Migrating win_firewall files with history

plugins/modules/win_firewall.ps1

@@ -0,0 +1,90 @@
+#!powershell
+
+# Copyright: (c) 2017, Michael Eaton <[email protected]>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+#Requires -Module Ansible.ModuleUtils.Legacy
+
+$ErrorActionPreference = "Stop"
+$firewall_profiles = @('Domain', 'Private', 'Public')
+
+$params = Parse-Args $args -supports_check_mode $true
+$check_mode = Get-AnsibleParam -obj $params -name "_ansible_check_mode" -type "bool" -default $false
+
+$profiles = Get-AnsibleParam -obj $params -name "profiles" -type "list" -default @("Domain", "Private", "Public")
+$state = Get-AnsibleParam -obj $params -name "state" -type "str" -failifempty $true -validateset 'disabled', 'enabled'
+$inbound_action = Get-AnsibleParam -obj $params -name "inbound_action" -type "str" -validateset 'allow', 'block', 'not_configured'
+$outbound_action = Get-AnsibleParam -obj $params -name "outbound_action" -type "str" -validateset 'allow', 'block', 'not_configured'
+
+$result = @{
+    changed = $false
+    profiles = $profiles
+    state = $state
+}
+
+try {
+    get-command Get-NetFirewallProfile > $null
+    get-command Set-NetFirewallProfile > $null
+}
+catch {
+    Fail-Json $result "win_firewall requires Get-NetFirewallProfile and Set-NetFirewallProfile Cmdlets."
+}
+
+$FIREWALL_ENABLED = [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]::True
+$FIREWALL_DISABLED = [Microsoft.PowerShell.Cmdletization.GeneratedTypes.NetSecurity.GpoBoolean]::False
+
+Try {
+
+    ForEach ($profile in $firewall_profiles) {
+        $current_profile = Get-NetFirewallProfile -Name $profile
+        $currentstate = $current_profile.Enabled
+        $current_inboundaction = $current_profile.DefaultInboundAction
+        $current_outboundaction = $current_profile.DefaultOutboundAction
+        $result.$profile = @{
+            enabled = ($currentstate -eq $FIREWALL_ENABLED)
+            considered = ($profiles -contains $profile)
+            currentstate = $currentstate
+        }
+
+        if ($profiles -notcontains $profile) {
+            continue
+        }
+
+        if ($state -eq 'enabled') {
+
+            if ($currentstate -eq $FIREWALL_DISABLED) {
+                Set-NetFirewallProfile -name $profile -Enabled true -WhatIf:$check_mode
+                $result.changed = $true
+                $result.$profile.enabled = $true
+            }
+            if ($null -ne $inbound_action) {
+                $inbound_action = [Globalization.CultureInfo]::InvariantCulture.TextInfo.ToTitleCase($inbound_action.ToLower()) -replace '_', ''
+                if ($inbound_action -ne $current_inboundaction) {
+                    Set-NetFirewallProfile -name $profile -DefaultInboundAction $inbound_action -WhatIf:$check_mode
+                    $result.changed = $true
+                }
+            }
+            if ($null -ne $outbound_action) {
+                $outbound_action = [Globalization.CultureInfo]::InvariantCulture.TextInfo.ToTitleCase($outbound_action.ToLower()) -replace '_', ''
+                if ($outbound_action -ne $current_outboundaction) {
+                    Set-NetFirewallProfile -name $profile -DefaultOutboundAction $outbound_action -WhatIf:$check_mode
+                    $result.changed = $true
+                }
+            }
+        }
+        else {
+
+            if ($currentstate -eq $FIREWALL_ENABLED) {
+                Set-NetFirewallProfile -name $profile -Enabled false -WhatIf:$check_mode
+                $result.changed = $true
+                $result.$profile.enabled = $false
+            }
+
+        }
+    }
+}
+Catch {
+    Fail-Json $result "an error occurred when attempting to change firewall status for profile $profile $($_.Exception.Message)"
+}
+
+Exit-Json $result

