Try Spottercreate and delete WAF Web ACLs
| "added in version" 2.5 of ansible.builtin"
Authors: Mike Mochan (@mmochan), Will Thames (@willthames)
preview | supported by community
pipInstall with pip install ansible==2.9.17
Read the AWS documentation for WAF U(https://aws.amazon.com/documentation/waf/)
- name: create web ACL
aws_waf_web_acl:
name: my_web_acl
rules:
- name: my_rule
priority: 1
action: block
default_action: block
purge_rules: yes
state: present
- name: delete the web acl
aws_waf_web_acl:
name: my_web_acl
state: absent
name:
description: Name of the Web Application Firewall ACL to manage
required: true
rules:
description:
- A list of rules that the Web ACL will enforce.
- Each rule must contain I(name), I(action), I(priority) keys.
- Priorities must be unique, but not necessarily consecutive. Lower numbered priorities
are evaluated first.
- The I(type) key can be passed as C(rate_based), it defaults to C(regular)
state:
choices:
- present
- absent
default: present
description: whether the Web ACL should be present or absent
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION
environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
type: str
ec2_url:
aliases:
- aws_endpoint_url
- endpoint_url
description:
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will
use EC2 endpoints). Ignored for modules where region is required. Must be specified
for all other modules if region is not used. If not set then the value of the EC2_URL
environment variable, if any, is used.
type: str
profile:
aliases:
- aws_profile
description:
- Using I(profile) will override I(aws_access_key), I(aws_secret_key) and I(security_token)
and support for passing them at the same time as I(profile) has been deprecated.
- I(aws_access_key), I(aws_secret_key) and I(security_token) will be made mutually
exclusive with I(profile) after 2022-06-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
- Only the 'user_agent' key is used for boto modules. See U(http://boto.cloudhackers.com/en/latest/boto_config_tut.html#boto)
for more boto configuration.
type: dict
metric_name:
description:
- A friendly name or description for the metrics for this WebACL
- The name can contain only alphanumeric characters (A-Z, a-z, 0-9); the name can't
contain whitespace.
- You can't change metric_name after you create the WebACL
- Metric name will default to I(name) with disallowed characters stripped out
purge_rules:
default: false
description:
- Whether to remove rules that aren't passed with C(rules).
type: bool
waf_regional:
default: false
description: Whether to use waf_regional module. Defaults to false.
required: false
type: bool
version_added: '2.9'
version_added_collection: ansible.builtin
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- Not used by boto 2 based modules.
- 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied
from the controller if not run locally.'
type: path
aws_access_key:
aliases:
- ec2_access_key
- access_key
description:
- C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY)
or C(EC2_ACCESS_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_access_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
aws_secret_key:
aliases:
- ec2_secret_key
- secret_key
description:
- C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY),
or C(EC2_SECRET_KEY) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(aws_secret_key) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
default_action:
choices:
- block
- allow
- count
description: The action that you want AWS WAF to take when a request doesn't match
the criteria specified in any of the Rule objects that are associated with the WebACL
security_token:
aliases:
- aws_security_token
- access_token
description:
- C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN)
or C(EC2_SECURITY_TOKEN) environment variable is used.
- If I(profile) is set this parameter is ignored.
- Passing the I(security_token) and I(profile) options at the same time has been deprecated
and the options will be made mutually exclusive after 2022-06-01.
type: str
validate_certs:
default: true
description:
- When set to "no", SSL certificates will not be validated for communication with
the AWS APIs.
type: bool
debug_botocore_endpoint_logs:
default: 'no'
description:
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action"
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the aws_resource_action callback to output to total list made
during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also
be used.
type: bool
web_acl:
contains:
default_action:
description: Default action taken by the Web ACL if no rules match
returned: always
sample:
type: BLOCK
type: dict
metric_name:
description: Metric name used as an identifier
returned: always
sample: mywebacl
type: str
name:
description: Friendly name of the Web ACL
returned: always
sample: my web acl
type: str
rules:
contains:
action:
description: Action taken by the WAF when the rule matches
returned: always
sample:
type: ALLOW
type: complex
priority:
description: priority number of the rule (lower numbers are run first)
returned: always
sample: 2
type: int
rule_id:
description: Rule ID
returned: always
sample: a6fc7ab5-287b-479f-8004-7fd0399daf75
type: str
type:
description: Type of rule (either REGULAR or RATE_BASED)
returned: always
sample: REGULAR
type: str
description: List of rules
returned: always
type: complex
web_acl_id:
description: Unique identifier of Web ACL
returned: always
sample: 10fff965-4b6b-46e2-9d78-24f6d2e2d21c
type: str
description: contents of the Web ACL
returned: always
type: complex