voltron/PowerCLI-Example-Scripts
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

updated module with VMC Firewall functions

Browse Source
This commit is contained in:
alanrenouf
2018-01-31 20:40:39 -08:00
parent d6861d38fb
commit e0e4a56826
2 changed files with 370 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

BIN
Modules/VMware.VMC/VMware.VMC.psd1
View File

Binary file not shown.

371
Modules/VMware.VMC/VMware.VMC.psm1
View File

@@ -320,4 +320,373 @@ Function Get-VMCSDDCVersion {
} }
} }
} }
Export-ModuleMember -Function 'Get-VMCCommand', 'Connect-VMCVIServer', 'Get-VMCOrg', 'Get-VMCSDDC', 'Get-VMCTask', 'Get-VMCSDDCDefaultCredential', 'Get-VMCSDDCPublicIP', 'Get-VMCVMHost', 'Get-VMCSDDCVersion'
Function Get-VMCFirewallRule {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 11/19/2017
Organization: VMware
Blog: https://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Retruns VMC Firewall Rules for a given Gateway (MGW or CGW)
.DESCRIPTION
Retruns VMC Firewall Rules for a given Gateway (MGW or CGW)
.EXAMPLE
Get-VMCFirewallRule -OrgName <Org Name> -SDDCName <SDDC Name> -GatewayType <MGW or CGW>
.EXAMPLE
Get-VMCFirewallRule -OrgName <Org Name> -SDDCName <SDDC Name> -GatewayType <MGW or CGW> -ShowAll
#>
param(
[Parameter(Mandatory=$false)][String]$SDDCName,
[Parameter(Mandatory=$false)][String]$OrgName,
[Parameter(Mandatory=$false)][Switch]$ShowAll,
[Parameter(Mandatory=$true)][ValidateSet("MGW","CGW")][String]$GatewayType
)
if($GatewayType -eq "MGW") {
$EdgeId = "edge-1"
} else {
$EdgeId = "edge-2"
}
$orgId = (Get-VMCOrg -Name $OrgName).Id
$sddcId = (Get-VMCSDDC -Name $SDDCName -Org $OrgName).Id
$firewallConfigService = Get-VmcService com.vmware.vmc.orgs.sddcs.networks.edges.firewall.config
$firewallRules = ($firewallConfigService.get($orgId, $sddcId, $EdgeId)).firewall_rules.firewall_rules
if(-not $ShowAll) {
$firewallRules = $firewallRules | where { $_.rule_type -ne "default_policy" -and $_.rule_type -ne "internal_high" -and $_.name -ne "vSphere Cluster HA" -and $_.name -ne "Outbound Access" } | Sort-Object -Property rule_tag
} else {
$firewallRules = $firewallRules | Sort-Object -Property rule_tag
}
$results = @()
foreach ($firewallRule in $firewallRules) {
if($firewallRule.source.ip_address.Count -ne 0) {
$source = $firewallRule.source.ip_address
} else { $source = "ANY" }
if($firewallRule.application.service.protocol -ne $null) {
$protocol = $firewallRule.application.service.protocol
} else { $protocol = "ANY" }
if($firewallRule.application.service.port -ne $null) {
$port = $firewallRule.application.service.port
} else { $port = "ANY" }
$tmp = [pscustomobject] @{
ID = $firewallRule.rule_id;
Name = $firewallRule.name;
Type = $firewallRule.rule_type;
Action = $firewallRule.action;
Protocol = $protocol;
Port = $port;
SourceAddress = $source
DestinationAddress = $firewallRule.destination.ip_address;
}
$results+=$tmp
}
$results
}
Function Export-VMCFirewallRule {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 11/19/2017
Organization: VMware
Blog: https://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Exports all "customer" created VMC Firewall Rules to JSON file
.DESCRIPTION
Exports all "customer" created VMC Firewall Rules to JSON file
.EXAMPLE
Export-VMCFirewallRule -OrgName <Org Name> -SDDCName <SDDC Name> -GatewayType <MGW or CGW> -Path "C:\Users\lamw\Desktop\VMCFirewallRules.json"
#>
param(
[Parameter(Mandatory=$false)][String]$SDDCName,
[Parameter(Mandatory=$false)][String]$OrgName,
[Parameter(Mandatory=$true)][ValidateSet("MGW","CGW")][String]$GatewayType,
[Parameter(Mandatory=$false)][String]$Path
)
if (-not $global:DefaultVMCServers) { Write-error "No VMC Connection found, please use the Connect-VMC to connect"; break }
if($GatewayType -eq "MGW") {
$EdgeId = "edge-1"
} else {
$EdgeId = "edge-2"
}
$orgId = (Get-VMCOrg -Name $OrgName).Id
$sddcId = (Get-VMCSDDC -Name $SDDCName -Org $OrgName).Id
if(-not $orgId) {
Write-Host -ForegroundColor red "Unable to find Org $OrgName, please verify input"