plugins/modules/win_firewall.py

@@ -0,0 +1,89 @@
+#!/usr/bin/python
+# -*- coding: utf-8 -*-
+
+# Copyright: (c) 2017, Michael Eaton <[email protected]>
+# GNU General Public License v3.0+ (see COPYING or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+DOCUMENTATION = r'''
+---
+module: win_firewall
+short_description: Enable or disable the Windows Firewall
+description:
+- Enable or Disable Windows Firewall profiles.
+requirements:
+  - This module requires Windows Management Framework 5 or later.
+options:
+  profiles:
+    description:
+    - Specify one or more profiles to change.
+    type: list
+    elements: str
+    choices: [ Domain, Private, Public ]
+    default: [ Domain, Private, Public ]
+  state:
+    description:
+    - Set state of firewall for given profile.
+    type: str
+    choices: [ disabled, enabled ]
+  inbound_action:
+    description:
+    - Set to C(allow) or C(block) inbound network traffic in the profile.
+    - C(not_configured) is valid when configuring a GPO.
+    type: str
+    choices: [ allow, block, not_configured ]
+    version_added: 1.1.0
+  outbound_action:
+    description:
+    - Set to C(allow) or C(block) inbound network traffic in the profile.
+    - C(not_configured) is valid when configuring a GPO.
+    type: str
+    choices: [ allow, block, not_configured ]
+    version_added: 1.1.0
+seealso:
+- module: community.windows.win_firewall_rule
+author:
+- Michael Eaton (@michaeldeaton)
+'''
+
+EXAMPLES = r'''
+- name: Enable firewall for Domain, Public and Private profiles
+  community.windows.win_firewall:
+    state: enabled
+    profiles:
+      - Domain
+      - Private
+      - Public
+  tags: enable_firewall
+
+- name: Disable Domain firewall
+  community.windows.win_firewall:
+    state: disabled
+    profiles:
+      - Domain
+  tags: disable_firewall
+
+- name: Enable firewall for Domain profile and block outbound connections
+  community.windows.win_firewall:
+    profiles: Domain
+    state: enabled
+    outbound_action: block
+  tags: block_connection
+'''
+
+RETURN = r'''
+enabled:
+    description: Current firewall status for chosen profile (after any potential change).
+    returned: always
+    type: bool
+    sample: true
+profiles:
+    description: Chosen profile.
+    returned: always
+    type: str
+    sample: Domain
+state:
+    description: Desired state of the given firewall profile(s).
+    returned: always
+    type: list
+    sample: enabled
+'''

tests/integration/targets/win_firewall/aliases

@@ -0,0 +1 @@
+shippable/windows/group5

tests/integration/targets/win_firewall/tasks/main.yml

@@ -0,0 +1,52 @@
+# NOTE: The win_firewall module only works on WMF 5+
+
+- ansible.windows.setup:
+
+- name: Test Windows capabilities
+  raw: Get-Command Get-NetFirewallProfile -ErrorAction SilentlyContinue; return $?
+  failed_when: no
+  register: get_netfirewallprofile
+
+- name: Only run tests when Windows is capable
+  when: get_netfirewallprofile.rc == 0 and ansible_powershell_version >= 5
+  block:
+  - name: Turn off Windows Firewall (begin)
+    win_firewall:
+      profiles: [ Domain, Private, Public ]
+      state: disabled
+    register: firewall_off
+
+  - name: Test firewall_off
+    assert:
+      that:
+      - not firewall_off.Domain.enabled
+      - not firewall_off.Private.enabled
+      - not firewall_off.Public.enabled
+
+
+  - name: Test in normal mode
+    import_tasks: tests.yml
+    vars:
+      in_check_mode: no
+
+
+  - name: Test in check-mode
+    import_tasks: tests.yml
+    vars:
+      in_check_mode: yes
+    check_mode: yes
+
+
+  - name: Turn on Windows Firewall (end)
+    win_firewall:
+      profiles: [ Domain, Private, Public ]
+      state: enabled
+    register: firewall_on
+
+  - name: Test firewall_on
+    assert:
+      that:
+      - firewall_on is changed
+      - firewall_on.Domain.enabled
+      - firewall_on.Private.enabled
+      - firewall_on.Public.enabled