community.vmware.vmware_host_firewall_manager (4.2.0) — module

Manage the firewall rule sets of an ESXi host

Authors: Abhijeet Kasurde (@Akasurde), Aaron Longchamps (@alongchamps)

Install collection

Install with ansible-galaxy collection install community.vmware:==4.2.0


Add to requirements.yml

  collections:
    - name: community.vmware
      # Pinned to the exact release this page documents so a fresh install
      # pulls a known artifact; bump the pin deliberately, not implicitly.
      version: 4.2.0

Description

This module manages the firewall rule sets of ESXi hosts. It targets either a single host, given by O(esxi_hostname), or every host in a cluster, given by O(cluster_name); one of the two must be supplied.

Usage examples

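# Enables the vvold rule set on every ESXi host in the named cluster.
# The module talks to vCenter over HTTPS, so the task is delegated to the
# controller rather than run on a managed node.
- name: Enable vvold rule set for all ESXi Host in given Cluster
  community.vmware.vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    # Templated like esxi_hostname in the other examples; the original used
    # the literal placeholder "cluster_name", which is looked up verbatim.
    cluster_name: '{{ cluster_name }}'
    rules:
      - name: vvold
        enabled: true
        allowed_hosts:
          # all_ip: true opens the rule set to any source address. Narrow it
          # with ip_address/ip_network where the peers are known.
          all_ip: true
  delegate_to: localhost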
# Enables the vvold rule set on a single ESXi host, reachable from any
# source address. Delegated to the controller because the connection is
# made to vCenter, not to the host being configured.
- name: Enable vvold rule set for an ESXi Host
  community.vmware.vmware_host_firewall_manager:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    esxi_hostname: "{{ esxi_hostname }}"
    rules:
      - name: vvold
        enabled: true
        allowed_hosts:
          # Unrestricted source; prefer all_ip: false plus ip_address or
          # ip_network when the set of peers is known.
          all_ip: true
  delegate_to: localhost
# Manages several rule sets on one host in a single task: vvold is enabled
# for any source address, CIMHttpServer is switched off. allowed_hosts is
# optional and is omitted for the rule set being disabled.
- name: Manage multiple rule set for an ESXi Host
  community.vmware.vmware_host_firewall_manager:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    esxi_hostname: "{{ esxi_hostname }}"
    rules:
      - name: vvold
        enabled: true
        allowed_hosts:
          # Open to every source; restrict if the peers are known.
          all_ip: true
      - name: CIMHttpServer
        enabled: false
  delegate_to: localhost
# Restricts three rule sets to explicit sources. With all_ip: false only the
# listed ip_address entries and ip_network ranges may reach the service;
# the two lists can be used alone or together.
- name: Manage IP and network based firewall permissions for ESXi
  community.vmware.vmware_host_firewall_manager:
    hostname: "{{ vcenter_hostname }}"
    username: "{{ vcenter_username }}"
    password: "{{ vcenter_password }}"
    esxi_hostname: "{{ esxi_hostname }}"
    rules:
      # gdbserver is a debugging service; treat enabling it as temporary and
      # revert to enabled: false once the work that needs it is finished.
      - name: gdbserver
        enabled: true
        allowed_hosts:
          all_ip: false
          ip_address:
            - "192.168.20.10"
            - "192.168.20.11"
      # Whole-subnet allowance.
      - name: CIMHttpServer
        enabled: true
        allowed_hosts:
          all_ip: false
          ip_network:
            - "192.168.100.0/24"
      # Single host plus a subnet in the same rule set.
      - name: remoteSerialPort
        enabled: true
        allowed_hosts:
          all_ip: false
          ip_address:
            - "192.168.100.11"
          ip_network:
            - "192.168.200.0/24"
  delegate_to: localhost

Inputs

    
port:
    default: 443
    description:
    - The port number of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PORT)
      will be used instead.
    type: int

rules:
    default: []
    description:
    - A list of rule sets to manage on the target host(s).
    - Each list entry names one rule set and the state it should be put in.
    - Both the rule set name (C(name)) and its state (C(enabled)) are required.
    - The source hosts permitted to reach the rule set can additionally be restricted with C(allowed_hosts).
    - Please see examples for more information.
    elements: dict
    suboptions:
      allowed_hosts:
        description:
        - Define the allowed hosts for this rule set.
        suboptions:
          all_ip:
            description:
            - Whether the rule set accepts traffic from any source address.
            - V(true) makes the rule set reachable from everywhere; prefer V(false) together with O(rules[].allowed_hosts.ip_address) or O(rules[].allowed_hosts.ip_network) for services that only a known set of hosts needs to reach.
            required: true
            type: bool
          ip_address:
            default: []
            description:
            - List of allowed IP addresses.
            elements: str
            type: list
          ip_network:
            default: []
            description:
            - List of allowed IP networks.
            elements: str
            type: list
        type: dict
      enabled:
        description:
        - Whether the rule set is enabled or not.
        required: true
        type: bool
      name:
        description:
        - Rule set name.
        required: true
        type: str
    type: list

hostname:
    description:
    - The hostname or IP address of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_HOST)
      will be used instead.
    type: str

password:
    aliases:
    - pass
    - pwd
    description:
    - The password of the vSphere vCenter or ESXi server.
    - Supply it from a vault-encrypted variable or the environment variable rather than as plain text in a playbook, since it authenticates every task against the server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PASSWORD)
      will be used instead.
    type: str

username:
    aliases:
    - admin
    - user
    description:
    - The username of the vSphere vCenter or ESXi server.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_USER)
      will be used instead.
    type: str

proxy_host:
    description:
    - Address of a proxy that will receive all HTTPS requests and relay them.
    - The format is a hostname or an IP address.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PROXY_HOST)
      will be used instead.
    required: false
    type: str

proxy_port:
    description:
    - Port of the HTTP proxy that will receive all HTTPS requests and relay them.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_PROXY_PORT)
      will be used instead.
    required: false
    type: int

cluster_name:
    description:
    - Name of the cluster.
    - Firewall settings are applied to every ESXi host system in given cluster.
    - If O(esxi_hostname) is not given, this parameter is required.
    type: str

esxi_hostname:
    description:
    - ESXi hostname.
    - Firewall settings are applied to this ESXi host system.
    - If O(cluster_name) is not given, this parameter is required.
    type: str

validate_certs:
    default: true
    description:
    - Whether to verify the TLS certificate presented by the vSphere vCenter or ESXi server.
    - Set to V(false) only when the certificate cannot be validated, for example a self-signed certificate in a lab. With validation disabled the credentials in O(password) are sent to whatever answers at O(hostname), so an on-path attacker can capture them; importing the server's CA into the controller's trust store is the safer fix.
    - If the value is not specified in the task, the value of environment variable E(VMWARE_VALIDATE_CERTS)
      will be used instead.
    type: bool

Outputs

rule_set_state:
  description:
  - Dictionary keyed by ESXi hostname; each value maps a rule set name to its previous, desired and current enabled state and allowed-hosts settings.
  returned: success
  sample:
    rule_set_state:
      localhost.localdomain:
        CIMHttpServer:
          allowed_hosts:
            current_allowed_all: true
            current_allowed_ip: []
            current_allowed_networks: []
            desired_allowed_all: true
            desired_allowed_ip: []
            desired_allowed_networks: []
            previous_allowed_all: true
            previous_allowed_ip: []
            previous_allowed_networks: []
          current_state: false
          desired_state: false
          previous_state: true
        remoteSerialPort:
          allowed_hosts:
            current_allowed_all: false
            current_allowed_ip:
            - 192.168.100.11
            current_allowed_networks:
            - 192.168.200.0/24
            desired_allowed_all: false
            desired_allowed_ip:
            - 192.168.100.11
            desired_allowed_networks:
            - 192.168.200.0/24
            previous_allowed_all: true
            previous_allowed_ip: []
            previous_allowed_networks: []
          current_state: true
          desired_state: true
          previous_state: true
  type: dict