diff options
Diffstat (limited to 'ansible_collections/cisco/meraki/plugins')
48 files changed, 17527 insertions, 0 deletions
diff --git a/ansible_collections/cisco/meraki/plugins/doc_fragments/__init__.py b/ansible_collections/cisco/meraki/plugins/doc_fragments/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/doc_fragments/__init__.py diff --git a/ansible_collections/cisco/meraki/plugins/doc_fragments/meraki.py b/ansible_collections/cisco/meraki/plugins/doc_fragments/meraki.py new file mode 100644 index 00000000..d6d456f1 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/doc_fragments/meraki.py @@ -0,0 +1,84 @@ +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + + +class ModuleDocFragment(object): + # Standard files for documentation fragment + DOCUMENTATION = r''' +notes: +- More information about the Meraki API can be found at U(https://dashboard.meraki.com/api_docs). +- Some of the options are likely only used for developers within Meraki. +- As of Ansible 2.9, Meraki modules output keys as snake case. To use camel case, set the C(ANSIBLE_MERAKI_FORMAT) environment variable to C(camelcase). +- Ansible's Meraki modules will stop supporting camel case output in Ansible 2.13. Please update your playbooks. +- Check Mode downloads the current configuration from the dashboard, then compares changes against this download. Check Mode will report changed if + there are differences in the configurations, but does not submit changes to the API for validation of change. +options: + auth_key: + description: + - Authentication key provided by the dashboard. Required if environmental variable C(MERAKI_KEY) is not set. + type: str + required: yes + host: + description: + - Hostname for Meraki dashboard. + - Can be used to access regional Meraki environments, such as China. + type: str + default: api.meraki.com + use_proxy: + description: + - If C(no), it will not use a proxy, even if one is defined in an environment variable on the target hosts. + type: bool + default: False + use_https: + description: + - If C(no), it will use HTTP. Otherwise it will use HTTPS. + - Only useful for internal Meraki developers. + type: bool + default: yes + output_format: + description: + - Instructs module whether response keys should be snake case (ex. C(net_id)) or camel case (ex. C(netId)). + type: str + choices: [snakecase, camelcase] + default: snakecase + output_level: + description: + - Set amount of debug output during module execution. + type: str + choices: [ debug, normal ] + default: normal + timeout: + description: + - Time to timeout for HTTP requests. + type: int + default: 30 + validate_certs: + description: + - Whether to validate HTTP certificates. + type: bool + default: yes + org_name: + description: + - Name of organization. + type: str + aliases: [ organization ] + org_id: + description: + - ID of organization. + type: str + rate_limit_retry_time: + description: + - Number of seconds to retry if rate limiter is triggered. + type: int + default: 165 + internal_error_retry_time: + description: + - Number of seconds to retry if server returns an internal server error. + type: int + default: 60 +''' diff --git a/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/__init__.py b/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/__init__.py diff --git a/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/meraki.py b/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/meraki.py new file mode 100644 index 00000000..4bb05962 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/module_utils/network/meraki/meraki.py @@ -0,0 +1,539 @@ +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +import time +import re +from ansible.module_utils.basic import json, env_fallback +from ansible.module_utils.common.dict_transformations import camel_dict_to_snake_dict, snake_dict_to_camel_dict, recursive_diff +from ansible.module_utils.urls import fetch_url +from ansible.module_utils.six.moves.urllib.parse import urlencode +from ansible.module_utils._text import to_native + + +RATE_LIMIT_RETRY_MULTIPLIER = 3 +INTERNAL_ERROR_RETRY_MULTIPLIER = 3 + + +def meraki_argument_spec(): + return dict(auth_key=dict(type='str', no_log=True, fallback=(env_fallback, ['MERAKI_KEY']), required=True), + host=dict(type='str', default='api.meraki.com'), + use_proxy=dict(type='bool', default=False), + use_https=dict(type='bool', default=True), + validate_certs=dict(type='bool', default=True), + output_format=dict(type='str', choices=['camelcase', 'snakecase'], default='snakecase', fallback=(env_fallback, ['ANSIBLE_MERAKI_FORMAT'])), + output_level=dict(type='str', default='normal', choices=['normal', 'debug']), + timeout=dict(type='int', default=30), + org_name=dict(type='str', aliases=['organization']), + org_id=dict(type='str'), + rate_limit_retry_time=dict(type='int', default=165), + internal_error_retry_time=dict(type='int', default=60) + ) + + +class RateLimitException(Exception): + def __init__(self, *args, **kwargs): + Exception.__init__(self, *args, **kwargs) + + +class InternalErrorException(Exception): + def __init__(self, *args, **kwargs): + Exception.__init__(self, *args, **kwargs) + + +class HTTPError(Exception): + def __init__(self, *args, **kwargs): + Exception.__init__(self, *args, **kwargs) + + +class MerakiModule(object): + + def __init__(self, module, function=None): + self.module = module + self.params = module.params + self.result = dict(changed=False) + self.headers = dict() + self.function = function + self.orgs = None + self.nets = None + self.org_id = None + self.net_id = None + self.check_mode = module.check_mode + self.key_map = {} + self.request_attempts = 0 + + # normal output + self.existing = None + + # info output + self.config = dict() + self.original = None + self.proposed = dict() + self.merged = None + self.ignored_keys = ['id', 'organizationId'] + + # debug output + self.filter_string = '' + self.method = None + self.path = None + self.response = None + self.status = None + self.url = None + self.body = None + + # rate limiting statistics + self.retry = 0 + self.retry_time = 0 + + # If URLs need to be modified or added for specific purposes, use .update() on the url_catalog dictionary + self.get_urls = {'organizations': '/organizations', + 'network': '/organizations/{org_id}/networks', + 'admins': '/organizations/{org_id}/admins', + 'configTemplates': '/organizations/{org_id}/configTemplates', + 'samlymbols': '/organizations/{org_id}/samlRoles', + 'ssids': '/networks/{net_id}/ssids', + 'groupPolicies': '/networks/{net_id}/groupPolicies', + 'staticRoutes': '/networks/{net_id}/staticRoutes', + 'vlans': '/networks/{net_id}/vlans', + 'devices': '/networks/{net_id}/devices', + } + + # Used to retrieve only one item + self.get_one_urls = {'organizations': '/organizations/{org_id}', + 'network': '/networks/{net_id}', + } + + # Module should add URLs which are required by the module + self.url_catalog = {'get_all': self.get_urls, + 'get_one': self.get_one_urls, + 'create': None, + 'update': None, + 'delete': None, + 'misc': None, + } + + if self.module._debug or self.params['output_level'] == 'debug': + self.module.warn('Enable debug output because ANSIBLE_DEBUG was set or output_level is set to debug.') + + # TODO: This should be removed as org_name isn't always required + self.module.required_if = [('state', 'present', ['org_name']), + ('state', 'absent', ['org_name']), + ] + # self.module.mutually_exclusive = [('org_id', 'org_name'), + # ] + self.modifiable_methods = ['POST', 'PUT', 'DELETE'] + + self.headers = {'Content-Type': 'application/json', + 'Authorization': 'Bearer {key}'.format(key=module.params['auth_key']), + } + + def define_protocol(self): + """Set protocol based on use_https parameters.""" + if self.params['use_https'] is True: + self.params['protocol'] = 'https' + else: + self.params['protocol'] = 'http' + + def sanitize_keys(self, data): + if isinstance(data, dict): + items = {} + for k, v in data.items(): + try: + items[self.key_map[k]] = self.sanitize_keys(data[k]) + except KeyError: + snake_k = re.sub('([a-z0-9])([A-Z])', r'\1_\2', k).lower() + # new = {snake_k: data[k]} + items[snake_k] = self.sanitize_keys(data[k]) + return items + elif isinstance(data, list): + items = [] + for i in data: + items.append(self.sanitize_keys(i)) + return items + elif isinstance(data, int) or isinstance(data, str) or isinstance(data, float): + return data + + def is_update_required(self, original, proposed, optional_ignore=None, force_include=None, debug=False): + ''' Compare two data-structures ''' + self.ignored_keys.append('net_id') + if force_include is not None: + if force_include in self.ignored_keys: + self.ignored_keys.remove(force_include) + if optional_ignore is not None: + # self.fail_json(msg="Keys", ignored_keys=self.ignored_keys, optional=optional_ignore) + self.ignored_keys = self.ignored_keys + optional_ignore + + if isinstance(original, list): + if len(original) != len(proposed): + if debug is True: + self.fail_json(msg="Length of lists don't match") + return True + for a, b in zip(original, proposed): + if self.is_update_required(a, b, debug=debug): + if debug is True: + self.fail_json(msg="List doesn't match", a=a, b=b) + return True + elif isinstance(original, dict): + try: + for k, v in proposed.items(): + if k not in self.ignored_keys: + if k in original: + if self.is_update_required(original[k], proposed[k], debug=debug): + return True + else: + if debug is True: + self.fail_json(msg="Key not in original", k=k) + return True + except AttributeError: + return True + else: + if original != proposed: + if debug is True: + self.fail_json(msg="Fallback", original=original, proposed=proposed) + return True + return False + + def generate_diff(self, before, after): + """Creates a diff based on two objects. Applies to the object and returns nothing. + """ + try: + diff = recursive_diff(before, after) + self.result['diff'] = {'before': diff[0], + 'after': diff[1]} + except AttributeError: # Normally for passing a list instead of a dict + diff = recursive_diff({'data': before}, + {'data': after}) + self.result['diff'] = {'before': diff[0]['data'], + 'after': diff[1]['data']} + + def get_orgs(self): + """Downloads all organizations for a user.""" + response = self.request('/organizations', method='GET') + if self.status != 200: + self.fail_json(msg='Organization lookup failed') + self.orgs = response + return self.orgs + + def is_org_valid(self, data, org_name=None, org_id=None): + """Checks whether a specific org exists and is duplicated. + + If 0, doesn't exist. 1, exists and not duplicated. >1 duplicated. + """ + org_count = 0 + if org_name is not None: + for o in data: + if o['name'] == org_name: + org_count += 1 + if org_id is not None: + for o in data: + if o['id'] == org_id: + org_count += 1 + return org_count + + def get_org_id(self, org_name): + """Returns an organization id based on organization name, only if unique. + + If org_id is specified as parameter, return that instead of a lookup. + """ + orgs = self.get_orgs() + # self.fail_json(msg='ogs', orgs=orgs) + if self.params['org_id'] is not None: + if self.is_org_valid(orgs, org_id=self.params['org_id']) is True: + return self.params['org_id'] + org_count = self.is_org_valid(orgs, org_name=org_name) + if org_count == 0: + self.fail_json(msg='There are no organizations with the name {org_name}'.format(org_name=org_name)) + if org_count > 1: + self.fail_json(msg='There are multiple organizations with the name {org_name}'.format(org_name=org_name)) + elif org_count == 1: + for i in orgs: + if org_name == i['name']: + # self.fail_json(msg=i['id']) + return str(i['id']) + + def get_nets(self, org_name=None, org_id=None): + """Downloads all networks in an organization.""" + if org_name: + org_id = self.get_org_id(org_name) + path = self.construct_path('get_all', org_id=org_id, function='network', params={'perPage': '1000'}) + r = self.request(path, method='GET', pagination_items=1000) + if self.status != 200: + self.fail_json(msg='Network lookup failed') + self.nets = r + templates = self.get_config_templates(org_id) + for t in templates: + self.nets.append(t) + return self.nets + + def get_net(self, org_name, net_name=None, org_id=None, data=None, net_id=None): + ''' Return network information ''' + if not data: + if not org_id: + org_id = self.get_org_id(org_name) + data = self.get_nets(org_id=org_id) + for n in data: + if net_id: + if n['id'] == net_id: + return n + elif net_name: + if n['name'] == net_name: + return n + return False + + def get_net_id(self, org_name=None, net_name=None, data=None): + """Return network id from lookup or existing data.""" + if data is None: + self.fail_json(msg='Must implement lookup') + for n in data: + if n['name'] == net_name: + return n['id'] + self.fail_json(msg='No network found with the name {0}'.format(net_name)) + + def get_config_templates(self, org_id): + path = self.construct_path('get_all', function='configTemplates', org_id=org_id) + response = self.request(path, 'GET') + if self.status != 200: + self.fail_json(msg='Unable to get configuration templates') + return response + + def get_template_id(self, name, data): + for template in data: + if name == template['name']: + return template['id'] + self.fail_json(msg='No configuration template named {0} found'.format(name)) + + def convert_camel_to_snake(self, data): + """ + Converts a dictionary or list to snake case from camel case + :type data: dict or list + :return: Converted data structure, if list or dict + """ + + if isinstance(data, dict): + return camel_dict_to_snake_dict(data, ignore_list=('tags', 'tag')) + elif isinstance(data, list): + return [camel_dict_to_snake_dict(item, ignore_list=('tags', 'tag')) for item in data] + else: + return data + + def convert_snake_to_camel(self, data): + """ + Converts a dictionary or list to camel case from snake case + :type data: dict or list + :return: Converted data structure, if list or dict + """ + + if isinstance(data, dict): + return snake_dict_to_camel_dict(data) + elif isinstance(data, list): + return [snake_dict_to_camel_dict(item) for item in data] + else: + return data + + def construct_params_list(self, keys, aliases=None): + qs = {} + for key in keys: + if key in aliases: + qs[aliases[key]] = self.module.params[key] + else: + qs[key] = self.module.params[key] + return qs + + def encode_url_params(self, params): + """Encodes key value pairs for URL""" + return "?{0}".format(urlencode(params)) + + def construct_path(self, + action, + function=None, + org_id=None, + net_id=None, + org_name=None, + custom=None, + params=None): + """Build a path from the URL catalog. + Uses function property from class for catalog lookup. + """ + built_path = None + if function is None: + built_path = self.url_catalog[action][self.function] + else: + built_path = self.url_catalog[action][function] + if org_name: + org_id = self.get_org_id(org_name) + if custom: + built_path = built_path.format(org_id=org_id, net_id=net_id, **custom) + else: + built_path = built_path.format(org_id=org_id, net_id=net_id) + if params: + built_path += self.encode_url_params(params) + return built_path + + def _set_url(self, path, method, params): + self.path = path + self.define_protocol() + + if method is not None: + self.method = method + + self.url = '{protocol}://{host}/api/v1/{path}'.format(path=self.path.lstrip('/'), **self.params) + + @staticmethod + def _parse_pagination_header(link): + rels = {'first': None, + 'next': None, + 'prev': None, + 'last': None + } + for rel in link.split(','): + kv = rel.split('rel=') + rels[kv[1]] = kv[0].split('<')[1].split('>')[0].strip() # This should return just the URL for <url> + return rels + + def _execute_request(self, path, method=None, payload=None, params=None): + """ Execute query """ + try: + resp, info = fetch_url(self.module, self.url, + headers=self.headers, + data=payload, + method=self.method, + timeout=self.params['timeout'], + use_proxy=self.params['use_proxy'], + ) + self.status = info['status'] + + if self.status == 429: + self.retry += 1 + if self.retry <= 10: + # retry-after isn't returned for over 10 concurrent connections per IP + try: + self.module.warn("Rate limiter hit, retry {0}...pausing for {1} seconds".format(self.retry, info['Retry-After'])) + time.sleep(info['Retry-After']) + except KeyError: + self.module.warn("Rate limiter hit, retry {0}...pausing for 5 seconds".format(self.retry)) + time.sleep(5) + return self._execute_request(path, method=method, payload=payload, params=params) + else: + self.fail_json(msg="Rate limit retries failed for {url}".format(url=self.url)) + elif self.status == 500: + self.retry += 1 + self.module.warn("Internal server error 500, retry {0}".format(self.retry)) + if self.retry <= 10: + self.retry_time += self.retry * INTERNAL_ERROR_RETRY_MULTIPLIER + time.sleep(self.retry_time) + return self._execute_request(path, method=method, payload=payload, params=params) + else: + # raise RateLimitException(e) + self.fail_json(msg="Rate limit retries failed for {url}".format(url=self.url)) + elif self.status == 502: + self.module.warn("Internal server error 502, retry {0}".format(self.retry)) + elif self.status == 400: + raise HTTPError("") + elif self.status >= 400: + self.fail_json(msg=self.status, url=self.url) + raise HTTPError("") + except HTTPError: + try: + self.fail_json(msg="HTTP error {0} - {1} - {2}".format(self.status, self.url, json.loads(info['body'])['errors'][0])) + except json.decoder.JSONDecodeError: + self.fail_json(msg="HTTP error {0} - {1}".format(self.status, self.url)) + self.retry = 0 # Needs to reset in case of future retries + return resp, info + + def request(self, path, method=None, payload=None, params=None, pagination_items=None): + """ Submit HTTP request to Meraki API """ + self._set_url(path, method, params) + + try: + # Gather the body (resp) and header (info) + resp, info = self._execute_request(path, method=method, payload=payload, params=params) + except HTTPError: + self.fail_json(msg="HTTP request to {url} failed with error code {code}".format(url=self.url, code=self.status)) + self.response = info['msg'] + self.status = info['status'] + # This needs to be refactored as it's not very clean + # Looping process for pagination + if pagination_items is not None: + data = None + if 'body' in info: + self.body = info['body'] + try: + data = json.loads(to_native(resp.read())) + except AttributeError: + self.fail_json(msg="Failure occurred during pagination", + response=self.response, + status=self.status, + body=self.body + ) + header_link = self._parse_pagination_header(info['link']) + while header_link['next'] is not None: + self.url = header_link['next'] + try: + # Gather the body (resp) and header (info) + resp, info = self._execute_request(header_link['next'], method=method, payload=payload, params=params) + except HTTPError: + self.fail_json(msg="HTTP request to {url} failed with error code {code}".format(url=self.url, code=self.status)) + header_link = self._parse_pagination_header(info['link']) + try: + data.extend(json.loads(to_native(resp.read()))) + except AttributeError: + self.fail_json(msg="Failure occurred during pagination", + response=self.response, + status=self.status, + body=self.body + ) + return data + else: # Non-pagination + if 'body' in info: + self.body = info['body'] + try: + return json.loads(to_native(resp.read())) + except json.decoder.JSONDecodeError: + return {} + except AttributeError: + self.fail_json(msg="Failure occurred", + response=self.response, + status=self.status, + body=self.body + ) + + def exit_json(self, **kwargs): + """Custom written method to exit from module.""" + self.result['response'] = self.response + self.result['status'] = self.status + if self.retry > 0: + self.module.warn("Rate limiter triggered - retry count {0}".format(self.retry)) + # Return the gory details when we need it + if self.params['output_level'] == 'debug': + self.result['method'] = self.method + self.result['url'] = self.url + self.result.update(**kwargs) + if self.params['output_format'] == 'camelcase': + self.module.deprecate("Update your playbooks to support snake_case format instead of camelCase format.", + date="2022-06-01", + collection_name="cisco.meraki") + else: + if 'data' in self.result: + try: + self.result['data'] = self.convert_camel_to_snake(self.result['data']) + self.result['diff'] = self.convert_camel_to_snake(self.result['diff']) + except (KeyError, AttributeError): + pass + self.module.exit_json(**self.result) + + def fail_json(self, msg, **kwargs): + """Custom written method to return info on failure.""" + self.result['response'] = self.response + self.result['status'] = self.status + + if self.params['output_level'] == 'debug': + if self.url is not None: + self.result['method'] = self.method + self.result['url'] = self.url + + self.result.update(**kwargs) + self.module.fail_json(msg=msg, **self.result) diff --git a/ansible_collections/cisco/meraki/plugins/modules/__init__.py b/ansible_collections/cisco/meraki/plugins/modules/__init__.py new file mode 100644 index 00000000..e69de29b --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/__init__.py diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_action_batch.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_action_batch.py new file mode 100644 index 00000000..3e0bed93 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_action_batch.py @@ -0,0 +1,394 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2021, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_action_batch +short_description: Manage Action Batch jobs within the Meraki Dashboard. +description: +- Allows for management of Action Batch jobs for Meraki. +notes: +- This module is in active development and the interface may change. +options: + state: + description: + - Specifies whether to lookup, create, or delete an Action Batch job. + choices: ['query', 'present', 'absent'] + default: present + type: str + net_name: + description: + - Name of network, if applicable. + type: str + net_id: + description: + - ID of network, if applicable. + type: str + action_batch_id: + description: + - ID of an existing Action Batch job. + type: str + confirmed: + description: + - Whether job is to be executed. + type: bool + default: False + synchronous: + description: + - Whether job is a synchronous or asynchronous job. + type: bool + default: True + actions: + description: + - List of actions the job should execute. + type: list + elements: dict + suboptions: + operation: + description: + - Operation type of action + type: str + choices: [ + 'create', + 'destroy', + 'update', + 'claim', + 'bind', + 'split', + 'unbind', + 'combine', + 'update_order', + 'cycle', + 'swap', + 'assignSeats', + 'move', + 'moveSeats', + 'renewSeats' + ] + resource: + description: + - Path to Action Batch resource. + type: str + body: + description: + - Required body of action. + type: raw +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + + +EXAMPLES = r""" + - name: Query all Action Batches + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: query + delegate_to: localhost + + - name: Query one Action Batch job + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: query + action_batch_id: 12345 + delegate_to: localhost + + - name: Create an Action Batch job + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: present + actions: + - resource: '/organizations/org_123/networks' + operation: 'create' + body: + name: 'AnsibleActionBatch1' + productTypes: + - 'switch' + delegate_to: localhost + + - name: Update Action Batch job + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: present + action_batch_id: 12345 + synchronous: false + + - name: Create an Action Batch job with multiple actions + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: present + actions: + - resource: '/organizations/org_123/networks' + operation: 'create' + body: + name: 'AnsibleActionBatch2' + productTypes: + - 'switch' + - resource: '/organizations/org_123/networks' + operation: 'create' + body: + name: 'AnsibleActionBatch3' + productTypes: + - 'switch' + delegate_to: localhost + + - name: Delete an Action Batch job + meraki_action_batch: + auth_key: abc123 + org_name: YourOrg + state: absent + action_batch_id: 12345 + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about action batch jobs. + type: complex + returned: always + contains: + id: + description: Unique ID of action batch job. + returned: success + type: str + sample: 123 + organization_id: + description: Unique ID of organization which owns batch job. + returned: success + type: str + sample: 2930418 + confirmed: + description: Whether action batch job was confirmed for execution. + returned: success + type: bool + synchronous: + description: Whether action batch job executes synchronously or asynchronously. + returned: success + type: bool + status: + description: Information about the action batch job state. + type: complex + contains: + completed: + description: Whether job has completed. + type: bool + returned: success + failed: + description: Whether execution of action batch job failed. + type: bool + returned: success + errors: + description: List of errors, if any, created during execution. + type: list + returned: success + created_resources: + description: List of resources created during execution. + type: list + returned: success + sample: [{"id": 100, "uri": "/networks/L_XXXXX/groupPolicies/100"}] + actions: + description: List of actions associated to job. + type: dict +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import snake_dict_to_camel_dict +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def _construct_payload(meraki): + payload = dict() + payload["confirmed"] = meraki.params["confirmed"] + payload["synchronous"] = meraki.params["synchronous"] + if meraki.params["actions"] is not None: # No payload is specified for an update + payload["actions"] = list() + for action in meraki.params["actions"]: + action_detail = dict() + if action["resource"] is not None: + action_detail["resource"] = action["resource"] + if action["operation"] is not None: + action_detail["operation"] = action["operation"] + if action["body"] is not None: + action_detail["body"] = action["body"] + payload["actions"].append(action_detail) + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + actions_arg_spec = dict( + operation=dict( + type="str", + choices=[ + "create", + "destroy", + "update", + "claim", + "bind", + "split", + "unbind", + "combine", + "update_order", + "cycle", + "swap", + "assignSeats", + "move", + "moveSeats", + "renewSeats", + ], + ), + resource=dict(type="str"), + body=dict(type="raw"), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict( + type="str", choices=["present", "query", "absent"], default="present" + ), + net_name=dict(type="str"), + net_id=dict(type="str"), + action_batch_id=dict(type="str", default=None), + confirmed=dict(type="bool", default=False), + synchronous=dict(type="bool", default=True), + actions=dict( + type="list", default=None, elements="dict", options=actions_arg_spec + ), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="action_batch") + meraki.params["follow_redirects"] = "all" + + query_urls = {"action_batch": "/organizations/{org_id}/actionBatches"} + query_one_urls = { + "action_batch": "/organizations/{org_id}/actionBatches/{action_batch_id}" + } + create_urls = {"action_batch": "/organizations/{org_id}/actionBatches"} + update_urls = { + "action_batch": "/organizations/{org_id}/actionBatches/{action_batch_id}" + } + delete_urls = { + "action_batch": "/organizations/{org_id}/actionBatches/{action_batch_id}" + } + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_one"].update(query_one_urls) + meraki.url_catalog["create"] = create_urls + meraki.url_catalog["update"] = update_urls + meraki.url_catalog["delete"] = delete_urls + + payload = None + + if not meraki.params["org_name"] and not meraki.params["org_id"]: + meraki.fail_json(msg="org_name or org_id is required") + + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + + if meraki.params["state"] == "query": + if meraki.params["action_batch_id"] is None: # Get all Action Batches + path = meraki.construct_path("get_all", org_id=org_id) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + elif meraki.params["action_batch_id"] is not None: # Query one Action Batch job + path = meraki.construct_path( + "get_one", + org_id=org_id, + custom={"action_batch_id": meraki.params["action_batch_id"]}, + ) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + if meraki.params["action_batch_id"] is None: # Create a new Action Batch job + payload = _construct_payload(meraki) + path = meraki.construct_path("create", org_id=org_id) + response = meraki.request(path, method="POST", payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + elif meraki.params["action_batch_id"] is not None: + path = meraki.construct_path( + "get_one", + org_id=org_id, + custom={"action_batch_id": meraki.params["action_batch_id"]}, + ) + current = meraki.request(path, method="GET") + payload = _construct_payload(meraki) + if ( + meraki.params["actions"] is not None + ): # Cannot update the body once a job is submitted + meraki.fail_json(msg="Body cannot be updated on existing job.") + if ( + meraki.is_update_required(current, payload) is True + ): # Job needs to be modified + path = meraki.construct_path( + "update", + org_id=org_id, + custom={"action_batch_id": meraki.params["action_batch_id"]}, + ) + response = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + if meraki.status == 200: + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: # Idempotent response + meraki.result["data"] = current + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "absent": + path = meraki.construct_path( + "delete", + org_id=org_id, + custom={"action_batch_id": meraki.params["action_batch_id"]}, + ) + response = meraki.request(path, method="DELETE") + if meraki.status == 204: + meraki.result["data"] = response + meraki.result["changed"] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_admin.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_admin.py new file mode 100644 index 00000000..e554bb00 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_admin.py @@ -0,0 +1,504 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_admin +short_description: Manage administrators in the Meraki cloud +version_added: '1.0.0' +description: +- Allows for creation, management, and visibility into administrators within Meraki. +options: + name: + description: + - Name of the dashboard administrator. + - Required when creating a new administrator. + type: str + email: + description: + - Email address for the dashboard administrator. + - Email cannot be updated. + - Required when creating or editing an administrator. + type: str + org_access: + description: + - Privileges assigned to the administrator in the organization. + aliases: [ orgAccess ] + choices: [ full, none, read-only ] + type: str + tags: + description: + - Tags the administrator has privileges on. + - When creating a new administrator, C(org_name), C(network), or C(tags) must be specified. + - If C(none) is specified, C(network) or C(tags) must be specified. + type: list + elements: dict + suboptions: + tag: + description: + - Object tag which privileges should be assigned. + type: str + access: + description: + - The privilege of the dashboard administrator for the tag. + type: str + networks: + description: + - List of networks the administrator has privileges on. + - When creating a new administrator, C(org_name), C(network), or C(tags) must be specified. + type: list + elements: dict + suboptions: + id: + description: + - Network ID for which administrator should have privileges assigned. + type: str + network: + description: + - Network name for which administrator should have privileges assigned. + type: str + access: + description: + - The privilege of the dashboard administrator on the network. + - Valid options are C(full), C(read-only), or C(none). + type: str + state: + description: + - Create or modify, or delete an organization + - If C(state) is C(absent), name takes priority over email if both are specified. + choices: [ absent, present, query ] + required: true + type: str + org_name: + description: + - Name of organization. + - Used when C(name) should refer to another object. + - When creating a new administrator, C(org_name), C(network), or C(tags) must be specified. + aliases: ['organization'] + type: str +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query information about all administrators associated to the organization + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Query information about a single administrator by name + meraki_admin: + auth_key: abc12345 + org_id: 12345 + state: query + name: Jane Doe + +- name: Query information about a single administrator by email + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: query + email: jane@doe.com + +- name: Create new administrator with organization access + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: present + name: Jane Doe + org_access: read-only + email: jane@doe.com + +- name: Create new administrator with organization access + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: present + name: Jane Doe + org_access: read-only + email: jane@doe.com + +- name: Create a new administrator with organization access + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: present + name: Jane Doe + org_access: read-only + email: jane@doe.com + +- name: Revoke access to an organization for an administrator + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: absent + email: jane@doe.com + +- name: Create a new administrator with full access to two tags + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: present + name: Jane Doe + orgAccess: read-only + email: jane@doe.com + tags: + - tag: tenant + access: full + - tag: corporate + access: read-only + +- name: Create a new administrator with full access to a network + meraki_admin: + auth_key: abc12345 + org_name: YourOrg + state: present + name: Jane Doe + orgAccess: read-only + email: jane@doe.com + networks: + - id: N_12345 + access: full +''' + +RETURN = r''' +data: + description: List of administrators. + returned: success + type: complex + contains: + email: + description: Email address of administrator. + returned: success + type: str + sample: your@email.com + id: + description: Unique identification number of administrator. + returned: success + type: str + sample: 1234567890 + name: + description: Given name of administrator. + returned: success + type: str + sample: John Doe + account_status: + description: Status of account. + returned: success + type: str + sample: ok + two_factor_auth_enabled: + description: Enabled state of two-factor authentication for administrator. + returned: success + type: bool + sample: false + has_api_key: + description: Defines whether administrator has an API assigned to their account. + returned: success + type: bool + sample: false + last_active: + description: Date and time of time the administrator was active within Dashboard. + returned: success + type: str + sample: 2019-01-28 14:58:56 -0800 + networks: + description: List of networks administrator has access on. + returned: success + type: complex + contains: + id: + description: The network ID. + returned: when network permissions are set + type: str + sample: N_0123456789 + access: + description: Access level of administrator. Options are 'full', 'read-only', or 'none'. + returned: when network permissions are set + type: str + sample: read-only + tags: + description: Tags the administrator has access on. + returned: success + type: complex + contains: + tag: + description: Tag name. + returned: when tag permissions are set + type: str + sample: production + access: + description: Access level of administrator. Options are 'full', 'read-only', or 'none'. + returned: when tag permissions are set + type: str + sample: full + org_access: + description: The privilege of the dashboard administrator on the organization. Options are 'full', 'read-only', or 'none'. + returned: success + type: str + sample: full + +''' + +import os +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_admins(meraki, org_id): + admins = meraki.request( + meraki.construct_path( + 'query', + function='admin', + org_id=org_id + ), + method='GET' + ) + if meraki.status == 200: + return admins + + +def get_admin_id(meraki, data, name=None, email=None): + admin_id = None + for a in data: + if meraki.params['name'] is not None: + if meraki.params['name'] == a['name']: + if admin_id is not None: + meraki.fail_json(msg='There are multiple administrators with the same name') + else: + admin_id = a['id'] + elif meraki.params['email']: + if meraki.params['email'] == a['email']: + return a['id'] + if admin_id is None: + meraki.fail_json(msg='No admin_id found') + return admin_id + + +def get_admin(meraki, data, id): + for a in data: + if a['id'] == id: + return a + meraki.fail_json(msg='No admin found by specified name or email') + + +def find_admin(meraki, data, email): + for a in data: + if a['email'] == email: + return a + return None + + +def delete_admin(meraki, org_id, admin_id): + path = meraki.construct_path('revoke', 'admin', org_id=org_id) + admin_id + r = meraki.request(path, + method='DELETE' + ) + if meraki.status == 204: + return r + + +def network_factory(meraki, networks, nets): + networks_new = [] + for n in networks: + if 'network' in n and n['network'] is not None: + networks_new.append({'id': meraki.get_net_id(org_name=meraki.params['org_name'], + net_name=n['network'], + data=nets), + 'access': n['access'] + }) + elif 'id' in n: + networks_new.append({'id': n['id'], + 'access': n['access'] + }) + + return networks_new + + +def create_admin(meraki, org_id, name, email): + payload = dict() + payload['name'] = name + payload['email'] = email + + is_admin_existing = find_admin(meraki, get_admins(meraki, org_id), email) + + if meraki.params['org_access'] is not None: + payload['orgAccess'] = meraki.params['org_access'] + if meraki.params['tags'] is not None: + payload['tags'] = meraki.params['tags'] + if meraki.params['networks'] is not None: + nets = meraki.get_nets(org_id=org_id) + networks = network_factory(meraki, meraki.params['networks'], nets) + payload['networks'] = networks + if is_admin_existing is None: # Create new admin + if meraki.module.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('create', function='admin', org_id=org_id) + r = meraki.request(path, + method='POST', + payload=json.dumps(payload) + ) + if meraki.status == 201: + meraki.result['changed'] = True + return r + elif is_admin_existing is not None: # Update existing admin + if not meraki.params['tags']: + payload['tags'] = [] + if not meraki.params['networks']: + payload['networks'] = [] + if meraki.is_update_required(is_admin_existing, payload) is True: + if meraki.module.check_mode is True: + meraki.generate_diff(is_admin_existing, payload) + is_admin_existing.update(payload) + meraki.result['changed'] = True + meraki.result['data'] = payload + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', function='admin', org_id=org_id) + is_admin_existing['id'] + r = meraki.request(path, + method='PUT', + payload=json.dumps(payload) + ) + if meraki.status == 200: + meraki.result['changed'] = True + return r + else: + meraki.result['data'] = is_admin_existing + if meraki.module.check_mode is True: + meraki.result['data'] = payload + meraki.exit_json(**meraki.result) + return -1 + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + network_arg_spec = dict(id=dict(type='str'), + network=dict(type='str'), + access=dict(type='str'), + ) + + tag_arg_spec = dict(tag=dict(type='str'), + access=dict(type='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query', 'absent'], required=True), + name=dict(type='str'), + email=dict(type='str'), + org_access=dict(type='str', aliases=['orgAccess'], choices=['full', 'read-only', 'none']), + tags=dict(type='list', elements='dict', options=tag_arg_spec), + networks=dict(type='list', elements='dict', options=network_arg_spec), + org_name=dict(type='str', aliases=['organization']), + org_id=dict(type='str'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='admin') + + meraki.function = 'admin' + meraki.params['follow_redirects'] = 'all' + + query_urls = {'admin': '/organizations/{org_id}/admins', + } + create_urls = {'admin': '/organizations/{org_id}/admins', + } + update_urls = {'admin': '/organizations/{org_id}/admins/', + } + revoke_urls = {'admin': '/organizations/{org_id}/admins/', + } + + meraki.url_catalog['query'] = query_urls + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['update'] = update_urls + meraki.url_catalog['revoke'] = revoke_urls + + try: + meraki.params['auth_key'] = os.environ['MERAKI_KEY'] + except KeyError: + pass + + # if the user is working with this module in only check mode we do not + # want to make any changes to the environment, just return the current + # state with no modifications + + # execute checks for argument completeness + if meraki.params['state'] == 'query': + meraki.mututally_exclusive = ['name', 'email'] + if not meraki.params['org_name'] and not meraki.params['org_id']: + meraki.fail_json(msg='org_name or org_id required') + meraki.required_if = [(['state'], ['absent'], ['email']), + ] + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if not meraki.params['org_id']: + org_id = meraki.get_org_id(meraki.params['org_name']) + if meraki.params['state'] == 'query': + admins = get_admins(meraki, org_id) + if not meraki.params['name'] and not meraki.params['email']: # Return all admins for org + meraki.result['data'] = admins + if meraki.params['name'] is not None: # Return a single admin for org + admin_id = get_admin_id(meraki, admins, name=meraki.params['name']) + meraki.result['data'] = admin_id + admin = get_admin(meraki, admins, admin_id) + meraki.result['data'] = admin + elif meraki.params['email'] is not None: + admin_id = get_admin_id(meraki, admins, email=meraki.params['email']) + meraki.result['data'] = admin_id + admin = get_admin(meraki, admins, admin_id) + meraki.result['data'] = admin + elif meraki.params['state'] == 'present': + r = create_admin(meraki, + org_id, + meraki.params['name'], + meraki.params['email'], + ) + if r != -1: + meraki.result['data'] = r + elif meraki.params['state'] == 'absent': + if meraki.module.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + admin_id = get_admin_id(meraki, + get_admins(meraki, org_id), + email=meraki.params['email'] + ) + r = delete_admin(meraki, org_id, admin_id) + + if r != -1: + meraki.result['data'] = r + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_alert.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_alert.py new file mode 100644 index 00000000..e9dfe0f1 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_alert.py @@ -0,0 +1,395 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, 2019 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_alert +version_added: "2.1.0" +short_description: Manage alerts in the Meraki cloud +description: +- Allows for creation, management, and visibility into alert settings within Meraki. +options: + state: + description: + - Create or modify an alert. + choices: [ present, query ] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [ name, network ] + type: str + net_id: + description: + - ID number of a network. + type: str + default_destinations: + description: + - Properties for destinations when alert specific destinations aren't specified. + type: dict + suboptions: + all_admins: + description: + - If true, all network admins will receive emails. + type: bool + snmp: + description: + - If true, then an SNMP trap will be sent if there is an SNMP trap server configured for this network. + type: bool + emails: + description: + - A list of emails that will recieve the alert(s). + type: list + elements: str + http_server_ids: + description: + - A list of HTTP server IDs to send a Webhook to. + type: list + elements: str + alerts: + description: + - Alert-specific configuration for each type. + type: list + elements: dict + suboptions: + alert_type: + description: + - The type of alert. + type: str + enabled: + description: + - A boolean depicting if the alert is turned on or off. + type: bool + filters: + description: + - A hash of specific configuration data for the alert. Only filters specific to the alert will be updated. + - No validation checks occur against C(filters). + type: raw + default: {} + alert_destinations: + description: + - A hash of destinations for this specific alert. + type: dict + suboptions: + all_admins: + description: + - If true, all network admins will receive emails. + type: bool + snmp: + description: + - If true, then an SNMP trap will be sent if there is an SNMP trap server configured for this network. + type: bool + emails: + description: + - A list of emails that will recieve the alert(s). + type: list + elements: str + http_server_ids: + description: + - A list of HTTP server IDs to send a Webhook to. + type: list + elements: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Update settings + meraki_alert: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + default_destinations: + emails: + - 'youremail@yourcorp' + - 'youremail2@yourcorp' + all_admins: yes + snmp: no + alerts: + - alert_type: "gatewayDown" + enabled: yes + filters: + timeout: 60 + alert_destinations: + emails: + - 'youremail@yourcorp' + - 'youremail2@yourcorp' + all_admins: yes + snmp: no + - alert_type: "usageAlert" + enabled: yes + filters: + period: 1200 + threshold: 104857600 + alert_destinations: + emails: + - 'youremail@yourcorp' + - 'youremail2@yourcorp' + all_admins: yes + snmp: no + +- name: Query all settings + meraki_alert: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + default_destinations: + description: Properties for destinations when alert specific destinations aren't specified. + returned: success + type: complex + contains: + all_admins: + description: If true, all network admins will receive emails. + type: bool + sample: true + returned: success + snmp: + description: If true, then an SNMP trap will be sent if there is an SNMP trap server configured for this network. + type: bool + sample: true + returned: success + emails: + description: A list of emails that will recieve the alert(s). + type: list + returned: success + http_server_ids: + description: A list of HTTP server IDs to send a Webhook to. + type: list + returned: success + alerts: + description: Alert-specific configuration for each type. + type: complex + contains: + alert_type: + description: The type of alert. + type: str + returned: success + enabled: + description: A boolean depicting if the alert is turned on or off. + type: bool + returned: success + filters: + description: + - A hash of specific configuration data for the alert. Only filters specific to the alert will be updated. + - No validation checks occur against C(filters). + type: complex + returned: success + alert_destinations: + description: A hash of destinations for this specific alert. + type: complex + contains: + all_admins: + description: If true, all network admins will receive emails. + type: bool + returned: success + snmp: + description: If true, then an SNMP trap will be sent if there is an SNMP trap server configured for this network. + type: bool + returned: success + emails: + description: A list of emails that will recieve the alert(s). + type: list + returned: success + http_server_ids: + description: A list of HTTP server IDs to send a Webhook to. + type: list + returned: success +""" + +import copy +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def get_alert_by_type(type, meraki): + for alert in meraki.params["alerts"]: + if alert["alert_type"] == type: + return alert + return None + + +def construct_payload(meraki, current): + payload = {} + if meraki.params["default_destinations"] is not None: + payload["defaultDestinations"] = {} + if meraki.params["default_destinations"]["all_admins"] is not None: + payload["defaultDestinations"]["allAdmins"] = meraki.params["default_destinations"]["all_admins"] + if meraki.params["default_destinations"]["snmp"] is not None: + payload["defaultDestinations"]["snmp"] = meraki.params["default_destinations"]["snmp"] + if meraki.params["default_destinations"]["emails"] is not None: + payload["defaultDestinations"]["emails"] = meraki.params["default_destinations"]["emails"] + if len(payload["defaultDestinations"]["emails"]) > 0 and payload["defaultDestinations"]["emails"][0] == "None": + # Ansible is setting the first item to be "None" so we need to clear this + # This happens when an empty list is provided to clear emails + del payload["defaultDestinations"]["emails"][0] + if meraki.params["default_destinations"]["http_server_ids"] is not None: + payload["defaultDestinations"]["httpServerIds"] = meraki.params["default_destinations"]["http_server_ids"] + if len(payload["defaultDestinations"]["httpServerIds"]) > 0 and payload["defaultDestinations"]["httpServerIds"][0] == "None": + # Ansible is setting the first item to be "None" so we need to clear this + # This happens when an empty list is provided to clear server IDs + del payload["defaultDestinations"]["httpServerIds"][0] + if meraki.params["alerts"] is not None: + payload["alerts"] = [] + # All data should be resubmitted, otherwise it will clear the alert + # Also, the order matters so it should go in the same order as current + modified_types = [type["alert_type"] for type in meraki.params["alerts"]] + + # for alert in meraki.params["alerts"]: + for current_alert in current["alerts"]: + if current_alert["type"] not in modified_types: + payload["alerts"].append(current_alert) + else: + alert = get_alert_by_type(current_alert["type"], meraki) + alert_temp = {"type": None} + if alert["alert_type"] is not None: + alert_temp["type"] = alert["alert_type"] + if alert["enabled"] is not None: + alert_temp["enabled"] = alert["enabled"] + if alert["filters"] is not None: + alert_temp["filters"] = alert["filters"] + if alert["alert_destinations"] is not None: + alert_temp["alertDestinations"] = dict() + if alert["alert_destinations"]["all_admins"] is not None: + alert_temp["alertDestinations"]["allAdmins"] = alert["alert_destinations"]["all_admins"] + if alert["alert_destinations"]["snmp"] is not None: + alert_temp["alertDestinations"]["snmp"] = alert["alert_destinations"]["snmp"] + if alert["alert_destinations"]["emails"] is not None: + alert_temp["alertDestinations"]["emails"] = alert["alert_destinations"]["emails"] + if len(alert_temp["alertDestinations"]["emails"]) > 0 and alert_temp["alertDestinations"]["emails"][0] == "None": + # Ansible is setting the first item to be "None" so we need to clear this + # This happens when an empty list is provided to clear emails + del alert_temp["defaultDestinations"]["emails"][0] + if alert["alert_destinations"]["http_server_ids"] is not None: + alert_temp["alertDestinations"]["httpServerIds"] = alert["alert_destinations"]["http_server_ids"] + if len(alert_temp["alertDestinations"]["httpServerIds"]) > 0 and alert_temp["alertDestinations"]["httpServerIds"][0] == "None": + # Ansible is setting the first item to be "None" so we need to clear this + # This happens when an empty list is provided to clear server IDs + del alert_temp["defaultDestinations"]["httpServerIds"][0] + payload["alerts"].append(alert_temp) + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + destinations_arg_spec = dict( + all_admins=dict(type="bool"), + snmp=dict(type="bool"), + emails=dict(type="list", elements="str"), + http_server_ids=dict(type="list", elements="str"), + ) + + alerts_arg_spec = dict( + alert_type=dict(type="str"), + enabled=dict(type="bool"), + alert_destinations=dict( + type="dict", default=None, options=destinations_arg_spec + ), + filters=dict(type="raw", default={}), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type="str"), + net_name=dict(type="str", aliases=["name", "network"]), + state=dict(type="str", choices=["present", "query"], default="present"), + default_destinations=dict( + type="dict", default=None, options=destinations_arg_spec + ), + alerts=dict(type="list", elements="dict", options=alerts_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="alert") + module.params["follow_redirects"] = "all" + + query_urls = {"alert": "/networks/{net_id}/alerts/settings"} + update_urls = {"alert": "/networks/{net_id}/alerts/settings"} + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["update"] = update_urls + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + net_id = meraki.params["net_id"] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + path = meraki.construct_path("get_all", net_id=net_id) + original = meraki.request(path, method="GET") + payload = construct_payload(meraki, original) + if meraki.is_update_required(original, payload): + if meraki.check_mode is True: + meraki.generate_diff(original, payload) + meraki.result["data"] = payload + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update", net_id=net_id) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(original, payload) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = original + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_config_template.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_config_template.py new file mode 100644 index 00000000..8438d41b --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_config_template.py @@ -0,0 +1,331 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_config_template +short_description: Manage configuration templates in the Meraki cloud +version_added: "1.0.0" +description: +- Allows for querying, deleting, binding, and unbinding of configuration templates. +notes: +- Module is not idempotent as the Meraki API is limited in what information it provides about configuration templates. +- Meraki's API does not support creating new configuration templates. +- To use the configuration template, simply pass its ID via C(net_id) parameters in Meraki modules. +options: + state: + description: + - Specifies whether configuration template information should be queried, modified, or deleted. + choices: ['absent', 'query', 'present'] + default: query + type: str + org_name: + description: + - Name of organization containing the configuration template. + type: str + org_id: + description: + - ID of organization associated to a configuration template. + type: str + config_template: + description: + - Name of the configuration template within an organization to manipulate. + aliases: ['name'] + type: str + net_name: + description: + - Name of the network to bind or unbind configuration template to. + type: str + net_id: + description: + - ID of the network to bind or unbind configuration template to. + type: str + auto_bind: + description: + - Optional boolean indicating whether the network's switches should automatically bind to profiles of the same model. + - This option only affects switch networks and switch templates. + - Auto-bind is not valid unless the switch template has at least one profile and has at most one profile per switch model. + type: bool + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query configuration templates + meraki_config_template: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Bind a template from a network + meraki_config_template: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + config_template: DevConfigTemplate + delegate_to: localhost + +- name: Unbind a template from a network + meraki_config_template: + auth_key: abc123 + state: absent + org_name: YourOrg + net_name: YourNet + config_template: DevConfigTemplate + delegate_to: localhost + +- name: Delete a configuration template + meraki_config_template: + auth_key: abc123 + state: absent + org_name: YourOrg + config_template: DevConfigTemplate + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about queried object. + returned: success + type: complex + contains: + id: + description: Unique identification number of organization. + returned: success + type: int + sample: L_2930418 + name: + description: Name of configuration template. + returned: success + type: str + sample: YourTemplate + product_types: + description: List of products which can exist in the network. + returned: success + type: list + sample: [ "appliance", "switch" ] + time_zone: + description: Timezone applied to each associated network. + returned: success + type: str + sample: "America/Chicago" + +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_config_templates(meraki, org_id): + path = meraki.construct_path('get_all', org_id=org_id) + response = meraki.request(path, 'GET') + if meraki.status != 200: + meraki.fail_json(msg='Unable to get configuration templates') + return response + + +def get_template_id(meraki, name, data): + for template in data: + if name == template['name']: + return template['id'] + meraki.fail_json(msg='No configuration template named {0} found'.format(name)) + + +def is_template_valid(meraki, nets, template_id): + for net in nets: + if net['id'] == template_id: + return True + return False + + +def is_network_bound(meraki, nets, net_id, template_id): + for net in nets: + if net['id'] == net_id: + try: + if net['configTemplateId'] == template_id: + return True + except KeyError: + pass + return False + + +def delete_template(meraki, org_id, name, data): + template_id = get_template_id(meraki, name, data) + path = meraki.construct_path('delete', org_id=org_id) + path = path + '/' + template_id + response = meraki.request(path, 'DELETE') + if meraki.status != 204: + meraki.fail_json(msg='Unable to remove configuration template') + return response + + +def bind(meraki, net_id, template_id): + path = meraki.construct_path('bind', net_id=net_id) + payload = {'configTemplateId': template_id} + if meraki.params['auto_bind']: + payload['autoBind'] = meraki.params['auto_bind'] + r = meraki.request(path, method='POST', payload=json.dumps(payload)) + return r + + +def unbind(meraki, net_id): + path = meraki.construct_path('unbind', net_id=net_id) + meraki.result['changed'] = True + return meraki.request(path, method='POST') + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'query', 'present'], default='query'), + config_template=dict(type='str', aliases=['name']), + net_name=dict(type='str'), + net_id=dict(type='str'), + # config_template_id=dict(type='str', aliases=['id']), + auto_bind=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='config_template') + meraki.params['follow_redirects'] = 'all' + + query_urls = {'config_template': '/organizations/{org_id}/configTemplates'} + delete_urls = {'config_template': '/organizations/{org_id}/configTemplates'} + bind_urls = {'config_template': '/networks/{net_id}/bind'} + unbind_urls = {'config_template': '/networks/{net_id}/unbind'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['delete'] = delete_urls + meraki.url_catalog['bind'] = bind_urls + meraki.url_catalog['unbind'] = unbind_urls + + # if the user is working with this module in only check mode we do not + # want to make any changes to the environment, just return the current + # state with no modifications + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if meraki.params['org_name']: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + nets = None + if net_id is None: + if meraki.params['net_name'] is not None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + else: + nets = meraki.get_nets(org_id=org_id) + + if meraki.params['state'] == 'query': + meraki.result['data'] = get_config_templates(meraki, org_id) + elif meraki.params['state'] == 'present': + template_id = get_template_id(meraki, + meraki.params['config_template'], + get_config_templates(meraki, org_id)) + if nets is None: + nets = meraki.get_nets(org_id=org_id) + if is_network_bound(meraki, nets, net_id, template_id) is False: # Bind template + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + template_bind = bind(meraki, + net_id, + template_id) + if meraki.status != 200: + meraki.fail_json(msg='Unable to bind configuration template to network') + meraki.result['changed'] = True + meraki.result['data'] = template_bind + else: # Network is already bound, being explicit + if meraki.check_mode is True: # Include to be explicit + meraki.result['data'] = {} + meraki.result['changed'] = False + meraki.exit_json(**meraki.result) + meraki.result['data'] = {} + meraki.result['changed'] = False + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'absent': + template_id = get_template_id(meraki, + meraki.params['config_template'], + get_config_templates(meraki, org_id)) + if not meraki.params['net_name'] and not meraki.params['net_id']: # Delete template + if is_template_valid(meraki, nets, template_id) is True: + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + meraki.result['data'] = delete_template(meraki, + org_id, + meraki.params['config_template'], + get_config_templates(meraki, org_id)) + if meraki.status == 204: + meraki.result['data'] = {} + meraki.result['changed'] = True + else: + meraki.fail_json(msg="No template named {0} found.".format(meraki.params['config_template'])) + else: # Unbind template + if nets is None: + nets = meraki.get_nets(org_id=org_id) + if meraki.check_mode is True: + meraki.result['data'] = {} + if is_template_valid(meraki, nets, template_id) is True: + meraki.result['changed'] = True + else: + meraki.result['changed'] = False + meraki.exit_json(**meraki.result) + template_id = get_template_id(meraki, + meraki.params['config_template'], + get_config_templates(meraki, org_id)) + if is_network_bound(meraki, nets, net_id, template_id) is True: + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + config_unbind = unbind(meraki, + net_id) + if meraki.status != 200: + meraki.fail_json(msg='Unable to unbind configuration template from network') + meraki.result['changed'] = True + meraki.result['data'] = config_unbind + else: # No network is bound, nothing to do + if meraki.check_mode is True: # Include to be explicit + meraki.result['data'] = {} + meraki.result['changed'] = False + meraki.exit_json(**meraki.result) + meraki.result['data'] = {} + meraki.result['changed'] = False + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_device.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_device.py new file mode 100644 index 00000000..2152e494 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_device.py @@ -0,0 +1,431 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_device +short_description: Manage devices in the Meraki cloud +description: +- Visibility into devices associated to a Meraki environment. +notes: +- This module does not support claiming of devices or licenses into a Meraki organization. +- More information about the Meraki API can be found at U(https://dashboard.meraki.com/api_docs). +- Some of the options are likely only used for developers within Meraki. +options: + state: + description: + - Query an organization. + choices: [absent, present, query] + default: query + type: str + net_name: + description: + - Name of a network. + aliases: [network] + type: str + net_id: + description: + - ID of a network. + type: str + serial: + description: + - Serial number of a device to query. + type: str + hostname: + description: + - Hostname of network device to search for. + aliases: [name] + type: str + model: + description: + - Model of network device to search for. + type: str + tags: + description: + - Space delimited list of tags to assign to device. + type: list + elements: str + lat: + description: + - Latitude of device's geographic location. + - Use negative number for southern hemisphere. + aliases: [latitude] + type: float + lng: + description: + - Longitude of device's geographic location. + - Use negative number for western hemisphere. + aliases: [longitude] + type: float + address: + description: + - Postal address of device's location. + type: str + move_map_marker: + description: + - Whether or not to set the latitude and longitude of a device based on the new address. + - Only applies when C(lat) and C(lng) are not specified. + type: bool + lldp_cdp_timespan: + description: + - Timespan, in seconds, used to query LLDP and CDP information. + - Must be less than 1 month. + type: int + note: + description: + - Informational notes about a device. + - Limited to 255 characters. + type: str + query: + description: + - Specifies what information should be queried. + type: str + choices: [lldp_cdp, uplink] + + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all devices in an organization. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Query all devices in a network. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Query a device by serial number. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + serial: ABC-123 + state: query + delegate_to: localhost + +- name: Lookup uplink information about a device. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + serial_uplink: ABC-123 + state: query + delegate_to: localhost + +- name: Lookup LLDP and CDP information about devices connected to specified device. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + serial_lldp_cdp: ABC-123 + state: query + delegate_to: localhost + +- name: Lookup a device by hostname. + meraki_device: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + hostname: main-switch + state: query + delegate_to: localhost + +- name: Query all devices of a specific model. + meraki_device: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + model: MR26 + state: query + delegate_to: localhost + +- name: Update information about a device. + meraki_device: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + serial: '{{serial}}' + name: mr26 + address: 1060 W. Addison St., Chicago, IL + lat: 41.948038 + lng: -87.65568 + tags: recently-added + delegate_to: localhost + +- name: Claim a device into a network. + meraki_device: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + serial: ABC-123 + state: present + delegate_to: localhost + +- name: Remove a device from a network. + meraki_device: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + serial: ABC-123 + state: absent + delegate_to: localhost +''' + +RETURN = r''' +response: + description: Data returned from Meraki dashboard. + type: dict + returned: info +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def is_device_valid(meraki, serial, data): + """ Parse a list of devices for a serial and return True if it's in the list """ + for device in data: + if device['serial'] == serial: + return True + return False + + +def get_org_devices(meraki, org_id): + """ Get all devices in an organization """ + path = meraki.construct_path('get_all_org', org_id=org_id) + response = meraki.request(path, method='GET') + if meraki.status != 200: + meraki.fail_json(msg='Failed to query all devices belonging to the organization') + return response + + +def get_net_devices(meraki, net_id): + """ Get all devices in a network """ + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + if meraki.status != 200: + meraki.fail_json(msg='Failed to query all devices belonging to the network') + return response + + +def construct_payload(params): + """ Create payload based on inputs """ + payload = {} + if params['hostname'] is not None: + payload['name'] = params['hostname'] + if params['tags'] is not None: + payload['tags'] = params['tags'] + if params['lat'] is not None: + payload['lat'] = params['lat'] + if params['lng'] is not None: + payload['lng'] = params['lng'] + if params['address'] is not None: + payload['address'] = params['address'] + if params['move_map_marker'] is not None: + payload['moveMapMarker'] = params['move_map_marker'] + if params['note'] is not None: + payload['notes'] = params['note'] + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='query'), + net_name=dict(type='str', aliases=['network']), + net_id=dict(type='str'), + serial=dict(type='str'), + lldp_cdp_timespan=dict(type='int'), + hostname=dict(type='str', aliases=['name']), + model=dict(type='str'), + tags=dict(type='list', elements='str', default=None), + lat=dict(type='float', aliases=['latitude'], default=None), + lng=dict(type='float', aliases=['longitude'], default=None), + address=dict(type='str', default=None), + move_map_marker=dict(type='bool', default=None), + note=dict(type='str', default=None), + query=dict(type='str', default=None, choices=['lldp_cdp', 'uplink']) + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=False, + ) + meraki = MerakiModule(module, function='device') + + if meraki.params['query'] is not None \ + and meraki.params['query'] == 'lldp_cdp' \ + and not meraki.params['lldp_cdp_timespan']: + meraki.fail_json(msg='lldp_cdp_timespan is required when querying LLDP and CDP information') + if meraki.params['net_name'] and meraki.params['net_id']: + meraki.fail_json(msg='net_name and net_id are mutually exclusive') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'device': '/networks/{net_id}/devices'} + query_org_urls = {'device': '/organizations/{org_id}/devices'} + query_device_urls = {'device': '/networks/{net_id}/devices/{serial}'} + query_device_lldp_urls = {'device': '/devices/{serial}/lldpCdp'} + claim_device_urls = {'device': '/networks/{net_id}/devices/claim'} + bind_org_urls = {'device': '/organizations/{org_id}/claim'} + update_device_urls = {'device': '/networks/{net_id}/devices/'} + delete_device_urls = {'device': '/networks/{net_id}/devices/{serial}/remove'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_all_org'] = query_org_urls + meraki.url_catalog['get_device'] = query_device_urls + meraki.url_catalog['get_device_uplink'] = query_device_urls + meraki.url_catalog['get_device_lldp'] = query_device_lldp_urls + meraki.url_catalog['create'] = claim_device_urls + meraki.url_catalog['bind_org'] = bind_org_urls + meraki.url_catalog['update'] = update_device_urls + meraki.url_catalog['delete'] = delete_device_urls + + payload = None + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + nets = meraki.get_nets(org_id=org_id) + net_id = None + if meraki.params['net_id'] or meraki.params['net_name']: + net_id = meraki.params['net_id'] + if net_id is None: + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + if meraki.params['net_name'] or meraki.params['net_id']: + device = [] + if meraki.params['serial']: + path = meraki.construct_path('get_device', net_id=net_id, custom={'serial': meraki.params['serial']}) + request = meraki.request(path, method='GET') + device.append(request) + meraki.result['data'] = device + if meraki.params['query'] == 'uplink': + path = meraki.construct_path('get_device_uplink', net_id=net_id, custom={'serial': meraki.params['serial']}) + meraki.result['data'] = (meraki.request(path, method='GET')) + elif meraki.params['query'] == 'lldp_cdp': + if meraki.params['lldp_cdp_timespan'] > 2592000: + meraki.fail_json(msg='LLDP/CDP timespan must be less than a month (2592000 seconds)') + path = meraki.construct_path('get_device_lldp', net_id=net_id, custom={'serial': meraki.params['serial']}) + path = path + '?timespan=' + str(meraki.params['lldp_cdp_timespan']) + device.append(meraki.request(path, method='GET')) + meraki.result['data'] = device + elif meraki.params['hostname']: + path = meraki.construct_path('get_all', net_id=net_id) + devices = meraki.request(path, method='GET') + for unit in devices: + try: + if unit['name'] == meraki.params['hostname']: + device.append(unit) + meraki.result['data'] = device + except KeyError: + pass + elif meraki.params['model']: + path = meraki.construct_path('get_all', net_id=net_id) + devices = meraki.request(path, method='GET') + device_match = [] + for device in devices: + if device['model'] == meraki.params['model']: + device_match.append(device) + meraki.result['data'] = device_match + else: + path = meraki.construct_path('get_all', net_id=net_id) + request = meraki.request(path, method='GET') + meraki.result['data'] = request + else: + path = meraki.construct_path('get_all_org', org_id=org_id, params={'perPage': '1000'}) + devices = meraki.request(path, method='GET', pagination_items=1000) + if meraki.params['serial']: + for device in devices: + if device['serial'] == meraki.params['serial']: + meraki.result['data'] = device + else: + meraki.result['data'] = devices + elif meraki.params['state'] == 'present': + device = [] + if net_id is None: # Claim a device to an organization + device_list = get_org_devices(meraki, org_id) + if is_device_valid(meraki, meraki.params['serial'], device_list) is False: + payload = {'serial': meraki.params['serial']} + path = meraki.construct_path('bind_org', org_id=org_id) + created_device = [] + created_device.append(meraki.request(path, method='POST', payload=json.dumps(payload))) + meraki.result['data'] = created_device + meraki.result['changed'] = True + else: # A device is assumed to be in an organization + device_list = get_net_devices(meraki, net_id) + if is_device_valid(meraki, meraki.params['serial'], device_list) is True: # Device is in network, update + query_path = meraki.construct_path('get_all', net_id=net_id) + if is_device_valid(meraki, meraki.params['serial'], device_list): + payload = construct_payload(meraki.params) + query_path = meraki.construct_path('get_device', net_id=net_id, custom={'serial': meraki.params['serial']}) + device_data = meraki.request(query_path, method='GET') + ignore_keys = ['lanIp', 'serial', 'mac', 'model', 'networkId', 'moveMapMarker', 'wan1Ip', 'wan2Ip'] + if meraki.is_update_required(device_data, payload, optional_ignore=ignore_keys): + path = meraki.construct_path('update', net_id=net_id) + meraki.params['serial'] + updated_device = [] + updated_device.append(meraki.request(path, method='PUT', payload=json.dumps(payload))) + meraki.result['data'] = updated_device + meraki.result['changed'] = True + else: + meraki.result['data'] = device_data + else: # Claim device into network + query_path = meraki.construct_path('get_all', net_id=net_id) + device_list = meraki.request(query_path, method='GET') + if is_device_valid(meraki, meraki.params['serial'], device_list) is False: + if net_id: + payload = {'serials': [meraki.params['serial']]} + path = meraki.construct_path('create', net_id=net_id) + created_device = [] + created_device.append(meraki.request(path, method='POST', payload=json.dumps(payload))) + meraki.result['data'] = created_device + meraki.result['changed'] = True + elif meraki.params['state'] == 'absent': + device = [] + query_path = meraki.construct_path('get_all', net_id=net_id) + device_list = meraki.request(query_path, method='GET') + if is_device_valid(meraki, meraki.params['serial'], device_list) is True: + path = meraki.construct_path('delete', net_id=net_id, custom={'serial': meraki.params['serial']}) + request = meraki.request(path, method='POST') + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_firewalled_services.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_firewalled_services.py new file mode 100644 index 00000000..ec78c068 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_firewalled_services.py @@ -0,0 +1,233 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_firewalled_services +short_description: Edit firewall policies for administrative network services +description: +- Allows for setting policy firewalled services for Meraki network devices. + +options: + auth_key: + description: + - Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set. + type: str + net_name: + description: + - Name of a network. + aliases: [ network ] + type: str + net_id: + description: + - ID number of a network. + type: str + org_name: + description: + - Name of organization associated to a network. + type: str + org_id: + description: + - ID of organization associated to a network. + type: str + state: + description: + - States that a policy should be created or modified. + choices: [present, query] + default: present + type: str + service: + description: + - Network service to query or modify. + choices: [ICMP, SNMP, web] + type: str + access: + description: + - Network service to query or modify. + choices: [blocked, restricted, unrestricted] + type: str + allowed_ips: + description: + - List of IP addresses allowed to access a service. + - Only used when C(access) is set to restricted. + type: list + elements: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set icmp service to blocked + meraki_firewalled_services: + auth_key: '{{ auth_key }}' + state: present + org_name: '{{test_org_name}}' + net_name: IntTestNetworkAppliance + service: ICMP + access: blocked + delegate_to: localhost + +- name: Set icmp service to restricted + meraki_firewalled_services: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + service: web + access: restricted + allowed_ips: + - 192.0.1.1 + - 192.0.1.2 + delegate_to: localhost + +- name: Query appliance services + meraki_firewalled_services: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + delegate_to: localhost + +- name: Query services + meraki_firewalled_services: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + service: ICMP + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of network services. + returned: info + type: complex + contains: + access: + description: Access assigned to a service type. + returned: success + type: str + sample: unrestricted + service: + description: Service to apply policy to. + returned: success + type: str + sample: ICMP + allowed_ips: + description: List of IP addresses to have access to service. + returned: success + type: str + sample: 192.0.1.0 +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['network']), + state=dict(type='str', default='present', choices=['query', 'present']), + service=dict(type='str', default=None, choices=['ICMP', 'SNMP', 'web']), + access=dict(type='str', choices=['blocked', 'restricted', 'unrestricted']), + allowed_ips=dict(type='list', elements='str'), + ) + + mutually_exclusive = [('net_name', 'net_id')] + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + mutually_exclusive=mutually_exclusive + ) + + meraki = MerakiModule(module, function='firewalled_services') + module.params['follow_redirects'] = 'all' + + net_services_urls = {'firewalled_services': '/networks/{net_id}/appliance/firewall/firewalledServices'} + services_urls = {'firewalled_services': '/networks/{net_id}/appliance/firewall/firewalledServices/{service}'} + + meraki.url_catalog['network_services'] = net_services_urls + meraki.url_catalog['service'] = services_urls + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'present': + if meraki.params['access'] != 'restricted' and meraki.params['allowed_ips'] is not None: + meraki.fail_json(msg="allowed_ips is only allowed when access is restricted.") + payload = {'access': meraki.params['access']} + if meraki.params['access'] == 'restricted': + payload['allowedIps'] = meraki.params['allowed_ips'] + + if meraki.params['state'] == 'query': + if meraki.params['service'] is None: + path = meraki.construct_path('network_services', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + else: + path = meraki.construct_path('service', net_id=net_id, custom={'service': meraki.params['service']}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + path = meraki.construct_path('service', net_id=net_id, custom={'service': meraki.params['service']}) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload, optional_ignore=['service']): + if meraki.check_mode is True: + diff_payload = {'service': meraki.params['service']} # Need to add service as it's not in payload + diff_payload.update(payload) + meraki.generate_diff(original, diff_payload) + original.update(payload) + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('service', net_id=net_id, custom={'service': meraki.params['service']}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(original, response) + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_management_interface.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_management_interface.py new file mode 100644 index 00000000..c0297861 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_management_interface.py @@ -0,0 +1,384 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_management_interface +short_description: Configure Meraki management interfaces +version_added: "1.1.0" +description: +- Allows for configuration of management interfaces on Meraki MX, MS, and MR devices. +notes: +- C(WAN2) parameter is only valid for MX appliances. +- C(wan_enabled) should not be provided for non-MX devies. +options: + state: + description: + - Specifies whether configuration template information should be queried, modified, or deleted. + choices: ['absent', 'query', 'present'] + default: query + type: str + org_name: + description: + - Name of organization containing the configuration template. + type: str + org_id: + description: + - ID of organization associated to a configuration template. + type: str + net_name: + description: + - Name of the network to bind or unbind configuration template to. + type: str + net_id: + description: + - ID of the network to bind or unbind configuration template to. + type: str + serial: + description: + - serial number of the device to configure. + type: str + required: true + wan1: + description: + - Management interface details for management interface. + aliases: [mgmt1] + type: dict + suboptions: + wan_enabled: + description: + - States whether the management interface is enabled. + - Only valid for MX devices. + type: str + choices: [disabled, enabled, not configured] + using_static_ip: + description: + - Configures the interface to use static IP or DHCP. + type: bool + static_ip: + description: + - IP address assigned to Management interface. + - Valid only if C(using_static_ip) is C(True). + type: str + static_gateway_ip: + description: + - IP address for default gateway. + - Valid only if C(using_static_ip) is C(True). + type: str + static_subnet_mask: + description: + - Netmask for static IP address. + - Valid only if C(using_static_ip) is C(True). + type: str + static_dns: + description: + - DNS servers to use. + - Allows for a maximum of 2 addresses. + type: list + elements: str + vlan: + description: + - VLAN number to use for the management network. + type: int + wan2: + description: + - Management interface details for management interface. + type: dict + aliases: [mgmt2] + suboptions: + wan_enabled: + description: + - States whether the management interface is enabled. + - Only valid for MX devices. + type: str + choices: [disabled, enabled, not configured] + using_static_ip: + description: + - Configures the interface to use static IP or DHCP. + type: bool + static_ip: + description: + - IP address assigned to Management interface. + - Valid only if C(using_static_ip) is C(True). + type: str + static_gateway_ip: + description: + - IP address for default gateway. + - Valid only if C(using_static_ip) is C(True). + type: str + static_subnet_mask: + description: + - Netmask for static IP address. + - Valid only if C(using_static_ip) is C(True). + type: str + static_dns: + description: + - DNS servers to use. + - Allows for a maximum of 2 addresses. + type: list + elements: str + vlan: + description: + - VLAN number to use for the management network. + type: int + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set WAN2 as static IP + meraki_management_interface: + auth_key: abc123 + state: present + org_name: YourOrg + net_id: YourNetId + serial: AAAA-BBBB-CCCC + wan2: + wan_enabled: enabled + using_static_ip: yes + static_ip: 192.168.16.195 + static_gateway_ip: 192.168.16.1 + static_subnet_mask: 255.255.255.0 + static_dns: + - 1.1.1.1 + vlan: 1 + delegate_to: localhost + +- name: Query management information + meraki_management_interface: + auth_key: abc123 + state: query + org_name: YourOrg + net_id: YourNetId + serial: AAAA-BBBB-CCCC + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about queried object. + returned: success + type: complex + contains: + wan1: + description: Management configuration for WAN1 interface + returned: success + type: complex + contains: + wan_enabled: + description: Enabled state of interface + returned: success + type: str + sample: enabled + using_static_ip: + description: Boolean value of whether static IP assignment is used on interface + returned: success + type: bool + sample: True + static_ip: + description: Assigned static IP + returned: only if static IP assignment is used + type: str + sample: 192.0.1.2 + static_gateway_ip: + description: Assigned static gateway IP + returned: only if static IP assignment is used + type: str + sample: 192.0.1.1 + static_subnet_mask: + description: Assigned netmask for static IP + returned: only if static IP assignment is used + type: str + sample: 255.255.255.0 + static_dns: + description: List of DNS IP addresses + returned: only if static IP assignment is used + type: list + sample: ["1.1.1.1"] + vlan: + description: VLAN tag id of management VLAN + returned: success + type: int + sample: 2 + wan2: + description: Management configuration for WAN1 interface + returned: success + type: complex + contains: + wan_enabled: + description: Enabled state of interface + returned: success + type: str + sample: enabled + using_static_ip: + description: Boolean value of whether static IP assignment is used on interface + returned: success + type: bool + sample: True + static_ip: + description: Assigned static IP + returned: only if static IP assignment is used + type: str + sample: 192.0.1.2 + static_gateway_ip: + description: Assigned static gateway IP + returned: only if static IP assignment is used + type: str + sample: 192.0.1.1 + static_subnet_mask: + description: Assigned netmask for static IP + returned: only if static IP assignment is used + type: str + sample: 255.255.255.0 + static_dns: + description: List of DNS IP addresses + returned: only if static IP assignment is used + type: list + sample: ["1.1.1.1"] + vlan: + description: VLAN tag id of management VLAN + returned: success + type: int + sample: 2 +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + int_arg_spec = dict(wan_enabled=dict(type='str', choices=['enabled', 'disabled', 'not configured']), + using_static_ip=dict(type='bool'), + static_ip=dict(type='str'), + static_gateway_ip=dict(type='str'), + static_subnet_mask=dict(type='str'), + static_dns=dict(type='list', elements='str'), + vlan=dict(type='int'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'query', 'present'], default='query'), + net_name=dict(type='str'), + net_id=dict(type='str'), + serial=dict(type='str', required=True), + wan1=dict(type='dict', default=None, options=int_arg_spec, aliases=['mgmt1']), + wan2=dict(type='dict', default=None, options=int_arg_spec, aliases=['mgmt2']), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='management_interface') + meraki.params['follow_redirects'] = 'all' + + query_urls = {'management_interface': '/devices/{serial}/managementInterface'} + + meraki.url_catalog['get_one'].update(query_urls) + + if meraki.params['net_id'] and meraki.params['net_name']: + meraki.fail_json('net_id and net_name are mutually exclusive.') + if meraki.params['state'] == 'present': + interfaces = ('wan1', 'wan2') + for interface in interfaces: + if meraki.params[interface] is not None: + if meraki.params[interface]['using_static_ip'] is True: + if len(meraki.params[interface]['static_dns']) > 2: + meraki.fail_json("Maximum number of static DNS addresses is 2.") + + payload = dict() + + if meraki.params['state'] == 'present': + interfaces = ('wan1', 'wan2') + for interface in interfaces: + if meraki.params[interface] is not None: + wan_int = dict() + if meraki.params[interface]['wan_enabled'] is not None: + wan_int['wanEnabled'] = meraki.params[interface]['wan_enabled'] + if meraki.params[interface]['using_static_ip'] is not None: + wan_int['usingStaticIp'] = meraki.params[interface]['using_static_ip'] + if meraki.params[interface]['vlan'] is not None: + wan_int['vlan'] = meraki.params[interface]['vlan'] + if meraki.params[interface]['using_static_ip'] is True: + wan_int['staticIp'] = meraki.params[interface]['static_ip'] + wan_int['staticGatewayIp'] = meraki.params[interface]['static_gateway_ip'] + wan_int['staticSubnetMask'] = meraki.params[interface]['static_subnet_mask'] + wan_int['staticDns'] = meraki.params[interface]['static_dns'] + payload[interface] = wan_int + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if meraki.params['org_name']: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_one', net_id=net_id, custom={'serial': meraki.params['serial']}) + response = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = response + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_one', custom={'serial': meraki.params['serial']}) + original = meraki.request(path, method='GET') + update_required = False + if 'wan1' in original: + if 'wanEnabled' in original['wan1']: + update_required = meraki.is_update_required(original, payload) + else: + update_required = meraki.is_update_required(original, payload, optional_ignore=['wanEnabled']) + if 'wan2' in original and update_required is False: + if 'wanEnabled' in original['wan2']: + update_required = meraki.is_update_required(original, payload) + else: + update_required = meraki.is_update_required(original, payload, optional_ignore=['wanEnabled']) + if update_required is True: + if meraki.check_mode is True: + diff = recursive_diff(original, payload) + original.update(payload) + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + diff = recursive_diff(original, response) + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l3_firewall.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l3_firewall.py new file mode 100644 index 00000000..d2a70052 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l3_firewall.py @@ -0,0 +1,300 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mr_l3_firewall +short_description: Manage MR access point layer 3 firewalls in the Meraki cloud +description: +- Allows for creation, management, and visibility into layer 3 firewalls implemented on Meraki MR access points. +- Module is not idempotent as of current release. +options: + state: + description: + - Create or modify an organization. + type: str + choices: [ present, query ] + default: present + net_name: + description: + - Name of network containing access points. + type: str + net_id: + description: + - ID of network containing access points. + type: str + number: + description: + - Number of SSID to apply firewall rule to. + type: str + aliases: [ ssid_number ] + ssid_name: + description: + - Name of SSID to apply firewall rule to. + type: str + aliases: [ ssid ] + allow_lan_access: + description: + - Sets whether devices can talk to other devices on the same LAN. + type: bool + default: yes + rules: + description: + - List of firewall rules. + type: list + elements: dict + suboptions: + policy: + description: + - Specifies the action that should be taken when rule is hit. + type: str + choices: [ allow, deny ] + protocol: + description: + - Specifies protocol to match against. + type: str + choices: [ any, icmp, tcp, udp ] + dest_port: + description: + - Comma-seperated list of destination ports to match. + type: str + dest_cidr: + description: + - Comma-separated list of CIDR notation networks to match. + type: str + comment: + description: + - Optional comment describing the firewall rule. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Create single firewall rule + meraki_mr_l3_firewall: + auth_key: abc123 + state: present + org_name: YourOrg + net_id: 12345 + number: 1 + rules: + - comment: Integration test rule + policy: allow + protocol: tcp + dest_port: 80 + dest_cidr: 192.0.2.0/24 + allow_lan_access: no + delegate_to: localhost + +- name: Enable local LAN access + meraki_mr_l3_firewall: + auth_key: abc123 + state: present + org_name: YourOrg + net_id: 123 + number: 1 + rules: + allow_lan_access: yes + delegate_to: localhost + +- name: Query firewall rules + meraki_mr_l3_firewall: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + number: 1 + delegate_to: localhost +''' + +RETURN = r''' + +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def assemble_payload(meraki): + params_map = {'policy': 'policy', + 'protocol': 'protocol', + 'dest_port': 'destPort', + 'dest_cidr': 'destCidr', + 'comment': 'comment', + } + rules = [] + for rule in meraki.params['rules']: + proposed_rule = dict() + for k, v in rule.items(): + proposed_rule[params_map[k]] = v + rules.append(proposed_rule) + payload = {'rules': rules} + return payload + + +def get_rules(meraki, net_id, number): + path = meraki.construct_path('get_all', net_id=net_id, custom={'number': number}) + response = meraki.request(path, method='GET') + if meraki.status == 200: + return normalize_rule_case(response) + + +def normalize_rule_case(rules): + excluded = ['comment'] + try: + for r in rules['rules']: + for k in r: + if k not in excluded: + r[k] = r[k].lower() + except KeyError: + return rules + return rules + + +def get_ssid_number(name, data): + for ssid in data: + if name == ssid['name']: + return ssid['number'] + return False + + +def get_ssids(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + return meraki.request(path, method='GET') + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + fw_rules = dict(policy=dict(type='str', choices=['allow', 'deny']), + protocol=dict(type='str', choices=['tcp', 'udp', 'icmp', 'any']), + dest_port=dict(type='str'), + dest_cidr=dict(type='str'), + comment=dict(type='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + net_name=dict(type='str'), + net_id=dict(type='str'), + number=dict(type='str', aliases=['ssid_number']), + ssid_name=dict(type='str', aliases=['ssid']), + rules=dict(type='list', default=None, elements='dict', options=fw_rules), + allow_lan_access=dict(type='bool', default=True), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mr_l3_firewall') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mr_l3_firewall': '/networks/{net_id}/wireless/ssids/{number}/firewall/l3FirewallRules'} + update_urls = {'mr_l3_firewall': '/networks/{net_id}/wireless/ssids/{number}/firewall/l3FirewallRules'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + orgs = None + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + if orgs is None: + orgs = meraki.get_orgs() + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + number = meraki.params['number'] + if meraki.params['ssid_name']: + number = get_ssid_number(meraki.params['ssid_name'], get_ssids(meraki, net_id)) + + if meraki.params['state'] == 'query': + meraki.result['data'] = get_rules(meraki, net_id, number) + elif meraki.params['state'] == 'present': + rules = get_rules(meraki, net_id, number) + path = meraki.construct_path('get_all', net_id=net_id, custom={'number': number}) + if meraki.params['rules']: + payload = assemble_payload(meraki) + else: + payload = dict() + update = False + try: + if len(rules) != len(payload['rules']): # Quick and simple check to avoid more processing + update = True + if update is False: + for r in range(len(rules) - 2): + if meraki.is_update_required(rules[r], payload[r]) is True: + update = True + except KeyError: + pass + # meraki.fail_json(msg=rules) + if rules['rules'][len(rules['rules']) - 2] != meraki.params['allow_lan_access']: + update = True + if update is True: + payload['allowLanAccess'] = meraki.params['allow_lan_access'] + if meraki.check_mode is True: + # This code is disgusting, rework it at some point + if 'rules' in payload: + cleansed_payload = payload['rules'] + cleansed_payload.append(rules['rules'][len(rules['rules']) - 1]) + cleansed_payload.append(rules['rules'][len(rules['rules']) - 2]) + if meraki.params['allow_lan_access'] is None: + cleansed_payload[len(cleansed_payload) - 2]['policy'] = rules['rules'][len(rules['rules']) - 2]['policy'] + else: + if meraki.params['allow_lan_access'] is True: + cleansed_payload[len(cleansed_payload) - 2]['policy'] = 'allow' + else: + cleansed_payload[len(cleansed_payload) - 2]['policy'] = 'deny' + else: + if meraki.params['allow_lan_access'] is True: + rules['rules'][len(rules['rules']) - 2]['policy'] = 'allow' + else: + rules['rules'][len(rules['rules']) - 2]['policy'] = 'deny' + cleansed_payload = rules + meraki.result['data'] = cleansed_payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = rules + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l7_firewall.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l7_firewall.py new file mode 100644 index 00000000..a9584091 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_l7_firewall.py @@ -0,0 +1,503 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022, Joshua Coronado (@joshuajcoronado) <joshua@coronado.io> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mr_l7_firewall +short_description: Manage MR access point layer 7 firewalls in the Meraki cloud +description: +- Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MR access points. +- Module assumes a complete list of firewall rules are passed as a parameter. +- If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module. +options: + state: + description: + - Query or modify a firewall rule. + choices: ['present', 'query'] + default: present + type: str + net_name: + description: + - Name of network containing access points. + type: str + net_id: + description: + - ID of network containing access points. + type: str + number: + description: + - Number of SSID to apply firewall rule to. + type: str + aliases: [ ssid_number ] + ssid_name: + description: + - Name of SSID to apply firewall rule to. + type: str + aliases: [ ssid ] + rules: + description: + - List of layer 7 firewall rules. + type: list + elements: dict + suboptions: + policy: + description: + - Policy to apply if rule is hit. + choices: [deny] + default: deny + type: str + type: + description: + - Type of policy to apply. + choices: [application, + application_category, + host, + ip_range, + port] + type: str + application: + description: + - Application to filter. + type: dict + suboptions: + name: + description: + - Name of application to filter as defined by Meraki. + type: str + id: + description: + - URI of application as defined by Meraki. + type: str + host: + description: + - FQDN of host to filter. + type: str + ip_range: + description: + - CIDR notation range of IP addresses to apply rule to. + - Port can be appended to range with a C(":"). + type: str + port: + description: + - TCP or UDP based port to filter. + type: str + categories: + description: + - When C(True), specifies that applications and application categories should be queried instead of firewall rules. + type: bool +author: +- Joshua Coronado (@joshuajcoronado) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query firewall rules + meraki_mr_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + number: 1 + delegate_to: localhost + +- name: Query applications and application categories + meraki_mr_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + number: 1 + categories: yes + state: query + delegate_to: localhost + +- name: Set firewall rules + meraki_mr_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + number: 1 + state: present + rules: + - policy: deny + type: port + port: 8080 + - type: port + port: 1234 + - type: host + host: asdf.com + - type: application + application: + id: meraki:layer7/application/205 + - type: application_category + application: + id: meraki:layer7/category/24 + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Firewall rules associated to network SSID. + returned: success + type: complex + contains: + rules: + description: Ordered list of firewall rules. + returned: success, when not querying applications + type: list + contains: + policy: + description: Action to apply when rule is hit. + returned: success + type: str + sample: deny + type: + description: Type of rule category. + returned: success + type: str + sample: applications + applications: + description: List of applications within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + applicationCategory: + description: List of application categories within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + port: + description: Port number in rule. + returned: success + type: str + sample: 23 + ipRange: + description: Range of IP addresses in rule. + returned: success + type: str + sample: 1.1.1.0/23 + application_categories: + description: List of application categories and applications. + type: list + returned: success, when querying applications + contains: + applications: + description: List of applications within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + id: + description: URI of application category. + returned: success + type: str + sample: Email + name: + description: Descriptive name of application category. + returned: success + type: str + sample: layer7/category/1 +""" + +import copy +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def get_applications(meraki, net_id): + path = meraki.construct_path("get_categories", net_id=net_id) + return meraki.request(path, method="GET") + + +def lookup_application(meraki, net_id, application): + response = get_applications(meraki, net_id) + for category in response["applicationCategories"]: + if category["name"].lower() == application.lower(): + return category["id"] + for app in category["applications"]: + if app["name"].lower() == application.lower(): + return app["id"] + meraki.fail_json( + msg="No application or category named {0} found".format(application) + ) + + +def assemble_payload(meraki, net_id, rule): + new_rule = {} + if rule["type"] == "application": + new_rule = { + "policy": rule["policy"], + "type": "application", + } + if rule["application"]["id"]: + new_rule["value"] = {"id": rule["application"]["id"]} + elif rule["application"]["name"]: + new_rule["value"] = { + "id": lookup_application(meraki, net_id, rule["application"]["name"]) + } + elif rule["type"] == "application_category": + new_rule = { + "policy": rule["policy"], + "type": "applicationCategory", + } + if rule["application"]["id"]: + new_rule["value"] = {"id": rule["application"]["id"]} + elif rule["application"]["name"]: + new_rule["value"] = { + "id": lookup_application(meraki, net_id, rule["application"]["name"]) + } + elif rule["type"] == "ip_range": + new_rule = { + "policy": rule["policy"], + "type": "ipRange", + "value": rule["ip_range"], + } + elif rule["type"] == "host": + new_rule = { + "policy": rule["policy"], + "type": rule["type"], + "value": rule["host"], + } + elif rule["type"] == "port": + new_rule = { + "policy": rule["policy"], + "type": rule["type"], + "value": rule["port"], + } + return new_rule + + +def restructure_response(rules): + for rule in rules["rules"]: + type = rule["type"] + rule[type] = copy.deepcopy(rule["value"]) + del rule["value"] + return rules + + +def get_ssid_number(name, data): + for ssid in data: + if name == ssid["name"]: + return ssid["number"] + return False + + +def get_ssids(meraki, net_id): + path = meraki.construct_path("get_ssids", net_id=net_id) + return meraki.request(path, method="GET") + + +def get_rules(meraki, net_id, number): + path = meraki.construct_path("get_all", net_id=net_id, custom={"number": number}) + response = meraki.request(path, method="GET") + if meraki.status == 200: + return response + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + application_arg_spec = dict( + id=dict(type="str"), + name=dict(type="str"), + ) + + rule_arg_spec = dict( + policy=dict(type="str", choices=["deny"], default="deny"), + type=dict( + type="str", + choices=["application", "application_category", "host", "ip_range", "port"], + ), + ip_range=dict(type="str"), + application=dict(type="dict", default=None, options=application_arg_spec), + host=dict(type="str"), + port=dict(type="str"), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict(type="str", choices=["present", "query"], default="present"), + net_name=dict(type="str"), + net_id=dict(type="str"), + number=dict(type="str", aliases=["ssid_number"]), + ssid_name=dict(type="str", aliases=["ssid"]), + rules=dict(type="list", default=None, elements="dict", options=rule_arg_spec), + categories=dict(type="bool"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="mr_l7_firewall") + + # check for argument completeness + if meraki.params["rules"]: + for rule in meraki.params["rules"]: + if rule["type"] == "application" and rule["application"] is None: + meraki.fail_json( + msg="application argument is required when type is application." + ) + elif rule["type"] == "application_category" and rule["application"] is None: + meraki.fail_json( + msg="application argument is required when type is application_category." + ) + elif rule["type"] == "host" and rule["host"] is None: + meraki.fail_json(msg="host argument is required when type is host.") + elif rule["type"] == "port" and rule["port"] is None: + meraki.fail_json(msg="port argument is required when type is port.") + + meraki.params["follow_redirects"] = "all" + query_ssids_urls = {"mr_l7_firewall": "/networks/{net_id}/wireless/ssids"} + query_urls = { + "mr_l7_firewall": "/networks/{net_id}/wireless/ssids/{number}/firewall/l7FirewallRules" + } + update_urls = { + "mr_l7_firewall": "/networks/{net_id}/wireless/ssids/{number}/firewall/l7FirewallRules" + } + query_category_urls = { + "mr_l7_firewall": "/networks/{net_id}/trafficShaping/applicationCategories" + } + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_categories"] = query_category_urls + meraki.url_catalog["get_ssids"] = query_ssids_urls + meraki.url_catalog["update"] = update_urls + + payload = None + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params["org_id"] + orgs = None + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org["name"] == meraki.params["org_name"]: + org_id = org["id"] + net_id = meraki.params["net_id"] + if net_id is None: + if orgs is None: + orgs = meraki.get_orgs() + net_id = meraki.get_net_id( + net_name=meraki.params["net_name"], data=meraki.get_nets(org_id=org_id) + ) + number = meraki.params["number"] + if meraki.params["ssid_name"]: + ssids = get_ssids(meraki, net_id) + number = get_ssid_number(meraki.params["ssid_name"], ssids) + + if meraki.params["state"] == "query": + if meraki.params["categories"] is True: # Output only applications + meraki.result["data"] = get_applications(meraki, net_id) + else: + meraki.result["data"] = restructure_response( + get_rules(meraki, net_id, number) + ) + elif meraki.params["state"] == "present": + rules = get_rules(meraki, net_id, number) + path = meraki.construct_path( + "get_all", net_id=net_id, custom={"number": number} + ) + + # Detect if no rules are given, special case + if len(meraki.params["rules"]) == 0: + # Conditionally wrap parameters in rules makes it comparable + if isinstance(meraki.params["rules"], list): + param_rules = {"rules": meraki.params["rules"]} + else: + param_rules = meraki.params["rules"] + if meraki.is_update_required(rules, param_rules): + if meraki.module.check_mode is True: + meraki.result["data"] = meraki.params["rules"] + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + payload = {"rules": []} + response = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = param_rules + meraki.exit_json(**meraki.result) + if meraki.params["rules"]: + payload = {"rules": []} + for rule in meraki.params["rules"]: + payload["rules"].append(assemble_payload(meraki, net_id, rule)) + else: + payload = dict() + if meraki.is_update_required(rules, payload, force_include="id"): + if meraki.module.check_mode is True: + response = restructure_response(payload) + meraki.generate_diff(restructure_response(rules), response) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + response = restructure_response(response) + if meraki.status == 200: + meraki.generate_diff(restructure_response(rules), response) + meraki.result["data"] = response + meraki.result["changed"] = True + else: + if meraki.module.check_mode is True: + meraki.result["data"] = rules + meraki.result["changed"] = False + meraki.exit_json(**meraki.result) + meraki.result["data"] = payload + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_radio.