CiscoDevNet/ansible-meraki

meraki_mx_l3_firewall - rules are overwriting instead of appending

iamgini opened this issue · 7 comments

The meraki_mx_l3_firewall is just replacing/overwriting the entry(s) instead of adding/appending new rules. Is there a way to prevent this?

Maybe a parameter called append: yes?

Playbook:

- name: Create Meraki L3 Firewall Rule
  cisco.meraki.meraki_mx_l3_firewall:
    host: "{{ ansible_host }}"
    auth_key: abc123
    org_name: YourOrg
    net_name: YourNet
    use_https: yes
    validate_certs: yes
    state: present
    rules:
      - comment: Block traffic to server
        src_cidr: 192.0.1.0/24
        src_port: any
        dest_cidr: 192.0.2.2/32
        dest_port: any
        protocol: any
        policy: deny
    syslog_default_rule: yes
  delegate_to: localhost
  register: l3_rule_status

- debug:
    msg: "{{ l3_rule_status }}"

Thanks

This is how the API works and for me to add support for modifying individual rules would complicate the module more than it already is. Are you trying to update just one rule?

@kbreit
oh okay. Trying to add new rules actually. It seems I need to collect existing rules and then add all rules back with the new rule!

Or am I doing something wrong with the module?

You're correct. You'll need to download the rules, modify how you need, and reupload. I wish there was an easier way to do it but with the API handling it this way it isn't easy for me to modify individual rules.

Understood.

@kbreit thank you for explaining this :)

Hi @kbreit
We have tried the method which we discussed last time - gather existing rules and combine them with a new entry. This is working with IP/CIDR/FQDN.
But when there are objects and object groups in the source/destination, the module fails. It says it expects IP/CIDR/FQDN.

I have checked the API and couldn't find an option to mention the object or object group as source/destination.

Comma-separated list of destination IP address(es) (in IP or CIDR notation), fully-qualified domain names (FQDN) or 'any'

Do you have any information about this?

Thanks in advance.

Please send an example playbook I can use to piece this together. Your point makes sense.

Hi @kbreit sure.

Yeah, otherwise the module is not useful, as we are not even able to follow the "fetch and combine" method.

New rule to add:

    meraki_rules_new_list:
      - comment: "{{ meraki_rule_description }}"
        protocol: "{{ meraki_rule_protocol }}"
        src_cidr: "{{ meraki_rule_source_cidr }}"
        src_port: "{{ meraki_rule_source_port }}"
        dest_cidr: "{{ meraki_rule_dest_cidr }}"
        dest_port: "{{ meraki_rule_dest_port }}"
        policy: "{{ meraki_rule_policy }}"

Please see my tasks below.

- name: Fetch firewall rules
  meraki_mx_l3_firewall:
    host: "{{ meraki_host }}"
    auth_key: "{{ meraki_auth_key }}"
    org_name: "{{ meraki_org_name }}"
    net_name: "{{ meraki_network_name }}"
    state: query
  delegate_to: localhost
  register: meraki_l3_fw_status

- name: Combine with new rule
  ansible.builtin.set_fact:
    meraki_rules_final_list: "{{ [meraki_rules_new_list, meraki_l3_fw_status.data.rules] | community.general.lists_mergeby('comment') }}"

- name: Prepare API Data for Meraki
  ansible.builtin.set_fact:
    meraki_rules_data: "{ 'rules': {{ meraki_rules_final_list }} }"

- name: Update Meraki L3 Firewall Rules
  cisco.meraki.meraki_mx_l3_firewall:
    host: "{{ meraki_host }}"
    auth_key: "{{ meraki_auth_key }}"
    org_name: "{{ meraki_org_name }}"
    net_name: "{{ meraki_network_name }}"
    use_https: yes
    validate_certs: yes
    state: present
    rules: "{{ meraki_rules_data }}"
  delegate_to: localhost
  register: l3_rule_status
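The "fetch, combine, re-upload" procedure the maintainer describes above and the playbook just posted, as an added Python example that is not part of the thread or of the module's code: the merge replaces rules by comment in place and prepends the rest without sorting, since the MX evaluates L3 rules top-down and stops at the first match, and a pre-flight check reports any src_cidr/dest_cidr value that is not IP/CIDR/FQDN/any (the case the module rejects when object groups are referenced) before the whole rule set is replaced. The sample rules are constructed and use the module's snake_case input keys.

```python
import ipaddress
import re

# Constructed stand-in for meraki_l3_fw_status.data.rules; not real API output.
EXISTING_RULES = [
    {"comment": "Allow DNS", "policy": "allow", "protocol": "udp", "src_cidr": "any",
     "src_port": "any", "dest_cidr": "10.0.0.53/32", "dest_port": "53"},
    {"comment": "Block traffic to server", "policy": "allow", "protocol": "tcp",
     "src_cidr": "192.0.1.0/24", "src_port": "any", "dest_cidr": "192.0.2.2/32", "dest_port": "443"},
]
# Constructed: the first updates an existing comment, the second is genuinely new.
NEW_RULES = [
    {"comment": "Block traffic to server", "policy": "deny", "protocol": "any",
     "src_cidr": "192.0.1.0/24", "src_port": "any", "dest_cidr": "192.0.2.2/32", "dest_port": "any"},
    {"comment": "Allow intranet web", "policy": "allow", "protocol": "tcp", "src_cidr": "10.1.0.0/16",
     "src_port": "any", "dest_cidr": "intranet.example.com", "dest_port": "80,443"},
]
_FQDN_RE = re.compile(r"^(?=.{1,253}$)(?!-)[A-Za-z0-9-]{1,63}(?<!-)(\.(?!-)[A-Za-z0-9-]{1,63}(?<!-))+$")

def merge_rules(existing, new, key="comment"):
    """Complete rule set for state: present. A new rule whose comment matches an existing
    one replaces it in place; unmatched new rules are prepended. Nothing is sorted,
    because the MX evaluates L3 rules top-down and stops at the first match."""
    pending = {r[key]: r for r in new}
    merged = [pending.pop(r[key], r) for r in existing]  # in-place replacement
    prepend = [r for r in new if r[key] in pending]       # still-unmatched new rules
    return prepend + merged

def _valid_endpoint(token):
    """True only for the forms the module accepts: 'any', an IP, a CIDR or an FQDN."""
    token = token.strip()
    if token.lower() == "any":
        return True
    try:
        ipaddress.ip_network(token, strict=False)
        return True
    except ValueError:
        return bool(_FQDN_RE.match(token))

def validate_endpoints(rules):
    """Pre-flight check before re-uploading: report every src_cidr/dest_cidr token that is
    not IP/CIDR/FQDN/any (e.g. an object-group reference) before the rule set is replaced."""
    errors = []
    for rule in rules:
        for field in ("src_cidr", "dest_cidr"):
            for token in str(rule.get(field, "")).split(","):
                if not _valid_endpoint(token):
                    errors.append(f"{rule.get('comment', '?')}: {field}={token.strip()!r}")
    return errors
```

Run `validate_endpoints` on the merged list and abort the `state: present` task if it returns anything; otherwise a single bad entry fails the upload after the existing rules have already been fetched for replacement.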