Up until recently we've been using puppet in a very basic way. To manage iptables, we created an iptables-save file and loaded it. I want to revamp our iptables management and use the puppetlabs/firewall module.

Best practices suggest that I use .yaml files to deal with this; however, I'm running into a lot of problems using hiera() and YAML files.

I want common.yaml to have a list of ranges associated with some group:

firewall_group:
  localdomain:
    - 10.0.0.3/32
    - 10.10.0.0/26
  anotherdomain:
    - 172.0.1.0/26

And I want some other {$certname}.yaml to contain a list of ports that the host will accept access to from some list of groups:

ports:
  ssh:
    number: 22
    groups:
      - localdomain
  http:
    number: 80
    groups:
      - localdomain
      - anotherdomain

What's the best way to create these firewall rules using puppetlabs/firewall? (Assuming the hiera.yaml looks up these .yaml files correctly) I'm putting the .pp file in custom_fw/manifests/core.pp that init.pp includes.

I've tried using the $ports.each method and the create_resources() method I found by searching for "nested yaml loop puppet", but I'm sure I made some error that failed the puppet apply.

Thanks in advance for any insight!

1 Answer

I have spent some time on this particular problem, and came up with the following solution.

Firstly, get my module alexharvey/firewall_multi. At the time of writing, you would also need the latest puppetlabs/firewall module (v1.8.0), although I'm willing to patch my module for anyone who needs compatibility with earlier versions of Puppet Labs firewall.

The firewall_multi module provides a multiplexer frontend to the Puppet Labs firewall module, allowing us to specify arrays of sources and destinations.

Secondly, you will need Hiera version 3, which has the alias lookup function, allowing you to define an alias for a Hiera array that can be used elsewhere in Hiera.

You can now do this:

---
# Shared range lists; referenced below through the alias() interpolation
# function, which passes the whole array through rather than a joined string.
mylocaldomain:
  - 10.0.0.3/32
  - 10.10.0.0/26
myotherdomain:
  - 172.0.1.0/26

# One hash per class; each key becomes the title (and ordering prefix) of a
# firewall_multi resource, and firewall_multi expands the source array into
# one puppetlabs/firewall rule per range.
myclass::firewall_multis:
  '00099 accept tcp port 22 for ssh':
    dport: '22'
    action: 'accept'
    proto: 'tcp'
    source: "%{alias('mylocaldomain')}"
myotherclass::firewall_multis:
  '00200 accept tcp port 80 for http':
    dport: '80'
    action: 'accept'
    proto: 'tcp'
    source: "%{alias('myotherdomain')}"

And:

# Each class receives its rule hash through automatic parameter lookup
# (myclass::firewall_multis above) and declares one firewall_multi per key.
# validate_hash() comes from puppetlabs/stdlib.
class myclass (
  $firewall_multis,
) {
  validate_hash($firewall_multis)
  create_resources(firewall_multi, $firewall_multis)
  ...
}

class myotherclass (
  $firewall_multis,
) {
  validate_hash($firewall_multis)
  create_resources(firewall_multi, $firewall_multis)
  ...
}
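The answer above flattens the questioner's two-level layout into per-class hashes so that create_resources() can consume them. As an added example, not code from the question, the answer or the firewall_multi project, the manifest below keeps the questioner's original data as posted (a shared firewall_group hash in common.yaml and a per-host ports hash) and expands it into firewall_multi resources with Puppet 4 iteration and lookup(), so no Hiera alias is needed. The class name custom_fw::core and the two lookup keys come from the question; the ordering prefix 00100, the tcp-only assumption, and the fail-on-unknown-group check are my own choices. It assumes Puppet 4 or later, puppetlabs/stdlib (for flatten, unique and join) and alexharvey/firewall_multi on top of puppetlabs/firewall.

```puppet
# Added example: expand the questioner's Hiera data into firewall_multi rules.
# Assumed Hiera data (from the question):
#   firewall_group: { localdomain: [...ranges...], anotherdomain: [...] }
#   ports: { ssh: { number: 22, groups: [localdomain] }, ... }
class custom_fw::core (
  # Both keys are top-level in Hiera, so fetch them explicitly rather than
  # relying on automatic parameter lookup of custom_fw::core::*.
  Hash[String, Array[String]] $firewall_group = lookup('firewall_group', Hash, 'hash', {}),
  Hash[String, Hash]          $ports          = lookup('ports', Hash, 'hash', {}),
) {
  $ports.each |String $service, Hash $spec| {
    $groups = $spec['groups']

    # Security check (my assumption, not part of the question): a misspelled
    # group name would resolve to no ranges, and a firewall rule with no
    # source match accepts from anywhere. Fail the catalog instead.
    $unknown = $groups.filter |String $g| { !($g in $firewall_group) }
    if $unknown != [] {
      fail("custom_fw::core: service '${service}' references unknown firewall group(s): ${unknown.join(', ')}")
    }

    # Collect every referenced group's ranges into one array; firewall_multi
    # emits one puppetlabs/firewall resource per source in that array.
    $sources = $groups.map |String $g| { $firewall_group[$g] }.flatten.unique

    # The numeric title prefix fixes rule order in the chain; dport is passed
    # as a string because the YAML carries the port as an integer.
    firewall_multi { "00100 accept tcp port ${spec['number']} for ${service}":
      dport  => "${spec['number']}",
      proto  => 'tcp',
      action => 'accept',
      source => $sources,
    }
  }
}
```

With the questioner's sample data this declares two firewall_multi resources, "00100 accept tcp port 22 for ssh" with the two localdomain ranges as sources and "00100 accept tcp port 80 for http" with all three ranges, and firewall_multi in turn declares one firewall rule per range. Adding a typo such as groups: [localdomian] to ports makes the run fail at compile time rather than silently shipping a rule that is open to the world.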