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_radio.py new file mode 100644 index 00000000..c61f1e22 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_radio.py @@ -0,0 +1,490 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2021, Tyler Christiansen (@supertylerc) <code@tylerc.me> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mr_radio +short_description: Manage device radio settings for Meraki wireless networks +description: +- Allows for configuration of radio settings in Meraki MR wireless networks. +options: + state: + description: + - Query or edit radio settings on a device. + type: str + choices: [present, query] + default: present + serial: + description: + - Serial number of a device to query. + type: str + rf_profile_id: + description: + - The ID of an RF profile to assign to the device. + - If the value of this parameter is null, the appropriate basic RF profile (indoor or outdoor) will be assigned to the device. + - Assigning an RF profile will clear ALL manually configured overrides on the device (channel width, channel, power). + type: str + rf_profile_name: + description: + - The name of an RF profile to assign to the device. + - Similar to ``rf_profile_id``, but requires ``net_id`` (preferred) or ``net_name``. + type: str + net_name: + description: + - Name of a network. + aliases: [network] + type: str + net_id: + description: + - ID of a network. + type: str + five_ghz_settings: + description: + - Manual radio settings for 5 GHz. + type: dict + default: {} + suboptions: + target_power: + description: + - Set a manual target power for 5 GHz. + - Can be between '8' or '30' or null for using auto power range. + type: int + channel_width: + description: + - Sets a manual channel for 5 GHz. + - Can be '0', '20', '40', or '80' or null for using auto channel width. + choices: + - auto + - '20' + - '40' + - '80' + type: str + channel: + description: + - Sets a manual channel for 5 GHz. + type: int + choices: + - 36 + - 40 + - 44 + - 48 + - 52 + - 56 + - 60 + - 64 + - 100 + - 104 + - 108 + - 112 + - 116 + - 120 + - 124 + - 128 + - 132 + - 136 + - 140 + - 144 + - 149 + - 153 + - 157 + - 161 + - 165 + two_four_ghz_settings: + description: + - Manual radio settings for 2.4 GHz. + type: dict + default: {} + suboptions: + target_power: + description: + - Set a manual target power for 2.4 GHz. + - Can be between '5' or '30' or null for using auto power range. + type: int + channel: + description: + - Sets a manual channel for 2.4 GHz. + - Can be '1', '2', '3', '4', '5', '6', '7', '8', '9', '10', '11', '12', '13' or '14' or null for using auto channel. + choices: + - 1 + - 2 + - 3 + - 4 + - 5 + - 6 + - 7 + - 8 + - 9 + - 10 + - 11 + - 12 + - 13 + - 14 + type: int +author: +- Tyler Christiansen (@supertylerc) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query a device's radio configuration + meraki_mr_radio: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + serial: YourSerialNumber + state: query + delegate_to: localhost +- name: Configure a device's radios + meraki_mr_radio: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + serial: YourSerialNumber + state: present + five_ghz_settings: + channel: 56 + channel_width: 20 + target_power: 10 + two_four_ghz_settings: + channel: 6 + target_power: 12 + rf_profile_name: Test Profile + delegate_to: localhost +""" + +RETURN = r""" +data: + description: RF settings configured on a specific device. + returned: success + type: complex + contains: + serial: + description: + - Serial number of the device that was configured. + type: str + returned: success + sample: xyz + rf_profile_id: + description: + - The ID of an RF profile assigned to the device. + - Null indicates the appropriate basic RF profile (indoor or outdoor) is assigned to the device. + type: str + returned: success + sample: null + five_ghz_settings: + description: + - Configured manual radio settings for 5 GHz. + type: dict + returned: success + contains: + target_power: + description: + - Configured manual target power for 5 GHz. + - Null indicates auto power. + type: int + sample: 25 + channel_width: + description: + - Configured manual channel for 5 GHz. + - Null indicates auto channel width. + type: str + sample: 40 + channel: + description: + - Configured manual channel for 5 GHz. + - Null indicates auto channel. + type: str + sample: 56 + two_four_ghz_settings: + description: + - Configured manual radio settings for 2.4 GHz. + type: dict + returned: success + contains: + target_power: + description: + - Configured manual target power for 2.4 GHz. + - Null indicates auto power. + type: int + sample: 15 + channel: + description: + - Configured manual channel for 2.4 GHz. + - Null indicates auto channel. + type: str + sample: 11 +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) +from re import sub + + +def convert_to_camel_case(string): + """Convert "snake case" to "camel case".""" + string = sub(r"(_|-)+", " ", string).title().replace(" ", "") + return string[0].lower() + string[1:] + + +def _construct_payload(params): + """Recursively convert key names. + + This function recursively updates all dict key names from the + Ansible/Python-style "snake case" to the format the Meraki API expects + ("camel case"). + """ + payload = {} + for k, v in params.items(): + if isinstance(v, dict): + v = _construct_payload(v) + payload[convert_to_camel_case(k)] = v + return payload + + +def construct_payload(meraki): + """Construct API payload dict. + + This function uses a ``valid_params`` variable to filter out keys from + ``meraki.params`` that aren't relevant to the Meraki API call. + """ + params = {} + valid_params = [ + "serial", + "rf_profile_id", + "five_ghz_settings", + "two_four_ghz_settings", + ] + for k, v in meraki.params.items(): + if k not in valid_params: + continue + params[k] = v + return _construct_payload(params) + + +# Ansible spec for the 'five_ghz_settings' param, based on Meraki API. +FIVE_GHZ_SETTINGS_SPEC = { + "options": { + "target_power": {"type": "int"}, + "channel_width": {"type": "str", "choices": ["auto", "20", "40", "80"]}, + "channel": { + "type": "int", + "choices": [ + 36, + 40, + 44, + 48, + 52, + 56, + 60, + 64, + 100, + 104, + 108, + 112, + 116, + 120, + 124, + 128, + 132, + 136, + 140, + 144, + 149, + 153, + 157, + 161, + 165, + ], + }, + }, + "default": {}, +} + +# Ansible spec for the 'two_four_ghz_settings' param, based on Meraki API. +TWO_FOUR_GHZ_SETTINGS_SPEC = { + "options": { + "target_power": {"type": "int"}, + "channel": { + "type": "int", + "choices": list(range(1, 15)), + }, + }, + "default": {}, +} + + +def get_org_id(meraki): + """Get the Organization ID based on the Organization Name.""" + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + return org_id + + +def get_net_id(meraki): + """Get the Network ID based on a Network Name.""" + net_id = meraki.params["net_id"] + if net_id is None: + org_id = get_org_id(meraki) + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params["net_name"], data=nets) + return net_id + + +def get_rf_profile_id(meraki): + """Get the RF Profile ID for a given RF Profile Name.""" + profile_id = meraki.params["rf_profile_id"] + profile_name = meraki.params["rf_profile_name"] + if profile_id is None and profile_name is not None: + net_id = get_net_id(meraki) + path = meraki.construct_path("get_all", "mr_rf_profile", net_id=net_id) + profiles = meraki.request(path, method="GET") + profile_id = next( + ( + profile["id"] + for profile in profiles + if profile["name"] == meraki.params["rf_profile_name"] + ), + None, + ) + return profile_id + + +def meraki_get_radio_settings(meraki): + """Query the Meraki API for the current radio settings.""" + path = meraki.construct_path("get_one", custom={"serial": meraki.params["serial"]}) + return meraki.request(path, method="GET") + + +def _meraki_run_query(meraki): + """Get the radio settings on the specified device.""" + meraki.result["data"] = meraki_get_radio_settings(meraki) + meraki.exit_json(**meraki.result) + + +def _meraki_run_present(meraki): + """Update / check radio settings for a specified device.""" + original = meraki_get_radio_settings(meraki) + meraki.result["data"] = original + meraki.params["rf_profile_id"] = get_rf_profile_id(meraki) + payload = construct_payload(meraki) + if meraki.is_update_required(original, payload) is True: + if meraki.check_mode is True: + meraki.result["data"] = payload + meraki.result["changed"] = True + meraki.result["original"] = original + else: + path = meraki.construct_path( + "update", custom={"serial": meraki.params["serial"]} + ) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + + +def _meraki_run_func_lookup(state): + """Return the function that `meraki_run` will use based on `state`.""" + return { + "query": _meraki_run_query, + "present": _meraki_run_present, + }[state] + + +def meraki_run(meraki): + """Perform API calls and generate responses based on the 'state' param.""" + meraki_run_func = _meraki_run_func_lookup(meraki.params["state"]) + meraki_run_func(meraki) + + +def update_url_catalog(meraki): + """Update the URL catalog available to the helper.""" + query_urls = {"mr_radio": "/devices/{serial}/wireless/radio/settings"} + update_urls = {"mr_radio": "/devices/{serial}/wireless/radio/settings"} + query_all_urls = {"mr_rf_profile": "/networks/{net_id}/wireless/rfProfiles"} + + meraki.url_catalog["get_one"].update(query_urls) + meraki.url_catalog["update"] = update_urls + meraki.url_catalog["get_all"].update(query_all_urls) + + +def validate_params(params): + """Validate parameters passed to this Ansible module. + + When ``rf_profile_name`` is passed, we need to lookup the ID as that's what + the API expects. To look up the RF Profile ID, we need the network ID, + which might be derived based on the network name, in which case we need the + org ID or org name to complete the process. + """ + valid = True + msg = None + + if ( + params["rf_profile_name"] is not None + and params["rf_profile_id"] is None + and params["net_id"] is None + ): + if params["net_name"] is None: + valid = False + msg = "When specifying 'rf_profile_name', either 'net_id' (preferred) or 'net_name' is required." + elif params["org_id"] is None and params["org_name"] is None: + valid = False + msg = "When specifying 'rf_profile_name' and omitting 'net_id', either 'org_id' (preferred) or 'org_name' is required." + return (valid, msg) + + +def main(): + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict(type="str", choices=["present", "query"], default="present"), + org_name=dict(type="str", aliases=["organization"]), + org_id=dict(type="str"), + net_name=dict(type="str", aliases=["network"]), + net_id=dict(type="str"), + serial=dict(type="str"), + rf_profile_name=(dict(type="str")), + rf_profile_id=dict(type="str"), + five_ghz_settings=dict( + type="dict", + options=FIVE_GHZ_SETTINGS_SPEC["options"], + default=FIVE_GHZ_SETTINGS_SPEC["default"], + ), + two_four_ghz_settings=dict( + type="dict", + options=TWO_FOUR_GHZ_SETTINGS_SPEC["options"], + default=TWO_FOUR_GHZ_SETTINGS_SPEC["default"], + ), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="mr_radio") + meraki.params["follow_redirects"] = "all" + valid_params, msg = validate_params(meraki.params) + if not valid_params: + meraki.fail_json(msg=msg) + + update_url_catalog(meraki) + meraki_run(meraki) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_rf_profile.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_rf_profile.py new file mode 100644 index 00000000..cd8d9c41 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_rf_profile.py @@ -0,0 +1,662 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mr_rf_profile +short_description: Manage RF profiles for Meraki wireless networks +description: +- Allows for configuration of radio frequency (RF) profiles in Meraki MR wireless networks. +options: + state: + description: + - Query, edit, or delete wireless RF profile settings. + type: str + choices: [ present, query, absent] + default: present + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + profile_id: + description: + - Unique identifier of existing RF profile. + type: str + aliases: [ id ] + band_selection_type: + description: + - Sets whether band selection is assigned per access point or SSID. + - This param is required on creation. + choices: [ ssid, ap ] + type: str + min_bitrate_type: + description: + - Type of minimum bitrate. + choices: [ band, ssid ] + type: str + name: + description: + - The unique name of the new profile. + - This param is required on creation. + type: str + client_balancing_enabled: + description: + - Steers client to best available access point. + type: bool + ap_band_settings: + description: + - Settings that will be enabled if selectionType is set to 'ap'. + type: dict + suboptions: + mode: + description: + - Sets which RF band the AP will support. + choices: [ 2.4ghz, 5ghz, dual ] + aliases: [ band_operation_mode ] + type: str + band_steering_enabled: + description: + - Steers client to most open band. + type: bool + five_ghz_settings: + description: + - Settings related to 5Ghz band. + type: dict + suboptions: + max_power: + description: + - Sets max power (dBm) of 5Ghz band. + - Can be integer between 8 and 30. + type: int + min_power: + description: + - Sets minmimum power (dBm) of 5Ghz band. + - Can be integer between 8 and 30. + type: int + min_bitrate: + description: + - Sets minimum bitrate (Mbps) of 5Ghz band. + choices: [ 6, 9, 12, 18, 24, 36, 48, 54 ] + type: int + rxsop: + description: + - The RX-SOP level controls the sensitivity of the radio. + - It is strongly recommended to use RX-SOP only after consulting a wireless expert. + - RX-SOP can be configured in the range of -65 to -95 (dBm). + type: int + channel_width: + description: + - Sets channel width (MHz) for 5Ghz band. + choices: [ auto, '20', '40', '80' ] + type: str + valid_auto_channels: + description: + - Sets valid auto channels for 5Ghz band. + type: list + elements: int + choices: [36, + 40, + 44, + 48, + 52, + 56, + 60, + 64, + 100, + 104, + 108, + 112, + 116, + 120, + 124, + 128, + 132, + 136, + 140, + 144, + 149, + 153, + 157, + 161, + 165] + two_four_ghz_settings: + description: + - Settings related to 2.4Ghz band + type: dict + suboptions: + max_power: + description: + - Sets max power (dBm) of 2.4Ghz band. + - Can be integer between 5 and 30. + type: int + min_power: + description: + - Sets minmimum power (dBm) of 2.4Ghz band. + - Can be integer between 5 and 30. + type: int + min_bitrate: + description: + - Sets minimum bitrate (Mbps) of 2.4Ghz band. + choices: [ 1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54 ] + type: float + rxsop: + description: + - The RX-SOP level controls the sensitivity of the radio. + - It is strongly recommended to use RX-SOP only after consulting a wireless expert. + - RX-SOP can be configured in the range of -65 to -95 (dBm). + type: int + ax_enabled: + description: + - Determines whether ax radio on 2.4Ghz band is on or off. + type: bool + valid_auto_channels: + description: + - Sets valid auto channels for 2.4Ghz band. + choices: [ 1, 6, 11 ] + type: list + elements: int +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Create RF profile in check mode + meraki_mr_rf_profile: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + name: Test Profile + band_selection_type: ap + client_balancing_enabled: True + ap_band_settings: + mode: dual + band_steering_enabled: true + five_ghz_settings: + max_power: 10 + min_bitrate: 12 + min_power: 8 + rxsop: -65 + channel_width: 20 + valid_auto_channels: + - 36 + - 40 + - 44 + two_four_ghz_settings: + max_power: 10 + min_bitrate: 12 + min_power: 8 + rxsop: -65 + ax_enabled: false + valid_auto_channels: + - 1 + delegate_to: localhost + +- name: Query all RF profiles + meraki_mr_rf_profile: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Query one RF profile by ID + meraki_mr_rf_profile: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + profile_id: '{{ profile_id }}' + delegate_to: localhost + +- name: Update profile + meraki_mr_rf_profile: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + profile_id: 12345 + band_selection_type: ap + client_balancing_enabled: True + ap_band_settings: + mode: dual + band_steering_enabled: true + five_ghz_settings: + max_power: 10 + min_bitrate: 12 + min_power: 8 + rxsop: -65 + channel_width: 20 + valid_auto_channels: + - 36 + - 44 + two_four_ghz_settings: + max_power: 10 + min_bitrate: 12 + min_power: 8 + rxsop: -75 + ax_enabled: false + valid_auto_channels: + - 1 + delegate_to: localhost + +- name: Delete RF profile + meraki_mr_rf_profile: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: absent + profile_id: 12345 + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of wireless RF profile settings. + returned: success + type: complex + contains: + id: + description: + - Unique identifier of existing RF profile. + type: str + returned: success + sample: 12345 + band_selection_type: + description: + - Sets whether band selection is assigned per access point or SSID. + - This param is required on creation. + type: str + returned: success + sample: ap + min_bitrate_type: + description: + - Type of minimum bitrate. + type: str + returned: success + sample: ssid + name: + description: + - The unique name of the new profile. + - This param is required on creation. + type: str + returned: success + sample: Guest RF profile + client_balancing_enabled: + description: + - Steers client to best available access point. + type: bool + returned: success + sample: true + ap_band_settings: + description: + - Settings that will be enabled if selectionType is set to 'ap'. + type: complex + returned: success + contains: + mode: + description: + - Sets which RF band the AP will support. + type: str + returned: success + sample: dual + band_steering_enabled: + description: + - Steers client to most open band. + type: bool + returned: success + sample: true + five_ghz_settings: + description: + - Settings related to 5Ghz band. + type: complex + returned: success + contains: + max_power: + description: + - Sets max power (dBm) of 5Ghz band. + - Can be integer between 8 and 30. + type: int + returned: success + sample: 12 + min_power: + description: + - Sets minmimum power (dBm) of 5Ghz band. + - Can be integer between 8 and 30. + type: int + returned: success + sample: 12 + min_bitrate: + description: + - Sets minimum bitrate (Mbps) of 5Ghz band. + type: int + returned: success + sample: 6 + rxsop: + description: + - The RX-SOP level controls the sensitivity of the radio. + type: int + returned: success + sample: -70 + channel_width: + description: + - Sets channel width (MHz) for 5Ghz band. + type: str + returned: success + sample: auto + valid_auto_channels: + description: + - Sets valid auto channels for 5Ghz band. + type: list + returned: success + two_four_ghz_settings: + description: + - Settings related to 2.4Ghz band + type: complex + returned: success + contains: + max_power: + description: + - Sets max power (dBm) of 2.4Ghz band. + type: int + returned: success + sample: 12 + min_power: + description: + - Sets minmimum power (dBm) of 2.4Ghz band. + type: int + returned: success + sample: 12 + min_bitrate: + description: + - Sets minimum bitrate (Mbps) of 2.4Ghz band. + type: float + returned: success + sample: 5.5 + rxsop: + description: + - The RX-SOP level controls the sensitivity of the radio. + type: int + returned: success + sample: -70 + ax_enabled: + description: + - Determines whether ax radio on 2.4Ghz band is on or off. + type: bool + returned: success + sample: true + valid_auto_channels: + description: + - Sets valid auto channels for 2.4Ghz band. + type: list + returned: success + sample: 6 +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_profile(meraki, profiles, name): + for profile in profiles: + if profile['name'] == name: + return profile + return None + + +def construct_payload(meraki): + payload = {} + if meraki.params['name'] is not None: + payload['name'] = meraki.params['name'] + if meraki.params['band_selection_type'] is not None: + payload['bandSelectionType'] = meraki.params['band_selection_type'] + if meraki.params['min_bitrate_type'] is not None: + payload['minBitrateType'] = meraki.params['min_bitrate_type'] + if meraki.params['client_balancing_enabled'] is not None: + payload['clientBalancingEnabled'] = meraki.params['client_balancing_enabled'] + if meraki.params['ap_band_settings'] is not None: + payload['apBandSettings'] = {} + if meraki.params['ap_band_settings']['mode'] is not None: + payload['apBandSettings']['bandOperationMode'] = meraki.params['ap_band_settings']['mode'] + if meraki.params['ap_band_settings']['band_steering_enabled'] is not None: + payload['apBandSettings']['bandSteeringEnabled'] = meraki.params['ap_band_settings']['band_steering_enabled'] + if meraki.params['five_ghz_settings'] is not None: + payload['fiveGhzSettings'] = {} + if meraki.params['five_ghz_settings']['max_power'] is not None: + payload['fiveGhzSettings']['maxPower'] = meraki.params['five_ghz_settings']['max_power'] + if meraki.params['five_ghz_settings']['min_bitrate'] is not None: + payload['fiveGhzSettings']['minBitrate'] = meraki.params['five_ghz_settings']['min_bitrate'] + if meraki.params['five_ghz_settings']['min_power'] is not None: + payload['fiveGhzSettings']['minPower'] = meraki.params['five_ghz_settings']['min_power'] + if meraki.params['five_ghz_settings']['rxsop'] is not None: + payload['fiveGhzSettings']['rxsop'] = meraki.params['five_ghz_settings']['rxsop'] + if meraki.params['five_ghz_settings']['channel_width'] is not None: + payload['fiveGhzSettings']['channelWidth'] = meraki.params['five_ghz_settings']['channel_width'] + if meraki.params['five_ghz_settings']['valid_auto_channels'] is not None: + payload['fiveGhzSettings']['validAutoChannels'] = meraki.params['five_ghz_settings']['valid_auto_channels'] + if meraki.params['two_four_ghz_settings'] is not None: + payload['twoFourGhzSettings'] = {} + if meraki.params['two_four_ghz_settings']['max_power'] is not None: + payload['twoFourGhzSettings']['maxPower'] = meraki.params['two_four_ghz_settings']['max_power'] + if meraki.params['two_four_ghz_settings']['min_bitrate'] is not None: + payload['twoFourGhzSettings']['minBitrate'] = meraki.params['two_four_ghz_settings']['min_bitrate'] + if meraki.params['two_four_ghz_settings']['min_power'] is not None: + payload['twoFourGhzSettings']['minPower'] = meraki.params['two_four_ghz_settings']['min_power'] + if meraki.params['two_four_ghz_settings']['rxsop'] is not None: + payload['twoFourGhzSettings']['rxsop'] = meraki.params['two_four_ghz_settings']['rxsop'] + if meraki.params['two_four_ghz_settings']['ax_enabled'] is not None: + payload['twoFourGhzSettings']['axEnabled'] = meraki.params['two_four_ghz_settings']['ax_enabled'] + if meraki.params['two_four_ghz_settings']['valid_auto_channels'] is not None: + payload['twoFourGhzSettings']['validAutoChannels'] = meraki.params['two_four_ghz_settings']['valid_auto_channels'] + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + band_arg_spec = dict(mode=dict(type='str', aliases=['band_operation_mode'], choices=['2.4ghz', '5ghz', 'dual']), + band_steering_enabled=dict(type='bool'), + ) + + five_arg_spec = dict(max_power=dict(type='int'), + min_bitrate=dict(type='int', choices=[6, 9, 12, 18, 24, 36, 48, 54]), + min_power=dict(type='int'), + rxsop=dict(type='int'), + channel_width=dict(type='str', choices=['auto', '20', '40', '80']), + valid_auto_channels=dict(type='list', elements='int', choices=[36, + 40, + 44, + 48, + 52, + 56, + 60, + 64, + 100, + 104, + 108, + 112, + 116, + 120, + 124, + 128, + 132, + 136, + 140, + 144, + 149, + 153, + 157, + 161, + 165]), + ) + + two_arg_spec = dict(max_power=dict(type='int'), + min_bitrate=dict(type='float', choices=[1, + 2, + 5.5, + 6, + 9, + 11, + 12, + 18, + 24, + 36, + 48, + 54]), + min_power=dict(type='int'), + rxsop=dict(type='int'), + ax_enabled=dict(type='bool'), + valid_auto_channels=dict(type='list', elements='int', choices=[1, 6, 11]), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query', 'absent'], default='present'), + org_name=dict(type='str', aliases=['organization']), + org_id=dict(type='str'), + net_name=dict(type='str'), + net_id=dict(type='str'), + profile_id=dict(type='str', aliases=['id']), + band_selection_type=dict(type='str', choices=['ssid', 'ap']), + min_bitrate_type=dict(type='str', choices=['band', 'ssid']), + name=dict(type='str'), + client_balancing_enabled=dict(type='bool'), + ap_band_settings=dict(type='dict', options=band_arg_spec), + five_ghz_settings=dict(type='dict', options=five_arg_spec), + two_four_ghz_settings=dict(type='dict', options=two_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mr_rf_profile') + + meraki.params['follow_redirects'] = 'all' + + query_all_urls = {'mr_rf_profile': '/networks/{net_id}/wireless/rfProfiles'} + query_urls = {'mr_rf_profile': '/networks/{net_id}/wireless/rfProfiles/{profile_id}'} + create_urls = {'mr_rf_profile': '/networks/{net_id}/wireless/rfProfiles'} + update_urls = {'mr_rf_profile': '/networks/{net_id}/wireless/rfProfiles/{profile_id}'} + delete_urls = {'mr_rf_profile': '/networks/{net_id}/wireless/rfProfiles/{profile_id}'} + + meraki.url_catalog['get_all'].update(query_all_urls) + meraki.url_catalog['get_one'].update(query_urls) + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['update'] = update_urls + meraki.url_catalog['delete'] = delete_urls + + if meraki.params['five_ghz_settings'] is not None: + if meraki.params['five_ghz_settings']['max_power'] is not None: + if meraki.params['five_ghz_settings']['max_power'] < 8 or meraki.params['five_ghz_settings']['max_power'] > 30: + meraki.fail_json(msg="5ghz max power must be between 8 and 30.") + if meraki.params['five_ghz_settings']['min_power'] is not None: + if meraki.params['five_ghz_settings']['min_power'] < 8 or meraki.params['five_ghz_settings']['min_power'] > 30: + meraki.fail_json(msg="5ghz min power must be between 8 and 30.") + if meraki.params['five_ghz_settings']['rxsop'] is not None: + if meraki.params['five_ghz_settings']['rxsop'] < -95 or meraki.params['five_ghz_settings']['rxsop'] > -65: + meraki.fail_json(msg="5ghz min power must be between 8 and 30.") + if meraki.params['two_four_ghz_settings'] is not None: + if meraki.params['two_four_ghz_settings']['max_power'] is not None: + if meraki.params['two_four_ghz_settings']['max_power'] < 5 or meraki.params['two_four_ghz_settings']['max_power'] > 30: + meraki.fail_json(msg="5ghz max power must be between 5 and 30.") + if meraki.params['two_four_ghz_settings']['min_power'] is not None: + if meraki.params['two_four_ghz_settings']['min_power'] < 5 or meraki.params['two_four_ghz_settings']['min_power'] > 30: + meraki.fail_json(msg="5ghz min power must be between 5 and 30.") + if meraki.params['two_four_ghz_settings']['rxsop'] is not None: + if meraki.params['two_four_ghz_settings']['rxsop'] < -95 or meraki.params['two_four_ghz_settings']['rxsop'] > -65: + meraki.fail_json(msg="5ghz min power must be between 8 and 30.") + + org_id = meraki.params['org_id'] + net_id = meraki.params['net_id'] + profile_id = meraki.params['profile_id'] + profile = None + profiles = None + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + if profile_id is None: + path = meraki.construct_path('get_all', net_id=net_id) + profiles = meraki.request(path, method='GET') + # profile = get_profile(meraki, profiles, meraki.params['name']) + profile_id = next((profile['id'] for profile in profiles if profile['name'] == meraki.params['name']), None) + + if meraki.params['state'] == 'query': + if profile_id is not None: + path = meraki.construct_path('get_one', net_id=net_id, custom={'profile_id': profile_id}) + result = meraki.request(path, method='GET') + meraki.result['data'] = result + meraki.exit_json(**meraki.result) + if profiles is None: + path = meraki.construct_path('get_all', net_id=net_id) + profiles = meraki.request(path, method='GET') + meraki.result['data'] = profiles + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + payload = construct_payload(meraki) + if profile_id is None: # Create a new RF profile + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('create', net_id=net_id) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + path = meraki.construct_path('get_one', net_id=net_id, custom={'profile_id': profile_id}) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload) is True: + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id, custom={'profile_id': profile_id}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'absent': + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('delete', net_id=net_id, custom={'profile_id': profile_id}) + response = meraki.request(path, method='DELETE') + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_settings.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_settings.py new file mode 100644 index 00000000..7858c208 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_settings.py @@ -0,0 +1,221 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mr_settings +short_description: Manage general settings for Meraki wireless networks +description: +- Allows for configuration of general settings in Meraki MR wireless networks. +options: + state: + description: + - Query or edit wireless settings. + type: str + choices: [ present, query] + default: present + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + upgrade_strategy: + description: + - The upgrade strategy to apply to the network. + - Requires firmware version MR 26.8 or higher. + choices: [ minimize_upgrade_time, minimize_client_downtime ] + type: str + ipv6_bridge_enabled: + description: + - Toggle for enabling or disabling IPv6 bridging in a network. + - If enabled, SSIDs must also be configured to use bridge mode. + type: bool + led_lights_on: + description: + - Toggle for enabling or disabling LED lights on all APs in the network. + type: bool + location_analytics_enabled: + description: + - Toggle for enabling or disabling location analytics for your network. + type: bool + meshing_enabled: + description: Toggle for enabling or disabling meshing in a network. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all settings + meraki_mr_settings: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost +- name: Configure settings + meraki_mr_settings: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + upgrade_strategy: minimize_upgrade_time + ipv6_bridge_enabled: false + led_lights_on: true + location_analytics_enabled: true + meshing_enabled: true + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of wireless settings. + returned: success + type: complex + contains: + upgrade_strategy: + description: + - The upgrade strategy to apply to the network. + - Requires firmware version MR 26.8 or higher. + type: str + returned: success + sample: minimize_upgrade_time + ipv6_bridge_enabled: + description: + - Toggle for enabling or disabling IPv6 bridging in a network. + - If enabled, SSIDs must also be configured to use bridge mode. + type: bool + returned: success + sample: True + led_lights_on: + description: + - Toggle for enabling or disabling LED lights on all APs in the network. + type: bool + returned: success + sample: True + location_analytics_enabled: + description: + - Toggle for enabling or disabling location analytics for your network. + type: bool + returned: success + sample: True + meshing_enabled: + description: Toggle for enabling or disabling meshing in a network. + type: bool + returned: success + sample: True +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec +from re import sub + + +def convert_to_camel_case(string): + string = sub(r"(_|-)+", " ", string).title().replace(" ", "") + return string[0].lower() + string[1:] + + +def construct_payload(meraki): + payload = {} + if meraki.params['upgrade_strategy'] is not None: + payload['upgradeStrategy'] = convert_to_camel_case(meraki.params['upgrade_strategy']) + if meraki.params['ipv6_bridge_enabled'] is not None: + payload['ipv6BridgeEnabled'] = meraki.params['ipv6_bridge_enabled'] + if meraki.params['led_lights_on'] is not None: + payload['ledLightsOn'] = meraki.params['led_lights_on'] + if meraki.params['location_analytics_enabled'] is not None: + payload['locationAnalyticsEnabled'] = meraki.params['location_analytics_enabled'] + if meraki.params['meshing_enabled'] is not None: + payload['meshingEnabled'] = meraki.params['meshing_enabled'] + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + org_name=dict(type='str', aliases=['organization']), + org_id=dict(type='str'), + net_name=dict(type='str'), + net_id=dict(type='str'), + upgrade_strategy=dict(type='str', choices=['minimize_upgrade_time', + 'minimize_client_downtime']), + ipv6_bridge_enabled=dict(type='bool'), + led_lights_on=dict(type='bool'), + location_analytics_enabled=dict(type='bool'), + meshing_enabled=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mr_settings') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mr_settings': '/networks/{net_id}/wireless/settings'} + update_urls = {'mr_settings': '/networks/{net_id}/wireless/settings'} + + meraki.url_catalog['get_one'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + org_id = meraki.params['org_id'] + net_id = meraki.params['net_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_one', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_one', net_id=net_id) + original = meraki.request(path, method='GET') + payload = construct_payload(meraki) + if meraki.is_update_required(original, payload) is True: + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_ssid.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_ssid.py new file mode 100644 index 00000000..f6c242e0 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mr_ssid.py @@ -0,0 +1,744 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mr_ssid +short_description: Manage wireless SSIDs in the Meraki cloud +description: +- Allows for management of SSIDs in a Meraki wireless environment. +notes: +- Deleting an SSID does not delete RADIUS servers. +options: + state: + description: + - Specifies whether SNMP information should be queried or modified. + type: str + choices: [ absent, query, present ] + default: present + number: + description: + - SSID number within network. + type: int + aliases: [ssid_number] + name: + description: + - Name of SSID. + type: str + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + enabled: + description: + - Enable or disable SSID network. + type: bool + auth_mode: + description: + - Set authentication mode of network. + type: str + choices: [open, psk, open-with-radius, 8021x-meraki, 8021x-radius] + encryption_mode: + description: + - Set encryption mode of network. + type: str + choices: [wpa, eap, wpa-eap] + psk: + description: + - Password for wireless network. + - Requires auth_mode to be set to psk. + type: str + wpa_encryption_mode: + description: + - Encryption mode within WPA specification. + type: str + choices: [WPA1 and WPA2, WPA2 only, WPA3 Transition Mode, WPA3 only] + splash_page: + description: + - Set to enable splash page and specify type of splash. + type: str + choices: ['None', + 'Click-through splash page', + 'Billing', + 'Password-protected with Meraki RADIUS', + 'Password-protected with custom RADIUS', + 'Password-protected with Active Directory', + 'Password-protected with LDAP', + 'SMS authentication', + 'Systems Manager Sentry', + 'Facebook Wi-Fi', + 'Google OAuth', + 'Sponsored guest', + 'Cisco ISE'] + radius_servers: + description: + - List of RADIUS servers. + type: list + elements: dict + suboptions: + host: + description: + - IP address or hostname of RADIUS server. + type: str + required: true + port: + description: + - Port number RADIUS server is listening to. + type: int + secret: + description: + - RADIUS password. + - Setting password is not idempotent. + type: str + radius_proxy_enabled: + description: + - Enable or disable RADIUS Proxy on SSID. + type: bool + radius_coa_enabled: + description: + - Enable or disable RADIUS CoA (Change of Authorization) on SSID. + type: bool + radius_failover_policy: + description: + - Set client access policy in case RADIUS servers aren't available. + type: str + choices: [Deny access, Allow access] + radius_load_balancing_policy: + description: + - Set load balancing policy when multiple RADIUS servers are specified. + type: str + choices: [Strict priority order, Round robin] + radius_accounting_enabled: + description: + - Enable or disable RADIUS accounting. + type: bool + radius_accounting_servers: + description: + - List of RADIUS servers for RADIUS accounting. + type: list + elements: dict + suboptions: + host: + description: + - IP address or hostname of RADIUS server. + type: str + required: true + port: + description: + - Port number RADIUS server is listening to. + type: int + secret: + description: + - RADIUS password. + - Setting password is not idempotent. + type: str + ip_assignment_mode: + description: + - Method of which SSID uses to assign IP addresses. + type: str + choices: ['NAT mode', + 'Bridge mode', + 'Layer 3 roaming', + 'Layer 3 roaming with a concentrator', + 'VPN'] + lan_isolation_enabled: + description: + - Enable or disable Layer 2 Lan isolation. + - Requires C(ip_assignment_mode) to be C(Bridge mode). + type: bool + use_vlan_tagging: + description: + - Set whether to use VLAN tagging. + - Requires C(default_vlan_id) to be set. + type: bool + visible: + description: + - Enable or disable whether APs should broadcast this SSID. + type: bool + default_vlan_id: + description: + - Default VLAN ID. + - Requires C(ip_assignment_mode) to be C(Bridge mode) or C(Layer 3 roaming). + type: int + vlan_id: + description: + - ID number of VLAN on SSID. + - Requires C(ip_assignment_mode) to be C(ayer 3 roaming with a concentrator) or C(VPN). + type: int + ap_tags_vlan_ids: + description: + - List of VLAN tags. + - Requires C(ip_assignment_mode) to be C(Bridge mode) or C(Layer 3 roaming). + - Requires C(use_vlan_tagging) to be C(True). + type: list + elements: dict + suboptions: + tags: + description: + - List of AP tags. + type: list + elements: str + vlan_id: + description: + - Numerical identifier that is assigned to the VLAN. + type: int + walled_garden_enabled: + description: + - Enable or disable walled garden functionality. + type: bool + walled_garden_ranges: + description: + - List of walled garden ranges. + type: list + elements: str + available_on_all_aps: + description: + - Set whether all APs should broadcast the SSID or if it should be restricted to APs matching any availability tags. + - Requires C(ap_availability_tags) to be defined when set to C(False). + type: bool + ap_availability_tags: + description: + - Set whether SSID will be broadcast by APs with tags matching any of the tags in this list. + - Requires C(available_on_all_aps) to be C(false). + type: list + elements: str + min_bitrate: + description: + - Minimum bitrate (Mbps) allowed on SSID. + type: float + choices: [1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54] + band_selection: + description: + - Set band selection mode. + type: str + choices: ['Dual band operation', '5 GHz band only', 'Dual band operation with Band Steering'] + per_client_bandwidth_limit_up: + description: + - Maximum bandwidth in Mbps devices on SSID can upload. + type: int + per_client_bandwidth_limit_down: + description: + - Maximum bandwidth in Mbps devices on SSID can download. + type: int + concentrator_network_id: + description: + - The concentrator to use for 'Layer 3 roaming with a concentrator' or 'VPN'. + type: str + enterprise_admin_access: + description: + - Whether SSID is accessible by enterprise administrators. + type: str + choices: ['access disabled', 'access enabled'] + splash_guest_sponsor_domains: + description: + - List of valid sponsor email domains for sponsored guest portal. + type: list + elements: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Enable and name SSID + meraki_ssid: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: WiFi + name: GuestSSID + enabled: true + visible: true + delegate_to: localhost + +- name: Set PSK with invalid encryption mode + meraki_ssid: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: WiFi + name: GuestSSID + auth_mode: psk + psk: abc1234 + encryption_mode: eap + ignore_errors: yes + delegate_to: localhost + +- name: Configure RADIUS servers + meraki_ssid: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: WiFi + name: GuestSSID + auth_mode: open-with-radius + radius_servers: + - host: 192.0.1.200 + port: 1234 + secret: abc98765 + delegate_to: localhost + +- name: Enable click-through splash page + meraki_ssid: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: WiFi + name: GuestSSID + splash_page: Click-through splash page + delegate_to: localhost +""" + +RETURN = r""" +data: + description: List of wireless SSIDs. + returned: success + type: complex + contains: + number: + description: Zero-based index number for SSIDs. + returned: success + type: int + sample: 0 + name: + description: + - Name of wireless SSID. + - This value is what is broadcasted. + returned: success + type: str + sample: CorpWireless + enabled: + description: Enabled state of wireless network. + returned: success + type: bool + sample: true + splash_page: + description: Splash page to show when user authenticates. + returned: success + type: str + sample: Click-through splash page + ssid_admin_accessible: + description: Whether SSID is administratively accessible. + returned: success + type: bool + sample: true + auth_mode: + description: Authentication method. + returned: success + type: str + sample: psk + psk: + description: Secret wireless password. + returned: success + type: str + sample: SecretWiFiPass + encryption_mode: + description: Wireless traffic encryption method. + returned: success + type: str + sample: wpa + wpa_encryption_mode: + description: Enabled WPA versions. + returned: success + type: str + sample: WPA2 only + ip_assignment_mode: + description: Wireless client IP assignment method. + returned: success + type: str + sample: NAT mode + min_bitrate: + description: Minimum bitrate a wireless client can connect at. + returned: success + type: int + sample: 11 + band_selection: + description: Wireless RF frequency wireless network will be broadcast on. + returned: success + type: str + sample: 5 GHz band only + per_client_bandwidth_limit_up: + description: Maximum upload bandwidth a client can use. + returned: success + type: int + sample: 1000 + per_client_bandwidth_limit_down: + description: Maximum download bandwidth a client can use. + returned: success + type: int + sample: 0 +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def get_available_number(data): + for item in data: + if "Unconfigured SSID" in item["name"]: + return item["number"] + return False + + +def get_ssid_number(name, data): + for ssid in data: + if name == ssid["name"]: + return ssid["number"] + return False + + +def get_ssids(meraki, net_id): + path = meraki.construct_path("get_all", net_id=net_id) + return meraki.request(path, method="GET") + + +def construct_payload(meraki): + param_map = { + "name": "name", + "enabled": "enabled", + "authMode": "auth_mode", + "encryptionMode": "encryption_mode", + "psk": "psk", + "wpaEncryptionMode": "wpa_encryption_mode", + "splashPage": "splash_page", + "radiusServers": "radius_servers", + "radiusProxyEnabled": "radius_proxy_enabled", + "radiusCoaEnabled": "radius_coa_enabled", + "radiusFailoverPolicy": "radius_failover_policy", + "radiusLoadBalancingPolicy": "radius_load_balancing_policy", + "radiusAccountingEnabled": "radius_accounting_enabled", + "radiusAccountingServers": "radius_accounting_servers", + "ipAssignmentMode": "ip_assignment_mode", + "useVlanTagging": "use_vlan_tagging", + "visible": "visible", + "concentratorNetworkId": "concentrator_network_id", + "vlanId": "vlan_id", + "lanIsolationEnabled": "lan_isolation_enabled", + "availableOnAllAps": "available_on_all_aps", + "availabilityTags": "ap_availability_tags", + "defaultVlanId": "default_vlan_id", + "apTagsAndVlanIds": "ap_tags_vlan_ids", + "walledGardenEnabled": "walled_garden_enabled", + "walledGardenRanges": "walled_garden_ranges", + "minBitrate": "min_bitrate", + "bandSelection": "band_selection", + "perClientBandwidthLimitUp": "per_client_bandwidth_limit_up", + "perClientBandwidthLimitDown": "per_client_bandwidth_limit_down", + "enterpriseAdminAccess": "enterprise_admin_access", + "splashGuestSponsorDomains": "splash_guest_sponsor_domains", + } + + payload = dict() + for k, v in param_map.items(): + if meraki.params[v] is not None: + payload[k] = meraki.params[v] + + if meraki.params["ap_tags_vlan_ids"] is not None: + for i in payload["apTagsAndVlanIds"]: + try: + i["vlanId"] = i["vlan_id"] + del i["vlan_id"] + except KeyError: + pass + + return payload + + +def per_line_to_str(data): + return data.replace("\n", " ") + + +def main(): + default_payload = { + "name": "Unconfigured SSID", + "auth_mode": "open", + "splashPage": "None", + "perClientBandwidthLimitUp": 0, + "perClientBandwidthLimitDown": 0, + "ipAssignmentMode": "NAT mode", + "enabled": False, + "bandSelection": "Dual band operation", + "minBitrate": 11, + } + + # define the available arguments/parameters that a user can pass to + # the module + radius_arg_spec = dict( + host=dict(type="str", required=True), + port=dict(type="int"), + secret=dict(type="str", no_log=True), + ) + vlan_arg_spec = dict( + tags=dict(type="list", elements="str"), + vlan_id=dict(type="int"), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict( + type="str", choices=["absent", "present", "query"], default="present" + ), + number=dict(type="int", aliases=["ssid_number"]), + name=dict(type="str"), + org_name=dict(type="str", aliases=["organization"]), + org_id=dict(type="str"), + net_name=dict(type="str"), + net_id=dict(type="str"), + enabled=dict(type="bool"), + auth_mode=dict( + type="str", + choices=["open", "psk", "open-with-radius", "8021x-meraki", "8021x-radius"], + ), + encryption_mode=dict(type="str", choices=["wpa", "eap", "wpa-eap"]), + psk=dict(type="str", no_log=True), + wpa_encryption_mode=dict( + type="str", + choices=["WPA1 and WPA2", "WPA2 only", "WPA3 Transition Mode", "WPA3 only"], + ), + splash_page=dict( + type="str", + choices=[ + "None", + "Click-through splash page", + "Billing", + "Password-protected with Meraki RADIUS", + "Password-protected with custom RADIUS", + "Password-protected with Active Directory", + "Password-protected with LDAP", + "SMS authentication", + "Systems Manager Sentry", + "Facebook Wi-Fi", + "Google OAuth", + "Sponsored guest", + "Cisco ISE", + ], + ), + radius_servers=dict( + type="list", default=None, elements="dict", options=radius_arg_spec + ), + radius_proxy_enabled=dict(type="bool"), + radius_coa_enabled=dict(type="bool"), + radius_failover_policy=dict( + type="str", choices=["Deny access", "Allow access"] + ), + radius_load_balancing_policy=dict( + type="str", choices=["Strict priority order", "Round robin"] + ), + radius_accounting_enabled=dict(type="bool"), + radius_accounting_servers=dict( + type="list", elements="dict", options=radius_arg_spec + ), + ip_assignment_mode=dict( + type="str", + choices=[ + "NAT mode", + "Bridge mode", + "Layer 3 roaming", + "Layer 3 roaming with a concentrator", + "VPN", + ], + ), + use_vlan_tagging=dict(type="bool"), + visible=dict(type="bool"), + lan_isolation_enabled=dict(type="bool"), + available_on_all_aps=dict(type="bool"), + ap_availability_tags=dict(type="list", elements="str"), + concentrator_network_id=dict(type="str"), + vlan_id=dict(type="int"), + default_vlan_id=dict(type="int"), + ap_tags_vlan_ids=dict( + type="list", default=None, elements="dict", options=vlan_arg_spec + ), + walled_garden_enabled=dict(type="bool"), + walled_garden_ranges=dict(type="list", elements="str"), + min_bitrate=dict( + type="float", choices=[1, 2, 5.5, 6, 9, 11, 12, 18, 24, 36, 48, 54] + ), + band_selection=dict( + type="str", + choices=[ + "Dual band operation", + "5 GHz band only", + "Dual band operation with Band Steering", + ], + ), + per_client_bandwidth_limit_up=dict(type="int"), + per_client_bandwidth_limit_down=dict(type="int"), + enterprise_admin_access=dict( + type="str", choices=["access disabled", "access enabled"] + ), + splash_guest_sponsor_domains=dict(type="list", elements="str"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="ssid") + meraki.params["follow_redirects"] = "all" + + query_urls = {"ssid": "/networks/{net_id}/wireless/ssids"} + query_url = {"ssid": "/networks/{net_id}/wireless/ssids/{number}"} + update_url = {"ssid": "/networks/{net_id}/wireless/ssids/"} + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_one"].update(query_url) + meraki.url_catalog["update"] = update_url + + payload = None + + # execute checks for argument completeness + if meraki.params["psk"]: + if meraki.params["auth_mode"] != "psk": + meraki.fail_json(msg="PSK is only allowed when auth_mode is set to psk") + if meraki.params["encryption_mode"] != "wpa": + meraki.fail_json(msg="PSK requires encryption_mode be set to wpa") + if meraki.params["radius_servers"]: + if meraki.params["auth_mode"] not in ("open-with-radius", "8021x-radius"): + meraki.fail_json( + msg="radius_servers requires auth_mode to be open-with-radius or 8021x-radius" + ) + if meraki.params["radius_accounting_enabled"] is True: + if meraki.params["auth_mode"] not in ("open-with-radius", "8021x-radius"): + meraki.fail_json( + msg="radius_accounting_enabled is only allowed when auth_mode is open-with-radius or 8021x-radius" + ) + if meraki.params["radius_accounting_servers"] is True: + if ( + meraki.params["auth_mode"] not in ("open-with-radius", "8021x-radius") + or meraki.params["radius_accounting_enabled"] is False + ): + meraki.fail_json( + msg="radius_accounting_servers is only allowed when auth_mode is open_with_radius or 8021x-radius and \ + radius_accounting_enabled is true" + ) + if meraki.params["use_vlan_tagging"] is True: + if meraki.params["default_vlan_id"] is None: + meraki.fail_json( + msg="default_vlan_id is required when use_vlan_tagging is True" + ) + if meraki.params["lan_isolation_enabled"] is not None: + if meraki.params["ip_assignment_mode"] not in ("Bridge mode"): + meraki.fail_json( + msg="lan_isolation_enabled is only allowed when ip_assignment_mode is Bridge mode" + ) + if meraki.params["available_on_all_aps"] is False: + if not meraki.params["ap_availability_tags"]: + meraki.fail_json( + msg="available_on_all_aps is only allowed to be false when ap_availability_tags is defined" + ) + if meraki.params["ap_availability_tags"]: + if meraki.params["available_on_all_aps"] is not False: + meraki.fail_json( + msg="ap_availability_tags is only allowed when available_on_all_aps is false" + ) + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params["org_id"] + net_id = meraki.params["net_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + if meraki.params["name"]: + ssid_id = get_ssid_number(meraki.params["name"], get_ssids(meraki, net_id)) + path = meraki.construct_path( + "get_one", net_id=net_id, custom={"number": ssid_id} + ) + meraki.result["data"] = meraki.request(path, method="GET") + elif meraki.params["number"] is not None: + path = meraki.construct_path( + "get_one", net_id=net_id, custom={"number": meraki.params["number"]} + ) + meraki.result["data"] = meraki.request(path, method="GET") + else: + meraki.result["data"] = get_ssids(meraki, net_id) + elif meraki.params["state"] == "present": + payload = construct_payload(meraki) + ssids = get_ssids(meraki, net_id) + number = meraki.params["number"] + if number is None: + number = get_ssid_number(meraki.params["name"], ssids) + original = ssids[number] + if meraki.is_update_required(original, payload, optional_ignore=["secret"]): + ssid_id = meraki.params["number"] + if ssid_id is None: # Name should be used to lookup number + ssid_id = get_ssid_number(meraki.params["name"], ssids) + if ssid_id is False: + ssid_id = get_available_number(ssids) + if ssid_id is False: + meraki.fail_json( + msg="No unconfigured SSIDs are available. Specify a number." + ) + if meraki.check_mode is True: + original.update(payload) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update", net_id=net_id) + str(ssid_id) + result = meraki.request(path, "PUT", payload=json.dumps(payload)) + meraki.result["data"] = result + meraki.result["changed"] = True + else: + meraki.result["data"] = original + elif meraki.params["state"] == "absent": + ssids = get_ssids(meraki, net_id) + ssid_id = meraki.params["number"] + if ssid_id is None: # Name should be used to lookup number + ssid_id = get_ssid_number(meraki.params["name"], ssids) + if ssid_id is False: + # This will return True as long as there's an unclaimed SSID number! + ssid_id = get_available_number(ssids) + # There are no available SSIDs or SSID numbers + if ssid_id is False: + meraki.fail_json( + msg="No SSID found by specified name and no numbers unclaimed." + ) + meraki.result["changed"] = False + meraki.result["data"] = {} + meraki.exit_json(**meraki.result) + if meraki.check_mode is True: + meraki.result["data"] = {} + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update", net_id=net_id) + str(ssid_id) + payload = default_payload + payload["name"] = payload["name"] + " " + str(ssid_id + 1) + result = meraki.request(path, "PUT", payload=json.dumps(payload)) + meraki.result["data"] = result + meraki.result["changed"] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_list.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_list.py new file mode 100644 index 00000000..bd5e9205 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_list.py @@ -0,0 +1,319 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_access_list +short_description: Manage access lists for Meraki switches in the Meraki cloud +version_added: "0.1.0" +description: +- Configure and query information about access lists on Meraki switches within the Meraki cloud. +notes: +- Some of the options are likely only used for developers within Meraki. +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + net_name: + description: + - Name of network which configuration is applied to. + aliases: [network] + type: str + net_id: + description: + - ID of network which configuration is applied to. + type: str + rules: + description: + - List of access control rules. + type: list + elements: dict + suboptions: + comment: + description: + - Description of the rule. + type: str + policy: + description: + - Action to take on matching traffic. + choices: [allow, deny] + type: str + ip_version: + description: + - Type of IP packets to match. + choices: [any, ipv4, ipv6] + type: str + protocol: + description: + - Type of protocol to match. + choices: [any, tcp, udp] + type: str + src_cidr: + description: + - CIDR notation of source IP address to match. + type: str + src_port: + description: + - Port number of source port to match. + - May be a port number or 'any'. + type: str + dst_cidr: + description: + - CIDR notation of source IP address to match. + type: str + dst_port: + description: + - Port number of destination port to match. + - May be a port number or 'any'. + type: str + vlan: + description: + - Incoming traffic VLAN. + - May be any port between 1-4095 or 'any'. + type: str +author: + Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set access list + meraki_switch_access_list: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + rules: + - comment: Fake rule + policy: allow + ip_version: ipv4 + protocol: udp + src_cidr: 192.0.1.0/24 + src_port: "4242" + dst_cidr: 1.2.3.4/32 + dst_port: "80" + vlan: "100" + delegate_to: localhost + +- name: Query access lists + meraki_switch_access_list: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of administrators. + returned: success + type: complex + contains: + rules: + description: + - List of access control rules. + type: list + contains: + comment: + description: + - Description of the rule. + type: str + sample: User rule + returned: success + policy: + description: + - Action to take on matching traffic. + type: str + sample: allow + returned: success + ip_version: + description: + - Type of IP packets to match. + type: str + sample: ipv4 + returned: success + protocol: + description: + - Type of protocol to match. + type: str + sample: udp + returned: success + src_cidr: + description: + - CIDR notation of source IP address to match. + type: str + sample: 192.0.1.0/24 + returned: success + src_port: + description: + - Port number of source port to match. + type: str + sample: 1234 + returned: success + dst_cidr: + description: + - CIDR notation of source IP address to match. + type: str + sample: 1.2.3.4/32 + returned: success + dst_port: + description: + - Port number of destination port to match. + type: str + sample: 80 + returned: success + vlan: + description: + - Incoming traffic VLAN. + type: str + sample: 100 + returned: success +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec +from copy import deepcopy + + +def construct_payload(params): + payload = {'rules': []} + for rule in params['rules']: + new_rule = dict() + if 'comment' in rule: + new_rule['comment'] = rule['comment'] + if 'policy' in rule: + new_rule['policy'] = rule['policy'] + if 'ip_version' in rule: + new_rule['ipVersion'] = rule['ip_version'] + if 'protocol' in rule: + new_rule['protocol'] = rule['protocol'] + if 'src_cidr' in rule: + new_rule['srcCidr'] = rule['src_cidr'] + if 'src_port' in rule: + try: # Need to convert to int for comparison later + new_rule['srcPort'] = int(rule['src_port']) + except ValueError: + pass + if 'dst_cidr' in rule: + new_rule['dstCidr'] = rule['dst_cidr'] + if 'dst_port' in rule: + try: # Need to convert to int for comparison later + new_rule['dstPort'] = int(rule['dst_port']) + except ValueError: + pass + if 'vlan' in rule: + try: # Need to convert to int for comparison later + new_rule['vlan'] = int(rule['vlan']) + except ValueError: + pass + payload['rules'].append(new_rule) + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + rules_arg_spec = dict(comment=dict(type='str'), + policy=dict(type='str', choices=['allow', 'deny']), + ip_version=dict(type='str', choices=['ipv4', 'ipv6', 'any']), + protocol=dict(type='str', choices=['tcp', 'udp', 'any']), + src_cidr=dict(type='str'), + src_port=dict(type='str'), + dst_cidr=dict(type='str'), + dst_port=dict(type='str'), + vlan=dict(type='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='query'), + net_name=dict(type='str', aliases=['network']), + net_id=dict(type='str'), + rules=dict(type='list', elements='dict', options=rules_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='switch_access_list') + + meraki.params['follow_redirects'] = 'all' + + query_url = {'switch_access_list': '/networks/{net_id}/switch/accessControlLists'} + update_url = {'switch_access_list': '/networks/{net_id}/switch/accessControlLists'} + + meraki.url_catalog['get_all'].update(query_url) + meraki.url_catalog['update'] = update_url + + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + result = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = result + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_all', net_id=net_id) + original = meraki.request(path, method='GET') + payload = construct_payload(meraki.params) + comparable = deepcopy(original) + if len(comparable['rules']) > 1: + del comparable['rules'][len(comparable['rules']) - 1] # Delete the default rule for comparison + else: + del comparable['rules'][0] + if meraki.is_update_required(comparable, payload): + if meraki.check_mode is True: + default_rule = original['rules'][len(original['rules']) - 1] + payload['rules'].append(default_rule) + new_rules = {'rules': payload['rules']} + meraki.result['data'] = new_rules + meraki.result['changed'] = True + diff = recursive_diff(original, new_rules) + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + diff = recursive_diff(original, payload) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_policies.