Merge pull request #57 from chkp-andreybak/new-feature-branch

Add Maestro modules and modify checkpoint.py to support special Masero modules

Author: chkp-majds

CHANGELOG.rst

@@ -4,6 +4,32 @@ Check_Point.gaia Release Notes
 
 .. contents:: Topics
 
+v7.0.0
+======
+
+Release Summary
+---------------
+
+This is release 6.0.0 of ``check_point.gaia``, released on 2025-01-28.
+
+New Modules
+-----------
+
+- check_point.gaia.cp_gaia_maestro_changes – apply or discard pending Maestro changes over Web Services API.
+- check_point.gaia.cp_gaia_maestro_gateways – manage Maestro Gateways over Web Services API.
+- check_point.gaia.cp_gaia_maestro_gateways_facts – get information about Maestro Gateways over Web Services API.
+- check_point.gaia.cp_gaia_maestro_ports – configure Maestro Orchestrator ports over Web Services API.
+- check_point.gaia.cp_gaia_maestro_ports_facts - get information about Maestro Orchestrator ports over Web Services API.
+- check_point.gaia.cp_gaia_maestro_security_groups - manage Maestro Security Groups over Web Services API.
+- check_point.gaia.cp_gaia_maestro_security_groups_facts - get information about Maestro Security Groups over Web Services API.
+- check_point.gaia.cp_gaia_maestro_sites - add description to Maestro Sites over Web Services API.
+- check_point.gaia.cp_gaia_maestro_sites_facts - get information about Maestro Sites over Web Services API.
+
+Minor Changes
+---------------
+
+modify infrastructure to support special Maestro APIs.
+
 
 v6.0.1
 ======

README.md

@@ -147,7 +147,15 @@ Modules
 * `cp_gaia_snmp_trap_receiver_facts` –  get SNMP trap receiver configuration of a Check Point machine over Web Services API.
 * `cp_gaia_snmp_user` –  manage SNMP USM user configuration of a Check Point machine over Web Services API.
 * `cp_gaia_snmp_user_facts` –  get SNMP USM user configuration of a Check Point machine over Web Services API.
-
+* `cp_gaia_maestro_changes` – apply or discard pending Maestro changes over Web Services API.
+* `cp_gaia_maestro_gateways` – manage Maestro Gateways over Web Services API.
+* `cp_gaia_maestro_gateways_facts` – get information about Maestro Gateways over Web Services API.
+* `cp_gaia_maestro_ports` – configure Maestro Orchestrator ports over Web Services API.
+* `cp_gaia_maestro_ports_facts` - get information about Maestro Orchestrator ports over Web Services API.
+* `cp_gaia_maestro_security_groups` - manage Maestro Security Groups over Web Services API.
+* `cp_gaia_maestro_security_groups_facts` - get information about Maestro Security Groups over Web Services API.
+* `cp_gaia_maestro_sites` - add description to Maestro Sites over Web Services API.
+* `cp_gaia_maestro_sites_facts` - get information about Maestro Sites over Web Services API.
 
 ### Code of Conduct
 This collection follows the Ansible project's

galaxy.yml

@@ -9,7 +9,7 @@ namespace: check_point
 name: gaia
 
 # The version of the collection. Must be compatible with semantic versioning
-version: 6.0.1
+version: 7.0.0
 
 # The path to the Markdown (.md) readme file. This path is relative to the root of the collection
 readme: README.md

plugins/module_utils/checkpoint.py

@@ -31,7 +31,6 @@
 __metaclass__ = type
 
 import time
-
 from ansible.module_utils.connection import Connection
 
 BEFORE_REQUEST = 1
@@ -200,6 +199,9 @@ def chkp_facts_api_call(module, api_call_object, is_multible):
         if "static-route" == api_call_object:
             if "address" in module_key_params and "mask_length" in module_key_params:
                 show_single = True
+        elif "maestro" in api_call_object:
+            if "id" in module_key_params or "interface_name" in module_key_params or "site_id" in module_key_params:
+                show_single = True
         else:
             if len(module_key_params) > 0:
                 show_single = True
@@ -219,7 +221,7 @@ def chkp_facts_api_call(module, api_call_object, is_multible):
     }
 
