Weird exported resource behavior: `fw_yaml` returns the rule as a YAML *string* (second dump below, `content: "--- \n flags: ..."`), but the same kind of exported resource, once stored and collected back for `pebble-solarisvm`, shows up in the first dump with `content:` as an already-parsed mapping rather than a string. This looks like the stored YAML-formatted value being deserialised again on the way back out of storeconfigs — confirm against the storeconfigs backend before relying on `content` being a string at collection time.
# ucr_fw_rule: export one firewall rule as a YAML file under
# /var/inst/firewall/rules.d, tagged "firewall_<builder host>" so that the
# firewall::builder class on that host collects it.
#
# Parameters:
#   $allowed_ip    source address(es) the rule permits (required)
#   $allowed_ports destination port(s) (required)
#   $origin        host the rule is for; 'self' = this node's $hostname.
#                  Forms part of the exported file name together with $name.
#   $dest_ip       destination address(es); 'self' is resolved by fw_yaml
#   $ensure        passed straight through to the exported file
#   $flags, $proto, $service, $order, $desc  copied into the YAML by fw_yaml
#   $applies_to    host whose builder should receive the rule; 'self' = this
#                  node, or $global_zone when this node is a Solaris zone
#
# NOTE(review): $applies_to is chosen by the exporting node, and the
# collector in firewall::builder matches on the tag alone, so any node that
# can export resources can place rule files into any other host's rules.d.
# Confirm that every node with storeconfigs access is trusted to do that.
define ucr_fw_rule (
$allowed_ip,
$allowed_ports,
$origin = 'self',
$dest_ip = 'self',
$ensure = 'present',
$flags = '',
$proto = 'tcp',
$service = 'unknown',
$applies_to = 'self',
$order = 100,
$desc = '') {
# The same builder-host / origin-host resolution is repeated inside fw_yaml;
# the two copies must stay in step or the tag and the YAML will disagree.
if $applies_to == 'self' {
# Facts are strings, hence the comparison of $zone with the string 'true'.
if ($operatingsystem == 'Solaris' ) and ( $zone == 'true') {
$builder_host = $global_zone
} else {
$builder_host = $hostname
}
} else {
$builder_host = $applies_to
}
if $origin == 'self' {
$origin_host = $hostname
} else {
$origin_host = $origin
}
# Exported (@@) so the builder host realises it. fw_yaml does not use its
# $name argument; it reads every value it needs from this scope via lookupvar.
# No owner/group/mode is set here, so the collected file gets the defaults.
@@file {"/var/inst/firewall/rules.d/${origin_host}.${name}.yml":
ensure => "${ensure}",
content => fw_yaml($name),
tag => "firewall_${builder_host}",
require => File['/var/inst/firewall/rules.d']
}
}
- !ruby/object:Puppet::TransObject
line: 37
name: &id074 /var/inst/firewall/rules.d/oraiasenv.bastion_allow_ssh.yml
tags:
- file
- firewall_pebble-solarisvm
- class
- firewall::builder
- firewall
- builder
- node
- pebble-solarisvm
- main
type: file
params:
tag: firewall_pebble-solarisvm
content:
flags: ""
service: ssh
applies_to: pebble-solarisvm
dest_ip:
- 10.0.64.40
- 10.0.62.33
order: 100
origin: oraiasenv
allowed_ports: 22
desc: ""
allowed_ip:
- 10.0.226.143
- 138.23.248.50
proto: tcp
path: *id074
require:
- file
- /var/inst/firewall/rules.d
ensure: present
file:
require 'yaml'
require 'ipaddr'
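module Puppet::Parser::Functions
  # fw_yaml: build the YAML document that ucr_fw_rule writes into an exported
  # rule file under /var/inst/firewall/rules.d.
  #
  # The define passes $name as an argument, but the argument is not used:
  # every value is read from the calling scope with lookupvar — the define's
  # parameters (allowed_ip, allowed_ports, dest_ip, flags, proto, service,
  # desc, applies_to, origin, order) and facts (hostname, operatingsystem,
  # zone, global_zone, interfaces, ipaddress_*, zone_*).
  #
  # Returns the YAML as a String.
  #
  # Raises Puppet::ParseError when a port is not an integer in 1..65535, or
  # when dest_ip => 'self' is requested but the interfaces fact is unset, so
  # a bad rule fails the catalog compile instead of silently becoming a rule
  # for port 0 (String#to_i) or for an empty destination list.
  #
  # Fixes relative to the previous version: an explicit dest_ip list is now
  # emitted (it used to be dropped and nil written instead, because only the
  # 'self' branch assigned the variable that was serialised); sub-interfaces
  # are no longer skipped merely because lookupvar reports an unset zone_*
  # fact as a truthy :undefined/:undef symbol; non-string ipaddress_* values
  # are never serialised.
  newfunction(:fw_yaml, :type => :rvalue) do |args|
    allowed_ip    = lookupvar('allowed_ip')
    allowed_ports = lookupvar('allowed_ports')
    dest_ip       = lookupvar('dest_ip')
    flags         = lookupvar('flags')
    proto         = lookupvar('proto')
    service       = lookupvar('service')
    desc          = lookupvar('desc')
    name          = lookupvar('name')
    hostname      = lookupvar('hostname')
    applies_to    = lookupvar('applies_to')
    origin        = lookupvar('origin')
    order         = lookupvar('order')
    os            = lookupvar('operatingsystem')

    # lookupvar reports an unset variable as :undefined (Puppet 2.6) or
    # :undef / nil (later releases); treat all of those as "not set".
    unset = lambda do |value|
      value.nil? || value == false || value == '' ||
        value == :undefined || value == :undef
    end

    # The host whose firewall::builder collects this rule. This mirrors the
    # logic in the ucr_fw_rule define, which computes the same value for the
    # export tag; the two must stay in step or the tag and the YAML disagree.
    builder_host =
      if applies_to != 'self'
        applies_to
      elsif os == 'Solaris' && lookupvar('zone') == 'true'
        # Inside a Solaris zone the global zone builds the rule.
        lookupvar('global_zone')
      else
        hostname
      end

    origin_host = origin == 'self' ? hostname : origin

    # Ports: keep the literal 'any', otherwise validate and coerce each value
    # to an Integer. A digits-only match plus a range check is used instead
    # of Integer() because Integer('022') would be parsed as octal.
    to_port = lambda do |port|
      text = port.to_s.strip
      unless text =~ /\A\d{1,5}\z/ && (1..65535).include?(text.to_i)
        raise Puppet::ParseError,
              "fw_yaml: invalid port #{port.inspect} in rule #{name}"
      end
      text.to_i
    end
    unless allowed_ports == 'any'
      allowed_ports =
        if allowed_ports.is_a?(Array)
          allowed_ports.map { |port| to_port.call(port) }
        else
          to_port.call(allowed_ports)
        end
    end

    # dest_ip == 'self' means "this node's own addresses": walk the interfaces
    # fact and collect the ipaddress_<iface> fact of every non-loopback
    # interface. Sub-interfaces (names like e1000g0_1) are included only when
    # no zone_<iface> fact claims them. Any other dest_ip value is emitted
    # unchanged.
    if dest_ip == 'self'
      interfaces = lookupvar('interfaces')
      if unset.call(interfaces)
        raise Puppet::ParseError,
              "fw_yaml: interfaces fact is not set; cannot resolve " \
              "dest_ip => 'self' for rule #{name}"
      end

      usable_address = lambda do |addr|
        addr.is_a?(String) && addr != '' && addr != '0.0.0.0'
      end

      dest_ip = []
      interfaces.to_s.split(',').each do |int|
        # Unanchored, as before: anything whose name contains "lo" is skipped.
        next if int =~ /lo/
        if int =~ /^[a-z]+\d+_\d+/
          # Sub-interface: skip it if a zone owns it.
          next unless unset.call(lookupvar("zone_#{int}"))
        end
        ipaddress = lookupvar("ipaddress_#{int}")
        dest_ip << ipaddress if usable_address.call(ipaddress)
      end
      # NOTE(review): the previous version declared the RFC 1918 ranges here
      # but never applied them; the collected addresses are not filtered by
      # range, so public addresses on the host are included as well.
    end

    fw_bits = {
      'allowed_ip'    => allowed_ip,
      'allowed_ports' => allowed_ports,
      'dest_ip'       => dest_ip,
      'flags'         => flags,
      'proto'         => proto,
      'service'       => service,
      'order'         => order.to_i,
      'applies_to'    => builder_host,
      'origin'        => origin_host,
      'desc'          => desc
    }
    fw_bits.to_yaml.to_s
  end
end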
# firewall: empty marker/namespace class in this manifest; the behaviour is
# in firewall::builder, firewall::ssh and the ucr_fw_rule define.
class firewall {
}
# Import the defined types that make this work
import "defined_types.pp"
# firewall::builder: the receiving side. Creates the versioned package
# directory layout under /inst and the rules.d drop directory, then collects
# every exported File tagged with this host's name (exported by ucr_fw_rule).
class firewall::builder {
file {"/inst/pkg-ver/firewall-0.1":
ensure => directory
}
# ensure => <path> makes /inst/pkg/firewall a symlink to the versioned dir.
file {"/inst/pkg/firewall":
ensure => "/inst/pkg-ver/firewall-0.1"
}
file {"/inst/pkg-ver/firewall-0.1/bin":
ensure => directory,
require => File["/inst/pkg-ver/firewall-0.1"]
}
file {"/var/inst/firewall":
ensure => directory
}
# No owner/group/mode is set on rules.d or on the collected rule files
# (neither here nor in ucr_fw_rule); they get the File type defaults.
# Confirm the directory is not group/world-writable, since its contents
# become firewall rules.
file {"/var/inst/firewall/rules.d":
ensure => directory,
require => File["/var/inst/firewall"]
}
# Collection is by tag alone: nothing checks that the exporting node is
# allowed to push rules to this host, only that it used this host's name
# in the tag. The tag is built from $hostname, so a rule exported for a
# Solaris global zone is collected by that global zone.
File <<| tag == "firewall_${hostname}" |>>
}
# firewall::ssh: allow TCP/22 from the two listed addresses to this node.
# origin, dest_ip and applies_to keep their 'self' defaults, so the rule is
# exported for, and collected by, this node's own firewall::builder.
class firewall::ssh {
ucr_fw_rule {"bastion_allow_ssh":
allowed_ip => ['192.168.0.5', '192.168.0.1'],
allowed_ports => 22,
service => "ssh"
}
}
# Snip
- !ruby/object:Puppet::TransBucket
line:
name: &id280 firewall::ssh
type: Class
children:
- !ruby/object:Puppet::TransBucket
line: 42
name: bastion_allow_ssh
type: Ucr_fw_rule
children:
- !ruby/object:Puppet::TransObject
line: 37
name: &id040 /var/inst/firewall/rules.d/pebble-solarisvm.bastion_allow_ssh.yml
tags:
- file
- firewall_pebble-solarisvm
- ucr_fw_rule
- bastion_allow_ssh
- class
- firewall::ssh
- firewall
- ssh
- node
- pebble-solarisvm
- main
type: file
params:
tag: firewall_pebble-solarisvm
content: "--- \n flags: \"\"\n applies_to: &id001 pebble-solarisvm\n service: ssh\n dest_ip: \n - 10.0.0.50\n - 10.0.64.39\n - 10.0.64.40\n - 10.0.62.32\n - 10.0.62.33\n order: 100\n origin: *id001\n allowed_ports: 22\n desc: \"\"\n proto: tcp\n allowed_ip: \n - 10.0.226.143\n - 10.0.248.50"
path: *id040
require:
- file
- /var/inst/firewall/rules.d
ensure: present
file: /var/inst/puppet/env/dev/modules/firewall/manifests/defined_types.pp
file: &id073 /var/inst/puppet/env/dev/modules/firewall/manifests/init.pp
file: