Created
July 8, 2011 20:46
-
-
Save cwebberOps/1072770 to your computer and use it in GitHub Desktop.
Weird exported resource behavior
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| define ucr_fw_rule ( | |
| $allowed_ip, | |
| $allowed_ports, | |
| $origin = 'self', | |
| $dest_ip = 'self', | |
| $ensure = 'present', | |
| $flags = '', | |
| $proto = 'tcp', | |
| $service = 'unknown', | |
| $applies_to = 'self', | |
| $order = 100, | |
| $desc = '') { | |
| if $applies_to == 'self' { | |
| if ($operatingsystem == 'Solaris' ) and ( $zone == 'true') { | |
| $builder_host = $global_zone | |
| } else { | |
| $builder_host = $hostname | |
| } | |
| } else { | |
| $builder_host = $applies_to | |
| } | |
| if $origin == 'self' { | |
| $origin_host = $hostname | |
| } else { | |
| $origin_host = $origin | |
| } | |
| @@file {"/var/inst/firewall/rules.d/${origin_host}.${name}.yml": | |
| ensure => "${ensure}", | |
| content => fw_yaml($name), | |
| tag => "firewall_${builder_host}", | |
| require => File['/var/inst/firewall/rules.d'] | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| - !ruby/object:Puppet::TransObject | |
| line: 37 | |
| name: &id074 /var/inst/firewall/rules.d/oraiasenv.bastion_allow_ssh.yml | |
| tags: | |
| - file | |
| - firewall_pebble-solarisvm | |
| - class | |
| - firewall::builder | |
| - firewall | |
| - builder | |
| - node | |
| - pebble-solarisvm | |
| - main | |
| type: file | |
| params: | |
| tag: firewall_pebble-solarisvm | |
| content: | |
| flags: "" | |
| service: ssh | |
| applies_to: pebble-solarisvm | |
| dest_ip: | |
| - 10.0.64.40 | |
| - 10.0.62.33 | |
| order: 100 | |
| origin: oraiasenv | |
| allowed_ports: 22 | |
| desc: "" | |
| allowed_ip: | |
| - 10.0.226.143 | |
| - 138.23.248.50 | |
| proto: tcp | |
| path: *id074 | |
| require: | |
| - file | |
| - /var/inst/firewall/rules.d | |
| ensure: present | |
| file: |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| require 'yaml' | |
| require 'ipaddr' | |
| module Puppet::Parser::Functions | |
| newfunction(:fw_yaml, :type => :rvalue) do |args| | |
| allowed_ip = lookupvar('allowed_ip') | |
| allowed_ports = lookupvar('allowed_ports') | |
| dest_ip = lookupvar('dest_ip') | |
| flags = lookupvar('flags') | |
| proto = lookupvar('proto') | |
| service = lookupvar('service') | |
| desc = lookupvar('desc') | |
| name = lookupvar('name') | |
| hostname = lookupvar('hostname') | |
| applies_to = lookupvar('applies_to') | |
| origin = lookupvar('origin') | |
| order = lookupvar('order') | |
| os = lookupvar('operatingsystem') | |
| if applies_to == 'self' | |
| if os == 'Solaris' | |
| if lookupvar('zone') == 'true' | |
| builder_host = lookupvar('global_zone') | |
| else | |
| builder_host = hostname | |
| end | |
| else | |
| builder_host = hostname | |
| end | |
| else | |
| builder_host = applies_to | |
| end | |
| if origin == 'self' | |
| origin_host = hostname | |
| else | |
| origin_host = origin | |
| end | |
| # Process the ports and change any numbers to integers | |
| if allowed_ports != 'any' | |
| if allowed_ports.class == Array | |
| new_ports = [] | |
| allowed_ports.each do |port| | |
| new_ports << port.to_i | |
| end | |
| allowed_ports = new_ports | |
| else | |
| allowed_ports = allowed_ports.to_i | |
| end | |
| end | |
| # deal with dest_ip being set to self. | |
| if dest_ip == 'self' | |
| rfc_1918 = [ | |
| IPAddr.new('10.0.0.0/8'), | |
| IPAddr.new('172.16.0.0/12'), | |
| IPAddr.new('192.168.0.0/16') | |
| ] | |
| # Figure out what my IP addressses are | |
