#!/usr/bin/python
# Copyright: Ansible Project
# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
from __future__ import absolute_import, division, print_function
# Python 2 compatibility: a module-level __metaclass__ makes every class defined
# in this file new-style (it has no effect on Python 3).
__metaclass__ = type
DOCUMENTATION = '''
---
module: wafv2_ip_set
version_added: 1.5.0
author:
- "Markus Bergholz (@markuman)"
short_description: wafv2_ip_set
description:
- Create, modify and delete IP sets for WAFv2.
requirements:
- boto3
- botocore
options:
state:
description:
- Whether the IP set should be present or absent.
choices: ["present", "absent"]
required: true
type: str
name:
description:
- The name of the IP set.
required: true
type: str
description:
description:
- Description of the IP set.
required: false
type: str
scope:
description:
- Specifies whether this is for an AWS CloudFront distribution or for a regional application,
such as API Gateway or an Application Load Balancer.
choices: ["CLOUDFRONT","REGIONAL"]
required: true
type: str
ip_address_version:
description:
- Specifies whether this is an IPv4 or an IPv6 IP set.
- Required when I(state=present).
choices: ["IPV4","IPV6"]
type: str
addresses:
description:
- Contains an array of strings that specify one or more IP addresses or blocks of IP addresses in
Classless Inter-Domain Routing (CIDR) notation.
- Required when I(state=present).
- When I(state=absent) and I(addresses) is defined, only the given IP addresses will be removed
from the IP set. The entire IP set itself will stay present.
type: list
elements: str
tags:
description:
- Key value pairs to associate with the resource.
- Currently tags are not visible, neither in the web UI, nor via the CLI, nor in boto3.
required: false
type: dict
purge_addresses:
description:
- When set to C(no), existing addresses are kept in place: new addresses are added, but none are deleted.
default: yes
type: bool
extends_documentation_fragment:
- amazon.aws.aws
- amazon.aws.ec2
'''
EXAMPLES = '''
- name: test ip set
wafv2_ip_set:
name: test02
state: present
description: hallo eins
scope: REGIONAL
ip_address_version: IPV4
addresses:
- 8.8.8.8/32
- 8.8.4.4/32
tags:
A: B
C: D
'''
RETURN = """
addresses:
description: Current addresses of the ip set
sample:
- 8.8.8.8/32
- 8.8.4.4/32
returned: Always, as long as the ip set exists
type: list
arn:
description: IP set arn
sample: "arn:aws:wafv2:eu-central-1:11111111:regional/ipset/test02/4b007330-2934-4dc5-af24-82dcb3aeb127"
type: str
returned: Always, as long as the ip set exists
description:
description: Description of the ip set
sample: Some IP set description
returned: Always, as long as the ip set exists
type: str
ip_address_version:
description: IP version of the ip set
sample: IPV4
type: str
returned: Always, as long as the ip set exists
name:
description: IP set name
sample: test02
returned: Always, as long as the ip set exists
type: str
"""
from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule, is_boto3_error_code, get_boto3_client_method_parameters
from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict, ansible_dict_to_boto3_tag_list
try:
from botocore.exceptions import ClientError, BotoCoreError
except ImportError:
pass # caught by AnsibleAWSModule
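class IpSet:
    """Thin wrapper around the WAFv2 IP set API for one named set.

    On construction the set is looked up by name within ``scope`` and the
    result is cached in ``existing_set`` (the raw ``IPSet`` dict returned by
    ``get_ip_set``, or ``None`` when the set does not exist), ``id`` and
    ``locktoken``. The lock token is re-read after every create/update so
    the next mutating call carries the current one. Every AWS error is
    routed through ``fail_json_aws``, which is expected to terminate the
    module.
    """

    def __init__(self, wafv2, name, scope, fail_json_aws):
        """
        :param wafv2: boto3 ``wafv2`` client
        :param name: name of the IP set
        :param scope: ``CLOUDFRONT`` or ``REGIONAL``
        :param fail_json_aws: callable ``(exception, msg=...)`` used to abort the module
        """
        self.wafv2 = wafv2
        self.name = name
        self.scope = scope
        self.fail_json_aws = fail_json_aws
        self.existing_set, self.id, self.locktoken = self.get_set()

    def description(self):
        """Return the current description, or ``None`` when the set does not
        exist or carries no description."""
        if not self.existing_set:
            return None
        return self.existing_set.get('Description')

    def get(self):
        """Return the cached set as a snake_case dict, or ``None`` when absent."""
        if self.existing_set:
            return camel_dict_to_snake_dict(self.existing_set)
        return None

    def remove(self):
        """Delete the set. Returns an empty dict: nothing is left to report."""
        try:
            self.wafv2.delete_ip_set(
                Name=self.name,
                Scope=self.scope,
                Id=self.id,
                LockToken=self.locktoken,
            )
        except (BotoCoreError, ClientError) as e:
            self.fail_json_aws(e, msg="Failed to remove wafv2 ip set.")
        return {}

    def create(self, description, ip_address_version, addresses, tags):
        """Create the set and return it as a snake_case dict.

        :param description: optional description (omitted from the request when falsy)
        :param ip_address_version: ``IPV4`` or ``IPV6``
        :param addresses: list of CIDR strings, passed to AWS unvalidated
        :param tags: optional dict of tags; converted to the boto3 tag list
        """
        req_obj = {
            'Name': self.name,
            'Scope': self.scope,
            'IPAddressVersion': ip_address_version,
            'Addresses': addresses,
        }
        if description:
            req_obj['Description'] = description
        if tags:
            req_obj['Tags'] = ansible_dict_to_boto3_tag_list(tags)

        try:
            self.wafv2.create_ip_set(**req_obj)
        except (BotoCoreError, ClientError) as e:
            self.fail_json_aws(e, msg="Failed to create wafv2 ip set.")

        # Re-read so the cached set, id and lock token reflect what AWS stored.
        self.existing_set, self.id, self.locktoken = self.get_set()
        return camel_dict_to_snake_dict(self.existing_set)

    def update(self, description, addresses):
        """Replace the set's address list (and description, when given) and
        return the refreshed set as a snake_case dict.

        A falsy ``description`` is not sent, so this method cannot clear an
        existing description. Tags are not touched here.
        """
        req_obj = {
            'Name': self.name,
            'Scope': self.scope,
            'Id': self.id,
            'Addresses': addresses,
            'LockToken': self.locktoken,
        }
        if description:
            req_obj['Description'] = description

        try:
            self.wafv2.update_ip_set(**req_obj)
        except (BotoCoreError, ClientError) as e:
            self.fail_json_aws(e, msg="Failed to update wafv2 ip set.")

        # The lock token changes on every successful update; refresh it.
        self.existing_set, self.id, self.locktoken = self.get_set()
        return camel_dict_to_snake_dict(self.existing_set)

    def get_set(self):
        """Look the set up by name.

        :returns: ``(ipset_dict_or_None, id_or_None, locktoken_or_None)``
        """
        response = self.list()
        existing_set = None
        set_id = None
        locktoken = None
        for item in response.get('IPSets', []):
            if item.get('Name') == self.name:
                set_id = item.get('Id')
                locktoken = item.get('LockToken')
                break  # first match wins; names are expected to be unique within a scope

        if set_id:
            try:
                existing_set = self.wafv2.get_ip_set(
                    Name=self.name,
                    Scope=self.scope,
                    Id=set_id,
                ).get('IPSet')
            except (BotoCoreError, ClientError) as e:
                self.fail_json_aws(e, msg="Failed to get wafv2 ip set.")

        return existing_set, set_id, locktoken

    def list(self, Nextmarker=None):
        """List every IP set in the scope, following ``NextMarker`` pages.

        There is currently no boto3 paginator for wafv2, so pages are
        fetched recursively and their ``IPSets`` lists are concatenated into
        the first response, which is returned.
        """
        req_obj = {
            'Scope': self.scope,
            'Limit': 100,
        }
        if Nextmarker:
            req_obj['NextMarker'] = Nextmarker

        try:
            response = self.wafv2.list_ip_sets(**req_obj)
            if response.get('NextMarker'):
                response['IPSets'] += self.list(Nextmarker=response.get('NextMarker')).get('IPSets')
        except (BotoCoreError, ClientError) as e:
            self.fail_json_aws(e, msg="Failed to list wafv2 ip set.")

        return response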
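def compare(existing_set, addresses, purge_addresses, state):
    """Work out whether the address list must change and what it should become.

    :param existing_set: snake_case dict of the existing set (as returned by
        ``IpSet.get``); only its ``addresses`` key is read and it is never modified
    :param addresses: addresses requested by the user (``None`` is accepted when
        ``state='absent'``)
    :param purge_addresses: with ``state='present'``, ``True`` means the requested list
        replaces the existing one and ``False`` means requested entries are only added;
        with ``state='absent'``, ``True`` removes the requested entries and ``False``
        removes nothing
    :param state: ``'present'`` or ``'absent'``
    :returns: ``(changed, new_addresses)``
    """
    # Work on a copy so the caller's dict is not mutated by the removal below.
    existing_rules = list(existing_set.get('addresses') or [])

    if state == 'present':
        if purge_addresses:
            # Declarative: the requested list is the new list; order is irrelevant.
            return sorted(addresses) != sorted(existing_rules), addresses
        missing = [rule for rule in addresses if rule not in existing_rules]
        return bool(missing), missing + existing_rules

    # state == 'absent': strip only the listed addresses; the set itself stays.
    diff = False
    if purge_addresses and addresses:
        for rule in addresses:
            if rule in existing_rules:
                diff = True
                existing_rules.remove(rule)
    return diff, existing_rules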
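def main():
    """Ansible entry point: reconcile one WAFv2 IP set with the requested state.

    Addresses are handed to AWS exactly as given; no local CIDR validation
    happens here, so a malformed entry surfaces as a ClientError from
    ``IpSet.create``/``IpSet.update`` and fails the module. Tags are only
    applied on creation -- ``IpSet.update`` does not send them.
    """
    arg_spec = dict(
        state=dict(type='str', required=True, choices=['present', 'absent']),
        name=dict(type='str', required=True),
        scope=dict(type='str', required=True, choices=['CLOUDFRONT', 'REGIONAL']),
        description=dict(type='str'),
        ip_address_version=dict(type='str', choices=['IPV4', 'IPV6']),
        addresses=dict(type='list', elements='str'),
        tags=dict(type='dict'),
        purge_addresses=dict(type='bool', default=True),
    )

    module = AnsibleAWSModule(
        argument_spec=arg_spec,
        supports_check_mode=True,
        required_if=[['state', 'present', ['ip_address_version', 'addresses']]],
    )

    state = module.params.get("state")
    name = module.params.get("name")
    scope = module.params.get("scope")
    description = module.params.get("description")
    ip_address_version = module.params.get("ip_address_version")
    addresses = module.params.get("addresses")
    tags = module.params.get("tags")
    purge_addresses = module.params.get("purge_addresses")
    check_mode = module.check_mode

    wafv2 = module.client('wafv2')

    change = False
    retval = {}

    ip_set = IpSet(wafv2, name, scope, module.fail_json_aws)
    existing = ip_set.get()

    if state == 'present':
        if existing:
            change, addresses = compare(existing, addresses, purge_addresses, state)
            # A description-only change must be reported (and applied) as a
            # change too. Only compare when the user supplied a description,
            # so that omitting I(description) leaves the stored value alone
            # instead of issuing an update call on every run.
            if description is not None and ip_set.description() != description:
                change = True
            if change and not check_mode:
                retval = ip_set.update(
                    description=description,
                    addresses=addresses,
                )
            else:
                retval = existing
        else:
            if not check_mode:
                retval = ip_set.create(
                    description=description,
                    ip_address_version=ip_address_version,
                    addresses=addresses,
                    tags=tags,
                )
            change = True

    elif existing:
        if addresses:
            # Partial removal: drop only the listed addresses, keep the set.
            change, addresses = compare(existing, addresses, purge_addresses, state)
            if change and not check_mode:
                retval = ip_set.update(
                    description=description,
                    addresses=addresses,
                )
        else:
            if not check_mode:
                retval = ip_set.remove()
            change = True

    module.exit_json(changed=change, **retval)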
# Script entry point: this file is executed directly (see the shebang above).
if __name__ == '__main__':
    main()