Dapacruz/panw-remove-tags.py

## panw-remove-tags.py
#!/usr/bin/env python3

'''Removes tags from Panorama

panw-remove-tags.py

Author: David Cruz (davidcruz72@gmail.com)

Python version >= 3.6

Required software:
    PAN-Configurator (https://github.com/cpainchaud/pan-configurator)

Features:
    Backs up Panorama running configuration
    Appends tag name to object and security policy descriptions
    Removes space separated list of tags from objects and security policies
'''

from datetime import datetime
import argparse
import signal
import sys
import subprocess
import time

panorama = 'PANORAMA'

base_dir = '/Users/USER/pan-configurator/pan-configurator'
utils_dir = f'{base_dir}/utils'

working_dir = f'/Users/USER/pan-configurator/working'
downloaded_config = f'{working_dir}/panorama-backup-{datetime.now().strftime("%Y.%m.%d-%H.%M.%S")}.xml'

pa_address_edit = ['php', '-r', f'require_once "{utils_dir}/address-edit.php";', f'in=api://{panorama}']
pa_service_edit = ['php', '-r', f'require_once "{utils_dir}/service-edit.php";', f'in=api://{panorama}']
pa_rule_edit = ['php', '-r', f'require_once "{utils_dir}/rules-edit.php";', f'in=api://{panorama}']
pa_tag_edit = ['php', '-r', f'require_once "{utils_dir}/tag-edit.php";', f'in=api://{panorama}']
pa_upload_config = ['php', '-r', f'require_once "{utils_dir}/upload-config.php";']


def sigint_handler(signum, frame):
    sys.exit(1)


def parse_args():
    parser = argparse.ArgumentParser(description='Removes tags from Panorama')
    parser.add_argument('tags', type=str, nargs='+', help='Space separated list of tags to remove')
    return parser.parse_args()


def main():
    # Ctrl+C graceful exit
    signal.signal(signal.SIGINT, sigint_handler)

    tags = parse_args().tags

    start_time = time.time()

    # Back up Panorama running configuration
    upload_args = [
        f'in=api://{panorama}/running-config',
        f'out={downloaded_config}'
    ]
    print(
        f'PANW-REMOVE-TAGS-{datetime.now().strftime("%Y.%m.%d-%H:%M:%S")}: Backing up Panorama running configuration ...\n')
    result = subprocess.run(pa_upload_config + upload_args, check=True, capture_output=True)
    print(result.stdout.decode("utf-8"), result.stderr.decode("utf-8"))

    for tag in tags:
            # Append tag name to address and service object descriptions and remove tag
            object_args = [
                'location=Shared',
                f'actions=displayReferences/description-Append:[{tag}]/tag-Remove:{tag}',
                f'filter=(tag has {tag})'
            ]
            print(
                f'PANW-REMOVE-TAGS-{datetime.now().strftime("%Y.%m.%d-%H:%M:%S")}: Appending tag "{tag}" name to address and address group object descriptions and removing tag ...')
            result = subprocess.run(pa_address_edit + object_args, check=True, capture_output=True)
            print(result.stdout.decode("utf-8"), result.stderr.decode("utf-8"))
            print(
                f'PANW-REMOVE-TAGS-{datetime.now().strftime("%Y.%m.%d-%H:%M:%S")}: Appending tag name "{tag}" to service object descriptions and removing tag ...')
            result = subprocess.run(pa_service_edit + object_args, check=True, capture_output=True)
            print(result.stdout.decode("utf-8"), result.stderr.decode("utf-8"))

            # Append tag name to security policy descriptions and remove tag
            rule_args = [
                'location=all',
                f'actions=display/description-Append:[{tag}]/tag-Remove:{tag}',
                f'filter=(tag has {tag})'
            ]
            print(
                f'PANW-REMOVE-TAGS-{datetime.now().strftime("%Y.%m.%d-%H:%M:%S")}: Appending tag "{tag}" name to security policy descriptions ...')
            result = subprocess.run(pa_rule_edit + rule_args, check=True, capture_output=True)
            print(result.stdout.decode("utf-8"), result.stderr.decode("utf-8"))

        # Remove tag
        tag_args = [
            'location=Shared',
            'actions=displayReferences/delete',
            f'filter=(name eq {tag})'
        ]
        print(
            f'PANW-REMOVE-TAGS-{datetime.now().strftime("%Y.%m.%d-%H:%M:%S")}: Removing tag "{tag}" from security policies ...')
        result = subprocess.run(pa_tag_edit + tag_args, check=True, capture_output=True)
        print(result.stdout.decode("utf-8"), result.stderr.decode("utf-8"))

        print(
            f'Removed {len(tags)} tags in {(time.time()-start_time)/60 :.3f} minutes')

    sys.exit(0)


if __name__ == '__main__':
    main()