voltron/PowerCLI-Example-Scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Fix for existing configurations

Browse Source
This commit is contained in:
Markus Kraus
2020-05-28 20:38:09 +02:00
parent 222f75a6ca
commit 91cac83589
1 changed files with 50 additions and 66 deletions
Download Patch File Download Diff File Expand all files Collapse all files

116
Scripts/Set-VMHostSecureNTP.ps1
View File

@@ -1,15 +1,17 @@
function Set-VMHostSecureNTP { function Set-VMHostSecureNTP {
[CmdletBinding()] [CmdletBinding()]
param( param(
[Parameter(Mandatory=$True, ValueFromPipeline=$True, Position=0, HelpMessage = "Specifies the hosts to configure.")] [Parameter(Mandatory=$True, ValueFromPipeline=$True, HelpMessage = "Specifies the hosts to configure.")]
[ValidateNotNullorEmpty()] [ValidateNotNullorEmpty()]
[VMware.VimAutomation.Types.VMHost[]] $VMHost, [VMware.VimAutomation.Types.VMHost[]] $VMHost,
[Parameter(Mandatory=$False, ValueFromPipeline=$False, Position=1, HelpMessage = "Type of confugration")] [Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Set and Secure operation for new NTP Servers")]
[ValidateSet("SetSecure","Secure")] [Switch] $SetSecure,
[String] $Type = "SetSecure", [Parameter(Mandatory=$True, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Array of NTP Serbers")]
[Parameter(Mandatory=$True, ValueFromPipeline=$False, Position=2, HelpMessage = "Array of NTP Serbers")]
[ValidateNotNullorEmpty()] [ValidateNotNullorEmpty()]
[Array] $NTP [Array] $NTP,
[Parameter(Mandatory=$False, ValueFromPipeline=$False, ParameterSetName="SetSecure", HelpMessage = "Execute Secure operation for exitsting NTP Servers")]
[Switch] $Secure
) )
begin { begin {
@@ -74,6 +76,23 @@ function Set-VMHostSecureNTP {
Write-Warning "Error during Rule List. See latest errors..." Write-Warning "Error during Rule List. See latest errors..."
} }
"`tEnabled: $($FirewallRuleList.Enabled)" "`tEnabled: $($FirewallRuleList.Enabled)"
## Set NTP Client Firewall Rule
"Set NTP Client Firewall Rule ..."
$esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs()
$esxcliargs.enabled = "true"
$esxcliargs.allowedall = "false"
$esxcliargs.rulesetid = "ntpClient"
try {
$esxcli.network.firewall.ruleset.set.Invoke($esxcliargs)
}
catch [System.Exception] {
$ErrorMessage = $_.Exception.Message
if ($ErrorMessage -ne "Already use allowed ip list") {
Write-Warning "Error during Rule Set. See latest errors..."
}
}
"Get NTP Client Firewall Rule AllowedIP ..." "Get NTP Client Firewall Rule AllowedIP ..."
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs() $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
$esxcliargs.rulesetid = "ntpClient" $esxcliargs.rulesetid = "ntpClient"
@@ -83,9 +102,8 @@ function Set-VMHostSecureNTP {
catch [System.Exception] { catch [System.Exception] {
Write-Warning "Error during Rule List. See latest errors..." Write-Warning "Error during Rule List. See latest errors..."
} }
"`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses)" "`tAllowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")"
## Remove Existing IP from firewall rule ## Remove Existing IP from firewall rule
## BUG: If AllowedIP was enabled and is disabled now, old IPs will not be removed
"Remove Existing IP from firewall rule ..." "Remove Existing IP from firewall rule ..."
if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") { if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") {
foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) { foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) {
@@ -98,30 +116,10 @@ function Set-VMHostSecureNTP {
catch [System.Exception] { catch [System.Exception] {
