Try Spottermanage AWS Network Firewall policies
| "added in version" 4.0.0 of community.aws"
Authors: Mark Chappell (@tremble)
Install with ansible-galaxy collection install community.aws:==5.1.0
collections:
- name: community.aws
version: 5.1.0A module for creating, updating and deleting AWS Network Firewall policies.
# Create an AWS Network Firewall Policy with default rule order
- community.aws.networkfirewall_policy:
stateful_rule_order: 'default'
state: present
name: 'ExamplePolicy'
# Create an AWS Network Firewall Policy with strict rule order
- community.aws.networkfirewall_policy:
stateful_rule_order: 'strict'
state: present
name: 'ExampleStrictPolicy'
# Create an AWS Network Firewall Policy that defaults to dropping all packets
- community.aws.networkfirewall_policy:
stateful_rule_order: 'strict'
state: present
name: 'ExampleDropPolicy'
stateful_default_actions:
- 'aws:drop_strict'
stateful_rule_groups:
- 'ExampleStrictRuleGroup'
- 'arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/BotNetCommandAndControlDomainsStrictOrder'
# Delete an AWS Network Firewall Policy
- community.aws.networkfirewall_policy:
state: absent
name: 'ExampleDropPolicy'
arn:
description:
- The ARN of the Network Firewall policy.
- Exactly one of I(arn) or I(name) must be provided.
required: false
type: str
name:
description:
- The name of the Network Firewall policy.
- Cannot be updated after creation.
- Exactly one of I(arn) or I(name) must be provided.
required: false
type: str
tags:
aliases:
- resource_tags
description:
- A dictionary representing the tags to be applied to the resource.
- If the I(tags) parameter is not set then tags will not be modified.
required: false
type: dict
wait:
default: true
description:
- Whether to wait for the firewall policy to reach the C(ACTIVE) or C(DELETED) state
before the module returns.
required: false
type: bool
state:
choices:
- present
- absent
default: present
description:
- Create or remove the Network Firewall policy.
required: false
type: str
region:
aliases:
- aws_region
- ec2_region
description:
- The AWS region to use.
- For global services such as IAM, Route53 and CloudFront, I(region) is ignored.
- The C(AWS_REGION) or C(EC2_REGION) environment variables may also be used.
- See the Amazon AWS documentation for more information U(http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region).
- The C(ec2_region) alias has been deprecated and will be removed in a release after
2024-12-01
- Support for the C(EC2_REGION) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
profile:
aliases:
- aws_profile
description:
- A named AWS profile to use for authentication.
- See the AWS documentation for more information about named profiles U(https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html).
- The C(AWS_PROFILE) environment variable may also be used.
- The I(profile) option is mutually exclusive with the I(aws_access_key), I(aws_secret_key)
and I(security_token) options.
type: str
access_key:
aliases:
- aws_access_key_id
- aws_access_key
- ec2_access_key
description:
- AWS access key ID.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_ACCESS_KEY_ID), C(AWS_ACCESS_KEY) or C(EC2_ACCESS_KEY) environment variables
may also be used in decreasing order of preference.
- The I(aws_access_key) and I(profile) options are mutually exclusive.
- The I(aws_access_key_id) alias was added in release 5.1.0 for consistency with the
AWS botocore SDK.
- The I(ec2_access_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_ACCESS_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
aws_config:
description:
- A dictionary to modify the botocore configuration.
- Parameters can be found in the AWS documentation U(https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config).
type: dict
purge_tags:
default: true
description:
- If I(purge_tags=true) and I(tags) is set, existing tags will be purged from the
resource to match exactly what is defined by I(tags) parameter.
- If the I(tags) parameter is not set then tags will not be modified, even if I(purge_tags=True).
- Tag keys beginning with C(aws:) are reserved by Amazon and can not be modified. As
such they will be ignored for the purposes of the I(purge_tags) parameter. See
the Amazon documentation for more information U(https://docs.aws.amazon.com/general/latest/gr/aws_tagging.html#tag-conventions).
required: false
type: bool
secret_key:
aliases:
- aws_secret_access_key
- aws_secret_key
- ec2_secret_key
description:
- AWS secret access key.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SECRET_ACCESS_KEY), C(AWS_SECRET_KEY), or C(EC2_SECRET_KEY) environment
variables may also be used in decreasing order of preference.
- The I(secret_key) and I(profile) options are mutually exclusive.
- The I(aws_secret_access_key) alias was added in release 5.1.0 for consistency with
the AWS botocore SDK.
- The I(ec2_secret_key) alias has been deprecated and will be removed in a release
after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) environment variable has been deprecated and will
be removed in a release after 2024-12-01.
type: str
description:
description:
- A description for the Network Firewall policy.
required: false
type: str
endpoint_url:
aliases:
- ec2_url
- aws_endpoint_url
- s3_url
description:
- URL to connect to instead of the default AWS endpoints. While this can be used
to connection to other AWS-compatible services the amazon.aws and community.aws
collections are only tested against AWS.
- The C(AWS_URL) or C(EC2_URL) environment variables may also be used, in decreasing
order of preference.
- The I(ec2_url) and I(s3_url) aliases have been deprecated and will be removed in
a release after 2024-12-01.
- Support for the C(EC2_URL) environment variable has been deprecated and will be
removed in a release after 2024-12-01.
type: str
wait_timeout:
description:
- Maximum time, in seconds, to wait for the firewall policy to reach the expected
state.
- Defaults to 600 seconds.
required: false
type: int
aws_ca_bundle:
description:
- The location of a CA Bundle to use when validating SSL certificates.
- The C(AWS_CA_BUNDLE) environment variable may also be used.
type: path
session_token:
aliases:
- aws_session_token
- security_token
- aws_security_token
- access_token
description:
- AWS STS session token for use with temporary credentials.
- See the AWS documentation for more information about access tokens U(https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys).
- The C(AWS_SESSION_TOKEN), C(AWS_SECURITY_TOKEN) or C(EC2_SECURITY_TOKEN) environment
variables may also be used in decreasing order of preference.
- The I(security_token) and I(profile) options are mutually exclusive.
- Aliases I(aws_session_token) and I(session_token) were added in release 3.2.0, with
the parameter being renamed from I(security_token) to I(session_token) in release
6.0.0.
- The I(security_token), I(aws_security_token), and I(access_token) aliases have been
deprecated and will be removed in a release after 2024-12-01.
- Support for the C(EC2_SECRET_KEY) and C(AWS_SECURITY_TOKEN) environment variables
has been deprecated and will be removed in a release after 2024-12-01.
type: str
validate_certs:
default: true
description:
- When set to C(false), SSL certificates will not be validated for communication with
the AWS APIs.
- Setting I(validate_certs=false) is strongly discouraged, as an alternative, consider
setting I(aws_ca_bundle) instead.
type: bool
stateful_rule_order:
aliases:
- rule_order
choices:
- default
- strict
description:
- Indicates how to manage the order of stateful rule evaluation for the policy.
- When I(strict_rule_order='strict') rules and rule groups are evaluated in the order
that they're defined.
- Cannot be updated after creation.
- I(stateful_rule_order) requires botocore>=1.21.52.
required: false
type: str
stateful_rule_groups:
aliases:
- stateful_groups
description:
- A list of names or ARNs of stateful firewall rule groups.
elements: str
required: false
type: list
stateless_rule_groups:
aliases:
- stateless_groups
description:
- A list of names or ARNs of stateless firewall rule groups.
elements: str
required: false
type: list
stateful_default_actions:
description:
- Actions to take on a packet if it doesn't match any of the stateful rules in the
policy.
- Common actions are C(aws:drop_strict), C(aws:drop_established), C(aws:alert_strict)
and C(aws:alert_established).
- Only valid for policies where I(strict_rule_order=true).
- When creating a new policy defaults to C(aws:drop_strict).
- I(stateful_default_actions) requires botocore>=1.21.52.
elements: str
required: false
type: list
stateless_custom_actions:
aliases:
- custom_stateless_actions
description:
- A list of dictionaries defining custom actions which can be used in I(stateless_default_actions)
and I(stateless_fragment_default_actions).
elements: dict
required: false
suboptions:
name:
description:
- The name of the custom action.
required: true
type: str
publish_metric_dimension_value:
aliases:
- publish_metric_dimension_values
description:
- When the custom action is used, metrics will have a dimension of C(CustomAction)
the value of which is set to I(publish_metric_dimension_value).
required: false
type: str
type: list
stateless_default_actions:
description:
- Actions to take on a packet if it doesn't match any of the stateless rules in the
policy.
- Common actions are C(aws:pass), C(aws:drop) and C(aws:forward_to_sfe).
- When creating a new policy defaults to C(aws:forward_to_sfe).
elements: str
required: false
type: list
debug_botocore_endpoint_logs:
default: false
description:
- Use a C(botocore.endpoint) logger to parse the unique (rather than total) C("resource:action")
API calls made during a task, outputing the set to the resource_actions key in the
task results. Use the C(aws_resource_action) callback to output to total list made
during a playbook.
