
Introducing module firewall_alias #137

Merged (76 commits) Aug 20, 2024

Conversation


@KiLLuuuhh KiLLuuuhh commented Jul 5, 2024

This pull request introduces the module firewall_alias to the puzzle.opnsense collection.

With this new module, users will be able to:

  1. Set a name for the alias.
  2. Set the different alias types of content, such as:
    • host
    • network
    • port
    • url
    • urltable
    • geoip
    • networkgroup
    • macaddress
    • bgpasn
    • dynamicipv6host
    • opnvpngroup
    • internal
    • external
  3. Set the content and validate it for the types above.
  4. Enable statistics for the alias.
  5. Set a description for the alias.
  6. Set the refresh frequency for a urltable.
  7. Set the interface for dynamicipv6host.

Disclaimer: We are aware that this module is also offered by Ansibleguy. However, we have decided to develop it independently due to compatibility issues with the different versions we support.

@KiLLuuuhh KiLLuuuhh self-assigned this Jul 5, 2024
@KiLLuuuhh KiLLuuuhh marked this pull request as ready for review July 11, 2024 14:50
@nerrehmit

While testing your changes against a live opnsense 24.1 installation I found a couple of things. I'm going to report them individually so that you can comment on/close each of them on its own.

@nerrehmit

I was able to set a host alias with spaces in the name.
However, updating it within opnsense then gave me an error upon save. Here is the ansible snippet that worked:

```yaml
  - name: set google dns alias
    puzzle.opnsense.firewall_alias:
      name: google DNS Server
      type: host
      content: 8.8.8.8
      description: The dns servers that google uses
      state: present
```

nerrehmit commented Jul 12, 2024

BGP ASN aliases added through ansible do not display a Type, compared to BGP ASN Aliases added through the UI, as you can see in the screenshot.

EDIT: fixed by updates to the module ✔️

nerrehmit commented Jul 12, 2024

Running ansible against an opnsense instance with a manually added BGP ASN alias errors out like this:

```text
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ValueError: 'FirewallAliasType' enum not found for 'asn'
fatal: [opnsense]: FAILED! => {
    "changed": false,
    "rc": 1
}

MSG:

MODULE FAILURE
See stdout/stderr for the exact error


MODULE_STDOUT:

Traceback (most recent call last):
  File "/root/.ansible/tmp/ansible-tmp-1720813227.9266646-65215-109775695243004/AnsiballZ_firewall_alias.py", line 107, in <module>
    _ansiballz_main()
  File "/root/.ansible/tmp/ansible-tmp-1720813227.9266646-65215-109775695243004/AnsiballZ_firewall_alias.py", line 99, in _ansiballz_main
    invoke_module(zipped_mod, temp_path, ANSIBALLZ_PARAMS)
  File "/root/.ansible/tmp/ansible-tmp-1720813227.9266646-65215-109775695243004/AnsiballZ_firewall_alias.py", line 47, in invoke_module
    runpy.run_module(mod_name='ansible_collections.puzzle.opnsense.plugins.modules.firewall_alias', init_globals=dict(_module_fqn='ansible_collections.puzzle.opnsense.plugins.modules.firewall_alias', _modlib_path=modlib_path),
  File "<frozen runpy>", line 226, in run_module
  File "<frozen runpy>", line 98, in _run_module_code
  File "<frozen runpy>", line 88, in _run_code
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/firewall_alias.py", line 273, in <module>
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/modules/firewall_alias.py", line 232, in main
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 275, in __init__
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 288, in _load_aliases
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 288, in <listcomp>
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 174, in from_xml
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 118, in __init__
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/firewall_alias_utils.py", line 131, in __post_init__
  File "/tmp/ansible_puzzle.opnsense.firewall_alias_payload_qmsbwmar/ansible_puzzle.opnsense.firewall_alias_payload.zip/ansible_collections/puzzle/opnsense/plugins/module_utils/enum_utils.py", line 39, in from_string
ValueError: 'FirewallAliasType' enum not found for 'asn'
```

EDIT: fixed by updates to the module ✔️
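The crash above comes from loading every alias in config.xml and mapping each stored type string onto the module's enum, so one alias created in the UI with a type string the module does not know ("asn") fails the whole task. The following is an added illustration, not the collection's code or its actual fix: it assumes the stored value "asn" should map to the module's `bgpasn` type and uses a constructed config.xml fragment.

```python
import xml.etree.ElementTree as ET
from enum import Enum

class FirewallAliasType(Enum):
    HOST = "host"
    NETWORK = "network"
    PORT = "port"
    URL = "url"
    URLTABLE = "urltable"
    GEOIP = "geoip"
    NETWORKGROUP = "networkgroup"
    MACADDRESS = "macaddress"
    BGPASN = "bgpasn"
    DYNAMICIPV6HOST = "dynamicipv6host"
    OPNVPNGROUP = "opnvpngroup"
    INTERNAL = "internal"
    EXTERNAL = "external"

# Type strings the firewall stores under a different name than the module
# uses. "asn" is the value the traceback above tripped on; mapping it to
# BGPASN is this example's assumption, not the project's actual fix.
STORED_TYPE_SYNONYMS = {"asn": FirewallAliasType.BGPASN}

def alias_type_from_string(value: str) -> FirewallAliasType:
    """Resolve a type string from config.xml, accepting stored synonyms."""
    normalized = value.strip().lower()
    if normalized in STORED_TYPE_SYNONYMS:
        return STORED_TYPE_SYNONYMS[normalized]
    try:
        return FirewallAliasType(normalized)
    except ValueError:
        # Same failure as the report above, raised with the offending string
        raise ValueError(f"'FirewallAliasType' enum not found for '{value}'") from None

def load_aliases(config_xml: str) -> list[tuple[str, FirewallAliasType]]:
    """Return (name, type) for every <alias>; one unknown type fails the whole
    load, which is why a single UI-created alias broke every run above."""
    root = ET.fromstring(config_xml)
    return [
        (alias.findtext("name", ""), alias_type_from_string(alias.findtext("type", "")))
        for alias in root.iter("alias")
    ]

# Constructed sample in the shape of the relevant config.xml section; the
# second entry mimics a BGP ASN alias created through the UI (ASN 64496 is
# reserved for documentation).
SAMPLE_CONFIG = """<aliases>
  <alias><name>google_dns</name><type>host</type><content>8.8.8.8</content></alias>
  <alias><name>upstream_asn</name><type>asn</type><content>64496</content></alias>
</aliases>"""
```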

@nerrehmit

We should definitely explain the "refreshfrequency" a bit more. This input is taken as a fraction of a day, so a value of "0.5" leads to 12 hours and "1.1" to 1d 2.4h.
The smallest possible value is "0.0003", which leads to 0.01h in the UI, so a refresh roughly every minute. This is the opnsense minimum according to https://forum.opnsense.org/index.php?topic=15483.0
I think we should have an example using that key.

Also this value only shows up in the UI if you configure type "urltable" but the module accepts it for other types. Not sure if that could lead to problems down the line?
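An added example (not the collection's code) of validating the task arguments discussed in this thread on the module side: the alias name with spaces from the earlier comment, and the "refreshfrequency" semantics from the comment above (fraction of a day, minimum 0.0003, only meaningful for type "urltable"). The argument names and the letters/digits/underscore name rule are assumptions for this example.

```python
import re

# Refresh interval is a fraction of a day; 0.0003 (about one minute) is the
# smallest value OPNsense accepts, per the review comment and forum thread.
MIN_REFRESH_FREQUENCY = 0.0003
# Name rule assumed for this example: the thread only shows that spaces break
# saving in the UI, so we reject anything but letters, digits and underscore.
NAME_PATTERN = re.compile(r"[A-Za-z0-9_]+")

def describe_refresh_frequency(days: float) -> str:
    """Render a fractional-day value the way the UI shows it, e.g. '1d 2.4h'."""
    whole_days = int(days)
    hours = round((days - whole_days) * 24, 2)
    if whole_days and hours:
        return f"{whole_days}d {hours:g}h"
    if whole_days:
        return f"{whole_days}d"
    return f"{hours:g}h"

def validate_alias_args(name: str, alias_type: str, refreshfrequency=None) -> list[str]:
    """Return a list of problems with the task arguments; empty means valid.

    Checking here makes a bad value fail the Ansible task instead of writing
    a config entry the firewall later refuses to save.
    """
    problems = []
    if not NAME_PATTERN.fullmatch(name):
        problems.append(f"alias name {name!r} may only contain letters, digits and '_'")
    if refreshfrequency is None:
        return problems
    if alias_type != "urltable":
        problems.append(f"refreshfrequency only applies to type 'urltable', not {alias_type!r}")
    try:
        value = float(refreshfrequency)
    except (TypeError, ValueError):
        problems.append(f"refreshfrequency {refreshfrequency!r} is not a number")
        return problems
    if value < MIN_REFRESH_FREQUENCY:
        problems.append(
            f"refreshfrequency {value} is below the minimum {MIN_REFRESH_FREQUENCY} "
            f"({describe_refresh_frequency(MIN_REFRESH_FREQUENCY)})"
        )
    return problems

if __name__ == "__main__":
    # The task from the earlier comment: spaces in the name, no refresh value.
    print(validate_alias_args("google DNS Server", "host"))
    # A url table refreshed twice a day, and one refreshed too often.
    print(validate_alias_args("blocklist", "urltable", 0.5))
    print(validate_alias_args("blocklist", "urltable", 0.0001))
```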

@nerrehmit

The BGP ASN type alias offers a selection for IPv4 and/or IPv6 when done through the UI. We do not have that option in our module yet. We should either add that functionality or mention that restriction in the docs to prevent any surprises for users.

@KiLLuuuhh

> BGP ASN aliases added through ansible do not display a Type, compared to BGP ASN Aliases added through the UI, as you can see in the screenshot.

fixed in 64ba9b0.

@KiLLuuuhh

> Running ansible against an opnsense instance with a manually added BGP ASN alias errors out like this:
> [...]
> ValueError: 'FirewallAliasType' enum not found for 'asn'

fixed in 64ba9b0.

@KiLLuuuhh

> The BGP ASN type alias offers a selection for IPv4 and/or IPv6 when done through the UI. We do not have that option in our module yet. We should either add that functionality or mention that restriction in the docs to prevent any surprises for users.

fixed in 944146b.

@DonGiovanni83 DonGiovanni83 left a comment
I have some minor change requests and proposals, but overall it looks good.

Review comments (outdated, resolved) on:
plugins/module_utils/firewall_alias_utils.py
plugins/modules/firewall_alias.py
KiLLuuuhh and others added 8 commits August 19, 2024 14:31
Co-authored-by: Fabio Bertagna <33524186+DonGiovanni83@users.noreply.github.com>

@DonGiovanni83 DonGiovanni83 left a comment

Looks good 👍🏼

@KiLLuuuhh KiLLuuuhh merged commit 0416c70 into puzzle:main Aug 20, 2024
30 checks passed
3 participants