community.general.cs_firewall (0.1.1) — module

Manages firewall rules on Apache CloudStack based clouds.

Authors: René Moser (@resmo)

stableinterface | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Creates and removes firewall rules.


Requirements

Usage examples

- name: Allow inbound port 80/tcp from 1.2.3.4 to 4.3.2.1
  cs_firewall:
    ip_address: 4.3.2.1
    port: 80
    cidr: 1.2.3.4/32
  delegate_to: localhost
- name: Allow inbound tcp/udp port 53 to 4.3.2.1
  cs_firewall:
    ip_address: 4.3.2.1
    port: 53
    protocol: '{{ item }}'
  with_items:
  - tcp
  - udp
  delegate_to: localhost
- name: Ensure firewall rule is removed
  cs_firewall:
    ip_address: 4.3.2.1
    start_port: 8000
    end_port: 8888
    cidr: 17.0.0.0/8
    state: absent
  delegate_to: localhost
- name: Allow all outbound traffic
  cs_firewall:
    network: my_network
    type: egress
    protocol: all
  delegate_to: localhost
- name: Allow only HTTP outbound traffic for an IP
  cs_firewall:
    network: my_network
    type: egress
    port: 80
    cidr: 10.101.1.20
  delegate_to: localhost

Inputs

tags:
    aliases:
    - tag
    description:
    - List of tags. Tags are a list of dictionaries having keys I(key) and I(value).
    - 'To delete all tags, set an empty list e.g. I(tags: []).'
    type: list

type:
    choices:
    - ingress
    - egress
    default: ingress
    description:
    - Type of the firewall rule.
    type: str

zone:
    description:
    - Name of the zone the virtual machine is in.
    - If not set, default zone is used.
    type: str

cidrs:
    aliases:
    - cidr
    default: 0.0.0.0/0
    description:
    - List of CIDRs (full notation) to be used for the firewall rule.
    - Since version 2.5, this is a list of CIDRs.
    type: list

state:
    choices:
    - present
    - absent
    default: present
    description:
    - State of the firewall rule.
    type: str

domain:
    description:
    - Domain the firewall rule is related to.
    type: str

account:
    description:
    - Account the firewall rule is related to.
    type: str

api_key:
    description:
    - API key of the CloudStack API.
    - If not given, the C(CLOUDSTACK_KEY) env variable is considered.
    - As a last resort, the value is taken from the ini config file (see also the notes).
    type: str

api_url:
    description:
    - URL of the CloudStack API, e.g. https://cloud.example.com/client/api.
    - If not given, the C(CLOUDSTACK_ENDPOINT) env variable is considered.
    - As a last resort, the value is taken from the ini config file (see also the notes).
    type: str

network:
    description:
    - Network the egress rule is related to.
    - Required if I(type=egress).
    type: str

project:
    description:
    - Name of the project the firewall rule is related to.
    type: str

end_port:
    description:
    - End port for this rule. Considered if I(protocol=tcp) or I(protocol=udp).
    - If not specified, equals I(start_port).
    type: int

protocol:
    choices:
    - tcp
    - udp
    - icmp
    - all
    default: tcp
    description:
    - Protocol of the firewall rule.
    - C(all) is only available if I(type=egress).
    type: str

icmp_code:
    description:
    - Error code for this icmp message.
    - Considered if I(protocol=icmp).
    type: int

icmp_type:
    description:
    - Type of the icmp message being sent.
    - Considered if I(protocol=icmp).
    type: int

api_region:
    default: cloudstack
    description:
    - Name of the ini section in the C(cloudstack.ini) file.
    - If not given, the C(CLOUDSTACK_REGION) env variable is considered.
    type: str

api_secret:
    description:
    - Secret key of the CloudStack API.
    - If not set, the C(CLOUDSTACK_SECRET) env variable is considered.
    - As a last resort, the value is taken from the ini config file (see also the notes).
    type: str

ip_address:
    description:
    - Public IP address the ingress rule is assigned to.
    - Required if I(type=ingress).
    type: str

poll_async:
    default: true
    description:
    - Poll async jobs until the job has finished.
    type: bool

start_port:
    aliases:
    - port
    description:
    - Start port for this rule.
    - Considered if I(protocol=tcp) or I(protocol=udp).
    type: int

api_timeout:
    description:
    - HTTP timeout in seconds.
    - If not given, the C(CLOUDSTACK_TIMEOUT) env variable is considered.
    - As a last resort, the value is taken from the ini config file (see also the notes).
    - Fallback value is 10 seconds if not specified.
    type: int

api_http_method:
    choices:
    - get
    - post
    description:
    - HTTP method used to query the API endpoint.
    - If not given, the C(CLOUDSTACK_METHOD) env variable is considered.
    - As a last resort, the value is taken from the ini config file (see also the notes).
    - Fallback value is C(get) if not specified.
    type: str
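The following playbook is an added example and is not part of the community.general project or this module's own documentation. It exercises the parameter combinations documented above: an explicit I(cidrs) list instead of the C(0.0.0.0/0) default, an ICMP rule scoped by I(icmp_type)/I(icmp_code), a I(start_port)/I(end_port) range, an egress rule bound to a I(network), and removal of a wide-open egress rule. All IP addresses, the zone name C(zone01) and the network name C(web_network) are constructed placeholders; API credentials are assumed to come from the C(CLOUDSTACK_*) environment variables or the ini file as described for the I(api_*) options.

```yaml
# Added example (not from the community.general project). Addresses, zone and
# network names are constructed placeholders.
- name: Manage CloudStack firewall rules for a web front end
  hosts: localhost
  gather_facts: false
  tasks:
    # The cidrs default is 0.0.0.0/0, so an ingress rule without it is
    # reachable from anywhere; list the permitted source ranges explicitly.
    - name: Allow HTTPS only from the corporate ranges
      community.general.cs_firewall:
        ip_address: 203.0.113.10
        zone: zone01
        type: ingress
        protocol: tcp
        port: 443
        cidrs:
          - 198.51.100.0/24
          - 192.0.2.0/24
        tags:
          - key: owner
            value: web-team

    # ICMP rules carry no ports; echo request is type 8, code 0.
    - name: Allow ICMP echo requests from the monitoring host only
      community.general.cs_firewall:
        ip_address: 203.0.113.10
        zone: zone01
        protocol: icmp
        icmp_type: 8
        icmp_code: 0
        cidr: 198.51.100.5/32

    # start_port/end_port define a range; end_port defaults to start_port.
    - name: Allow the backup agent's TCP port range from the backup subnet
      community.general.cs_firewall:
        ip_address: 203.0.113.10
        zone: zone01
        start_port: 8000
        end_port: 8888
        cidr: 198.51.100.0/24

    # Egress rules are bound to a network rather than a public IP.
    - name: Allow egress DNS to the internal resolvers only
      community.general.cs_firewall:
        network: web_network
        type: egress
        protocol: udp
        port: 53
        cidrs:
          - 10.0.0.53/32
          - 10.0.1.53/32
        api_timeout: 30

    # protocol=all is only valid for egress; drop the catch-all rule once
    # the specific egress rules above are in place.
    - name: Remove the wide-open egress rule left from provisioning
      community.general.cs_firewall:
        network: web_network
        type: egress
        protocol: all
        state: absent
```

Run it with the task-level defaults described in the Inputs section: I(type) falls back to C(ingress), I(protocol) to C(tcp) and I(state) to C(present), so only the deviations from those defaults need to be spelled out.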

Outputs

cidr:
  description: CIDR string of the rule.
  returned: success
  sample: 0.0.0.0/0
  type: str
cidrs:
  description: CIDR list of the rule.
  returned: success
  sample:
  - 0.0.0.0/0
  type: list
  version_added: '2.5'
  version_added_collection: community.general
end_port:
  description: End port of the rule.
  returned: success
  sample: 80
  type: int
icmp_code:
  description: ICMP code of the rule.
  returned: success
  sample: 1
  type: int
icmp_type:
  description: ICMP type of the rule.
  returned: success
  sample: 1
  type: int
id:
  description: UUID of the rule.
  returned: success
  sample: 04589590-ac63-4ffc-93f5-b698b8ac38b6
  type: str
ip_address:
  description: IP address of the rule if C(type=ingress).
  returned: success
  sample: 10.100.212.10
  type: str
network:
  description: Name of the network if C(type=egress).
  returned: success
  sample: my_network
  type: str
protocol:
  description: Protocol of the rule.
  returned: success
  sample: tcp
  type: str
start_port:
  description: Start port of the rule.
  returned: success
  sample: 80
  type: int
type:
  description: Type of the rule.
  returned: success
  sample: ingress
  type: str
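The return values above can be registered and checked in the same play, so a rule that ended up broader than intended fails the run instead of going unnoticed. The playbook below is an added example, not part of the community.general project; the public IP and bastion address are constructed placeholders, and the assertions rely only on the documented return keys C(type), C(protocol), C(start_port), C(end_port), C(cidrs) and C(id).

```yaml
# Added example (not from the community.general project). Addresses are
# constructed placeholders.
- name: Verify the effective scope of an ingress rule
  hosts: localhost
  gather_facts: false
  tasks:
    - name: Ensure SSH is reachable only from the bastion host
      community.general.cs_firewall:
        ip_address: 203.0.113.10
        port: 22
        cidr: 198.51.100.5/32
      register: ssh_rule

    # The module returns the rule as it exists in CloudStack, so the check
    # covers both a freshly created rule and a pre-existing one.
    - name: Fail if the rule is broader than intended
      ansible.builtin.assert:
        that:
          - ssh_rule.type == 'ingress'
          - ssh_rule.protocol == 'tcp'
          - ssh_rule.start_port == 22
          - ssh_rule.end_port == 22
          - "'0.0.0.0/0' not in ssh_rule.cidrs"
        fail_msg: "Rule {{ ssh_rule.id }} allows {{ ssh_rule.cidrs }} on port {{ ssh_rule.start_port }}"
        success_msg: "Rule {{ ssh_rule.id }} is scoped to {{ ssh_rule.cidrs }}"
```

Because C(cidrs) is returned as a list, the membership test works whether the rule carries one source range or several; C(cidr), the single-string form, is kept for compatibility and is not needed here.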