Feat(eos_designs): Add support for Zscaler internet-exit policy (#3833)

Co-authored-by: Claus Holbech <[email protected]>

.pre-commit-config.yaml

@@ -145,7 +145,8 @@ repos:
             ansible_collections/arista/avd/roles/.*/docs/tables/.*\.md| # Exclude all .md files in tables
             ansible_collections/arista/avd/roles/.*/schemas/.*schema\.yml| # Exclude YAML schemas file
             ansible_collections/arista/avd/roles/.*/schemas/.*jsonschema\.json| # Exclude JSON schemas file
-            ansible_collections/arista/avd/plugins/plugin_utils/cv_client/api/.*| # Exclude auto generated files for cv API
+            ansible_collections/arista/avd/plugins/plugin_utils/cv_client/api/.*| # Exclude auto generated files for CV API
+            ansible_collections/arista/avd/plugins/plugin_utils/cv_client/extra_cv_protos/.*| # Exclude extra CV proto files
             ansible-avd/ansible_collections/arista/avd/docs/plugins/.* | # Excluded auto generated doc for Ansible plugins
           )$
 
@@ -166,6 +167,13 @@ repos:
         types: [python]
         files: ansible_collections/arista/avd/plugins/filter/
 
+      - id: docs-plugin-lookup
+        name: Build documentation for collection lookup plugins
+        entry: ansible-doc-extractor --template ansible_collections/arista/avd/docs/templates/plugin-docs.j2 --markdown "ansible_collections/arista/avd/docs/plugins/Lookup_plugins/"
+        language: system
+        types: [python]
+        files: ansible_collections/arista/avd/plugins/lookup/
+
       - id: docs-plugin-test
         name: Build documentation for collection test plugins
         entry: ansible-doc-extractor --template ansible_collections/arista/avd/docs/templates/plugin-docs.j2 --markdown "ansible_collections/arista/avd/docs/plugins/Test_plugins/"

ansible_collections/arista/avd/docs/plugins/Lookup_plugins/cv_zscaler_endpoints.md

@@ -0,0 +1,55 @@
+---
+# This title is used for search results
+title: arista.avd.cv_zscaler_endpoints
+---
+<!--
+  ~ Copyright (c) 2023-2024 Arista Networks, Inc.
+  ~ Use of this source code is governed by the Apache License 2.0
+  ~ that can be found in the LICENSE file.
+  -->
+
+# cv_zscaler_endpoints
+
+!!! note
+    Always use the FQCN (Fully Qualified Collection Name) `arista.avd.cv_zscaler_endpoints` when using this plugin.
+
+PREVIEW - Fetch Zscaler endpoints used for CV Pathfinder internet-exit integration.
+
+## Synopsis
+
+Use this to autofill the `zscaler_endpoints` data model.
+
+The arguments are optional. If not set the same vars must be set.
+
+## Requirements
+
+The below requirements are needed on the host that executes this module.
+
+- md_toc
+
+## Parameters
+
+| Argument | Type | Required | Default | Value Restrictions | Description |
+| -------- | ---- | -------- | ------- | ------------------ | ----------- |
+| <samp>cv_server</samp> | str | True | None |  | CV server. |
+| <samp>cv_token</samp> | str | True | None |  | CV token. |
+| <samp>cv_verify_certs</samp> | bool | optional | True |  | Verify SSL certificates. |
+| <samp>serial_number</samp> | str | True | None |  | Device serial number. |
+| <samp>inventory_hostname</samp> | str | True | None |  | Device inventory hostname. |
+
+## Examples
+
+```yaml
+---
+zscaler_endpoints: "{{ lookup('arista.avd.cv_zscaler_endpoints') }}"
+```
+
+## Return Values
+
+| Name | Type | Description |
+| ---- | ---- | ----------- |
+| _value | dict | Dict according to the `zscaler_endpoints` data model. |
+
+## Authors
+
+- Arista Ansible Team (@aristanetworks)

ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/host_vars/duplicate-tunnel-interface-internet-exit.yml