break
}
if(-not $sddcId) {
Write-Host -ForegroundColor red "Unable to find SDDC $SDDCName, please verify input"
break
}
$firewallConfigService = Get-VmcService com.vmware.vmc.orgs.sddcs.networks.edges.firewall.config
$firewallRules = ($firewallConfigService.get($orgId, $sddcId, $EdgeId)).firewall_rules.firewall_rules
if(-not $ShowAll) {
$firewallRules = $firewallRules | where { $_.rule_type -ne "default_policy" -and $_.rule_type -ne "internal_high" -and $_.name -ne "vSphere Cluster HA" -and $_.name -ne "Outbound Access" } | Sort-Object -Property rule_tag
} else {
$firewallRules = $firewallRules | Sort-Object -Property rule_tag
}
$results = @()
$count = 0
foreach ($firewallRule in $firewallRules) {
if($firewallRule.source.ip_address.Count -ne 0) {
$source = $firewallRule.source.ip_address
} else {
$source = "ANY"
}
$tmp = [pscustomobject] @{
Name = $firewallRule.name;
Action = $firewallRule.action;
Protocol = $firewallRule.application.service.protocol;
Port = $firewallRule.application.service.port;
SourcePort = $firewallRule.application.service.source_port;
ICMPType = $firewallRule.application.service.icmp_type;
SourceAddress = $firewallRule.source.ip_address;
DestinationAddress = $firewallRule.destination.ip_address;
Enabled = $firewallRule.enabled;
Logging = $firewallRule.logging_enabled;
}
$count+=1
$results+=$tmp
}
if($Path) {
Write-Host -ForegroundColor Green "Exporting $count VMC Firewall Rules to $Path ..."
$results | ConvertTo-Json | Out-File $Path
} else {
$results | ConvertTo-Json
}
}
Function Import-VMCFirewallRule {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 11/19/2017
Organization: VMware
Blog: https://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Imports VMC Firewall Rules from exported JSON configuration file
.DESCRIPTION
Imports VMC Firewall Rules from exported JSON configuration file
.EXAMPLE
Import-VMCFirewallRule -OrgName <Org Name> -SDDCName <SDDC Name> -GatewayType <MGW or CGW> -Path "C:\Users\lamw\Desktop\VMCFirewallRules.json"
#>
param(
[Parameter(Mandatory=$false)][String]$SDDCName,
[Parameter(Mandatory=$false)][String]$OrgName,
[Parameter(Mandatory=$true)][ValidateSet("MGW","CGW")][String]$GatewayType,
[Parameter(Mandatory=$false)][String]$Path
)
if (-not $global:DefaultVMCServers) { Write-error "No VMC Connection found, please use the Connect-VMC to connect"; break }
if($GatewayType -eq "MGW") {
$EdgeId = "edge-1"
} else {
$EdgeId = "edge-2"
}
$orgId = (Get-VMCOrg -Name $OrgName).Id
$sddcId = (Get-VMCSDDC -Name $SDDCName -Org $OrgName).Id
if(-not $orgId) {
Write-Host -ForegroundColor red "Unable to find Org $OrgName, please verify input"
break
}
if(-not $sddcId) {
Write-Host -ForegroundColor red "Unable to find SDDC $SDDCName, please verify input"
break
}
$firewallService = Get-VmcService com.vmware.vmc.orgs.sddcs.networks.edges.firewall.config.rules
$vmcFirewallRulesJSON = Get-Content -Raw $Path | ConvertFrom-Json
# Create top level Firewall Rules Object
$firewallRules = $firewallService.Help.add.firewall_rules.Create()
# Create top top level Firewall Rule Spec which will be an array of individual Firewall rules as we process them in next section
$ruleSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Create()
foreach ($vmcFirewallRule in $vmcFirewallRulesJSON) {
# Create Individual Firewall Rule Element Spec
$ruleElementSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Element.Create()
# AppSpec
$appSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Element.application.Create()
# ServiceSpec
$serviceSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Element.application.service.Element.Create()
$protocol = $null
if($vmcFirewallRule.Protocol -ne $null) {
$protocol = $vmcFirewallRule.Protocol
}
$serviceSpec.protocol = $protocol
# Process ICMP Type from JSON
$icmpType = $null
if($vmcFirewallRule.ICMPType -ne $null) {
$icmpType = $vmcFirewallRule.ICMPType
}
$serviceSpec.icmp_type = $icmpType
# Process Source Ports from JSON
$sourcePorts = @()
