Adding state and execution modules for compliance workflows. (#404)

* Add salt state and execution modules for compliance check PoC. (#396)

* Add salt state and execution modules for compliance check use cases.

* Add vcenter state module

* rename module names.

* incorporate new config module changes.

---------

Co-authored-by: ramurugesan <[email protected]>

* Compliance control state and execution module refactoring (#397)

* VCFSC-42: Add salt state and execution modules for jpmc compliance check use cases.

* Add vcenter state module

* rename module names.

* incorporate new config module changes.

* refactoring modules.

---------

Co-authored-by: ramurugesan <[email protected]>

* change version to dev

* Multi product auth support.

* fix error message.

* Compliance check changes to handle exceptions (#399)

* Compliance check changes to handle exceptions

* Fix pre-commit issue

* Minor fix for compliance check response

* Fix unit test cases.

---------

Co-authored-by: ramurugesan <[email protected]>

* Minor fix to read config from pillar information and then grain (#400)

* Incrementing version

* Fix priority of importing credentials from pillar first

* Adding support for NSX product (#401)

* Incrementing version

* Fix priority of importing credentials from pillar first

* Adding support for product NSX

* Add more product support

* ESXi Context changes and response format changes.

* set results to True for dry-run.

* Incorporated config module framework changes.

* hostname from grains ('fqdn') if available and then fallback to pillars.

* Retrieve hostname from grains and fallback to pillar

* Reading ssl verification flag from pillar

* Adding product filtering

* Optional ssl_thumbprint for esxi context

* Fix skipped remediation status for compliance controls

* Add controller metadata module (#403)

Add controller metadata module

---------

Co-authored-by: Russell Jew <[email protected]>

* Cleanup code and adding unit test cases

* Adding config-module dependency and resolving comment

* Ignoring linkcheck for broken links due to migration

* Remove docs for invalid modules

* Updating tests to run on 3006.9 and python version to 3.10

* Removing python < 3.10 from tests; remove cython dependency from windows; update pytest-salt-factories dependency version

* Upgrading salt requires

* Test pipeline with previous changes

---------

Co-authored-by: Raja Murugesan <[email protected]>
Co-authored-by: ramurugesan <[email protected]>
Co-authored-by: rjew-bc <[email protected]>

.github/workflows/test.yml

@@ -33,7 +33,7 @@ jobs:
     steps:
     - uses: actions/checkout@v2
 
-    - name: Set up Python 3.7 For Nox
+    - name: Set up Python 3.10 For Nox
       uses: actions/setup-python@v4
       with:
         python-version: "3.10"
@@ -64,12 +64,9 @@ jobs:
       max-parallel: 4
       matrix:
         python-version:
-          - 3.7
-          - 3.8
-          - 3.9
           - "3.10"
         salt-version:
-          - 3006.4
+          - 3006.9
 
     steps:
     - uses: actions/checkout@v2
@@ -187,7 +184,7 @@ jobs:
         python-version:
           - "3.10"
         salt-version:
-          - 3006.4
+          - 3006.9
 
     steps:
     - uses: actions/checkout@v2
@@ -206,7 +203,6 @@ jobs:
       shell: bash
       env:
         SALT_REQUIREMENT: salt==${{ matrix.salt-version }}
-        EXTRA_REQUIREMENTS_INSTALL: Cython
       run: |
         export PATH="/C/Program Files (x86)/Windows Kits/10/bin/10.0.18362.0/x64;$PATH"
         nox --force-color -e tests-3 --install-only
@@ -310,7 +306,7 @@ jobs:
         python-version:
           - "3.10"
         salt-version:
-          - 3006.4
+          - 3006.9
 
     steps:
     - uses: actions/checkout@v2

docs/conf.py

@@ -148,8 +148,17 @@
 # <---- Autodoc Config -----------------------------------------------------------------------------------------------
 
 linkcheck_timeout = 10
+
+# Ignoring linkcheck for links migrated from vmware to broadcom
+linkcheck_ignore = [
+    r"https://developer\.vmware\.com/.*",
+    r"http://pubs\.vmware\.com/.*",
+    r"https://code\.vmware\.com/.*",
+]
 if not os.environ.get("SKIP_LINKCHECK_IGNORE"):
-    linkcheck_ignore = ["https://docs.github.com/en/authentication/connecting-to-github-with-ssh"]
+    linkcheck_ignore.append(
+        "https://docs.github.com/en/authentication/connecting-to-github-with-ssh"
+    )
 
 
 def setup(app):

docs/ref/modules/all.rst

@@ -11,6 +11,8 @@ Execution Modules
     saltext.vmware.modules.cluster
     saltext.vmware.modules.cluster_drs
     saltext.vmware.modules.cluster_ha
+    saltext.vmware.modules.compliance_control
+    saltext.vmware.modules.controller_metadata
     saltext.vmware.modules.datacenter
     saltext.vmware.modules.datastore
     saltext.vmware.modules.dvportgroup

docs/ref/modules/saltext.vmware.modules.compliance_control.rst

@@ -0,0 +1,6 @@
+
+saltext.vmware.modules.compliance_control
+=========================================
+
+.. automodule:: saltext.vmware.modules.compliance_control
+    :members:

docs/ref/modules/saltext.vmware.modules.controller_metadata.rst

@@ -0,0 +1,6 @@
+
+saltext.vmware.modules.controller_metadata
+==========================================
+
+.. automodule:: saltext.vmware.modules.controller_metadata
+    :members:

docs/ref/states/all.rst

@@ -8,6 +8,8 @@ State Modules
 .. autosummary::
     :toctree:
 
+    saltext.vmware.states.compliance_control
+    saltext.vmware.states.controller_metadata
     saltext.vmware.states.datacenter
     saltext.vmware.states.datastore
     saltext.vmware.states.esxi

docs/ref/states/saltext.vmware.states.compliance_control.rst

@@ -0,0 +1,6 @@
+
+saltext.vmware.states.compliance_control
+========================================
+
+.. automodule:: saltext.vmware.states.compliance_control
+    :members:

docs/ref/states/saltext.vmware.states.controller_metadata.rst

@@ -0,0 +1,6 @@
+
+saltext.vmware.states.controller_metadata
+=========================================
+
+.. automodule:: saltext.vmware.states.controller_metadata
+    :members:

setup.cfg

@@ -43,12 +43,13 @@ install_requires =
     pyvmomi==7.0.3
     importlib_metadata; python_version < "3.8"
     jinja2>=3.1.0
+    config_modules_vmware
 
 [options.extras_require]
 tests =
   pytest>=6.1.0
   pytest-cov
-  pytest-salt-factories>=1.0.0rc27
+  pytest-salt-factories>=1.0.1
 dev =
   nox
   towncrier==21.9.0rc1

src/saltext/vmware/modules/compliance_control.py

@@ -0,0 +1,77 @@
+# SPDX-License: Apache-2.0
+import logging
+
+import salt.exceptions
+import saltext.vmware.utils.compliance_control as compliance_control_util
+from config_modules_vmware.interfaces.controller_interface import ControllerInterface
+
+log = logging.getLogger(__name__)
+
+__virtualname__ = "vmware_compliance_control"
+
+
+def __virtual__():
+    return __virtualname__
+
+
+def control_config_compliance_check(control_config, product, auth_context=None):
+    """
+    Checks compliance of control config. Control config can be ntp, dns, syslog, etc.
+    Returns control compliance response object.
+
+    control_config
+        control config dict object.
+    product
+        appliance name - vcenter, sddc-manager, etc.
+    auth_context
+        optional auth context to access product.
+    """
+
+    log.info("Checking compliance %s", control_config)
+    if not auth_context:
+        config = __opts__
+        auth_context = compliance_control_util.create_auth_context(config=config, product=product)
+
+    try:
+        controller_interface_obj = ControllerInterface(auth_context)
+        response_check_compliance = controller_interface_obj.check_compliance(
+            desired_state_spec=control_config
+        )
+        log.debug("Response for compliance check %s", response_check_compliance)
+        return response_check_compliance
+    except Exception as exc:
+        log.error("Compliance check encountered an error: %s", str(exc))
+        raise salt.exceptions.VMwareRuntimeError(str(exc))
+
+
+def control_config_remediate(control_config, product, auth_context=None):
+    """
+    Remediate given compliance control config. Control config can be ntp, dns, syslog, etc.
+    Returns remediation response object.
+
+    control_config
+        control config dict object.
+    product
+        appliance name. vcenter, sddc-manager, etc.
+    auth_context
+        Optional auth context to access product.
+    """
+
+    log.info("Remediation : %s", control_config)
+
+    if not auth_context:
+        config = __opts__
+        auth_context = compliance_control_util.create_auth_context(config=config, product=product)
+
+    try:
+        controller_interface_obj = ControllerInterface(auth_context)
+        response_remediate = controller_interface_obj.remediate_with_desired_state(
+            desired_state_spec=control_config
+        )
+        log.debug("Remediation response %s", response_remediate)
+        return response_remediate
+
+    except Exception as exc:
+        # Handle exceptions by setting status as false and including exception details
+        log.error("Remediation encountered an error: %s", str(exc))
+        raise salt.exceptions.VMwareRuntimeError(str(exc))

src/saltext/vmware/modules/controller_metadata.py

@@ -0,0 +1,30 @@
+# SPDX-License: Apache-2.0
+import logging
+
+import salt.exceptions
+from config_modules_vmware.interfaces.metadata_interface import ControllerMetadataInterface
+
+log = logging.getLogger(__name__)
+
+__virtualname__ = "vmware_controller_metadata"
+
+
+def __virtual__():
+    return __virtualname__
+
+
+def validate(controller_metadata):
+    """
+    Validates that the controller custom metadata is valid - has correct product/controls, format, and types.
+
+    controller_metadata
+        controller metadata dict to validate
+    """
+
+    log.info("Validating controller metadata: %s", controller_metadata)
+
+    try:
+        ControllerMetadataInterface.validate_custom_metadata(controller_metadata)
+    except Exception as exc:
+        log.error("Error when validating controller metadata: %s", str(exc))
+        raise salt.exceptions.VMwareRuntimeError(str(exc))