@@ -0,0 +1,144 @@
+---
+wan_mode: cv-pathfinder
+# Disabling underlay for tests
+underlay_routing_protocol: none
+
+type: wan_router
+
+bgp_as: 65000
+
+cv_pathfinder_regions:
+  - name: AVD_Land_West
+    id: 42
+    description: AVD Region
+    sites:
+      - name: Site422
+        id: 422
+        location: Somewhere
+
+bgp_peer_groups:
+  wan_overlay_peers:
+    password: "htm4AZe9mIQOO1uiMuGgYQ=="
+    listen_range_prefixes:
+      - 192.168.255.0/24
+
+wan_route_servers:
+  - hostname: cv-pathfinder-pathfinder
+    vtep_ip: 10.10.10.10
+    path_groups:
+      - name: INET
+        interfaces:
+          - name: Ethernet1
+            public_ip: 192.168.55.55
+
+wan_ipsec_profiles:
+  control_plane:
+    shared_key: ABCDEF1234567890
+  data_plane:
+    shared_key: ABCDEF1234567890666
+
+wan_router:
+  defaults:
+    loopback_ipv4_pool: 192.168.42.0/24
+    vtep_loopback_ipv4_pool: 192.168.255.0/24
+    filter:
+      always_include_vrfs_in_tenants: [TenantA]
+  nodes:
+    - name: duplicate-tunnel-interface-internet-exit
+      cv_pathfinder_region: AVD_Land_West
+      cv_pathfinder_site: Site422
+      id: 1
+      l3_interfaces:
+        - name: Ethernet1
+          wan_carrier: ATT
+          wan_circuit_id: 666
+          dhcp_accept_default_route: true
+          ip_address: dhcp
+          cv_pathfinder_internet_exit:
+            policies:
+              - name: ZSCALER-EXIT-POLICY-1
+                tunnel_interface_numbers: 100-102
+        - name: Ethernet2
+          wan_carrier: ATT
+          wan_circuit_id: 777
+          dhcp_accept_default_route: true
+          ip_address: dhcp
+          cv_pathfinder_internet_exit:
+            policies:
+              - name: ZSCALER-EXIT-POLICY-2
+                # Clashing IDs with Ethernet1
+                tunnel_interface_numbers: 100-102
+
+wan_path_groups:
+  - name: INET
+    id: 101
+
+wan_carriers:
+  - name: ATT
+    path_group: INET
+    trusted: true
+
+tenants:
+  - name: TenantA
+    vrfs:
+      - name: default
+        vrf_id: 1
+      - name: PROD
+        vrf_id: 42
+
+wan_virtual_topologies:
+  vrfs:
+    - name: PROD
+      wan_vni: 42
+  policies:
+    - name: DEFAULT-POLICY
+      default_virtual_topology:
+        drop_unmatched: true
+      application_virtual_topologies:
+        - application_profile: TEST
+          path_groups:
+            - names: [ INET ]
+          internet_exit:
+            policy: ZSCALER-EXIT-POLICY-1
+          id: 42
+        - application_profile: TEST2
+          path_groups:
+            - names: [ INET ]
+          internet_exit:
+            policy: ZSCALER-EXIT-POLICY-2
+          id: 43
+
+application_classification:
+  application_profiles:
+    - name: TEST
+    - name: TEST2
+
+cv_pathfinder_internet_exit_policies:
+  - name: ZSCALER-EXIT-POLICY-1
+    type: zscaler
+    zscaler:
+      cloud_name: zscalerbeta
+      domain_name: test.local
+      ipsec_key_salt: THIS_SHOULD_BE_VAULTED
+  - name: ZSCALER-EXIT-POLICY-2
+    fallback_to_system_default: False
+    type: zscaler
+    zscaler:
+      cloud_name: zscalerbeta
+      domain_name: test.local
+      ipsec_key_salt: THIS_SHOULD_BE_VAULTED
+
+zscaler_endpoints:
+  primary:
+    city: Fremont, CA
+    datacenter: FMT1
+    country: United States
+    latitude: 37
+    longitude: -121
+    ip_address: 10.37.121.1 # Not the correct address
+
+expected_error_message: >-
+  Found duplicate objects with conflicting data while generating configuration for Tunnel interface for Internet Exit policy.
+  {'name': 'Tunnel100', 'description': 'Internet Exit ZSCALER-EXIT-POLICY-2 PRI', 'ip_address': 'unnumbered Ethernet2', 'source_interface': 'Ethernet2'}
+  conflicts with
+  {'name': 'Tunnel100', 'description': 'Internet Exit ZSCALER-EXIT-POLICY-1 PRI', 'ip_address': 'unnumbered Ethernet1', 'source_interface': 'Ethernet1'}.

ansible_collections/arista/avd/molecule/eos_designs_negative_unit_tests/inventory/hosts.yml

@@ -88,6 +88,7 @@ all:
         duplicate-vni-l2vlans-vxlan-interface:
         duplicate-interfaces-underlay:
         duplicate-ip-address-uplink-switch-router-bgp:
+        duplicate-tunnel-interface-internet-exit:
         failure-missing-evpn-vlan-bundle:
         failure-missing-evpn-vlan-bundle_svi:
         failure-missing-evpn-multicast-l3-with-pim: