|
| 1 | +#!/usr/bin/env python |
| 2 | + |
| 3 | +""" |
| 4 | +* ******************************************************* |
| 5 | +* Copyright (c) VMware, Inc. 2019. All Rights Reserved. |
| 6 | +* SPDX-License-Identifier: MIT |
| 7 | +* ******************************************************* |
| 8 | +* |
| 9 | +* DISCLAIMER. THIS PROGRAM IS PROVIDED TO YOU "AS IS" WITHOUT |
| 10 | +* WARRANTIES OR CONDITIONS OF ANY KIND, WHETHER ORAL OR WRITTEN, |
| 11 | +* EXPRESS OR IMPLIED. THE AUTHOR SPECIFICALLY DISCLAIMS ANY IMPLIED |
| 12 | +* WARRANTIES OR CONDITIONS OF MERCHANTABILITY, SATISFACTORY QUALITY, |
| 13 | +* NON-INFRINGEMENT AND FITNESS FOR A PARTICULAR PURPOSE. |
| 14 | +""" |
| 15 | + |
| 16 | +__author__ = 'VMware, Inc.' |
| 17 | + |
| 18 | + |
| 19 | +import argparse |
| 20 | +import requests |
| 21 | +from com.vmware.nsx_policy_client_for_vmc import create_nsx_policy_client_for_vmc |
| 22 | +from com.vmware.nsx_policy.model_client import Rule |
| 23 | +from vmware.vapi.bindings.struct import PrettyPrinter as NsxPrettyPrinter |
| 24 | +from com.vmware.nsx_policy.model_client import ApiError |
| 25 | + |
| 26 | +# format NSXT objects for readability |
| 27 | +nsx_pp = NsxPrettyPrinter() |
| 28 | + |
| 29 | + |
| 30 | +class NSXPolicySegmentFirewall(object): |
| 31 | + """ |
| 32 | + e.g. Demonstrate access to NSX Policy Manager and show |
| 33 | + access to infra, tier1s, segments and firewall CRUD operations |
| 34 | + """ |
| 35 | + |
| 36 | + def __init__(self): |
| 37 | + parser = argparse.ArgumentParser( |
| 38 | + formatter_class=argparse.ArgumentDefaultsHelpFormatter) |
| 39 | + |
| 40 | + parser.add_argument('--refresh_token', |
| 41 | + required=True, |
| 42 | + help='Refresh token obtained from CSP') |
| 43 | + |
| 44 | + parser.add_argument('--org_id', |
| 45 | + required=True, |
| 46 | + help='Orgization ID') |
| 47 | + |
| 48 | + parser.add_argument('--sddc_id', |
| 49 | + required=True, |
| 50 | + help='Sddc ID') |
| 51 | + |
| 52 | + args = parser.parse_args() |
| 53 | + |
| 54 | + self.nsx_client = create_nsx_policy_client_for_vmc( |
| 55 | + refresh_token=args.refresh_token, |
| 56 | + org_id=args.org_id, |
| 57 | + sddc_id=args.sddc_id) |
| 58 | + |
| 59 | + def get_infra(self): |
| 60 | + print(' Infra '.center(70, '=')) |
| 61 | + self.infra = self.nsx_client.Infra.get() |
| 62 | + nsx_pp.pprint(self.infra) |
| 63 | + return self.infra |
| 64 | + |
| 65 | + def get_tier1s(self): |
| 66 | + print(' Tier1s '.center(70, '=')) |
| 67 | + self.tier1s = self.nsx_client.infra.Tier1s.list() |
| 68 | + nsx_pp.pprint(self.tier1s) |
| 69 | + return self.tier1s |
| 70 | + |
| 71 | + def get_segments(self): |
| 72 | + print(' Segments '.center(70, '=')) |
| 73 | + self.segments = self.nsx_client.infra.tier_1s.Segments.list('cgw') |
| 74 | + nsx_pp.pprint(self.segments) |
| 75 | + return self.segments |
| 76 | + |
| 77 | + def get_domains(self): |
| 78 | + print(' Domains '.center(70, '=')) |
| 79 | + self.domains = self.nsx_client.infra.Domains.list() |
| 80 | + nsx_pp.pprint(self.domains) |
| 81 | + return self.domains |
| 82 | + |
| 83 | + def get_mgw_gateway_firewall_rules(self): |
| 84 | + print(' Firewall Rules '.center(70, '=')) |
| 85 | + self.mgw_policies = self.nsx_client.infra.domains.GatewayPolicies.get('mgw', 'default') |
| 86 | + self.mgw_rules = self.mgw_policies.rules |
| 87 | + nsx_pp.pprint(self.mgw_rules) |
| 88 | + return self.mgw_rules |
| 89 | + |
| 90 | + def patch_mgw_gateway_firewall_rule(self): |
| 91 | + print(' Patch Vcenter inbound '.center(70, '=')) |
| 92 | + try: |
| 93 | + rule_obj = Rule(action='ALLOW', |
| 94 | + scope=['/infra/labels/mgw'], |
| 95 | + services=['/infra/services/HTTPS'], |
| 96 | + source_groups=['ANY'], |
| 97 | + destination_groups=['/infra/domains/mgw/groups/VCENTER'], |
| 98 | + display_name='InboundAccess-vCenter', sequence_number=0) |
| 99 | + |
| 100 | + self.nsx_client.infra.domains.gateway_policies.Rules.patch('mgw', 'default', 'InboundAccess-vCenter', |
| 101 | + rule_obj) |
| 102 | + except Exception as ex: |
| 103 | + print(ex) |
| 104 | + self.log_error(ex) |
| 105 | + |
| 106 | + def delete_mgw_gateway_firewall_rule(self): |
| 107 | + print(' Deleting Vcenter inbound FW Rule '.center(70, '=')) |
| 108 | + try: |
| 109 | + self.nsx_client.infra.domains.gateway_policies.Rules.delete('mgw', 'default', 'InboundAccess-vCenter') |
| 110 | + except Exception as ex: |
| 111 | + print(ex) |
| 112 | + self.log_error(ex) |
| 113 | + |
| 114 | + def log_error(self, ex): |
| 115 | + """ |
| 116 | + Generic error logger that will use NSXT API Error message decoders for |
| 117 | + more descriptive information on errors |
| 118 | + """ |
| 119 | + api_error = ex.data.convert_to(ApiError) |
| 120 | + print("Error configuring {}".format(api_error.error_message)) |
| 121 | + print("{}".format(api_error.__dict__)) |
| 122 | + print("{}".format(api_error.details)) |
| 123 | + |
| 124 | + def run(self): |
| 125 | + self.get_infra() |
| 126 | + self.get_tier1s() |
| 127 | + self.get_segments() |
| 128 | + self.get_domains() |
| 129 | + self.get_mgw_gateway_firewall_rules() |
| 130 | + self.patch_mgw_gateway_firewall_rule() |
| 131 | + self.get_mgw_gateway_firewall_rules() |
| 132 | + |
| 133 | + def cleanup(self): |
| 134 | + self.delete_mgw_gateway_firewall_rule() |
| 135 | + self.get_mgw_gateway_firewall_rules() # check to ensure deletion |
| 136 | + |
| 137 | + |
| 138 | +def main(): |
| 139 | + nsx = NSXPolicySegmentFirewall() |
| 140 | + nsx.run() |
| 141 | + nsx.cleanup() |
| 142 | + |
| 143 | + |
| 144 | +if __name__ == '__main__': |
| 145 | + main() |
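Review bot: `main()` (file lines 138–141) only reaches `nsx.cleanup()` if `nsx.run()` returns normally, so any failure after `patch_mgw_gateway_firewall_rule` leaves the sample rule behind — and that rule allows HTTPS to the VCENTER group from `source_groups=['ANY']` on the management gateway, i.e. vCenter reachable from any source. Wrap the pair as `try:` / `    nsx.run()` / `finally:` / `    nsx.cleanup()` so the rule is removed on the error path as well, and either narrow the source to a specific group or add a comment stating that `ANY` is for demonstration only and must not be copied into production. Separately, `log_error` does `ex.data.convert_to(ApiError)` for every exception caught by `except Exception`, which raises `AttributeError` for non-vapi errors (e.g. network failures) and masks the original problem; guard it with `if hasattr(ex, 'data')` or catch the vapi error type explicitly. Passing `--refresh_token` on the command line also exposes the CSP credential in process listings and shell history; reading it from an environment variable or a `getpass` prompt would be safer.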