-
Notifications
You must be signed in to change notification settings - Fork 5
/
Copy pathvyos-cfme-emb-ansible-launch-instance-and-configure-nat-gateway.yml
241 lines (211 loc) · 8.14 KB
/
vyos-cfme-emb-ansible-launch-instance-and-configure-nat-gateway.yml
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
- name: Create a VyOS instance
hosts: localhost
gather_facts: True
connection: local
vars:
keypair: id_rsa_os1_rcalvaga
instance_type: t2.micro
security_group: ssh-sec-group
image: ami-92e86ae8
region: us-east-1
vpc_subnet_id: subnet-0264793e
instance_name: vyos-instance
private_ip1: 192.168.122.10
private_ip2: 192.168.0.10
wait_for_ssh: False
provider_id: 2
max_retries: 10
retry_interval: 30
tasks:
- debug: var=manageiq.api_url
- debug: var=manageiq.api_token
- debug: var=manageiq.service
- name: Launch VyOS instance
ec2:
assign_public_ip: yes
key_name: "{{ keypair }}"
group: "{{ security_group }}"
instance_type: "{{ instance_type }}"
image: "{{ image }}"
wait: true
region: "{{ region }}"
instance_tags:
Name: "{{ instance_name }}"
exact_count: 1
count_tag:
Name: "{{ instance_name }}"
vpc_subnet_id: "{{ vpc_subnet_id }}"
private_ip: "{{ private_ip1 }}"
register: ec2
- debug: var=ec2
- set_fact: ec2_id={{ ec2.instance_ids[0] }}
- name: Add secondary private IP
ec2_eni:
instance_id: "{{ ec2_id }}"
attached: True
device_index: 1
security_groups: "{{ security_group }}"
region: "{{ region }}"
private_ip_address: "{{ private_ip2 }}"
subnet_id: subnet-2b1c0117
delete_on_termination: true
state: present
- name: Add new instance to host group
add_host: hostname={{ ec2.instances[0].public_ip }} groupname=vyos_launched
- name: Wait for SSH to come up
wait_for: host={{ ec2.instances[0].public_dns_name }} port=22 delay=60 timeout=320 state=started
- name: Set the Provider URL
set_fact:
provider_url: "{{ manageiq.api_url }}/api/providers/{{ provider_id }}"
- name: Refresh Amazon EC2 provider in CloudForms
uri:
url: "{{ provider_url }}"
method: POST
body:
action: refresh
body_format: json
validate_certs: False
headers:
X-Auth-Token: "{{ manageiq.api_token }}"
Content-Type: "application/json"
status_code: 200
register: output
- name: Set the task href
set_fact:
task_url: "{{ output.json.task_href}}"
- name: Wait for the provider refresh to end
uri:
url: "{{ task_url }}"
method: GET
validate_certs: False
headers:
X-Auth-Token: "{{ manageiq.api_token }}"
Content-Type: "application/json"
status_code: 200
register: task_result
until: task_result.json.state == 'Finished' or task_result.json.status == 'Error'
failed_when: task_result.json.status == 'Error'
retries: "{{max_retries}}"
delay: "{{retry_interval}}"
- name: Lookup instance href
uri:
url: "{{ manageiq.api_url }}/api/vms?filter[]=name={{ item.id }}&expand=resources"
method: GET
body:
action: refresh
body_format: json
validate_certs: False
headers:
X-Auth-Token: "{{ manageiq.api_token }}"
Content-Type: "application/json"
status_code: 200
register: output
with_items:
- "{{ ec2.instances }}"
- debug: var=output
- name: Set the Service URL
set_fact:
svc_url: "/api/{{ manageiq.service }}"
- name: Initialize an empty list for vms
set_fact:
vms: []
- name: Append resource href to vms list
set_fact:
vms: "{{ vms }} + [ { 'href': svc_url, 'resource': { 'href': '/api/vms/{{ item.json.resources[0].id }}' } } ]"
with_items: "{{ output.results }}"
retries: "{{max_retries}}"
delay: "{{retry_interval}}"
- debug: var=vms
- name: Register vms with the service
uri:
url: "{{ manageiq.api_url }}/api/services"
method: POST
body_format: json
body:
action: add_resource
resources: "{{ vms }}"
validate_certs: False
headers:
X-Auth-Token: "{{ manageiq.api_token }}"
Content-Type: "application/json"
status_code: 200
register: output
- debug: var=output.json.results[0].success
- name: Check if the VM was successfully attached to service
fail: msg="{{output.json.results[0].message}}"
when: output.json.results[0].success == false
- name: Configuring VyOS Host as a NAT Gateway
hosts: vyos_launched
gather_facts: True
connection: local
tasks:
- name: Configure network interfaces
vyos_config:
lines:
- set interfaces ethernet eth0 address dhcp
- set interfaces ethernet eth0 description 'OUTSIDE'
- set interfaces ethernet eth1 address '192.168.0.1/24'
- set interfaces ethernet eth1 description 'INSIDE'
# save: yes
ignore_errors: yes
- name: Configure Source NAT for our "Inside" network
vyos_config:
lines:
- set nat source rule 100 outbound-interface 'eth0'
- set nat source rule 100 source address '192.168.0.0/24'
- set nat source rule 100 translation address masquerade
# save: yes
- name: Configure a DHCP Server
vyos_config:
lines:
- set service dhcp-server disabled 'false'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 default-router '192.168.0.1'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 dns-server '192.168.0.1'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 domain-name 'internal-network'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 lease '86400'
- set service dhcp-server shared-network-name LAN subnet 192.168.0.0/24 start '192.168.0.9' stop '192.168.0.254'
# save: yes
- name: And a DNS forwarder
vyos_config:
lines:
- set service dns forwarding cache-size '0'
- set service dns forwarding listen-on 'eth1'
- set service dns forwarding name-server '8.8.8.8'
- set service dns forwarding name-server '8.8.4.4'
# save: yes
- name: Add a set of firewall policies for our "Outside" interface
vyos_config:
lines:
- set firewall name OUTSIDE-IN default-action 'drop'
- set firewall name OUTSIDE-IN rule 10 action 'accept'
- set firewall name OUTSIDE-IN rule 10 state established 'enable'
- set firewall name OUTSIDE-IN rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL default-action 'drop'
- set firewall name OUTSIDE-LOCAL rule 10 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 10 state established 'enable'
- set firewall name OUTSIDE-LOCAL rule 10 state related 'enable'
- set firewall name OUTSIDE-LOCAL rule 20 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 20 icmp type-name 'echo-request'
- set firewall name OUTSIDE-LOCAL rule 20 protocol 'icmp'
- set firewall name OUTSIDE-LOCAL rule 20 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 30 action 'drop'
- set firewall name OUTSIDE-LOCAL rule 30 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 30 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 30 recent count '4'
- set firewall name OUTSIDE-LOCAL rule 30 recent time '60'
- set firewall name OUTSIDE-LOCAL rule 30 state new 'enable'
- set firewall name OUTSIDE-LOCAL rule 31 action 'accept'
- set firewall name OUTSIDE-LOCAL rule 31 destination port '22'
- set firewall name OUTSIDE-LOCAL rule 31 protocol 'tcp'
- set firewall name OUTSIDE-LOCAL rule 31 state new 'enable'
# save: yes
- name: Apply the firewall policies
vyos_config:
lines:
- set interfaces ethernet eth0 firewall in name 'OUTSIDE-IN'
- set interfaces ethernet eth0 firewall local name 'OUTSIDE-LOCAL'
# save: yes
- name: Show the Configuration
vyos_command:
commands:
- show configuration commands