 
-def chkp_api_call(module, api_call_object, has_add_api, ignore=None, show_params=None, add_params=None):
+def chkp_api_call(module, api_call_object, has_add_api, ignore=None, show_params=None, add_params=None, is_maestro_special=False):
     target_version = get_version(module)
     changed = False
     if show_params is None:
@@ -229,46 +231,56 @@ def chkp_api_call(module, api_call_object, has_add_api, ignore=None, show_params
     modules_params_original = module.params
     module_params_show = dict((k, v) for k, v in module.params.items() if k in show_params and v is not None)
     module.params = module_params_show
-    code, res = api_call(module, target_version, api_call_object="show-{0}".format(api_call_object))
-    before = res.copy()
-    [before.pop(key, None) for key in ignore]
+    if not is_maestro_special:
+        code, res = api_call(module, target_version, api_call_object="show-{0}".format(api_call_object))
+        before = res.copy()
+        [before.pop(key, None) for key in ignore]
+    else:
+        code, res = api_call(module, target_version, api_call_object="show-maestro-security-groups")
+        before = res.copy()
 
     # Run the command:
     module.params = modules_params_original
     if 'state' in module.params and module.params['state'] == 'absent':  # handle delete
-        if code == 200:
-            # delete/show require same params
-            module.params = module_params_show
-            code, res = api_call(module, target_version, api_call_object="delete-{0}".format(api_call_object))
+        if is_maestro_special:
+            code, res = api_call(module, target_version, api_call_object="discard-{0}".format(api_call_object))
         else:
-            return {
-                api_call_object.replace('-', '_'): {},
-                "changed": False
-            }
-    else:  # handle set/add
-        params_dict = module.params.copy()
-        for key, value in module.params.items():
-            if not is_checkpoint_param(key):
-                del params_dict[key]
-
-        if code == 200:
-            if idempotency_check(res, params_dict) is True:
+            if code == 200:
+                # delete/show require same params
+                module.params = module_params_show
+                code, res = api_call(module, target_version, api_call_object="delete-{0}".format(api_call_object))
+            else:
                 return {
-                    api_call_object.replace('-', '_'): res,
+                    api_call_object.replace('-', '_'): {},
                     "changed": False
                 }
-            code, res = api_call(module, target_version, api_call_object="set-{0}".format(api_call_object))
+    else:  # handle set/add
+        if is_maestro_special:
+            code, res = api_call(module, target_version, api_call_object="apply-{0}".format(api_call_object))
         else:
-            if has_add_api is True:
-                if add_params:
-                    [module.params.pop(key) for key in show_params if key not in add_params]
-                    module.params.update(add_params)
-                if 'loopback-interface' == api_call_object:  # loopback doesn't take 'name' for add-... api
-                    if 'name' in module.params:
-                        module.params.pop("name")
-                code, res = api_call(module, target_version, api_call_object="add-{0}".format(api_call_object))
-            else:  # some requests like static-route don't have add, try set instead
+            params_dict = module.params.copy()
+            for key, value in module.params.items():
+                if not is_checkpoint_param(key):
+                    del params_dict[key]
+
+            if code == 200:
+                if idempotency_check(res, params_dict) is True:
+                    return {
+                        api_call_object.replace('-', '_'): res,
+                        "changed": False
+                    }
                 code, res = api_call(module, target_version, api_call_object="set-{0}".format(api_call_object))
+            else:
+                if has_add_api is True:
+                    if add_params:
+                        [module.params.pop(key) for key in show_params if key not in add_params]
+                        module.params.update(add_params)
+                        if 'loopback-interface' == api_call_object:  # loopback doesn't take 'name' for add-... api
+                            if 'name' in module.params:
+                                module.params.pop("name")
+                    code, res = api_call(module, target_version, api_call_object="add-{0}".format(api_call_object))
+                else:  # some requests like static-route don't have add, try set instead
+                    code, res = api_call(module, target_version, api_call_object="set-{0}".format(api_call_object))
 
