community.digitalocean.digital_ocean_firewall (1.26.0) — module

Manage cloud firewalls within DigitalOcean

Added in version 1.1.0 of community.digitalocean

Authors: Anthony Bond (@BondAnthony), Lucas Basquerotto (@lucasbasquerotto)

Install collection

Install with ansible-galaxy collection install community.digitalocean:==1.26.0


Add to requirements.yml

  collections:
    - name: community.digitalocean
      version: 1.26.0

Description

This module can be used to add, update, or remove cloud firewalls on the DigitalOcean cloud platform. A firewall is attached to Droplets either by explicit ID or by tag.

Usage examples

# Example: create (or update) a cloud firewall and attach it to every Droplet
# tagged "sample" (droplet_ids is left empty, so membership is tag-driven).
#
# Inbound:
#   - TCP/22 (SSH) only from the listed addresses, Droplets, load balancers
#     and tags (traffic from any of the listed sources is accepted).
#   - TCP/80 and TCP/443 from anywhere (IPv4 and IPv6).
# Outbound:
#   - TCP, UDP and ICMP to any destination on every port. This is fully
#     open egress; restrict destinations/ports if the Droplets do not need it.
#
# Port values are quoted so YAML keeps them as strings (the module's ports
# option is type str); an unquoted 22 would be parsed as an integer.
- name: Create a Firewall named my-firewall
  digital_ocean_firewall:
    name: my-firewall
    state: present
    inbound_rules:
      # SSH: restricted to explicitly named sources
      - protocol: tcp
        ports: "22"
        sources:
          addresses:
            - "1.2.3.4"
          droplet_ids:
            - my_droplet_id_1
            - my_droplet_id_2
          load_balancer_uids:
            - my_lb_id_1
            - my_lb_id_2
          tags:
            - tag_1
            - tag_2
      # HTTP from any source
      - protocol: tcp
        ports: "80"
        sources:
          addresses:
            - "0.0.0.0/0"
            - "::/0"
      # HTTPS from any source
      - protocol: tcp
        ports: "443"
        sources:
          addresses:
            - "0.0.0.0/0"
            - "::/0"
    outbound_rules:
      # Unrestricted egress for TCP, UDP and ICMP
      - protocol: tcp
        ports: "1-65535"
        destinations:
          addresses:
            - "0.0.0.0/0"
            - "::/0"
      - protocol: udp
        ports: "1-65535"
        destinations:
          addresses:
            - "0.0.0.0/0"
            - "::/0"
      - protocol: icmp
        ports: "1-65535"
        destinations:
          addresses:
            - "0.0.0.0/0"
            - "::/0"
    droplet_ids: []
    tags:
      - sample

Inputs

    
name:
    description:
    - Name of the firewall to create or manage
    required: true
    type: str

tags:
    description:
    - List of tags to be assigned to the firewall
    elements: str
    required: false
    type: list

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Assert the state of the firewall. Set to C(present) to create or update it and
      C(absent) to remove it.
    type: str

baseurl:
    default: https://api.digitalocean.com/v2
    description:
    - DigitalOcean API base URL. The OAuth token is sent to this endpoint, so only point
      it at a trusted API host.
    type: str

timeout:
    default: 30
    description:
    - The timeout in seconds used for polling DigitalOcean's API.
    type: int

droplet_ids:
    description:
    - List of droplet ids to be assigned to the firewall
    elements: str
    required: false
    type: list

oauth_token:
    aliases:
    - api_token
    description:
    - DigitalOcean OAuth token. Treat it as a secret: prefer supplying it through one of
      the environment variables below (or an Ansible vault) instead of writing it in plain
      text into a playbook that is committed to version control.
    - The value can also be read from one of these environment variables:
      C(DO_API_TOKEN), C(DO_API_KEY), C(DO_OAUTH_TOKEN) or C(OAUTH_TOKEN).
    type: str

