ansible-collections / ansible.posix

Ansible Collection for Posix

firewalld_info (new module request) #98

Closed ArchitectPim closed 3 years ago

ArchitectPim commented 3 years ago
SUMMARY

Defining the end-state of the firewall settings independently of the starting state of the firewall, so replacing the existing state with the desired end-state (if changed).

Currently with the firewalld module, the changes are made incrementally on the existing state.

ISSUE TYPE
COMPONENT NAME

firewalld

ADDITIONAL INFORMATION

First I have to tell that I am quite new to Ansible. My understanding of Ansible is that it is a configuration management system to be used to manage servers from a central point. In my opinion this means that I can define and set the end-state, independently from the starting state.

For firewalld this does not work.

When the starting state is (in the example I focus only on the services, but the story holds true for all zone parameters):

$ sudo firewall-cmd --list-services
https

Executing the task:

  # Adds ssh on top of whatever the zone already allows; nothing is removed.
  - firewalld:
      zone: somezone
      service: ssh
      permanent: yes
      state: enabled

will result in:

$ sudo firewall-cmd --list-services
https ssh

I know I can remove a service with a task:

  # Removes the pre-existing https service from the zone; one such task is
  # needed per service that should not remain enabled.
  - firewalld:
      zone: somezone
      service: https
      permanent: yes
      state: disabled

However, to be able to do this, I first need to determine by logging into the server which services are enabled and then add a task for every service that is not required. In my opinion, this is not how it should work.

A firewall is key to the security of a server. So, in my opinion, it is necessary to be able to define the end-state of a firewall independently of the start state.

maxamillion commented 3 years ago

Thank you for submitting the issue ticket against this Ansible Collection, I appreciate the feedback!

Ansible is an automation tool. Ansible is capable of automating anything with a network connection (and even some local connection options) over any native protocol. There are examples of using Ansible to automate network hardware (cisco, juniper, palo alto, etc), server hardware (redfish, drac, ilo), storage area networks, mainframes, and all the way to things like Phillips Hue lightbulbs. Ansible largely aims to provide the ability for a user to prescribe a series of tasks, order of operations or otherwise, to automate against a particular device or technology (we also integrate with various SaaS and appliances via REST APIs).

That being said, since each task is a single action to be automated, the general pattern is that if you need state inspection of a system, that can be accomplished using facts or *_info modules.

I will agree that there's a gap here and we should probably have a firewalld_info module that will gather that information in a way that can be easily used with the firewalld module in a playbook.

I'll mark this as a feature request, thank you!
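The pattern described in the two comments above (inspect the current state, then drive the firewalld module from the difference) can already be expressed without a firewalld_info module. The playbook below is an added example written for this page; it is not code from the issue or from the ansible.posix collection. It assumes a zone named somezone, a desired service set of ssh and https, and reads the current permanent configuration with firewall-cmd in place of the requested info module. The ansible.posix.firewalld parameters used (zone, service, permanent, immediate, state) and the difference filter are standard Ansible.

```yaml
# Added example, not part of the issue or the collection: enforce an explicit
# end-state for the services of one firewalld zone, whatever the starting state.
# Assumed values: zone "somezone", desired services ssh and https.
- name: Enforce an explicit end-state for firewalld services in one zone
  hosts: all
  become: true
  vars:
    fw_zone: somezone
    fw_services:
      - ssh        # keep management access in the desired set or you lock yourself out
      - https
  tasks:
    # Stand-in for the missing firewalld_info module: read the permanent
    # configuration of the zone. changed_when: false keeps this read-only
    # step from reporting a change in the play recap.
    - name: Read the services currently enabled in the permanent config
      ansible.builtin.command: >
        firewall-cmd --permanent --zone={{ fw_zone }} --list-services
      register: fw_current
      changed_when: false

    # Set arithmetic on the two lists: what is enabled but unwanted, and
    # what is wanted but not yet enabled.
    - name: Compute which services to remove and which to add
      ansible.builtin.set_fact:
        fw_to_remove: "{{ fw_current.stdout.split() | difference(fw_services) }}"
        fw_to_add: "{{ fw_services | difference(fw_current.stdout.split()) }}"

    # permanent + immediate changes both the saved config and the running
    # firewall, so the runtime state cannot drift from what was declared.
    - name: Remove services that are enabled but not in the desired set
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: disabled
      loop: "{{ fw_to_remove }}"

    - name: Enable desired services that are missing
      ansible.posix.firewalld:
        zone: "{{ fw_zone }}"
        service: "{{ item }}"
        permanent: true
        immediate: true
        state: enabled
      loop: "{{ fw_to_add }}"
```

Two caveats a practitioner should keep in mind. Plain `firewall-cmd --list-services` shows the runtime state, which can differ from the permanent configuration; the example reads the permanent side because that is what survives a reload, and it writes to both so the two cannot diverge. The same inspect-diff-apply pattern covers the other zone parameters the issue mentions (ports, sources, rich rules) by swapping in `--list-ports`, `--list-sources` and so on together with the matching firewalld module option; services alone are shown here to keep the example short.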