2018-03-08 16:02:07 -05:00
|
|
|
#!/usr/bin/env python
|
|
|
|
|
"""
|
|
|
|
|
* *******************************************************
|
|
|
|
|
* Copyright (c) VMware, Inc. 2018. All Rights Reserved.
|
|
|
|
|
* SPDX-License-Identifier: MIT
|
|
|
|
|
* *******************************************************
|
|
|
|
|
*
|
|
|
|
|
* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT
|
|
|
|
|
* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN,
|
|
|
|
|
* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED
|
|
|
|
|
* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY,
|
|
|
|
|
* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE.
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
__author__ = 'VMware, Inc.'
|
|
|
|
|
|
|
|
|
|
import argparse
|
2018-11-22 02:51:21 -05:00
|
|
|
|
|
|
|
|
from com.vmware.vmc.model_client import (AddressFWSourceDestination,
|
|
|
|
|
Application, FirewallRules,
|
|
|
|
|
Nsxfirewallrule, Nsxfirewallservice)
|
2018-03-08 16:02:07 -05:00
|
|
|
from vmware.vapi.vmc.client import create_vmc_client
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
class FirewallRulesCrud(object):
|
|
|
|
|
"""
|
|
|
|
|
Demonstrates firewall rule CRUD operations
|
|
|
|
|
|
|
|
|
|
Sample Prerequisites:
|
|
|
|
|
- An organization associated with the calling user.
|
|
|
|
|
- A SDDC in the organization
|
|
|
|
|
"""
|
|
|
|
|
|
|
|
|
|
def __init__(self):
|
|
|
|
|
parser = argparse.ArgumentParser(
|
|
|
|
|
formatter_class=argparse.ArgumentDefaultsHelpFormatter)
|
2018-11-22 02:51:21 -05:00
|
|
|
parser.add_argument(
|
|
|
|
|
'-r',
|
|
|
|
|
'--refresh-token',
|
|
|
|
|
required=True,
|
|
|
|
|
help='VMware Cloud API refresh token')
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'-o', '--org-id', required=True, help='Organization identifier.')
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'-s', '--sddc-id', required=True, help='Sddc Identifier.')
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'--rule-name',
|
|
|
|
|
default='Sample Firewall Rule',
|
|
|
|
|
help='Name of the new firewall rule')
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'--use-compute-gateway',
|
|
|
|
|
action='store_true',
|
|
|
|
|
default=False,
|
|
|
|
|
help='Use compute gateway. Default is using '
|
|
|
|
|
'management gateway')
|
|
|
|
|
|
|
|
|
|
parser.add_argument(
|
|
|
|
|
'-c',
|
|
|
|
|
'--cleardata',
|
|
|
|
|
action='store_true',
|
|
|
|
|
help='Clean up after sample run')
|
2018-03-08 16:02:07 -05:00
|
|
|
args = parser.parse_args()
|
|
|
|
|
|
|
|
|
|
self.edge_id = None
|
|
|
|
|
self.rule_id = None
|
|
|
|
|
self.nfwr = None
|
|
|
|
|
self.org_id = args.org_id
|
|
|
|
|
self.sddc_id = args.sddc_id
|
|
|
|
|
self.rule_name = args.rule_name
|
|
|
|
|
self.compute_gw = args.use_compute_gateway
|
|
|
|
|
self.cleanup = args.cleardata
|
|
|
|
|
self.vmc_client = create_vmc_client(args.refresh_token)
|
|
|
|
|
|
|
|
|
|
def setup(self):
|
|
|
|
|
# Check if the organization exists
|
|
|
|
|
orgs = self.vmc_client.Orgs.list()
|
|
|
|
|
if self.org_id not in [org.id for org in orgs]:
|
2018-11-22 02:51:21 -05:00
|
|
|
