voxpupuli#134 Added feature for purging unmanaged firewalld zones

yachub · Jan 13, 2020 · a21fc9f · a21fc9f
1 parent 3de2523
commit a21fc9f
Show file tree

Hide file tree

Showing 4 changed files with 41 additions and 2 deletions.
diff --git a/README.md b/README.md
@@ -46,6 +46,7 @@ class { 'firewalld': }
 * `purge_direct_rules`: True or false, whether to purge [firewalld direct rules](#firewalld-direct-rules)
 * `purge_direct_chains`: True or false, whether to purge [firewalld direct chains](#firewalld-direct-chains)
 * `purge_direct_passthroughs`: True or false, whether to purge [firewalld direct passthroughs](#firewalld-direct-passthroughs)
+* `purge_zones`: True or false, whether to purge unmanaged firewalld zones (default: false)
 
 
 

diff --git a/lib/puppet/provider/firewalld_zone/firewall_cmd.rb b/lib/puppet/provider/firewalld_zone/firewall_cmd.rb
@@ -8,7 +8,31 @@
 ) do
   desc 'Interact with firewall-cmd'
 
+  mk_resource_methods
+
+  def self.instances
+    zones = execute_firewall_cmd(['--get-zones'], nil).split(' ')
+    zones.map do |zone|
+      debug("Zone: #{zone}")
+      new(
+        {
+          ensure: :present,
+          name: zone,
+        }
+      )
+    end
+  end
+
+  def self.prefetch(resources)
+    instances.each do |prov|
+      if (resource = resources[prov.name])
+        resource.provider = prov
+      end
+    end
+  end
+
   def exists?
+    @property_hash[:ensure] == :present
     @resource[:zone] = @resource[:name]
     execute_firewall_cmd(['--get-zones'], nil).split(' ').include?(@resource[:name])
   end
@@ -35,7 +59,7 @@ def target
     # The firewall-cmd may or may not return the target surrounded by
     # %% depending on the version. See:
     # https://github.com/crayfishx/puppet-firewalld/issues/111
-    return @resource[:target] if @resource[:target].delete('%') == zone_target
+    return @resource[:target] if @resource[:target].delete('%') == zone_target unless @resource[:target].nil?
     zone_target
   end
 

diff --git a/manifests/init.pp b/manifests/init.pp
@@ -50,6 +50,7 @@
   Boolean $purge_direct_chains       = false,
   Boolean $purge_direct_passthroughs = false,
   Boolean $purge_unknown_ipsets      = false,
+  Boolean $purge_zones               = false,
   Optional[String] $default_zone     = undef,
   Optional[Enum['off','all','unicast','broadcast','multicast']] $log_denied = undef,
   Optional[Enum['yes', 'no']] $cleanup_on_exit = undef,
@@ -255,4 +256,11 @@
         purge => true,
       }
     }
+
+    if $purge_zones {
+      resources { 'firewalld_zone':
+        purge  => true,
+        notify => Exec['firewalld::reload'],
+      }
+    }
 }
diff --git a/spec/classes/init_spec.rb b/spec/classes/init_spec.rb
@@ -31,7 +31,8 @@
         purge_direct_rules: true,
         purge_direct_chains: true,
         purge_direct_passthroughs: true,
-        purge_unknown_ipsets: true
+        purge_unknown_ipsets: true,
+        purge_zones: true
       }
     end
 
@@ -51,6 +52,11 @@
       is_expected.to contain_resources('firewalld_ipset').
         with_purge(true)
     end
+
+    it do
+      is_expected.to contain_resources('firewalld_zone').
+        with_purge(true)
+    end
   end
 
   context 'with parameter ports' do