-
Notifications
You must be signed in to change notification settings - Fork 2
/
Copy pathasa_create_acl.yml
96 lines (87 loc) · 4.25 KB
/
asa_create_acl.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
#!/usr/bin/ansible-playbook
---
#
# Copyright (c) 2018 World Wide Technology, Inc.
# All rights reserved.
#
# author: [email protected] GitHub/GitLab @joelwking
#
# description:
#
# This playbook retrieves network policy from the Tetration Network Policy Publisher
# feature. The policy returned is used to create an ACL configuration on an ASA firewall
#
# usage:
#
# ./asa_create_acl.yml -e "cert_directory=producer-tnp-12.cert"
#
# Notes:
# To logon the ASA firewall to verify the configuration changes:
# ssh -oKexAlgorithms=+diffie-hellman-group1-sha1 -c 3des-cbc [email protected]
#
# Sample configuration generated on the ASA
#
# object-group network SERVERS
# network-object host 10.255.40.139
# access-list OUTSIDE extended permit tcp any object-group SERVERS eq 5660
# access-list OUTSIDE extended permit tcp any object-group SERVERS eq https
# access-list OUTSIDE extended permit udp any object-group SERVERS eq ntp
# access-list OUTSIDE extended permit udp any object-group SERVERS eq domain
# access-list OUTSIDE extended permit tcp any object-group SERVERS eq ssh
# access-list OUTSIDE extended permit udp any object-group SERVERS eq 40125
# access-list OUTSIDE extended permit udp any object-group SERVERS eq snmp
#
- name: Network Policy Publisher for ASA firewall configuration
hosts: ASA
connection: local
gather_facts: false
vars:
provider: # ASA Credentials
host: "{{ inventory_hostname }}"
username: "{{ asa.username }}"
password: "{{ asa.password }}"
authorize: yes
auth_pass: "{{ asa.password }}"
# Tetration / Kafka options
cert_directory: producer-tnp-12.cert # directory name of tetration certificates
validate_certs: "no" # certificate verify
network_object: [] # Create an empty list (see set_fact)
object_group: SERVERS # Name of the network object group on ASA
acl_name: OUTSIDE # Name of the Access Control List (ACL)
acl_action: {"ALLOW": "permit", "DROP": "deny"} # translator for action verbs
tasks:
- name: Include credentials from an encrypted password.yml file
include_vars: "{{ playbook_dir }}/files/passwords.yml"
no_log: True
- name: Tetration Network Policy
tetration_network_policy:
broker: "{{ lookup('file', '{{ playbook_dir }}/files/certificates/{{ cert_directory }}/kafkaBrokerIps.txt') }}"
topic: "{{ lookup('file', '{{ playbook_dir }}/files/certificates/{{ cert_directory }}/topic.txt') }}"
cert_directory: "{{ playbook_dir }}/files/certificates/{{ cert_directory }}/"
validate_certs: "{{ validate_certs }}"
timeout: 120000 # 2 minutes, enforcement policy is published every minute
register: tnp
#
# Obtain the server IP address from the inventory filter variable 'unsafeSubnetValue=[10.255.40.139/32]]''
#
- debug:
msg: "{{ item['query'].split('unsafeSubnetValue=[')[1].split('/')[0] }}"
verbosity: 1
with_items: "{{ tnp.ansible_facts.inventory_filters }}"
- name: Create a list of server IP addresses from the inventory filters
set_fact:
network_object: "{{ network_object + [item] }}"
with_items: "{{ tnp.ansible_facts.inventory_filters | list }}"
- name: Configure ASA firewall network-object
asa_config:
lines:
- "network-object host {{ item['query'].split('unsafeSubnetValue=[')[1].split('/')[0] }}"
parents: ["object-group network {{ object_group }}"]
provider: "{{ provider }}"
with_items: "{{ network_object }}"
- name: Configure ASA firewall access-list
asa_config:
lines:
- "access-list {{ acl_name }} line 1 extended {{ acl_action[item.action] }} {{ item.ip_protocol }} any object-group {{ object_group }} eq {{ item.dst_port_start }}"
provider: "{{ provider }}"
loop: "{{ tnp.ansible_facts.intents }}"