raise ValueError("Org with ID {} doesn't exist".format(
|
|
|
|
|
self.org_id))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
# Check if the SDDC exists
|
|
|
|
|
sddcs = self.vmc_client.orgs.Sddcs.list(self.org_id)
|
|
|
|
|
if self.sddc_id not in [sddc.id for sddc in sddcs]:
|
2018-11-22 02:51:21 -05:00
|
|
|
raise ValueError("SDDC with ID {} doesn't exist in org {}".format(
|
|
|
|
|
self.sddc_id, self.org_id))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
def create_firewall_rule(self):
|
|
|
|
|
|
|
|
|
|
if self.compute_gw:
|
|
|
|
|
print('\n# Example: Add a firewall rule to the Compute Gateway')
|
|
|
|
|
else:
|
|
|
|
|
print('\n# Example: Add a firewall rule to the Management Gateway')
|
|
|
|
|
|
|
|
|
|
print('# List network gateway edges:')
|
|
|
|
|
edges = self.vmc_client.orgs.sddcs.networks.Edges.get(
|
2018-11-22 02:51:21 -05:00
|
|
|
org=self.org_id, sddc=self.sddc_id,
|
2018-03-08 16:02:07 -05:00
|
|
|
edge_type='gatewayServices').edge_page.data
|
|
|
|
|
|
|
|
|
|
print(' Management Gateway ID: {}'.format(edges[0].id))
|
|
|
|
|
print(' Compute Gateway ID: {}'.format(edges[1].id))
|
|
|
|
|
self.edge_id = edges[1].id if self.compute_gw else edges[0].id
|
|
|
|
|
|
|
|
|
|
sddc = self.vmc_client.orgs.Sddcs.get(self.org_id, self.sddc_id)
|
|
|
|
|
|
|
|
|
|
# Construct an destination object for the new firewall rule
|
|
|
|
|
# You can use one of following destination IP addresses
|
|
|
|
|
# IPs for vCenter
|
2018-11-22 02:51:21 -05:00
|
|
|
ip_address = [
|
|
|
|
|
sddc.resource_config.vc_public_ip,
|
|
|
|
|
sddc.resource_config.vc_management_ip
|
|
|
|
|
]
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
# TODO: IPs for ESXi
|
|
|
|
|
# TODO: IPs for Site Recovery Manager
|
|
|
|
|
# TODO: IPs for vSphere Replication
|
|
|
|
|
# TODO: IPs for Management Gateway
|
|
|
|
|
# IPs for NSX Manager
|
|
|
|
|
# ip_address = [sddc.resource_config.nsx_mgr_management_ip]
|
|
|
|
|
|
|
|
|
|
destination = AddressFWSourceDestination(
|
|
|
|
|
exclude=False,
|
|
|
|
|
ip_address=ip_address,
|
|
|
|
|
grouping_object_id=[],
|
|
|
|
|
vnic_group_id=[])
|
|
|
|
|
|
|
|
|
|
# Construct a new NSX firewall rule object
|
2018-11-22 02:51:21 -05:00
|
|
|
self.nfwr = Nsxfirewallrule(
|
|
|
|
|
rule_type='user',
|
|
|
|
|
name=self.rule_name,
|
|
|
|
|
enabled=True,
|
|
|
|
|
action='accept',
|
|
|
|
|
source=AddressFWSourceDestination(
|
|
|
|
|
exclude=False,
|
|
|
|
|
ip_address=['any'],
|
|
|
|
|
grouping_object_id=[],
|
|
|
|
|
vnic_group_id=[]),
|
|
|
|
|
destination=destination,
|
|
|
|
|
logging_enabled=False,
|
|
|
|
|
application=Application(
|
|
|
|
|
application_id=[],
|
|
|
|
|
service=[
|
|
|
|
|
Nsxfirewallservice(
|
|
|
|
|
source_port=['any'],
|
|
|
|
|
protocol='TCP',
|
|
|
|
|
port=['443'],
|
|
|
|
|
icmp_type=None)
|
|
|
|
|
]))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
self.vmc_client.orgs.sddcs.networks.edges.firewall.config.Rules.add(
|
|
|
|
|
org=self.org_id,
|
|
|
|
|
sddc=self.sddc_id,
|
|
|
|
|
edge_id=self.edge_id,
|
|
|
|
|
firewall_rules=FirewallRules([self.nfwr]))
|
|
|
|
|
|
|
|
|
|
print('# New firewall rule "{}" is added'.format(self.rule_name))
