f5networks.f5_modules.bigip_apm_acl (1.28.0) — module

Manage user-defined APM ACLs

Added in version 1.0.0 of f5networks.f5_modules

Authors: Wojciech Wypior (@wojtek0806)

Install collection

Install with ansible-galaxy collection install f5networks.f5_modules:==1.28.0


Add to requirements.yml

  collections:
    - name: f5networks.f5_modules
      version: 1.28.0

Description

Manage user-defined APM ACLs.

Usage examples

# Static L4 ACL placed first in the ACL order (acl_order 0). The allow entry
# matches TCP from 10.10.10.0 with mask 255.255.255.128 (a /25) on source
# port 443 to 192.168.1.1:80; the reject entry matches TCP from the same
# subnet to 192.168.1.1 on any port ('*') and logs the matched packet.
- name: Create a static ACL with L4 entries
  bigip_apm_acl:
    name: L4foo
    acl_order: 0
    type: static
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: reject
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
        log: packet
    # Credentials are inlined for illustration only. Prefer the F5_SERVER,
    # F5_USER and F5_PASSWORD environment variables or an Ansible Vault-encrypted
    # variable, set no_log: true on the task, and leave validate_certs at its
    # default of true so the device certificate is checked.
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  # The module talks to the device over its REST API (provider.transport
  # defaults to rest), so it runs on the controller rather than on the target.
  delegate_to: localhost
# Static L7 ACL placed second (acl_order 1). path_match_case false means the
# path comparison ignores alphabetic case. The allow entry matches HTTPS
# requests to foobar.com under /shopfront; the reject entry matches any
# scheme to internal_foobar.com under /admin and logs the matched packet.
- name: Create a static ACL with L7 entries
  bigip_apm_acl:
    name: L7foo
    acl_order: 1
    type: static
    path_match_case: false
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
      - action: reject
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        log: packet
    # Illustrative inline credentials only; in real playbooks source them from
    # the F5_* environment variables or an Ansible Vault-encrypted variable and
    # keep validate_certs at its default of true.
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  # REST call from the controller; no connection to the BIG-IP host via SSH.
  delegate_to: localhost
# Static ACL mixing L7 and L4 criteria in single entries (acl_order 2). The
# allow entry combines host/path/scheme with a destination of 192.168.1.1
# TCP port 8181; the reject entry uses host/path with any scheme, destination
# 192.168.1.1 over all protocols, and logs the matched packet. No source
# address or mask is given, so no source criterion is expressed here.
- name: Create a static ACL with L7/L4 entries
  bigip_apm_acl:
    name: L7L4foo
    acl_order: 2
    type: static
    path_match_case: false
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
        dst_port: '8181'
        dst_addr: '192.168.1.1'
        protocol: tcp
      - action: reject
        dst_addr: '192.168.1.1'
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        protocol: all
        log: packet
    # Inline secret shown for brevity; use the F5_PASSWORD/F5_USER/F5_SERVER
    # environment variables or an Ansible Vault-encrypted variable instead, and
    # do not set validate_certs to false outside self-signed lab devices.
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  # Executed on the controller; the module reaches the device over REST.
  delegate_to: localhost
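# Replace the entries of the existing ACL L4foo. The ACL is identified by
# name; type is not repeated because it cannot be changed once set. Entry
# count and order are compared against the device, so dropping or reordering
# an entry triggers a change. The second entry now discards (instead of
# rejecting) traffic from the source subnet to 192.168.1.1 on any port and
# any protocol.
- name: Modify a static ACL entries
  bigip_apm_acl:
    name: L4foo
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: discard
        dst_port: '*'
        # Quoted like every other address in these examples for consistency.
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        # Same /25 mask the ACL was created with; a mask must be a valid
        # dotted quad, each octet 0-255.
        src_mask: '255.255.255.128'
        protocol: all
    # Credentials inlined for illustration only; prefer the F5_* environment
    # variables or an Ansible Vault-encrypted variable, and keep validate_certs
    # at its default of true.
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  # REST call from the controller to the device.
  delegate_to: localhost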
# Delete the ACL L4foo; with state absent only the name (and partition, which
# defaults to Common) is needed to identify it.
- name: Remove static ACL
  bigip_apm_acl:
    name: L4foo
    state: absent
    # Inline credentials are for illustration only; source them from the F5_*
    # environment variables or an Ansible Vault-encrypted variable in practice.
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  # Runs on the controller and talks to the device over REST.
  delegate_to: localhost

Inputs

    
name:
    description:
    - Specifies the name of the ACL to manage.
    required: true
    type: str

type:
    choices:
    - static
    - dynamic
    description:
    - Specifies the type of ACL to create.
    - Once the type is set it cannot be changed.
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - When C(state) is C(present), ensures that the ACL exists.
    - When C(state) is C(absent), ensures that the ACL is removed.
    type: str

entries:
    description:
    - Access control entries that define the ACL matching and its respective behavior.
    - The order in which the rules are placed as arguments to this parameter determines
      their order in the ACL; in other words, changing the order of the same elements will
      cause a change on the unit.
    - Changes in the number of rules will always trigger a device change. This means user
      input takes precedence over what is on the device.
    elements: dict
    suboptions:
      action:
        choices:
        - allow
        - reject
        - discard
        - continue
        description:
        - Specifies the action that the access control entry takes when a match for this
          access control entry is encountered.
        required: true
        type: str
      dst_addr:
        description:
        - Specifies the destination IP address for the access control entry.
        - When set to C(any) the ACL will match any destination address, C(dst_mask) is
          ignored in this case.
        type: str
      dst_mask:
        description:
        - Optional parameter that specifies the destination network mask for the access
          control entry.
        - If not specified and C(dst_addr) is not C(any), the C(dst_addr) is deemed to
          be host address.
        type: str
      dst_port:
        description:
        - Specifies the destination port for the access control entry.
        - Can be set to C(*) to indicate all ports.
        - Parameter is mutually exclusive with C(dst_port_range).
        type: str
      dst_port_range:
        description:
        - Specifies the destination port range for the access control entry.
        - Parameter is mutually exclusive with C(dst_port).
        - To indicate all ports the C(dst_port) parameter must be used and set to C(*).
        type: str
      host_name:
        description:
        - This parameter applies to Layer 7 access control entries only.
        - Specifies a host to which the access control entry applies.
        type: str
      log:
        choices:
        - none
        - packet
        description:
        - Specifies the log level that is logged when actions of this type occur.
        - When C(none), nothing is logged; this is the default.
        - When C(packet) it will log the matched packet.
        type: str
      paths:
        description:
        - This parameter applies to Layer 7 access control entries only.
        - Specifies the path or paths to which the access control entry applies.
        type: str
      protocol:
        choices:
        - tcp
        - icmp
        - udp
        - all
        description:
        - This parameter applies to Layer 4 access control entries only.
        - 'Specifies the protocol: C(tcp), C(udp), C(icmp) or C(all) protocols, to which
          the access control entry applies.'
        type: str
      scheme:
        choices:
        - http
        - https
        - any
        description:
        - This parameter applies to Layer 7 access control entries only.
        - 'Specifies the URI scheme: C(http), C(https) or C(any) on which the access control
          entry operates.'
        type: str
      src_addr:
        description:
        - Specifies the source IP address for the access control entry.
        - When set to C(any) the ACL will match any source address, C(src_mask) is ignored
          in this case.
        type: str
      src_mask:
        description:
        - Optional parameter that specifies the source network mask for the access control
          entry.
        - If not specified and C(src_addr) is not C(any), the C(src_addr) is deemed to
          be host address.
        type: str
      src_port:
        description:
        - Specifies the source port for the access control entry.
        - Can be set to C(*) to indicate all ports.
        - Parameter is mutually exclusive with C(src_port_range).
        type: str
      src_port_range:
        description:
        - Specifies the source port range for the access control entry.
        - Parameter is mutually exclusive with C(src_port).
        - To indicate all ports the C(src_port) parameter must be used and set to C(*).
        type: str
    type: list

provider:
    description:
    - A dict object containing connection details.
    suboptions:
      auth_provider:
        description:
        - Configures the auth provider used to obtain authentication tokens from the remote
          device.
        - This option is really used when working with BIG-IQ devices.
        type: str
      no_f5_teem:
        default: false
        description:
        - If C(yes), TEEM telemetry data is not sent to F5.
        - You may omit this option by setting the environment variable C(F5_TELEMETRY_OFF).
        - Previously used variable C(F5_TEEM) is deprecated as its name was confusing.
        type: bool
      password:
        aliases:
        - pass
        - pwd
        description:
        - The password for the user account used to connect to the BIG-IP or the BIG-IQ.
        - You may omit this option by setting the environment variable C(F5_PASSWORD).
        required: true
        type: str
      server:
        description:
        - The BIG-IP host or the BIG-IQ host.
        - You may omit this option by setting the environment variable C(F5_SERVER).
        required: true
        type: str
      server_port:
        default: 443
        description:
        - The BIG-IP server port.
        - You may omit this option by setting the environment variable C(F5_SERVER_PORT).
        type: int
      timeout:
        description:
        - Specifies the timeout in seconds for communicating with the network device for
          either connecting or sending commands. If the timeout is exceeded before the
          operation is completed, the module will error.
        type: int
      transport:
        choices:
        - rest
        default: rest
        description:
        - Configures the transport connection to use when connecting to the remote device.
        type: str
      user:
        description:
        - The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative
          privileges on the device.
        - You may omit this option by setting the environment variable C(F5_USER).
        required: true
        type: str
      validate_certs:
        default: true
        description:
        - If C(no), SSL certificates are not validated. Use this only on personally controlled
          sites using self-signed certificates.
        - You may omit this option by setting the environment variable C(F5_VALIDATE_CERTS).
        type: bool
    type: dict
    version_added: 1.0.0
    version_added_collection: f5networks.f5_modules

acl_order:
    description:
    - Specifies a number that indicates the order of this ACL relative to other ACLs.
    - When not set, the device will always place the ACL after the last one created.
    - The lower the number, the higher the ACL will be in the general order, with the
      lowest number C(0) being the topmost one.
    - Valid range of values is between C(0) and C(65535) inclusive.
    type: int

partition:
    default: Common
    description:
    - Device partition to manage resources on.
    type: str

description:
    description:
    - User created ACL description.
    type: str

path_match_case:
    description:
    - Specifies whether alphabetic case is considered when matching paths in an access
      control entry.
    type: bool

Outputs

acl_order:
  description: The order of this ACL relative to other ACLs.
  returned: changed
  sample: 10
  type: int
description:
  description: The new description of the ACL.
  returned: changed
  sample: My ACL
  type: str
entries:
  contains:
    action:
      description: Action the access control entry takes when a match for this access
        control entry is encountered.
      returned: changed
      sample: allow
      type: str
    dst_addr:
      description: The destination IP address for the access control entry.
      returned: changed
      sample: 192.168.0.1
      type: str
    dst_mask:
      description: The destination network mask for the access control entry.
      returned: changed
      sample: 255.255.255.128
      type: str
    dst_port:
      description: The destination port for the access control entry.
      returned: changed
      sample: '80'
      type: str
    dst_port_range:
      description: The destination port range for the access control entry.
      returned: changed
      sample: 80-81
      type: str
    host_name:
      description: The host to which the access control entry applies.
      returned: changed
      sample: foobar.com
      type: str
    log:
      description: The log level that is logged when actions of this type occur.
      returned: changed
      sample: packet
      type: str
    paths:
      description: The path or paths to which the access control entry applies.
      returned: changed
      sample: /fooshop
      type: str
    protocol:
      description: The protocol to which the access control entry applies.
      returned: changed
      sample: tcp
      type: str
    scheme:
      description: The URI scheme on which the access control entry operates.
      returned: changed
      sample: https
      type: str
    src_addr:
      description: The source IP address for the access control entry.
      returned: changed
      sample: 192.168.0.1
      type: str
    src_mask:
      description: The source network mask for the access control entry.
      returned: changed
      sample: 255.255.255.128
      type: str
    src_port:
      description: The source port for the access control entry.
      returned: changed
      sample: '80'
      type: str
    src_port_range:
      description: The source port range for the access control entry.
      returned: changed
      sample: 80-81
      type: str
  description: Access control entries that define the ACL matching and its respective
    behavior.
  returned: changed
  sample: hash/dictionary of values
  type: complex
path_match_case:
  description: Specifies whether alphabetic case is considered when matching paths
    in an access control entry.
  returned: changed
  sample: true
  type: bool
type:
  description: The type of ACL to create.
  returned: changed
  sample: static
  type: str