## PowerNSX Sample Script
## Author: Dale Coghlan
## version 1.0
## April 2018
########################################
# 1 - Connect to your NSX Manager
# 2 - Run the script and provide the name of the rule you want to move, and also
# the name of the section you want to move the rule into.
<#
Copyright © 2017 VMware, Inc. All Rights Reserved.
This program is free software: you can redistribute it and/or modify it under
the terms of the GNU General Public License version 2, as published by the Free
Software Foundation.
This program is distributed in the hope that it will be useful, but WITHOUT ANY
WARRANTY; without even the implied warranty of MERCHANTIBILITY or FITNESS
FOR A PARTICULAR PURPOSE. See the GNU General Public License version 2 for more
details.
You should have received a copy of the General Public License version 2 along
with this program. If not, see https://www.gnu.org/licenses/gpl-2.0.html.
The full text of the General Public License 2.0 is provided in the COPYING file.
Some files may be comprised of various open source software components, each of which
has its own license that is located in the source code of the respective component.
#>
<#
This is a SAMPLE script that finds a DFW rule based on the name provided, and
moves it into the DFW section based on the section name provided.
It is intended to be an example of how to perform a certain action and may not
be suitable for all purposes. Only basic parameters and error checking have been
implemented. Please read and understand its actions and modify as appropriate, or
ensure its suitability for a given situation before blindly running it.
Testing is limited to a lab environment. Please test accordingly.
#>
param (
    [Parameter(Mandatory = $true)]
    # Name of the DFW rule to find and move into the specified DFW section
    [string]$ruleName,
    [Parameter(Mandatory = $true)]
    # Name of the DFW section the specified rule is moved into
    [string]$sectionName
)
################################################################################
# The fun starts here
################################################################################
# Platform-specific path separator ('\' on Windows, '/' elsewhere) so the log
# file path built below is valid wherever the script runs.
$pathSeparator = [System.IO.Path]::DirectorySeparatorChar
# Timestamp that gives every run its own debug log file.
$dtstring = Get-Date -Format 'yyyy_MM_dd_HH_mm_ss'
# The debug log lands in the current location (the directory the script is run
# from), named after this script plus the run timestamp, e.g.
# .\MoveDfwRule2Section_2018_04_01_12_00_00.log  (constructed example)
$DebugFileNamePrefix = [System.IO.Path]::GetFileNameWithoutExtension($MyInvocation.InvocationName)
$DebugLogFile = '.{0}{1}_{2}.log' -f $pathSeparator, $DebugFileNamePrefix, $dtstring
# Record when the run started
$StartTime = Get-Date
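function Write-Log {
    <#
    .SYNOPSIS
    Writes a timestamped, caller-line-stamped message to the console and
    appends the same line to the run's debug log file.

    .DESCRIPTION
    Reads the script-scope variable $DebugLogFile and creates that file on the
    first call if it does not exist yet. Every level (host, warning, verbose)
    is written to the file; only the console output differs by level.

    .PARAMETER level
    "host" (default, coloured Write-Host), "warning" (Write-Warning) or
    "verbose" (Write-Verbose, i.e. only shown when -Verbose is in effect).

    .PARAMETER ForegroundColor
    Console colour used for level "host"; ignored for the other levels.

    .PARAMETER msg
    The message to log.
    #>
    param (
        [Parameter(Mandatory = $false)]
        [ValidateSet("host", "warning", "verbose")]
        [string]$level = "host",
        [Parameter(Mandatory = $false)]
        [ValidateNotNullOrEmpty()]
        [ValidateSet("white", "yellow", "red", "magenta", "cyan", "green")]
        [string]$ForegroundColor = "white",
        [Parameter(Mandatory = $true)]
        [ValidateNotNullOrEmpty()]
        [object]$msg
    )
    # Inside a function $MyInvocation describes the call to Write-Log itself,
    # so ScriptLineNumber is the caller's line - the one worth recording.
    $msgPrefix = "$(Get-Date -Format "HH:mm:ss") : Line($($MyInvocation.ScriptLineNumber)) :"
    # -LiteralPath: the log name is derived from the script's own file name,
    # which may contain characters such as '[' that -Path would treat as wildcards.
    if ( -not ( Test-Path -LiteralPath $DebugLogFile )) {
        Write-Host "$msgPrefix Log file not found... creating a new one"
        New-Item -ItemType File -Path $DebugLogFile | Out-Null
        if ( Test-Path -LiteralPath $DebugLogFile ) {
            Write-Host "$msgPrefix Logging to file $DebugLogFile"
        }
    }
    $line = "$msgPrefix $msg"
    switch ($level) {
        "warning" { Write-Warning $line }
        "verbose" { Write-Verbose $line }
        default   { Write-Host $line -ForegroundColor $ForegroundColor }
    }
    # Hoisted out of the switch: every level is persisted, and no new branch
    # can forget to do so.
    Add-Content -LiteralPath $DebugLogFile -Value $line
}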
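# Make sure we have a connection to NSX Manager
If ( -not $DefaultNsxConnection ) {
    throw "Please connect to NSX first"
}
# Pass the default connection explicitly. The original handed an unassigned
# $connection variable to invoke-nsxwebrequest; this makes the dependency visible.
$connection = $DefaultNsxConnection

#######################################
# Builds an XPath string literal for an arbitrary value.
# $ruleName and $sectionName are interpolated into XPath queries below; a name
# containing a single quote cannot be written as '...' and would otherwise
# break (or change the meaning of) the query.
# Arguments: $value - the raw string
# Outputs:   an XPath expression evaluating to exactly $value
#######################################
function ConvertTo-XPathLiteral {
    param ([string]$value)
    if ($value -notmatch "'") { return "'$value'" }
    if ($value -notmatch '"') { return "`"$value`"" }
    # Contains both quote kinds: split on ' and stitch the pieces with concat().
    $parts = ($value -split "'") | ForEach-Object { "'$_'" }
    return "concat(" + ($parts -join ", `"'`", ") + ")"
}

# The DFW configuration is read and written back as one document: fetch it all,
# edit a local copy, then PUT the whole thing.
$uri = "/api/4.0/firewall/globalroot-0/config"
write-log -level host -msg "Retrieving complete DFW configuration"
$response = invoke-nsxwebrequest -URI $uri -Method GET -connection $connection
[system.xml.xmldocument]$responseXml = $response.content
# Clone the DFW configuration so modifying XML doesn't affect the source.
$_responseXml = $responseXml.CloneNode($true)

write-log -level host -msg "Searching for firewall rule with name $ruleName"
# Find the rule (by its <name> child) and the destination section (by @name).
$rule = $_responseXml.SelectSingleNode("//rule[name=$(ConvertTo-XPathLiteral $ruleName)]")
$section = $_responseXml.SelectSingleNode("//section[@name=$(ConvertTo-XPathLiteral $sectionName)]")

# Stop early, naming what is missing, when either lookup failed. The original
# compared parent/section names before checking for $null, so a missing rule
# or section produced the misleading "already exists" error instead.
if (-not $rule) {
    write-log -level warning -msg "No firewall rule with name '$ruleName' was found. Nothing changed."
    throw "Rule not found"
}
if (-not $section) {
    write-log -level warning -msg "No firewall section with name '$sectionName' was found. Nothing changed."
    throw "Section not found"
}
write-log -level host -msg "Found firewall rule with name $ruleName ($($rule.id))"
write-log -level host -msg "Found firewall section with name $sectionName ($($section.id))"

# Sanity check: the rule must not already live in the destination section.
# Compared by section id, as the post-move check below does, rather than by name.
if ($rule.parentNode.id -eq $section.id) {
    write-log -level host -ForegroundColor yellow -msg "Rule '$($ruleName)' with ID '$($rule.id)' already exists in the destination section '$($section.name)' with ID '$($section.id)'"
    throw "Rule already exists in destination section"
}

# Move the rule: import it into the destination section, then drop the original
# from its source section.
$ruleImport = $section.ownerDocument.ImportNode($rule, $True)
$section.AppendChild($ruleImport) | out-null
$rule.parentNode.removeChild($rule) | out-null

# Post-move sanity checks on the edited document:
# - a rule with this name still exists, and
# - every rule with this name now sits in the destination section.
# @() forces the XmlNodeList into an array so an empty result is detectable via
# .Count; the original tested the node-list object itself, which is not
# reliably $false when it is empty.
$proceed = $True
$sanityCheck = @($_responseXml.SelectNodes("//rule[name=$(ConvertTo-XPathLiteral $ruleName)]"))
if ($sanityCheck.Count -eq 0) {
    write-log -level warning -msg "Rule '$ruleName' is no longer present in the edited configuration."
    $proceed = $False
} else {
    foreach ($result in $sanityCheck) {
        if ( $result.parentNode.id -ne $section.id ) {
            write-log -level warning -msg "A rule named '$ruleName' ($($result.id)) is still in section '$($result.parentNode.name)' ($($result.parentNode.id))."
            $proceed = $False
        }
    }
}

# NB: the original wrote 'if ($proceed = $True)' - an assignment, not a
# comparison - which always succeeded and so never honoured the checks above.
# A failed check must not result in the firewall configuration being written.
if (-not $proceed) {
    write-log -level host -ForegroundColor red -msg "Sanity checks failed. DFW configuration NOT updated."
    throw "Sanity checks failed"
}
write-log -level host -ForegroundColor green -msg "Sanity checks passed."
write-log -level host -msg "Updating DFW configuration."

# Write the whole configuration back. If-Match carries the ETag returned by the
# GET, so the server can refuse the PUT if the configuration changed in the
# meantime rather than letting this stale copy overwrite a concurrent edit.
$body = $_responseXml.OuterXml
$AdditionalHeaders = @{"If-Match" = $response.Headers.ETag}
$updateResponse = invoke-nsxwebrequest -method "put" -uri $uri -body $body -extraheader $AdditionalHeaders -connection $connection
if ( $updateResponse | Get-Member -memberType Properties -name statusCode ) {
    if ( $updateResponse.statusCode -ne '200' ) {
        write-log -level host -ForegroundColor red -msg "Failed to update DFW configuration (status $($updateResponse.statusCode))."
    } else {
        write-log -level host -ForegroundColor green -msg "Successfully updated DFW configuration."
    }
} else {
    # The original stayed silent here; say so rather than let the run look successful.
    write-log -level warning -msg "Update response carried no statusCode; verify the DFW configuration manually."
}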