|
|
|
|
|
|
|
|
|
|
def get_firewall_rule(self):
|
|
|
|
|
|
|
|
|
|
print('\n# Example: List basic firewall rule specs')
|
|
|
|
|
fw_config = self.vmc_client.orgs.sddcs.networks.edges.firewall.Config.get(
|
2018-11-22 02:51:21 -05:00
|
|
|
org=self.org_id, sddc=self.sddc_id, edge_id=self.edge_id)
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
fw_rules = fw_config.firewall_rules.firewall_rules
|
|
|
|
|
|
|
|
|
|
for r in fw_rules:
|
|
|
|
|
if r.name == self.rule_name:
|
|
|
|
|
self.rule_id = r.rule_id
|
|
|
|
|
break
|
|
|
|
|
else:
|
2018-11-22 02:51:21 -05:00
|
|
|
raise Exception("Can't find firewall rule with name {}".format(
|
|
|
|
|
self.rule_name))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
rule = self.vmc_client.orgs.sddcs.networks.edges.firewall.config.Rules.get(
|
|
|
|
|
org=self.org_id,
|
|
|
|
|
sddc=self.sddc_id,
|
|
|
|
|
edge_id=self.edge_id,
|
|
|
|
|
rule_id=self.rule_id)
|
|
|
|
|
|
|
|
|
|
self.print_output(rule)
|
|
|
|
|
|
|
|
|
|
def update_firewall_rule(self):
|
|
|
|
|
|
|
|
|
|
print('\n# Example: Update the firewall rule')
|
|
|
|
|
self.nfwr.description = 'Updated description'
|
|
|
|
|
self.nfwr.name = 'Updated ' + self.rule_name
|
|
|
|
|
self.nfwr.action = 'deny'
|
|
|
|
|
self.nfwr.source.ip_address = ['127.0.0.1']
|
|
|
|
|
|
|
|
|
|
self.vmc_client.orgs.sddcs.networks.edges.firewall.config.Rules.update(
|
|
|
|
|
org=self.org_id,
|
|
|
|
|
sddc=self.sddc_id,
|
|
|
|
|
edge_id=self.edge_id,
|
|
|
|
|
rule_id=self.rule_id,
|
|
|
|
|
nsxfirewallrule=self.nfwr)
|
|
|
|
|
|
|
|
|
|
rule = self.vmc_client.orgs.sddcs.networks.edges.firewall.config.Rules.get(
|
|
|
|
|
org=self.org_id,
|
|
|
|
|
sddc=self.sddc_id,
|
|
|
|
|
edge_id=self.edge_id,
|
|
|
|
|
rule_id=self.rule_id)
|
|
|
|
|
|
|
|
|
|
print('# List the updated firewall rule specs')
|
|
|
|
|
self.print_output(rule)
|
|
|
|
|
|
|
|
|
|
def delete_firewall_rule(self):
|
|
|
|
|
if self.cleanup:
|
|
|
|
|
self.vmc_client.orgs.sddcs.networks.edges.firewall.config.Rules.delete(
|
|
|
|
|
org=self.org_id,
|
|
|
|
|
sddc=self.sddc_id,
|
|
|
|
|
edge_id=self.edge_id,
|
|
|
|
|
rule_id=self.rule_id)
|
2018-11-22 02:51:21 -05:00
|
|
|
print('\n# Example: Firewall rule {} is deleted'.format(
|
|
|
|
|
self.rule_name))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
def print_output(self, rule):
|
2018-11-22 02:51:21 -05:00
|
|
|
print(
|
|
|
|
|
'Name: {}, Action: {}, Source IPs: {}, Destination IPs: {},Service Protocol: {}, Service Port: {}'
|
|
|
|
|
.format(rule.name, rule.action, rule.source.ip_address,
|
|
|
|
|
rule.destination.ip_address,
|
|
|
|
|
rule.application.service[0].protocol,
|
|
|
|
|
rule.application.service[0].port))
|
2018-03-08 16:02:07 -05:00
|
|
|
|
|
|
|
|
|
|
|
|
|
def main():
|
|
|
|
|
firewall_rules = FirewallRulesCrud()
|
|
|
|
|
firewall_rules.setup()
|
|
|
|
|
firewall_rules.create_firewall_rule()
|
|
|
|
|
firewall_rules.get_firewall_rule()
|
|
|
|
|
firewall_rules.update_firewall_rule()
|
|
|
|
|
firewall_rules.delete_firewall_rule()
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if __name__ == '__main__':
|
|
|
|
|
main()
|