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_policies.py new file mode 100644 index 00000000..ebf35c35 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_access_policies.py @@ -0,0 +1,608 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022 +# Marcin Woźniak (@y0rune) <y0rune@aol.com> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_ms_access_policies +short_description: Manage Switch Access Policies in the Meraki cloud +description: Module for managing a Switch Access Policies in the Meraki cloud +options: + state: + description: + - Specifies whether SNMP information should be queried or modified. + type: str + choices: [ absent, query, present ] + default: present + number: + description: + - Number of the access_policy. + type: int + aliases: [access_policy_number] + name: + description: + - Name of Access Policy. + type: str + net_id: + description: + - ID of network. + type: str + org_id: + description: + - ID of organization associated to a network. + type: str + net_name: + description: + - Name of a network. + aliases: [name, network] + type: str + auth_method: + description: + - Set authentication method in the policy. + type: str + choices: ["Meraki authentication", "my RADIUS server"] + guest_vlan: + description: + - Guest Vlan + type: int + access_policy_type: + description: + - Set type of the access policy + type: str + choices: ["802.1x", "MAC authentication bypass", "Hybrid authentication"] + systems_management_enrollment: + description: + - Set if the Systems Management Enrollemnt is enabled or disabled + type: bool + default: False + radius_servers: + description: + - List of RADIUS servers. + type: list + elements: dict + suboptions: + host: + description: + - IP address or hostname of RADIUS server. + type: str + required: true + port: + description: + - Port number RADIUS server is listening to. + type: int + secret: + description: + - RADIUS password. + - Setting password is not idempotent. + type: str + radius_testing: + description: + - Set status of testing a radius. + type: bool + default: True + voice_vlan_clients: + description: + - If is enabled that means Voice VLAN client require authentication + type: bool + default: True + radius_coa_enabled: + description: + - Enable or disable RADIUS CoA (Change of Authorization). + type: bool + radius_accounting_enabled: + description: + - Enable or disable RADIUS accounting. + type: bool + radius_accounting_servers: + description: + - List of RADIUS servers for RADIUS accounting. + type: list + elements: dict + suboptions: + host: + description: + - IP address or hostname of RADIUS server. + type: str + required: true + port: + description: + - Port number RADIUS server is listening to. + type: int + secret: + description: + - RADIUS password. + type: str + host_mode: + description: + - Choose the Host Mode for the access policy. + type: str + choices: ["Single-Host", "Multi-Domain", "Multi-Host", "Multi-Auth"] + data_vlan_id: + description: + - Set a Data VLAN ID for Critical Auth VLAN + type: int + voice_vlan_id: + description: + - Set a Voice VLAN ID for Critical Auth VLAN + type: int + suspend_port_bounce: + description: + - Enable or disable the Suspend Port Bounce when RADIUS servers are unreachable. + type: bool + default: False + radius_attribute_group_policy_name: + description: + - Enable that attribute for a RADIUS + type: str + choices: ["Filter-Id", ""] + default: "" +author: +- Marcin Woźniak (@y0rune) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Create access policy with auth_method is "Meraki authentication" + cisco.meraki.meraki_ms_access_policies: + auth_key: abc123 + state: present + name: "Meraki authentication policy" + auth_method: "Meraki authentication" + net_name: YourNet + org_name: YourOrg + delegate_to: localhost + +- name: Create access policy with auth_method is "my Radius Server" + cisco.meraki.meraki_ms_access_policies: + auth_key: abc123 + access_policy_type: "802.1x" + host_mode: "Single-Host" + state: present + name: "Meraki authentication policy" + auth_method: "my RADIUS server" + radius_servers: + - host: 192.0.1.18 + port: 7890 + secret: secret123 + net_name: YourNet + org_name: YourOrg + radius_coa_enabled: False + radius_accounting_enabled: False + guest_vlan: 10 + voice_vlan_clients: False +""" + +RETURN = r""" +data: + description: List of Access Policies + returned: success + type: complex + contains: + number: + description: Number of the Access Policy + returned: success + type: int + sample: 1 + name: + description: Name of the Access Policy + returned: success + type: str + sample: Policy with 802.1x + access_policy_type: + description: Type of the access policy + returned: success + type: str + sample: 802.1x + guest_vlan_id: + description: ID of the Guest Vlan + returned: success + type: int + sample: 10 + host_mode: + description: Choosen teh Host Mode for the access policy + returned: success + type: str + sample: Single-Host + radius: + description: List of radius specific list + returned: success + type: complex + contains: + critial_auth: + description: Critial Auth List + returned: success + type: complex + contains: + data_vlan_id: + description: VLAN ID for data + returned: success + type: int + sample: 10 + suspend_port_bounce: + description: Enable or disable suspend port bounce + returned: success + type: bool + sample: False + voice_vlan_id: + description: VLAN ID for voice + returned: success + type: int + sample: 10 + failed_auth_vlan_id: + description: VLAN ID when failed auth + returned: success + type: int + sample: 11 + re_authentication_interval: + description: Interval of re-authentication + returned: success + type: int + sample: + radius_coa_enabled: + description: + - Enable or disable RADIUS CoA (Change of Authorization). + type: bool + radius_accounting_enabled: + description: + - Enable or disable RADIUS accounting. + type: bool + radius_accounting_servers: + description: + - List of RADIUS servers for RADIUS accounting. + type: list + elements: dict + radius_servers: + description: + - List of RADIUS servers. + type: list + elements: dict + radius_attribute_group_policy_name: + description: Enable the radius group attribute + returned: success + type: str + choices: [ "11", ""] + sample: 11 + radius_testing_enabled: + description: Enable or disable Radius Testing + returned: success + type: bool + sample: True + voice_vlan_clients: + description: Enable or disable Voice Vlan Clients + returned: success + type: bool + sample: False +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def convert_vlan_id(vlan_id): + if vlan_id == "": + return None + elif vlan_id == 0: + return None + elif vlan_id in range(1, 4094): + return vlan_id + + +def convert_radius_attribute_group_policy_name(arg): + if arg == "Filter-Id": + return 11 + else: + return "" + + +def main(): + argument_spec = meraki_argument_spec() + + radius_arg_spec = dict( + host=dict(type="str", required=True), + port=dict(type="int"), + secret=dict(type="str", no_log=True), + ) + + argument_spec.update( + state=dict( + type="str", + choices=["present", "query", "absent"], + default="present", + ), + net_id=dict(type="str"), + net_name=dict(type="str", aliases=["network"]), + number=dict(type="int", aliases=["access_policy_number"]), + name=dict(type="str"), + auth_method=dict( + type="str", + choices=["Meraki authentication", "my RADIUS server"], + ), + guest_vlan=dict(type="int"), + access_policy_type=dict( + type="str", + choices=[ + "802.1x", + "MAC authentication bypass", + "Hybrid authentication", + ], + ), + systems_management_enrollment=dict(type="bool", default=False), + radius_servers=dict( + type="list", default=None, elements="dict", options=radius_arg_spec + ), + radius_testing=dict(type="bool", default="True"), + voice_vlan_clients=dict(type="bool", default="True"), + radius_coa_enabled=dict(type="bool"), + radius_accounting_enabled=dict(type="bool"), + radius_accounting_servers=dict( + type="list", elements="dict", options=radius_arg_spec + ), + host_mode=dict( + type="str", + choices=["Single-Host", "Multi-Domain", "Multi-Host", "Multi-Auth"], + ), + data_vlan_id=dict(type="int"), + voice_vlan_id=dict(type="int"), + suspend_port_bounce=dict(type="bool", default="False"), + radius_attribute_group_policy_name=dict( + type="str", choices=["Filter-Id", ""], default="" + ), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="access_policies") + + net_id = meraki.params["net_id"] + net_name = meraki.params["net_name"] + + org_id = meraki.params["org_id"] + org_name = meraki.params["org_name"] + + if meraki.params["net_name"] and meraki.params["net_id"]: + meraki.fail_json(msg="net_name and net_id are mutually exclusive") + + if meraki.params["org_name"] and meraki.params["org_id"]: + meraki.fail_json(msg="org_name and org_id are mutually exclusive") + + if net_id or net_name: + if net_id is None: + if org_id is None: + org_id = meraki.get_org_id(org_name) + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=net_name, data=nets) + + query_urls = {"access_policies": "/networks/{net_id}/switch/accessPolicies"} + query_url = { + "access_policies": "/networks/{net_id}/switch/accessPolicies/{number}" + } + update_url = { + "access_policies": "/networks/{net_id}/switch/accessPolicies/{number}" + } + create_url = {"access_policies": "/networks/{net_id}/switch/accessPolicies"} + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_one"].update(query_url) + meraki.url_catalog["update"] = update_url + meraki.url_catalog["create"] = create_url + + payload_auth = { + "name": meraki.params["name"], + "radiusServers": [], + "radiusTestingEnabled": False, + "radiusGroupAttribute": meraki.params[ + "radius_attribute_group_policy_name" + ], + "radius": { + "criticalAuth": { + "dataVlanId": None, + "voiceVlanId": None, + "suspendPortBounce": False, + }, + "failedAuthVlanId": None, + "reAuthenticationInterval": None, + }, + "radiusCoaSupportEnabled": False, + "radiusAccountingEnabled": False, + "radiusAccountingServers": [], + "hostMode": "Single-Host", + "accessPolicyType": "802.1x", + "voiceVlanClients": True, + "systems_management_enrollment": meraki.params[ + "systems_management_enrollment" + ], + "guestVlanId": meraki.params["guest_vlan"], + "urlRedirectWalledGardenEnabled": False, + } + + payload_radius = { + "name": meraki.params["name"], + "radiusServers": meraki.params["radius_servers"], + "radiusTestingEnabled": meraki.params["radius_testing"], + "radiusGroupAttribute": convert_radius_attribute_group_policy_name( + meraki.params["radius_attribute_group_policy_name"] + ), + "radius": { + "criticalAuth": { + "dataVlanId": convert_vlan_id(meraki.params["data_vlan_id"]), + "voiceVlanId": convert_vlan_id(meraki.params["voice_vlan_id"]), + "suspendPortBounce": meraki.params["suspend_port_bounce"], + }, + "failedAuthVlanId": None, + "reAuthenticationInterval": None, + }, + "radiusCoaSupportEnabled": meraki.params["radius_coa_enabled"], + "hostMode": meraki.params["host_mode"], + "accessPolicyType": meraki.params["access_policy_type"], + "guestVlanId": meraki.params["guest_vlan"], + "voiceVlanClients": meraki.params["voice_vlan_clients"], + "urlRedirectWalledGardenEnabled": False, + "radiusAccountingEnabled": meraki.params["radius_accounting_enabled"], + "radiusAccountingServers": meraki.params["radius_accounting_servers"], + "systems_management_enrollment": meraki.params[ + "systems_management_enrollment" + ], + } + + if meraki.params["state"] == "query": + if meraki.params["number"]: + path = meraki.construct_path( + "get_one", + net_id=net_id, + custom={ + "number": meraki.params["number"], + }, + ) + response = meraki.request(path, method="GET") + meraki.result["data"] = response + else: + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, method="GET") + meraki.result["data"] = response + elif meraki.params["state"] == "present": + + query_path_all = meraki.construct_path( + "get_all", + net_id=net_id, + ) + + original_all = meraki.request(query_path_all, method="GET") + + for i in original_all: + if i.get("name") == meraki.params["name"]: + meraki.params["number"] = i.get("accessPolicyNumber") + + if meraki.params["number"] is None: + path = meraki.construct_path( + "create", + net_id=net_id, + ) + if meraki.params["auth_method"] == "Meraki authentication": + response = meraki.request( + path, method="POST", payload=json.dumps(payload_auth) + ) + meraki.result["changed"] = True + meraki.result["data"] = response + elif meraki.params["auth_method"] == "my RADIUS server": + response = meraki.request( + path, method="POST", payload=json.dumps(payload_radius) + ) + meraki.result["changed"] = True + meraki.result["data"] = response + else: + query_path = meraki.construct_path( + "get_one", + net_id=net_id, + custom={ + "number": meraki.params["number"], + }, + ) + + update_path = meraki.construct_path( + "update", + net_id=net_id, + custom={ + "number": meraki.params["number"], + }, + ) + + proposed = "" + + if meraki.params["auth_method"] == "Meraki authentication": + proposed = payload_auth.copy() + elif meraki.params["auth_method"] == "my RADIUS server": + proposed = payload_radius.copy() + + original = meraki.request(query_path, method="GET") + + ignored_parameters = [ + "accessPolicyNumber", + "secret", + "systems_management_enrollment", + ] + + if meraki.params["radius_accounting_enabled"]: + proposed.update( + { + "radiusAccountingServers": meraki.params[ + "radius_accounting_servers" + ], + } + ) + else: + proposed.update( + { + "radiusAccountingServers": [], + } + ) + + if meraki.params["radius_servers"]: + proposed.update( + { + "radiusServers": meraki.params["radius_servers"], + } + ) + else: + proposed.update( + { + "radiusServers": [], + } + ) + + if meraki.is_update_required( + original, + proposed, + optional_ignore=ignored_parameters, + ): + + if meraki.check_mode is True: + original.update(proposed) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + + response = meraki.request( + update_path, method="PUT", payload=json.dumps(proposed) + ) + meraki.result["changed"] = True + meraki.result["data"] = response + else: + meraki.result["data"] = original + + elif meraki.params["state"] == "absent": + path = meraki.construct_path( + "update", + net_id=net_id, + custom={ + "number": meraki.params["number"], + }, + ) + + response = meraki.request(path, method="DELETE") + meraki.result["changed"] = True + meraki.result["data"] = response + + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_l3_interface.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_l3_interface.py new file mode 100644 index 00000000..716ec8d9 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_l3_interface.py @@ -0,0 +1,373 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_l3_interface +short_description: Manage routed interfaces on MS switches +description: +- Allows for creation, management, and visibility into routed interfaces on Meraki MS switches. +notes: +- Once a layer 3 interface is created, the API does not allow updating the interface and specifying C(default_gateway). +options: + state: + description: + - Create or modify an organization. + type: str + choices: [ present, query, absent ] + default: present + serial: + description: + - Serial number of MS switch hosting the layer 3 interface. + type: str + vlan_id: + description: + - The VLAN this routed interface is on. + - VLAN must be between 1 and 4094. + type: int + default_gateway: + description: + - The next hop for any traffic that isn't going to a directly connected subnet or over a static route. + - This IP address must exist in a subnet with a routed interface. + type: str + interface_ip: + description: + - The IP address this switch will use for layer 3 routing on this VLAN or subnet. + - This cannot be the same as the switch's management IP. + type: str + interface_id: + description: + - Uniqiue identification number for layer 3 interface. + type: str + multicast_routing: + description: + - Enable multicast support if multicast routing between VLANs is required. + type: str + choices: [disabled, enabled, IGMP snooping querier] + name: + description: + - A friendly name or description for the interface or VLAN. + type: str + subnet: + description: + - The network that this routed interface is on, in CIDR notation. + type: str + ospf_settings: + description: + - The OSPF routing settings of the interface. + type: dict + suboptions: + cost: + description: + - The path cost for this interface. + type: int + area: + description: + - The OSPF area to which this interface should belong. + - Can be either 'disabled' or the identifier of an existing OSPF area. + type: str + is_passive_enabled: + description: + - When enabled, OSPF will not run on the interface, but the subnet will still be advertised. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all l3 interfaces + meraki_ms_l3_interface: + auth_key: abc123 + state: query + serial: aaa-bbb-ccc + +- name: Query one l3 interface + meraki_ms_l3_interface: + auth_key: abc123 + state: query + serial: aaa-bbb-ccc + name: Test L3 interface + +- name: Create l3 interface + meraki_ms_l3_interface: + auth_key: abc123 + state: present + serial: aaa-bbb-ccc + name: "Test L3 interface 2" + subnet: "192.168.3.0/24" + interface_ip: "192.168.3.2" + multicast_routing: disabled + vlan_id: 11 + ospf_settings: + area: 0 + cost: 1 + is_passive_enabled: true + +- name: Update l3 interface + meraki_ms_l3_interface: + auth_key: abc123 + state: present + serial: aaa-bbb-ccc + name: "Test L3 interface 2" + subnet: "192.168.3.0/24" + interface_ip: "192.168.3.2" + multicast_routing: disabled + vlan_id: 11 + ospf_settings: + area: 0 + cost: 2 + is_passive_enabled: true + +- name: Delete l3 interface + meraki_ms_l3_interface: + auth_key: abc123 + state: absent + serial: aaa-bbb-ccc + interface_id: abc123344566 +''' + +RETURN = r''' +data: + description: Information about the layer 3 interfaces. + returned: success + type: complex + contains: + vlan_id: + description: The VLAN this routed interface is on. + returned: success + type: int + sample: 10 + default_gateway: + description: The next hop for any traffic that isn't going to a directly connected subnet or over a static route. + returned: success + type: str + sample: 192.168.2.1 + interface_ip: + description: The IP address this switch will use for layer 3 routing on this VLAN or subnet. + returned: success + type: str + sample: 192.168.2.2 + interface_id: + description: Uniqiue identification number for layer 3 interface. + returned: success + type: str + sample: 62487444811111120 + multicast_routing: + description: Enable multicast support if multicast routing between VLANs is required. + returned: success + type: str + sample: disabled + name: + description: A friendly name or description for the interface or VLAN. + returned: success + type: str + sample: L3 interface + subnet: + description: The network that this routed interface is on, in CIDR notation. + returned: success + type: str + sample: 192.168.2.0/24 + ospf_settings: + description: The OSPF routing settings of the interface. + returned: success + type: complex + contains: + cost: + description: The path cost for this interface. + returned: success + type: int + sample: 1 + area: + description: The OSPF area to which this interface should belong. + returned: success + type: str + sample: 0 + is_passive_enabled: + description: When enabled, OSPF will not run on the interface, but the subnet will still be advertised. + returned: success + type: bool + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def construct_payload(meraki): + payload = {} + if meraki.params['name'] is not None: + payload['name'] = meraki.params['name'] + if meraki.params['subnet'] is not None: + payload['subnet'] = meraki.params['subnet'] + if meraki.params['interface_ip'] is not None: + payload['interfaceIp'] = meraki.params['interface_ip'] + if meraki.params['multicast_routing'] is not None: + payload['multicastRouting'] = meraki.params['multicast_routing'] + if meraki.params['vlan_id'] is not None: + payload['vlanId'] = meraki.params['vlan_id'] + if meraki.params['default_gateway'] is not None: + payload['defaultGateway'] = meraki.params['default_gateway'] + if meraki.params['ospf_settings'] is not None: + payload['ospfSettings'] = {} + if meraki.params['ospf_settings']['area'] is not None: + payload['ospfSettings']['area'] = meraki.params['ospf_settings']['area'] + if meraki.params['ospf_settings']['cost'] is not None: + payload['ospfSettings']['cost'] = meraki.params['ospf_settings']['cost'] + if meraki.params['ospf_settings']['is_passive_enabled'] is not None: + payload['ospfSettings']['isPassiveEnabled'] = meraki.params['ospf_settings']['is_passive_enabled'] + return payload + + +def get_interface_id(meraki, data, name): + # meraki.fail_json(msg=data) + for interface in data: + if interface['name'] == name: + return interface['interfaceId'] + return None + + +def get_interface(interfaces, interface_id): + for interface in interfaces: + if interface['interfaceId'] == interface_id: + return interface + return None + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + ospf_arg_spec = dict(area=dict(type='str'), + cost=dict(type='int'), + is_passive_enabled=dict(type='bool'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query', 'absent'], default='present'), + serial=dict(type='str'), + name=dict(type='str'), + subnet=dict(type='str'), + interface_id=dict(type='str'), + interface_ip=dict(type='str'), + multicast_routing=dict(type='str', choices=['disabled', 'enabled', 'IGMP snooping querier']), + vlan_id=dict(type='int'), + default_gateway=dict(type='str'), + ospf_settings=dict(type='dict', default=None, options=ospf_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='ms_l3_interfaces') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'ms_l3_interfaces': '/devices/{serial}/switch/routing/interfaces'} + query_one_urls = {'ms_l3_interfaces': '/devices/{serial}/switch/routing/interfaces'} + create_urls = {'ms_l3_interfaces': '/devices/{serial}/switch/routing/interfaces'} + update_urls = {'ms_l3_interfaces': '/devices/{serial}/switch/routing/interfaces/{interface_id}'} + delete_urls = {'ms_l3_interfaces': '/devices/{serial}/switch/routing/interfaces/{interface_id}'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_one'].update(query_one_urls) + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['update'] = update_urls + meraki.url_catalog['delete'] = delete_urls + + payload = None + + if meraki.params['vlan_id'] is not None: + if meraki.params['vlan_id'] < 1 or meraki.params['vlan_id'] > 4094: + meraki.fail_json(msg='vlan_id must be between 1 and 4094') + + interface_id = meraki.params['interface_id'] + interfaces = None + if interface_id is None: + if meraki.params['name'] is not None: + path = meraki.construct_path('get_all', custom={'serial': meraki.params['serial']}) + interfaces = meraki.request(path, method='GET') + interface_id = get_interface_id(meraki, interfaces, meraki.params['name']) + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + if meraki.params['state'] == 'query': + if interface_id is not None: # Query one interface + path = meraki.construct_path('get_one', custom={'serial': meraki.params['serial'], + 'interface_id': interface_id}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + else: # Query all interfaces + path = meraki.construct_path('get_all', custom={'serial': meraki.params['serial']}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + if interface_id is None: # Create a new interface + payload = construct_payload(meraki) + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('create', custom={'serial': meraki.params['serial']}) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + if interfaces is None: + path = meraki.construct_path('get_all', custom={'serial': meraki.params['serial']}) + interfaces = meraki.request(path, method='GET') + payload = construct_payload(meraki) + interface = get_interface(interfaces, interface_id) + if meraki.is_update_required(interface, payload): + if meraki.check_mode is True: + interface.update(payload) + meraki.result['data'] = interface + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', custom={'serial': meraki.params['serial'], + 'interface_id': interface_id}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = interface + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'absent': + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('delete', custom={'serial': meraki.params['serial'], + 'interface_id': meraki.params['interface_id']}) + response = meraki.request(path, method='DELETE') + meraki.result['data'] = response + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_link_aggregation.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_link_aggregation.py new file mode 100644 index 00000000..a38eda7d --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_link_aggregation.py @@ -0,0 +1,258 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_link_aggregation +short_description: Manage link aggregations on MS switches +version_added: "1.2.0" +description: +- Allows for management of MS switch link aggregations in a Meraki environment. +notes: +- Switch profile ports are not supported in this module. +options: + state: + description: + - Specifies whether SNMP information should be queried or modified. + type: str + choices: [ absent, query, present ] + default: present + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + lag_id: + description: + - ID of lag to query or modify. + type: str + switch_ports: + description: + - List of switchports to include in link aggregation. + type: list + elements: dict + suboptions: + serial: + description: + - Serial number of switch to own link aggregation. + type: str + port_id: + description: + - Port number which should be included in link aggregation. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Create LAG + meraki_ms_link_aggregation: + auth_key: '{{auth_key}}' + state: present + org_name: '{{test_org_name}}' + net_name: '{{test_switch_net_name}}' + switch_ports: + - serial: '{{serial_switch}}' + port_id: "1" + - serial: '{{serial_switch}}' + port_id: "2" + delegate_to: localhost + +- name: Update LAG + meraki_ms_link_aggregation: + auth_key: '{{auth_key}}' + state: present + org_name: '{{test_org_name}}' + net_name: '{{test_switch_net_name}}' + lag_id: '{{lag_id}}' + switch_ports: + - serial: '{{serial_switch}}' + port_id: "1" + - serial: '{{serial_switch}}' + port_id: "2" + - serial: '{{serial_switch}}' + port_id: "3" + - serial: '{{serial_switch}}' + port_id: "4" + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of aggregated links. + returned: success + type: complex + contains: + id: + description: + - ID of link aggregation. + returned: success + type: str + sample: "MTK3M4A2ZDdfM3==" + switch_ports: + description: + - List of switch ports to be included in link aggregation. + returned: success + type: complex + contains: + port_id: + description: + - Port number. + type: str + returned: success + sample: "1" + serial: + description: + - Serial number of switch on which port resides. + type: str + returned: success + sample: "ABCD-1234-WXYZ" +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_lags(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + return meraki.request(path, method='GET') + + +def is_lag_valid(lags, lag_id): + for lag in lags: + if lag['id'] == lag_id: + return lag + return False + + +def construct_payload(meraki): + payload = dict() + if meraki.params['switch_ports'] is not None: + payload['switchPorts'] = [] + for port in meraki.params['switch_ports']: + port_config = {'serial': port['serial'], + 'portId': port['port_id'], + } + payload['switchPorts'].append(port_config) + # if meraki.params['switch_profile_ports'] is not None: + # payload['switchProfilePorts'] = [] + # for port in meraki.params['switch_profile_ports']: + # port_config = {'profile': port['profile'], + # 'portId': port['port_id'], + # } + # payload['switchProfilePorts'].append(port_config) + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + switch_ports_args = dict(serial=dict(type='str'), + port_id=dict(type='str'), + ) + + # switch_profile_ports_args = dict(profile=dict(type='str'), + # port_id=dict(type='str'), + # ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='present'), + org_name=dict(type='str', aliases=['organization']), + org_id=dict(type='str'), + net_name=dict(type='str'), + net_id=dict(type='str'), + lag_id=dict(type='str'), + switch_ports=dict(type='list', default=None, elements='dict', options=switch_ports_args), + # switch_profile_ports=dict(type='list', default=None, elements='dict', options=switch_profile_ports_args), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='ms_link_aggregation') + meraki.params['follow_redirects'] = 'all' + + query_urls = {'ms_link_aggregation': '/networks/{net_id}/switch/linkAggregations'} + create_url = {'ms_link_aggregation': '/networks/{net_id}/switch/linkAggregations'} + update_url = {'ms_link_aggregation': '/networks/{net_id}/switch/linkAggregations/{lag_id}'} + delete_url = {'ms_link_aggregation': '/networks/{net_id}/switch/linkAggregations/{lag_id}'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['create'] = create_url + meraki.url_catalog['update'] = update_url + meraki.url_catalog['delete'] = delete_url + + payload = None + + # execute checks for argument completeness + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + if meraki.params['lag_id'] is not None: # Need to update + lag = is_lag_valid(get_lags(meraki, net_id), meraki.params['lag_id']) + if lag is not False: # Lag ID is valid + payload = construct_payload(meraki) + if meraki.is_update_required(lag, payload) is True: + path = meraki.construct_path('update', net_id=net_id, custom={'lag_id': meraki.params['lag_id']}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['changed'] = True + meraki.result['data'] = response + else: + meraki.result['data'] = lag + else: + meraki.fail_json("Provided lag_id is not valid.") + else: + path = meraki.construct_path('create', net_id=net_id) + payload = construct_payload(meraki) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + meraki.result['changed'] = True + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'absent': + path = meraki.construct_path('delete', net_id=net_id, custom={'lag_id': meraki.params['lag_id']}) + response = meraki.request(path, method='DELETE') + meraki.result['data'] = {} + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_ospf.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_ospf.py new file mode 100644 index 00000000..a8aaed00 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_ospf.py @@ -0,0 +1,323 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_ospf +short_description: Manage OSPF configuration on MS switches +description: +- Configure OSPF for compatible Meraki MS switches. +options: + state: + description: + - Read or edit OSPF settings. + type: str + choices: [ present, query ] + default: present + net_name: + description: + - Name of network containing OSPF configuration. + type: str + aliases: [ name, network ] + net_id: + description: + - ID of network containing OSPF configuration. + type: str + enabled: + description: + - Enable or disable OSPF on the network. + type: bool + hello_timer: + description: + - Time interval, in seconds, at which hello packets will be sent to OSPF neighbors to maintain connectivity. + - Value must be between 1 and 255. + - Default is 10 seconds. + type: int + dead_timer: + description: + - Time interval to determine when the peer will be declared inactive. + - Value must be between 1 and 65535. + type: int + md5_authentication_enabled: + description: + - Whether to enable or disable MD5 authentication. + type: bool + md5_authentication_key: + description: + - MD5 authentication credentials. + type: dict + suboptions: + id: + description: + - MD5 authentication key index. + - Must be between 1 and 255. + type: str + passphrase: + description: + - Plain text authentication passphrase + type: str + areas: + description: + - List of areas in OSPF network. + type: list + elements: dict + suboptions: + area_id: + description: + - OSPF area ID + type: int + aliases: [ id ] + area_name: + description: + - Descriptive name of OSPF area. + type: str + aliases: [ name ] + area_type: + description: + - OSPF area type. + choices: [normal, stub, nssa] + type: str + aliases: [ type ] +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' + - name: Query OSPF settings + meraki_ms_ospf: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + + - name: Enable OSPF with check mode + meraki_ms_ospf: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + enabled: true + hello_timer: 20 + dead_timer: 60 + areas: + - area_id: 0 + area_name: Backbone + area_type: normal + - area_id: 1 + area_name: Office + area_type: nssa + md5_authentication_enabled: false +''' + +RETURN = r''' +data: + description: Information about queried object. + returned: success + type: complex + contains: + enabled: + description: + - Enable or disable OSPF on the network. + type: bool + hello_timer_in_seconds: + description: + - Time interval, in seconds, at which hello packets will be sent to OSPF neighbors to maintain connectivity. + type: int + dead_timer_in_seconds: + description: + - Time interval to determine when the peer will be declared inactive. + type: int + areas: + description: + - List of areas in OSPF network. + type: complex + contains: + area_id: + description: + - OSPF area ID + type: int + area_name: + description: + - Descriptive name of OSPF area. + type: str + area_type: + description: + - OSPF area type. + type: str + md5_authentication_enabled: + description: + - Whether to enable or disable MD5 authentication. + type: bool + md5_authentication_key: + description: + - MD5 authentication credentials. + type: complex + contains: + id: + description: + - MD5 key index. + type: int + passphrase: + description: + - Passphrase for MD5 key. + type: str +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def construct_payload(meraki): + payload_key_mapping = {'enabled': 'enabled', + 'hello_timer': 'helloTimerInSeconds', + 'dead_timer': 'deadTimerInSeconds', + 'areas': 'areas', + 'area_id': 'areaId', + 'area_name': 'areaName', + 'area_type': 'areaType', + 'md5_authentication_enabled': 'md5AuthenticationEnabled', + 'md5_authentication_key': 'md5AuthenticationKey', + 'id': 'id', + 'passphrase': 'passphrase', + } + payload = {} + + # This may need to be reworked to avoid overwiting + for snake, camel in payload_key_mapping.items(): + try: + if meraki.params[snake] is not None: + payload[camel] = meraki.params[snake] + if snake == 'areas': + if meraki.params['areas'] is not None and len(meraki.params['areas']) > 0: + payload['areas'] = [] + for area in meraki.params['areas']: + area_settings = {'areaName': area['area_name'], + 'areaId': area['area_id'], + 'areaType': area['area_type'], + } + payload['areas'].append(area_settings) + # TODO: Does this code below have a purpose? + # elif snake == 'md5_authentication_key': + # if meraki.params['md5_authentication_key'] is not None: + # md5_settings = {'id': meraki.params['md5_authentication_key']['id'], + # 'passphrase': meraki.params['md5_authentication_key']['passphrase'], + # } + except KeyError: + pass + + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + areas_arg_spec = dict(area_id=dict(type='int', aliases=['id']), + area_name=dict(type='str', aliases=['name']), + area_type=dict(type='str', aliases=['type'], choices=['normal', 'stub', 'nssa']), + ) + + md5_auth_arg_spec = dict(id=dict(type='str'), + passphrase=dict(type='str', no_log=True), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['name', 'network']), + enabled=dict(type='bool'), + hello_timer=dict(type='int'), + dead_timer=dict(type='int'), + areas=dict(type='list', default=None, elements='dict', options=areas_arg_spec), + md5_authentication_enabled=dict(type='bool'), + md5_authentication_key=dict(type='dict', default=None, options=md5_auth_arg_spec, no_log=True), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='ms_ospf') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'ms_ospf': '/networks/{net_id}/switch/routing/ospf'} + update_urls = {'ms_ospf': '/networks/{net_id}/switch/routing/ospf'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # execute checks for argument completeness + + if meraki.params['dead_timer'] is not None: + if meraki.params['dead_timer'] < 1 or meraki.params['dead_timer'] > 65535: + meraki.fail_json(msg='dead_timer must be between 1 and 65535') + if meraki.params['hello_timer'] is not None: + if meraki.params['hello_timer'] < 1 or meraki.params['hello_timer'] > 255: + meraki.fail_json(msg='hello_timer must be between 1 and 65535') + if meraki.params['md5_authentication_enabled'] is False: + if meraki.params['md5_authentication_key'] is not None: + meraki.fail_json(msg='md5_authentication_key must not be configured when md5_authentication_enabled is false') + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None and meraki.params['net_name']: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + original = meraki.request(meraki.construct_path('get_all', net_id=net_id), method='GET') + payload = construct_payload(meraki) + if meraki.is_update_required(original, payload) is True: + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if 'md5_authentication_key' in response: + response['md5_authentication_key']['passphrase'] = 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER' + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + if 'md5_authentication_key' in original: + original['md5_authentication_key']['passphrase'] = 'VALUE_SPECIFIED_IN_NO_LOG_PARAMETER' + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack.py new file mode 100644 index 00000000..bbe6282a --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack.py @@ -0,0 +1,278 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_stack +short_description: Modify switch stacking configuration in Meraki. +version_added: "1.3.0" +description: +- Allows for modification of Meraki MS switch stacks. +notes: +- Not all actions are idempotent. Specifically, creating a new stack will error if any switch is already in a stack. +options: + state: + description: + - Create or modify an organization. + choices: ['present', 'query', 'absent'] + default: present + type: str + net_name: + description: + - Name of network which MX firewall is in. + type: str + net_id: + description: + - ID of network which MX firewall is in. + type: str + stack_id: + description: + - ID of stack which is to be modified or deleted. + type: str + serials: + description: + - List of switch serial numbers which should be included or removed from a stack. + type: list + elements: str + name: + description: + - Name of stack. + type: str + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Create new stack + meraki_switch_stack: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + name: Test stack + serials: + - "ABCD-1231-4579" + - "ASDF-4321-0987" + +- name: Add switch to stack + meraki_switch_stack: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + stack_id: ABC12340987 + serials: + - "ABCD-1231-4579" + +- name: Remove switch from stack + meraki_switch_stack: + auth_key: abc123 + state: absent + org_name: YourOrg + net_name: YourNet + stack_id: ABC12340987 + serials: + - "ABCD-1231-4579" + +- name: Query one stack + meraki_switch_stack: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + stack_id: ABC12340987 +''' + +RETURN = r''' +data: + description: VPN settings. + returned: success + type: complex + contains: + id: + description: ID of switch stack. + returned: always + type: str + sample: 7636 + name: + description: Descriptive name of switch stack. + returned: always + type: str + sample: MyStack + serials: + description: List of serial numbers in switch stack. + returned: always + type: list + sample: + - "QBZY-XWVU-TSRQ" + - "QBAB-CDEF-GHIJ" +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec +from copy import deepcopy + + +def get_stacks(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + return meraki.request(path, method='GET') + + +def get_stack(stack_id, stacks): + for stack in stacks: + if stack_id == stack['id']: + return stack + return None + + +def get_stack_id(meraki, net_id): + stacks = get_stacks(meraki, net_id) + for stack in stacks: + if stack['name'] == meraki.params['name']: + return stack['id'] + + +def does_stack_exist(meraki, stacks): + for stack in stacks: + have = set(meraki.params['serials']) + want = set(stack['serials']) + if have == want: + return stack + return False + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query', 'absent'], default='present'), + net_name=dict(type='str'), + net_id=dict(type='str'), + stack_id=dict(type='str'), + serials=dict(type='list', elements='str', default=None), + name=dict(type='str'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='switch_stack') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'switch_stack': '/networks/{net_id}/switch/stacks'} + query_url = {'switch_stack': '/networks/{net_id}/switch/stacks/{stack_id}'} + add_urls = {'switch_stack': '/networks/{net_id}/switch/stacks/{stack_id}/add'} + remove_urls = {'switch_stack': '/networks/{net_id}/switch/stacks/{stack_id}/remove'} + create_urls = {'switch_stack': '/networks/{net_id}/switch/stacks'} + delete_urls = {'switch_stack': '/networks/{net_id}/switch/stacks/{stack_id}'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_one'].update(query_url) + meraki.url_catalog['add'] = add_urls + meraki.url_catalog['remove'] = remove_urls + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['delete'] = delete_urls + + payload = None + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + + # assign and lookup stack_id + stack_id = meraki.params['stack_id'] + if stack_id is None and meraki.params['name'] is not None: + stack_id = get_stack_id(meraki, net_id) + path = meraki.construct_path('get_all', net_id=net_id) + stacks = meraki.request(path, method='GET') + + if meraki.params['state'] == 'query': + if stack_id is None: + meraki.result['data'] = stacks + else: + meraki.result['data'] = get_stack(stack_id, stacks) + elif meraki.params['state'] == 'present': + if meraki.params['stack_id'] is None: + payload = {'serials': meraki.params['serials'], + 'name': meraki.params['name'], + } + path = meraki.construct_path('create', net_id=net_id) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + payload = {'serial': meraki.params['serials'][0]} + original = get_stack(stack_id, stacks) + comparable = deepcopy(original) + comparable.update(payload) + if meraki.params['serials'][0] not in comparable['serials']: + comparable['serials'].append(meraki.params['serials'][0]) + # meraki.fail_json(msg=comparable) + if meraki.is_update_required(original, comparable, optional_ignore=['serial']): + path = meraki.construct_path('add', net_id=net_id, custom={'stack_id': stack_id}) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + elif meraki.params['state'] == 'absent': + if meraki.params['serials'] is None: + path = meraki.construct_path('delete', net_id=net_id, custom={'stack_id': stack_id}) + response = meraki.request(path, method='DELETE') + meraki.result['data'] = {} + meraki.result['changed'] = True + else: + for serial in meraki.params['serials']: + payload = {'serial': serial} + original = get_stack(stack_id, stacks) + comparable = deepcopy(original) + comparable.update(payload) + if serial in comparable['serials']: + comparable['serials'].remove(serial) + if meraki.is_update_required(original, comparable, optional_ignore=['serial']): + path = meraki.construct_path('remove', net_id=net_id, custom={'stack_id': stack_id}) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack_l3_interface.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack_l3_interface.py new file mode 100644 index 00000000..46291c31 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_stack_l3_interface.py @@ -0,0 +1,395 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_stack_l3_interface +short_description: Manage routed interfaces on MS switches +description: +- Allows for creation, management, and visibility into routed interfaces on Meraki MS switches. +notes: +- Once a layer 3 interface is created, the API does not allow updating the interface and specifying C(default_gateway). +options: + state: + description: + - Create or modify an organization. + type: str + choices: [ present, query, absent ] + default: present + net_name: + description: + - Name of network which configuration is applied to. + aliases: [network] + type: str + net_id: + description: + - ID of network which configuration is applied to. + type: str + stack_id: + description: + - The unique identifier of the stack. + type: str + vlan_id: + description: + - The VLAN this routed interface is on. + - VLAN must be between 1 and 4094. + type: int + default_gateway: + description: + - The next hop for any traffic that isn't going to a directly connected subnet or over a static route. + - This IP address must exist in a subnet with a routed interface. + type: str + interface_ip: + description: + - The IP address this switch will use for layer 3 routing on this VLAN or subnet. + - This cannot be the same as the switch's management IP. + type: str + interface_id: + description: + - Uniqiue identification number for layer 3 interface. + type: str + multicast_routing: + description: + - Enable multicast support if multicast routing between VLANs is required. + type: str + choices: [disabled, enabled, IGMP snooping querier] + name: + description: + - A friendly name or description for the interface or VLAN. + type: str + subnet: + description: + - The network that this routed interface is on, in CIDR notation. + type: str + ospf_settings: + description: + - The OSPF routing settings of the interface. + type: dict + suboptions: + cost: + description: + - The path cost for this interface. + type: int + area: + description: + - The OSPF area to which this interface should belong. + - Can be either 'disabled' or the identifier of an existing OSPF area. + type: str + is_passive_enabled: + description: + - When enabled, OSPF will not run on the interface, but the subnet will still be advertised. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all l3 interfaces + meraki_ms_stack_l3_interface: + auth_key: abc123 + state: query + serial: aaa-bbb-ccc + +- name: Query one l3 interface + meraki_ms_stack_l3_interface: + auth_key: abc123 + state: query + serial: aaa-bbb-ccc + name: Test L3 interface + +- name: Create l3 interface + meraki_ms_stack_l3_interface: + auth_key: abc123 + state: present + serial: aaa-bbb-ccc + name: "Test L3 interface 2" + subnet: "192.168.3.0/24" + interface_ip: "192.168.3.2" + multicast_routing: disabled + vlan_id: 11 + ospf_settings: + area: 0 + cost: 1 + is_passive_enabled: true + +- name: Update l3 interface + meraki_ms_stack_l3_interface: + auth_key: abc123 + state: present + serial: aaa-bbb-ccc + name: "Test L3 interface 2" + subnet: "192.168.3.0/24" + interface_ip: "192.168.3.2" + multicast_routing: disabled + vlan_id: 11 + ospf_settings: + area: 0 + cost: 2 + is_passive_enabled: true + +- name: Delete l3 interface + meraki_ms_stack_l3_interface: + auth_key: abc123 + state: absent + serial: aaa-bbb-ccc + interface_id: abc123344566 +''' + +RETURN = r''' +data: + description: Information about the layer 3 interfaces. + returned: success + type: complex + contains: + vlan_id: + description: The VLAN this routed interface is on. + returned: success + type: int + sample: 10 + default_gateway: + description: The next hop for any traffic that isn't going to a directly connected subnet or over a static route. + returned: success + type: str + sample: 192.168.2.1 + interface_ip: + description: The IP address this switch will use for layer 3 routing on this VLAN or subnet. + returned: success + type: str + sample: 192.168.2.2 + interface_id: + description: Uniqiue identification number for layer 3 interface. + returned: success + type: str + sample: 62487444811111120 + multicast_routing: + description: Enable multicast support if multicast routing between VLANs is required. + returned: success + type: str + sample: disabled + name: + description: A friendly name or description for the interface or VLAN. + returned: success + type: str + sample: L3 interface + subnet: + description: The network that this routed interface is on, in CIDR notation. + returned: success + type: str + sample: 192.168.2.0/24 + ospf_settings: + description: The OSPF routing settings of the interface. + returned: success + type: complex + contains: + cost: + description: The path cost for this interface. + returned: success + type: int + sample: 1 + area: + description: The OSPF area to which this interface should belong. + returned: success + type: str + sample: 0 + is_passive_enabled: + description: When enabled, OSPF will not run on the interface, but the subnet will still be advertised. + returned: success + type: bool + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def construct_payload(meraki): + payload = {} + if meraki.params['name'] is not None: + payload['name'] = meraki.params['name'] + if meraki.params['subnet'] is not None: + payload['subnet'] = meraki.params['subnet'] + if meraki.params['interface_ip'] is not None: + payload['interfaceIp'] = meraki.params['interface_ip'] + if meraki.params['multicast_routing'] is not None: + payload['multicastRouting'] = meraki.params['multicast_routing'] + if meraki.params['vlan_id'] is not None: + payload['vlanId'] = meraki.params['vlan_id'] + if meraki.params['default_gateway'] is not None: + payload['defaultGateway'] = meraki.params['default_gateway'] + if meraki.params['ospf_settings'] is not None: + payload['ospfSettings'] = {} + if meraki.params['ospf_settings']['area'] is not None: + payload['ospfSettings']['area'] = meraki.params['ospf_settings']['area'] + if meraki.params['ospf_settings']['cost'] is not None: + payload['ospfSettings']['cost'] = meraki.params['ospf_settings']['cost'] + if meraki.params['ospf_settings']['is_passive_enabled'] is not None: + payload['ospfSettings']['isPassiveEnabled'] = meraki.params['ospf_settings']['is_passive_enabled'] + return payload + + +def get_interface_id(meraki, data, name): + # meraki.fail_json(msg=data) + for interface in data: + if interface['name'] == name: + return interface['interfaceId'] + return None + + +def get_interface(interfaces, interface_id): + for interface in interfaces: + if interface['interfaceId'] == interface_id: + return interface + return None + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + ospf_arg_spec = dict(area=dict(type='str'), + cost=dict(type='int'), + is_passive_enabled=dict(type='bool'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query', 'absent'], default='present'), + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['network']), + stack_id=dict(type='str'), + name=dict(type='str'), + subnet=dict(type='str'), + interface_id=dict(type='str'), + interface_ip=dict(type='str'), + multicast_routing=dict(type='str', choices=['disabled', 'enabled', 'IGMP snooping querier']), + vlan_id=dict(type='int'), + default_gateway=dict(type='str'), + ospf_settings=dict(type='dict', default=None, options=ospf_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='ms_stack_l3_interfaces') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'ms_stack_l3_interfaces': '/networks/{net_id}/switch/stacks/{stack_id}/routing/interfaces'} + query_one_urls = {'ms_stack_l3_interfaces': '/networks/{net_id}/switch/stacks/{stack_id}/routing/interfaces'} + create_urls = {'ms_stack_l3_interfaces': '/networks/{net_id}/switch/stacks/{stack_id}/routing/interfaces'} + update_urls = {'ms_stack_l3_interfaces': '/networks/{net_id}/switch/stacks/{stack_id}/routing/interfaces/{interface_id}'} + delete_urls = {'ms_stack_l3_interfaces': '/networks/{net_id}/switch/stacks/{stack_id}/routing/interfaces/{interface_id}'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_one'].update(query_one_urls) + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['update'] = update_urls + meraki.url_catalog['delete'] = delete_urls + + payload = None + + if meraki.params['vlan_id'] is not None: + if meraki.params['vlan_id'] < 1 or meraki.params['vlan_id'] > 4094: + meraki.fail_json(msg='vlan_id must be between 1 and 4094') + + org_id = meraki.params['org_id'] + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + + interface_id = meraki.params['interface_id'] + interfaces = None + if interface_id is None: + if meraki.params['name'] is not None: + path = meraki.construct_path('get_all', net_id=net_id, custom={'stack_id': meraki.params['stack_id']}) + interfaces = meraki.request(path, method='GET') + interface_id = get_interface_id(meraki, interfaces, meraki.params['name']) + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + if meraki.params['state'] == 'query': + if interface_id is not None: # Query one interface + path = meraki.construct_path('get_one', net_id=net_id, custom={'stack_id': meraki.params['stack_id'], + 'interface_id': interface_id}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + else: # Query all interfaces + path = meraki.construct_path('get_all', net_id=net_id, custom={'stack_id': meraki.params['stack_id']}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + if interface_id is None: # Create a new interface + payload = construct_payload(meraki) + if meraki.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('create', net_id=net_id, custom={'stack_id': meraki.params['stack_id']}) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + if interfaces is None: + path = meraki.construct_path('get_all', net_id=net_id, custom={'stack_id': meraki.params['stack_id']}) + interfaces = meraki.request(path, method='GET') + payload = construct_payload(meraki) + interface = get_interface(interfaces, interface_id) + if meraki.is_update_required(interface, payload): + if meraki.check_mode is True: + interface.update(payload) + meraki.result['data'] = interface + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id, custom={'stack_id': meraki.params['stack_id'], + 'interface_id': interface_id}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = interface + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'absent': + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('delete', net_id=net_id, custom={'stack_id': meraki.params['stack_id'], + 'interface_id': meraki.params['interface_id']}) + response = meraki.request(path, method='DELETE') + meraki.result['data'] = response + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_storm_control.