New-Object use in PowerCLI script wipes previous vCloud firewall rule upload

Tagged: 

This topic contains 1 reply, has 2 voices, and was last updated by Profile photo of K. Chris Nakagaki K. Chris Nakagaki 1 year, 10 months ago.

  • Author
    Posts
  • #22354
    Profile photo of Scott Jennings
    Scott Jennings
    Participant

    Hi,

    I have a script to upload firewall rules to vCloud Director from csv and it's overwriting the entire firewall config everytime due to the use of New-Object.

    The Line that I think is causing the issue is this one:

    $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice

    Without having to re-write the entire script (which was not authored by me – but was provided by a supplier and I think they got it off the internet!) can we keep the existing rules and use something like add-member instead?

    Thanks!

    Scott.

    # Replaces all rules for a given vshield with the ones from a CSV file.
    # CSV header is: Num,Descr,Proto,SrcIP,SrcPort,DstIP,DstPortRange,Policy,Direction,isEnabled,EnableLogging
    # http://pubs.vmware.com/vcd-51/index.jsp?topic=%2Fcom.vmware.vcloud.api.reference.doc_51%2Fdoc%2Ftypes%2FFirewallRuleType.html
    # Note: SrcPort can be -1 (for any), any or a port number. DstPortRange can be any or a port number range (ex: 22-26)
    param (
    [parameter(Mandatory = $true, HelpMessage="vCD Server")][alias("-server","s")][ValidateNotNullOrEmpty()][string[]]$CIServer,
    [parameter(Mandatory = $true, HelpMessage="Org")][alias("-vOrg","o")][ValidateNotNullOrEmpty()][string[]]$orgName,
    [parameter(Mandatory = $true, HelpMessage="OrgNet")][alias("-orgNet","n")][ValidateNotNullOrEmpty()][string[]]$orgNet,
    [parameter(Mandatory = $true, HelpMessage="CSV Path")][alias("-file","f")][ValidateNotNullOrEmpty()][string[]]$csvFile
    )
     
    # Add in the VI Toolkit
    if ( (Get-PSSnapin -Name VMware.VimAutomation.Core -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSsnapin VMware.VimAutomation.Core
    }
    if ( (Get-PSSnapin -Name VMware.VimAutomation.Cloud -ErrorAction SilentlyContinue) -eq $null ) {
    Add-PSsnapin VMware.VimAutomation.Cloud
    }
     
    try {
    Connect-CIServer -Server $CIServer 2>&1 | out-null
    } catch {
    Exit
    }
     
    #Search EdgeGW
    try {
      $myOrgNet = Get-Org -Name $orgName | Get-OrgNetwork -Name $orgNet
      $edgeHREF = $myOrgNet.ExtensionData.EdgeGateway.Href
      $edgeView = Search-Cloud -QueryType EdgeGateway -ErrorAction Stop | Get-CIView | where {$_.href -eq $edgeHREF}
    } catch {
    [System.Windows.Forms.MessageBox]::Show("Exception: " + $_.Exception.Message + " - Failed item:" + $_.Exception.ItemName ,"Error.",0,[System.Windows.Forms.MessageBoxIcon]::Exclamation)
      Exit
    }
     
    #Item to Configure Services
    $edgeView.Configuration.EdgeGatewayServiceConfiguration
    $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
    $fwService.DefaultAction = "drop"
    $fwService.LogDefaultAction = $false
    $fwService.IsEnabled = $true
    $fwService.FirewallRule = @()
     
    Import-CSV -path $csvFile |
    foreach-object
    {
    $fwService.FirewallRule @() New-Object vmware.vimautomation.cloud.views.firewallrule
     
    $rowNum = $_.Num -as [int]
     
    $fwService.FirewallRule[$rowNum].description = $_.Descr
    $fwService.FirewallRule[$rowNum].protocols = New-Object vmware.vimautomation.cloud.views.firewallRuleTypeProtocols
    switch ($_.Proto)
    {
    "tcp" { $fwService.FirewallRule[$rowNum].protocols.tcp = $true }
    "udp" { $fwService.FirewallRule[$rowNum].protocols.udp = $true }
    "any" { $fwService.FirewallRule[$rowNum].protocols.any = $true }
    default { $fwService.FirewallRule[$rowNum].protocols.any = $true }
    }
    $fwService.FirewallRule[$rowNum].sourceip = $_.SrcIP
     
    if ($_.SrcPort -eq "any" ) { $srcPort = "-1" } else { $srcPort = $_.SrcPort }
    $fwService.FirewallRule[$rowNum].sourceport = $srcPort
     
    $fwService.FirewallRule[$rowNum].destinationip = $_.DstIP
    $fwService.FirewallRule[$rowNum].destinationportrange = $_.DstPortRange
    $fwService.FirewallRule[$rowNum].policy = $_.Policy
    #$fwService.FirewallRule[$rowNum].direction = $_.Direction
    #$fwService.FirewallRule[$rowNum].MatchOnTranslate = [System.Convert]::ToBoolean($_.MatchOnTranslate)
    $fwService.FirewallRule[$rowNum].isenabled = [System.Convert]::ToBoolean($_.isEnabled)
    $fwService.FirewallRule[$rowNum].enablelogging = [System.Convert]::ToBoolean($_.EnableLogging)
    }
     
    #configure Edge
    $edgeView.ConfigureServices($fwService)
  • #22361
    Profile photo of K. Chris Nakagaki
    K. Chris Nakagaki
    Participant

    The only real way I can imagine you could accomplish this is by getting the current list of firewall rules, adding those to your additional rules. I unfortunately do not have a vCloud Director environment to see what options are available.

    Add this as a parameter and do something like this:
    [parameter(Mandatory = $true, HelpMessage="Append")][alias("-append","a")][ValidateNotNullOrEmpty()][boolean]$Append

    Switch ($Append)
    {
    $True {
    $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice
    $fwService.DefaultAction = "drop"
    $fwService.LogDefaultAction = $false
    $fwService.IsEnabled = $true
    $fwService.FirewallRule = @()
    $fwService.FirewallRule += $edgeView.GetServices.Firewall #<– If you can get the current list of rules, i just don't know what options you have to get the info. This is definitely not right as is, but may give a starting point. } $False { $fwService = New-Object vmware.vimautomation.cloud.views.firewallservice $fwService.DefaultAction = "drop" $fwService.LogDefaultAction = $false $fwService.IsEnabled = $true $fwService.FirewallRule = @() } }

You must be logged in to reply to this topic.