IBM-Security / ibmsecurity

Idempotent functions for IBM Security Appliance REST APIs. Currently covering ISAM and ISDS Appliances.
Apache License 2.0

New functionality to export junctions from the appliance to YAML files #219

Open vcassidy opened 4 years ago

vcassidy commented 4 years ago

The isam.web.reverse_proxy.junctions.get call returns the output from the ISAM appliance. Unfortunately the data returned is not the correct values to recreate a junction.

Customers currently use proprietary ways to manage junctions rather than Ansible. With an export facility we can export junctions in such a way that existing customers can more easily migrate to Ansible.

I propose a new function isam.web.reverse_proxy.junctions.export

Ultimately I want to create an export_junction_details role so we can export all the junctions for an appliance in a similar way to how the report_junctions.yml playbook works.

ram-ibm commented 4 years ago

One other option you have is to export the reverse configuration in a zip file and import it into any target environment. That includes junctions, webseal configuration, JMT, etc.

Will look into the pull request provided - but was curious to understand the use case driving this code?

vcassidy commented 4 years ago

Hi Ram, good to hear from you.

I am revisiting the code just now as I want to test it a little further with some other junction flags. I have also been looking at the junction set where the check_mode doesn’t seem to work too well.

The reason for this is my customers can have 50+ junctions on each WebSEAL. They don’t often change WebSEAL configs but often may have to amend junctions or create new. They have some development test environments that are shared but perhaps have single WebSEAL instances so they don’t want to take an outage each time they amend a single junction. They store junctions in Git and should deploy from there but they have concerns that they have no reliable way to compare source from reality.

I have rebuilt my environment on Python 3.7.7 now and am retesting and cleaning up the code. I think this is now supported? I think it may resolve some of the issues I was seeing on the set junction.

Cheers

Vincent Cassidy

ram-ibm commented 4 years ago

I see what you are looking to do - wonder if it might make more sense to use the existing junctions.get_all() and junctions.get() functions to extract the junction information and then use that output to create YAML files?

See the report_junctions.yml playbook - instead of using a "template" to create a report, you could use that to create YAML files instead?

tombosmansibm commented 2 years ago

I've created this as a tool to help convert junction XML to YAML format. https://github.com/tombosmansibm/convertjunctionxmltoyaml