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_storm_control.py new file mode 100644 index 00000000..2048ad5e --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_storm_control.py @@ -0,0 +1,201 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_ms_storm_control +short_description: Manage storm control configuration on a switch in the Meraki cloud +version_added: "0.0.1" +description: +- Allows for management of storm control settings for Meraki MS switches. +options: + state: + description: + - Specifies whether storm control configuration should be queried or modified. + choices: [query, present] + default: query + type: str + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + broadcast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for broadcast traffic type. + - Default value 100 percent rate is to clear the configuration. + type: int + multicast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for multicast traffic type. + - Default value 100 percent rate is to clear the configuration. + type: int + unknown_unicast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for unknown unicast traffic type. + - Default value 100 percent rate is to clear the configuration. + type: int + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set broadcast settings + meraki_switch_storm_control: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + broadcast_threshold: 75 + multicast_threshold: 70 + unknown_unicast_threshold: 65 + delegate_to: localhost + +- name: Query storm control settings + meraki_switch_storm_control: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information queried or updated storm control configuration. + returned: success + type: complex + contains: + broadcast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for broadcast traffic type. + - Default value 100 percent rate is to clear the configuration. + returned: success + type: int + sample: 42 + multicast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for multicast traffic type. + - Default value 100 percent rate is to clear the configuration. + returned: success + type: int + sample: 42 + unknown_unicast_threshold: + description: + - Percentage (1 to 99) of total available port bandwidth for unknown unicast traffic type. + - Default value 100 percent rate is to clear the configuration. + returned: success + type: int + sample: 42 +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def construct_payload(params): + payload = dict() + if 'broadcast_threshold' in params: + payload['broadcastThreshold'] = params['broadcast_threshold'] + if 'multicast_threshold' in params: + payload['multicastThreshold'] = params['multicast_threshold'] + if 'unknown_unicast_threshold' in params: + payload['unknownUnicastThreshold'] = params['unknown_unicast_threshold'] + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='query'), + net_name=dict(type='str'), + net_id=dict(type='str'), + broadcast_threshold=dict(type='int'), + multicast_threshold=dict(type='int'), + unknown_unicast_threshold=dict(type='int'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='switch_storm_control') + meraki.params['follow_redirects'] = 'all' + + query_urls = {'switch_storm_control': '/networks/{net_id}/switch/stormControl'} + update_url = {'switch_storm_control': '/networks/{net_id}/switch/stormControl'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_url + + payload = None + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = response + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_all', net_id=net_id) + original = meraki.request(path, method='GET') + payload = construct_payload(meraki.params) + if meraki.is_update_required(original, payload) is True: + diff = recursive_diff(original, payload) + if meraki.check_mode is True: + original.update(payload) + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1]} + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_switchport.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_switchport.py new file mode 100644 index 00000000..a8048bf2 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_ms_switchport.py @@ -0,0 +1,680 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_ms_switchport +short_description: Manage switchports on a switch in the Meraki cloud +description: +- Allows for management of switchports settings for Meraki MS switches. +options: + state: + description: + - Specifies whether a switchport should be queried or modified. + choices: [query, present] + default: query + type: str + access_policy_type: + description: + - Type of access policy to apply to port. + type: str + choices: [Open, Custom access policy, MAC allow list, Sticky MAC allow list] + access_policy_number: + description: + - Number of the access policy to apply. + - Only applicable to access port types. + type: int + allowed_vlans: + description: + - List of VLAN numbers to be allowed on switchport. + default: all + type: list + elements: str + enabled: + description: + - Whether a switchport should be enabled or disabled. + type: bool + default: yes + isolation_enabled: + description: + - Isolation status of switchport. + default: no + type: bool + link_negotiation: + description: + - Link speed for the switchport. + default: Auto negotiate + choices: [Auto negotiate, 100 Megabit (auto), 100 Megabit full duplex (forced)] + type: str + name: + description: + - Switchport description. + aliases: [description] + type: str + number: + description: + - Port number. + type: str + poe_enabled: + description: + - Enable or disable Power Over Ethernet on a port. + type: bool + default: true + rstp_enabled: + description: + - Enable or disable Rapid Spanning Tree Protocol on a port. + type: bool + default: true + serial: + description: + - Serial nubmer of the switch. + type: str + required: true + stp_guard: + description: + - Set state of STP guard. + choices: [disabled, root guard, bpdu guard, loop guard] + default: disabled + type: str + tags: + description: + - List of tags to assign to a port. + type: list + elements: str + type: + description: + - Set port type. + choices: [access, trunk] + default: access + type: str + vlan: + description: + - VLAN number assigned to port. + - If a port is of type trunk, the specified VLAN is the native VLAN. + - Setting value to 0 on a trunk will clear the VLAN. + type: int + voice_vlan: + description: + - VLAN number assigned to a port for voice traffic. + - Only applicable to access port type. + - Only applicable if voice_vlan_state is set to present. + type: int + voice_vlan_state: + description: + - Specifies whether voice vlan configuration should be present or absent. + choices: [absent, present] + default: present + type: str + mac_allow_list: + description: + - MAC addresses list that are allowed on a port. + - Only applicable to access port type. + - Only applicable to access_policy_type "MAC allow list". + type: dict + suboptions: + state: + description: + - The state the configuration should be left in. + - Merged, MAC addresses provided will be added to the current allow list. + - Replaced, All MAC addresses are overwritten, only the MAC addresses provided with exist in the allow list. + - Deleted, Remove the MAC addresses provided from the current allow list. + type: str + choices: [merged, replaced, deleted] + default: replaced + macs: + description: + - List of MAC addresses to update with based on state option. + type: list + elements: str + sticky_mac_allow_list: + description: + - MAC addresses list that are allowed on a port. + - Only applicable to access port type. + - Only applicable to access_policy_type "Sticky MAC allow list". + type: dict + suboptions: + state: + description: + - The state the configuration should be left in. + - Merged, MAC addresses provided will be added to the current allow list. + - Replaced, All MAC addresses are overwritten, only the MAC addresses provided with exist in the allow list. + - Deleted, Remove the MAC addresses provided from the current allow list. + type: str + choices: ["merged", "replaced", "deleted"] + default: replaced + macs: + description: + - List of MAC addresses to update with based on state option. + type: list + elements: str + sticky_mac_allow_list_limit: + description: + - The number of MAC addresses allowed in the sticky port allow list. + - Only applicable to access port type. + - Only applicable to access_policy_type "Sticky MAC allow list". + - The value must be equal to or greater then the list size of sticky_mac_allow_list. Value will be checked for validity, during processing. + type: int + flexible_stacking_enabled: + description: + - Whether flexible stacking capabilities are supported on the port. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query information about all switchports on a switch + meraki_switchport: + auth_key: abc12345 + state: query + serial: ABC-123 + delegate_to: localhost + +- name: Query information about all switchports on a switch + meraki_switchport: + auth_key: abc12345 + state: query + serial: ABC-123 + number: 2 + delegate_to: localhost + +- name: Name switchport + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 7 + name: Test Port + delegate_to: localhost + +- name: Configure access port with voice VLAN + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 7 + enabled: true + name: Test Port + tags: desktop + type: access + vlan: 10 + voice_vlan: 11 + delegate_to: localhost + +- name: Check access port for idempotency + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 7 + enabled: true + name: Test Port + tags: desktop + type: access + vlan: 10 + voice_vlan: 11 + delegate_to: localhost + +- name: Configure trunk port with specific VLANs + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 7 + enabled: true + name: Server port + tags: server + type: trunk + allowed_vlans: + - 10 + - 15 + - 20 + delegate_to: localhost + +- name: Configure access port with sticky MAC allow list and limit. + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 5 + sticky_mac_allow_limit: 3 + sticky_mac_allow_list: + macs: + - aa:aa:bb:bb:cc:cc + - bb:bb:aa:aa:cc:cc + - 11:aa:bb:bb:cc:cc + state: replaced + delegate_to: localhost + +- name: Delete an existing MAC address from the sticky MAC allow list. + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 5 + sticky_mac_allow_list: + macs: + - aa:aa:bb:bb:cc:cc + state: deleted + delegate_to: localhost + +- name: Add a MAC address to sticky MAC allow list. + meraki_switchport: + auth_key: abc12345 + state: present + serial: ABC-123 + number: 5 + sticky_mac_allow_list: + macs: + - 22:22:bb:bb:cc:cc + state: merged + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information queried or updated switchports. + returned: success + type: complex + contains: + access_policy_type: + description: Type of access policy assigned to port + returned: success, when assigned + type: str + sample: "MAC allow list" + allowed_vlans: + description: List of VLANs allowed on an access port + returned: success, when port is set as access + type: str + sample: all + number: + description: Number of port. + returned: success + type: int + sample: 1 + name: + description: Human friendly description of port. + returned: success + type: str + sample: "Jim Phone Port" + tags: + description: List of tags assigned to port. + returned: success + type: list + sample: ['phone', 'marketing'] + enabled: + description: Enabled state of port. + returned: success + type: bool + sample: true + poe_enabled: + description: Power Over Ethernet enabled state of port. + returned: success + type: bool + sample: true + type: + description: Type of switchport. + returned: success + type: str + sample: trunk + vlan: + description: VLAN assigned to port. + returned: success + type: int + sample: 10 + voice_vlan: + description: VLAN assigned to port with voice VLAN enabled devices. + returned: success + type: int + sample: 20 + isolation_enabled: + description: Port isolation status of port. + returned: success + type: bool + sample: true + rstp_enabled: + description: Enabled or disabled state of Rapid Spanning Tree Protocol (RSTP) + returned: success + type: bool + sample: true + stp_guard: + description: State of STP guard + returned: success + type: str + sample: "Root Guard" + access_policy_number: + description: Number of assigned access policy. Only applicable to access ports. + returned: success + type: int + sample: 1234 + link_negotiation: + description: Link speed for the port. + returned: success + type: str + sample: "Auto negotiate" + sticky_mac_allow_list_limit: + description: Number of MAC addresses allowed on a sticky port. + returned: success + type: int + sample: 6 + sticky_mac_allow_list: + description: List of MAC addresses currently allowed on a sticky port. Used with access_policy_type of Sticky MAC allow list. + returned: success + type: list + sample: ["11:aa:bb:bb:cc:cc", "22:aa:bb:bb:cc:cc", "33:aa:bb:bb:cc:cc"] + mac_allow_list: + description: List of MAC addresses currently allowed on a non-sticky port. Used with access_policy_type of MAC allow list. + returned: success + type: list + sample: ["11:aa:bb:bb:cc:cc", "22:aa:bb:bb:cc:cc", "33:aa:bb:bb:cc:cc"] + port_schedule_id: + description: Unique ID of assigned port schedule + returned: success + type: str + sample: null + udld: + description: Alert state of UDLD + returned: success + type: str + sample: "Alert only" + flexible_stacking_enabled: + description: Whether flexible stacking capabilities are enabled on the port. + returned: success + type: bool +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + +param_map = { + "access_policy_number": "accessPolicyNumber", + "access_policy_type": "accessPolicyType", + "allowed_vlans": "allowedVlans", + "enabled": "enabled", + "isolation_enabled": "isolationEnabled", + "link_negotiation": "linkNegotiation", + "name": "name", + "number": "number", + "poe_enabled": "poeEnabled", + "rstp_enabled": "rstpEnabled", + "stp_guard": "stpGuard", + "tags": "tags", + "type": "type", + "vlan": "vlan", + "voice_vlan": "voiceVlan", + "mac_allow_list": "macAllowList", + "sticky_mac_allow_list": "stickyMacAllowList", + "sticky_mac_allow_list_limit": "stickyMacAllowListLimit", + "adaptive_policy_group_id": "adaptivePolicyGroupId", + "peer_sgt_capable": "peerSgtCapable", + "flexible_stacking_enabled": "flexibleStackingEnabled", +} + + +def sort_vlans(meraki, vlans): + converted = set() + for vlan in vlans: + converted.add(int(vlan)) + vlans_sorted = sorted(converted) + vlans_str = [] + for vlan in vlans_sorted: + vlans_str.append(str(vlan)) + return ",".join(vlans_str) + + +def assemble_payload(meraki): + payload = dict() + # if meraki.params['enabled'] is not None: + # payload['enabled'] = meraki.params['enabled'] + + for k, v in meraki.params.items(): + try: + if meraki.params[k] is not None: + if k == "access_policy_number": + if meraki.params["access_policy_type"] is not None: + payload[param_map[k]] = v + else: + payload[param_map[k]] = v + except KeyError: + pass + return payload + + +def get_mac_list(original_allowed, new_mac_list, state): + if state == "deleted": + return [entry for entry in original_allowed if entry not in new_mac_list] + if state == "merged": + return original_allowed + list(set(new_mac_list) - set(original_allowed)) + return new_mac_list + + +def clear_vlan(params, payload): + if params["vlan"] == 0: + payload["vlan"] = None + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + + policy_data_arg_spec = dict( + macs=dict(type="list", elements="str"), + state=dict( + type="str", choices=["merged", "replaced", "deleted"], default="replaced" + ), + ) + + argument_spec.update( + state=dict(type="str", choices=["present", "query"], default="query"), + serial=dict(type="str", required=True), + number=dict(type="str"), + name=dict(type="str", aliases=["description"]), + tags=dict(type="list", elements="str"), + enabled=dict(type="bool", default=True), + type=dict(type="str", choices=["access", "trunk"], default="access"), + vlan=dict(type="int"), + voice_vlan=dict(type="int"), + voice_vlan_state=dict( + type="str", choices=["present", "absent"], default="present" + ), + allowed_vlans=dict(type="list", elements="str", default="all"), + poe_enabled=dict(type="bool", default=True), + isolation_enabled=dict(type="bool", default=False), + rstp_enabled=dict(type="bool", default=True), + stp_guard=dict( + type="str", + choices=["disabled", "root guard", "bpdu guard", "loop guard"], + default="disabled", + ), + access_policy_type=dict( + type="str", + choices=[ + "Open", + "Custom access policy", + "MAC allow list", + "Sticky MAC allow list", + ], + ), + access_policy_number=dict(type="int"), + link_negotiation=dict( + type="str", + choices=[ + "Auto negotiate", + "100 Megabit (auto)", + "100 Megabit full duplex (forced)", + ], + default="Auto negotiate", + ), + mac_allow_list=dict(type="dict", options=policy_data_arg_spec), + sticky_mac_allow_list=dict(type="dict", options=policy_data_arg_spec), + sticky_mac_allow_list_limit=dict(type="int"), + # adaptive_policy_group_id=dict(type=str), + # peer_sgt_capable=dict(type=bool), + flexible_stacking_enabled=dict(type="bool"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="switchport") + if meraki.params.get("voice_vlan_state") == "absent" and meraki.params.get( + "voice_vlan" + ): + meraki.fail_json( + msg="voice_vlan_state cant be `absent` while voice_vlan is also defined." + ) + + meraki.params["follow_redirects"] = "all" + + if meraki.params["type"] == "trunk": + if not meraki.params["allowed_vlans"]: + meraki.params["allowed_vlans"] = [ + "all" + ] # Backdoor way to set default without conflicting on access + + query_urls = {"switchport": "/devices/{serial}/switch/ports"} + query_url = {"switchport": "/devices/{serial}/switch/ports/{number}"} + update_url = {"switchport": "/devices/{serial}/switch/ports/{number}"} + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_one"].update(query_url) + meraki.url_catalog["update"] = update_url + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + if meraki.params["state"] == "query": + if meraki.params["number"]: + path = meraki.construct_path( + "get_one", + custom={ + "serial": meraki.params["serial"], + "number": meraki.params["number"], + }, + ) + response = meraki.request(path, method="GET") + meraki.result["data"] = response + else: + path = meraki.construct_path( + "get_all", custom={"serial": meraki.params["serial"]} + ) + response = meraki.request(path, method="GET") + meraki.result["data"] = response + elif meraki.params["state"] == "present": + payload = assemble_payload(meraki) + # meraki.fail_json(msg='payload', payload=payload) + allowed = set() # Use a set to remove duplicate items + if meraki.params["allowed_vlans"][0] == "all": + allowed.add("all") + else: + for vlan in meraki.params["allowed_vlans"]: + allowed.add(str(vlan)) + if meraki.params["vlan"] is not None: + allowed.add(str(meraki.params["vlan"])) + if len(allowed) > 1: # Convert from list to comma separated + payload["allowedVlans"] = sort_vlans(meraki, allowed) + else: + payload["allowedVlans"] = next(iter(allowed)) + + # Exceptions need to be made for idempotency check based on how Meraki returns + if meraki.params["type"] == "access": + if not meraki.params[ + "vlan" + ]: # VLAN needs to be specified in access ports, but can't default to it + payload["vlan"] = 1 + query_path = meraki.construct_path( + "get_one", + custom={ + "serial": meraki.params["serial"], + "number": meraki.params["number"], + }, + ) + original = meraki.request(query_path, method="GET") + # Check voiceVlan to see if state is absent to remove the vlan. + if meraki.params.get("voice_vlan_state"): + if meraki.params.get("voice_vlan_state") == "absent": + payload["voiceVlan"] = None + else: + payload["voiceVlan"] = meraki.params.get("voice_vlan") + if meraki.params.get("mac_allow_list"): + macs = get_mac_list( + original.get("macAllowList"), + meraki.params["mac_allow_list"].get("macs"), + meraki.params["mac_allow_list"].get("state"), + ) + payload["macAllowList"] = macs + # Evaluate Sticky Limit whether it was passed in or what is currently configured and was returned in GET call. + if meraki.params.get("sticky_mac_allow_list_limit"): + sticky_mac_limit = meraki.params.get("sticky_mac_allow_list_limit") + else: + sticky_mac_limit = original.get("stickyMacAllowListLimit") + if meraki.params.get("sticky_mac_allow_list"): + macs = get_mac_list( + original.get("stickyMacAllowList"), + meraki.params["sticky_mac_allow_list"].get("macs"), + meraki.params["sticky_mac_allow_list"].get("state"), + ) + if int(sticky_mac_limit) < len(macs): + meraki.fail_json( + msg="Stick MAC Allow List Limit must be equal to or greater than length of Sticky MAC Allow List." + ) + payload["stickyMacAllowList"] = macs + payload["stickyMacAllowListLimit"] = sticky_mac_limit + payload = clear_vlan(meraki.params, payload) + proposed = payload.copy() + if meraki.params["type"] == "trunk": + proposed["voiceVlan"] = original[ + "voiceVlan" + ] # API shouldn't include voice VLAN on a trunk port + # meraki.fail_json(msg='Compare', original=original, payload=payload) + if meraki.is_update_required(original, proposed, optional_ignore=["number"]): + if meraki.check_mode is True: + original.update(proposed) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path( + "update", + custom={ + "serial": meraki.params["serial"], + "number": meraki.params["number"], + }, + ) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + meraki.result["data"] = response + meraki.result["changed"] = True + else: + meraki.result["data"] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_content_filtering.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_content_filtering.py new file mode 100644 index 00000000..d189a4e4 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_content_filtering.py @@ -0,0 +1,302 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_content_filtering +short_description: Edit Meraki MX content filtering policies +description: +- Allows for setting policy on content filtering. +options: + auth_key: + description: + - Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set. + type: str + net_name: + description: + - Name of a network. + aliases: [ network ] + type: str + net_id: + description: + - ID number of a network. + type: str + state: + description: + - States that a policy should be created or modified. + choices: [present, query] + default: present + type: str + allowed_urls: + description: + - List of URL patterns which should be allowed. + type: list + elements: str + blocked_urls: + description: + - List of URL patterns which should be blocked. + type: list + elements: str + blocked_categories: + description: + - List of content categories which should be blocked. + - Use the C(meraki_content_filtering_facts) module for a full list of categories. + type: list + elements: str + category_list_size: + description: + - Determines whether a network filters fo rall URLs in a category or only the list of top blocked sites. + choices: [ top sites, full list ] + type: str + subset: + description: + - Display only certain facts. + choices: [categories, policy] + type: str +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' + - name: Set single allowed URL pattern + meraki_content_filtering: + auth_key: abc123 + org_name: YourOrg + net_name: YourMXNet + allowed_urls: + - "http://www.ansible.com/*" + + - name: Set blocked URL category + meraki_content_filtering: + auth_key: abc123 + org_name: YourOrg + net_name: YourMXNet + state: present + category_list_size: full list + blocked_categories: + - "Adult and Pornography" + + - name: Remove match patterns and categories + meraki_content_filtering: + auth_key: abc123 + org_name: YourOrg + net_name: YourMXNet + state: present + category_list_size: full list + allowed_urls: [] + blocked_urls: [] +''' + +RETURN = r''' +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + categories: + description: List of available content filtering categories. + returned: query for categories + type: complex + contains: + id: + description: Unique ID of content filtering category. + returned: query for categories + type: str + sample: "meraki:contentFiltering/category/1" + name: + description: Name of content filtering category. + returned: query for categories + type: str + sample: "Real Estate" + allowed_url_patterns: + description: Explicitly permitted URL patterns + returned: query for policy + type: list + sample: ["http://www.ansible.com"] + blocked_url_patterns: + description: Explicitly denied URL patterns + returned: query for policy + type: list + sample: ["http://www.ansible.net"] + blocked_url_categories: + description: List of blocked URL categories + returned: query for policy + type: complex + contains: + id: + description: Unique ID of category to filter + returned: query for policy + type: list + sample: ["meraki:contentFiltering/category/1"] + name: + description: Name of category to filter + returned: query for policy + type: list + sample: ["Real Estate"] + url_cateogory_list_size: + description: Size of categories to cache on MX appliance + returned: query for policy + type: str + sample: "topSites" +''' + + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec, recursive_diff +from copy import deepcopy + + +def get_category_dict(meraki, full_list, category): + for i in full_list['categories']: + if i['name'] == category: + return i['id'] + meraki.fail_json(msg="{0} is not a valid content filtering category".format(category)) + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['network']), + state=dict(type='str', default='present', choices=['present', 'query']), + allowed_urls=dict(type='list', elements='str'), + blocked_urls=dict(type='list', elements='str'), + blocked_categories=dict(type='list', elements='str'), + category_list_size=dict(type='str', choices=['top sites', 'full list']), + subset=dict(type='str', choices=['categories', 'policy']), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function='content_filtering') + module.params['follow_redirects'] = 'all' + + category_urls = {'content_filtering': '/networks/{net_id}/appliance/contentFiltering/categories'} + policy_urls = {'content_filtering': '/networks/{net_id}/appliance/contentFiltering'} + + meraki.url_catalog['categories'] = category_urls + meraki.url_catalog['policy'] = policy_urls + + if meraki.params['net_name'] and meraki.params['net_id']: + meraki.fail_json(msg='net_name and net_id are mutually exclusive') + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = None + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + if meraki.params['subset']: + if meraki.params['subset'] == 'categories': + path = meraki.construct_path('categories', net_id=net_id) + elif meraki.params['subset'] == 'policy': + path = meraki.construct_path('policy', net_id=net_id) + meraki.result['data'] = meraki.request(path, method='GET') + else: + response_data = {'categories': None, + 'policy': None, + } + path = meraki.construct_path('categories', net_id=net_id) + response_data['categories'] = meraki.request(path, method='GET') + path = meraki.construct_path('policy', net_id=net_id) + response_data['policy'] = meraki.request(path, method='GET') + meraki.result['data'] = response_data + if module.params['state'] == 'present': + payload = dict() + if meraki.params['allowed_urls']: + if meraki.params['allowed_urls'] == ['None']: # Corner case for resetting + payload['allowedUrlPatterns'] = [] + else: + payload['allowedUrlPatterns'] = meraki.params['allowed_urls'] + if meraki.params['blocked_urls']: + if meraki.params['blocked_urls'] == ['None']: # Corner case for resetting + payload['blockedUrlPatterns'] = [] + else: + payload['blockedUrlPatterns'] = meraki.params['blocked_urls'] + if meraki.params['blocked_categories']: + if meraki.params['blocked_categories'] == ['None']: # Corner case for resetting + payload['blockedUrlCategories'] = [] + else: + category_path = meraki.construct_path('categories', net_id=net_id) + categories = meraki.request(category_path, method='GET') + payload['blockedUrlCategories'] = [] + for category in meraki.params['blocked_categories']: + payload['blockedUrlCategories'].append(get_category_dict(meraki, + categories, + category)) + if meraki.params['category_list_size']: + if meraki.params['category_list_size'].lower() == 'top sites': + payload['urlCategoryListSize'] = "topSites" + elif meraki.params['category_list_size'].lower() == 'full list': + payload['urlCategoryListSize'] = "fullList" + path = meraki.construct_path('policy', net_id=net_id) + current = meraki.request(path, method='GET') + proposed = current.copy() + proposed.update(payload) + temp_current = deepcopy(current) + temp_blocked = [] + for blocked_category in current['blockedUrlCategories']: + temp_blocked.append(blocked_category['id']) + temp_current.pop('blockedUrlCategories') + if 'blockedUrlCategories' in payload: + payload['blockedUrlCategories'].sort() + temp_current['blockedUrlCategories'] = temp_blocked + if meraki.is_update_required(temp_current, payload) is True: + if module.check_mode: + meraki.generate_diff(current, payload) + current.update(payload) + meraki.result['changed'] = True + meraki.result['data'] = current + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + if recursive_diff(current, response) is None: + meraki.result['changed'] = False + meraki.result['data'] = str(recursive_diff(current, response)) + else: + meraki.result['changed'] = True + meraki.generate_diff(current, response) + else: + meraki.result['data'] = current + if module.check_mode: + meraki.result['data'] = current + meraki.exit_json(**meraki.result) + meraki.result['data'] = current + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_intrusion_prevention.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_intrusion_prevention.py new file mode 100644 index 00000000..0acd6bea --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_intrusion_prevention.py @@ -0,0 +1,371 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_intrusion_prevention +short_description: Manage intrustion prevention in the Meraki cloud +description: +- Allows for management of intrusion prevention rules networks within Meraki MX networks. + +options: + state: + description: + - Create or modify an organization. + choices: [ absent, present, query ] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [ name, network ] + type: str + net_id: + description: + - ID number of a network. + type: str + mode: + description: + - Operational mode of Intrusion Prevention system. + choices: [ detection, disabled, prevention ] + type: str + ids_rulesets: + description: + - Ruleset complexity setting. + choices: [ connectivity, balanced, security ] + type: str + allowed_rules: + description: + - List of IDs related to rules which are allowed for the organization. + type: list + elements: dict + suboptions: + rule_id: + description: + - ID of rule as defined by Snort. + type: str + rule_message: + description: + - Description of rule. + - This is overwritten by the API. + - Formerly C(message) which was deprecated but still maintained as an alias. + type: str + aliases: [ message ] + version_added: "2.3.0" + protected_networks: + description: + - Set included/excluded networks for Intrusion Prevention. + type: dict + suboptions: + use_default: + description: + - Whether to use special IPv4 addresses per RFC 5735. + type: bool + included_cidr: + description: + - List of network IP ranges to include in scanning. + type: list + elements: str + excluded_cidr: + description: + - List of network IP ranges to exclude from scanning. + type: list + elements: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set whitelist for organization + meraki_intrusion_prevention: + auth_key: '{{auth_key}}' + state: present + org_id: '{{test_org_id}}' + allowed_rules: + - rule_id: "meraki:intrusion/snort/GID/01/SID/5805" + rule_message: Test rule + delegate_to: localhost + +- name: Query IPS info for organization + meraki_intrusion_prevention: + auth_key: '{{auth_key}}' + state: query + org_name: '{{test_org_name}}' + delegate_to: localhost + register: query_org + +- name: Set full ruleset with check mode + meraki_intrusion_prevention: + auth_key: '{{auth_key}}' + state: present + org_name: '{{test_org_name}}' + net_name: '{{test_net_name}} - IPS' + mode: prevention + ids_rulesets: security + protected_networks: + use_default: true + included_cidr: + - 192.0.1.0/24 + excluded_cidr: + - 10.0.1.0/24 + delegate_to: localhost + +- name: Clear rules from organization + meraki_intrusion_prevention: + auth_key: '{{auth_key}}' + state: absent + org_name: '{{test_org_name}}' + allowed_rules: [] + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about the Threat Protection settings. + returned: success + type: complex + contains: + whitelistedRules: + description: List of whitelisted IPS rules. + returned: success, when organization is queried or modified + type: complex + contains: + ruleId: + description: A rule identifier for an IPS rule. + returned: success, when organization is queried or modified + type: str + sample: "meraki:intrusion/snort/GID/01/SID/5805" + rule_message: + description: Description of rule. + returned: success, when organization is queried or modified + type: str + sample: "MALWARE-OTHER Trackware myway speedbar runtime detection - switch engines" + mode: + description: Enabled setting of intrusion prevention. + returned: success, when network is queried or modified + type: str + sample: enabled + idsRulesets: + description: Setting of selected ruleset. + returned: success, when network is queried or modified + type: str + sample: balanced + protectedNetworks: + description: Networks protected by IPS. + returned: success, when network is queried or modified + type: complex + contains: + useDefault: + description: Whether to use special IPv4 addresses. + returned: success, when network is queried or modified + type: bool + sample: true + includedCidr: + description: List of CIDR notiation networks to protect. + returned: success, when network is queried or modified + type: str + sample: 192.0.1.0/24 + excludedCidr: + description: List of CIDR notiation networks to exclude from protection. + returned: success, when network is queried or modified + type: str + sample: 192.0.1.0/24 + +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + +param_map = {'allowed_rules': 'allowedrules', + 'rule_id': 'ruleId', + 'rule_message': 'message', + 'mode': 'mode', + 'protected_networks': 'protectedNetworks', + 'use_default': 'useDefault', + 'included_cidr': 'includedCidr', + } + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + allowedrules_arg_spec = dict(rule_id=dict(type='str'), + rule_message=dict(type='str', + aliases=['message'], + deprecated_aliases=[dict(name='message', version='3.0.0', collection_name='cisco.meraki')]), + ) + + protected_nets_arg_spec = dict(use_default=dict(type='bool'), + included_cidr=dict(type='list', elements='str'), + excluded_cidr=dict(type='list', elements='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['name', 'network']), + state=dict(type='str', choices=['absent', 'present', 'query'], default='present'), + allowed_rules=dict(type='list', default=None, elements='dict', options=allowedrules_arg_spec), + mode=dict(type='str', choices=['detection', 'disabled', 'prevention']), + ids_rulesets=dict(type='str', choices=['connectivity', 'balanced', 'security']), + protected_networks=dict(type='dict', default=None, options=protected_nets_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function='intrusion_prevention') + module.params['follow_redirects'] = 'all' + payload = None + + query_org_urls = {'intrusion_prevention': '/organizations/{org_id}/appliance/security/intrusion'} + query_net_urls = {'intrusion_prevention': '/networks/{net_id}/appliance/security/intrusion'} + set_org_urls = {'intrusion_prevention': '/organizations/{org_id}/appliance/security/intrusion'} + set_net_urls = {'intrusion_prevention': '/networks/{net_id}/appliance/security/intrusion'} + meraki.url_catalog['query_org'] = query_org_urls + meraki.url_catalog['query_net'] = query_net_urls + meraki.url_catalog['set_org'] = set_org_urls + meraki.url_catalog['set_net'] = set_net_urls + + if not meraki.params['org_name'] and not meraki.params['org_id']: + meraki.fail_json(msg='org_name or org_id parameters are required') + if meraki.params['net_name'] and meraki.params['net_id']: + meraki.fail_json(msg='net_name and net_id are mutually exclusive') + if meraki.params['net_name'] is None and meraki.params['net_id'] is None: # Organization param check + if meraki.params['state'] == 'present': + if meraki.params['allowed_rules'] is None: + meraki.fail_json(msg='allowed_rules is required when state is present and no network is specified.') + if meraki.params['net_name'] or meraki.params['net_id']: # Network param check + if meraki.params['state'] == 'present': + if meraki.params['protected_networks'] is not None: + if meraki.params['protected_networks']['use_default'] is False and meraki.params['protected_networks']['included_cidr'] is None: + meraki.fail_json(msg="included_cidr is required when use_default is False.") + if meraki.params['protected_networks']['use_default'] is False and meraki.params['protected_networks']['excluded_cidr'] is None: + meraki.fail_json(msg="excluded_cidr is required when use_default is False.") + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None and meraki.params['net_name']: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + # Assemble payload + if meraki.params['state'] == 'present': + if net_id is None: # Create payload for organization + rules = [] + for rule in meraki.params['allowed_rules']: + rules.append({'ruleId': rule['rule_id'], + 'message': rule['rule_message'], + }) + payload = {'allowedRules': rules} + else: # Create payload for network + payload = dict() + if meraki.params['mode']: + payload['mode'] = meraki.params['mode'] + if meraki.params['ids_rulesets']: + payload['idsRulesets'] = meraki.params['ids_rulesets'] + if meraki.params['protected_networks']: + payload['protectedNetworks'] = {} + if meraki.params['protected_networks']['use_default']: + payload['protectedNetworks'].update({'useDefault': meraki.params['protected_networks']['use_default']}) + if meraki.params['protected_networks']['included_cidr']: + payload['protectedNetworks'].update({'includedCidr': meraki.params['protected_networks']['included_cidr']}) + if meraki.params['protected_networks']['excluded_cidr']: + payload['protectedNetworks'].update({'excludedCidr': meraki.params['protected_networks']['excluded_cidr']}) + elif meraki.params['state'] == 'absent': + if net_id is None: # Create payload for organization + payload = {'allowedRules': []} + + if meraki.params['state'] == 'query': + if net_id is None: # Query settings for organization + path = meraki.construct_path('query_org', org_id=org_id) + data = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = data + else: # Query settings for network + path = meraki.construct_path('query_net', net_id=net_id) + data = meraki.request(path, method='GET') + elif meraki.params['state'] == 'present': + path = meraki.construct_path('query_org', org_id=org_id) + original = meraki.request(path, method='GET') + if net_id is None: # Set configuration for organization + if meraki.is_update_required(original, payload, optional_ignore=['message']): + if meraki.module.check_mode is True: + original.update(payload) + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('set_org', org_id=org_id) + data = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = data + meraki.result['changed'] = True + else: + meraki.result['data'] = original + meraki.result['changed'] = False + else: # Set configuration for network + path = meraki.construct_path('query_net', net_id=net_id) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload): + if meraki.module.check_mode is True: + payload.update(original) + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('set_net', net_id=net_id) + data = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = data + meraki.result['changed'] = True + else: + meraki.result['data'] = original + meraki.result['changed'] = False + elif meraki.params['state'] == 'absent': + if net_id is None: + path = meraki.construct_path('query_org', org_id=org_id) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload): + if meraki.module.check_mode is True: + payload.update(original) + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('set_org', org_id=org_id) + data = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = data + meraki.result['changed'] = True + else: + meraki.result['data'] = original + meraki.result['changed'] = False + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l2_interface.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l2_interface.py new file mode 100644 index 00000000..48e48642 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l2_interface.py @@ -0,0 +1,272 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2020, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_l2_interface +short_description: Configure MX layer 2 interfaces +version_added: "2.1.0" +description: +- Allows for management and visibility of Merkai MX layer 2 ports. + +options: + state: + description: + - Modify or query an port. + choices: [present, query] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [name, network] + type: str + net_id: + description: + - ID number of a network. + type: str + org_id: + description: + - ID of organization associated to a network. + type: str + number: + description: + - ID number of MX port. + aliases: [port, port_id] + type: int + vlan: + description: + - Native VLAN when the port is in Trunk mode. + - Access VLAN when the port is in Access mode. + type: int + access_policy: + description: + - The name of the policy. Only applicable to access ports. + choices: [open, 8021x-radius, mac-radius, hybris-radius] + type: str + allowed_vlans: + description: + - Comma-delimited list of the VLAN ID's allowed on the port, or 'all' to permit all VLAN's on the port. + type: str + port_type: + description: + - Type of port. + choices: [access, trunk] + type: str + drop_untagged_traffic: + description: + - Trunk port can Drop all Untagged traffic. When true, no VLAN is required. + - Access ports cannot have dropUntaggedTraffic set to true. + type: bool + enabled: + description: + - Enabled state of port. + type: bool + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query layer 2 interface settings + meraki_mx_l2_interface: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Query a single layer 2 interface settings + meraki_mx_l2_interface: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + number: 2 + delegate_to: localhost + +- name: Update interface configuration + meraki_mx_l2_interface: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + number: 2 + port_type: access + vlan: 10 + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about the created or manipulated object. + returned: success + type: complex + contains: + number: + description: + - ID number of MX port. + type: int + returned: success + sample: 4 + vlan: + description: + - Native VLAN when the port is in Trunk mode. + - Access VLAN when the port is in Access mode. + type: int + returned: success + sample: 1 + access_policy: + description: + - The name of the policy. Only applicable to access ports. + type: str + returned: success + sample: guestUsers + allowed_vlans: + description: + - Comma-delimited list of the VLAN ID's allowed on the port, or 'all' to permit all VLAN's on the port. + type: str + returned: success + sample: 1,5,10 + type: + description: + - Type of port. + type: str + returned: success + sample: access + drop_untagged_traffic: + description: + - Trunk port can Drop all Untagged traffic. When true, no VLAN is required. + - Access ports cannot have dropUntaggedTraffic set to true. + type: bool + returned: success + sample: true + enabled: + description: + - Enabled state of port. + type: bool + returned: success + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def construct_payload(meraki): + payload = {} + if meraki.params['vlan'] is not None: + payload['vlan'] = meraki.params['vlan'] + if meraki.params['access_policy'] is not None: + payload['accessPolicy'] = meraki.params['access_policy'] + if meraki.params['allowed_vlans'] is not None: + payload['allowedVlans'] = meraki.params['allowed_vlans'] + if meraki.params['port_type'] is not None: + payload['type'] = meraki.params['port_type'] + if meraki.params['drop_untagged_traffic'] is not None: + payload['dropUntaggedTraffic'] = meraki.params['drop_untagged_traffic'] + if meraki.params['enabled'] is not None: + payload['enabled'] = meraki.params['enabled'] + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['name', 'network']), + state=dict(type='str', choices=['present', 'query'], default='present'), + number=dict(type='int', aliases=['port', 'port_id']), + vlan=dict(type='int'), + access_policy=dict(type='str', choices=['open', '8021x-radius', 'mac-radius', 'hybris-radius']), + allowed_vlans=dict(type='str'), + port_type=dict(type='str', choices=['access', 'trunk']), + drop_untagged_traffic=dict(type='bool'), + enabled=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function='mx_l2_interface') + module.params['follow_redirects'] = 'all' + + get_all_urls = {'mx_l2_interface': '/networks/{net_id}/appliance/ports'} + get_one_urls = {'mx_l2_interface': '/networks/{net_id}/appliance/ports/{port_id}'} + update_urls = {'mx_l2_interface': '/networks/{net_id}/appliance/ports/{port_id}'} + meraki.url_catalog['query_all'] = get_all_urls + meraki.url_catalog['query_one'] = get_one_urls + meraki.url_catalog['update'] = update_urls + + if meraki.params['net_name'] and meraki.params['net_id']: + meraki.fail_json(msg='net_name and net_id are mutually exclusive.') + if meraki.params['port_type'] == 'access': + if meraki.params['allowed_vlans'] is not None: + meraki.meraki.fail_json(msg='allowed_vlans is mutually exclusive with port type trunk.') + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + if meraki.params['number'] is not None: + path = meraki.construct_path('query_one', net_id=net_id, custom={'port_id': meraki.params['number']}) + else: + path = meraki.construct_path('query_all', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + meraki.exit_json(**meraki.result) + elif meraki.params['state'] == 'present': + path = meraki.construct_path('query_one', net_id=net_id, custom={'port_id': meraki.params['number']}) + original = meraki.request(path, method='GET') + payload = construct_payload(meraki) + if meraki.is_update_required(original, payload): + meraki.generate_diff(original, payload) + if meraki.check_mode is True: + original.update(payload) + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id, custom={'port_id': meraki.params['number']}) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l3_firewall.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l3_firewall.py new file mode 100644 index 00000000..f8fa3f91 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l3_firewall.py @@ -0,0 +1,377 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_l3_firewall +short_description: Manage MX appliance layer 3 firewalls in the Meraki cloud +description: +- Allows for creation, management, and visibility into layer 3 firewalls implemented on Meraki MX firewalls. +notes: +- Module assumes a complete list of firewall rules are passed as a parameter. +- If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module. +options: + state: + description: + - Create or modify an organization. + choices: ['present', 'query'] + default: present + type: str + net_name: + description: + - Name of network which MX firewall is in. + type: str + net_id: + description: + - ID of network which MX firewall is in. + type: str + rules: + description: + - List of firewall rules. + type: list + elements: dict + suboptions: + policy: + description: + - Policy to apply if rule is hit. + choices: [allow, deny] + type: str + protocol: + description: + - Protocol to match against. + choices: [any, icmp, tcp, udp] + type: str + dest_port: + description: + - Comma separated list of destination port numbers to match against. + - C(Any) must be capitalized. + type: str + dest_cidr: + description: + - Comma separated list of CIDR notation destination networks. + - C(Any) must be capitalized. + type: str + src_port: + description: + - Comma separated list of source port numbers to match against. + - C(Any) must be capitalized. + type: str + src_cidr: + description: + - Comma separated list of CIDR notation source networks. + - C(Any) must be capitalized. + type: str + comment: + description: + - Optional comment to describe the firewall rule. + type: str + syslog_enabled: + description: + - Whether to log hints against the firewall rule. + - Only applicable if a syslog server is specified against the network. + type: bool + default: False + syslog_default_rule: + description: + - Whether to log hits against the default firewall rule. + - Only applicable if a syslog server is specified against the network. + - This is not shown in response from Meraki. Instead, refer to the C(syslog_enabled) value in the default rule. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query firewall rules + meraki_mx_l3_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Set two firewall rules + meraki_mx_l3_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + rules: + - comment: Block traffic to server + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.2/32 + dest_port: any + protocol: any + policy: deny + - comment: Allow traffic to group of servers + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.0/24 + dest_port: any + protocol: any + policy: allow + delegate_to: localhost + +- name: Set one firewall rule and enable logging of the default rule + meraki_mx_l3_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + rules: + - comment: Block traffic to server + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.2/32 + dest_port: any + protocol: any + policy: deny + syslog_default_rule: yes + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Firewall rules associated to network. + returned: success + type: complex + contains: + rules: + description: List of firewall rules. + returned: success + type: complex + contains: + comment: + description: Comment to describe the firewall rule. + returned: always + type: str + sample: Block traffic to server + src_cidr: + description: Comma separated list of CIDR notation source networks. + returned: always + type: str + sample: 192.0.1.1/32,192.0.1.2/32 + src_port: + description: Comma separated list of source ports. + returned: always + type: str + sample: 80,443 + dest_cidr: + description: Comma separated list of CIDR notation destination networks. + returned: always + type: str + sample: 192.0.1.1/32,192.0.1.2/32 + dest_port: + description: Comma separated list of destination ports. + returned: always + type: str + sample: 80,443 + protocol: + description: Network protocol for which to match against. + returned: always + type: str + sample: tcp + policy: + description: Action to take when rule is matched. + returned: always + type: str + syslog_enabled: + description: Whether to log to syslog when rule is matched. + returned: always + type: bool + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def assemble_payload(meraki): + params_map = {'policy': 'policy', + 'protocol': 'protocol', + 'dest_port': 'destPort', + 'dest_cidr': 'destCidr', + 'src_port': 'srcPort', + 'src_cidr': 'srcCidr', + 'syslog_enabled': 'syslogEnabled', + 'comment': 'comment', + } + rules = [] + for rule in meraki.params['rules']: + proposed_rule = dict() + for k, v in rule.items(): + proposed_rule[params_map[k]] = v + rules.append(proposed_rule) + payload = {'rules': rules} + return payload + + +def get_rules(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + if meraki.status == 200: + return normalize_rule_case(response) + + +def normalize_rule_case(rules): + excluded = ['comment', 'syslogEnabled'] + try: + for r in rules['rules']: + for k in r: + if k not in excluded: + r[k] = r[k].lower() + except KeyError: + return rules + return rules + + +def normalize_case(rule): + any = ['any', 'Any', 'ANY'] + if 'srcPort' in rule: + if rule['srcPort'] in any: + rule['srcPort'] = 'Any' + if 'srcCidr' in rule: + if rule['srcCidr'] in any: + rule['srcCidr'] = 'Any' + if 'destPort' in rule: + if rule['destPort'] in any: + rule['destPort'] = 'Any' + if 'destCidr' in rule: + if rule['destCidr'] in any: + rule['destCidr'] = 'Any' + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + fw_rules = dict(policy=dict(type='str', choices=['allow', 'deny']), + protocol=dict(type='str', choices=['tcp', 'udp', 'icmp', 'any']), + dest_port=dict(type='str'), + dest_cidr=dict(type='str'), + src_port=dict(type='str'), + src_cidr=dict(type='str'), + comment=dict(type='str'), + syslog_enabled=dict(type='bool', default=False), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + net_name=dict(type='str'), + net_id=dict(type='str'), + rules=dict(type='list', default=None, elements='dict', options=fw_rules), + syslog_default_rule=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mx_l3_firewall') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mx_l3_firewall': '/networks/{net_id}/appliance/firewall/l3FirewallRules/'} + update_urls = {'mx_l3_firewall': '/networks/{net_id}/appliance/firewall/l3FirewallRules/'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + + if meraki.params['state'] == 'query': + meraki.result['data'] = get_rules(meraki, net_id) + elif meraki.params['state'] == 'present': + rules = get_rules(meraki, net_id) + path = meraki.construct_path('get_all', net_id=net_id) + if meraki.params['rules'] is not None: + payload = assemble_payload(meraki) + else: + payload = dict() + update = False + if meraki.params['syslog_default_rule'] is not None: + payload['syslogDefaultRule'] = meraki.params['syslog_default_rule'] + try: + if meraki.params['rules'] is not None: + if len(rules['rules']) - 1 != len(payload['rules']): # Quick and simple check to avoid more processing + update = True + if meraki.params['syslog_default_rule'] is not None: + if rules['rules'][len(rules['rules']) - 1]['syslogEnabled'] != meraki.params['syslog_default_rule']: + update = True + if update is False: + default_rule = rules['rules'][len(rules['rules']) - 1].copy() + del rules['rules'][len(rules['rules']) - 1] # Remove default rule for comparison + if len(rules['rules']) - 1 == 0: # There is only a single rule + normalize_case(rules['rules'][0]) + normalize_case(payload['rules'][0]) + if meraki.is_update_required(rules['rules'][0], payload['rules'][0]) is True: + update = True + else: + for r in range(len(rules['rules']) - 1): + normalize_case(rules[r]) + normalize_case(payload['rules'][r]) + if meraki.is_update_required(rules[r], payload['rules'][r]) is True: + update = True + rules['rules'].append(default_rule) + except KeyError: + pass + if update is True: + if meraki.check_mode is True: + if meraki.params['rules'] is not None: + data = payload['rules'] + data.append(rules['rules'][len(rules['rules']) - 1]) # Append the default rule + if meraki.params['syslog_default_rule'] is not None: + data[len(payload) - 1]['syslog_enabled'] = meraki.params['syslog_default_rule'] + else: + if meraki.params['syslog_default_rule'] is not None: + data = rules + data['rules'][len(data['rules']) - 1]['syslogEnabled'] = meraki.params['syslog_default_rule'] + meraki.result['data'] = data + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = rules + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l7_firewall.