-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathconfirm-security-policies-controller.yml
142 lines (126 loc) · 4.75 KB
/
confirm-security-policies-controller.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
# REQUIREMENTS
# pip install pan-python
# pip install pandevice
# pip install xmltodict
# ansible-galaxy install paloaltonetworks.paloaltonetworks
# https://www.bountysource.com/issues/59738537-certificate-verify-failed
# set verify to disable in the virtual environment
---
- name: Confirm presence of ACLs on PAN Firewalls
hosts: panos
connection: local
gather_facts: no
vars:
firewall_inventory_webpage_name: "panos-inventory"
ec2_region: us-east-1
dns_zone: "mford.io"
s3_state: present
alias_s3_zone_id: "Z3AQBSTGFYJSTF"
vars_files:
- ./vars/default_vars.yml
- ./credentials/pan_credentials.yml
- ./credentials/webserver_credentials.yml
tasks:
- name: Query ACL Policies
paloaltonetworks.panos.panos_security_rule_facts:
provider:
ip_address: "{{ ansible_host }}"
username: "{{ PAN_USERNAME }}"
password: "{{ PAN_PASSWORD }}"
details: true
register: security_rule_output
- name: Print Security Rules
ansible.builtin.debug:
var: security_rule_output
- name: Print Security Rule Names
ansible.builtin.debug:
msg: "{{ msg.split('\n') }}"
vars:
msg: |
The RULE NAME is {{ item.description }}
The SOURCE IP ADDRESS is {{ item.source_ip[0] }}
The DESTINATION IP ADDRESS is {{ item.destination_ip[0] }}
The SOURCE ZONE is {{ item.source_zone[0] }}
The DESTINATION ZONE is {{ item.destination_zone[0] }}
The ACTION is {{ item.action }}
loop: "{{security_rule_output.rule_details}}"
loop_control:
label: "{{ item.description }}"
when: security_rule_output.rule_details is defined
- name: Create ACL file
ansible.builtin.copy:
dest: "/tmp/{{ inventory_hostname }}.csv"
content: "rule_name,description,source_ip,destination_ip,source_zone,destination_zone,action"
delegate_to: localhost
- name: Insert new ACL entry at the end of the file.
ansible.builtin.lineinfile:
path: "/tmp/{{ inventory_hostname }}.csv"
line: "{{item.rule_name}},{{item.rule_name}},{{item.source_ip[0]}},{{item.destination_ip[0]}},{{item.source_zone[0]}},{{item.destination_zone[0]}},{{item.action}}"
loop: "{{security_rule_output.rule_details}}"
when: security_rule_output.rule_details is defined
delegate_to: localhost
- name: Read rules from CSV file and return a dictionary
community.general.read_csv:
path: "/tmp/{{ inventory_hostname }}.csv"
register: rules
- name: Show the contents of the rules output
ansible.builtin.debug:
var: rules
- name: Build Current ACLs report
ansible.builtin.include_role:
name: acl_reports
tasks_from: current_acls
when: security_rule_output.rule_details is defined
vars:
current_rules: "{{ rules.list }}"
- name: Ensure S3 bucket exists
amazon.aws.s3_bucket:
name: "{{firewall_inventory_webpage_name|lower}}.{{dns_zone|lower}}"
state: "{{ s3_state }}"
region: "{{ec2_region}}"
force: yes
run_once: yes
- name: Enable web hosting
community.aws.s3_website:
name: "{{firewall_inventory_webpage_name|lower}}.{{dns_zone|lower}}"
state: "{{ s3_state }}"
region: "{{ec2_region}}"
suffix: "index.html"
register: s3_site
when: s3_state == 'present'
run_once: yes
# Route53 S3 Hosted Zone IDs
# https://docs.aws.amazon.com/general/latest/gr/s3.html#s3_website_region_endpoints
- name: DNS for firewall inventory page
community.aws.route53:
state: "{{ s3_state }}"
zone: "{{dns_zone}}"
record: "{{firewall_inventory_webpage_name|lower}}.{{dns_zone}}"
type: A
alias: yes
validate_certs: no
overwrite: yes
alias_hosted_zone_id: "{{ alias_s3_zone_id }}"
value: "s3-website-us-east-1.amazonaws.com"
run_once: yes
- name: DNS for firewall rules
community.aws.route53:
state: "{{ s3_state }}"
zone: "{{dns_zone}}"
record: "{{hostvars[inventory_hostname]['tags']['Name']|lower}}.{{dns_zone}}"
type: CNAME
ttl: 60
overwrite: yes
value: "s3.amazonaws.com/{{firewall_inventory_webpage_name|lower}}.{{dns_zone}}/{{hostvars[inventory_hostname]['tags']['Name']|lower}}.html"
- name: Put webpage
community.aws.s3_sync:
bucket: "{{firewall_inventory_webpage_name|lower}}.{{dns_zone}}"
region: "{{ec2_region}}"
file_root: "{{ working_dir }}/acl_reports/"
mime_map:
.html: text/html
permission: public-read
file_change_strategy: force
include: "*"
when: s3_state == 'present'
run_once: yes