Security group rules in module openstack.cloud.security_group are changed/updated only when option 'security_group_rules' was defined explicitly. This follows our policy of "apply no change" when module options in our Ansible modules have not been set. Story: 2010691 Task: 47795 Change-Id: I4a0cda46cb160b5321913b63ff1123d8b8a19705
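---
# Integration tests for openstack.cloud.security_group.
#
# Covers, in order: create/delete idempotence; the rules a freshly created
# group carries when 'security_group_rules' is left unset; an explicit empty
# rule list; an explicit rule list; replacing and appending rules; and a dense
# rule representation (one rule with several remote IP prefixes) expanded into
# the module's flat, one-prefix-per-rule representation.
#
# The remote IP prefixes used below are arbitrary test values: the assertions
# check rule counts, directions and ether types, never the prefixes themselves.

# --- Create / delete idempotence, rules option left unset -------------------

- name: Create security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: present
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Create security group again
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: present
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is not changed

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

# With 'security_group_rules' unset the module leaves whatever default rules
# the cloud created; the test only requires them to be the IPv4 and/or IPv6
# defaults, so both single-stack and dual-stack clouds pass.
- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length in [1, 2]
      - >-
        security_group_rules.security_group_rules | map(attribute='ether_type') | list | sort in
        [['IPv4'], ['IPv6'], ['IPv4', 'IPv6']]

- name: Delete security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Delete security group again
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is not changed

# --- Explicit empty rule list ----------------------------------------------

- name: Create security group without security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: []
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Create security group without security group rules again
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: []
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is not changed

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

# An explicit empty list must remove the cloud's default rules as well.
- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 0

- name: Delete security group without security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent

# --- Explicit rule list, then replacing it ---------------------------------

- name: Create security group including security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules:
      - ether_type: IPv6
        direction: egress
      - ether_type: IPv4
        direction: egress
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Create security group including security group rules again
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules:
      - ether_type: IPv6
        direction: egress
      - ether_type: IPv4
        direction: egress
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is not changed

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 2
      - security_group_rules.security_group_rules | map(attribute='ether_type') | list | sort == ['IPv4', 'IPv6']

# The new list contains no egress rules, so the two egress rules above must
# be removed and only the four ingress rules remain.
- name: Update security group with new set of security group rules, dropping egress rules for IPv4 and IPv6
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules:
      - protocol: udp
        ether_type: IPv6
        direction: ingress
        port_range_min: 547
        port_range_max: 547
      - protocol: tcp
        ether_type: IPv4
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: 1.2.3.40/32
      - protocol: tcp
        ether_type: IPv4
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: 1.2.3.41/32
      - protocol: tcp
        ether_type: IPv4
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: 1.2.3.42/32

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 4
      - security_group_rules.security_group_rules | map(attribute='direction') | list | unique == ['ingress']

- name: Remove all security group rules from security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: []
  register: security_group

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 0

- name: Delete security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent

# --- Appending rules to an existing rule set -------------------------------

- name: Create security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules:
      - ether_type: IPv6
        direction: egress
      - ether_type: IPv4
        direction: egress
    state: present
  register: security_group

# Checks the rules embedded in the security_group module's own return value,
# not a separate security_group_rule_info lookup.
- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group.security_group.security_group_rules | length == 2

- name: Define set of additional security group rules
  ansible.builtin.set_fact:
    security_group_rules:
      - protocol: udp
        ether_type: IPv6
        direction: ingress
        port_range_min: 547
        port_range_max: 547
      - protocol: tcp
        ether_type: IPv4
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefix: 1.2.3.40/32

# Map each returned rule back onto the module's option names (the returned
# rule uses 'ethertype' and 'remote_group_id', the options are 'ether_type'
# and 'remote_group'); unset attributes are dropped via 'omit'. set_fact runs
# once per item, so 'register' collects one ansible_facts entry per rule.
- name: Prepare existing security group rules for appending
  loop: '{{ security_group.security_group.security_group_rules | default([]) }}'
  ansible.builtin.set_fact:
    security_group_rule:
      description: '{{ item.description or omit }}'
      direction: '{{ item.direction or omit }}'
      ether_type: '{{ item.ethertype or omit }}'
      port_range_max: '{{ item.port_range_max or omit }}'
      port_range_min: '{{ item.port_range_min or omit }}'
      protocol: '{{ item.protocol or omit }}'
      remote_group: '{{ item.remote_group_id or omit }}'
      remote_ip_prefix: '{{ item.remote_ip_prefix or omit }}'
  register: previous_security_group_rules

- name: Flatten existing security group rules
  ansible.builtin.set_fact:
    previous_security_group_rules: "{{
      previous_security_group_rules.results
      | map(attribute='ansible_facts.security_group_rule')
      | flatten(levels=1)
      }}"

- name: Append security group rules to security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: '{{ previous_security_group_rules + security_group_rules }}'
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Append security group rules to security group again
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: '{{ previous_security_group_rules + security_group_rules }}'
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is not changed

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      # 2 ingress rules and egress rules for IPv4 and IPv6
      - security_group_rules.security_group_rules | length == 4

- name: Delete security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent

# --- Dense rule representation (several prefixes per rule) -----------------

- name: Create security group without security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: []
    state: present
  register: security_group

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 0

# 'remote_ip_prefixes' is not a module option; it is a test-local shorthand
# expanded by the next two tasks.
- name: Define dense representation of security group rules with multiple remote ip prefixes per rule
  ansible.builtin.set_fact:
    security_group_rules:
      - protocol: udp
        ether_type: IPv6
        direction: ingress
        port_range_min: 547
        port_range_max: 547
      - protocol: tcp
        ether_type: IPv4
        direction: ingress
        port_range_min: 22
        port_range_max: 22
        remote_ip_prefixes:
          - 1.2.3.40/32
          - 1.2.3.41/32
          - 1.2.3.42/32

# Per item: keep a plain rule as a one-element list; for a dense rule build
# one copy per prefix ('remote_ip_prefix' set, 'remote_ip_prefixes' removed).
# The loop source is evaluated once up front, so overwriting the fact inside
# the loop is safe; the per-item lists are collected via 'register'.
- name: Convert dense representation into default representation of security group rules
  loop: '{{ security_group_rules }}'
  ansible.builtin.set_fact:
    security_group_rules: >-
      {{ [item]
      if 'remote_ip_prefixes' not in item
      else item.remote_ip_prefixes
      | map('community.general.dict_kv', 'remote_ip_prefix')
      | map('combine', item | dict2items | rejectattr('key', 'eq', 'remote_ip_prefixes') | list | items2dict)
      | list
      }}
  register: security_group_rules

- name: Flatten security group rules
  ansible.builtin.set_fact:
    security_group_rules: "{{
      security_group_rules.results
      | map(attribute='ansible_facts.security_group_rules')
      | flatten(levels=1) | list
      }}"

- name: Update security group with set of security group rules
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    security_group_rules: '{{ security_group_rules }}'
  register: security_group

- name: Assert return values of security_group module
  ansible.builtin.assert:
    that:
      - security_group is changed

- name: Fetch security group rules
  openstack.cloud.security_group_rule_info:
    cloud: "{{ cloud }}"
    security_group: ansible_security_group
  register: security_group_rules

# 1 UDP rule plus one TCP rule per remote prefix.
- name: Assert return values of security_group_rule_info module
  ansible.builtin.assert:
    that:
      - security_group_rules.security_group_rules | length == 4

- name: Delete security group
  openstack.cloud.security_group:
    cloud: "{{ cloud }}"
    name: ansible_security_group
    state: absent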