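---
# Hetzner Cloud firewall management for one `firewall_object` (expected keys,
# from the tasks below: name, state ('present' | 'absent'), rules, apply_to).
# Every API call runs on the controller (delegate_to 127.0.0.1) and
# authenticates with the bearer token in `hetzner_authentication_ansible`.
#
# SECURITY NOTE: the token is passed as a plain `headers` module argument. Ansible
# normally echoes module arguments in verbose (-v) runs and in the printed result
# of a failed task, so it can land in CI/job logs. Set `no_log: true` on these
# tasks (or on the include that loads this file) when that output is shared, and
# never default the `fail` messages below to the whole failed result.

- name: "Get all existing firewalls"
  uri:
    method: GET
    url: "https://api.hetzner.cloud/v1/firewalls?per_page=1000"
    body_format: json
    validate_certs: true
    headers:
      accept: application/json
      authorization: "Bearer {{ hetzner_authentication_ansible }}"
    status_code: [200]
  register: hcloud_firewalls_all
  delegate_to: 127.0.0.1
  become: false

- name: "Setting hetzner firewall pagination count: <{{ hcloud_firewalls_all.json.meta.pagination.last_page }}>"
  set_fact:
    # number of pages the API reports for the per_page used in the request above
    total_server_pages: "{{ hcloud_firewalls_all.json.meta.pagination.last_page }}"
  become: false
  tags:
    - always

- name: "BLOCK << WITHOUT >> pagination"
  block:
    - name: "Get firewall object from list"
      set_fact:
        # selectattr matches on the name as data; the former JMESPath string
        # embedded the name in a query, so a quote in it could break or alter it
        lookup_fw_obj: "{{ hcloud_firewalls_all.json.firewalls | selectattr('name', 'equalto', firewall_object.name) | list }}"
  when:
    # `| int` keeps the comparison working whether the fact is a string or a number
    - total_server_pages | int == 1

- name: "<< WITH >> pagination"
  block:
    - name: "Get all existing firewalls (page {{ item }})"
      uri:
        method: GET
        # same per_page as the first request: `last_page` counted above is only
        # valid for that page size, a smaller page here would silently skip entries
        url: "https://api.hetzner.cloud/v1/firewalls?per_page=1000&page={{ item }}"
        body_format: json
        validate_certs: true
        headers:
          accept: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        status_code: [200]
      # the task referenced `item` and `results` but had no loop; walk every page
      loop: "{{ range(1, total_server_pages | int + 1) | list }}"
      register: hcloud_firewalls_all
      delegate_to: 127.0.0.1
      become: false

    - name: "Get firewall object from list"
      set_fact:
        # a looped register exposes the per-page results under `.results`;
        # collect `json.firewalls` of each page into one flat list before matching
        lookup_fw_obj: >-
          {{ hcloud_firewalls_all.results
             | map(attribute='json.firewalls')
             | flatten
             | selectattr('name', 'equalto', firewall_object.name)
             | list }}
  when:
    - total_server_pages | int != 1

- name: "Create firewall rule for <<{{ firewall_object.name }}>>"
  uri:
    method: POST
    url: "https://api.hetzner.cloud/v1/firewalls"
    body_format: json
    validate_certs: true
    headers:
      Content-Type: application/json
      authorization: "Bearer {{ hetzner_authentication_ansible }}"
    # NOTE(review): the whole object (including `state`) is posted as-is; this
    # assumes the API ignores keys it does not know — confirm against the docs
    body: "{{ firewall_object | to_json }}"
    return_content: true
    status_code: [201]
  delegate_to: 127.0.0.1
  become: false
  when:
    - firewall_object.state == 'present'
    - lookup_fw_obj | length == 0

- name: "Update firewall rule for <<{{ firewall_object.name }}>>"
  block:
    - name: "Step_1: update FW rule <<{{ firewall_object.name }}>>"
      uri:
        method: PUT
        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}"
        body_format: json
        validate_certs: true
        headers:
          Content-Type: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        body: "{{ firewall_object | to_json }}"
        return_content: true
        status_code: [200]
      register: fw_update_step1
      delegate_to: 127.0.0.1
      become: false

    - name: "Setting VAR"
      set_fact:
        rules_obj:
          rules: "{{ firewall_object.rules }}"
        applyto_obj:
          apply_to: "{{ firewall_object.apply_to }}"

    - name: "Step_2: update FW rule - update rules"
      uri:
        method: POST
        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}/actions/set_rules"
        body_format: json
        validate_certs: true
        headers:
          Content-Type: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        body: "{{ rules_obj | to_json }}"
        return_content: true
        status_code: [201]
      register: fw_update_step2
      delegate_to: 127.0.0.1
      become: false

    - name: "Step_3: update FW rule - apply-to-resources"
      uri:
        method: POST
        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}/actions/apply_to_resources"
        body_format: json
        validate_certs: true
        headers:
          Content-Type: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        body: "{{ applyto_obj | to_json }}"
        return_content: true
        status_code: [201]
      # was registered as fw_update_step2 too, clobbering Step_2's result
      register: fw_update_step3
      delegate_to: 127.0.0.1
      become: false
  rescue:
    # Only the "already applied" answer from apply_to_resources is harmless.
    # Previously any failure in Step_1..Step_3 (401, 403, other 422s, ...) was
    # swallowed by this rescue, because a skipped rescue task still counts as
    # rescued; everything else is now re-raised explicitly.
    - name: "Rescueing FW-apply-to part "
      debug:
        msg: "Everything fine - FW-apply-to part already applied"
      when: _hcloud_fw_already_applied | bool

    - name: "Re-raise any other failure while updating <<{{ firewall_object.name }}>>"
      fail:
        # deliberately prints only status/msg: the full failed result carries the
        # module arguments, i.e. the bearer token
        msg: >-
          Updating firewall <<{{ firewall_object.name }}>> failed in
          '{{ ansible_failed_task.name | default('unknown task') }}'
          (HTTP {{ ansible_failed_result.status | default('n/a') }}):
          {{ ansible_failed_result.msg | default('no error message') }}
      when: not (_hcloud_fw_already_applied | bool)
  vars:
    # evaluated lazily inside the rescue, where ansible_failed_result is set
    _hcloud_fw_already_applied: >-
      {{ (ansible_failed_result.status | default(0)) | int == 422
         and (ansible_failed_result.json.error.code | default('')) == 'firewall_already_applied' }}
  when:
    - firewall_object.state == 'present'
    - lookup_fw_obj | length > 0

- name: "Delete firewall rule for <<{{ firewall_object.name }}>>"
  block:
    - name: "Create firewall object for deactivation"
      set_fact:
        deactivate_fw_obj:
          remove_from: "{{ firewall_object.apply_to }}"

    - name: "Step_1: Unset usage of firewall rule <<{{ firewall_object.name }}>>"
      uri:
        method: POST
        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}/actions/remove_from_resources"
        body_format: json
        validate_certs: true
        headers:
          Content-Type: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        body: "{{ deactivate_fw_obj | to_json }}"
        return_content: true
        status_code: [201]
      delegate_to: 127.0.0.1
      become: false

    - name: "Step_2: Delete firewall rule for <<{{ firewall_object.name }}>>"
      uri:
        method: DELETE
        url: "https://api.hetzner.cloud/v1/firewalls/{{ lookup_fw_obj.0.id }}"
        body_format: json
        validate_certs: true
        headers:
          Content-Type: application/json
          authorization: "Bearer {{ hetzner_authentication_ansible }}"
        return_content: true
        status_code: [204]
      register: cleanup_firewall
      delegate_to: 127.0.0.1
      become: false
      # the remove action above is asynchronous on the API side; keep retrying
      # the DELETE until it is accepted (up to 15 x 10 s)
      until: cleanup_firewall.status == 204
      retries: 15
      delay: 10
  when:
    - firewall_object.state == 'absent'
    - lookup_fw_obj | length > 0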