Write-Warning "Error during AllowedIP remove. See latest errors..." Write-Warning "Error during AllowedIP remove. See latest errors..."
} }
} }
} }
## Set NTP Client Firewall Rule
"Set NTP Client Firewall Rule ..."
if ($FirewallRuleList.Enabled -ne $True -or $FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") {
$esxcliargs = $esxcli.network.firewall.ruleset.set.CreateArgs()
if ($FirewallRuleList.Enabled -ne $True) {
$esxcliargs.enabled = "true"
}
if ($FirewallRuleAllowedIPList.AllowedIPAddresses -eq "All") {
$esxcliargs.allowedall = "false"
}
$esxcliargs.rulesetid = "ntpClient"
try {
$esxcli.network.firewall.ruleset.set.Invoke($esxcliargs)
}
catch [System.Exception] {
Write-Warning "Error during Rule Set. See latest errors..."
}
}
## Set NTP Client Firewall Rule AllowedIP ## Set NTP Client Firewall Rule AllowedIP
### BUG: If AllowedIP was enabled and is disabled now, a duplicate Ip Cannot be added --> Workarund done
"Set NTP Client Firewall Rule AllowedIP ..." "Set NTP Client Firewall Rule AllowedIP ..."
foreach ($myNTP in $NTP) { foreach ($myNTP in $NTP) {
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs() $esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
@@ -132,55 +130,41 @@ function Set-VMHostSecureNTP {
} }
catch [System.Exception] { catch [System.Exception] {
$ErrorMessage = $_.Exception.Message $ErrorMessage = $_.Exception.Message
if ($ErrorMessage -eq "Ip address already exist.") { if ($ErrorMessage -ne "Ip address already exist.") {
Write-Warning "Error during AllowedIP remove. See latest errors..."
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
$esxcliargs.rulesetid = "ntpClient"
try {
$FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs)
}
catch [System.Exception] {
Write-Warning "Error during Rule List. See latest errors..."
}
if ($FirewallRuleAllowedIPList.AllowedIPAddresses -ne "All") {
foreach ($IP in $FirewallRuleAllowedIPList.AllowedIPAddresses) {
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.remove.CreateArgs()
$esxcliargs.rulesetid = "ntpClient"
$esxcliargs.ipaddress = $IP
try {
$esxcli.network.firewall.ruleset.allowedip.remove.Invoke($esxcliargs)
}
catch [System.Exception] {
Write-Warning "Error during AllowedIP remove. See latest errors..."
}
}
}
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.add.CreateArgs()
$esxcliargs.ipaddress = $myNTP
$esxcliargs.rulesetid = "ntpClient"
try {
$esxcli.network.firewall.ruleset.allowedip.add.Invoke($esxcliargs)
}
catch [System.Exception] {
Write-Warning "Error during Rule AllowedIP Update. '$ErrorMessage' See latest errors..."
}
} }
} }
} }
## Get New NTP Client Firewall Rule AllowedIP
"Get New NTP Client Firewall Rule AllowedIP ..."
$esxcliargs = $esxcli.network.firewall.ruleset.allowedip.list.CreateArgs()
$esxcliargs.rulesetid = "ntpClient"
try {
$FirewallRuleAllowedIPList = $esxcli.network.firewall.ruleset.allowedip.list.Invoke($esxcliargs)
}
catch [System.Exception] {
Write-Warning "Error during Rule List. See latest errors..."
}
"`tNew Allowed IP Addresses: $($FirewallRuleAllowedIPList.AllowedIPAddresses -join ", ")"
## Get New NTP Servers
"Get New NTP Servers ..."
$NewNTPServers = $MyHost | Get-VMHostNtpServer
"`tNew NTP Servers: $($NewNTPServers -join ", ")"
} }
} }
process { process {
if ($Type -eq "SetSecure") { if ($SetSecure) {
"Executing Set and Secure operation..." "Execute Set and Secure operation for new NTP Servers ..."
$VMHost | Foreach-Object { Write-Output (SetSecure $_) } $VMHost | Foreach-Object { Write-Output (SetSecure $_) }
} }
if ($Secure) {
"Execute Secure operation for exitsting NTP Servers ..."
$VMHost | Foreach-Object { Write-Output (Secure $_) }
}
} }