-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathapply-access-policies-git.yml
132 lines (112 loc) · 3.92 KB
/
apply-access-policies-git.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
# REQUIREMENTS
# pip install pan-python
# pip install pandevice
# pip install xmltodict
# ansible-galaxy install paloaltonetworks.paloaltonetworks
# https://www.bountysource.com/issues/59738537-certificate-verify-failed
# set verify to disable in the virtual environment
---
- name: Set up ACL entries
hosts: localhost
gather_facts: False
# vars:
# csvfile: "{{ lookup('file', '/tmp/acl-data/global/acl_entries_to_apply.csv') }}"
vars_files:
- "{{ playbook_dir }}/vars/default_vars.yml"
tasks:
- ansible.builtin.debug:
msg: "The Policy State is {{ policy_state }}"
- name: Recursively ACL Data Repository
file:
path: /tmp/acl-data
state: absent
- name: Clone ACL Data Repository
ansible.builtin.git:
repo: 'https://github.com/michaelford85/acl-data.git'
dest: /tmp/acl-data
- name: List all git commits
ansible.builtin.command:
chdir: /tmp/acl-data
cmd: git log --oneline
register: gitlog
when: policy_state == "update"
- ansible.builtin.debug:
var: gitlog
when: policy_state == "update"
- name: Retrieve the commit ID of the previous ACLs
ansible.builtin.set_fact:
previous_acls: "{{ gitlog.stdout_lines[1] | regex_search(regexp) }}"
vars:
regexp: '^([\w\-]+)'
when: policy_state == "update"
- name: Debug previous_acls
ansible.builtin.debug:
var: previous_acls
when: policy_state == "update"
- name: Checkout commit with Previous Rules
ansible.builtin.command:
chdir: /tmp/acl-data
cmd: "git checkout {{ previous_acls }}"
when: policy_state == "update"
- name: Check to see if acl_entries.yml exists
stat:
path: /tmp/acl_entries.yml
register: acl_entries_output
- name: Delete acl_entries.yml if it already exists
file:
path: /tmp/acl_entries.yml
state: absent
when: acl_entries_output.stat.exists == True
- name: Include acl csv file
ansible.builtin.set_fact:
csvfile: "{{ lookup('file', '/tmp/acl-data/global/acl_entries_to_apply.csv') }}"
- name: Create acl_entries.yml file from template
template:
src: "{{ playbook_dir }}/templates/acl_entries.j2"
dest: /tmp/acl_entries.yml
- name: Apply ACLs to PAN Firewalls
hosts: panos
connection: local
gather_facts: False
vars:
erase: false
vars_files:
- "{{ playbook_dir }}/vars/default_vars.yml"
- "{{ playbook_dir }}/credentials/pan_credentials.yml"
- "{{ playbook_dir }}/credentials/servicenow_credentials.yml"
tasks:
- name: Load acl_entries variable into the playbook
include_vars:
file: /tmp/acl_entries.yml
run_once: yes
- block:
- name: Add ACL entries
paloaltonetworks.panos.panos_security_rule:
provider:
ip_address: "{{ ansible_host }}"
username: "{{ PAN_USERNAME }}"
password: "{{ PAN_PASSWORD }}"
rule_name: "{{item.rule_name}}"
description: "{{item.rule_name}}"
source_ip: "{{item.source_ip}}"
destination_ip: "{{ item.destination_ip }}"
# source_zone: "['{{item.source_zone}}']"
# destination_zone: "['{{item.destination_zone}}']"
source_zone: "{{item.source_zone}}"
destination_zone: "{{item.destination_zone}}"
action: "{{ item.action}}"
state: present
loop: "{{ acl_entries }}"
ignore_errors: True
when: policy_state == "add"
- block:
- name: Remove ACL entries
paloaltonetworks.panos.panos_security_rule:
provider:
ip_address: "{{ ansible_host }}"
username: "{{ PAN_USERNAME }}"
password: "{{ PAN_PASSWORD }}"
rule_name: "{{item.rule_name}}"
state: absent
loop: "{{ acl_entries }}"
when: (policy_state == "remove") or (policy_state == "update")