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l7_firewall.py new file mode 100644 index 00000000..efe4bda8 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_l7_firewall.py @@ -0,0 +1,475 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_l7_firewall +short_description: Manage MX appliance layer 7 firewalls in the Meraki cloud +description: +- Allows for creation, management, and visibility into layer 7 firewalls implemented on Meraki MX firewalls. +notes: +- Module assumes a complete list of firewall rules are passed as a parameter. +- If there is interest in this module allowing manipulation of a single firewall rule, please submit an issue against this module. +options: + state: + description: + - Query or modify a firewall rule. + choices: ['present', 'query'] + default: present + type: str + net_name: + description: + - Name of network which MX firewall is in. + type: str + net_id: + description: + - ID of network which MX firewall is in. + type: str + rules: + description: + - List of layer 7 firewall rules. + type: list + elements: dict + suboptions: + policy: + description: + - Policy to apply if rule is hit. + choices: [deny] + default: deny + type: str + type: + description: + - Type of policy to apply. + choices: [application, + application_category, + blocked_countries, + host, + ip_range, + port, + allowed_countries] + type: str + application: + description: + - Application to filter. + type: dict + suboptions: + name: + description: + - Name of application to filter as defined by Meraki. + type: str + id: + description: + - URI of application as defined by Meraki. + type: str + host: + description: + - FQDN of host to filter. + type: str + ip_range: + description: + - CIDR notation range of IP addresses to apply rule to. + - Port can be appended to range with a C(":"). + type: str + port: + description: + - TCP or UDP based port to filter. + type: str + countries: + description: + - List of countries to whitelist or blacklist. + - The countries follow the two-letter ISO 3166-1 alpha-2 format. + type: list + elements: str + categories: + description: + - When C(True), specifies that applications and application categories should be queried instead of firewall rules. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query firewall rules + meraki_mx_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Query applications and application categories + meraki_mx_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + categories: yes + state: query + delegate_to: localhost + +- name: Set firewall rules + meraki_mx_l7_firewall: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + rules: + - type: allowed_countries + countries: + - US + - FR + - type: blocked_countries + countries: + - CN + - policy: deny + type: port + port: 8080 + - type: port + port: 1234 + - type: host + host: asdf.com + - type: application + application: + id: meraki:layer7/application/205 + - type: application_category + application: + id: meraki:layer7/category/24 + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Firewall rules associated to network. + returned: success + type: complex + contains: + rules: + description: Ordered list of firewall rules. + returned: success, when not querying applications + type: list + contains: + policy: + description: Action to apply when rule is hit. + returned: success + type: str + sample: deny + type: + description: Type of rule category. + returned: success + type: str + sample: applications + applications: + description: List of applications within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + applicationCategory: + description: List of application categories within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + port: + description: Port number in rule. + returned: success + type: str + sample: 23 + ipRange: + description: Range of IP addresses in rule. + returned: success + type: str + sample: 1.1.1.0/23 + allowedCountries: + description: Countries to be allowed. + returned: success + type: str + sample: CA + blockedCountries: + description: Countries to be blacklisted. + returned: success + type: str + sample: RU + application_categories: + description: List of application categories and applications. + type: list + returned: success, when querying applications + contains: + applications: + description: List of applications within a category. + type: list + contains: + id: + description: URI of application. + returned: success + type: str + sample: Gmail + name: + description: Descriptive name of application. + returned: success + type: str + sample: meraki:layer7/application/4 + id: + description: URI of application category. + returned: success + type: str + sample: Email + name: + description: Descriptive name of application category. + returned: success + type: str + sample: layer7/category/1 +''' + +import copy +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_applications(meraki, net_id): + path = meraki.construct_path('get_categories', net_id=net_id) + return meraki.request(path, method='GET') + + +def lookup_application(meraki, net_id, application): + response = get_applications(meraki, net_id) + for category in response['applicationCategories']: + if category['name'].lower() == application.lower(): + return category['id'] + for app in category['applications']: + if app['name'].lower() == application.lower(): + return app['id'] + meraki.fail_json(msg="No application or category named {0} found".format(application)) + + +def assemble_payload(meraki, net_id, rule): + if rule['type'] == 'application': + new_rule = {'policy': rule['policy'], + 'type': 'application', + } + if rule['application']['id']: + new_rule['value'] = {'id': rule['application']['id']} + elif rule['application']['name']: + new_rule['value'] = {'id': lookup_application(meraki, net_id, rule['application']['name'])} + elif rule['type'] == 'application_category': + new_rule = {'policy': rule['policy'], + 'type': 'applicationCategory', + } + if rule['application']['id']: + new_rule['value'] = {'id': rule['application']['id']} + elif rule['application']['name']: + new_rule['value'] = {'id': lookup_application(meraki, net_id, rule['application']['name'])} + elif rule['type'] == 'ip_range': + new_rule = {'policy': rule['policy'], + 'type': 'ipRange', + 'value': rule['ip_range']} + elif rule['type'] == 'host': + new_rule = {'policy': rule['policy'], + 'type': rule['type'], + 'value': rule['host']} + elif rule['type'] == 'port': + new_rule = {'policy': rule['policy'], + 'type': rule['type'], + 'value': rule['port']} + elif rule['type'] == 'blocked_countries': + new_rule = {'policy': rule['policy'], + 'type': 'blockedCountries', + 'value': rule['countries'] + } + elif rule['type'] == 'allowed_countries': + new_rule = {'policy': rule['policy'], + 'type': 'allowedCountries', + 'value': rule['countries'] + } + return new_rule + + +def restructure_response(rules): + for rule in rules['rules']: + type = rule['type'] + rule[type] = copy.deepcopy(rule['value']) + del rule['value'] + return rules + + +def get_rules(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + if meraki.status == 200: + return response + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + application_arg_spec = dict(id=dict(type='str'), + name=dict(type='str'), + ) + + rule_arg_spec = dict(policy=dict(type='str', choices=['deny'], default='deny'), + type=dict(type='str', choices=['application', + 'application_category', + 'blocked_countries', + 'host', + 'ip_range', + 'port', + 'allowed_countries']), + ip_range=dict(type='str'), + application=dict(type='dict', default=None, options=application_arg_spec), + host=dict(type='str'), + port=dict(type='str'), + countries=dict(type='list', elements='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + net_name=dict(type='str'), + net_id=dict(type='str'), + rules=dict(type='list', default=None, elements='dict', options=rule_arg_spec), + categories=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mx_l7_firewall') + + # check for argument completeness + if meraki.params['rules']: + for rule in meraki.params['rules']: + if rule['type'] == 'application' and rule['application'] is None: + meraki.fail_json(msg="application argument is required when type is application.") + elif rule['type'] == 'application_category' and rule['application'] is None: + meraki.fail_json(msg="application argument is required when type is application_category.") + elif rule['type'] == 'blocked_countries' and rule['countries'] is None: + meraki.fail_json(msg="countries argument is required when type is blocked_countries.") + elif rule['type'] == 'host' and rule['host'] is None: + meraki.fail_json(msg="host argument is required when type is host.") + elif rule['type'] == 'port' and rule['port'] is None: + meraki.fail_json(msg="port argument is required when type is port.") + elif rule['type'] == 'allowed_countries' and rule['countries'] is None: + meraki.fail_json(msg="countries argument is required when type is allowed_countries.") + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mx_l7_firewall': '/networks/{net_id}/appliance/firewall/l7FirewallRules/'} + query_category_urls = {'mx_l7_firewall': '/networks/{net_id}/appliance/firewall/l7FirewallRules/applicationCategories'} + update_urls = {'mx_l7_firewall': '/networks/{net_id}/appliance/firewall/l7FirewallRules/'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_categories'] = (query_category_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + orgs = None + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + if orgs is None: + orgs = meraki.get_orgs() + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + + if meraki.params['state'] == 'query': + if meraki.params['categories'] is True: # Output only applications + meraki.result['data'] = get_applications(meraki, net_id) + else: + meraki.result['data'] = restructure_response(get_rules(meraki, net_id)) + elif meraki.params['state'] == 'present': + rules = get_rules(meraki, net_id) + path = meraki.construct_path('get_all', net_id=net_id) + + # Detect if no rules are given, special case + if len(meraki.params['rules']) == 0: + # Conditionally wrap parameters in rules makes it comparable + if isinstance(meraki.params['rules'], list): + param_rules = {'rules': meraki.params['rules']} + else: + param_rules = meraki.params['rules'] + if meraki.is_update_required(rules, param_rules): + if meraki.module.check_mode is True: + meraki.result['data'] = meraki.params['rules'] + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + payload = {'rules': []} + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + else: + meraki.result['data'] = param_rules + meraki.exit_json(**meraki.result) + if meraki.params['rules']: + payload = {'rules': []} + for rule in meraki.params['rules']: + payload['rules'].append(assemble_payload(meraki, net_id, rule)) + else: + payload = dict() + if meraki.is_update_required(rules, payload, force_include='id'): + if meraki.module.check_mode is True: + response = restructure_response(payload) + meraki.generate_diff(restructure_response(rules), response) + meraki.result['data'] = response + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + response = restructure_response(response) + if meraki.status == 200: + meraki.generate_diff(restructure_response(rules), response) + meraki.result['data'] = response + meraki.result['changed'] = True + else: + if meraki.module.check_mode is True: + meraki.result['data'] = rules + meraki.result['changed'] = False + meraki.exit_json(**meraki.result) + meraki.result['data'] = payload + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_malware.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_malware.py new file mode 100644 index 00000000..1cbf7e68 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_malware.py @@ -0,0 +1,264 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_malware +short_description: Manage Malware Protection in the Meraki cloud +description: +- Fully configure malware protection in a Meraki environment. +notes: +- Some of the options are likely only used for developers within Meraki. +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + net_name: + description: + - Name of network which configuration is applied to. + aliases: [network] + type: str + net_id: + description: + - ID of network which configuration is applied to. + type: str + allowed_urls: + description: + - List of URLs to whitelist. + type: list + elements: dict + suboptions: + url: + description: + - URL string to allow. + type: str + comment: + description: + - Human readable information about URL. + type: str + allowed_files: + description: + - List of files to whitelist. + type: list + elements: dict + suboptions: + sha256: + description: + - 256-bit hash of file. + type: str + aliases: [ hash ] + comment: + description: + - Human readable information about file. + type: str + mode: + description: + - Enabled or disabled state of malware protection. + choices: [disabled, enabled] + type: str + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' + - name: Enable malware protection + meraki_malware: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + mode: enabled + delegate_to: localhost + + - name: Set whitelisted url + meraki_malware: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + mode: enabled + allowed_urls: + - url: www.ansible.com + comment: Ansible + - url: www.google.com + comment: Google + delegate_to: localhost + + - name: Set whitelisted file + meraki_malware: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + mode: enabled + allowed_files: + - sha256: e82c5f7d75004727e1f3b94426b9a11c8bc4c312a9170ac9a73abace40aef503 + comment: random zip + delegate_to: localhost + + - name: Get malware settings + meraki_malware: + auth_key: abc123 + state: query + org_name: YourNet + net_name: YourOrg + delegate_to: localhost +''' + +RETURN = r''' +data: + description: List of administrators. + returned: success + type: complex + contains: + mode: + description: Mode to enable or disable malware scanning. + returned: success + type: str + sample: enabled + allowed_files: + description: List of files which are whitelisted. + returned: success + type: complex + contains: + sha256: + description: sha256 hash of whitelisted file. + returned: success + type: str + sample: e82c5f7d75004727e1f3b94426b9a11c8bc4c312a9170ac9a73abace40aef503 + comment: + description: Comment about the whitelisted entity + returned: success + type: str + sample: TPS report + allowed_urls: + description: List of URLs which are whitelisted. + returned: success + type: complex + contains: + url: + description: URL of whitelisted site. + returned: success + type: str + sample: site.com + comment: + description: Comment about the whitelisted entity + returned: success + type: str + sample: Corporate HQ +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + urls_arg_spec = dict(url=dict(type='str'), + comment=dict(type='str'), + ) + + files_arg_spec = dict(sha256=dict(type='str', aliases=['hash']), + comment=dict(type='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='query'), + net_name=dict(type='str', aliases=['network']), + net_id=dict(type='str'), + mode=dict(type='str', choices=['enabled', 'disabled']), + allowed_urls=dict(type='list', default=None, elements='dict', options=urls_arg_spec), + allowed_files=dict(type='list', default=None, elements='dict', options=files_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='malware') + + meraki.params['follow_redirects'] = 'all' + + query_url = {'malware': '/networks/{net_id}/appliance/security/malware'} + update_url = {'malware': '/networks/{net_id}/appliance/security/malware'} + + meraki.url_catalog['get_one'].update(query_url) + meraki.url_catalog['update'] = update_url + + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + # Check for argument completeness + if meraki.params['state'] == 'present': + if meraki.params['allowed_files'] is not None or meraki.params['allowed_urls'] is not None: + if meraki.params['mode'] is None: + meraki.fail_json(msg="mode must be set when allowed_files or allowed_urls is set.") + + # Assemble payload + if meraki.params['state'] == 'present': + payload = dict() + if meraki.params['mode'] is not None: + payload['mode'] = meraki.params['mode'] + if meraki.params['allowed_urls'] is not None: + payload['allowedUrls'] = meraki.params['allowed_urls'] + if meraki.params['allowed_files'] is not None: + payload['allowedFiles'] = meraki.params['allowed_files'] + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_one', net_id=net_id) + data = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = data + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_one', net_id=net_id) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload): + if meraki.module.check_mode is True: + meraki.generate_diff(original, payload) + original.update(payload) + meraki.result['data'] = original + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + data = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(original, data) + meraki.result['data'] = data + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_nat.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_nat.py new file mode 100644 index 00000000..0844d4c1 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_nat.py @@ -0,0 +1,679 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_nat +short_description: Manage NAT rules in Meraki cloud +description: +- Allows for creation, management, and visibility of NAT rules (1:1, 1:many, port forwarding) within Meraki. + +options: + state: + description: + - Create or modify an organization. + choices: [present, query] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [name, network] + type: str + net_id: + description: + - ID number of a network. + type: str + org_id: + description: + - ID of organization associated to a network. + type: str + subset: + description: + - Specifies which NAT components to query. + choices: ['1:1', '1:many', all, port_forwarding] + default: all + type: list + elements: str + one_to_one: + description: + - List of 1:1 NAT rules. + type: list + elements: dict + suboptions: + name: + description: + - A descriptive name for the rule. + type: str + public_ip: + description: + - The IP address that will be used to access the internal resource from the WAN. + type: str + lan_ip: + description: + - The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN. + type: str + uplink: + description: + - The physical WAN interface on which the traffic will arrive. + choices: [both, internet1, internet2] + type: str + allowed_inbound: + description: + - The ports this mapping will provide access on, and the remote IPs that will be allowed access to the resource. + type: list + elements: dict + suboptions: + protocol: + description: + - Protocol to apply NAT rule to. + choices: [any, icmp-ping, tcp, udp] + type: str + default: any + destination_ports: + description: + - List of ports or port ranges that will be forwarded to the host on the LAN. + type: list + elements: str + allowed_ips: + description: + - ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges, or 'any'. + type: list + elements: str + one_to_many: + description: + - List of 1:many NAT rules. + type: list + elements: dict + suboptions: + public_ip: + description: + - The IP address that will be used to access the internal resource from the WAN. + type: str + uplink: + description: + - The physical WAN interface on which the traffic will arrive. + choices: [both, internet1, internet2] + type: str + port_rules: + description: + - List of associated port rules. + type: list + elements: dict + suboptions: + name: + description: + - A description of the rule. + type: str + protocol: + description: + - Protocol to apply NAT rule to. + choices: [tcp, udp] + type: str + public_port: + description: + - Destination port of the traffic that is arriving on the WAN. + type: str + local_ip: + description: + - Local IP address to which traffic will be forwarded. + type: str + local_port: + description: + - Destination port of the forwarded traffic that will be sent from the MX to the specified host on the LAN. + - If you simply wish to forward the traffic without translating the port, this should be the same as the Public port. + type: str + allowed_ips: + description: + - Remote IP addresses or ranges that are permitted to access the internal resource via this port forwarding rule, or 'any'. + type: list + elements: str + port_forwarding: + description: + - List of port forwarding rules. + type: list + elements: dict + suboptions: + name: + description: + - A descriptive name for the rule. + type: str + lan_ip: + description: + - The IP address of the server or device that hosts the internal resource that you wish to make available on the WAN. + type: str + uplink: + description: + - The physical WAN interface on which the traffic will arrive. + choices: [both, internet1, internet2] + type: str + public_port: + description: + - A port or port ranges that will be forwarded to the host on the LAN. + type: int + local_port: + description: + - A port or port ranges that will receive the forwarded traffic from the WAN. + type: int + allowed_ips: + description: + - List of ranges of WAN IP addresses that are allowed to make inbound connections on the specified ports or port ranges (or any). + type: list + elements: str + protocol: + description: + - Protocol to forward traffic for. + choices: [tcp, udp] + type: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all NAT rules + meraki_nat: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + subset: all + delegate_to: localhost + +- name: Query 1:1 NAT rules + meraki_nat: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: query + subset: '1:1' + delegate_to: localhost + +- name: Create 1:1 rule + meraki_nat: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + one_to_one: + - name: Service behind NAT + public_ip: 1.2.1.2 + lan_ip: 192.168.128.1 + uplink: internet1 + allowed_inbound: + - protocol: tcp + destination_ports: + - 80 + allowed_ips: + - 10.10.10.10 + delegate_to: localhost + +- name: Create 1:many rule + meraki_nat: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + one_to_many: + - public_ip: 1.1.1.1 + uplink: internet1 + port_rules: + - name: Test rule + protocol: tcp + public_port: 10 + local_ip: 192.168.128.1 + local_port: 11 + allowed_ips: + - any + delegate_to: localhost + +- name: Create port forwarding rule + meraki_nat: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + port_forwarding: + - name: Test map + lan_ip: 192.168.128.1 + uplink: both + protocol: tcp + allowed_ips: + - 1.1.1.1 + public_port: 10 + local_port: 11 + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about the created or manipulated object. + returned: success + type: complex + contains: + one_to_one: + description: Information about 1:1 NAT object. + returned: success, when 1:1 NAT object is in task + type: complex + contains: + rules: + description: List of 1:1 NAT rules. + returned: success, when 1:1 NAT object is in task + type: complex + contains: + name: + description: Name of NAT object. + returned: success, when 1:1 NAT object is in task + type: str + example: Web server behind NAT + lanIp: + description: Local IP address to be mapped. + returned: success, when 1:1 NAT object is in task + type: str + example: 192.168.128.22 + publicIp: + description: Public IP address to be mapped. + returned: success, when 1:1 NAT object is in task + type: str + example: 148.2.5.100 + uplink: + description: Internet port where rule is applied. + returned: success, when 1:1 NAT object is in task + type: str + example: internet1 + allowedInbound: + description: List of inbound forwarding rules. + returned: success, when 1:1 NAT object is in task + type: complex + contains: + protocol: + description: Protocol to apply NAT rule to. + returned: success, when 1:1 NAT object is in task + type: str + example: tcp + destinationPorts: + description: Ports to apply NAT rule to. + returned: success, when 1:1 NAT object is in task + type: str + example: 80 + allowedIps: + description: List of IP addresses to be forwarded. + returned: success, when 1:1 NAT object is in task + type: list + example: 10.80.100.0/24 + one_to_many: + description: Information about 1:many NAT object. + returned: success, when 1:many NAT object is in task + type: complex + contains: + rules: + description: List of 1:many NAT rules. + returned: success, when 1:many NAT object is in task + type: complex + contains: + publicIp: + description: Public IP address to be mapped. + returned: success, when 1:many NAT object is in task + type: str + example: 148.2.5.100 + uplink: + description: Internet port where rule is applied. + returned: success, when 1:many NAT object is in task + type: str + example: internet1 + portRules: + description: List of NAT port rules. + returned: success, when 1:many NAT object is in task + type: complex + contains: + name: + description: Name of NAT object. + returned: success, when 1:many NAT object is in task + type: str + example: Web server behind NAT + protocol: + description: Protocol to apply NAT rule to. + returned: success, when 1:1 NAT object is in task + type: str + example: tcp + publicPort: + description: Destination port of the traffic that is arriving on WAN. + returned: success, when 1:1 NAT object is in task + type: int + example: 9443 + localIp: + description: Local IP address traffic will be forwarded. + returned: success, when 1:1 NAT object is in task + type: str + example: 192.0.2.10 + localPort: + description: Destination port to be forwarded to. + returned: success, when 1:1 NAT object is in task + type: int + example: 443 + allowedIps: + description: List of IP addresses to be forwarded. + returned: success, when 1:1 NAT object is in task + type: list + example: 10.80.100.0/24 + port_forwarding: + description: Information about port forwarding rules. + returned: success, when port forwarding is in task + type: complex + contains: + rules: + description: List of port forwarding rules. + returned: success, when port forwarding is in task + type: complex + contains: + lanIp: + description: Local IP address to be mapped. + returned: success, when port forwarding is in task + type: str + example: 192.168.128.22 + allowedIps: + description: List of IP addresses to be forwarded. + returned: success, when port forwarding is in task + type: list + example: 10.80.100.0/24 + name: + description: Name of NAT object. + returned: success, when port forwarding is in task + type: str + example: Web server behind NAT + protocol: + description: Protocol to apply NAT rule to. + returned: success, when port forwarding is in task + type: str + example: tcp + publicPort: + description: Destination port of the traffic that is arriving on WAN. + returned: success, when port forwarding is in task + type: int + example: 9443 + localPort: + description: Destination port to be forwarded to. + returned: success, when port forwarding is in task + type: int + example: 443 + uplink: + description: Internet port where rule is applied. + returned: success, when port forwarding is in task + type: str + example: internet1 +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + +key_map = {'name': 'name', + 'public_ip': 'publicIp', + 'lan_ip': 'lanIp', + 'uplink': 'uplink', + 'allowed_inbound': 'allowedInbound', + 'protocol': 'protocol', + 'destination_ports': 'destinationPorts', + 'allowed_ips': 'allowedIps', + 'port_rules': 'portRules', + 'public_port': 'publicPort', + 'local_ip': 'localIp', + 'local_port': 'localPort', + } + + +def construct_payload(params): + if isinstance(params, list): + items = [] + for item in params: + items.append(construct_payload(item)) + return items + elif isinstance(params, dict): + info = {} + for param in params: + info[key_map[param]] = construct_payload(params[param]) + return info + elif isinstance(params, str) or isinstance(params, int): + return params + + +def list_int_to_str(data): + return [str(item) for item in data] + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + one_to_one_allowed_inbound_spec = dict(protocol=dict(type='str', choices=['tcp', 'udp', 'icmp-ping', 'any'], default='any'), + destination_ports=dict(type='list', elements='str'), + allowed_ips=dict(type='list', elements='str'), + ) + + one_to_many_port_inbound_spec = dict(protocol=dict(type='str', choices=['tcp', 'udp']), + name=dict(type='str'), + local_ip=dict(type='str'), + local_port=dict(type='str'), + allowed_ips=dict(type='list', elements='str'), + public_port=dict(type='str'), + ) + + one_to_one_spec = dict(name=dict(type='str'), + public_ip=dict(type='str'), + lan_ip=dict(type='str'), + uplink=dict(type='str', choices=['internet1', 'internet2', 'both']), + allowed_inbound=dict(type='list', elements='dict', options=one_to_one_allowed_inbound_spec), + ) + + one_to_many_spec = dict(public_ip=dict(type='str'), + uplink=dict(type='str', choices=['internet1', 'internet2', 'both']), + port_rules=dict(type='list', elements='dict', options=one_to_many_port_inbound_spec), + ) + + port_forwarding_spec = dict(name=dict(type='str'), + lan_ip=dict(type='str'), + uplink=dict(type='str', choices=['internet1', 'internet2', 'both']), + protocol=dict(type='str', choices=['tcp', 'udp']), + public_port=dict(type='int'), + local_port=dict(type='int'), + allowed_ips=dict(type='list', elements='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type='str'), + net_name=dict(type='str', aliases=['name', 'network']), + state=dict(type='str', choices=['present', 'query'], default='present'), + subset=dict(type='list', elements='str', choices=['1:1', '1:many', 'all', 'port_forwarding'], default='all'), + one_to_one=dict(type='list', elements='dict', options=one_to_one_spec), + one_to_many=dict(type='list', elements='dict', options=one_to_many_spec), + port_forwarding=dict(type='list', elements='dict', options=port_forwarding_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function='nat') + module.params['follow_redirects'] = 'all' + + one_to_one_payload = None + one_to_many_payload = None + port_forwarding_payload = None + if meraki.params['state'] == 'present': + if meraki.params['one_to_one'] is not None: + rules = [] + for i in meraki.params['one_to_one']: + data = {'name': i['name'], + 'publicIp': i['public_ip'], + 'uplink': i['uplink'], + 'lanIp': i['lan_ip'], + 'allowedInbound': construct_payload(i['allowed_inbound']) + } + for inbound in data['allowedInbound']: + inbound['destinationPorts'] = list_int_to_str(inbound['destinationPorts']) + rules.append(data) + one_to_one_payload = {'rules': rules} + if meraki.params['one_to_many'] is not None: + rules = [] + for i in meraki.params['one_to_many']: + data = {'publicIp': i['public_ip'], + 'uplink': i['uplink'], + } + port_rules = [] + for port_rule in i['port_rules']: + rule = {'name': port_rule['name'], + 'protocol': port_rule['protocol'], + 'publicPort': str(port_rule['public_port']), + 'localIp': port_rule['local_ip'], + 'localPort': str(port_rule['local_port']), + 'allowedIps': port_rule['allowed_ips'], + } + port_rules.append(rule) + data['portRules'] = port_rules + rules.append(data) + one_to_many_payload = {'rules': rules} + if meraki.params['port_forwarding'] is not None: + port_forwarding_payload = {'rules': construct_payload(meraki.params['port_forwarding'])} + for rule in port_forwarding_payload['rules']: + rule['localPort'] = str(rule['localPort']) + rule['publicPort'] = str(rule['publicPort']) + + onetomany_urls = {'nat': '/networks/{net_id}/appliance/firewall/oneToManyNatRules'} + onetoone_urls = {'nat': '/networks/{net_id}/appliance/firewall/oneToOneNatRules'} + port_forwarding_urls = {'nat': '/networks/{net_id}/appliance/firewall/portForwardingRules'} + meraki.url_catalog['1:many'] = onetomany_urls + meraki.url_catalog['1:1'] = onetoone_urls + meraki.url_catalog['port_forwarding'] = port_forwarding_urls + + if meraki.params['net_name'] and meraki.params['net_id']: + meraki.fail_json(msg='net_name and net_id are mutually exclusive') + + org_id = meraki.params['org_id'] + if not org_id: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + if meraki.params['subset'][0] == 'all': + path = meraki.construct_path('1:many', net_id=net_id) + data = {'1:many': meraki.request(path, method='GET')} + path = meraki.construct_path('1:1', net_id=net_id) + data['1:1'] = meraki.request(path, method='GET') + path = meraki.construct_path('port_forwarding', net_id=net_id) + data['port_forwarding'] = meraki.request(path, method='GET') + meraki.result['data'] = data + else: + for subset in meraki.params['subset']: + path = meraki.construct_path(subset, net_id=net_id) + data = {subset: meraki.request(path, method='GET')} + try: + meraki.result['data'][subset] = data + except KeyError: + meraki.result['data'] = {subset: data} + elif meraki.params['state'] == 'present': + meraki.result['data'] = dict() + if one_to_one_payload is not None: + path = meraki.construct_path('1:1', net_id=net_id) + current = meraki.request(path, method='GET') + if meraki.is_update_required(current, one_to_one_payload): + if meraki.module.check_mode is True: + diff = recursive_diff(current, one_to_one_payload) + current.update(one_to_one_payload) + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + meraki.result['diff']['before'].update({'one_to_one': diff[0]}) + meraki.result['diff']['after'].update({'one_to_one': diff[1]}) + meraki.result['data'] = {'one_to_one': current} + meraki.result['changed'] = True + else: + r = meraki.request(path, method='PUT', payload=json.dumps(one_to_one_payload)) + if meraki.status == 200: + diff = recursive_diff(current, one_to_one_payload) + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + meraki.result['diff']['before'].update({'one_to_one': diff[0]}) + meraki.result['diff']['after'].update({'one_to_one': diff[1]}) + meraki.result['data'] = {'one_to_one': r} + meraki.result['changed'] = True + else: + meraki.result['data']['one_to_one'] = current + if one_to_many_payload is not None: + path = meraki.construct_path('1:many', net_id=net_id) + current = meraki.request(path, method='GET') + if meraki.is_update_required(current, one_to_many_payload): + if meraki.module.check_mode is True: + diff = recursive_diff(current, one_to_many_payload) + current.update(one_to_many_payload) + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + meraki.result['diff']['before'].update({'one_to_many': diff[0]}) + meraki.result['diff']['after'].update({'one_to_many': diff[1]}) + meraki.result['data']['one_to_many'] = current + meraki.result['changed'] = True + else: + r = meraki.request(path, method='PUT', payload=json.dumps(one_to_many_payload)) + if meraki.status == 200: + diff = recursive_diff(current, one_to_many_payload) + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + meraki.result['diff']['before'].update({'one_to_many': diff[0]}) + meraki.result['diff']['after'].update({'one_to_many': diff[1]}) + meraki.result['data'].update({'one_to_many': r}) + meraki.result['changed'] = True + else: + meraki.result['data']['one_to_many'] = current + if port_forwarding_payload is not None: + path = meraki.construct_path('port_forwarding', net_id=net_id) + current = meraki.request(path, method='GET') + if meraki.is_update_required(current, port_forwarding_payload): + if meraki.module.check_mode is True: + diff = recursive_diff(current, port_forwarding_payload) + current.update(port_forwarding_payload) + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + meraki.result['diff']['before'].update({'port_forwarding': diff[0]}) + meraki.result['diff']['after'].update({'port_forwarding': diff[1]}) + meraki.result['data']['port_forwarding'] = current + meraki.result['changed'] = True + else: + r = meraki.request(path, method='PUT', payload=json.dumps(port_forwarding_payload)) + if meraki.status == 200: + if 'diff' not in meraki.result: + meraki.result['diff'] = {'before': {}, 'after': {}} + diff = recursive_diff(current, port_forwarding_payload) + meraki.result['diff']['before'].update({'port_forwarding': diff[0]}) + meraki.result['diff']['after'].update({'port_forwarding': diff[1]}) + meraki.result['data'].update({'port_forwarding': r}) + meraki.result['changed'] = True + else: + meraki.result['data']['port_forwarding'] = current + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_network_vlan_settings.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_network_vlan_settings.py new file mode 100644 index 00000000..105114e5 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_network_vlan_settings.py @@ -0,0 +1,161 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mx_network_vlan_settings +short_description: Manage VLAN settings for Meraki Networks +description: +- Edits VLAN enabled status on a network within Meraki. +options: + state: + description: + - Create or modify an alert. + choices: [ present, query ] + type: str + net_name: + description: + - Name of a network. + aliases: [ name, network ] + type: str + net_id: + description: + - ID number of a network. + type: str + vlans_enabled: + description: + - Whether VLANs are enabled on the network. + type: bool + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Update settings + meraki_mx_network_vlan_settings: + auth_key: abc123 + org_name: YourOrg + net_name: YourNet + state: present + vlans_enabled: true +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + vlans_enabled: + description: Whether VLANs are enabled for this network. + returned: success + type: bool +""" + +import copy +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def construct_payload(meraki): + payload = {"vlansEnabled": meraki.params["vlans_enabled"]} + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type="str"), + net_name=dict(type="str", aliases=["name", "network"]), + state=dict(type="str", choices=["query", "present"]), + vlans_enabled=dict(type="bool"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="network_vlan_settings") + module.params["follow_redirects"] = "all" + + query_urls = { + "network_vlan_settings": "/networks/{net_id}/appliance/vlans/settings" + } + update_urls = { + "network_vlan_settings": "/networks/{net_id}/appliance/vlans/settings" + } + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["update"] = update_urls + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + net_id = meraki.params["net_id"] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + path = meraki.construct_path("get_all", net_id=net_id) + original = meraki.request(path, method="GET") + payload = construct_payload(meraki) + if meraki.is_update_required(original, payload): + if meraki.check_mode is True: + meraki.generate_diff(original, payload) + meraki.result["data"] = payload + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update", net_id=net_id) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(original, payload) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = original + meraki.exit_json(**meraki.result) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_firewall.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_firewall.py new file mode 100644 index 00000000..f81ac3a3 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_firewall.py @@ -0,0 +1,330 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_site_to_site_firewall +short_description: Manage MX appliance firewall rules for site-to-site VPNs +version_added: "1.0.0" +description: +- Allows for creation, management, and visibility into firewall rules for site-to-site VPNs implemented on Meraki MX firewalls. +notes: +- Module assumes a complete list of firewall rules are passed as a parameter. +options: + state: + description: + - Create or modify an organization. + choices: ['present', 'query'] + default: present + type: str + rules: + description: + - List of firewall rules. + type: list + elements: dict + suboptions: + policy: + description: + - Policy to apply if rule is hit. + choices: [allow, deny] + type: str + protocol: + description: + - Protocol to match against. + choices: [any, icmp, tcp, udp] + type: str + dest_port: + description: + - Comma separated list of destination port numbers to match against. + - C(Any) must be capitalized. + type: str + dest_cidr: + description: + - Comma separated list of CIDR notation destination networks. + - C(Any) must be capitalized. + type: str + src_port: + description: + - Comma separated list of source port numbers to match against. + - C(Any) must be capitalized. + type: str + src_cidr: + description: + - Comma separated list of CIDR notation source networks. + - C(Any) must be capitalized. + type: str + comment: + description: + - Optional comment to describe the firewall rule. + type: str + syslog_enabled: + description: + - Whether to log hints against the firewall rule. + - Only applicable if a syslog server is specified against the network. + type: bool + default: False + syslog_default_rule: + description: + - Whether to log hits against the default firewall rule. + - Only applicable if a syslog server is specified against the network. + - This is not shown in response from Meraki. Instead, refer to the C(syslog_enabled) value in the default rule. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query firewall rules + meraki_mx_site_to_site_firewall: + auth_key: abc123 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Set two firewall rules + meraki_mx_site_to_site_firewall: + auth_key: abc123 + org_name: YourOrg + state: present + rules: + - comment: Block traffic to server + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.2/32 + dest_port: any + protocol: any + policy: deny + - comment: Allow traffic to group of servers + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.0/24 + dest_port: any + protocol: any + policy: permit + delegate_to: localhost + +- name: Set one firewall rule and enable logging of the default rule + meraki_mx_site_to_site_firewall: + auth_key: abc123 + org_name: YourOrg + state: present + rules: + - comment: Block traffic to server + src_cidr: 192.0.1.0/24 + src_port: any + dest_cidr: 192.0.2.2/32 + dest_port: any + protocol: any + policy: deny + syslog_default_rule: yes + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Firewall rules associated to network. + returned: success + type: complex + contains: + rules: + description: List of firewall rules associated to network. + returned: success + type: complex + contains: + comment: + description: Comment to describe the firewall rule. + returned: always + type: str + sample: Block traffic to server + src_cidr: + description: Comma separated list of CIDR notation source networks. + returned: always + type: str + sample: 192.0.1.1/32,192.0.1.2/32 + src_port: + description: Comma separated list of source ports. + returned: always + type: str + sample: 80,443 + dest_cidr: + description: Comma separated list of CIDR notation destination networks. + returned: always + type: str + sample: 192.0.1.1/32,192.0.1.2/32 + dest_port: + description: Comma separated list of destination ports. + returned: always + type: str + sample: 80,443 + protocol: + description: Network protocol for which to match against. + returned: always + type: str + sample: tcp + policy: + description: Action to take when rule is matched. + returned: always + type: str + syslog_enabled: + description: Whether to log to syslog when rule is matched. + returned: always + type: bool + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def assemble_payload(meraki): + params_map = {'policy': 'policy', + 'protocol': 'protocol', + 'dest_port': 'destPort', + 'dest_cidr': 'destCidr', + 'src_port': 'srcPort', + 'src_cidr': 'srcCidr', + 'syslog_enabled': 'syslogEnabled', + 'comment': 'comment', + } + rules = [] + for rule in meraki.params['rules']: + proposed_rule = dict() + for k, v in rule.items(): + proposed_rule[params_map[k]] = v + rules.append(proposed_rule) + payload = {'rules': rules} + return payload + + +def get_rules(meraki, org_id): + path = meraki.construct_path('get_all', org_id=org_id) + response = meraki.request(path, method='GET') + if meraki.status == 200: + return response + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + fw_rules = dict(policy=dict(type='str', choices=['allow', 'deny']), + protocol=dict(type='str', choices=['tcp', 'udp', 'icmp', 'any']), + dest_port=dict(type='str'), + dest_cidr=dict(type='str'), + src_port=dict(type='str'), + src_cidr=dict(type='str'), + comment=dict(type='str'), + syslog_enabled=dict(type='bool', default=False), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + rules=dict(type='list', default=None, elements='dict', options=fw_rules), + syslog_default_rule=dict(type='bool'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mx_site_to_site_firewall') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mx_site_to_site_firewall': '/organizations/{org_id}/appliance/vpn/vpnFirewallRules/'} + update_urls = {'mx_site_to_site_firewall': '/organizations/{org_id}/appliance/vpn/vpnFirewallRules/'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # execute checks for argument completeness + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + orgs = None + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + + if meraki.params['state'] == 'query': + meraki.result['data'] = get_rules(meraki, org_id) + elif meraki.params['state'] == 'present': + rules = get_rules(meraki, org_id) + path = meraki.construct_path('get_all', org_id=org_id) + if meraki.params['rules'] is not None: + payload = assemble_payload(meraki) + else: + payload = dict() + update = False + if meraki.params['syslog_default_rule'] is not None: + payload['syslogDefaultRule'] = meraki.params['syslog_default_rule'] + try: + if meraki.params['rules'] is not None: + if len(rules['rules']) - 1 != len(payload['rules']): # Quick and simple check to avoid more processing + update = True + if meraki.params['syslog_default_rule'] is not None: + if rules['rules'][len(rules['rules']) - 1]['syslogEnabled'] != meraki.params['syslog_default_rule']: + update = True + if update is False: + default_rule = rules['rules'][len(rules['rules']) - 1].copy() + # meraki.fail_json(msg=update) + del rules['rules'][len(rules['rules']) - 1] # Remove default rule for comparison + if len(rules['rules']) - 1 == 0: + if meraki.is_update_required(rules['rules'][0], payload['rules'][0]) is True: + update = True + else: + for r in range(len(rules) - 1): + if meraki.is_update_required(rules['rules'][r], payload['rules'][r]) is True: + update = True + rules['rules'].append(default_rule) + except KeyError: + pass + if update is True: + if meraki.check_mode is True: + if meraki.params['rules'] is not None: + data = payload + data['rules'].append(rules['rules'][len(rules['rules']) - 1]) # Append the default rule + if meraki.params['syslog_default_rule'] is not None: + data['rules'][len(payload['rules']) - 1]['syslog_enabled'] = meraki.params['syslog_default_rule'] + else: + if meraki.params['syslog_default_rule'] is not None: + data = rules + data['rules'][len(data['rules']) - 1]['syslogEnabled'] = meraki.params['syslog_default_rule'] + meraki.result['data'] = data + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = rules + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_vpn.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_vpn.py new file mode 100644 index 00000000..2c1711ad --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_site_to_site_vpn.py @@ -0,0 +1,270 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_site_to_site_vpn +short_description: Manage AutoVPN connections in Meraki +version_added: "1.1.0" +description: +- Allows for creation, management, and visibility into AutoVPNs implemented on Meraki MX firewalls. +options: + state: + description: + - Create or modify an organization. + choices: ['present', 'query'] + default: present + type: str + net_name: + description: + - Name of network which MX firewall is in. + type: str + net_id: + description: + - ID of network which MX firewall is in. + type: str + mode: + description: + - Set VPN mode for network + choices: ['none', 'hub', 'spoke'] + type: str + hubs: + description: + - List of hubs to assign to a spoke. + type: list + elements: dict + suboptions: + hub_id: + description: + - Network ID of hub + type: str + use_default_route: + description: + - Indicates whether deafult troute traffic should be sent to this hub. + - Only valid in spoke mode. + type: bool + subnets: + description: + - List of subnets to advertise over VPN. + type: list + elements: dict + suboptions: + local_subnet: + description: + - CIDR formatted subnet. + type: str + use_vpn: + description: + - Whether to advertise over VPN. + type: bool +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set hub mode + meraki_site_to_site_vpn: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: hub_network + mode: hub + delegate_to: localhost + register: set_hub + +- name: Set spoke mode + meraki_site_to_site_vpn: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: spoke_network + mode: spoke + hubs: + - hub_id: N_1234 + use_default_route: false + delegate_to: localhost + register: set_spoke + +- name: Add subnet to hub for VPN. Hub is required. + meraki_site_to_site_vpn: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: hub_network + mode: hub + hubs: + - hub_id: N_1234 + use_default_route: false + subnets: + - local_subnet: 192.168.1.0/24 + use_vpn: true + delegate_to: localhost + register: set_hub + +- name: Query rules for hub + meraki_site_to_site_vpn: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: hub_network + delegate_to: localhost + register: query_all_hub +''' + +RETURN = r''' +data: + description: VPN settings. + returned: success + type: complex + contains: + mode: + description: Mode assigned to network. + returned: always + type: str + sample: spoke + hubs: + description: Hub networks to associate to. + returned: always + type: complex + contains: + hub_id: + description: ID of hub network. + returned: always + type: complex + sample: N_12345 + use_default_route: + description: Whether to send all default route traffic over VPN. + returned: always + type: bool + sample: true + subnets: + description: List of subnets to advertise over VPN. + returned: always + type: complex + contains: + local_subnet: + description: CIDR formatted subnet. + returned: always + type: str + sample: 192.168.1.0/24 + use_vpn: + description: Whether subnet should use the VPN. + returned: always + type: bool + sample: true +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec +from copy import deepcopy + + +def assemble_payload(meraki): + payload = {'mode': meraki.params['mode']} + if meraki.params['hubs'] is not None: + payload['hubs'] = meraki.params['hubs'] + for hub in payload['hubs']: + hub['hubId'] = hub.pop('hub_id') + hub['useDefaultRoute'] = hub.pop('use_default_route') + if meraki.params['subnets'] is not None: + payload['subnets'] = meraki.params['subnets'] + for subnet in payload['subnets']: + subnet['localSubnet'] = subnet.pop('local_subnet') + subnet['useVpn'] = subnet.pop('use_vpn') + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + hubs_args = dict(hub_id=dict(type='str'), + use_default_route=dict(type='bool'), + ) + subnets_args = dict(local_subnet=dict(type='str'), + use_vpn=dict(type='bool'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + net_name=dict(type='str'), + net_id=dict(type='str'), + hubs=dict(type='list', default=None, elements='dict', options=hubs_args), + subnets=dict(type='list', default=None, elements='dict', options=subnets_args), + mode=dict(type='str', choices=['none', 'hub', 'spoke']), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='site_to_site_vpn') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'site_to_site_vpn': '/networks/{net_id}/appliance/vpn/siteToSiteVpn/'} + update_urls = {'site_to_site_vpn': '/networks/{net_id}/appliance/vpn/siteToSiteVpn/'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update'] = update_urls + + payload = None + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + org_id = meraki.params['org_id'] + if org_id is None: + orgs = meraki.get_orgs() + for org in orgs: + if org['name'] == meraki.params['org_name']: + org_id = org['id'] + net_id = meraki.params['net_id'] + if net_id is None: + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], + data=meraki.get_nets(org_id=org_id)) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_all', net_id=net_id) + original = meraki.request(path, method='GET') + payload = assemble_payload(meraki) + comparable = deepcopy(original) + comparable.update(payload) + if meraki.is_update_required(original, payload): + if meraki.check_mode is True: + meraki.result['changed'] = True + meraki.result['data'] = payload + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['changed'] = True + meraki.result['data'] = response + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_static_route.