Try Spottermanage AWS Network Firewall firewalls
| "added in version" 4.0.0 of community.aws"
Authors: Mark Chappell (@tremble)
Install with ansible-galaxy collection install community.aws:==2.6.0
collections:
- name: community.aws
version: 2.6.0A module for creating, updating and deleting AWS Network Firewall firewalls.
# Create an AWS Network Firewall
- community.aws.networkfirewall:
name: 'ExampleFirewall'
state: present
policy: 'ExamplePolicy'
subnets:
- 'subnet-123456789abcdef01'
# Create an AWS Network Firewall with various options, don't wait for creation
# to finish.
- community.aws.networkfirewall:
name: 'ExampleFirewall'
state: present
delete_protection: True
description: "An example Description"
policy: 'ExamplePolicy'
policy_change_protection: True
subnets:
- 'subnet-123456789abcdef01'
- 'subnet-abcdef0123456789a'
subnet_change_protection: True
tags:
ExampleTag: Example Value
another_tag: another_example
wait: false
# Delete an AWS Network Firewall
- community.aws.networkfirewall:
state: absent
name: 'ExampleFirewall'
arn:
aliases:
- firewall_arn
description:
- The ARN of the firewall.
- Exactly one of I(arn) or I(name) must be provided.
required: false
type: str
name:
aliases:
- firewall_name
description:
- The name of the firewall.
- Cannot be updated after creation.
- Exactly one of I(arn) or I(name) must be provided.
required: false
type: str
tags:
aliases:
- resource_tags
description:
- A dictionary representing the tags to be applied to the resource.
- If the I(tags) parameter is not set then tags will not be modified.
required: false
type: dict
wait:
default: true
description:
- On creation, whether to wait for the firewall to reach the C(READY) state.
- On deletion, whether to wait for the firewall to reach the C(DELETED) state.
- On update, whether to wait for the firewall to reach the C(IN_SYNC) configuration
synchronization state.
required: false
type: bool
state:
choices:
- present
- absent
default: present
description:
- Create or remove the firewall.
required: false
type: str
policy:
aliases:
- firewall_policy_arn
description:
- The ARN of the Network Firewall policy to use for the firewall.
- Required when creating a new firewall.
required: false
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use. If not specified then the value of the AWS_REGION or EC2_REGION
environment variable, if any, is used. See U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region)
type: str
profile:
aliases:
- aws_profile
description:
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
subnets:
description:
- The ID of the subnets to which the firewall will be associated.
- Required when creating a new firewall.
elements: str
required: false
type: list
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found at U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
purge_tags:
default: true
description:
- If I(purge_tags=true) and I(tags) is set, existing tags will be purged from the
resource to match exactly what is defined by I(tags) parameter.
- If the I(tags) parameter is not set then tags will not be modified, even if I(purge_tags=True).
- Tag keys beginning with C(aws:) are reserved by Amazon and can not be modified. As
such they will be ignored for the purposes of the I(purge_tags) parameter. See
the Amazon documentation for more information U(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions).
required: false
type: bool
description:
description:
- A description for the firewall.
required: false
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to use to connect to EC2 or your Eucalyptus cloud (by default the module will
use EC2 endpoints). Ignored for modules where region is required. Must be specified
for all other modules if region is not used. If not set then the value of the EC2_URL
environment variable, if any, is used.
type: str
wait_timeout:
description:
- Maximum time, in seconds, to wait for the firewall to reach the expected state.
- Defaults to 600 seconds.
required: false
type: int
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- 'Note: The CA Bundle is read ''module'' side and may need to be explicitly copied
from the controller if not run locally.'
type: path
purge_subnets:
default: true
description:
- If I(purge_subnets=true), existing subnets will be removed from the firewall as
necessary to match exactly what is defined by I(subnets).
required: false
type: bool
aws_access_key:
aliases:
- ec2_access_key
- access_key
description:
- C(AWS access key). If not set then the value of the C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY)
or C(EC2_ACCESS_KEY) environment variable is used.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
type: str
aws_secret_key:
aliases:
- ec2_secret_key
- secret_key
description:
- C(AWS secret key). If not set then the value of the C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY),
or C(EC2_SECRET_KEY) environment variable is used.