     if code == 200:
         if 'wait_for_task' in module.params and module.params['wait_for_task'] is True:

plugins/modules/cp_gaia_maestro_changes.py

@@ -0,0 +1,76 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Ansible module to manage CheckPoint Firewall (c) 2019
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+author: Roi Tal (@chkp-roital)
+description: Handle pending changes, either apply or delete them.
+module: cp_gaia_maestro_changes 
+short_description: Handle pending changes, either apply or delete them.
+version_added: '7.0.0'
+requirements: ['supported starting from gaia_api >= 1.8']
+options:
+  version:
+    description: Gaia API version for example 1.6.
+    required: False
+    type: str
+  state:
+    description: Ansible state which can be C(present) or C(absent). absent will delete the pending changes, present will apply them
+    required: False
+    type: str
+    default: present
+    choices: [present, absent]
+notes:
+- Supports C(check_mode).
+'''
+
+EXAMPLES = """
+- name: Delete pending changes
+  check_point.gaia.cp_gaia_user:
+    state: absent
+
+"""
+
+RETURN = """
+
+"""
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.check_point.gaia.plugins.module_utils.checkpoint import chkp_api_call, checkpoint_argument_spec_for_all
+
+
+def main():
+    # arguments for the module:
+    fields = dict(
+        state=dict(type='str', default='present', choices=['present', 'absent'])
+    )
+    fields.update(checkpoint_argument_spec_for_all)
+    module = AnsibleModule(argument_spec=fields, supports_check_mode=True)
+    api_call_object = "maestro-security-groups-changes"
+
+    res = chkp_api_call(module, api_call_object, False, is_maestro_special=True)
+    module.exit_json(**res)
+
+
+if __name__ == "__main__":
+    main()

plugins/modules/cp_gaia_maestro_gateways.py

@@ -0,0 +1,89 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+#
+# Ansible module to manage CheckPoint Firewall (c) 2019
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+#
+
+from __future__ import (absolute_import, division, print_function)
+
+__metaclass__ = type
+
+DOCUMENTATION = '''
+---
+author: Roi Tal (@chkp-roital)
+description: Assign, re-assign or un-assign Gateways to Security Groups, and change GW descriptions.
+module: cp_gaia_maestro_gateways
+short_description: Modify Security Group Members.
+version_added: '7.0.0'
+requirements: ['supported starting from gaia_api >= 1.8']
+options:
+  version:
+    description: Gaia API version for example 1.6.
+    required: False
+    type: str
+  id:
+    description: The serial of the Gateway you wish to modify
+    required: True
+    type: str
+  security_group:
+    description: Choose ID of Security Group to assign this Gateway to
+    required: False
+    type: int
+  description:
+    description: Description of this Gateway
+    required: False
+    type: str
+
+notes:
+- Supports C(check_mode).
+'''
+
+EXAMPLES = """
+- name: Assign GW to SG and add description
+  check_point.gaia.cp_gaia_gateways:
+    id: 1007RT1992
+    security_group: 1
+    description: "1007RT1992 GW Description"
+
+"""
+
+RETURN = """
+maestro_gateway:
+  description: The updated Maestro Gateway details.
+  returned: always.
+  type: dict  
+"""
+
+
+from ansible.module_utils.basic import AnsibleModule
+from ansible_collections.check_point.gaia.plugins.module_utils.checkpoint import chkp_api_call, checkpoint_argument_spec_for_all
+
+def main():
+    # arguments for the module:
+    fields = dict(
+        id=dict(type='str', required=True),
+        security_group=dict(type="int"),
+        description=dict(type="str")
+    )
+    fields.update(checkpoint_argument_spec_for_all)
+    module = AnsibleModule(argument_spec=fields, supports_check_mode=True)
+    api_call_object = 'maestro-gateway'
+    show_params = ["id"]
+    res = chkp_api_call(module, api_call_object, False, show_params=show_params)
+    module.exit_json(**res)
+
+if __name__ == "__main__":
+    main()