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_static_route.py new file mode 100644 index 00000000..51aef265 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_static_route.py @@ -0,0 +1,438 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, 2019 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mx_static_route +short_description: Manage static routes in the Meraki cloud +description: +- Allows for creation, management, and visibility into static routes within Meraki. + +options: + state: + description: + - Create or modify an organization. + choices: [ absent, query, present ] + default: present + type: str + net_name: + description: + - Name of a network. + type: str + net_id: + description: + - ID number of a network. + type: str + name: + description: + - Descriptive name of the static route. + type: str + subnet: + description: + - CIDR notation based subnet for static route. + type: str + gateway_ip: + description: + - IP address of the gateway for the subnet. + type: str + route_id: + description: + - Unique ID of static route. + type: str + gateway_vlan_id: + description: + - The gateway IP (next hop) VLAN ID of the static route. + type: int + fixed_ip_assignments: + description: + - List of fixed MAC to IP bindings for DHCP. + type: list + elements: dict + suboptions: + mac: + description: + - MAC address of endpoint. + type: str + ip: + description: + - IP address of endpoint. + type: str + name: + description: + - Hostname of endpoint. + type: str + reserved_ip_ranges: + description: + - List of IP ranges reserved for static IP assignments. + type: list + elements: dict + suboptions: + start: + description: + - First IP address of reserved range. + type: str + end: + description: + - Last IP address of reserved range. + type: str + comment: + description: + - Human readable description of reservation range. + type: str + enabled: + description: + - Indicates whether static route is enabled within a network. + type: bool + + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Create static_route + meraki_static_route: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + name: Test Route + subnet: 192.0.1.0/24 + gateway_ip: 192.168.128.1 + delegate_to: localhost + +- name: Update static route with fixed IP assignment + meraki_static_route: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + route_id: d6fa4821-1234-4dfa-af6b-ae8b16c20c39 + fixed_ip_assignments: + - mac: aa:bb:cc:dd:ee:ff + ip: 192.0.1.11 + comment: Server + delegate_to: localhost + +- name: Query static routes + meraki_static_route: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + delegate_to: localhost + +- name: Delete static routes + meraki_static_route: + auth_key: abc123 + state: absent + org_name: YourOrg + net_name: YourNet + route_id: '{{item}}' + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + id: + description: Unique identification string assigned to each static route. + returned: success + type: str + sample: d6fa4821-1234-4dfa-af6b-ae8b16c20c39 + net_id: + description: Identification string of network. + returned: query or update + type: str + sample: N_12345 + name: + description: Name of static route. + returned: success + type: str + sample: Data Center static route + subnet: + description: CIDR notation subnet for static route. + returned: success + type: str + sample: 192.0.1.0/24 + gatewayIp: + description: Next hop IP address. + returned: success + type: str + sample: 192.1.1.1 + enabled: + description: Enabled state of static route. + returned: query or update + type: bool + sample: True + reservedIpRanges: + description: List of IP address ranges which are reserved for static assignment. + returned: query or update + type: complex + contains: + start: + description: First address in reservation range, inclusive. + returned: query or update + type: str + sample: 192.0.1.2 + end: + description: Last address in reservation range, inclusive. + returned: query or update + type: str + sample: 192.0.1.10 + comment: + description: Human readable description of range. + returned: query or update + type: str + sample: Server range + fixedIpAssignments: + description: List of static MAC to IP address bindings. + returned: query or update + type: complex + contains: + mac: + description: Key is MAC address of endpoint. + returned: query or update + type: complex + contains: + ip: + description: IP address to be bound to the endpoint. + returned: query or update + type: str + sample: 192.0.1.11 + name: + description: Hostname given to the endpoint. + returned: query or update + type: str + sample: JimLaptop +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def fixed_ip_factory(meraki, data): + fixed_ips = dict() + for item in data: + fixed_ips[item["mac"]] = {"ip": item["ip"], "name": item["name"]} + return fixed_ips + + +def get_static_routes(meraki, net_id): + path = meraki.construct_path("get_all", net_id=net_id) + r = meraki.request(path, method="GET") + return r + + +def get_static_route(meraki, net_id, route_id): + path = meraki.construct_path( + "get_one", net_id=net_id, custom={"route_id": route_id} + ) + r = meraki.request(path, method="GET") + return r + + +def does_route_exist(name, routes): + for route in routes: + if name == route["name"]: + return route + return None + + +def update_dict(original, proposed): + for k, v in proposed.items(): + if v is not None: + original[k] = v + return original + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + fixed_ip_arg_spec = dict( + mac=dict(type="str"), + ip=dict(type="str"), + name=dict(type="str"), + ) + + reserved_ip_arg_spec = dict( + start=dict(type="str"), + end=dict(type="str"), + comment=dict(type="str"), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type="str"), + net_name=dict(type="str"), + name=dict(type="str"), + subnet=dict(type="str"), + gateway_ip=dict(type="str"), + state=dict( + type="str", default="present", choices=["absent", "present", "query"] + ), + fixed_ip_assignments=dict( + type="list", elements="dict", options=fixed_ip_arg_spec + ), + reserved_ip_ranges=dict( + type="list", elements="dict", options=reserved_ip_arg_spec + ), + route_id=dict(type="str"), + enabled=dict(type="bool"), + gateway_vlan_id=dict(type="int"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="static_route") + module.params["follow_redirects"] = "all" + payload = None + + query_urls = {"static_route": "/networks/{net_id}/appliance/staticRoutes"} + query_one_urls = { + "static_route": "/networks/{net_id}/appliance/staticRoutes/{route_id}" + } + create_urls = {"static_route": "/networks/{net_id}/appliance/staticRoutes/"} + update_urls = { + "static_route": "/networks/{net_id}/appliance/staticRoutes/{route_id}" + } + delete_urls = { + "static_route": "/networks/{net_id}/appliance/staticRoutes/{route_id}" + } + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["get_one"].update(query_one_urls) + meraki.url_catalog["create"] = create_urls + meraki.url_catalog["update"] = update_urls + meraki.url_catalog["delete"] = delete_urls + + if not meraki.params["org_name"] and not meraki.params["org_id"]: + meraki.fail_json( + msg="Parameters 'org_name' or 'org_id' parameters are required" + ) + if not meraki.params["net_name"] and not meraki.params["net_id"]: + meraki.fail_json( + msg="Parameters 'net_name' or 'net_id' parameters are required" + ) + if meraki.params["net_name"] and meraki.params["net_id"]: + meraki.fail_json(msg="'net_name' and 'net_id' are mutually exclusive") + + # Construct payload + if meraki.params["state"] == "present": + payload = dict() + if meraki.params["net_name"]: + payload["name"] = meraki.params["net_name"] + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + if not org_id: + org_id = meraki.get_org_id(meraki.params["org_name"]) + net_id = meraki.params["net_id"] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + if meraki.params["route_id"] is not None: + meraki.result["data"] = get_static_route( + meraki, net_id, meraki.params["route_id"] + ) + else: + meraki.result["data"] = get_static_routes(meraki, net_id) + elif meraki.params["state"] == "present": + payload = { + "name": meraki.params["name"], + "subnet": meraki.params["subnet"], + "gatewayIp": meraki.params["gateway_ip"], + } + if meraki.params["fixed_ip_assignments"] is not None: + payload["fixedIpAssignments"] = fixed_ip_factory( + meraki, meraki.params["fixed_ip_assignments"] + ) + if meraki.params["reserved_ip_ranges"] is not None: + payload["reservedIpRanges"] = meraki.params["reserved_ip_ranges"] + if meraki.params["enabled"] is not None: + payload["enabled"] = meraki.params["enabled"] + if meraki.params["gateway_vlan_id"] is not None: + payload["gatewayVlanId"] = meraki.params["gateway_vlan_id"] + + route_id = meraki.params["route_id"] + if meraki.params["name"] is not None and route_id is None: + route_status = does_route_exist( + meraki.params["name"], get_static_routes(meraki, net_id) + ) + if route_status is not None: # Route exists, assign route_id + route_id = route_status["id"] + + if route_id is not None: + existing_route = get_static_route(meraki, net_id, route_id) + original = existing_route.copy() + payload = update_dict(existing_route, payload) + if module.check_mode: + meraki.result["data"] = payload + meraki.exit_json(**meraki.result) + if meraki.is_update_required(original, payload, optional_ignore=["id"]): + path = meraki.construct_path( + "update", net_id=net_id, custom={"route_id": route_id} + ) + meraki.result["data"] = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + meraki.result["changed"] = True + else: + meraki.result["data"] = original + else: + if module.check_mode: + meraki.result["data"] = payload + meraki.exit_json(**meraki.result) + path = meraki.construct_path("create", net_id=net_id) + meraki.result["data"] = meraki.request( + path, method="POST", payload=json.dumps(payload) + ) + meraki.result["changed"] = True + elif meraki.params["state"] == "absent": + if module.check_mode: + meraki.exit_json(**meraki.result) + path = meraki.construct_path( + "delete", net_id=net_id, custom={"route_id": meraki.params["route_id"]} + ) + meraki.result["data"] = meraki.request(path, method="DELETE") + meraki.result["changed"] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_third_party_vpn_peers.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_third_party_vpn_peers.py new file mode 100644 index 00000000..c504911c --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_third_party_vpn_peers.py @@ -0,0 +1,493 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_mx_third_party_vpn_peers +short_description: Manage third party (IPSec) VPN peers for MX devices +description: +- Create, edit, query, or delete third party VPN peers in a Meraki environment. +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + peers: + description: + - The list of VPN peers. + type: list + elements: dict + suboptions: + name: + description: + - The name of the VPN peer. + - Required when state is present. + type: str + public_ip: + description: + - The public IP of the VPN peer. + - Required when state is present. + type: str + secret: + description: + - The shared secret with the VPN peer. + - Required when state is present. + type: str + private_subnets: + description: + - The list of the private subnets of the VPN peer. + - Required when state is present. + type: list + elements: str + ike_version: + description: + - The IKE version to be used for the IPsec VPN peer configuration. + default: "1" + type: str + choices: ["1", "2"] + ipsec_policies_preset: + description: + - Specifies IPsec preset values. If this is provided, the 'ipsecPolicies' parameter is ignored. + type: str + choices: ["default", "aws", "azure"] + remote_id: + description: + - The remote ID is used to identify the connecting VPN peer. This can either be a valid IPv4 Address, FQDN or User FQDN. + type: str + network_tags: + description: + - A list of network tags that will connect with this peer. If not included, the default is ['all']. + type: list + elements: str + ipsec_policies: + description: + - Custom IPSec policies for the VPN peer. If not included and a preset has not been chosen, the default preset for IPSec policies will be used. + type: dict + suboptions: + child_lifetime: + description: + - The lifetime of the Phase 2 SA in seconds. + type: int + ike_lifetime: + description: + - The lifetime of the Phase 1 SA in seconds. + type: int + child_auth_algo: + description: + - This is the authentication algorithms to be used in Phase 2. + type: list + elements: str + choices: ['sha256', 'sha1', 'md5'] + child_cipher_algo: + description: + - This is the cipher algorithms to be used in Phase 2. + choices: ['aes256', 'aes192', 'aes128', 'tripledes', 'des', 'null'] + type: list + elements: str + child_pfs_group: + description: + - This is the Diffie-Hellman group to be used for Perfect Forward Secrecy in Phase 2. + type: list + elements: str + choices: ['disabled','group14', 'group5', 'group2', 'group1'] + ike_auth_algo: + description: + - This is the authentication algorithm to be used in Phase 1. + type: list + elements: str + choices: ['sha256', 'sha1', 'md5'] + ike_cipher_algo: + description: + - This is the cipher algorithm to be used in Phase 1. + type: list + elements: str + choices: ['aes256', 'aes192', 'aes128', 'tripledes', 'des'] + ike_diffie_hellman_group: + description: + - This is the Diffie-Hellman group to be used in Phase 1. + type: list + elements: str + choices: ['group14', 'group5', 'group2', 'group1'] + ike_prf_algo: + description: + - This is the pseudo-random function to be used in IKE_SA. + type: list + elements: str + choices: ['prfsha256', 'prfsha1', 'prfmd5', 'default'] + +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query all VPN peers + meraki_mx_third_party_vpn_peers: + auth_key: abc123 + state: query + org_name: orgName + +- name: Create VPN peer with an IPsec policy + meraki_mx_third_party_vpn_peers: + auth_key: abc123 + state: present + org_name: orgName + peers: + - name: "Test peer" + public_ip: "198.51.100.1" + secret: "s3cret" + private_subnets: + - "192.0.2.0/24" + ike_version: "2" + network_tags: + - none + remote_id: "192.0.2.0" + ipsec_policies: + child_lifetime: 600 + ike_lifetime: 600 + child_auth_algo: + - "md5" + child_cipher_algo: + - "tripledes" + - "aes192" + child_pfs_group: + - "disabled" + ike_auth_algo: + - "sha256" + ike_cipher_algo: + - "tripledes" + ike_diffie_hellman_group: + - "group2" + ike_prf_algo: + - "prfmd5" +""" + +RETURN = r""" + +response: + description: Information about the organization which was created or modified + returned: success + type: complex + contains: + appliance_ip: + description: IP address of Meraki appliance in the VLAN + returned: success + type: str + sample: 192.0.1.1 + dnsnamservers: + description: IP address or Meraki defined DNS servers which VLAN should use by default + returned: success + type: str + sample: upstream_dns + peers: + description: The list of VPN peers. + returned: success + type: complex + contains: + ike_version: + description: The IKE version to be used for the IPsec VPN peer configuration. + returned: success + type: str + sample: "1" + ipsec_policies_preset: + description: Preconfigured IPsec settings. + returned: success + type: str + sample: "aws" + name: + description: The name of the VPN peer. + returned: success + type: str + sample: "MyVPNPeer" + public_ip: + description: The public IP of the VPN peer. + returned: success + type: str + sample: "198.51.100.1" + remote_id: + description: "The remote ID is used to identify the connecting VPN peer." + returned: success + type: str + sample: "s3cret" + network_tags: + description: A list of network tags that will connect with this peer. + returned: success + type: list + sample: ["all"] + private_subnets: + description: The list of the private subnets of the VPN peer. + returned: success + type: list + sample: ["192.0.2.0/24"] + ipsec_policies: + description: Custom IPSec policies for the VPN peer. + returned: success + type: complex + contains: + child_lifetime: + description: The lifetime of the Phase 2 SA in seconds. + returned: success + type: str + sample: "60" + ike_lifetime: + description: The lifetime of the Phase 1 SA in seconds. + returned: success + type: str + sample: "60" + child_auth_algo: + description: This is the authentication algorithms to be used in Phase 2. + returned: success + type: list + sample: ["sha1"] + child_cipher_algo: + description: This is the cipher algorithms to be used in Phase 2. + returned: success + type: list + sample: ["aes192"] + child_pfs_group: + description: This is the Diffie-Hellman group to be used for Perfect Forward Secrecy in Phase 2. + returned: success + type: list + sample: ["group14"] + ike_auth_algo: + description: This is the authentication algorithm to be used in Phase 1. + returned: success + type: list + sample: ["sha1"] + ike_cipher_algo: + description: This is the cipher algorithm to be used in Phase 1. + returned: success + type: list + sample: ["aes128"] + ike_diffie_hellman_group: + description: This is the Diffie-Hellman group to be used in Phase 1. + returned: success + type: list + sample: ["group14"] + ike_prf_algo: + description: This is the pseudo-random function to be used in IKE_SA. + returned: success + type: list + sample: ["prfmd5"] +""" + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) +import json + + +def validate_payload(meraki): + for peer in meraki.params["peers"]: + if peer["name"] is None: + meraki.fail_json(msg="Peer name must be specified") + elif peer["public_ip"] is None: + meraki.fail_json(msg="Peer public IP must be specified") + elif peer["secret"] is None: + meraki.fail_json(msg="Peer secret must be specified") + elif peer["private_subnets"] is None: + meraki.fail_json(msg="Peer private subnets must be specified") + + +def construct_payload(meraki): + validate_payload(meraki) + peer_list = [] + for peer in meraki.params["peers"]: + current_peer = dict() + current_peer["name"] = peer["name"] + current_peer["publicIp"] = peer["public_ip"] + current_peer["secret"] = peer["secret"] + current_peer["privateSubnets"] = peer["private_subnets"] + if peer["ike_version"] is not None: + current_peer["ikeVersion"] = peer["ike_version"] + if peer["ipsec_policies_preset"] is not None: + current_peer["ipsecPoliciesPreset"] = peer["ipsec_policies_preset"] + if peer["remote_id"] is not None: + current_peer["remoteId"] = peer["remote_id"] + if peer["network_tags"] is not None: + current_peer["networkTags"] = peer["network_tags"] + if peer["ipsec_policies"] is not None: + current_peer["ipsecPolicies"] = dict() + if peer["ipsec_policies"]["child_lifetime"] is not None: + current_peer["ipsecPolicies"]["childLifetime"] = peer["ipsec_policies"][ + "child_lifetime" + ] + if peer["ipsec_policies"]["ike_lifetime"] is not None: + current_peer["ipsecPolicies"]["ikeLifetime"] = peer["ipsec_policies"][ + "ike_lifetime" + ] + if peer["ipsec_policies"]["child_auth_algo"] is not None: + current_peer["ipsecPolicies"]["childAuthAlgo"] = peer["ipsec_policies"][ + "child_auth_algo" + ] + if peer["ipsec_policies"]["child_cipher_algo"] is not None: + current_peer["ipsecPolicies"]["childCipherAlgo"] = peer[ + "ipsec_policies" + ]["child_cipher_algo"] + if peer["ipsec_policies"]["child_pfs_group"] is not None: + current_peer["ipsecPolicies"]["childPfsGroup"] = peer["ipsec_policies"][ + "child_pfs_group" + ] + if peer["ipsec_policies"]["ike_auth_algo"] is not None: + current_peer["ipsecPolicies"]["ikeAuthAlgo"] = peer["ipsec_policies"][ + "ike_auth_algo" + ] + if peer["ipsec_policies"]["ike_cipher_algo"] is not None: + current_peer["ipsecPolicies"]["ikeCipherAlgo"] = peer["ipsec_policies"][ + "ike_cipher_algo" + ] + if peer["ipsec_policies"]["ike_diffie_hellman_group"] is not None: + current_peer["ipsecPolicies"]["ikeDiffieHellmanGroup"] = peer[ + "ipsec_policies" + ]["ike_diffie_hellman_group"] + if peer["ipsec_policies"]["ike_prf_algo"] is not None: + current_peer["ipsecPolicies"]["ikePrfAlgo"] = peer["ipsec_policies"][ + "ike_prf_algo" + ] + + peer_list.append(current_peer) + payload = {"peers": peer_list} + return payload + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + ipsec_policies_arg_spec = dict( + child_lifetime=dict(type="int", default=None), + ike_lifetime=dict(type="int", default=None), + child_auth_algo=dict( + type="list", elements="str", default=None, choices=["sha256", "sha1", "md5"] + ), + child_cipher_algo=dict( + type="list", + elements="str", + default=None, + choices=["aes256", "aes192", "aes128", "tripledes", "des", "null"], + ), + child_pfs_group=dict( + type="list", + elements="str", + default=None, + choices=["disabled", "group14", "group5", "group2", "group1"], + ), + ike_auth_algo=dict( + type="list", elements="str", default=None, choices=["sha256", "sha1", "md5"] + ), + ike_cipher_algo=dict( + type="list", + elements="str", + default=None, + choices=["aes256", "aes192", "aes128", "tripledes", "des"], + ), + ike_diffie_hellman_group=dict( + type="list", + elements="str", + default=None, + choices=["group14", "group5", "group2", "group1"], + ), + ike_prf_algo=dict( + type="list", + elements="str", + default=None, + choices=["prfsha256", "prfsha1", "prfmd5", "default"], + ), + ) + + peers_arg_spec = dict( + name=dict(type="str"), + public_ip=dict(type="str"), + secret=dict(type="str", no_log=True), + private_subnets=dict(type="list", elements="str"), + ike_version=dict(type="str", choices=["1", "2"], default="1"), + ipsec_policies_preset=dict( + type="str", choices=["default", "aws", "azure"], default=None + ), + remote_id=dict(type="str", default=None), + network_tags=dict(type="list", elements="str", default=None), + ipsec_policies=dict(type="dict", options=ipsec_policies_arg_spec, default=None), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict(type="str", choices=["absent", "present", "query"], default="query"), + peers=dict(type="list", elements="dict", options=peers_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="third_party_vpn_peer") + + meraki.params["follow_redirects"] = "all" + + query_urls = { + "third_party_vpn_peer": "/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers" + } + update_url = { + "third_party_vpn_peer": "/organizations/{org_id}/appliance/vpn/thirdPartyVPNPeers" + } + + meraki.url_catalog["get_all"].update(query_urls) + meraki.url_catalog["update"] = update_url + + payload = None + if meraki.params["org_id"] is None and meraki.params["org_name"] is None: + meraki.fail_json(msg="Organization must be specified via org_name or org_id") + + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + + if meraki.params["state"] == "query": + path = meraki.construct_path("get_all", org_id=org_id) + response = meraki.request(path, "GET") + meraki.result["data"] = response + elif meraki.params["state"] == "present": + payload = construct_payload(meraki) + have = meraki.request(meraki.construct_path("get_all", org_id=org_id), "GET") + # meraki.fail_json(msg="Compare", have=have, payload=payload) + if meraki.is_update_required(have, payload): + meraki.generate_diff(have, payload) + path = meraki.construct_path("update", org_id=org_id) + if meraki.module.check_mode is False: + response = meraki.request(path, "PUT", payload=json.dumps(payload)) + meraki.result["data"] = response + else: + meraki.result["data"] = payload + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + meraki.result["data"] = have + elif meraki.params["state"] == "absent": + return + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_uplink_bandwidth.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_uplink_bandwidth.py new file mode 100644 index 00000000..cb2ef07e --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_uplink_bandwidth.py @@ -0,0 +1,325 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_uplink_bandwidth +short_description: Manage uplinks on Meraki MX appliances +version_added: "1.1.0" +description: +- Configure and query information about uplinks on Meraki MX appliances. +notes: +- Some of the options are likely only used for developers within Meraki. +- Module was formerly named M(cisco.meraki.meraki_mx_uplink). +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + org_name: + description: + - Name of organization associated to a network. + type: str + org_id: + description: + - ID of organization associated to a network. + type: str + net_name: + description: + - Name of network which VLAN is in or should be in. + aliases: [network] + type: str + net_id: + description: + - ID of network which VLAN is in or should be in. + type: str + wan1: + description: + - Configuration of WAN1 uplink + type: dict + suboptions: + bandwidth_limits: + description: + - Structure for configuring bandwidth limits + type: dict + suboptions: + limit_up: + description: + - Maximum upload speed for interface + type: int + limit_down: + description: + - Maximum download speed for interface + type: int + wan2: + description: + - Configuration of WAN2 uplink + type: dict + suboptions: + bandwidth_limits: + description: + - Structure for configuring bandwidth limits + type: dict + suboptions: + limit_up: + description: + - Maximum upload speed for interface + type: int + limit_down: + description: + - Maximum download speed for interface + type: int + cellular: + description: + - Configuration of cellular uplink + type: dict + suboptions: + bandwidth_limits: + description: + - Structure for configuring bandwidth limits + type: dict + suboptions: + limit_up: + description: + - Maximum upload speed for interface + type: int + limit_down: + description: + - Maximum download speed for interface + type: int +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Set MX uplink settings + meraki_mx_uplink_bandwidth: + auth_key: '{{auth_key}}' + state: present + org_name: '{{test_org_name}}' + net_name: '{{test_net_name}} - Uplink' + wan1: + bandwidth_limits: + limit_down: 1000000 + limit_up: 1000 + cellular: + bandwidth_limits: + limit_down: 0 + limit_up: 0 + delegate_to: localhost + +- name: Query MX uplink settings + meraki_mx_uplink_bandwidth: + auth_key: '{{auth_key}}' + state: query + org_name: '{{test_org_name}}' + net_name: '{{test_net_name}} - Uplink' + delegate_to: localhost + +''' + +RETURN = r''' + +data: + description: Information about the organization which was created or modified + returned: success + type: complex + contains: + wan1: + description: WAN1 interface + returned: success + type: complex + contains: + bandwidth_limits: + description: Structure for uplink bandwidth limits + returned: success + type: complex + contains: + limit_up: + description: Upload bandwidth limit + returned: success + type: int + limit_down: + description: Download bandwidth limit + returned: success + type: int + wan2: + description: WAN2 interface + returned: success + type: complex + contains: + bandwidth_limits: + description: Structure for uplink bandwidth limits + returned: success + type: complex + contains: + limit_up: + description: Upload bandwidth limit + returned: success + type: int + limit_down: + description: Download bandwidth limit + returned: success + type: int + cellular: + description: cellular interface + returned: success + type: complex + contains: + bandwidth_limits: + description: Structure for uplink bandwidth limits + returned: success + type: complex + contains: + limit_up: + description: Upload bandwidth limit + returned: success + type: int + limit_down: + description: Download bandwidth limit + returned: success + type: int +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import recursive_diff +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + +INT_NAMES = ('wan1', 'wan2', 'cellular') + + +def clean_custom_format(data): + for interface in data: + if data[interface]['bandwidth_limits']['limit_up'] is None: + data[interface]['bandwidth_limits']['limit_up'] = 0 + if data[interface]['bandwidth_limits']['limit_down'] is None: + data[interface]['bandwidth_limits']['limit_down'] = 0 + return data + + +def meraki_struct_to_custom_format(data): + new_struct = {} + for interface in INT_NAMES: + if interface in data['bandwidthLimits']: + new_struct[interface] = {'bandwidth_limits': {'limit_up': data['bandwidthLimits'][interface]['limitUp'], + 'limit_down': data['bandwidthLimits'][interface]['limitDown'], + } + } + # return snake_dict_to_camel_dict(new_struct) + return new_struct + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + bandwidth_arg_spec = dict(limit_up=dict(type='int'), + limit_down=dict(type='int'), + ) + + interface_arg_spec = dict(bandwidth_limits=dict(type='dict', default=None, options=bandwidth_arg_spec), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='query'), + net_name=dict(type='str', aliases=['network']), + net_id=dict(type='str'), + wan1=dict(type='dict', default=None, options=interface_arg_spec), + wan2=dict(type='dict', default=None, options=interface_arg_spec), + cellular=dict(type='dict', default=None, options=interface_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='mx_uplink') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'mx_uplink': '/networks/{net_id}/appliance/trafficShaping/uplinkBandwidth'} + update_bw_url = {'mx_uplink': '/networks/{net_id}/appliance/trafficShaping/uplinkBandwidth'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['update_bw'] = update_bw_url + + payload = dict() + + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + path = meraki.construct_path('get_all', net_id=net_id) + response = meraki.request(path, method='GET') + data = clean_custom_format(meraki_struct_to_custom_format(response)) + meraki.result['data'] = data + elif meraki.params['state'] == 'present': + path = meraki.construct_path('get_all', net_id=net_id) + original = meraki.request(path, method='GET') + payload = {'bandwidthLimits': {}} + for interface in INT_NAMES: + if meraki.params[interface] is not None: + if meraki.params[interface]['bandwidth_limits'] is not None: + payload['bandwidthLimits'][interface] = None + payload['bandwidthLimits'][interface] = {'limitUp': meraki.params[interface]['bandwidth_limits']['limit_up'], + 'limitDown': meraki.params[interface]['bandwidth_limits']['limit_down'], + } + if payload['bandwidthLimits'][interface]['limitUp'] == 0: + payload['bandwidthLimits'][interface]['limitUp'] = None + if payload['bandwidthLimits'][interface]['limitDown'] == 0: + payload['bandwidthLimits'][interface]['limitDown'] = None + if meraki.is_update_required(original, payload): + if meraki.module.check_mode is True: + diff = recursive_diff(clean_custom_format(meraki_struct_to_custom_format(original)), + clean_custom_format(meraki_struct_to_custom_format(payload))) + original.update(payload) + meraki.result['data'] = clean_custom_format(meraki_struct_to_custom_format(original)) + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1], + } + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update_bw', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + formatted_original = clean_custom_format(meraki_struct_to_custom_format(original)) + formatted_response = clean_custom_format(meraki_struct_to_custom_format(response)) + diff = recursive_diff(formatted_original, formatted_response) + meraki.result['diff'] = {'before': diff[0], + 'after': diff[1], + } + meraki.result['data'] = formatted_response + meraki.result['changed'] = True + else: + meraki.result['data'] = clean_custom_format(meraki_struct_to_custom_format(original)) + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_vlan.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_vlan.py new file mode 100644 index 00000000..2b6c8adc --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_mx_vlan.py @@ -0,0 +1,585 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_mx_vlan +short_description: Manage VLANs in the Meraki cloud +description: +- Create, edit, query, or delete VLANs in a Meraki environment. +notes: +- Meraki's API will return an error if VLANs aren't enabled on a network. VLANs are returned properly if VLANs are enabled on a network. +- Some of the options are likely only used for developers within Meraki. +- Meraki's API defaults to networks having VLAN support disabled and there is no way to enable VLANs support in the API. VLAN support must be enabled manually. +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + net_name: + description: + - Name of network which VLAN is in or should be in. + aliases: [network] + type: str + net_id: + description: + - ID of network which VLAN is in or should be in. + type: str + vlan_id: + description: + - ID number of VLAN. + - ID should be between 1-4096. + type: int + name: + description: + - Name of VLAN. + aliases: [vlan_name] + type: str + subnet: + description: + - CIDR notation of network subnet. + type: str + appliance_ip: + description: + - IP address of appliance. + - Address must be within subnet specified in C(subnet) parameter. + type: str + dns_nameservers: + description: + - Semi-colon delimited list of DNS IP addresses. + - Specify one of the following options for preprogrammed DNS entries opendns, google_dns, upstream_dns + type: str + reserved_ip_range: + description: + - IP address ranges which should be reserve and not distributed via DHCP. + type: list + elements: dict + suboptions: + start: + description: First IP address of reserved IP address range, inclusive. + type: str + end: + description: Last IP address of reserved IP address range, inclusive. + type: str + comment: + description: Description of IP addresses reservation + type: str + vpn_nat_subnet: + description: + - The translated VPN subnet if VPN and VPN subnet translation are enabled on the VLAN. + type: str + fixed_ip_assignments: + description: + - Static IP address assignments to be distributed via DHCP by MAC address. + type: list + elements: dict + suboptions: + mac: + description: MAC address for fixed IP assignment binding. + type: str + ip: + description: IP address for fixed IP assignment binding. + type: str + name: + description: Descriptive name of IP assignment binding. + type: str + dhcp_handling: + description: + - How to handle DHCP packets on network. + type: str + choices: ['Run a DHCP server', + 'Relay DHCP to another server', + 'Do not respond to DHCP requests', + 'none', + 'server', + 'relay'] + dhcp_relay_server_ips: + description: + - IP addresses to forward DHCP packets to. + type: list + elements: str + dhcp_lease_time: + description: + - DHCP lease timer setting + type: str + choices: ['30 minutes', + '1 hour', + '4 hours', + '12 hours', + '1 day', + '1 week'] + dhcp_boot_options_enabled: + description: + - Enable DHCP boot options + type: bool + dhcp_boot_next_server: + description: + - DHCP boot option to direct boot clients to the server to load boot file from. + type: str + dhcp_boot_filename: + description: + - Filename to boot from for DHCP boot + type: str + dhcp_options: + description: + - List of DHCP option values + type: list + elements: dict + suboptions: + code: + description: + - DHCP option number. + type: int + type: + description: + - Type of value for DHCP option. + type: str + choices: ['text', 'ip', 'hex', 'integer'] + value: + description: + - Value for DHCP option. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query all VLANs in a network. + meraki_vlan: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + state: query + delegate_to: localhost + +- name: Query information about a single VLAN by ID. + meraki_vlan: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + vlan_id: 2 + state: query + delegate_to: localhost + +- name: Create a VLAN. + meraki_vlan: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + state: present + vlan_id: 2 + name: TestVLAN + subnet: 192.0.1.0/24 + appliance_ip: 192.0.1.1 + delegate_to: localhost + +- name: Update a VLAN. + meraki_vlan: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + state: present + vlan_id: 2 + name: TestVLAN + subnet: 192.0.1.0/24 + appliance_ip: 192.168.250.2 + fixed_ip_assignments: + - mac: "13:37:de:ad:be:ef" + ip: 192.168.250.10 + name: fixed_ip + reserved_ip_range: + - start: 192.168.250.10 + end: 192.168.250.20 + comment: reserved_range + dns_nameservers: opendns + delegate_to: localhost + +- name: Enable DHCP on VLAN with options + meraki_vlan: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + vlan_id: 2 + name: TestVLAN + subnet: 192.168.250.0/24 + appliance_ip: 192.168.250.2 + dhcp_handling: server + dhcp_lease_time: 1 hour + dhcp_boot_options_enabled: false + dhcp_options: + - code: 5 + type: ip + value: 192.0.1.1 + delegate_to: localhost + +- name: Delete a VLAN. + meraki_vlan: + auth_key: abc12345 + org_name: YourOrg + net_name: YourNet + state: absent + vlan_id: 2 + delegate_to: localhost +''' + +RETURN = r''' + +response: + description: Information about the organization which was created or modified + returned: success + type: complex + contains: + appliance_ip: + description: IP address of Meraki appliance in the VLAN + returned: success + type: str + sample: 192.0.1.1 + dnsnamservers: + description: IP address or Meraki defined DNS servers which VLAN should use by default + returned: success + type: str + sample: upstream_dns + fixed_ip_assignments: + description: List of MAC addresses which have IP addresses assigned. + returned: success + type: complex + contains: + macaddress: + description: MAC address which has IP address assigned to it. Key value is the actual MAC address. + returned: success + type: complex + contains: + ip: + description: IP address which is assigned to the MAC address. + returned: success + type: str + sample: 192.0.1.4 + name: + description: Descriptive name for binding. + returned: success + type: str + sample: fixed_ip + reserved_ip_ranges: + description: List of IP address ranges which are reserved for static assignment. + returned: success + type: complex + contains: + comment: + description: Description for IP address reservation. + returned: success + type: str + sample: reserved_range + end: + description: Last IP address in reservation range. + returned: success + type: str + sample: 192.0.1.10 + start: + description: First IP address in reservation range. + returned: success + type: str + sample: 192.0.1.5 + id: + description: VLAN ID number. + returned: success + type: int + sample: 2 + name: + description: Descriptive name of VLAN. + returned: success + type: str + sample: TestVLAN + networkId: + description: ID number of Meraki network which VLAN is associated to. + returned: success + type: str + sample: N_12345 + subnet: + description: CIDR notation IP subnet of VLAN. + returned: success + type: str + sample: "192.0.1.0/24" + dhcp_handling: + description: Status of DHCP server on VLAN. + returned: success + type: str + sample: Run a DHCP server + dhcp_lease_time: + description: DHCP lease time when server is active. + returned: success + type: str + sample: 1 day + dhcp_boot_options_enabled: + description: Whether DHCP boot options are enabled. + returned: success + type: bool + sample: no + dhcp_boot_next_server: + description: DHCP boot option to direct boot clients to the server to load the boot file from. + returned: success + type: str + sample: 192.0.1.2 + dhcp_boot_filename: + description: Filename for boot file. + returned: success + type: str + sample: boot.txt + dhcp_options: + description: DHCP options. + returned: success + type: complex + contains: + code: + description: + - Code for DHCP option. + - Integer between 2 and 254. + returned: success + type: int + sample: 43 + type: + description: + - Type for DHCP option. + - Choices are C(text), C(ip), C(hex), C(integer). + returned: success + type: str + sample: text + value: + description: Value for the DHCP option. + returned: success + type: str + sample: 192.0.1.2 +''' + +from ansible.module_utils.basic import AnsibleModule +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec +import json + + +def fixed_ip_factory(meraki, data): + fixed_ips = dict() + for item in data: + fixed_ips[item['mac']] = {'ip': item['ip'], 'name': item['name']} + return fixed_ips + + +def get_vlans(meraki, net_id): + path = meraki.construct_path('get_all', net_id=net_id) + return meraki.request(path, method='GET') + + +# TODO: Allow method to return actual item if True to reduce number of calls needed +def is_vlan_valid(meraki, net_id, vlan_id): + vlans = get_vlans(meraki, net_id) + for vlan in vlans: + if vlan_id == vlan['id']: + return True + return False + + +def construct_payload(meraki): + payload = {'id': meraki.params['vlan_id'], + 'name': meraki.params['name'], + 'subnet': meraki.params['subnet'], + 'applianceIp': meraki.params['appliance_ip'], + } + if meraki.params['dns_nameservers']: + if meraki.params['dns_nameservers'] not in ('opendns', 'google_dns', 'upstream_dns'): + payload['dnsNameservers'] = format_dns(meraki.params['dns_nameservers']) + else: + payload['dnsNameservers'] = meraki.params['dns_nameservers'] + if meraki.params['fixed_ip_assignments']: + payload['fixedIpAssignments'] = fixed_ip_factory(meraki, meraki.params['fixed_ip_assignments']) + if meraki.params['reserved_ip_range']: + payload['reservedIpRanges'] = meraki.params['reserved_ip_range'] + if meraki.params['vpn_nat_subnet']: + payload['vpnNatSubnet'] = meraki.params['vpn_nat_subnet'] + if meraki.params['dhcp_handling']: + payload['dhcpHandling'] = normalize_dhcp_handling(meraki.params['dhcp_handling']) + if meraki.params['dhcp_relay_server_ips']: + payload['dhcpRelayServerIps'] = meraki.params['dhcp_relay_server_ips'] + if meraki.params['dhcp_lease_time']: + payload['dhcpLeaseTime'] = meraki.params['dhcp_lease_time'] + if meraki.params['dhcp_boot_options_enabled']: + payload['dhcpBootOptionsEnabled'] = meraki.params['dhcp_boot_options_enabled'] + if meraki.params['dhcp_boot_next_server']: + payload['dhcpBootNextServer'] = meraki.params['dhcp_boot_next_server'] + if meraki.params['dhcp_boot_filename']: + payload['dhcpBootFilename'] = meraki.params['dhcp_boot_filename'] + if meraki.params['dhcp_options']: + payload['dhcpOptions'] = meraki.params['dhcp_options'] + # if meraki.params['dhcp_handling']: + # meraki.fail_json(payload) + + return payload + + +def format_dns(nameservers): + return nameservers.replace(';', '\n') + + +def normalize_dhcp_handling(parameter): + if parameter == 'none': + return 'Do not respond to DHCP requests' + elif parameter == 'server': + return 'Run a DHCP server' + elif parameter == 'relay': + return 'Relay DHCP to another server' + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + fixed_ip_arg_spec = dict(mac=dict(type='str'), + ip=dict(type='str'), + name=dict(type='str'), + ) + + reserved_ip_arg_spec = dict(start=dict(type='str'), + end=dict(type='str'), + comment=dict(type='str'), + ) + + dhcp_options_arg_spec = dict(code=dict(type='int'), + type=dict(type='str', choices=['text', 'ip', 'hex', 'integer']), + value=dict(type='str'), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['absent', 'present', 'query'], default='query'), + net_name=dict(type='str', aliases=['network']), + net_id=dict(type='str'), + vlan_id=dict(type='int'), + name=dict(type='str', aliases=['vlan_name']), + subnet=dict(type='str'), + appliance_ip=dict(type='str'), + fixed_ip_assignments=dict(type='list', default=None, elements='dict', options=fixed_ip_arg_spec), + reserved_ip_range=dict(type='list', default=None, elements='dict', options=reserved_ip_arg_spec), + vpn_nat_subnet=dict(type='str'), + dns_nameservers=dict(type='str'), + dhcp_handling=dict(type='str', choices=['Run a DHCP server', + 'Relay DHCP to another server', + 'Do not respond to DHCP requests', + 'none', + 'server', + 'relay'], + ), + dhcp_relay_server_ips=dict(type='list', default=None, elements='str'), + dhcp_lease_time=dict(type='str', choices=['30 minutes', + '1 hour', + '4 hours', + '12 hours', + '1 day', + '1 week']), + dhcp_boot_options_enabled=dict(type='bool'), + dhcp_boot_next_server=dict(type='str'), + dhcp_boot_filename=dict(type='str'), + dhcp_options=dict(type='list', default=None, elements='dict', options=dhcp_options_arg_spec), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='vlan') + + meraki.params['follow_redirects'] = 'all' + + query_urls = {'vlan': '/networks/{net_id}/appliance/vlans'} + query_url = {'vlan': '/networks/{net_id}/appliance/vlans/{vlan_id}'} + create_url = {'vlan': '/networks/{net_id}/appliance/vlans'} + update_url = {'vlan': '/networks/{net_id}/appliance/vlans/'} + delete_url = {'vlan': '/networks/{net_id}/appliance/vlans/'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['get_one'].update(query_url) + meraki.url_catalog['create'] = create_url + meraki.url_catalog['update'] = update_url + meraki.url_catalog['delete'] = delete_url + + payload = None + + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'query': + if not meraki.params['vlan_id']: + meraki.result['data'] = get_vlans(meraki, net_id) + else: + path = meraki.construct_path('get_one', net_id=net_id, custom={'vlan_id': meraki.params['vlan_id']}) + response = meraki.request(path, method='GET') + meraki.result['data'] = response + elif meraki.params['state'] == 'present': + payload = construct_payload(meraki) + if is_vlan_valid(meraki, net_id, meraki.params['vlan_id']) is False: # Create new VLAN + if meraki.module.check_mode is True: + meraki.result['data'] = payload + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('create', net_id=net_id) + response = meraki.request(path, method='POST', payload=json.dumps(payload)) + meraki.result['changed'] = True + meraki.result['data'] = response + else: # Update existing VLAN + path = meraki.construct_path('get_one', net_id=net_id, custom={'vlan_id': meraki.params['vlan_id']}) + original = meraki.request(path, method='GET') + ignored = ['networkId'] + if meraki.is_update_required(original, payload, optional_ignore=ignored): + meraki.generate_diff(original, payload) + if meraki.module.check_mode is True: + original.update(payload) + meraki.result['changed'] = True + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + path = meraki.construct_path('update', net_id=net_id) + str(meraki.params['vlan_id']) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + meraki.result['changed'] = True + meraki.result['data'] = response + meraki.generate_diff(original, response) + else: + if meraki.module.check_mode is True: + meraki.result['data'] = original + meraki.exit_json(**meraki.result) + meraki.result['data'] = original + elif meraki.params['state'] == 'absent': + if is_vlan_valid(meraki, net_id, meraki.params['vlan_id']): + if meraki.module.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('delete', net_id=net_id) + str(meraki.params['vlan_id']) + response = meraki.request(path, 'DELETE') + meraki.result['changed'] = True + meraki.result['data'] = response + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_network.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_network.py new file mode 100644 index 00000000..84e5a2fc --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_network.py @@ -0,0 +1,469 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, 2019 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_network +short_description: Manage networks in the Meraki cloud +description: +- Allows for creation, management, and visibility into networks within Meraki. +options: + state: + description: + - Create or modify an organization. + choices: [ absent, present, query ] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [ name, network ] + type: str + net_id: + description: + - ID number of a network. + type: str + type: + description: + - Type of network device network manages. + - Required when creating a network. + - As of Ansible 2.8, C(combined) type is no longer accepted. + - As of Ansible 2.8, changes to this parameter are no longer idempotent. + choices: [ appliance, switch, wireless, sensor, systemsManager, camera, cellularGateway ] + aliases: [ net_type ] + type: list + elements: str + tags: + type: list + elements: str + description: + - List of tags to assign to network. + - C(tags) name conflicts with the tags parameter in Ansible. Indentation problems may cause unexpected behaviors. + - Ansible 2.8 converts this to a list from a comma separated list. + timezone: + description: + - Timezone associated to network. + - See U(https://en.wikipedia.org/wiki/List_of_tz_database_time_zones) for a list of valid timezones. + type: str + enable_vlans: + description: + - Boolean value specifying whether VLANs should be supported on a network. + - Requires C(net_name) or C(net_id) to be specified. + type: bool + local_status_page_enabled: + description: > + - This no longer works and will likely be moved to a separate module. + - Enables the local device status pages (U[my.meraki.com](my.meraki.com), U[ap.meraki.com](ap.meraki.com), U[switch.meraki.com](switch.meraki.com), + U[wired.meraki.com](wired.meraki.com)). + - Only can be specified on its own or with C(remote_status_page_enabled). + type: bool + remote_status_page_enabled: + description: + - This no longer works and will likely be moved to a separate module. + - Enables access to the device status page (U(http://device LAN IP)). + - Can only be set if C(local_status_page_enabled:) is set to C(yes). + - Only can be specified on its own or with C(local_status_page_enabled). + type: bool + copy_from_network_id: + description: + - New network inherits properties from this network ID. + - Other provided parameters will override the copied configuration. + - Type which must match this network's type exactly. + type: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- delegate_to: localhost + block: + - name: List all networks associated to the YourOrg organization + meraki_network: + auth_key: abc12345 + state: query + org_name: YourOrg + - name: Query network named MyNet in the YourOrg organization + meraki_network: + auth_key: abc12345 + state: query + org_name: YourOrg + net_name: MyNet + - name: Create network named MyNet in the YourOrg organization + meraki_network: + auth_key: abc12345 + state: present + org_name: YourOrg + net_name: MyNet + type: switch + timezone: America/Chicago + tags: production, chicago + - name: Create combined network named MyNet in the YourOrg organization + meraki_network: + auth_key: abc12345 + state: present + org_name: YourOrg + net_name: MyNet + type: + - switch + - appliance + timezone: America/Chicago + tags: production, chicago + - name: Create new network based on an existing network + meraki_network: + auth_key: abc12345 + state: present + org_name: YourOrg + net_name: MyNet + type: + - switch + - appliance + copy_from_network_id: N_1234 + - name: Enable VLANs on a network + meraki_network: + auth_key: abc12345 + state: query + org_name: YourOrg + net_name: MyNet + enable_vlans: yes + - name: Modify local status page enabled state + meraki_network: + auth_key: abc12345 + state: query + org_name: YourOrg + net_name: MyNet + local_status_page_enabled: yes +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + id: + description: Identification string of network. + returned: success + type: str + sample: N_12345 + name: + description: Written name of network. + returned: success + type: str + sample: YourNet + organization_id: + description: Organization ID which owns the network. + returned: success + type: str + sample: 0987654321 + tags: + description: Space delimited tags assigned to network. + returned: success + type: list + sample: ['production'] + time_zone: + description: Timezone where network resides. + returned: success + type: str + sample: America/Chicago + type: + description: Functional type of network. + returned: success + type: list + sample: ['switch'] + local_status_page_enabled: + description: States whether U(my.meraki.com) and other device portals should be enabled. + returned: success + type: bool + sample: true + remote_status_page_enabled: + description: Enables access to the device status page. + returned: success + type: bool + sample: true +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def is_net_valid(data, net_name=None, net_id=None): + if net_name is None and net_id is None: + return False + for n in data: + if net_name: + if n["name"] == net_name: + return True + elif net_id: + if n["id"] == net_id: + return True + return False + + +def get_network_settings(meraki, net_id): + path = meraki.construct_path("get_settings", net_id=net_id) + response = meraki.request(path, method="GET") + return response + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type="str"), + type=dict( + type="list", + elements="str", + choices=[ + "wireless", + "switch", + "appliance", + "sensor", + "systemsManager", + "camera", + "cellularGateway", + ], + aliases=["net_type"], + ), + tags=dict(type="list", elements="str"), + timezone=dict(type="str"), + net_name=dict(type="str", aliases=["name", "network"]), + state=dict( + type="str", choices=["present", "query", "absent"], default="present" + ), + enable_vlans=dict(type="bool"), + local_status_page_enabled=dict(type="bool"), + remote_status_page_enabled=dict(type="bool"), + copy_from_network_id=dict(type="str"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="network") + module.params["follow_redirects"] = "all" + payload = None + + create_urls = {"network": "/organizations/{org_id}/networks"} + update_urls = {"network": "/networks/{net_id}"} + delete_urls = {"network": "/networks/{net_id}"} + update_settings_urls = {"network": "/networks/{net_id}/settings"} + get_settings_urls = {"network": "/networks/{net_id}/settings"} + enable_vlans_urls = {"network": "/networks/{net_id}/appliance/vlans/settings"} + get_vlan_status_urls = {"network": "/networks/{net_id}/appliance/vlans/settings"} + meraki.url_catalog["create"] = create_urls + meraki.url_catalog["update"] = update_urls + meraki.url_catalog["update_settings"] = update_settings_urls + meraki.url_catalog["get_settings"] = get_settings_urls + meraki.url_catalog["delete"] = delete_urls + meraki.url_catalog["enable_vlans"] = enable_vlans_urls + meraki.url_catalog["status_vlans"] = get_vlan_status_urls + + if not meraki.params["org_name"] and not meraki.params["org_id"]: + meraki.fail_json(msg="org_name or org_id parameters are required") + if meraki.params["state"] != "query": + if not meraki.params["net_name"] and not meraki.params["net_id"]: + meraki.fail_json( + msg="net_name or net_id is required for present or absent states" + ) + if meraki.params["net_name"] and meraki.params["net_id"]: + meraki.fail_json(msg="net_name and net_id are mutually exclusive") + if not meraki.params["net_name"] and not meraki.params["net_id"]: + if meraki.params["enable_vlans"]: + meraki.fail_json( + msg="The parameter 'enable_vlans' requires 'net_name' or 'net_id' to be specified" + ) + if ( + meraki.params["local_status_page_enabled"] is False + and meraki.params["remote_status_page_enabled"] is True + ): + meraki.fail_json( + msg="local_status_page_enabled must be true when setting remote_status_page_enabled" + ) + + # Construct payload + if meraki.params["state"] == "present": + payload = dict() + if meraki.params["net_name"]: + payload["name"] = meraki.params["net_name"] + if meraki.params["type"]: + payload["productTypes"] = meraki.params["type"] + if meraki.params["tags"]: + payload["tags"] = meraki.params["tags"] + if meraki.params["timezone"]: + payload["timeZone"] = meraki.params["timezone"] + if meraki.params["local_status_page_enabled"] is not None: + payload["localStatusPageEnabled"] = meraki.params[ + "local_status_page_enabled" + ] + if meraki.params["remote_status_page_enabled"] is not None: + payload["remoteStatusPageEnabled"] = meraki.params[ + "remote_status_page_enabled" + ] + if meraki.params["copy_from_network_id"] is not None: + payload["copyFromNetworkId"] = meraki.params["copy_from_network_id"] + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + if not org_id: + org_id = meraki.get_org_id(meraki.params["org_name"]) + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.params["net_id"] + net_exists = False + if net_id is not None: + if is_net_valid(nets, net_id=net_id) is False: + meraki.fail_json(msg="Network specified by net_id does not exist.") + net_exists = True + elif meraki.params["net_name"]: + if is_net_valid(nets, net_name=meraki.params["net_name"]) is True: + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + net_exists = True + + if meraki.params["state"] == "query": + if not meraki.params["net_name"] and not meraki.params["net_id"]: + meraki.result["data"] = nets + elif meraki.params["net_name"] or meraki.params["net_id"] is not None: + if ( + meraki.params["local_status_page_enabled"] is not None + or meraki.params["remote_status_page_enabled"] is not None + ): + meraki.result["data"] = get_network_settings(meraki, net_id) + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = meraki.get_net( + meraki.params["org_name"], net_name=meraki.params["net_name"], data=nets, net_id=meraki.params["net_id"], + ) + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + if net_exists is False: # Network needs to be created + if "type" not in meraki.params or meraki.params["type"] is None: + meraki.fail_json( + msg="type parameter is required when creating a network." + ) + if meraki.check_mode is True: + data = payload + data["id"] = "N_12345" + data["organization_id"] = org_id + meraki.result["data"] = data + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("create", org_id=org_id) + r = meraki.request(path, method="POST", payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result["data"] = r + meraki.result["changed"] = True + else: # Network exists, make changes + if meraki.params["enable_vlans"] is not None: # Modify VLANs configuration + status_path = meraki.construct_path("status_vlans", net_id=net_id) + status = meraki.request(status_path, method="GET") + payload = {"vlansEnabled": meraki.params["enable_vlans"]} + if meraki.is_update_required(status, payload): + if meraki.check_mode is True: + data = { + "vlansEnabled": meraki.params["enable_vlans"], + "network_id": net_id, + } + meraki.result["data"] = data + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("enable_vlans", net_id=net_id) + r = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result["data"] = r + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = status + meraki.exit_json(**meraki.result) + elif ( + meraki.params["local_status_page_enabled"] is not None + or meraki.params["remote_status_page_enabled"] is not None + ): + path = meraki.construct_path("get_settings", net_id=net_id) + original = meraki.request(path, method="GET") + payload = {} + if meraki.params["local_status_page_enabled"] is not None: + payload["localStatusPageEnabled"] = meraki.params[ + "local_status_page_enabled" + ] + if meraki.params["remote_status_page_enabled"] is not None: + payload["remoteStatusPageEnabled"] = meraki.params[ + "remote_status_page_enabled" + ] + if meraki.is_update_required(original, payload): + if meraki.check_mode is True: + original.update(payload) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update_settings", net_id=net_id) + response = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + meraki.result["data"] = response + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + else: + meraki.result["data"] = original + meraki.exit_json(**meraki.result) + net = meraki.get_net(meraki.params["org_name"], net_id=net_id, data=nets) + if meraki.is_update_required(net, payload): + if meraki.check_mode is True: + data = net + net.update(payload) + meraki.result["data"] = net + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update", net_id=net_id) + r = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result["data"] = r + meraki.result["changed"] = True + else: + meraki.result["data"] = net + elif meraki.params["state"] == "absent": + if is_net_valid(nets, net_id=net_id) is True: + if meraki.check_mode is True: + meraki.result["data"] = {} + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("delete", net_id=net_id) + r = meraki.request(path, method="DELETE") + if meraki.status == 204: + meraki.result["changed"] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_network_settings.