inbound_rules:
    description:
    - Firewall rules specifically targeting inbound network traffic into DigitalOcean
    elements: dict
    required: false
    suboptions:
      ports:
        description:
        - The ports on which traffic will be allowed; a single port, a port range, or all
          ports. Quote the value (for example C("22") or C("1-65535")) so YAML passes it
          as a string.
        required: true
        type: str
      protocol:
        choices:
        - udp
        - tcp
        - icmp
        default: tcp
        description:
        - Network protocol to be accepted.
        required: false
        type: str
      sources:
        description:
        - Dictionary of locations from which inbound traffic will be accepted
        required: true
        suboptions:
          addresses:
            description:
            - List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs,
              and/or IPv6 CIDRs from which the firewall will accept traffic
            elements: str
            required: false
            type: list
          droplet_ids:
            description:
            - List of Droplet IDs (numeric in the DigitalOcean API, given here as strings)
              from which the firewall will accept traffic
            elements: str
            required: false
            type: list
          load_balancer_uids:
            description:
            - List of strings containing the IDs of the Load Balancers from which the
              firewall will accept traffic
            elements: str
            required: false
            type: list
          tags:
            description:
            - List of strings containing the names of Tags corresponding to groups of
              Droplets from which the Firewall will accept traffic
            elements: str
            required: false
            type: list
        type: dict
    type: list

outbound_rules:
    description:
    - Firewall rules specifically targeting outbound network traffic from DigitalOcean
    elements: dict
    required: false
    suboptions:
      destinations:
        description:
        - Dictionary of locations to which outbound traffic will be allowed
        required: true
        suboptions:
          addresses:
            description:
            - List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs,
              and/or IPv6 CIDRs to which the firewall will allow traffic
            elements: str
            required: false
            type: list
          droplet_ids:
            description:
            - List of Droplet IDs (numeric in the DigitalOcean API, given here as strings)
              to which the firewall will allow traffic
            elements: str
            required: false
            type: list
          load_balancer_uids:
            description:
            - List of strings containing the IDs of the Load Balancers to which the firewall
              will allow traffic
            elements: str
            required: false
            type: list
          tags:
            description:
            - List of strings containing the names of Tags corresponding to groups of
              Droplets to which the Firewall will allow traffic
            elements: str
            required: false
            type: list
        type: dict
      ports:
        description:
        - The ports on which traffic will be allowed; a single port, a port range, or all
          ports. Quote the value (for example C("443") or C("1-65535")) so YAML passes it
          as a string.
        required: true
        type: str
      protocol:
        choices:
        - udp
        - tcp
        - icmp
        default: tcp
        description:
        - Network protocol to be accepted.
        required: false
        type: str
    type: list

validate_certs:
    default: true
    description:
    - If set to C(false), the TLS certificate presented by the API endpoint will not be
      validated.
    - Only set this to C(false) for personally controlled endpoints using self-signed
      certificates. With validation disabled, an on-path attacker can impersonate the API
      and capture the OAuth token sent with every request.
    type: bool

Outputs

data:
  description: DigitalOcean firewall resource
  returned: success
  sample:
    created_at: '2020-08-11T18:41:30Z'
    droplet_ids: []
    id: 7acd6ee2-257b-434f-8909-709a5816d4f9
    inbound_rules:
    - ports: '443'
      protocol: tcp
      sources:
        addresses:
        - 1.2.3.4
        droplet_ids:
        - my_droplet_id_1
        - my_droplet_id_2
        load_balancer_uids:
        - my_lb_id_1
        - my_lb_id_2
        tags:
        - tag_1
        - tag_2
    - ports: '80'
      protocol: tcp
      sources:
        addresses:
        - 0.0.0.0/0
        - ::/0
    - ports: '443'
      protocol: tcp
      sources:
        addresses:
        - 0.0.0.0/0
        - ::/0
    name: my-firewall
    outbound_rules:
    - destinations:
        addresses:
        - 0.0.0.0/0
        - ::/0
      ports: 1-65535
      protocol: tcp
    - destinations:
        addresses:
        - 0.0.0.0/0
        - ::/0
      ports: 1-65535
      protocol: udp
    - destinations:
        addresses:
        - 0.0.0.0/0
        - ::/0
      ports: 1-65535
      protocol: icmp
    pending_changes: []
    status: succeeded
    tags:
    - sample
  type: dict