community.aws.networkfirewall module (2.6.0): manage AWS Network Firewall firewalls

Added in version 4.0.0 of community.aws
Authors: Mark Chappell (@tremble)

Install with: ansible-galaxy collection install community.aws:==2.6.0

Or pin it in a requirements file:

```yaml
collections:
  - name: community.aws
    version: 2.6.0
```

Synopsis

A module for creating, updating and deleting AWS Network Firewall firewalls.
Examples

```yaml
# Create an AWS Network Firewall
- community.aws.networkfirewall:
    name: 'ExampleFirewall'
    state: present
    policy: 'ExamplePolicy'
    subnets:
      - 'subnet-123456789abcdef01'

# Create an AWS Network Firewall with various options, don't wait for creation
# to finish.
- community.aws.networkfirewall:
    name: 'ExampleFirewall'
    state: present
    delete_protection: True
    description: "An example Description"
    policy: 'ExamplePolicy'
    policy_change_protection: True
    subnets:
      - 'subnet-123456789abcdef01'
      - 'subnet-abcdef0123456789a'
    subnet_change_protection: True
    tags:
      ExampleTag: Example Value
      another_tag: another_example
    wait: false

# Delete an AWS Network Firewall
- community.aws.networkfirewall:
    state: absent
    name: 'ExampleFirewall'
```
Parameters

arn (type: str, aliases: firewall_arn, required: false)
    The ARN of the firewall.
    Exactly one of I(arn) or I(name) must be provided.

name (type: str, aliases: firewall_name, required: false)
    The name of the firewall.
    Cannot be updated after creation.
    Exactly one of I(arn) or I(name) must be provided.

tags (type: dict, aliases: resource_tags, required: false)
    A dictionary representing the tags to be applied to the resource.
    If the I(tags) parameter is not set then tags will not be modified.

wait (type: bool, default: true, required: false)
    On creation, whether to wait for the firewall to reach the C(READY) state.
    On deletion, whether to wait for the firewall to reach the C(DELETED) state.
    On update, whether to wait for the firewall to reach the C(IN_SYNC) configuration synchronization state.

state (type: str, choices: present, absent; default: present; required: false)
    Create or remove the firewall.

policy (type: str, aliases: firewall_policy_arn, required: false)
    The ARN of the Network Firewall policy to use for the firewall.
    Required when creating a new firewall.

region (type: str, aliases: aws_region, ec2_region)
    The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)

profile (type: str, aliases: aws_profile)
    The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key) and I(security_token) options.

subnets (type: list, elements: str, required: false)
    The IDs of the subnets to which the firewall will be associated.
    Required when creating a new firewall.

aws_config (type: dict)
    A dictionary to modify the botocore configuration.
    Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).

purge_tags (type: bool, default: true, required: false)
    If I(purge_tags=true) and I(tags) is set, existing tags will be purged from the resource to match exactly what is defined by the I(tags) parameter.
    If the I(tags) parameter is not set then tags will not be modified, even if I(purge_tags=True).
    Tag keys beginning with C(aws:) are reserved by Amazon and cannot be modified. As such they will be ignored for the purposes of the I(purge_tags) parameter. See the Amazon documentation for more information: U(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions).

description (type: str, required: false)
    A description for the firewall.

endpoint_url (type: str, aliases: ec2_url, aws_endpoint_url, s3_url)
    URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints). Ignored for modules where region is required. Must be specified for all other modules if region is not used. If not set then the value of the EC2_URL environment variable, if any, is used.

wait_timeout (type: int, required: false)
    Maximum time, in seconds, to wait for the firewall to reach the expected state.
    Defaults to 600 seconds.

aws_ca_bundle (type: path)
    The location of a CA Bundle to use when validating SSL certificates.
    Note: The CA Bundle is read on the module side and may need to be explicitly copied from the controller if not run locally.

purge_subnets (type: bool, default: true, required: false)
    If I(purge_subnets=true), existing subnets will be removed from the firewall as necessary to match exactly what is defined by I(subnets).

aws_access_key (type: str, aliases: ec2_access_key, access_key)
    C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variable is used.
    The I(aws_access_key) and I(profile) options are mutually exclusive.

aws_secret_key (type: str, aliases: ec2_secret_key, secret_key)
    C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment variable is used.
    The I(aws_secret_key) and I(profile) options are mutually exclusive.

security_token (type: str, aliases: aws_session_token, session_token, aws_security_token, access_token)
    C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment variable is used.
    The I(security_token) and I(profile) options are mutually exclusive.
    Aliases I(aws_session_token) and I(session_token) have been added in version 3.2.0.

validate_certs (type: bool, default: true)
    When set to "no", SSL certificates will not be validated for communication with the AWS APIs.

delete_protection (type: bool, required: false)
    When I(delete_protection=True), the firewall is protected from deletion.
    Defaults to C(false) when not provided on creation.

policy_change_protection (type: bool, aliases: firewall_policy_change_protection, required: false)
    When I(policy_change_protection=True), the firewall is protected from changes to which policy is attached to the firewall.
    Defaults to C(false) when not provided on creation.

subnet_change_protection (type: bool, required: false)
    When I(subnet_change_protection=True), the firewall is protected from changes to which subnets are attached to the firewall.
    Defaults to C(false) when not provided on creation.

debug_botocore_endpoint_logs (type: bool, default: 'no')
    Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action" API calls made during a task, outputting the set to the resource_actions key in the task results. Use the aws_resource_action callback to output the total list made during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also be used.
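The purge_tags, purge_subnets and *_change_protection parameters above define a precise "desired state versus current state" contract. The following is an added illustration of that contract as a pure planning step; it is not the community.aws.networkfirewall module's own code, it makes no AWS API calls, and the firewall state and task parameters it uses are constructed by hand in the shapes the module's parameters and return values describe.

```python
# Added example: plan tag/subnet changes with the purge semantics documented
# for community.aws.networkfirewall, and report updates that the firewall's
# own protection flags would block. Illustration only, not the module's code.

AWS_RESERVED_TAG_PREFIX = "aws:"  # reserved by Amazon; ignored when purging


def plan_tag_changes(current, desired, purge_tags=True):
    """Return (tags_to_set, keys_to_remove) for an existing resource.

    - desired is None: the I(tags) parameter was not given, so tags are left
      untouched even when purge_tags is True.
    - purge_tags=True: keys on the resource but absent from desired are removed,
      except reserved aws:* keys, which are skipped.
    - purge_tags=False: only additions/updates, nothing is removed.
    """
    if desired is None:
        return {}, []
    to_set = {k: v for k, v in desired.items() if current.get(k) != v}
    to_remove = []
    if purge_tags:
        to_remove = sorted(
            k for k in current
            if k not in desired and not k.startswith(AWS_RESERVED_TAG_PREFIX)
        )
    return to_set, to_remove


def plan_subnet_changes(current, desired, purge_subnets=True):
    """Return (subnets_to_add, subnets_to_remove), each sorted.

    desired None means I(subnets) was not given, so nothing changes. With
    purge_subnets=True the result matches I(subnets) exactly; with
    purge_subnets=False existing subnets are kept and only missing ones added.
    """
    if desired is None:
        return [], []
    current_set, desired_set = set(current), set(desired)
    to_add = sorted(desired_set - current_set)
    to_remove = sorted(current_set - desired_set) if purge_subnets else []
    return to_add, to_remove


def blocked_by_protection(firewall, params):
    """List the requested updates that the existing firewall's protection flags
    would block: 'policy', 'subnets' and/or 'delete'."""
    blocked = []
    new_policy = params.get("policy")
    if (firewall["firewall_policy_change_protection"] and new_policy
            and new_policy != firewall["firewall_policy_arn"]):
        blocked.append("policy")
    add, remove = plan_subnet_changes(
        firewall["subnets"], params.get("subnets"), params.get("purge_subnets", True))
    if firewall["subnet_change_protection"] and (add or remove):
        blocked.append("subnets")
    if params.get("state") == "absent" and firewall["delete_protection"]:
        blocked.append("delete")
    return blocked


# Constructed sample state, shaped like the module's firewall return value.
SAMPLE_FIREWALL = {
    "firewall_policy_arn": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ExamplePolicy",
    "firewall_policy_change_protection": True,
    "subnet_change_protection": False,
    "delete_protection": True,
    "subnets": ["subnet-123456789abcdef01", "subnet-abcdef0123456789a"],
    "tags": {"Name": "ExampleFirewall", "Owner": "netops",
             "aws:cloudformation:stack-name": "example-stack"},
}

# Constructed task parameters, as a playbook might pass them.
SAMPLE_PARAMS = {
    "state": "present",
    "policy": "arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ExamplePolicy",
    "subnets": ["subnet-abcdef0123456789a", "subnet-0fedcba9876543210"],
    "purge_subnets": True,
    "tags": {"Name": "ExampleFirewall", "Environment": "prod"},
    "purge_tags": True,
}


def plan_changes(firewall=SAMPLE_FIREWALL, params=SAMPLE_PARAMS):
    """Full plan for one task: what would be set or removed, and what is blocked."""
    tags_set, tags_rm = plan_tag_changes(
        firewall["tags"], params.get("tags"), params.get("purge_tags", True))
    sub_add, sub_rm = plan_subnet_changes(
        firewall["subnets"], params.get("subnets"), params.get("purge_subnets", True))
    return {
        "tags_to_set": tags_set, "tags_to_remove": tags_rm,
        "subnets_to_add": sub_add, "subnets_to_remove": sub_rm,
        "blocked": blocked_by_protection(firewall, params),
        "changed": bool(tags_set or tags_rm or sub_add or sub_rm),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(plan_changes(), indent=2))
```

With the sample state, the plan adds the Environment tag, removes Owner but leaves the reserved aws:cloudformation:stack-name key alone, swaps one subnet, and reports nothing blocked because the policy is unchanged and subnet_change_protection is off. Setting state to absent against the same firewall is reported as blocked by delete_protection, which is the check a practitioner wants before a task fails half-way through.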
Return Values

firewall (type: dict, returned: success)
    The full details of the firewall.

    firewall (type: dict, returned: success)
        The details of the firewall.

        delete_protection (type: str, returned: success)
            A flag indicating whether it is possible to delete the firewall.
            Example: true

        description (type: str, returned: success)
            A description of the firewall.
            Example: Description

        firewall_arn (type: str, returned: success)
            The ARN of the firewall.
            Example: arn:aws:network-firewall:us-east-1:123456789012:firewall/ExampleFirewall

        firewall_id (type: str, returned: success)
            A unique ID for the firewall.
            Example: 12345678-abcd-1234-abcd-123456789abc

        firewall_name (type: str, returned: success)
            The name of the firewall.
            Example: ExampleFirewall

        firewall_policy_arn (type: str, returned: success)
            The ARN of the firewall policy used by the firewall.
            Example: arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ExamplePolicy

        firewall_policy_change_protection (type: bool, returned: success)
            A flag indicating whether it is possible to change which firewall policy is used by the firewall.
            Example: false

        subnet_change_protection (type: bool, returned: success)
            A flag indicating whether it is possible to change which subnets the firewall endpoints are in.
            Example: true

        subnet_mappings (type: list, elements: dict)
            A list representing the subnets the firewall endpoints are in.

            subnet_id (type: str, returned: success)
                The ID of the subnet.
                Example: subnet-12345678

        subnets (type: list, elements: str)
            A list of the subnets the firewall endpoints are in.
            Example:
              - subnet-12345678
              - subnet-87654321

        tags (type: dict, returned: success)
            The tags associated with the firewall.
            Example: {"SomeTag": "SomeValue"}

        vpc_id (type: str, returned: success)
            The ID of the VPC that the firewall is used by.
            Example: vpc-0123456789abcdef0

    firewall_metadata (type: dict, returned: success)
        Metadata about the firewall.

        configuration_sync_state_summary (type: str, returned: success)
            A short summary of the synchronization status of the policy and rule groups.
            Example: IN_SYNC

        status (type: str, returned: success)
            A short summary of the status of the firewall endpoints.
            Example: READY

        sync_states (type: dict, returned: success)
            A description, broken down by availability zone, of the status of the firewall endpoints as well as the synchronization status of the policies and rule groups.
            Example:
              us-east-1a:
                attachment:
                  endpoint_id: vpce-123456789abcdef01
                  status: READY
                  subnet_id: subnet-12345678
                config:
                  arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/Ansible-Example:
                    sync_status: IN_SYNC
                    update_token: abcdef01-0000-0000-0000-123456789abc
                  arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/ExampleDomainList:
                    sync_status: IN_SYNC
                    update_token: 12345678-0000-0000-0000-abcdef012345