def del_policy_section(client_session, resource_id):
try:
category, security_policy_id = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
security_policy = common.nsx_read(
client_session,
'body',
'securityPolicyID',
uri_parameters={'ID': security_policy_id})
actionsByCategory = common.nsx_struct_get_list(
security_policy, 'securityPolicy/actionsByCategory')
for actions in actionsByCategory:
if actions.get('category') == category:
actionsByCategory.remove(actions)
break
else:
return
raw_result = client_session.update(
'securityPolicyID',
uri_parameters={'ID': security_policy_id},
request_body_dict=security_policy)
common.check_raw_result(raw_result)
def add_group_exclude_member(client_session, security_group_id, member_id):
security_group = common.nsx_read(
client_session,
'body',
'secGroupObject',
uri_parameters={'objectId': security_group_id})
excludeMembers = common.nsx_struct_get_list(security_group,
'securitygroup/excludeMember')
for member in excludeMembers:
if member.get("objectId") == member_id:
raise cfy_exc.NonRecoverableError(
"Member %s already exists in %s group" %
(member_id, security_group['securitygroup'].get(
'name', '*unknown*')))
excludeMembers.append({"objectId": member_id})
raw_result = client_session.update(
'secGroupObject',
uri_parameters={'objectId': security_group_id},
request_body_dict=security_group)
common.check_raw_result(raw_result)
return "%s|%s" % (security_group_id, member_id)
def del_policy_group_bind(client_session, resource_id):
try:
security_group_id, security_policy_id = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
security_policy = common.nsx_read(
client_session,
'body',
'securityPolicyID',
uri_parameters={'ID': security_policy_id})
bindings = common.nsx_struct_get_list(
security_policy, 'securityPolicy/securityGroupBinding')
for bind in bindings:
if bind.get('objectId') == security_group_id:
bindings.remove(bind)
break
else:
return
raw_result = client_session.update(
'securityPolicyID',
uri_parameters={'ID': security_policy_id},
request_body_dict=security_policy)
common.check_raw_result(raw_result)
def delete_tag_vm(client_session, resource_id):
ids = resource_id.split("|")
if len(ids) != 2:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID')
# get list of attached
attached_vms_raw = common.nsx_read(client_session,
'body',
'securityTagVMsList',
uri_parameters={'tagId': ids[0]})
if not attached_vms_raw:
return
attached_vms = common.nsx_struct_get_list(attached_vms_raw,
'basicinfolist/basicinfo')
# delete only attached
for vm in attached_vms:
if vm.get('objectId') == ids[1]:
result_raw = client_session.delete('securityTagVM',
uri_parameters={
'tagId': ids[0],
'vmMoid': ids[1]
})
common.check_raw_result(result_raw)
break
def add_policy_group_bind(client_session, security_policy_id,
security_group_id):
resource_id = policy_group_to_resource_id(security_group_id,
security_policy_id)
security_policy = common.nsx_read(
client_session,
'body',
'securityPolicyID',
uri_parameters={'ID': security_policy_id})
bindings = common.nsx_struct_get_list(
security_policy, 'securityPolicy/securityGroupBinding')
for bind in bindings:
if bind.get('objectId') == security_group_id:
raise cfy_exc.NonRecoverableError(
"Group %s already exists in %s policy" %
(security_group_id, security_policy['securityPolicy'].get(
'name', '*unknown*')))
bindings.append({'objectId': str(security_group_id)})
raw_result = client_session.update(
'securityPolicyID',
uri_parameters={'ID': security_policy_id},
request_body_dict=security_policy)
common.check_raw_result(raw_result)
return resource_id
def del_group_exclude_member(client_session, resource_id):
try:
security_group_id, member_id = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
security_group = common.nsx_read(
client_session,
'body',
'secGroupObject',
uri_parameters={'objectId': security_group_id})
excludeMembers = common.nsx_struct_get_list(security_group,
'securitygroup/excludeMember')
for member in excludeMembers:
