[PowerShell] Submitting an access request to Tufin

Background
Here is a real-life requirement: when vRealize Orchestrator creates a new virtual machine, the IP addresses of the new VM are appended to a list. A second script runs weekly, reads that list and creates the firewall rules so that the new servers can reach the common services.

The common services run on the servers 192.168.0.1 to 192.168.0.4. The source address is dynamic, since it depends on the IP addresses of your new virtual machines.

Below is sample code that submits the request to Tufin SecureChange through its Ticket API. The workflow element depends on your environment: the workflow id and name must be changed to match what you configured. You can use Postman to call the API and find out your workflow id. Do not copy the code below wholesale; it is for learning only.

<# Author: Cyrus
Unix server common services script. This builds a standard set of firewall rules for new servers.
To do: add exception handling so that troubleshooting is easier if the script fails. #>

# Ignore certificate validation. This turns off TLS certificate checking for the whole
# session (Windows PowerShell only; ServicePointManager.CertificatePolicy is obsolete and
# has no effect in PowerShell 7, which uses Invoke-RestMethod -SkipCertificateCheck).
# Use it only against a lab SecureChange instance; for production, trust the CA that
# issued the SecureChange certificate so validation can stay on.
add-type @"
    using System.Net;
    using System.Security.Cryptography.X509Certificates;
    public class TrustAllCertsPolicy : ICertificatePolicy {
        public bool CheckValidationResult(
            ServicePoint srvPoint, X509Certificate certificate,
            WebRequest request, int certificateProblem) {
            return true;
        }
    }
"@
[System.Net.ServicePointManager]::CertificatePolicy = New-Object TrustAllCertsPolicy

# Script integration. If an existing script already returns the IP addresses, remove the
# Get-Content call below and use the function you have.
# $new_server = Read-Host("New Server IP address ")

# Wrap one new server address in the <source> element that SecureChange expects
function GatherNewServers($new_server){
    $src_xml = @"
<source type="IP">
    <ip_address>$new_server</ip_address>
    <netmask>255.255.255.255</netmask>
</source>
"@
    return $src_xml + "`r`n"
}

# Read the list of new server addresses (one per line) and build one <source> per line.
# @() forces an array even when the file holds a single line, so .Count and the loop work.
$src_ip = @()
$src_addr = @(Get-Content "$env:HOMEDRIVE\Powershell\test_ip.txt")
foreach ($src in $src_addr) {
    if ([string]::IsNullOrWhiteSpace($src)) { continue }   # skip blank lines
    $src_ip += GatherNewServers($src.Trim())
}

$body = @"
    <ticket>
    <subject>Firewall rule for new server</subject>
    <priority>Normal</priority>
    <domain_name>Default</domain_name>
    <workflow>
         <id>154</id>
         <name>Submit a Change Request</name>
         <uses_topology>true</uses_topology>
    </workflow>
    <steps>
         <step>
             <name>Submit Access Request</name>
             <tasks>
                 <task>
                     <fields>
                         <field xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="multi_access_request">
                             <name>Required Access</name>
                             <access_request>
                                 <users>
                                     <user>Any</user>
                                 </users>
                                 <sources>
                                     $src_ip
                                 </sources>
                                 <destinations>
                                     <destination type="IP">
                                         <ip_address>192.168.0.1</ip_address>
                                         <netmask>255.255.255.255</netmask>
                                     </destination>
                                 </destinations>
                                 <services>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>8140</port>
                                     </service>
                                     <service type="PROTOCOL">
                                        <protocol>TCP</protocol>
                                        <port>61613</port>
                                     </service>
                                     <service type="PROTOCOL">
                                        <protocol>TCP</protocol>
                                        <port>8142</port>
                                     </service>
                                 </services>
                                 <action>Accept</action>
                                 <labels/>
                             </access_request>
                             <access_request>
                                 <users>
                                     <user>Any</user>
                                 </users>
                                 <sources>
                                     $src_ip
                                 </sources>
                                 <destinations>
                                     <destination type="IP">
                                         <ip_address>192.168.0.2</ip_address>
                                         <netmask>255.255.255.255</netmask>
                                     </destination>
                                 </destinations>
                                 <services>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>111</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>300</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>302</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>304</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>TCP</protocol>
                                         <port>2049</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>2049</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>111</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>300</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>302</port>
                                     </service>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>304</port>
                                     </service>
                                 </services>
                                 <action>Accept</action>
                                 <labels/>
                             </access_request>
                             <access_request>
                                 <users>
                                     <user>Any</user>
                                 </users>
                                 <sources>
                                     $src_ip
                                 </sources>
                                 <destinations>
                                     <destination type="IP">
                                         <ip_address>192.168.0.3</ip_address>
                                         <netmask>255.255.255.255</netmask>
                                     </destination>
                                     <destination type="IP">
                                         <ip_address>192.168.0.4</ip_address>
                                         <netmask>255.255.255.255</netmask>
                                     </destination>
                                 </destinations>
                                 <services>
                                     <service type="PROTOCOL">
                                         <protocol>UDP</protocol>
                                         <port>123</port>
                                     </service>
                                 </services>
                                 <action>Accept</action>
                                 <labels/>
                             </access_request>
                         </field>
                       </fields>
                 </task>
             </tasks>
        </step>
    </steps>
    <comments/>
</ticket>
"@

# Prepare the Authorization header (HTTP Basic). $pwd is an automatic variable in
# PowerShell (the current directory), so do not reuse it for the password.
$usr = "your_username_here"
$pass = "your_password_here"
$cred = "${usr}:${pass}"
$bytes = [System.Text.Encoding]::ASCII.GetBytes($cred)
$base64 = [System.Convert]::ToBase64String($bytes)
$basicAuthValue = "Basic $base64"
$headers = @{ Authorization = $basicAuthValue }

# Submit the ticket. Replace the hostname with your SecureChange server.
Invoke-RestMethod -Uri "https://tufinsecurechange_hostname/securechangeworkflow/api/securechange/tickets" -Method Post -Headers $headers -ContentType "application/xml" -Body $body
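The script above interpolates whatever is in the list file straight into the ticket XML and keeps the password in clear text. The following is an added example, not the original script or Tufin's code, that covers the to-do in the header comment (exception handling) and tightens the two points above: every address from the list is validated as IPv4 before use, the `<sources>` fragment is built with the .NET XML DOM so values are escaped rather than pasted, credentials come from `Get-Credential`, and the API call is wrapped in try/catch that surfaces SecureChange's error body. The list path, hostname, workflow id and name are placeholders to be replaced with your own values; the ticket endpoint path is the one used in the script.

```powershell
# Added example: validated, escaped and error-handled variant of the submission above.
# Placeholders: the list file path, the SecureChange hostname and the workflow id/name.

function Get-ValidatedServerList {
    param([Parameter(Mandatory)][string]$Path)
    $valid = @()
    foreach ($line in @(Get-Content -Path $Path)) {
        $candidate = $line.Trim()
        if ([string]::IsNullOrWhiteSpace($candidate)) { continue }
        $parsed = $null
        # Accept only syntactically valid IPv4 addresses; stop loudly on anything else so a
        # malformed or tampered list entry never reaches the ticket body.
        if ([System.Net.IPAddress]::TryParse($candidate, [ref]$parsed) -and
            $parsed.AddressFamily -eq [System.Net.Sockets.AddressFamily]::InterNetwork) {
            $valid += $parsed.ToString()
        } else {
            throw "Invalid IPv4 address in ${Path}: '$candidate'"
        }
    }
    if ($valid.Count -eq 0) { throw "No server addresses found in $Path" }
    return $valid
}

function New-SourcesXml {
    param([Parameter(Mandatory)][string[]]$Addresses)
    # Build <sources> through the XML DOM: InnerText escapes special characters, so the
    # addresses cannot alter the surrounding ticket structure.
    $doc = New-Object System.Xml.XmlDocument
    $sources = $doc.CreateElement('sources')
    foreach ($addr in $Addresses) {
        $source = $doc.CreateElement('source')
        $source.SetAttribute('type', 'IP')
        $ip = $doc.CreateElement('ip_address');  $ip.InnerText = $addr
        $mask = $doc.CreateElement('netmask');   $mask.InnerText = '255.255.255.255'
        [void]$source.AppendChild($ip)
        [void]$source.AppendChild($mask)
        [void]$sources.AppendChild($source)
    }
    return $sources.OuterXml
}

function Submit-SecureChangeTicket {
    param(
        [Parameter(Mandatory)][string]$Hostname,
        [Parameter(Mandatory)][pscredential]$Credential,
        [Parameter(Mandatory)][string]$BodyXml
    )
    $uri = "https://$Hostname/securechangeworkflow/api/securechange/tickets"
    # Same Basic header as the script, but the password lives in a PSCredential until here
    $plain = $Credential.GetNetworkCredential().Password
    $token = [Convert]::ToBase64String([Text.Encoding]::ASCII.GetBytes("$($Credential.UserName):$plain"))
    $headers = @{ Authorization = "Basic $token" }
    try {
        return Invoke-RestMethod -Uri $uri -Method Post -Headers $headers `
            -ContentType 'application/xml' -Body $BodyXml -ErrorAction Stop
    } catch {
        # Invoke-RestMethod hides the response body on failure; recover it for troubleshooting
        $detail = $_.ErrorDetails.Message
        if (-not $detail -and $_.Exception.Response -is [System.Net.HttpWebResponse]) {
            $reader = New-Object System.IO.StreamReader($_.Exception.Response.GetResponseStream())
            $detail = $reader.ReadToEnd()
        }
        throw "Ticket submission to $uri failed: $($_.Exception.Message) $detail"
    }
}

# Usage: validate the list, build the escaped <sources> fragment, drop it into the ticket
# template (one access request shown; the original script's template has three) and submit.
$servers = Get-ValidatedServerList -Path "$env:HOMEDRIVE\Powershell\test_ip.txt"
$sources = New-SourcesXml -Addresses $servers
$body = @"
<ticket>
  <subject>Firewall rule for new server</subject>
  <priority>Normal</priority>
  <domain_name>Default</domain_name>
  <workflow><id>154</id><name>Submit a Change Request</name><uses_topology>true</uses_topology></workflow>
  <steps><step><name>Submit Access Request</name><tasks><task><fields>
    <field xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance" xsi:type="multi_access_request">
      <name>Required Access</name>
      <access_request>
        <users><user>Any</user></users>
        $sources
        <destinations><destination type="IP"><ip_address>192.168.0.1</ip_address><netmask>255.255.255.255</netmask></destination></destinations>
        <services><service type="PROTOCOL"><protocol>TCP</protocol><port>8140</port></service></services>
        <action>Accept</action><labels/>
      </access_request>
    </field>
  </fields></task></tasks></step></steps>
  <comments/>
</ticket>
"@
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$cred = Get-Credential -Message 'SecureChange account'
$result = Submit-SecureChangeTicket -Hostname 'tufinsecurechange_hostname' -Credential $cred -BodyXml $body
$result
```

For the weekly scheduled run, `Get-Credential` can be replaced by a `PSCredential` rebuilt from a SecureString stored with `Export-Clixml` under the service account, which keeps the password out of the script file while the rest of the flow stays the same. The `throw` on an invalid list entry is deliberate: a scheduled job that silently skips bad lines hides a broken upstream integration, whereas a failed run with the offending value in the message is easy to spot.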