algosec_define_application_flows
New in version 0.3.0.
Synopsis
- Update application flows of an AlgoSec BusinessFlow application to match a requested configuration.
- Create, modify or delete application flows if needed.
- Apply the changes in BusinessFlow to automatically create a FireFlow change request.
- Optionally make sure that all defined flows pass the flow connectivity check on BusinessFlow.
Requirements
- The algosec Python package, which can be obtained from PyPI: https://pypi.python.org/pypi/algosec
Options
parameter | required | default | choices | comments |
---|---|---|---|---|
ip_address | yes | | | IP address (or hostname) of the AlgoSec server. |
user | yes | | | Username credentials to use for auth. |
password | yes | | | Password credentials to use for auth. |
certify_ssl | no | False | | Whether to validate the AlgoSec server SSL certificate. Set this flag to False only in testing environments; setting it to False in production environments is strongly discouraged. |
app_name | yes | | | BusinessFlow Application to update. |
app_flows | yes | | | Dictionary of application flows to be applied. The configuration can also be provided from a JSON file. See the usage examples in the Examples section. |
check_connectivity | no | false | | Assert that all flows pass the flow connectivity check on BusinessFlow. If any of the unchanged flows fail the connectivity test, the task fails and reports their names. |
Return Values
name | description | returned | type | sample |
---|---|---|---|---|
app_name | The BusinessFlow application for which flows were defined. | always | string | PayrollApp |
deleted_flows | Number of flows deleted. | always | int | |
created_flows | Number of flows created. | always | int | |
modified_flows | Number of flows modified. | always | int | |
unchanged_flows | Number of flows left unchanged. | always | int | |
blocked_flows | List of flow names that failed the connectivity check. | only when the connectivity check fails and the check_connectivity flag is on | list | ["flow1", "flow2", "flow3"] |
Examples
```yaml
---
- name: Update application flows of an AlgoSec BusinessFlow application
  hosts: algosec-server
  gather_facts: False

  roles:
    - role: algosec.algosec

  tasks:
    - name: Grab AlgoSec credentials from ansible-vault
      include_vars: 'algosec-secrets.yml'
      no_log: 'yes'

    - name: Set App flows on ABF using JSON configuration loaded from file
      # We use delegation to use the local python interpreter (and virtualenv if enabled)
      delegate_to: localhost
      vars:
        flows_data: "{{ lookup('file','vars/application-flows.json')|from_json }}"
      algosec_define_application_flows:
        # certify_ssl is not set here, so it takes its default of False
        # (see Options: acceptable only in testing environments)
        ip_address: "{{ ip_address }}"
        user: "{{ username }}"
        password: "{{ password }}"
        app_name: "{{ item.app_name }}"
        app_flows: "{{ item.app_flows }}"
      with_items: "{{ flows_data.applications }}"
```
Example For Application Flows JSON File
```json
{
  "applications": [
    {
      "app_name": "TEST",
      "app_flows": {
        "flow1": {
          "sources": ["HR Payroll server", "192.168.0.0/16"],
          "destinations": ["16.47.71.62"],
          "services": ["HTTPS"]
        },
        "flow2": {
          "sources": ["10.0.0.1"],
          "destinations": ["10.0.0.2"],
          "services": ["udp/501"]
        },
        "flow3": {
          "sources": ["1.2.3.4"],
          "destinations": ["3.4.5.6"],
          "services": ["SSH"]
        }
      }
    },
    {
      "app_name": "ANOTHER-APP",
      "app_flows": {
        "new-flow": {
          "sources": ["1.2.3.4"],
          "destinations": ["3.4.5.6"],
          "services": ["SSH"]
        }
      }
    }
  ]
}
```
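Because applying the flows automatically opens a FireFlow change request, it is worth linting the JSON file before the playbook runs. The following pre-flight check is an added example, not part of the AlgoSec module or its documentation; `lint_flows`, `_networks` and the `MAX_ADDRESSES` threshold are hypothetical, the required keys are inferred from the sample file above, and strings that do not parse as IP literals are assumed to be named network objects.

```python
import ipaddress

REQUIRED_KEYS = ("sources", "destinations", "services")  # keys seen in the sample file
MAX_ADDRESSES = 256  # assumption: literal networks larger than this need review

# Constructed sample in the file format above, with deliberate problems.
SAMPLE = {"applications": [
    {"app_name": "TEST", "app_flows": {
        "flow1": {"sources": ["HR Payroll server", "192.168.0.0/16"],
                  "destinations": ["16.47.71.62"], "services": ["HTTPS"]},
        "flow2": {"sources": ["10.0.0.1"], "destinations": [], "services": ["udp/501"]},
        "flow3": {"sources": ["1.2.3.4"], "destinations": ["3.4.5.6"]},
    }},
    {"app_name": "EMPTY-APP", "app_flows": {}},
]}


def _networks(values):
    """Yield entries that parse as IP literals; others are assumed to be named objects."""
    for value in values:
        try:
            yield ipaddress.ip_network(value, strict=False)
        except ValueError:
            continue


def lint_flows(data, max_addresses=MAX_ADDRESSES):
    """Return a sorted list of (app_name, flow_name, problem) tuples."""
    findings = []
    for app in data.get("applications", []):
        name = app.get("app_name", "<missing app_name>")
        flows = app.get("app_flows")
        if not isinstance(flows, dict) or not flows:
            # The module makes the application match this config, so review empties.
            findings.append((name, "", "app_flows: empty"))
            continue
        for flow_name, flow in flows.items():
            for key in REQUIRED_KEYS:
                values = flow.get(key)
                if not isinstance(values, list) or not values:
                    findings.append((name, flow_name, f"{key}: missing or empty list"))
                elif key != "services":
                    findings.extend(
                        (name, flow_name, f"{key}: broad network {net}")
                        for net in _networks(values) if net.num_addresses > max_addresses)
    return sorted(findings)


if __name__ == "__main__":
    print(*lint_flows(SAMPLE), sep="\n")
```

Run it against the parsed contents of `vars/application-flows.json` and fail the pipeline when the returned list is not empty.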