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_network_settings.py new file mode 100644 index 00000000..098b7729 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_network_settings.py @@ -0,0 +1,337 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2023 Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_network_settings +short_description: Manage the settings of networks in the Meraki cloud +description: +- Allows for management of settings of networks within Meraki. +options: + state: + description: + - Create or modify an organization. + choices: [present, query] + type: str + default: query + net_name: + description: + - Name of a network. + aliases: [ name, network ] + type: str + net_id: + description: + - ID number of a network. + type: str + local_status_page_enabled: + description: > + - Enables the local device status pages (U[my.meraki.com](my.meraki.com), U[ap.meraki.com](ap.meraki.com), U[switch.meraki.com](switch.meraki.com), + U[wired.meraki.com](wired.meraki.com)). + - Only can be specified on its own or with C(remote_status_page_enabled). + type: bool + remote_status_page_enabled: + description: + - Enables access to the device status page (U(http://device LAN IP)). + - Can only be set if C(local_status_page_enabled:) is set to C(yes). + - Only can be specified on its own or with C(local_status_page_enabled). + type: bool + local_status_page: + description: + - Configuration stanza of the local status page. + type: dict + suboptions: + authentication: + description: + - Local status page authentication settings. + type: dict + suboptions: + enabled: + description: + - Set whether local status page authentication is enabled. + type: bool + password: + description: + - Set password on local status page. + type: str + secure_port: + description: + - Configuration of SecureConnect options applied to the network. + type: dict + suboptions: + enabled: + description: + - Set whether SecureConnect is enabled on the network. + type: bool +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" + - name: Get network settings + cisco.meraki.meraki_network_settings: + auth_key: '{{ auth_key }}' + state: query + org_name: '{{test_org_name}}' + net_name: NetworkSettingsTestNet + delegate_to: localhost + + - name: Update network settings + cisco.meraki.meraki_network_settings: + auth_key: '{{ auth_key }}' + state: present + org_name: '{{test_org_name}}' + net_name: NetworkSettingsTestNet + local_status_page_enabled: false + delegate_to: localhost + + - name: Enable password on local page + cisco.meraki.meraki_network_settings: + auth_key: '{{ auth_key }}' + state: present + org_name: '{{test_org_name}}' + net_name: NetworkSettingsTestNet + local_status_page_enabled: true + local_status_page: + authentication: + enabled: true + password: abc123 + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + local_status_page_enabled: + description: States whether U(my.meraki.com) and other device portals should be enabled. + returned: success + type: bool + sample: true + remote_status_page_enabled: + description: Enables access to the device status page. + returned: success + type: bool + sample: true + expire_data_older_than: + description: The number of days, weeks, or months in Epoch time to expire the data before + returned: success + type: int + sample: 1234 + fips: + description: A hash of FIPS options applied to the Network. + returned: success + type: complex + contains: + enabled: + description: Enables/disables FIPS on the network. + returned: success + type: bool + sample: true + local_status_page: + description: A hash of Local Status Page(s) authentication options applied to the Network. + returned: success + type: complex + contains: + authentication: + description: A hash of Local Status Pages' authentication options applied to the Network. + type: complex + contains: + username: + description: The username used for Local Status Pages. + type: str + returned: success + sample: admin + enabled: + description: Enables/Disables the authenticaiton on Local Status Pages. + type: bool + returned: success + sample: true + secure_port: + description: A hash of SecureConnect options applied to the Network. + type: complex + contains: + enabled: + description: Enables/disables SecureConnect on the network. + type: bool + returned: success + sample: true + named_vlans: + description: A hash of Named VLANs options applied to the Network. + type: complex + contains: + enabled: + description: Enables/disables Named VLANs on the network. + type: bool + returned: success + sample: true +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def is_net_valid(data, net_name=None, net_id=None): + if net_name is None and net_id is None: + return False + for n in data: + if net_name: + if n["name"] == net_name: + return True + elif net_id: + if n["id"] == net_id: + return True + return False + + +def get_network_settings(meraki, net_id): + path = meraki.construct_path("get_settings", net_id=net_id) + response = meraki.request(path, method="GET") + return response + + +def construct_payload(params): + payload = dict() + if params["local_status_page_enabled"] is not None: + payload["localStatusPageEnabled"] = params["local_status_page_enabled"] + if params["remote_status_page_enabled"] is not None: + payload["remoteStatusPageEnabled"] = params["remote_status_page_enabled"] + if params["local_status_page"] is not None: + payload["localStatusPage"] = dict() + if params["local_status_page"]["authentication"] is not None: + payload["localStatusPage"]["authentication"] = {} + if params["local_status_page"]["authentication"]["enabled"] is not None: + payload["localStatusPage"]["authentication"]["enabled"] = params["local_status_page"]["authentication"]["enabled"] + if params["local_status_page"]["authentication"]["password"] is not None: + payload["localStatusPage"]["authentication"]["password"] = params["local_status_page"]["authentication"]["password"] + if params["secure_port"] is not None: + payload["securePort"] = dict() + if params["secure_port"]["enabled"] is not None: + payload["securePort"]["enabled"] = params["secure_port"]["enabled"] + return payload + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + auth_args = dict( + enabled=dict(type="bool"), + password=dict(type="str", no_log=True), + ) + + local_status_page_args = dict( + authentication=dict(type="dict", default=None, options=auth_args), + ) + + secure_port_args = dict( + enabled=dict(type="bool"), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict(type="str", choices=["query", "present"], default="query"), + net_name=dict(type="str", aliases=["name", "network"]), + net_id=dict(type="str"), + local_status_page_enabled=dict(type="bool"), + remote_status_page_enabled=dict(type="bool"), + local_status_page=dict(type="dict", default=None, options=local_status_page_args), + secure_port=dict(type="dict", default=None, options=secure_port_args) + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="network") + module.params["follow_redirects"] = "all" + payload = None + + update_settings_urls = {"network": "/networks/{net_id}/settings"} + get_settings_urls = {"network": "/networks/{net_id}/settings"} + meraki.url_catalog["update_settings"] = update_settings_urls + meraki.url_catalog["get_settings"] = get_settings_urls + + if not meraki.params["org_name"] and not meraki.params["org_id"]: + meraki.fail_json(msg="org_name or org_id parameters are required") + if meraki.params["state"] != "query": + if not meraki.params["net_name"] and not meraki.params["net_id"]: + meraki.fail_json( + msg="net_name or net_id is required for present or absent states" + ) + if meraki.params["net_name"] and meraki.params["net_id"]: + meraki.fail_json(msg="net_name and net_id are mutually exclusive") + if ( + meraki.params["local_status_page_enabled"] is False + and meraki.params["remote_status_page_enabled"] is True + ): + meraki.fail_json( + msg="local_status_page_enabled must be true when setting remote_status_page_enabled" + ) + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + net_id = meraki.params["net_id"] + if not org_id: + org_id = meraki.get_org_id(meraki.params["org_name"]) + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + path = meraki.construct_path("get_settings", net_id=net_id) + meraki.result["data"] = meraki.request(path, method="GET") + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + path = meraki.construct_path("get_settings", net_id=net_id) + current = meraki.request(path, method="GET") + payload = construct_payload(meraki.params) + if meraki.is_update_required(current, payload, optional_ignore=["password"]): + if meraki.check_mode is True: + try: + del payload["local_status_page"]["authentication"]["password"] + except KeyError: + pass + meraki.result["data"] = payload + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("update_settings", net_id=net_id) + response = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.result["changed"] = True + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + meraki.result["data"] = current + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_organization.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_organization.py new file mode 100644 index 00000000..45148e89 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_organization.py @@ -0,0 +1,242 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_organization +short_description: Manage organizations in the Meraki cloud +description: +- Allows for creation, management, and visibility into organizations within Meraki. +options: + state: + description: + - Create or modify an organization. + - C(org_id) must be specified if multiple organizations of the same name exist. + - C(absent) WILL DELETE YOUR ENTIRE ORGANIZATION, AND ALL ASSOCIATED OBJECTS, WITHOUT CONFIRMATION. USE WITH CAUTION. + choices: ['absent', 'present', 'query'] + default: present + type: str + clone: + description: + - Organization to clone to a new organization. + type: str + org_name: + description: + - Name of organization. + - If C(clone) is specified, C(org_name) is the name of the new organization. + aliases: [ name, organization ] + type: str + org_id: + description: + - ID of organization. + aliases: [ id ] + type: str + delete_confirm: + description: + - ID of organization required for confirmation before deletion. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Create a new organization named YourOrg + meraki_organization: + auth_key: abc12345 + org_name: YourOrg + state: present + delegate_to: localhost + +- name: Delete an organization named YourOrg + meraki_organization: + auth_key: abc12345 + org_name: YourOrg + state: absent + delegate_to: localhost + +- name: Query information about all organizations associated to the user + meraki_organization: + auth_key: abc12345 + state: query + delegate_to: localhost + +- name: Query information about a single organization named YourOrg + meraki_organization: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Rename an organization to RenamedOrg + meraki_organization: + auth_key: abc12345 + org_id: 987654321 + org_name: RenamedOrg + state: present + delegate_to: localhost + +- name: Clone an organization named Org to a new one called ClonedOrg + meraki_organization: + auth_key: abc12345 + clone: Org + org_name: ClonedOrg + state: present + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about the organization which was created or modified + returned: success + type: complex + contains: + id: + description: Unique identification number of organization + returned: success + type: int + sample: 2930418 + name: + description: Name of organization + returned: success + type: str + sample: YourOrg + +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_org(meraki, org_id, data): + # meraki.fail_json(msg=str(org_id), data=data, oid0=data[0]['id'], oid1=data[1]['id']) + for o in data: + # meraki.fail_json(msg='o', data=o['id'], type=str(type(o['id']))) + if o['id'] == org_id: + return o + return -1 + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update(clone=dict(type='str'), + state=dict(type='str', choices=['absent', 'present', 'query'], default='present'), + org_name=dict(type='str', aliases=['name', 'organization']), + org_id=dict(type='str', aliases=['id']), + delete_confirm=dict(type='str'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='organizations') + + meraki.params['follow_redirects'] = 'all' + + create_urls = {'organizations': '/organizations'} + update_urls = {'organizations': '/organizations/{org_id}'} + delete_urls = {'organizations': '/organizations/{org_id}'} + clone_urls = {'organizations': '/organizations/{org_id}/clone'} + + meraki.url_catalog['create'] = create_urls + meraki.url_catalog['update'] = update_urls + meraki.url_catalog['clone'] = clone_urls + meraki.url_catalog['delete'] = delete_urls + + payload = None + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + orgs = meraki.get_orgs() + if meraki.params['state'] == 'query': + if meraki.params['org_name']: # Query by organization name + module.warn('All matching organizations will be returned, even if there are duplicate named organizations') + for o in orgs: + if o['name'] == meraki.params['org_name']: + meraki.result['data'] = o + elif meraki.params['org_id']: + for o in orgs: + if o['id'] == meraki.params['org_id']: + meraki.result['data'] = o + else: # Query all organizations, no matter what + meraki.result['data'] = orgs + elif meraki.params['state'] == 'present': + if meraki.params['clone']: # Cloning + payload = {'name': meraki.params['org_name']} + response = meraki.request(meraki.construct_path('clone', + org_name=meraki.params['clone'] + ), + payload=json.dumps(payload), + method='POST') + if meraki.status != 201: + meraki.fail_json(msg='Organization clone failed') + meraki.result['data'] = response + meraki.result['changed'] = True + elif not meraki.params['org_id'] and meraki.params['org_name']: # Create new organization + payload = {'name': meraki.params['org_name']} + response = meraki.request(meraki.construct_path('create'), + method='POST', + payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result['data'] = response + meraki.result['changed'] = True + elif meraki.params['org_id'] and meraki.params['org_name']: # Update an existing organization + payload = {'name': meraki.params['org_name'], + 'id': meraki.params['org_id'], + } + original = get_org(meraki, meraki.params['org_id'], orgs) + if meraki.is_update_required(original, payload, optional_ignore=['url']): + response = meraki.request(meraki.construct_path('update', + org_id=meraki.params['org_id'] + ), + method='PUT', + payload=json.dumps(payload)) + if meraki.status != 200: + meraki.fail_json(msg='Organization update failed') + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + elif meraki.params['state'] == 'absent': + if meraki.params['org_name'] is not None: + org_id = meraki.get_org_id(meraki.params['org_name']) + elif meraki.params['org_id'] is not None: + org_id = meraki.params['org_id'] + if meraki.params['delete_confirm'] != org_id: + meraki.fail_json(msg="delete_confirm must match the network ID of the network to be deleted.") + if meraki.check_mode is True: + meraki.result['data'] = {} + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path('delete', org_id=org_id) + response = meraki.request(path, method='DELETE') + if meraki.status == 204: + meraki.result['data'] = {} + meraki.result['changed'] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_snmp.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_snmp.py new file mode 100644 index 00000000..0240a168 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_snmp.py @@ -0,0 +1,387 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function +__metaclass__ = type + +ANSIBLE_METADATA = { + 'metadata_version': '1.1', + 'status': ['preview'], + 'supported_by': 'community' +} + +DOCUMENTATION = r''' +--- +module: meraki_snmp +short_description: Manage organizations in the Meraki cloud +description: +- Allows for management of SNMP settings for Meraki. +options: + state: + description: + - Specifies whether SNMP information should be queried or modified. + choices: ['query', 'present'] + default: present + type: str + v2c_enabled: + description: + - Specifies whether SNMPv2c is enabled. + type: bool + v3_enabled: + description: + - Specifies whether SNMPv3 is enabled. + type: bool + v3_auth_mode: + description: + - Sets authentication mode for SNMPv3. + choices: ['MD5', 'SHA'] + type: str + v3_auth_pass: + description: + - Authentication password for SNMPv3. + - Must be at least 8 characters long. + type: str + v3_priv_mode: + description: + - Specifies privacy mode for SNMPv3. + choices: ['DES', 'AES128'] + type: str + v3_priv_pass: + description: + - Privacy password for SNMPv3. + - Must be at least 8 characters long. + type: str + peer_ips: + description: + - List of IP addresses which can perform SNMP queries. + type: list + elements: str + net_name: + description: + - Name of network. + type: str + net_id: + description: + - ID of network. + type: str + access: + description: + - Type of SNMP access. + choices: [community, none, users] + type: str + community_string: + description: + - SNMP community string. + - Only relevant if C(access) is set to C(community). + type: str + users: + description: + - Information about users with access to SNMP. + - Only relevant if C(access) is set to C(users). + type: list + elements: dict + suboptions: + username: + description: Username of user with access. + type: str + passphrase: + description: Passphrase for user SNMP access. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +''' + +EXAMPLES = r''' +- name: Query SNMP values + meraki_snmp: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Enable SNMPv2 + meraki_snmp: + auth_key: abc12345 + org_name: YourOrg + state: present + v2c_enabled: yes + delegate_to: localhost + +- name: Disable SNMPv2 + meraki_snmp: + auth_key: abc12345 + org_name: YourOrg + state: present + v2c_enabled: no + delegate_to: localhost + +- name: Enable SNMPv3 + meraki_snmp: + auth_key: abc12345 + org_name: YourOrg + state: present + v3_enabled: true + v3_auth_mode: SHA + v3_auth_pass: ansiblepass + v3_priv_mode: AES128 + v3_priv_pass: ansiblepass + peer_ips: 192.0.1.1;192.0.1.2 + delegate_to: localhost + +- name: Set network access type to community string + meraki_snmp: + auth_key: abc1235 + org_name: YourOrg + net_name: YourNet + state: present + access: community + community_string: abc123 + delegate_to: localhost + +- name: Set network access type to username + meraki_snmp: + auth_key: abc1235 + org_name: YourOrg + net_name: YourNet + state: present + access: users + users: + - username: ansibleuser + passphrase: ansiblepass + delegate_to: localhost +''' + +RETURN = r''' +data: + description: Information about SNMP settings. + type: complex + returned: always + contains: + hostname: + description: Hostname of SNMP server. + returned: success and no network specified. + type: str + sample: n1.meraki.com + peer_ips: + description: Semi-colon delimited list of IPs which can poll SNMP information. + returned: success and no network specified. + type: str + sample: 192.0.1.1 + port: + description: Port number of SNMP. + returned: success and no network specified. + type: str + sample: 16100 + v2c_enabled: + description: Shows enabled state of SNMPv2c + returned: success and no network specified. + type: bool + sample: true + v3_enabled: + description: Shows enabled state of SNMPv3 + returned: success and no network specified. + type: bool + sample: true + v3_auth_mode: + description: The SNMP version 3 authentication mode either MD5 or SHA. + returned: success and no network specified. + type: str + sample: SHA + v3_priv_mode: + description: The SNMP version 3 privacy mode DES or AES128. + returned: success and no network specified. + type: str + sample: AES128 + v2_community_string: + description: Automatically generated community string for SNMPv2c. + returned: When SNMPv2c is enabled and no network specified. + type: str + sample: o/8zd-JaSb + v3_user: + description: Automatically generated username for SNMPv3. + returned: When SNMPv3c is enabled and no network specified. + type: str + sample: o/8zd-JaSb + access: + description: Type of SNMP access. + type: str + returned: success, when network specified + community_string: + description: SNMP community string. Only relevant if C(access) is set to C(community). + type: str + returned: success, when network specified + users: + description: Information about users with access to SNMP. Only relevant if C(access) is set to C(users). + type: complex + contains: + username: + description: Username of user with access. + type: str + returned: success, when network specified + passphrase: + description: Passphrase for user SNMP access. + type: str + returned: success, when network specified +''' + +from ansible.module_utils.basic import AnsibleModule, json +from ansible.module_utils.common.dict_transformations import snake_dict_to_camel_dict +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import MerakiModule, meraki_argument_spec + + +def get_snmp(meraki, org_id): + path = meraki.construct_path('get_all', org_id=org_id) + r = meraki.request(path, + method='GET', + ) + if meraki.status == 200: + return r + + +def set_snmp(meraki, org_id): + payload = dict() + if meraki.params['v2c_enabled'] is not None: + payload = {'v2cEnabled': meraki.params['v2c_enabled'], + } + if meraki.params['v3_enabled'] is True: + if len(meraki.params['v3_auth_pass']) < 8 or len(meraki.params['v3_priv_pass']) < 8: + meraki.fail_json(msg='v3_auth_pass and v3_priv_pass must both be at least 8 characters long.') + if meraki.params['v3_auth_mode'] is None or \ + meraki.params['v3_auth_pass'] is None or \ + meraki.params['v3_priv_mode'] is None or \ + meraki.params['v3_priv_pass'] is None: + meraki.fail_json(msg='v3_auth_mode, v3_auth_pass, v3_priv_mode, and v3_auth_pass are required') + payload = {'v3Enabled': meraki.params['v3_enabled'], + 'v3AuthMode': meraki.params['v3_auth_mode'].upper(), + 'v3AuthPass': meraki.params['v3_auth_pass'], + 'v3PrivMode': meraki.params['v3_priv_mode'].upper(), + 'v3PrivPass': meraki.params['v3_priv_pass'], + } + if meraki.params['peer_ips'] is not None: + payload['peerIps'] = meraki.params['peer_ips'] + elif meraki.params['v3_enabled'] is False: + payload = {'v3Enabled': False} + full_compare = snake_dict_to_camel_dict(payload) + path = meraki.construct_path('create', org_id=org_id) + snmp = get_snmp(meraki, org_id) + ignored_parameters = ['v3AuthPass', 'v3PrivPass', 'hostname', 'port', 'v2CommunityString', 'v3User'] + if meraki.is_update_required(snmp, full_compare, optional_ignore=ignored_parameters): + if meraki.module.check_mode is True: + meraki.generate_diff(snmp, full_compare) + snmp.update(payload) + meraki.result['data'] = snmp + meraki.result['changed'] = True + meraki.exit_json(**meraki.result) + r = meraki.request(path, + method='PUT', + payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(snmp, r) + meraki.result['changed'] = True + return r + else: + return snmp + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + user_arg_spec = dict(username=dict(type='str'), + passphrase=dict(type='str', no_log=True), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update(state=dict(type='str', choices=['present', 'query'], default='present'), + v2c_enabled=dict(type='bool'), + v3_enabled=dict(type='bool'), + v3_auth_mode=dict(type='str', choices=['SHA', 'MD5']), + v3_auth_pass=dict(type='str', no_log=True), + v3_priv_mode=dict(type='str', choices=['DES', 'AES128']), + v3_priv_pass=dict(type='str', no_log=True), + peer_ips=dict(type='list', default=None, elements='str'), + access=dict(type='str', choices=['none', 'community', 'users']), + community_string=dict(type='str', no_log=True), + users=dict(type='list', default=None, elements='dict', options=user_arg_spec), + net_name=dict(type='str'), + net_id=dict(type='str'), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule(argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function='snmp') + meraki.params['follow_redirects'] = 'all' + + query_urls = {'snmp': '/organizations/{org_id}/snmp'} + query_net_urls = {'snmp': '/networks/{net_id}/snmp'} + update_urls = {'snmp': '/organizations/{org_id}/snmp'} + update_net_urls = {'snmp': '/networks/{net_id}/snmp'} + + meraki.url_catalog['get_all'].update(query_urls) + meraki.url_catalog['query_net_all'] = query_net_urls + meraki.url_catalog['create'] = update_urls + meraki.url_catalog['create_net'] = update_net_urls + + payload = None + + if not meraki.params['org_name'] and not meraki.params['org_id']: + meraki.fail_json(msg='org_name or org_id is required') + + org_id = meraki.params['org_id'] + if org_id is None: + org_id = meraki.get_org_id(meraki.params['org_name']) + net_id = meraki.params['net_id'] + if net_id is None and meraki.params['net_name']: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(org_id, meraki.params['net_name'], data=nets) + + if meraki.params['state'] == 'present': + if net_id is not None: + payload = {'access': meraki.params['access']} + if meraki.params['community_string'] is not None: + payload['communityString'] = meraki.params['community_string'] + elif meraki.params['users'] is not None: + payload['users'] = meraki.params['users'] + + if meraki.params['state'] == 'query': + if net_id is None: + meraki.result['data'] = get_snmp(meraki, org_id) + else: + path = meraki.construct_path('query_net_all', net_id=net_id) + response = meraki.request(path, method='GET') + if meraki.status == 200: + meraki.result['data'] = response + elif meraki.params['state'] == 'present': + if net_id is None: + meraki.result['data'] = set_snmp(meraki, org_id) + else: + path = meraki.construct_path('query_net_all', net_id=net_id) + original = meraki.request(path, method='GET') + if meraki.is_update_required(original, payload): + path = meraki.construct_path('create_net', net_id=net_id) + response = meraki.request(path, method='PUT', payload=json.dumps(payload)) + if meraki.status == 200: + if response['access'] == 'none': + meraki.result['data'] = {} + else: + meraki.result['data'] = response + meraki.result['changed'] = True + else: + meraki.result['data'] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == '__main__': + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_syslog.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_syslog.py new file mode 100644 index 00000000..e9423875 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_syslog.py @@ -0,0 +1,317 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2018, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_syslog +short_description: Manage syslog server settings in the Meraki cloud. +description: +- Allows for creation and management of Syslog servers within Meraki. +notes: +- Changes to existing syslog servers replaces existing configuration. If you need to add to an + existing configuration set state to query to gather the existing configuration and then modify or add. +options: + auth_key: + description: + - Authentication key provided by the dashboard. Required if environmental variable MERAKI_KEY is not set. + type: str + state: + description: + - Query or edit syslog servers + - To delete a syslog server, do not include server in list of servers + choices: [present, query] + default: present + type: str + net_name: + description: + - Name of a network. + aliases: [name, network] + type: str + net_id: + description: + - ID number of a network. + type: str + servers: + description: + - List of syslog server settings + type: list + elements: dict + suboptions: + host: + description: + - IP address or hostname of Syslog server. + type: str + port: + description: + - Port number Syslog server is listening on. + default: "514" + type: int + roles: + description: + - List of applicable Syslog server roles. + - Choices can be one of Wireless Event log, Appliance event log, Switch event log, Air Marshal events, Flows, URLs, IDS alerts, Security events + type: list + elements: str + +author: + - Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query syslog configurations on network named MyNet in the YourOrg organization + meraki_syslog: + auth_key: abc12345 + state: query + org_name: YourOrg + net_name: MyNet + delegate_to: localhost + +- name: Add single syslog server with Appliance event log role + meraki_syslog: + auth_key: abc12345 + state: present + org_name: YourOrg + net_name: MyNet + servers: + - host: 192.0.1.2 + port: 514 + roles: + - Appliance event log + delegate_to: localhost + +- name: Add multiple syslog servers + meraki_syslog: + auth_key: abc12345 + state: present + org_name: YourOrg + net_name: MyNet + servers: + - host: 192.0.1.2 + port: 514 + roles: + - Appliance event log + - host: 192.0.1.3 + port: 514 + roles: + - Appliance event log + - Flows + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about the created or manipulated object. + returned: info + type: complex + contains: + servers: + description: List of syslog servers. + returned: info + type: complex + contains: + host: + description: Hostname or IP address of syslog server. + returned: success + type: str + sample: 192.0.1.1 + port: + description: Port number for syslog communication. + returned: success + type: str + sample: 443 + roles: + description: List of roles assigned to syslog server. + returned: success + type: list + sample: "Wireless event log, URLs" +""" + +from copy import deepcopy +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def sort_roles(syslog_servers): + """Accept a full payload and sort roles""" + # sorted_servers = list() + for i, server in enumerate(syslog_servers): + syslog_servers["servers"][i]["roles"] = sorted( + syslog_servers["servers"][i]["roles"] + ) + # return sorted_servers + + +def validate_role_choices(meraki, servers): + choices = [ + "Wireless event log", + "Appliance event log", + "Switch event log", + "Air Marshal events", + "Flows", + "URLs", + "IDS alerts", + "Security events", + ] + + # Change all choices to lowercase for comparison + for i in range(len(choices)): + choices[i] = choices[i].lower() + for server in range(len(servers)): + for role in servers[server]["roles"]: + if role.lower() not in choices: + meraki.fail_json( + msg="Invalid role found in {0}.".format(servers[server]["host"]) + ) + + +def normalize_roles(meraki, servers): + if len(servers["servers"]) > 0: + for server in range(len(servers)): + for role in range(len(servers["servers"][server]["roles"])): + servers["servers"][server]["roles"][role] = servers["servers"][server][ + "roles" + ][role].lower() + return servers + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + + server_arg_spec = dict( + host=dict(type="str"), + port=dict(type="int", default="514"), + roles=dict( + type="list", + elements="str", + ), + ) + + argument_spec = meraki_argument_spec() + argument_spec.update( + net_id=dict(type="str"), + servers=dict(type="list", elements="dict", options=server_arg_spec), + state=dict(type="str", choices=["present", "query"], default="present"), + net_name=dict(type="str", aliases=["name", "network"]), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + + meraki = MerakiModule(module, function="syslog") + module.params["follow_redirects"] = "all" + payload = None + + syslog_urls = {"syslog": "/networks/{net_id}/syslogServers"} + meraki.url_catalog["query_update"] = syslog_urls + + if not meraki.params["org_name"] and not meraki.params["org_id"]: + meraki.fail_json(msg="org_name or org_id parameters are required") + if meraki.params["state"] != "query": + if not meraki.params["net_name"] and not meraki.params["net_id"]: + meraki.fail_json( + msg="net_name or net_id is required for present or absent states" + ) + if meraki.params["net_name"] and meraki.params["net_id"]: + meraki.fail_json(msg="net_name and net_id are mutually exclusive") + + # if the user is working with this module in only check mode we do not + # want to make any changes to the environment, just return the current + # state with no modifications + + # manipulate or modify the state as needed (this is going to be the + # part where your module will do what it needs to do) + + org_id = meraki.params["org_id"] + if not org_id: + org_id = meraki.get_org_id(meraki.params["org_name"]) + net_id = meraki.params["net_id"] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + + if meraki.params["state"] == "query": + path = meraki.construct_path("query_update", net_id=net_id) + r = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = r + elif meraki.params["state"] == "present": + # Validate roles + validate_role_choices(meraki, meraki.params["servers"]) + + # Construct payload + payload = dict() + payload["servers"] = meraki.params["servers"] + + # Convert port numbers to string for idempotency checks + for server in payload["servers"]: + if server["port"]: + server["port"] = str(server["port"]) + path = meraki.construct_path("query_update", net_id=net_id) + r = meraki.request(path, method="GET") + if meraki.status == 200: + original = r + + # Roles must be sorted since out of order responses may break idempotency check + # Need to check to make sure servers are actually defined + if original is not None: + if len(original["servers"]) > 0: + sort_roles(original) + if payload is not None: + if len(payload["servers"]) > 0: + sort_roles(payload) + + # Sanitize roles for comparison + sanitized_original = normalize_roles(meraki, deepcopy(original)) + sanitized_payload = normalize_roles(meraki, deepcopy(payload)) + + if meraki.is_update_required(sanitized_original, sanitized_payload): + if meraki.module.check_mode is True: + meraki.generate_diff(original, payload) + original.update(payload) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("query_update", net_id=net_id) + r = meraki.request(path, method="PUT", payload=json.dumps(payload)) + if meraki.status == 200: + meraki.generate_diff(original, r) + meraki.result["data"] = r + meraki.result["changed"] = True + else: + if meraki.module.check_mode is True: + meraki.result["data"] = original + meraki.exit_json(**meraki.result) + meraki.result["data"] = original + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook.py new file mode 100644 index 00000000..9b8ce2f6 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook.py @@ -0,0 +1,431 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2019, Kevin Breit (@kbreit) <kevin.breit@kevinbreit.net> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_webhook +short_description: Manage webhooks configured in the Meraki cloud +description: +- Configure and query information about webhooks within the Meraki cloud. +notes: +- Some of the options are likely only used for developers within Meraki. +options: + state: + description: + - Specifies whether object should be queried, created/modified, or removed. + choices: [absent, present, query] + default: query + type: str + net_name: + description: + - Name of network which configuration is applied to. + aliases: [network] + type: str + net_id: + description: + - ID of network which configuration is applied to. + type: str + name: + description: + - Name of webhook. + type: str + shared_secret: + description: + - Secret password to use when accessing webhook. + type: str + url: + description: + - URL to access when calling webhook. + type: str + webhook_id: + description: + - Unique ID of webhook. + type: str + payload_template_name: + description: + - The name of the payload template + type: str + payload_template_id: + description: + - The ID of the payload template. Overrides payload_template_name if passed too. + type: str + test: + description: + - Indicates whether to test or query status. + type: str + choices: [test] + test_id: + description: + - ID of webhook test query. + type: str +author: +- Kevin Breit (@kbreit) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Create webhook + meraki_webhook: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + name: Test_Hook + url: https://webhook.url/ + shared_secret: shhhdonttellanyone + payload_template_name: 'Slack (included)' + delegate_to: localhost + +- name: Query one webhook + meraki_webhook: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + name: Test_Hook + delegate_to: localhost + +- name: Query all webhooks + meraki_webhook: + auth_key: abc123 + state: query + org_name: YourOrg + net_name: YourNet + delegate_to: localhost + +- name: Delete webhook + meraki_webhook: + auth_key: abc123 + state: absent + org_name: YourOrg + net_name: YourNet + name: Test_Hook + delegate_to: localhost + +- name: Test webhook + meraki_webhook: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + test: test + url: https://webhook.url/abc123 + delegate_to: localhost + +- name: Get webhook status + meraki_webhook: + auth_key: abc123 + state: present + org_name: YourOrg + net_name: YourNet + test: status + test_id: abc123531234 + delegate_to: localhost +""" + +RETURN = r""" +data: + description: List of administrators. + returned: success + type: complex + contains: + id: + description: Unique ID of webhook. + returned: success + type: str + sample: aHR0cHM6Ly93ZWJob22LnvpdGUvOGViNWI3NmYtYjE2Ny00Y2I4LTlmYzQtND32Mj3F5NzIaMjQ0 + name: + description: Descriptive name of webhook. + returned: success + type: str + sample: Test_Hook + networkId: + description: ID of network containing webhook object. + returned: success + type: str + sample: N_12345 + shared_secret: + description: Password for webhook. + returned: success + type: str + sample: VALUE_SPECIFIED_IN_NO_LOG_PARAMETER + url: + description: URL of webhook endpoint. + returned: success + type: str + sample: https://webhook.url/abc123 + status: + description: Status of webhook test. + returned: success, when testing webhook + type: str + sample: enqueued + payloadTemplate: + description: The payload template used when posting data to the HTTP server. + returned: success + type: str + sample: + payloadTemplateId: wpt_00001 + name: Meraki (included) +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def get_webhook_id(name, webhooks): + for webhook in webhooks: + if name == webhook["name"]: + return webhook["id"] + return None + + +def get_all_webhooks(meraki, net_id): + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, method="GET") + if meraki.status == 200: + return response + + +def sanitize_no_log_values(meraki): + try: + meraki.result["diff"]["before"][ + "shared_secret" + ] = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" + except KeyError: + pass + try: + for i in meraki.result['data']: + i[ + "shared_secret" + ] = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" + except (KeyError, TypeError): + pass + try: + meraki.result["data"]["shared_secret"] = "VALUE_SPECIFIED_IN_NO_LOG_PARAMETER" + except (KeyError, TypeError): + pass + + +def get_webhook_payload_templates(meraki, net_id): + path = meraki.construct_path("get_payload_templates", net_id=net_id) + response = meraki.request(path, "GET") + if meraki.status != 200: + meraki.fail_json(msg="Unable to get webhook payload templates") + return response + + +def get_webhook_payload_template_id(meraki, templates, name): + for template in templates: + if template["name"] == name: + return template["payloadTemplateId"] + meraki.fail_json(msg="No payload template found with the name {0}".format(name)) + + +def main(): + # define the available arguments/parameters that a user can pass to + # the module + + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict(type="str", choices=["absent", "present", "query"], default="query"), + net_name=dict(type="str", aliases=["network"]), + net_id=dict(type="str"), + name=dict(type="str"), + url=dict(type="str"), + shared_secret=dict(type="str", no_log=True), + webhook_id=dict(type="str"), + test=dict(type="str", choices=["test"]), + test_id=dict(type="str"), + payload_template_name=dict(type="str"), + payload_template_id=dict(type="str"), + ) + + # the AnsibleModule object will be our abstraction working with Ansible + # this includes instantiation, a couple of common attr would be the + # args/params passed to the execution, as well as if the module + # supports check mode + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="webhooks") + + meraki.params["follow_redirects"] = "all" + + query_url = {"webhooks": "/networks/{net_id}/webhooks/httpServers"} + query_one_url = {"webhooks": "/networks/{net_id}/webhooks/httpServers/{hookid}"} + create_url = {"webhooks": "/networks/{net_id}/webhooks/httpServers"} + update_url = {"webhooks": "/networks/{net_id}/webhooks/httpServers/{hookid}"} + delete_url = {"webhooks": "/networks/{net_id}/webhooks/httpServers/{hookid}"} + test_url = {"webhooks": "/networks/{net_id}/webhooks/webhookTests"} + test_status_url = {"webhooks": "/networks/{net_id}/webhooks/webhookTests/{testid}"} + query_payload_templates = { + "webhooks": "/networks/{net_id}/webhooks/payloadTemplates" + } + meraki.url_catalog["get_all"].update(query_url) + meraki.url_catalog["get_one"].update(query_one_url) + meraki.url_catalog["create"] = create_url + meraki.url_catalog["update"] = update_url + meraki.url_catalog["delete"] = delete_url + meraki.url_catalog["test"] = test_url + meraki.url_catalog["test_status"] = test_status_url + meraki.url_catalog["get_payload_templates"] = query_payload_templates + + org_id = meraki.params["org_id"] + if org_id is None: + org_id = meraki.get_org_id(meraki.params["org_name"]) + + net_id = meraki.params["net_id"] + if net_id is None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id(net_name=meraki.params["net_name"], data=nets) + + templates = get_webhook_payload_templates(meraki, net_id) + payload_template_id = meraki.params["payload_template_id"] + if ( + payload_template_id is None + and meraki.params["payload_template_name"] is not None + ): + payload_template_id = get_webhook_payload_template_id( + meraki, templates, name=meraki.params["payload_template_name"] + ) + + webhook_id = meraki.params["webhook_id"] + webhooks = None + if webhook_id is None and meraki.params["name"]: + webhooks = get_all_webhooks(meraki, net_id) + webhook_id = get_webhook_id(meraki.params["name"], webhooks) + + if meraki.params["state"] == "present" and meraki.params["test"] is None: + payload = { + "name": meraki.params["name"], + "url": meraki.params["url"], + } + if meraki.params["shared_secret"] is not None: + payload["sharedSecret"] = meraki.params["shared_secret"] + if payload_template_id is not None: + payload["payloadTemplate"] = {"payloadTemplateId": payload_template_id} + + if meraki.params["state"] == "query": + if webhook_id is not None: # Query a single webhook + path = meraki.construct_path( + "get_one", net_id=net_id, custom={"hookid": webhook_id} + ) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + sanitize_no_log_values(meraki) + meraki.exit_json(**meraki.result) + elif meraki.params["test_id"] is not None: + path = meraki.construct_path( + "test_status", + net_id=net_id, + custom={"testid": meraki.params["test_id"]}, + ) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + sanitize_no_log_values(meraki) + meraki.exit_json(**meraki.result) + else: + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, method="GET") + if meraki.status == 200: + meraki.result["data"] = response + # meraki.fail_json(msg=meraki.result) + sanitize_no_log_values(meraki) + meraki.exit_json(**meraki.result) + elif meraki.params["state"] == "present": + if meraki.params["test"] == "test": + payload = {"url": meraki.params["url"]} + path = meraki.construct_path("test", net_id=net_id) + response = meraki.request(path, method="POST", payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result["data"] = response + meraki.exit_json(**meraki.result) + if webhook_id is None: # New webhook needs to be created + if meraki.check_mode is True: + meraki.result["data"] = payload + meraki.result["data"]["networkId"] = net_id + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path("create", net_id=net_id) + response = meraki.request(path, method="POST", payload=json.dumps(payload)) + if meraki.status == 201: + meraki.result["data"] = response + meraki.result["changed"] = True + else: # Need to update + path = meraki.construct_path( + "get_one", net_id=net_id, custom={"hookid": webhook_id} + ) + original = meraki.request(path, method="GET") + if meraki.is_update_required(original, payload): + if meraki.check_mode is True: + meraki.generate_diff(original, payload) + sanitize_no_log_values(meraki) + original.update(payload) + meraki.result["data"] = original + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path( + "update", net_id=net_id, custom={"hookid": webhook_id} + ) + response = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + if meraki.status == 200: + # Not all fields are included so it needs to be checked to avoid comparing same thing + if meraki.is_update_required(original, response): + meraki.generate_diff(original, response) + sanitize_no_log_values(meraki) + meraki.result["data"] = response + meraki.result["changed"] = True + else: + meraki.result["data"] = original + elif meraki.params["state"] == "absent": + if webhook_id is None: # Make sure it is downloaded + if webhooks is None: + webhooks = get_all_webhooks(meraki, net_id) + webhook_id = get_webhook_id(meraki.params["name"], webhooks) + if webhook_id is None: + meraki.fail_json( + msg="There is no webhook with the name {0}".format( + meraki.params["name"] + ) + ) + if webhook_id: # Test to see if it exists + if meraki.module.check_mode is True: + meraki.result["data"] = None + meraki.result["changed"] = True + meraki.exit_json(**meraki.result) + path = meraki.construct_path( + "delete", net_id=net_id, custom={"hookid": webhook_id} + ) + response = meraki.request(path, method="DELETE") + if meraki.status == 204: + meraki.result["data"] = response + meraki.result["changed"] = True + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() diff --git a/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook_payload_template.py b/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook_payload_template.py new file mode 100644 index 00000000..d7cc5a19 --- /dev/null +++ b/ansible_collections/cisco/meraki/plugins/modules/meraki_webhook_payload_template.py @@ -0,0 +1,352 @@ +#!/usr/bin/python +# -*- coding: utf-8 -*- + +# Copyright: (c) 2022, Joshua Coronado (@joshuajcoronado) <joshua@coronado.io> +# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt) + +from __future__ import absolute_import, division, print_function + +__metaclass__ = type + +ANSIBLE_METADATA = { + "metadata_version": "1.1", + "status": ["preview"], + "supported_by": "community", +} + +DOCUMENTATION = r""" +--- +module: meraki_webhook_payload_template +short_description: Manage webhook payload templates for a network in the Meraki cloud +description: +- Allows for querying, deleting, creating, and updating of webhook payload templates. +options: + state: + description: + - Specifies whether payload template should be queried, created, modified, or deleted. + choices: ['absent', 'query', 'present'] + default: query + type: str + name: + description: + - Name of the template. + type: str + net_name: + description: + - Name of network containing access points. + type: str + net_id: + description: + - ID of network containing access points. + type: str + body: + description: + - The liquid template used for the body of the webhook message. + type: str + headers: + description: + - List of the liquid templates used with the webhook headers. + type: list + elements: dict + default: [] + suboptions: + name: + description: + - The name of the header template. + type: str + template: + description: + - The liquid template for the headers + type: str +author: +- Joshua Coronado (@joshuajcoronado) +extends_documentation_fragment: cisco.meraki.meraki +""" + +EXAMPLES = r""" +- name: Query all configuration templates + meraki_webhook_payload_template: + auth_key: abc12345 + org_name: YourOrg + state: query + delegate_to: localhost + +- name: Query specific configuration templates + meraki_webhook_payload_template: + auth_key: abc12345 + org_name: YourOrg + state: query + name: Twitter + delegate_to: localhost + +- name: Create payload template + meraki_webhook_payload_template: + auth_key: abc12345 + org_name: YourOrg + state: query + name: TestTemplate + body: Testbody + headers: + - name: testheader + template: testheadertemplate + delegate_to: localhost + +- name: Delete a configuration template + meraki_config_template: + auth_key: abc123 + state: absent + org_name: YourOrg + name: TestTemplate + delegate_to: localhost +""" + +RETURN = r""" +data: + description: Information about queried object. + returned: success + type: complex + contains: + name: + description: + - The name of the template + returned: success + type: str + sample: testTemplate + body: + description: + - The liquid template used for the body of the webhook message. + returned: success + type: str + sample: {"event_type":"{{alertTypeId}}","client_payload":{"text":"{{alertData}}"}} + headers: + description: List of the liquid templates used with the webhook headers. + returned: success + type: list + contains: + name: + description: + - The name of the template + returned: success + type: str + sample: testTemplate + template: + description: + - The liquid template for the header + returned: success + type: str + sample: "Bearer {{sharedSecret}}" +""" + +from ansible.module_utils.basic import AnsibleModule, json +from ansible_collections.cisco.meraki.plugins.module_utils.network.meraki.meraki import ( + MerakiModule, + meraki_argument_spec, +) + + +def get_webhook_payload_templates(meraki, net_id): + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, "GET") + if meraki.status != 200: + meraki.fail_json(msg="Unable to get webhook payload templates") + return response + + +def delete_template(meraki, net_id, template_id): + changed = True + if meraki.check_mode: + return {}, changed + else: + path = meraki.construct_path( + "update", net_id=net_id, custom={"template_id": template_id} + ) + response = meraki.request(path, method="DELETE") + if meraki.status != 204: + meraki.fail_json(msg="Unable to remove webhook payload templates") + return response, changed + + +def create_template(meraki, net_id, template): + changed = True + + if meraki.check_mode: + return template, changed + else: + path = meraki.construct_path("get_all", net_id=net_id) + response = meraki.request(path, "POST", payload=json.dumps(template)) + if meraki.status != 201: + meraki.fail_json(msg="Unable to create webhook payload template") + return response, changed + + +def update_template(meraki, net_id, template, payload): + changed = False + + if template["body"] != payload["body"]: + changed = True + + if meraki.is_update_required(template["headers"], payload["headers"]): + changed = True + + if changed: + meraki.generate_diff(template, payload) + if meraki.check_mode: + return payload, changed + else: + path = meraki.construct_path( + "update", + net_id=net_id, + custom={"template_id": template["payloadTemplateId"]}, + ) + response = meraki.request( + path, method="PUT", payload=json.dumps(payload) + ) + if meraki.status != 200: + meraki.fail_json( + msg="Unable to update webhook payload template" + ) + return response, changed + + return template, changed + + +def main(): + + # define the available arguments/parameters that a user can pass to + # the module + argument_spec = meraki_argument_spec() + argument_spec.update( + state=dict( + type="str", choices=["absent", "query", "present"], default="query" + ), + name=dict(type="str", default=None), + net_name=dict(type="str"), + net_id=dict(type="str"), + body=dict(type="str", default=None), + headers=dict( + type="list", + default=[], + elements="dict", + options=dict( + name=dict(type="str"), + template=dict(type="str"), + ), + ), + ) + + module = AnsibleModule( + argument_spec=argument_spec, + supports_check_mode=True, + ) + meraki = MerakiModule(module, function="webhook_payload_template") + meraki.params["follow_redirects"] = "all" + + query_all_urls = { + "webhook_payload_template": "/networks/{net_id}/webhooks/payloadTemplates" + } + update_urls = { + "webhook_payload_template": "/networks/{net_id}/webhooks/payloadTemplates/{template_id}" + } + + meraki.url_catalog["get_all"].update(query_all_urls) + meraki.url_catalog["update"] = update_urls + + org_id = meraki.params["org_id"] + if meraki.params["org_name"]: + org_id = meraki.get_org_id(meraki.params["org_name"]) + net_id = meraki.params["net_id"] + + if net_id is None: + if meraki.params["net_name"] is not None: + nets = meraki.get_nets(org_id=org_id) + net_id = meraki.get_net_id( + net_name=meraki.params["net_name"], data=nets + ) + + templates = { + template["name"]: template + for template in get_webhook_payload_templates(meraki, net_id) + } + + if meraki.params["state"] == "query": + meraki.result["changed"] = False + + if meraki.params["name"]: + if meraki.params["name"] in templates: + meraki.result["data"] = templates[meraki.params["name"]] + else: + meraki.fail_json( + msg="Unable to get webhook payload template named: {0}".format( + meraki.params["name"] + ) + ) + else: + meraki.result["data"] = templates + + elif meraki.params["state"] == "present": + if meraki.params["name"] is None: + meraki.fail_json(msg="name is a required parameter") + + if meraki.params["body"] is None: + meraki.fail_json( + msg="body is a required parameter when state is present" + ) + + headers = [] + + for header in meraki.params["headers"]: + for key in ["name", "template"]: + if key not in header: + meraki.fail_json( + msg="{0} is a required parameter for a header".format( + key + ) + ) + if not header[key]: + meraki.fail_json( + msg="{0} in header must be a string".format(key) + ) + headers.append( + dict(name=header["name"], template=header["template"]) + ) + + payload = { + "name": meraki.params["name"], + "body": meraki.params["body"], + "headers": meraki.params["headers"], + } + + if meraki.params["name"] in templates: + ( + meraki.result["data"], + meraki.result["changed"], + ) = update_template( + meraki, net_id, templates[meraki.params["name"]], payload + ) + else: + ( + meraki.result["data"], + meraki.result["changed"], + ) = create_template(meraki, net_id, payload) + + elif meraki.params["state"] == "absent": + if meraki.params["name"] in templates: + ( + meraki.result["data"], + meraki.result["changed"], + ) = delete_template( + meraki, + net_id, + templates[meraki.params["name"]]["payloadTemplateId"], + ) + else: + meraki.result["changed"] = False + meraki.result["data"] = {} + + # in the event of a successful module execution, you will want to + # simple AnsibleModule.exit_json(), passing the key/value results + meraki.exit_json(**meraki.result) + + +if __name__ == "__main__": + main() |