- The C(ANSIBLE_DEBUG_BOTOCORE_LOGS) environment variable may also be used.
type: bool
purge_stateless_custom_actions:
aliases:
- purge_custom_stateless_actions
default: true
description:
- If I(purge_stateless_custom_actions=true), existing custom actions will be purged
from the resource to match exactly what is defined by the I(stateless_custom_actions)
parameter.
required: false
type: bool
stateless_fragment_default_actions:
description:
- Actions to take on a fragmented UDP packet if it doesn't match any of the stateless
rules in the policy.
- Common actions are C(aws:pass), C(aws:drop) and C(aws:forward_to_sfe).
- When creating a new policy defaults to C(aws:forward_to_sfe).
elements: str
required: false
type: list
policy:
contains:
policy:
contains:
stateful_engine_options:
contains:
rule_order:
description:
- How rule group evaluation will be ordered.
- For more information on rule evaluation ordering see the AWS documentation
U(https://docs.aws.amazon.com/network-firewall/latest/developerguide/suricata-rule-evaluation-order.html).
example: DEFAULT_ACTION_ORDER
returned: success
type: str
description:
- Extra options describing how the stateful rules should be handled.
returned: success
type: dict
stateful_rule_group_references:
contains:
priority:
description:
- An integer that indicates the order in which to run the stateful rule
groups in a single policy.
- This only applies to policies that specify the STRICT_ORDER rule order
in the stateful engine options settings.
example: 1234
returned: success
type: int
resource_arn:
description: The ARN of the rule group.
example: arn:aws:network-firewall:us-east-1:aws-managed:stateful-rulegroup/AbusedLegitMalwareDomainsActionOrder
returned: success
type: str
description: Information about the stateful rule groups attached to the
policy.
elements: dict
returned: success
type: list
stateless_custom_actions:
contains:
action_definition:
contains:
publish_metric_action:
contains:
dimensions:
contains:
value:
description: A value of the CustomAction dimension to set
on the metrics.
example: ExampleRule
returned: success
type: str
description:
- The values of the CustomAction dimension to set on the metrics.
- The dimensions of a metric are used to identify unique streams
of data.
elements: dict
returned: success
type: list
description:
- Definition of a custom metric to be published to CloudWatch.
- U(https://docs.aws.amazon.com/network-firewall/latest/developerguide/monitoring-cloudwatch.html)
returned: success
type: dict
description: The action to perform.
returned: success
type: dict
action_name:
description: A name for the action.
example: ExampleAction
returned: success
type: str
description:
- A description of additional custom actions available for use as default
rules to apply to stateless packets.
elements: dict
returned: success
type: list
stateless_default_actions:
description: The default actions to take on a packet that doesn't match
any stateful rules.
elements: str
example:
- aws:alert_strict
returned: success
type: list
stateless_fragment_default_actions:
description: The actions to take on a packet if it doesn't match any of
the stateless rules in the policy.
elements: str
example:
- aws:pass
returned: success
type: list
stateless_rule_group_references:
contains:
priority:
description:
- An integer that indicates the order in which to run the stateless
rule groups in a single policy.
example: 12345
returned: success
type: str
resource_arn:
description: The ARN of the rule group.
example: arn:aws:network-firewall:us-east-1:123456789012:stateless-rulegroup/ExampleGroup
returned: success
type: str
description: Information about the stateful rule groups attached to the
policy.
elements: dict
returned: success
type: list
description: The details of the policy
returned: success
type: dict
policy_metadata:
contains:
consumed_stateful_rule_capacity:
description: The total number of capacity units used by the stateful rule
groups.
example: 165
returned: success
type: int
consumed_stateless_rule_capacity:
description: The total number of capacity units used by the stateless rule
groups.
example: 2010
returned: success
type: int
firewall_policy_arn:
description: The ARN of the policy.
example: arn:aws:network-firewall:us-east-1:123456789012:firewall-policy/ExamplePolicy
returned: success
type: str
firewall_policy_id:
description: The unique ID of the policy.
example: 12345678-abcd-1234-5678-123456789abc
returned: success
type: str
firewall_policy_name:
description: The name of the policy.
example: ExamplePolicy
returned: success
type: str
firewall_policy_status:
description: The current status of the policy.
example: ACTIVE
returned: success
type: str
number_of_associations:
description: The number of firewalls the policy is associated to.
example: 1
returned: success
type: int
tags:
description: A dictionary representing the tags associated with the policy.
example:
tagName: Some Value
returned: success
type: dict
description: Metadata about the policy
returned: success
type: dict
description: The details of the policy
returned: success
type: dict