
add draft for wafv2 ip set

master
Markus Bergholz 3 months ago
parent
commit
0c788409f3
Signed by: m GPG Key ID: B45724801354B174
1 changed files with 263 additions and 0 deletions
  1. +263
    -0
      wafv2_ip_set.py

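--- a/wafv2_ip_set.py
+++ b/wafv2_ip_set.py
@@ -0,0 +1,263 @@
+#!/usr/bin/python
+# Copyright: Ansible Project
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+from __future__ import absolute_import, division, print_function
+__metaclass__ = type
+DOCUMENTATION = '''
+---
+module: wafv2_ip_set
+version_added: 1.4.0
+author:
+- "Markus Bergholz (@markuman)"
+short_description: wafv2_ip_set
+description:
+- Create, modify and delete CloudWatch log group metric filter.
+- CloudWatch log group metric filter can be use with M(community.aws.ec2_metric_alarm).
+requirements:
+- boto3
+- botocore
+options:
+state:
+description:
+- Whether the rule is present or absent.
+choices: ["present", "absent"]
+required: true
+type: str
+name:
+description:
+- The name of the IP set.
+required: true
+type: str
+description:
+description:
+- Description of the IP set.
+required: false
+type: str
+scope:
+description:
+- Specifies whether this is for an AWS CloudFront distribution or for a regional application.
+choices: ["CLOUDFRONT","REGIONAL"]
+required: true
+type: str
+ip_address_version:
+description:
+- Specifies whether this is an IPv4 or an IPv6 IP set.
+choices: ["IPV4","IPV6"]
+required: true
+type: str
+addresses:
+description:
+- Contains an array of strings that specify one or more IP addresses or blocks of IP addresses in
+Classless Inter-Domain Routing (CIDR) notation.
+required: true
+type: list
+tags:
+description:
+- Key value pairs to associate with the resource.
+required: false
+type: dict
+extends_documentation_fragment:
+- amazon.aws.aws
+- amazon.aws.ec2
+'''
+EXAMPLES = '''
+- name: test ip set
+wafv2_ip_set:
+name: test02
+state: present
+description: hallo eins
+scope: REGIONAL
+ip_address_version: IPV4
+addresses:
+- 8.8.8.8/32
+- 8.8.4.4/32
+tags:
+A: B
+C: D
+'''
+RETURN = """
+"""
+from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule, is_boto3_error_code, get_boto3_client_method_parameters
+from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
+try:
+from botocore.exceptions import ClientError, BotoCoreError, WaiterError
+except ImportError:
+pass # caught by AnsibleAWSModule
+def remove_ip_set(wafv2, name, scope, id, locktoken):
+response = wafv2.delete_ip_set(
+Name=name,
+Scope=scope,
+Id=id,
+LockToken=locktoken
+)
+return response
+def list_ip_sets(wafv2, scope):
+response = wafv2.list_ip_sets(
+Scope=scope,
+Limit=100
+)
+return response
+def get_ip_set(wafv2, name, scope, id):
+response = wafv2.get_ip_set(
+Name=name,
+Scope=scope,
+Id=id
+)
+return response
+def create_ip_set(wafv2, name, scope, description, ip_address_version, addresses, tags):
+req_obj = {
+'Name': name,
+'Scope': scope,
+'IPAddressVersion': ip_address_version,
+'Addresses': addresses,
+}
+if description:
+req_obj['Description'] = description
+if tags:
+req_obj['Tags'] = prepare_tags(tags)
+response = wafv2.create_ip_set(**req_obj)
+return response
+def update_ip_set(wafv2, name, scope, id, description, addresses, locktoken):
+req_obj = {
+'Name': name,
+'Scope': scope,
+'Id': id,
+'Addresses': addresses,
+'LockToken': locktoken
+}
+if description:
+req_obj['Description'] = description
+response = wafv2.update_ip_set(**req_obj)
+return response
+def compare(existing_set, addresses):
+diff = False
+addresses.sort()
+existing_set.get('IPSet').get('Addresses').sort()
+if addresses != existing_set.get('IPSet').get('Addresses'):
+diff = True
+return diff
+def prepare_tags(tags):
+_tags = list()
+for key in tags.keys():
+_tags.append(
+{
+'Key': key,
+'Value': tags.get(key)
+}
+)
+return _tags
+def main():
+arg_spec = dict(
+state=dict(type='str', required=True, choices=['present', 'absent']),
+name=dict(type='str', required=True),
+scope=dict(type='str', required=True, choices=['CLOUDFRONT', 'REGIONAL']),
+description=dict(type='str'),
+ip_address_version=dict(type='str', choices=['IPV4', 'IPV6']),
+addresses=dict(type='list'),
+tags=dict(type='dict')
+)
+module = AnsibleAWSModule(
+argument_spec=arg_spec,
+supports_check_mode=True,
+)
+state = module.params.get("state")
+name = module.params.get("name")
+scope = module.params.get("scope")
+description = module.params.get("description")
+ip_address_version = module.params.get("ip_address_version")
+addresses = module.params.get("addresses")
+tags = module.params.get("tags")
+wafv2 = module.client('wafv2')
+# check if ip set exist
+response = list_ip_sets(wafv2, scope)
+id = None
+locktoken = None
+arn = None
+change = False
+retval = None
+for item in response.get('IPSets'):
+if item.get('Name') == name:
+id = item.get('Id')
+locktoken = item.get('LockToken')
+arn = item.get('ARN')
+existing_set = None
+if id:
+existing_set = get_ip_set(wafv2, name, scope, id)
+if state == 'present':
+if existing_set:
+if compare(existing_set, addresses) or existing_set.get('IPSet').get('Description') != description:
+retval = update_ip_set(
+wafv2,
+name=name,
+scope=scope,
+id=id,
+description=description,
+addresses=addresses,
+locktoken=locktoken
+)
+change = True
+else:
+retval = existing_set.get('IPSet')
+else:
+retval = create_ip_set(
+wafv2,
+name=name,
+scope=scope,
+description=description,
+ip_address_version=ip_address_version,
+addresses=addresses,
+tags=tags
+)
+change = True
+if state == 'absent':
+if existing_set:
+retval = remove_ip_set(
+wafv2,
+name=name,
+scope=scope,
+id=id,
+locktoken=locktoken
+)
+change = True
+module.exit_json(changed=change, ip_set=retval)
+if __name__ == '__main__':
+main()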
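Review bot: The module declares `supports_check_mode=True` but `main()` calls `update_ip_set`, `create_ip_set` and `remove_ip_set` unconditionally, so a check-mode run still mutates the IP set; each of those three call sites needs a guard such as `if module.check_mode: module.exit_json(changed=True, ip_set=retval)` before the API call. `list_ip_sets` passes `Limit=100` and never follows `NextMarker`, so an existing set beyond the first page is treated as absent and `state: present` then attempts a duplicate create while `state: absent` silently does nothing. None of the boto3 calls is wrapped, so a `ClientError` or `BotoCoreError` (both imported but unused) surfaces as a traceback instead of a clean `module.fail_json_aws(e, msg=...)`. `compare()` sorts the caller's `addresses` list in place and raises `AttributeError` when it is `None`, which the argument spec allows because `addresses` and `ip_address_version` are not enforced for `state: present`; passing `required_if=[['state', 'present', ['addresses', 'ip_address_version']]]` to `AnsibleAWSModule` would close that gap. The `description` entries in DOCUMENTATION still describe CloudWatch log group metric filters and should be rewritten to describe WAFv2 IP sets.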