if($vmcFirewallRule.SourcePort -eq "any" -or $vmcFirewallRule.SourcePort -ne $null) {
foreach ($port in $vmcFirewallRule.SourcePort) {
$sourcePorts+=$port
}
} else {
$sourcePorts = @("any")
}
$serviceSpec.source_port = $sourcePorts
# Process Ports from JSON
$ports = @()
if($vmcFirewallRule.Port -ne "null") {
foreach ($port in $vmcFirewallRule.Port) {
$ports+=$port
}
}
$serviceSpec.port = $ports
$addSpec = $appSpec.service.Add($serviceSpec)
# Create Source Spec
$srcSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Element.source.Create()
$srcSpec.exclude = $false
# Process Source Address from JSON
$sourceAddess = @()
if($vmcFirewallRule.SourceAddress -ne "null") {
foreach ($address in $vmcFirewallRule.SourceAddress) {
$sourceAddess+=$address
}
}
$srcSpec.ip_address = $sourceAddess;
# Create Destination Spec
$destSpec = $firewallService.Help.add.firewall_rules.firewall_rules.Element.destination.Create()
$destSpec.exclude = $false
# Process Destination Address from JSON
$destinationAddess = @()
if($vmcFirewallRule.DestinationAddress -ne "null") {
foreach ($address in $vmcFirewallRule.DestinationAddress) {
$destinationAddess+=$address
}
}
$destSpec.ip_address = $destinationAddess
# Add various specs
if($vmcFirewallRule.Protocol -ne $null -and $vmcFirewallRule.port -ne $null) {
$ruleElementSpec.application = $appSpec
}
$ruleElementSpec.source = $srcSpec
$ruleElementSpec.destination = $destSpec
$ruleElementSpec.rule_type = "user"
# Process Enabled from JSON
$fwEnabled = $false
if($vmcFirewallRule.Enabled -eq "true") {
$fwEnabled = $true
}
$ruleElementSpec.enabled = $fwEnabled
# Process Logging from JSON
$loggingEnabled = $false
if($vmcFirewallRule.Logging -eq "true") {
$loggingEnabled = $true
}
$ruleElementSpec.logging_enabled = $loggingEnabled
$ruleElementSpec.action = $vmcFirewallRule.Action
$ruleElementSpec.name = $vmcFirewallRule.Name
# Add the individual FW rule spec into our overall firewall rules array
Write-host "Creating VMC Firewall Rule Spec:" $vmcFirewallRule.Name "..."
$ruleSpecAdd = $ruleSpec.Add($ruleElementSpec)
}
$firewallRules.firewall_rules = $ruleSpec
Write-host "Adding VMC Firewall Rules ..."
$firewallRuleAdd = $firewallService.add($orgId,$sddcId,$EdgeId,$firewallRules)
}
Function Remove-VMCFirewallRule {
<#
.NOTES
===========================================================================
Created by: William Lam
Date: 11/19/2017
Organization: VMware
Blog: https://www.virtuallyghetto.com
Twitter: @lamw
===========================================================================
.SYNOPSIS
Removes VMC Firewall Rule given Rule Id
.DESCRIPTION
Removes VMC Firewall Rule given Rule Id
.EXAMPLE
Import-VMCFirewallRule -OrgName <Org Name> -SDDCName <SDDC Name> -GatewayType <MGW or CGW> -RuleId <Rule Id>
#>
param(
[Parameter(Mandatory=$false)][String]$SDDCName,
[Parameter(Mandatory=$false)][String]$OrgName,
[Parameter(Mandatory=$true)][ValidateSet("MGW","CGW")][String]$GatewayType,
[Parameter(Mandatory=$false)][String]$RuleId
)
if (-not $global:DefaultVMCServers) { Write-error "No VMC Connection found, please use the Connect-VMC to connect"; break }
if($GatewayType -eq "MGW") {
$EdgeId = "edge-1"
} else {
$EdgeId = "edge-2"
}
$orgId = (Get-VMCOrg -Name $OrgName).Id
$sddcId = (Get-VMCSDDC -Name $SDDCName -Org $OrgName).Id
if(-not $orgId) {
Write-Host -ForegroundColor red "Unable to find Org $OrgName, please verify input"
break
}
if(-not $sddcId) {
Write-Host -ForegroundColor red "Unable to find SDDC $SDDCName, please verify input"
break
}
$firewallService = Get-VmcService com.vmware.vmc.orgs.sddcs.networks.edges.firewall.config.rules
Write-Host "Removing VMC Firewall Rule Id $RuleId ..."
$firewallService.delete($orgId,$sddcId,$EdgeId,$RuleId)
}
Export-ModuleMember -Function 'Get-VMCCommand', 'Connect-VMCVIServer', 'Get-VMCOrg', 'Get-VMCSDDC', 'Get-VMCTask', 'Get-VMCSDDCDefaultCredential', 'Get-VMCSDDCPublicIP', 'Get-VMCVMHost', 'Get-VMCSDDCVersion', 'Get-VMCFirewallRule', 'Export-VMCFirewallRule', 'Import-VMCFirewallRule', 'Remove-VMCFirewallRule'