : azure_rm_firewallpolicy #705

Merged

aparna-patil
Contributor

SUMMARY

This module supports the following features:

  1. Create a new firewall policy
  2. Update an existing firewall policy
  3. Delete firewall policy
  4. Get details about specified firewall policy
  5. List all firewall policies

ISSUE TYPE

  • New Module Pull Request

COMPONENT NAME

azure_rm_firewallpolicy
azure_rm_firewallpolicy_info

ADDITIONAL INFORMATION

@aparna-patil
Contributor Author

Integration test results -

```
root@aparna-patil:~/ansible# ansible-test integration azure_rm_firewallpolicy --allow-destructive -v
Run command: /usr/bin/python /root/ansible/test/lib/ansible_test/_data/yamlcheck.py
Running azure_rm_firewallpolicy integration test role
Injecting "/tmp/python-3yrqhrqe-ansible/python" as a execv wrapper for the "/usr/bin/python" interpreter.
Run command: ansible-playbook azure_rm_firewallpolicy-krx5y4bw.yml -i inventory -v
Using /root/ansible/test/results/.tmp/integration/azure_rm_firewallpolicy-4zzbi4tk-ÅÑŚÌβŁÈ/test/integration/integration.cfg as config file
[WARNING]: The `junit_xml` python module is not installed. Disabling the `junit` callback plugin.

PLAY [testhost] *******************************************************************************************************************************************************************************************

TASK [Gathering Facts] ************************************************************************************************************************************************************************************
ok: [testhost]

TASK [azure_rm_firewallpolicy : Create firewall policy name] **********************************************************************************************************************************************
ok: [testhost] => {"ansible_facts": {"policy_name": "fpc45a0c9bf44019d01fd561"}, "changed": false}

TASK [azure_rm_firewallpolicy : Create firewall policy] ***************************************************************************************************************************************************
changed: [testhost] => {"changed": true, "state": {"child_policies": [], "etag": "35e5816f-d3b9-4aa1-84a0-6731943497e1", "firewalls": [], "id": "/subscriptions/7b1b46f1-e266-404e-96b4-8738a385c254/resourceGroups/MyAzureResourceGroup/providers/Microsoft.Network/firewallPolicies/fpc45a0c9bf44019d01fd561", "location": "centralindia", "name": "fpc45a0c9bf44019d01fd561", "provisioning_state": "Succeeded", "rule_collection_groups": [], "tags": null, "threat_intel_mode": "Alert", "threat_intel_whitelist": {"fqdns": ["*.microsoft.com", "*.azure.com"], "ip_addresses": ["10.0.0.1", "10.0.0.2"]}, "type": "Microsoft.Network/FirewallPolicies"}}

TASK [azure_rm_firewallpolicy : Assert that firewall policy is created] ***********************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_firewallpolicy : Create a firewall policy again (Idempotent test)] *************************************************************************************************************************
ok: [testhost] => {"changed": false, "state": {"child_policies": [], "etag": "35e5816f-d3b9-4aa1-84a0-6731943497e1", "firewalls": [], "id": "/subscriptions/7b1b46f1-e266-404e-96b4-8738a385c254/resourceGroups/MyAzureResourceGroup/providers/Microsoft.Network/firewallPolicies/fpc45a0c9bf44019d01fd561", "location": "centralindia", "name": "fpc45a0c9bf44019d01fd561", "provisioning_state": "Succeeded", "rule_collection_groups": [], "tags": {}, "threat_intel_mode": "Alert", "threat_intel_whitelist": {"fqdns": ["*.microsoft.com", "*.azure.com"], "ip_addresses": ["10.0.0.1", "10.0.0.2"]}, "type": "Microsoft.Network/FirewallPolicies"}}

TASK [azure_rm_firewallpolicy : Assert that output is not changed] ****************************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_firewallpolicy : Update a firewall policy] *************************************************************************************************************************************************
changed: [testhost] => {"changed": true, "state": {"child_policies": [], "etag": "7505583f-a215-466b-82e9-b4657930b979", "firewalls": [], "id": "/subscriptions/7b1b46f1-e266-404e-96b4-8738a385c254/resourceGroups/MyAzureResourceGroup/providers/Microsoft.Network/firewallPolicies/fpc45a0c9bf44019d01fd561", "location": "centralindia", "name": "fpc45a0c9bf44019d01fd561", "provisioning_state": "Succeeded", "rule_collection_groups": [], "tags": {"key1": "value1"}, "threat_intel_mode": "Deny", "threat_intel_whitelist": {"fqdns": ["*.microsoft.com"], "ip_addresses": ["10.0.0.1"]}, "type": "Microsoft.Network/FirewallPolicies"}}

TASK [azure_rm_firewallpolicy : Assert that firewall policy is updated] ***********************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_firewallpolicy : Get firewall policy facts] ************************************************************************************************************************************************
ok: [testhost] => {"changed": false, "firewallpolicies": [{"base_policy": null, "child_policies": [], "dns_settings": {}, "etag": "7505583f-a215-466b-82e9-b4657930b979", "firewalls": [], "id": "/subscriptions/7b1b46f1-e266-404e-96b4-8738a385c254/resourceGroups/MyAzureResourceGroup/providers/Microsoft.Network/firewallPolicies/fpc45a0c9bf44019d01fd561", "location": "centralindia", "name": "fpc45a0c9bf44019d01fd561", "provisioning_state": "Succeeded", "rule_collection_groups": [], "tags": {"key1": "value1"}, "threat_intel_mode": "Deny", "threat_intel_whitelist": {"fqdns": ["*.microsoft.com"], "ip_addresses": ["10.0.0.1"]}, "type": "Microsoft.Network/FirewallPolicies"}]}

TASK [azure_rm_firewallpolicy : assert] *******************************************************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_firewallpolicy : Delete the firewall policy] ***********************************************************************************************************************************************
changed: [testhost] => {"changed": true, "state": "Deleted"}

TASK [azure_rm_firewallpolicy : Assert that firewall policy is deleted] ***********************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

TASK [azure_rm_firewallpolicy : Delete firewall policy again (Idempotent test)] ***************************************************************************************************************************
ok: [testhost] => {"changed": false, "state": {}}

TASK [azure_rm_firewallpolicy : Asset that output is not changed] *****************************************************************************************************************************************
ok: [testhost] => {
    "changed": false,
    "msg": "All assertions passed"
}

PLAY RECAP ************************************************************************************************************************************************************************************************
testhost                   : ok=14   changed=3    unreachable=0    failed=0    skipped=0    rescued=0    ignored=0
```

Collaborator

@Fred-sun Fred-sun left a comment

small change request!

plugins/modules/azure_rm_firewallpolicy.py Outdated
self.threat_intel_mode.lower() != results['threat_intel_mode'].lower():
changed = True
results['threat_intel_mode'] = self.threat_intel_mode
if self.threat_intel_whitelist:
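
Review bot: `if self.threat_intel_whitelist:` at the end of this excerpt is a truthiness test, so an explicitly empty whitelist is skipped exactly like an omitted option and a playbook cannot use it to clear the allowlist; test `is not None` if clearing should be possible. On the first line, `results['threat_intel_mode'].lower()` raises AttributeError when the existing policy returns no mode, unless the part of the condition cut off above this excerpt already guards it.
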
Collaborator

The processing logic here doesn't make sense. The recommendation is to compare the current parameter with the obtained result. If the resource does not exist, the parameter is the current configuration and is created directly. If the resource exists and the obtained configuration information contains the current parameters, then no update is made and idempotency holds. If the resource exists and the obtained configuration information does not contain the current configuration parameters, the module will update and add the new configurations. Thank you very much!

Collaborator

You can also refer to the update logic of tags. Thank you very much!
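
The containment check requested in the review comments above, applied to `threat_intel_whitelist`, as an added example that is not code from this PR or from the collection. The function and variable names are hypothetical; the sample values are the ones in the integration test output earlier in the thread. It also reports entries that exist on the policy but are not declared in the task, because under this rule they are never removed.

```python
# Added illustration; the function and variable names are hypothetical,
# not taken from azure_rm_firewallpolicy.py.
KEYS = ("fqdns", "ip_addresses")


def _key(entry):
    """Comparison key: FQDN patterns are case-insensitive, so fold case."""
    return entry.strip().lower()


def merge_threat_intel_whitelist(desired, current):
    """Containment-based update check for the threat-intel allowlist.

    desired: whitelist from the task (None when the option is omitted)
    current: whitelist read back from the existing policy (None if absent)
    Returns (changed, merged, undeclared):
      merged     - current entries plus any desired entries that were missing
      undeclared - entries on the resource that the task does not list
    """
    current = current or {}
    merged = {k: list(current.get(k) or []) for k in KEYS}
    undeclared = {k: [] for k in KEYS}
    if desired is None:            # option omitted: nothing to compare
        return False, merged, undeclared

    changed = False
    for k in KEYS:
        wanted = [e.strip() for e in (desired.get(k) or [])]
        have = {_key(e) for e in merged[k]}
        for entry in wanted:
            if _key(entry) not in have:   # not contained -> add it
                merged[k].append(entry)
                have.add(_key(entry))
                changed = True
        wanted_keys = {_key(e) for e in wanted}
        # Additive merging never removes anything, so report what the
        # task no longer declares; stale allowlist entries stay active.
        undeclared[k] = [e for e in merged[k] if _key(e) not in wanted_keys]
    return changed, merged, undeclared


if __name__ == "__main__":
    # Current state copied from the "Create firewall policy" output above.
    current = {"fqdns": ["*.microsoft.com", "*.azure.com"],
               "ip_addresses": ["10.0.0.1", "10.0.0.2"]}
    # Desired state from the "Update a firewall policy" output above.
    desired = {"fqdns": ["*.microsoft.com"], "ip_addresses": ["10.0.0.1"]}
    print(merge_threat_intel_whitelist(desired, current))
```

With the values from the update test, this returns `changed=False` and lists `*.azure.com` and `10.0.0.2` as undeclared, which is worth surfacing to whoever audits the allowlist.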

Contributor Author

Sure @Fred-sun Thank you for suggestions! Let me work on it.

Contributor Author

Hi @Fred-sun, I have updated the logic for self.threat_intel_whitelist as suggested. Could you please check it once again? Thank you very much!

@Fred-sun added the labels medium_priority (Medium priority), new_module_pr (Add new modules) and work in (In trying to solve, or in working with contributors) on Dec 6, 2021
@Fred-sun
Collaborator

Fred-sun commented Dec 6, 2021

@aparna-patil The self.threat_intel_whitelist update logic also needs your help to change. Thank you very much!

The processing logic here doesn't make sense. The recommendation is to compare the current parameter with the obtained result. If the resource does not exist, the parameter is the current configuration and is created directly. If the resource exists and the obtained configuration information contains the current parameters, then no update is made and idempotency holds. If the resource exists and the obtained configuration information does not contain the current configuration parameters, the module will update and add the new configurations. Thank you very much!

@aparna-patil
Contributor Author

Hi @Fred-sun, I have made the suggested changes. Could you please review this PR once again?
Thank you very much!

@Fred-sun
Collaborator

Fred-sun commented Jan 7, 2022

@aparna-patil The update logic is not reasonable. If the current resource contains the configuration in the script, do not update it. If some parameters in the configuration do not belong to the current configuration, add new parameters. Thank you very much!

@aparna-patil
Contributor Author

> @aparna-patil The update logic is not reasonable. If the current resource contains the configuration in the script, do not update it. If some parameters in the configuration do not belong to the current configuration, add new parameters. Thank you very much!

Hi @Fred-sun, thank you for reviewing! Just wanted to check if the update logic needs to be revised for all the parameters or for the self.threat_intel_whitelist param only? Also, if you could share a reference module which I can refer to for the correct implementation of this update logic, it would really help me.

Thank you very much!

@Fred-sun
Collaborator

> @aparna-patil The update logic is not reasonable. If the current resource contains the configuration in the script, do not update it. If some parameters in the configuration do not belong to the current configuration, add new parameters. Thank you very much!
>
> Hi @Fred-sun, thank you for reviewing! Just wanted to check if the update logic needs to be revised for all the parameters or for the self.threat_intel_whitelist param only? Also, if you could share a reference module which I can refer to for the correct implementation of this update logic, it would really help me.
>
> Thank you very much!

@aparna-patil You can refer to module -- azure_rm_virtualnetwork.py.

@Fred-sun
Collaborator

@aparna-patil Thank you for your contribution. The dependencies related to network have been updated. Please help rebase this PR and apply the latest SDK. Thank you very much!

@Fred-sun
Collaborator

kindly ping!

@aparna-patil
Contributor Author

Hi @Fred-sun, sure, will work on the changes using the new SDK. Thanks!

@Fred-sun
Collaborator

Fred-sun commented Apr 1, 2022

@aparna-patil Thanks for your reply, you can rebase PR and retest below, as the new SDK functions have different names from the old SDK functions. Thank you very much!

@Fred-sun Fred-sun closed this Apr 6, 2022
@Fred-sun Fred-sun reopened this Apr 6, 2022
@Fred-sun
Collaborator

@aparna-patil If you don't have time, you can authorize me to change this PR together, thank you!

@aparna-patil
Contributor Author

> @aparna-patil If you don't have time, you can authorize me to change this PR together, thank you!

Hi @Fred-sun Thank you for helping! I am unable to take out time to work on this PR due to some other commitments. I have provided the access to this PR. Could you please check once? Thank you once again!

@Fred-sun
Collaborator

Fred-sun commented Jun 6, 2022

@aparna-patil I am sorry that I do not have your authorization to modify this change together. Thank you very much!

@aparna-patil
Contributor Author

> @aparna-patil I am sorry that I do not have your authorization to modify this change together. Thank you very much!

Hi @Fred-sun I have added you as a collaborator on my repository. Could you please check now if you have the write access to the branch? Thank you very much!

@Fred-sun added the label ready_for_review (The PR has been modified and can be reviewed and merged) and removed the label work in (In trying to solve, or in working with contributors) on Jun 6, 2022
@xuzhang3
Collaborator

xuzhang3 commented Jun 7, 2022

LGTM

@xuzhang3 xuzhang3 merged commit 1a51a9d into ansible-collections:dev Jun 7, 2022