コード例 #1
    def _CreateFirewall(self, holder, args):
        """Builds the Firewall message described by the parsed command flags.

        Args:
          holder: Object exposing `client` (with `messages`) and `resources`.
          args: Parsed command-line arguments.

        Returns:
          A (firewall message, project) tuple; the project is read from the
          resolved firewall reference.

        Raises:
          firewalls_utils.ArgumentValidationError: If --rules and --allow are
            both given, or if exactly one of --action / --rules is given.
        """
        client = holder.client

        # --allow is the older spelling; it cannot be mixed with --rules.
        if args.rules and args.allow:
            raise firewalls_utils.ArgumentValidationError(
                'Can NOT specify --rules and --allow in the same request.')

        # --action and --rules are only valid as a pair: reject the request
        # when exactly one of the two is present.
        if bool(args.action) != bool(args.rules):
            raise firewalls_utils.ArgumentValidationError(
                'Must specify --rules with --action.')

        messages = client.messages

        # Parsed only to seed the constructor; the final allowed/denied lists
        # are recomputed below once --action has been taken into account.
        seed_allowed = firewalls_utils.ParseRules(
            args.allow, messages, firewalls_utils.ActionType.ALLOW)

        network_ref = self.NETWORK_ARG.ResolveAsResource(
            args, holder.resources)
        firewall_ref = self.FIREWALL_RULE_ARG.ResolveAsResource(
            args, holder.resources)

        # NOTE(review): source ranges and tags are forwarded exactly as given,
        # including when unset. How the API treats an ingress rule without a
        # source filter is not visible here; confirm that an omitted source
        # cannot end up meaning "any address".
        firewall = messages.Firewall(
            allowed=seed_allowed,
            name=firewall_ref.Name(),
            description=args.description,
            network=network_ref.SelfLink(),
            sourceRanges=args.source_ranges,
            sourceTags=args.source_tags,
            targetTags=args.target_tags)

        # Only 'EGRESS' / 'OUT' select egress. Every other value, an unset
        # flag included, yields an INGRESS rule.
        direction_enum = messages.Firewall.DirectionValueValuesEnum
        firewall.direction = (
            direction_enum.EGRESS if args.direction in ('EGRESS', 'OUT')
            else direction_enum.INGRESS)

        firewall.priority = args.priority
        firewall.destinationRanges = args.destination_ranges

        # Without --action the legacy --allow list is used; otherwise --rules
        # feeds either the allowed or the denied list.
        # NOTE(review): an --action other than 'ALLOW' / 'DENY' leaves both
        # lists empty; presumably the flag parser restricts the choices.
        allow_rules = []
        deny_rules = []
        action = args.action
        if action == 'DENY':
            deny_rules = firewalls_utils.ParseRules(
                args.rules, messages, firewalls_utils.ActionType.DENY)
        elif action == 'ALLOW':
            allow_rules = firewalls_utils.ParseRules(
                args.rules, messages, firewalls_utils.ActionType.ALLOW)
        elif not action:
            allow_rules = firewalls_utils.ParseRules(
                args.allow, messages, firewalls_utils.ActionType.ALLOW)
        firewall.allowed = allow_rules
        firewall.denied = deny_rules

        firewall.sourceServiceAccounts = args.source_service_accounts
        firewall.targetServiceAccounts = args.target_service_accounts
        return firewall, firewall_ref.project
コード例 #2
    def CreateRequests(self, args):
        """Returns a list of requests necessary for adding firewall rules.

        Args:
          args: Parsed command-line arguments.

        Returns:
          A one-element list holding the firewall insert request.

        Raises:
          firewalls_utils.ArgumentValidationError: If --rules and --allow are
            both given, or if exactly one of --action / --rules is given.
        """
        # --allow is the older spelling; it cannot be mixed with --rules.
        if args.rules and args.allow:
            raise firewalls_utils.ArgumentValidationError(
                'Can NOT specify --rules and --allow in the same request.')