- The I(aws_secret_key) and I(profile) options are mutually exclusive.
type: str
security_token:
aliases:
- aws_session_token
- session_token
- aws_security_token
- access_token
description:
- C(AWS STS security token). If not set then the value of the C(AWS_SECURITY_TOKEN)
or C(EC2_SECURITY_TOKEN) environment variable is used.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) have been added in version 3.2.0.
type: str
validate_certs:
default: true
description:
- When set to "no", SSL certificates will not be validated for communication with
the AWS APIs.
type: bool
delete_protection:
description:
- When I(delete_protection=True), the firewall is protected from deletion.
- Defaults to C(false) when not provided on creation.
required: false
type: bool
policy_change_protection:
aliases:
- firewall_policy_change_protection
description:
- When I(policy_change_protection=True), the firewall is protected from changes to
which policy is attached to the firewall.
- Defaults to C(false) when not provided on creation.
required: false
type: bool
subnet_change_protection:
description:
- When I(subnet_change_protection=True), the firewall is protected from changes to
which subnets is attached to the firewall.
- Defaults to C(false) when not provided on creation.
required: false
type: bool
debug_botocore_endpoint_logs:
default: 'no'
description:
- Use a botocore.endpoint logger to parse the unique (rather than total) "resource:action"
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the aws_resource_action callback to output to total list made
during a playbook. The ANSIBLE_DEBUG_BOTOCORE_LOGS environment variable may also
be used.
type: bool
firewall:
contains:
firewall:
contains:
delete_protection:
description: A flag indicating whether it is possible to delete the firewall.
example: true
returned: success
type: str
description:
description: A description of the firewall.
example: Description
returned: success
type: str
firewall_arn:
description: The ARN of the firewall.
example: arn:aws:network-firewall:us-east-1:123456789012:firewall/ExampleFirewall
returned: success
type: str
firewall_id:
description: A unique ID for the firewall.
example: 12345678-abcd-1234-abcd-123456789abc
returned: success
type: str
firewall_name:
description: The name of the firewall.
example: ExampleFirewall
returned: success
type: str
firewall_policy_arn:
description: The ARN of the firewall policy used by the firewall.
example: arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ExamplePolicy
returned: success
type: str
firewall_policy_change_protection:
description:
- A flag indicating whether it is possible to change which firewall policy
is used by the firewall.
example: false
returned: success
type: bool
subnet_change_protection:
description:
- A flag indicating whether it is possible to change which subnets the firewall
endpoints are in.
example: true
returned: success
type: bool
subnet_mappings:
contains:
subnet_id:
description: The ID of the subnet.
example: subnet-12345678
returned: success
type: str
description: A list representing the subnets the firewall endpoints are
in.
elements: dict
type: list
subnets:
description: A list of the subnets the firewall endpoints are in.
elements: str
example:
- subnet-12345678
- subnet-87654321
type: list
tags:
description: The tags associated with the firewall.
example: '{"SomeTag": "SomeValue"}'
returned: success
type: dict
vpc_id:
description: The ID of the VPC that the firewall is used by.
example: vpc-0123456789abcdef0
returned: success
type: str
description: The details of the firewall
returned: success
type: dict
firewall_metadata:
contains:
configuration_sync_state_summary:
description:
- A short summary of the synchronization status of the policy and rule groups.
example: IN_SYNC
returned: success
type: str
status:
description:
- A short summary of the status of the firewall endpoints.
example: READY
returned: success
type: str
sync_states:
description:
- A description, broken down by availability zone, of the status of the
firewall endpoints as well as the synchronization status of the policies
and rule groups.
example:
us-east-1a:
attachment:
endpoint_id: vpce-123456789abcdef01
status: READY
subnet_id: subnet-12345678
config:
arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/Ansible-Example:
sync_status: IN_SYNC
update_token: abcdef01-0000-0000-0000-123456789abc
arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/ExampleDomainList:
sync_status: IN_SYNC
update_token: 12345678-0000-0000-0000-abcdef012345
returned: success
type: dict
description: Metadata about the firewall
returned: success
type: dict
description: The full details of the firewall
returned: success
type: dict