if member.get("objectId") == member_id:
excludeMembers.remove(member)
break
else:
return
raw_result = client_session.update(
'secGroupObject',
uri_parameters={'objectId': security_group_id},
request_body_dict=security_group)
common.check_raw_result(raw_result)
def add_policy_section(client_session, security_policy_id, category, action):
security_policy = common.nsx_read(
client_session,
'body',
'securityPolicyID',
uri_parameters={'ID': security_policy_id})
actionsByCategory = common.nsx_struct_get_list(
security_policy, 'securityPolicy/actionsByCategory')
for actions in actionsByCategory:
if actions.get('category') == category:
actions['action'] = action
break
else:
actionsByCategory.append({'category': category, 'action': action})
raw_result = client_session.update(
'securityPolicyID',
uri_parameters={'ID': security_policy_id},
request_body_dict=security_policy)
common.check_raw_result(raw_result)
return "%s|%s" % (category, security_policy_id)
def add_group_member(client_session, security_group_id, member_id):
raw_result = client_session.update('secGroupMember',
uri_parameters={
'objectId': security_group_id,
'memberMoref': member_id
})
common.check_raw_result(raw_result)
return "%s|%s" % (security_group_id, member_id)
def add_tag_vm(client_session, tag_id, vm_id):
resource_id = tag_vm_to_resource_id(tag_id, vm_id)
result_raw = client_session.update('securityTagVM',
uri_parameters={
'tagId': tag_id,
'vmMoid': vm_id
})
common.check_raw_result(result_raw)
return resource_id
def delete_nat_rule(client_session, resource_id):
try:
esg_id, ruleID = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
result = client_session.delete('edgeNatRule',
uri_parameters={
'edgeId': esg_id,
'ruleID': ruleID
})
common.check_raw_result(result)
def add_tag(client_session, name, description):
security_group = {'securityTag': {'name': name}}
if description:
security_group['securityTag']['description'] = description
result_raw = client_session.create('securityTag',
request_body_dict=security_group)
common.check_raw_result(result_raw)
return result_raw['objectId']
def del_group_member(client_session, resource_id):
try:
security_group_id, member_id = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
raw_result = client_session.delete('secGroupMember',
uri_parameters={
'objectId': security_group_id,
'memberMoref': member_id
})
common.check_raw_result(raw_result)
def delete_firewall_rule(client_session, resource_id):
"""Delete firewall rule, as resource_id used response
from add_firewall_rule"""
try:
esg_id, rule_id = resource_id.split("|")
except Exception as ex:
raise cfy_exc.NonRecoverableError(
'Unexpected error retrieving resource ID: %s' % str(ex))
result = client_session.delete('firewallRule',
uri_parameters={
'edgeId': esg_id,
'ruleId': rule_id
})
common.check_raw_result(result)
def add_nat_rule(client_session,
esg_id,
action,
originalAddress,
translatedAddress,
vnic=None,
ruleTag=None,
loggingEnabled=False,
enabled=True,
description='',
protocol='any',
translatedPort='any',
originalPort='any'):
nat_spec = client_session.extract_resource_body_example(
'edgeNatRules', 'create')
nat_rule = {
'ruleTag': ruleTag,
'action': action,
'vnic': vnic,
'originalAddress': originalAddress,
'translatedAddress': translatedAddress,
'description': description,
'protocol': protocol,
'translatedPort': originalPort,
'originalPort': translatedPort
}
if loggingEnabled:
nat_rule['loggingEnabled'] = 'true'
else:
nat_rule['loggingEnabled'] = 'false'
if enabled:
nat_rule['enabled'] = 'true'
else:
nat_rule['enabled'] = 'false'
nat_spec['natRules']['natRule'] = nat_rule
result_raw = client_session.create('edgeNatRules',
uri_parameters={'edgeId': esg_id},
request_body_dict=nat_spec)
common.check_raw_result(result_raw)
return "%s|%s" % (esg_id, result_raw['objectId'])
def del_dynamic_member(client_session, security_group_id):
security_group = common.nsx_read(
client_session,
'body',
'secGroupObject',
uri_parameters={'objectId': security_group_id})
