community.aws.ec2_vpc_nacl (2.6.0) module: create and delete Network ACLs
Added in version 1.0.0 of community.aws
Authors: Mike Mochan (@mmochan)
Install with: ansible-galaxy collection install community.aws:==2.6.0

Or add it to a requirements.yml:
collections:
  - name: community.aws
    version: 2.6.0
Read the AWS documentation for Network ACLs: https://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_ACLs.html
Examples

# Complete example to create and delete a network ACL
# that allows SSH, HTTP and ICMP in, and all traffic out.
- name: "Create and associate production DMZ network ACL with DMZ subnets"
  community.aws.ec2_vpc_nacl:
    vpc_id: vpc-12345678
    name: prod-dmz-nacl
    region: ap-southeast-2
    subnets: ['prod-dmz-1', 'prod-dmz-2']
    tags:
      CostCode: CC1234
      Project: phoenix
      Description: production DMZ
    ingress:
      # rule no, protocol, allow/deny, cidr, icmp_type, icmp_code,
      # port from, port to
      - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
      - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
      - [205, 'tcp', 'allow', '::/0', null, null, 80, 80]
      - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
      - [305, 'ipv6-icmp', 'allow', '::/0', 0, 8]
    egress:
      - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
      - [105, 'all', 'allow', '::/0', null, null, null, null]
    state: 'present'

- name: "Remove the ingress and egress rules - defaults to deny all"
  community.aws.ec2_vpc_nacl:
    vpc_id: vpc-12345678
    name: prod-dmz-nacl
    region: ap-southeast-2
    subnets:
      - prod-dmz-1
      - prod-dmz-2
    tags:
      CostCode: CC1234
      Project: phoenix
      Description: production DMZ
    state: present

- name: "Remove the NACL subnet associations and tags"
  community.aws.ec2_vpc_nacl:
    vpc_id: 'vpc-12345678'
    name: prod-dmz-nacl
    region: ap-southeast-2
    state: present

- name: "Delete nacl and subnet associations"
  community.aws.ec2_vpc_nacl:
    vpc_id: vpc-12345678
    name: prod-dmz-nacl
    state: absent

- name: "Delete nacl by its id"
  community.aws.ec2_vpc_nacl:
    nacl_id: acl-33b4ee5b
    state: absent
Parameters

name (str, optional)
  - Tagged name identifying a network ACL.
  - One and only one of name or nacl_id is required.

nacl_id (str, optional)
  - NACL id identifying a network ACL.
  - One and only one of name or nacl_id is required.

vpc_id (str, optional)
  - VPC id of the requesting VPC.
  - Required when state is present.

state (str; choices: present, absent; default: present)
  - present: creates or modifies an existing NACL.
  - absent: deletes a NACL and reassociates its subnets to the default NACL.

subnets (list of str, optional)
  - The list of subnets that should be associated with the network ACL.
  - Must be specified as a list.
  - Each subnet can be specified as a subnet ID or its tagged name.

ingress (list of lists; default: [])
  - List of rules for incoming traffic. Each rule must be specified as a list.
  - Each rule may contain: the rule number (integer 1-32766), the protocol (one of 'tcp', 'udp', 'icmp', 'ipv6-icmp', '-1', 'all'), the rule action ('allow' or 'deny'), the CIDR of the IPv4 or IPv6 network range to allow or deny, the ICMP type (-1 means all types), the ICMP code (-1 means all codes), the first port in the range for TCP or UDP protocols, and the last port in the range for TCP or UDP protocols (port from, port to, as in the examples). See examples.

egress (list of lists; default: [])
  - List of rules for outgoing traffic. Each rule must be specified as a list, in exactly the same layout as an ingress rule. See examples.

tags (dict, optional; alias: resource_tags)
  - A dictionary representing the tags to be applied to the resource.
  - If the tags parameter is not set then tags will not be modified.

purge_tags (bool; default: true)
  - If purge_tags=true and tags is set, existing tags will be purged from the resource to match exactly what is defined by the tags parameter.
  - If the tags parameter is not set then tags will not be modified, even if purge_tags=true.
  - Tag keys beginning with aws: are reserved by Amazon and cannot be modified. As such they will be ignored for the purposes of the purge_tags parameter. See the Amazon documentation for more information: https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions

region (str; aliases: aws_region, ec2_region)
  - The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region

endpoint_url (str; aliases: ec2_url, aws_endpoint_url, s3_url)
  - URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.

profile (str; alias: aws_profile)
  - The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options.

aws_access_key (str; aliases: ec2_access_key, access_key)
  - AWS access key. If not set then the value of the AWS_ACCESS_KEY_ID, AWS_ACCESS_KEY or EC2_ACCESS_KEY environment variable is used.
  - The aws_access_key and profile options are mutually exclusive.

aws_secret_key (str; aliases: ec2_secret_key, secret_key)
  - AWS secret key. If not set then the value of the AWS_SECRET_ACCESS_KEY, AWS_SECRET_KEY, or EC2_SECRET_KEY environment variable is used.
  - The aws_secret_key and profile options are mutually exclusive.

security_token (str; aliases: aws_session_token, session_token, aws_security_token, access_token)
  - AWS STS security token. If not set then the value of the AWS_SECURITY_TOKEN or EC2_SECURITY_TOKEN environment variable is used.
  - The security_token and profile options are mutually exclusive.
  - Aliases aws_session_token and session_token have been added in version 3.2.0.

aws_config (dict)
  - A dictionary to modify the botocore configuration.
  - Parameters can be found at https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config

aws_ca_bundle (path)
  - The location of a CA Bundle to use when validating SSL certificates.
  - Note: the CA Bundle is read module side and may need to be explicitly copied from the controller if not run locally.

validate_certs (bool; default: true)
  - When set to "no", SSL certificates will not be validated for communication with the AWS APIs.

debug_botocore_endpoint_logs (bool; default: no)
  - Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputting the set to the resource_actions key in the task results. Use the aws_resource_action callback to output the total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
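The rule-list layout documented for ingress and egress and used in the examples is easy to get subtly wrong (ports and ICMP fields share positions, IPv4 and IPv6 CIDRs map to different API fields). The following is an added example, not the module's own code: it validates a rule list against the constraints stated on this page, translates it into the keyword shape the EC2 CreateNetworkAclEntry API expects, and flags ingress rules a reviewer would want to look at before the playbook runs. The protocol-number mapping and the treatment of a missing ICMP type or code as -1 are assumptions of this example.

```python
import ipaddress
# IANA protocol numbers the EC2 NACL API expects as strings (assumed mapping).
PROTOCOLS = {"tcp": "6", "udp": "17", "icmp": "1", "ipv6-icmp": "58", "all": "-1", "-1": "-1"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}
ADMIN_PORTS = {22, 3389}  # ports a reviewer would not expect open to any source

def to_entry(rule, egress):
    """Translate [rule_no, protocol, action, cidr, icmp_type, icmp_code, port_from,
    port_to] into create_network_acl_entry-style kwargs; short lists are padded."""
    rule_no, proto, action, cidr, icmp_type, icmp_code, p_from, p_to = (
        list(rule) + [None] * (8 - len(rule)))
    if not 1 <= int(rule_no) <= 32766:
        raise ValueError(f"rule {rule_no}: number outside 1-32766")
    proto = str(proto)
    if proto not in PROTOCOLS or action not in ("allow", "deny"):
        raise ValueError(f"rule {rule_no}: bad protocol or action")
    net = ipaddress.ip_network(cidr, strict=False)  # rejects malformed CIDRs
    entry = {"RuleNumber": int(rule_no), "Protocol": PROTOCOLS[proto],
             "RuleAction": action, "Egress": egress,
             ("Ipv6CidrBlock" if net.version == 6 else "CidrBlock"): str(net)}
    if proto in ("tcp", "udp"):
        if p_from is None or p_to is None or not 0 <= p_from <= p_to <= 65535:
            raise ValueError(f"rule {rule_no}: tcp/udp needs a valid port range")
        entry["PortRange"] = {"From": p_from, "To": p_to}
    elif proto in ("icmp", "ipv6-icmp"):
        # None is treated as -1 (all types/codes); an assumption of this example.
        entry["IcmpTypeCode"] = {"Type": -1 if icmp_type is None else icmp_type,
                                 "Code": -1 if icmp_code is None else icmp_code}
    return entry

def wide_open_ingress(rules):
    """Rule numbers of ingress allow rules admitting any source to every
    protocol or to an admin port; a pre-apply review gate, not a hard block."""
    hits = []
    for rule in rules:
        e = to_entry(rule, egress=False)
        cidr = e.get("CidrBlock") or e.get("Ipv6CidrBlock")
        if e["RuleAction"] != "allow" or cidr not in ANY_SOURCE:
            continue
        pr = e.get("PortRange")
        if e["Protocol"] == "-1" or (pr and any(pr["From"] <= p <= pr["To"] for p in ADMIN_PORTS)):
            hits.append(e["RuleNumber"])
    return hits

PAGE_INGRESS = [  # the ingress list from the page's first example, as Python literals
    [100, "tcp", "allow", "0.0.0.0/0", None, None, 22, 22],
    [200, "tcp", "allow", "0.0.0.0/0", None, None, 80, 80],
    [205, "tcp", "allow", "::/0", None, None, 80, 80],
    [300, "icmp", "allow", "0.0.0.0/0", 0, 8],
    [305, "ipv6-icmp", "allow", "::/0", 0, 8],
]
```

Run against the page's own ingress list, wide_open_ingress returns [100]: the SSH rule open to 0.0.0.0/0, which is exactly the rule the first example creates and the second example removes.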
Return values

nacl_id (str, returned on success)
  - The id of the NACL (when creating or updating an ACL).
  - Sample: acl-123456789abcdef01

task (dict, returned on success)
  - The result of the create or delete action.