-
Notifications
You must be signed in to change notification settings - Fork 5
/
apply-access-policies_itsm.yml
115 lines (98 loc) · 3.34 KB
/
apply-access-policies_itsm.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
# REQUIREMENTS
# pip install pan-python
# pip install pandevice
# pip install xmltodict
# ansible-galaxy install paloaltonetworks.paloaltonetworks
# https://www.bountysource.com/issues/59738537-certificate-verify-failed
# set verify to disable in the virtual environment
---
- name: Retrieve pan_hosts.csv file
hosts: webserver
gather_facts: False
tasks:
- name: Get acl_entries csv file from webserver
fetch:
src: "/home/{{ ansible_user }}/csvfiles/acl_entries_to_apply.csv"
dest: "{{ playbook_dir }}/csvfiles/acl_entries_to_apply.csv"
flat: yes
- name: Set up ACL entries
hosts: ansible
gather_facts: False
become: yes
vars:
csvfile: "{{ lookup('file', '{{ playbook_dir }}/csvfiles/acl_entries_to_apply.csv') }}"
vars_files:
- "{{ playbook_dir }}/vars/default_vars.yml"
tasks:
- name: Check to see if acl_entries.yml exists
stat:
# path: "{{ playbook_dir }}/vars/acl_entries.yml"
path: /tmp/acl_entries.yml
register: acl_entries_output
- name: Delete acl_entries.yml if it already exists
file:
# path: "{{ playbook_dir }}/vars/acl_entries.yml"
path: /tmp/acl_entries.yml
state: absent
when: acl_entries_output.stat.exists == True
- name: Create acl_entries.yml file from template
template:
src: "{{ playbook_dir }}/templates/acl_entries.j2"
# dest: "{{ playbook_dir }}/vars/acl_entries.yml"
dest: /tmp/acl_entries.yml
- name: Apply ACLs to PAN Firewalls
hosts: panos
connection: local
gather_facts: False
vars:
erase: false
vars_files:
- "{{ playbook_dir }}/vars/default_vars.yml"
- "{{ playbook_dir }}/credentials/pan_credentials.yml"
- "{{ playbook_dir }}/credentials/servicenow_credentials.yml"
# roles:
# - role: paloaltonetworks.paloaltonetworks
tasks:
- name: Load acl_entries variable into the playbook
include_vars:
# file: "{{ playbook_dir }}/vars/acl_entries.yml"
file: /tmp/acl_entries.yml
run_once: yes
- block:
- name: Add an ACL entry
paloaltonetworks.panos.panos_security_rule:
provider:
ip_address: "{{ ansible_host }}"
username: "{{ PAN_USERNAME }}"
password: "{{ PAN_PASSWORD }}"
rule_name: "{{item.rule_name}}"
description: "{{item.rule_name}}"
source_ip: "{{item.source_ip}}"
destination_ip: "{{ item.destination_ip }}"
source_zone: "['{{item.source_zone}}']"
destination_zone: "['{{item.destination_zone}}']"
action: "{{ item.action}}"
state: present
loop: "{{ acl_entries }}"
ignore_errors: True
when: policy_state == "add"
- block:
- name: Remove ACL entries
paloaltonetworks.panos.panos_security_rule:
provider:
ip_address: "{{ ansible_host }}"
username: "{{ PAN_USERNAME }}"
password: "{{ PAN_PASSWORD }}"
rule_name: "{{item.rule_name}}"
state: absent
loop: "{{ acl_entries }}"
when: policy_state == "remove"
- debug:
var: snow_cr_number
when: snow_cr_number is defined
run_once: yes
- set_stats:
data:
expose_to_cloud_redhat_com_snow_cr_number: "{{ snow_cr_number }}"
when: snow_cr_number is defined
run_once: yes