community.general.cs_network_acl_rule (0.1.1) — module

Manages network access control list (ACL) rules on Apache CloudStack based clouds.

Authors: René Moser (@resmo)

preview | supported by community

Install collection

Install with ansible-galaxy collection install community.general:==0.1.1


Add to requirements.yml

  collections:
    - name: community.general
      version: 0.1.1

Description

Add, update and remove network ACL rules.


Requirements

Usage examples

# Allow TCP/80 ingress from every IPv4 source.
# protocol defaults to tcp and cidrs defaults to 0.0.0.0/0 (see Inputs), so the
# cidr line below only makes the "any source" scope explicit rather than narrowing it.
- name: create a network ACL rule, allow port 80 ingress
  cs_network_acl_rule:
    network_acl: web            # name of an existing ACL (required)
    rule_position: 1            # rule number inside the ACL (required)
    vpc: my vpc                 # VPC the ACL belongs to (required)
    traffic_type: ingress
    action_policy: allow
    port: 80                    # alias of start_port; end_port defaults to start_port
    cidr: 0.0.0.0/0             # alias of cidrs; 0.0.0.0/0 covers every IPv4 address
  delegate_to: localhost        # the API call is made from the controller, not the managed host
# Deny TCP 8000-9000 ingress from two specific ranges. Setting cidrs overrides the
# 0.0.0.0/0 default, so the rule applies only to traffic from those networks.
- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 and 10.22.0.0/16
  cs_network_acl_rule:
    network_acl: web
    # NOTE(review): presumably rule_position is what identifies a rule, so reusing
    # position 1 in the same ACL would update the existing rule 1 rather than add
    # a second one — confirm against the module before copying this verbatim.
    rule_position: 1
    vpc: my vpc
    traffic_type: ingress
    action_policy: deny
    start_port: 8000
    end_port: 9000              # explicit end of the range (defaults to start_port when omitted)
    cidrs:                      # list form; cidr is an alias of this key
    - 10.20.0.0/16
    - 10.22.0.0/16
  delegate_to: localhost        # the API call is made from the controller, not the managed host
# Remove a rule. No port/protocol/cidr fields are given here, so presumably the
# rule is located by network_acl + rule_position + vpc (the three required
# inputs) — confirm against the module.
- name: remove a network ACL rule
  cs_network_acl_rule:
    network_acl: web
    rule_position: 1
    vpc: my vpc
    state: absent               # default is present
  delegate_to: localhost        # the API call is made from the controller, not the managed host

Inputs

    
vpc:
    description:
    - VPC the network ACL is related to.
    required: true
    type: str

tags:
    aliases:
    - tag
    description:
    - List of tags. Tags are a list of dictionaries having keys I(key) and I(value).
    - 'If you want to delete all tags, set an empty list, e.g. I(tags: []).'
    type: list

zone:
    description:
    - Name of the zone the VPC is related to.
    - If not set, default zone is used.
    type: str

cidrs:
    aliases:
    - cidr
    default:
    - 0.0.0.0/0
    description:
    - CIDRs of the rule.
    type: list

state:
    choices:
    - present
    - absent
    default: present
    description:
    - State of the network ACL rule.
    type: str

domain:
    description:
    - Domain the VPC is related to.
    type: str

account:
    description:
    - Account the VPC is related to.
    type: str

api_key:
    description:
    - API key of the CloudStack API.
    - If not given, the C(CLOUDSTACK_KEY) env variable is considered.
    - As the last option, the value is taken from the ini config file, also see the notes.
    type: str

api_url:
    description:
    - URL of the CloudStack API, e.g. https://cloud.example.com/client/api.
    - If not given, the C(CLOUDSTACK_ENDPOINT) env variable is considered.
    - As the last option, the value is taken from the ini config file, also see the notes.
    type: str

project:
    description:
    - Name of the project the VPC is related to.
    type: str

end_port:
    description:
    - End port for this rule.
    - Considered if I(protocol=tcp) or I(protocol=udp).
    - If not specified, equals I(start_port).
    type: int

protocol:
    choices:
    - tcp
    - udp
    - icmp
    - all
    - by_number
    default: tcp
    description:
    - Protocol of the rule.
    type: str

icmp_code:
    description:
    - Error code for this icmp message.
    - Considered if I(protocol=icmp).
    type: int

icmp_type:
    description:
    - Type of the icmp message being sent.
    - Considered if I(protocol=icmp).
    type: int

api_region:
    default: cloudstack
    description:
    - Name of the ini section in the C(cloudstack.ini) file.
    - If not given, the C(CLOUDSTACK_REGION) env variable is considered.
    type: str

api_secret:
    description:
    - Secret key of the CloudStack API.
    - If not set, the C(CLOUDSTACK_SECRET) env variable is considered.
    - As the last option, the value is taken from the ini config file, also see the notes.
    type: str

poll_async:
    default: true
    description:
    - Poll async jobs until job has finished.
    type: bool

start_port:
    aliases:
    - port
    description:
    - Start port for this rule.
    - Considered if I(protocol=tcp) or I(protocol=udp).
    type: int

api_timeout:
    description:
    - HTTP timeout in seconds.
    - If not given, the C(CLOUDSTACK_TIMEOUT) env variable is considered.
    - As the last option, the value is taken from the ini config file, also see the notes.
    - Fallback value is 10 seconds if not specified.
    type: int

network_acl:
    aliases:
    - acl
    description:
    - Name of the network ACL.
    required: true
    type: str

traffic_type:
    aliases:
    - type
    choices:
    - ingress
    - egress
    default: ingress
    description:
    - Traffic type of the rule.
    type: str

action_policy:
    aliases:
    - action
    choices:
    - allow
    - deny
    default: allow
    description:
    - Action policy of the rule.
    type: str

rule_position:
    aliases:
    - number
    description:
    - The position of the network ACL rule.
    required: true
    type: int

api_http_method:
    choices:
    - get
    - post
    description:
    - HTTP method used to query the API endpoint.
    - If not given, the C(CLOUDSTACK_METHOD) env variable is considered.
    - As the last option, the value is taken from the ini config file, also see the notes.
    - Fallback value is C(get) if not specified.
    type: str

protocol_number:
    description:
    - Protocol number from 1 to 256, required if I(protocol=by_number).
    type: int

Outputs

account:
  description: Account the network ACL rule is related to.
  returned: success
  sample: example account
  type: str
action_policy:
  description: Action policy of the network ACL rule.
  returned: success
  sample: deny
  type: str
cidr:
  description: CIDR of the network ACL rule.
  returned: success
  sample: 0.0.0.0/0
  type: str
cidrs:
  description: CIDRs of the network ACL rule.
  returned: success
  sample:
  - 0.0.0.0/0
  type: list
  version_added: '2.9'
  version_added_collection: community.general
domain:
  description: Domain the network ACL rule is related to.
  returned: success
  sample: example domain
  type: str
end_port:
  description: End port of the network ACL rule.
  returned: success
  sample: 80
  type: int
icmp_code:
  description: ICMP code of the network ACL rule.
  returned: success
  sample: 8
  type: int
icmp_type:
  description: ICMP type of the network ACL rule.
  returned: success
  sample: 0
  type: int
network_acl:
  description: Name of the network ACL.
  returned: success
  sample: customer acl
  type: str
project:
  description: Name of the project the network ACL rule is related to.
  returned: success
  sample: Production
  type: str
protocol:
  description: Protocol of the network ACL rule.
  returned: success
  sample: tcp
  type: str
protocol_number:
  description: Protocol number in case protocol is by number.
  returned: success
  sample: 8
  type: int
rule_position:
  description: Position of the network ACL rule.
  returned: success
  sample: 1
  type: int
start_port:
  description: Start port of the network ACL rule.
  returned: success
  sample: 80
  type: int
state:
  description: State of the network ACL rule.
  returned: success
  sample: Active
  type: str
tags:
  description: List of resource tags associated with the network ACL rule.
  returned: success
  sample: '[ { "key": "foo", "value": "bar" } ]'
  type: list
traffic_type:
  description: Traffic type of the network ACL rule.
  returned: success
  sample: ingress
  type: str
vpc:
  description: VPC of the network ACL.
  returned: success
  sample: customer vpc
  type: str
zone:
  description: Zone the VPC is related to.
  returned: success
  sample: ch-gva-2
  type: str