Try Spottercreate and delete WAF Web ACLs
| "added in version" 2.5 of ansible.builtin"
Authors: Mike Mochan (@mmochan), Will Thames (@willthames)
preview | supported by community
pipInstall with pip install ansible==2.6.10
Read the AWS documentation for WAF U(https://aws.amazon.com/documentation/waf/)
- name: create web ACL
aws_waf_web_acl:
name: my_web_acl
rules:
- name: my_rule
priority: 1
action: block
default_action: block
purge_rules: yes
state: present
- name: delete the web acl
aws_waf_web_acl:
name: my_web_acl
state: absent
name:
description: Name of the Web Application Firewall ACL to manage
required: true
rules:
description:
- A list of rules that the Web ACL will enforce.
- Each rule must contain I(name), I(action), I(priority) keys.
- Priorities must be unique, but not necessarily consecutive. Lower numbered priorities
are evalauted first.
- The I(type) key can be passed as C(rate_based), it defaults to C(regular)
state:
choices:
- present
- absent
default: present
description: whether the Web ACL should be present or absent
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used. Prior to release 6.0.0
the C(AWS_PROFILE) environment variable will be ignored if any of I(access_key),
I(secret_key), or I(session_token) are passed. After release 6.0.0 I(profile) will
always fall back to the C(AWS_PROFILE) environment variable if set.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference. Prior to release 6.0.0 these
environment variables will be ignored if the I(profile) parameter is passed. After
release 6.0.0 I(access_key) will always fall back to the environment variables if
set.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference. Prior to release
6.0.0 these environment variables will be ignored if the I(profile) parameter is
passed. After release 6.0.0 I(secret_key) will always fall back to the environment
variables if set.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
metric_name:
description:
- A friendly name or description for the metrics for this WebACL
- The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't
contain whitespace.
- You can't change metric_name after you create the WebACL
- Metric name will default to I(name) with disallowed characters stripped out
purge_rules:
description: Whether to remove rules that aren't passed with C(rules). Defaults to
false
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference. Prior to release 6.0.0
these environment variables will be ignored if the I(profile) parameter is passed. After
release 6.0.0 I(session_token) will always fall back to the environment variables
if set.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
default_action:
choices:
- block
- allow
- count
description: The action that you want AWS WAF to take when a request doesn't match
the criteria specified in any of the Rule objects that are associated with the WebACL
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
web_acl:
contains:
default_action:
description: Default action taken by the Web ACL if no rules match
returned: always
sample:
type: BLOCK
type: dict
metric_name:
description: Metric name used as an identifier
returned: always
sample: mywebacl
type: string
name:
description: Friendly name of the Web ACL
returned: always
sample: my web acl
type: string
rules:
contains:
action:
description: Action taken by the WAF when the rule matches
returned: always
sample:
type: ALLOW
type: complex
priority:
description: priority number of the rule (lower numbers are run first)
returned: always
sample: 2
type: int
rule_id:
description: Rule ID
returned: always
sample: a6fc7ab5-287b-479f-8004-7fd0399daf75
type: string
type:
description: Type of rule (either REGULAR or RATE_BASED)
returned: always
sample: REGULAR
type: string
description: List of rules
returned: always
type: complex
web_acl_id:
description: Unique identifier of Web ACL
returned: always
sample: 10fff965-4b6b-46e2-9d78-24f6d2e2d21c
type: string
description: contents of the Web ACL
returned: always
type: complex