        # --action and --rules must be supplied together or not at all.
        if bool(args.action) != bool(args.rules):
            raise firewalls_utils.ArgumentValidationError(
                'Must specify --rules with --action.')

        # Only 'EGRESS' / 'OUT' select egress. Every other value, an unset
        # flag included, yields an INGRESS rule.
        direction_enum = self.messages.Firewall.DirectionValueValuesEnum
        if args.direction in ('EGRESS', 'OUT'):
            direction = direction_enum.EGRESS
        else:
            direction = direction_enum.INGRESS

        # Without --action the legacy --allow list is used; otherwise --rules
        # feeds either the allowed or the denied list.
        # NOTE(review): an --action other than 'ALLOW' / 'DENY' leaves both
        # lists empty; presumably the flag parser restricts the choices.
        allow_rules, deny_rules = [], []
        action = args.action
        if action == 'DENY':
            deny_rules = firewalls_utils.ParseRules(
                args.rules, self.messages, firewalls_utils.ActionType.DENY)
        elif action == 'ALLOW':
            allow_rules = firewalls_utils.ParseRules(
                args.rules, self.messages, firewalls_utils.ActionType.ALLOW)
        elif not action:
            allow_rules = firewalls_utils.ParseRules(
                args.allow, self.messages, firewalls_utils.ActionType.ALLOW)

        network_ref = self.NETWORK_ARG.ResolveAsResource(args, self.resources)
        firewall_ref = self.FIREWALL_RULE_ARG.ResolveAsResource(
            args, self.resources)

        # NOTE(review): source/destination filters are forwarded exactly as
        # given, including when unset. How the API treats a rule without a
        # source filter is not visible here; confirm that an omitted source
        # cannot end up meaning "any address".
        firewall = self.messages.Firewall(
            allowed=allow_rules,
            denied=deny_rules,
            direction=direction,
            priority=args.priority,
            name=firewall_ref.Name(),
            description=args.description,
            network=network_ref.SelfLink(),
            sourceRanges=args.source_ranges,
            destinationRanges=args.destination_ranges,
            sourceTags=args.source_tags,
            targetTags=args.target_tags,
            sourceServiceAccounts=args.source_service_accounts,
            targetServiceAccounts=args.target_service_accounts)

        insert_request = self.messages.ComputeFirewallsInsertRequest(
            firewall=firewall, project=self.project)
        return [insert_request]
コード例 #3
ファイル: create.py プロジェクト: mzha/HomewardBound
    def CreateRequests(self, args):
        """Returns a list of requests necessary for adding firewall rules.

        Args:
          args: Parsed command-line arguments.

        Returns:
          A one-element list holding the firewall insert request.

        Raises:
          firewalls_utils.ArgumentValidationError: If --rules and --allow are
            both given, or if exactly one of --action / --rules is given.
        """
        # TODO(user): remove the check once --allow is deprecated.
        if args.rules and args.allow:
            raise firewalls_utils.ArgumentValidationError(
                'Can NOT specify --rules and --allow in the same request.')

        # --action and --rules must be supplied together or not at all.
        if bool(args.action) != bool(args.rules):
            raise firewalls_utils.ArgumentValidationError(
                'Must specify --rules with --action.')

        # Only 'EGRESS' / 'OUT' select egress. Every other value, an unset
        # flag included, yields an INGRESS rule.
        direction_enum = self.messages.Firewall.DirectionValueValuesEnum
        if args.direction in ('EGRESS', 'OUT'):
            direction = direction_enum.EGRESS
        else:
            direction = direction_enum.INGRESS

        # Without --action the legacy --allow list is used; otherwise --rules
        # feeds either the allowed or the denied list.
        # NOTE(review): an --action other than 'ALLOW' / 'DENY' leaves both
        # lists empty; presumably the flag parser restricts the choices.
        allow_rules, deny_rules = [], []
        action = args.action
        if action == 'DENY':
            deny_rules = firewalls_utils.ParseRules(
                args.rules, self.messages, firewalls_utils.ActionType.DENY)
        elif action == 'ALLOW':
            allow_rules = firewalls_utils.ParseRules(
                args.rules, self.messages, firewalls_utils.ActionType.ALLOW)
        elif not action:
            allow_rules = firewalls_utils.ParseRules(
                args.allow, self.messages, firewalls_utils.ActionType.ALLOW)

        network_ref = self.CreateGlobalReference(
            args.network, resource_type='networks')
        firewall_ref = self.CreateGlobalReference(
            args.name, resource_type='firewalls')

        # NOTE(review): source/destination filters are forwarded exactly as
        # given, including when unset. How the API treats a rule without a
        # source filter is not visible here; confirm that an omitted source
        # cannot end up meaning "any address".
        firewall = self.messages.Firewall(
            allowed=allow_rules,
            denied=deny_rules,
            direction=direction,
            priority=args.priority,
            name=firewall_ref.Name(),
            description=args.description,
            network=network_ref.SelfLink(),
            sourceRanges=args.source_ranges,
            destinationRanges=args.destination_ranges,
            sourceTags=args.source_tags,
            targetTags=args.target_tags)

        insert_request = self.messages.ComputeFirewallsInsertRequest(
            firewall=firewall, project=self.project)
        return [insert_request]
コード例 #4
    def ValidateArgument(self, messages, args):
        """Checks the update flags and caches the parsed --allow rules.

        The parsed --allow rules are stored on `self.new_allowed` before any
        check runs.

        Args:
          messages: Message classes handed to firewalls_utils.ParseRules.
          args: Parsed command-line arguments.

        Raises:
          calliope_exceptions.ToolException: If none of the tracked flags was
            supplied.
          firewalls_utils.ArgumentValidationError: If --rules and --allow are
            both given.
        """
        self.new_allowed = firewalls_utils.ParseRules(
            args.allow, messages, firewalls_utils.ActionType.ALLOW)

        # Flags every variant of the command accepts.
        base_values = (args.allow, args.description, args.source_ranges,
                       args.source_tags, args.target_tags)
        nothing_set = all(value is None for value in base_values)

        # Feature-gated flags are inspected only while everything seen so far
        # was unset, so their attributes are not read once a change is found.
        if self.with_egress_firewall and nothing_set:
            nothing_set = all(
                value is None
                for value in (args.destination_ranges, args.priority,
                              args.rules))
        if self.with_service_account and nothing_set:
            nothing_set = all(
                value is None
                for value in (args.source_service_accounts,
                              args.target_service_accounts))
        if nothing_set:
            nothing_set = (args.disabled is None
                           and args.enable_logging is None)
        # Unlike the flags above, logging metadata counts as unset whenever it
        # is falsy, not only when it is None.
        if self.support_logging_metadata and nothing_set:
            nothing_set = not args.logging_metadata

        if nothing_set:
            raise calliope_exceptions.ToolException(
                'At least one property must be modified.')

        # --allow is the older spelling; it cannot be mixed with --rules.
        if args.rules and args.allow:
            raise firewalls_utils.ArgumentValidationError(
                'Can NOT specify --rules and --allow in the same request.')
コード例 #5
 def ValidateArgument(self, messages, args):
   """Runs the parent validation, then rejects --rules mixed with --allow.

   Args:
     messages: Message classes, passed through to the parent validation.
     args: Parsed command-line arguments.

   Raises:
     firewalls_utils.ArgumentValidationError: If --rules and --allow are both
       given.
   """
   super(BetaUpdateFirewall, self).ValidateArgument(messages, args)
   # Checked after the parent has accepted the arguments.
   mixes_rule_flags = args.rules and args.allow
   if mixes_rule_flags:
     raise firewalls_utils.ArgumentValidationError(
         'Can NOT specify --rules and --allow in the same request.')
コード例 #6
    def _CreateFirewall(self, holder, args):
        """Builds the Firewall message described by the parsed command flags.

        Args:
          holder: Object exposing `client` (with `messages`) and `resources`.
          args: Parsed command-line arguments.

        Returns:
          A (firewall message, project) tuple; the project is read from the
          resolved firewall reference.

        Raises:
          firewalls_utils.ArgumentValidationError: If --rules and --allow are
            both given, or if exactly one of --action / --rules is given.
          exceptions.InvalidArgumentException: If --logging-metadata is
            specified while logging is not enabled.
        """
        client = holder.client

        # --allow is the older spelling; it cannot be mixed with --rules.
        if args.rules and args.allow:
            raise firewalls_utils.ArgumentValidationError(
                'Can NOT specify --rules and --allow in the same request.')

        # --action and --rules are only valid as a pair: reject the request
        # when exactly one of the two is present.
        if bool(args.action) != bool(args.rules):
            raise firewalls_utils.ArgumentValidationError(
                'Must specify --rules with --action.')

        messages = client.messages

        # Parsed only to seed the constructor; the final allowed/denied lists
        # are recomputed below once --action has been taken into account.
        seed_allowed = firewalls_utils.ParseRules(
            args.allow, messages, firewalls_utils.ActionType.ALLOW)

        network_ref = self.NETWORK_ARG.ResolveAsResource(
            args, holder.resources)
        firewall_ref = self.FIREWALL_RULE_ARG.ResolveAsResource(
            args, holder.resources)

        # NOTE(review): source ranges and tags are forwarded exactly as given,
        # including when unset. How the API treats an ingress rule without a
        # source filter is not visible here; confirm that an omitted source
        # cannot end up meaning "any address".
        firewall = messages.Firewall(
            allowed=seed_allowed,
            name=firewall_ref.Name(),
            description=args.description,
            network=network_ref.SelfLink(),
            sourceRanges=args.source_ranges,
            sourceTags=args.source_tags,
            targetTags=args.target_tags)

        # The disabled field is set only when the flag carries a value.
        if args.disabled is not None:
            firewall.disabled = args.disabled

        # Only 'EGRESS' / 'OUT' select egress. Every other value, an unset
        # flag included, yields an INGRESS rule.
        direction_enum = messages.Firewall.DirectionValueValuesEnum
        firewall.direction = (
            direction_enum.EGRESS if args.direction in ('EGRESS', 'OUT')
            else direction_enum.INGRESS)

        firewall.priority = args.priority
        firewall.destinationRanges = args.destination_ranges

        # Without --action the legacy --allow list is used; otherwise --rules
        # feeds either the allowed or the denied list.
        # NOTE(review): an --action other than 'ALLOW' / 'DENY' leaves both
        # lists empty; presumably the flag parser restricts the choices.
        allow_rules = []
        deny_rules = []
        action = args.action
        if action == 'DENY':
            deny_rules = firewalls_utils.ParseRules(
                args.rules, messages, firewalls_utils.ActionType.DENY)
        elif action == 'ALLOW':
            allow_rules = firewalls_utils.ParseRules(
                args.rules, messages, firewalls_utils.ActionType.ALLOW)
        elif not action:
            allow_rules = firewalls_utils.ParseRules(
                args.allow, messages, firewalls_utils.ActionType.ALLOW)
        firewall.allowed = allow_rules
        firewall.denied = deny_rules

        firewall.sourceServiceAccounts = args.source_service_accounts
        firewall.targetServiceAccounts = args.target_service_accounts

        # Logging metadata is accepted only together with enabled logging.
        if args.IsSpecified('logging_metadata') and not args.enable_logging:
            raise exceptions.InvalidArgumentException(
                '--logging-metadata',
                'cannot toggle logging metadata if logging is not enabled.')

        # A log config is attached only when --enable-logging was given
        # explicitly; otherwise the message carries no logConfig at all.
        if args.IsSpecified('enable_logging'):
            log_config = messages.FirewallLogConfig(
                enable=args.enable_logging)
            if args.IsSpecified('logging_metadata'):
                metadata_arg = flags.GetLoggingMetadataArg(messages)
                log_config.metadata = metadata_arg.GetEnumForChoice(
                    args.logging_metadata)
            firewall.logConfig = log_config

        return firewall, firewall_ref.project