security_group['securitygroup']['dynamicMemberDefinition'] = {}
# it is not error!
# We need to use bulk to update dynamic members
# with use security_group_id as scope
raw_result = client_session.update(
'secGroupBulk',
uri_parameters={'scopeId': security_group_id},
request_body_dict=security_group)
common.check_raw_result(raw_result)
def add_firewall_rule(client_session,
esg_id,
application='any',
direction='any',
name="",
loggingEnabled=False,
matchTranslated=False,
destination='any',
enabled=True,
source='any',
action='accept',
ruleTag=None,
description=None):
firewallRule = {
'name': name,
'source': source,
'action': action,
'direction': direction,
'application': application,
'destination': destination
}
common.set_boolean_property(firewallRule, 'loggingEnabled', loggingEnabled)
common.set_boolean_property(firewallRule, 'matchTranslated',
matchTranslated)
common.set_boolean_property(firewallRule, 'enabled', enabled)
if ruleTag:
firewallRule['ruleTag'] = ruleTag
if description:
firewallRule['description'] = description
firewall_spec = {}
firewall_spec['firewallRules'] = {}
firewall_spec['firewallRules']['firewallRule'] = firewallRule
result_raw = client_session.create('firewallRules',
uri_parameters={'edgeId': esg_id},
request_body_dict=firewall_spec)
common.check_raw_result(result_raw)
return result_raw['objectId'], "%s|%s" % (esg_id, result_raw['objectId'])
def add_group(client_session, scopeId, name, member, excludeMember,
dynamicMemberDefinition):
security_group = {
'securitygroup': {
'name': name,
'member': member,
'excludeMember': excludeMember,
'dynamicMemberDefinition': dynamicMemberDefinition
}
}
raw_result = client_session.create('secGroupBulk',
uri_parameters={'scopeId': scopeId},
request_body_dict=security_group)
common.check_raw_result(raw_result)
return raw_result['objectId']
def add_policy(client_session, name, description, precedence, parent,
securityGroupBinding, actionsByCategory):
security_policy = {
'securityPolicy': {
"name": name,
"description": description,
"precedence": precedence,
"parent": parent,
"securityGroupBinding": securityGroupBinding,
"actionsByCategory": actionsByCategory
}
}
raw_result = client_session.create('securityPolicy',
request_body_dict=security_policy)
common.check_raw_result(raw_result)
return raw_result['objectId']
def nat_service(client_session, esg_id, enabled):
change_needed = False
current_nat_config = client_session.read('edgeNat',
uri_parameters={'edgeId':
esg_id})['body']
new_nat_config = current_nat_config
if enabled:
if current_nat_config['nat']['enabled'] == 'false':
new_nat_config['nat']['enabled'] = 'true'
change_needed = True
else:
if current_nat_config['nat']['enabled'] == 'true':
new_nat_config['nat']['enabled'] = 'false'
change_needed = True
if change_needed:
result = client_session.update('edgeNat',
uri_parameters={'edgeId': esg_id},
request_body_dict=new_nat_config)
common.check_raw_result(result)
def set_dynamic_member(client_session, security_group_id, dynamic_set):
security_group = common.nsx_read(
client_session,
'body',
'secGroupObject',
uri_parameters={'objectId': security_group_id})
# fully overwrite previous state
security_group['securitygroup']['dynamicMemberDefinition'] = {
'dynamicSet': dynamic_set
}
# it is not error!
# We need to use bulk to update dynamic members
# with use security_group_id as scope
raw_result = client_session.update(
'secGroupBulk',
uri_parameters={'scopeId': security_group_id},
request_body_dict=security_group)
common.check_raw_result(raw_result)
return security_group_id
def del_logical_switch(client_session, resource_id):
raw_result = client_session.delete(
'logicalSwitch', uri_parameters={'virtualWireID': resource_id}
)
common.check_raw_result(raw_result)
def get_logical_switch(client_session, logical_switch_id):
raw_result = client_session.read('logicalSwitch', uri_parameters={
'virtualWireID': logical_switch_id
})
common.check_raw_result(raw_result)
return raw_result['body']['virtualWire']
def delete_tag(client_session, resource_id):
result = client_session.delete('securityTagID',
uri_parameters={'tagId': resource_id})
common.check_raw_result(result)