| my_addresses = [] | |
| lookupvar('interfaces').split(',').each do |int| | |
| if !(int =~ /lo/) # filter out all of the loopback interfaces | |
| if int =~ /^[a-z]+\d+_\d+/ # grab the sub interfaces | |
| if !(lookupvar("zone_#{int}")) # see if there is a zone associated with this interface | |
| ipaddress = lookupvar("ipaddress_#{int}") | |
| if ipaddress != '' && ipaddress != '0.0.0.0' # check for a valid ip address | |
| my_addresses << ipaddress # add the ip addres to the array | |
| end | |
| end | |
| else # look at only the regular interfaces | |
| ipaddress = lookupvar("ipaddress_#{int}") | |
| if ipaddress != '' && ipaddress != '0.0.0.0' # check for a valid ip address | |
| my_addresses << ipaddress # add the ip addres to the array | |
| end | |
| end | |
| end | |
| end | |
| end | |
| # Process the my_addresses, before putting it in the hash. | |
| fw_bits = { | |
| 'allowed_ip' => allowed_ip, | |
| 'allowed_ports' => allowed_ports, | |
| 'dest_ip' => my_addresses, | |
| 'flags' => flags, | |
| 'proto' => proto, | |
| 'service' => service, | |
| 'order' => order.to_i, | |
| 'applies_to' => builder_host, | |
| 'origin' => origin_host, | |
| 'desc' => desc | |
| } | |
| return fw_bits.to_yaml.to_s | |
| end | |
| end |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| class firewall { | |
| } | |
| # Import the defined types that make this work | |
| import "defined_types.pp" | |
| class firewall::builder { | |
| file {"/inst/pkg-ver/firewall-0.1": | |
| ensure => directory | |
| } | |
| file {"/inst/pkg/firewall": | |
| ensure => "/inst/pkg-ver/firewall-0.1" | |
| } | |
| file {"/inst/pkg-ver/firewall-0.1/bin": | |
| ensure => directory, | |
| require => File["/inst/pkg-ver/firewall-0.1"] | |
| } | |
| file {"/var/inst/firewall": | |
| ensure => directory | |
| } | |
| file {"/var/inst/firewall/rules.d": | |
| ensure => directory, | |
| require => File["/var/inst/firewall"] | |
| } | |
| File <<| tag == "firewall_${hostname}" |>> | |
| } | |
| class firewall::ssh { | |
| ucr_fw_rule {"bastion_allow_ssh": | |
| allowed_ip => ['192.168.0.5', '192.168.0.1'], | |
| allowed_ports => 22, | |
| service => "ssh" | |
| } | |
| } |
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| # Snip | |
| - !ruby/object:Puppet::TransBucket | |
| line: | |
| name: &id280 firewall::ssh | |
| type: Class | |
| children: | |
| - !ruby/object:Puppet::TransBucket | |
| line: 42 | |
| name: bastion_allow_ssh | |
| type: Ucr_fw_rule | |
| children: | |
| - !ruby/object:Puppet::TransObject | |
| line: 37 | |
| name: &id040 /var/inst/firewall/rules.d/pebble-solarisvm.bastion_allow_ssh.yml | |
| tags: | |
| - file | |
| - firewall_pebble-solarisvm | |
| - ucr_fw_rule | |
| - bastion_allow_ssh | |
| - class | |
| - firewall::ssh | |
| - firewall | |
| - ssh | |
| - node | |
| - pebble-solarisvm | |
| - main | |
| type: file | |
| params: | |
| tag: firewall_pebble-solarisvm | |
| content: "--- \n flags: \"\"\n applies_to: &id001 pebble-solarisvm\n service: ssh\n dest_ip: \n - 10.0.0.50\n - 10.0.64.39\n - 10.0.64.40\n - 10.0.62.32\n - 10.0.62.33\n order: 100\n origin: *id001\n allowed_ports: 22\n desc: \"\"\n proto: tcp\n allowed_ip: \n - 10.0.226.143\n - 10.0.248.50" | |
| path: *id040 | |
| require: | |
| - file | |
| - /var/inst/firewall/rules.d | |
| ensure: present | |
| file: /var/inst/puppet/env/dev/modules/firewall/manifests/defined_types.pp | |
| file: &id073 /var/inst/puppet/env/dev/modules/firewall/manifests/init.pp | |
| file: |
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment