illumio.core.pairing_profile (0.2.6) — module

Create/update/delete Illumio PCE pairing profiles

Added in version 0.2.0 of illumio.core

Authors: Duncan Sommerville (@dsommerville-illumio)

Install collection

Install with ansible-galaxy collection install illumio.core:==0.2.6


Add to requirements.yml

  collections:
    - name: illumio.core
      version: 0.2.6

Description

This module allows you to create and manipulate pairing profile objects on the Illumio PCE to pair Illumio VEN agents.

Supports check mode.


Requirements

Usage examples

- name: "Create profile with default labels"
  illumio.core.pairing_profile:
    name: PP-DB
    state: present
    enabled: true
    labels:
      - href: /orgs/1/labels/1
      - href: /orgs/1/labels/2
- name: "Create profile with pairing key uses and lifespan limitations"
  illumio.core.pairing_profile:
    name: PP-AUTOMATION
    state: present
    enforcement_mode: visibility_only
    allowed_uses_per_key: 1
    key_lifespan: 30
- name: "Remove existing profile"
  illumio.core.pairing_profile:
    name: PP-DB
    state: absent
- name: "Remove profile by HREF"
  illumio.core.pairing_profile:
    href: /orgs/1/pairing_profiles/1
    state: absent

Inputs

href:
    description: HREF of an existing pairing profile.
    type: str

name:
    description:
    - Pairing profile display name.
    - Required for creating a pairing profile or when HREF is not specified.
    type: str

state:
    choices:
    - present
    - absent
    default: present
    description:
    - Desired pairing profile state.
    - If C(present), the profile will be created if it does not exist, or updated to match
      the provided parameters if it does.
    - If C(absent), the profile will be removed if it exists.
    type: str

labels:
    default: []
    description:
    - List of default labels to apply to workloads paired using this profile.
    - Labels can only be referenced by HREF, and only one label of each type can be specified.
    elements: dict
    suboptions:
      href:
        description: Label HREF.
        required: true
        type: str
    type: list

enabled:
    default: 'yes'
    description: Determines whether or not the profile is enabled for pairing.
    type: bool

pce_port:
    default: 443
    description:
    - HTTP(S) port used by the PCE.
    - Can be set with the environment variable C(ILLUMIO_PCE_PORT).
    type: int

pce_org_id:
    default: 1
    description:
    - PCE Organization ID.
    - Can be set with the environment variable C(ILLUMIO_PCE_ORG_ID).
    type: int

pce_tls_ca:
    description:
    - Path to a custom root CA certificate bundle to use for the PCE connection.
    - If set, overrides C(pce_tls_verify).
    type: str

description:
    default: ''
    description: Pairing profile description.
    type: str

ven_version:
    description:
    - Optional parameter to set the VEN version used by this pairing profile.
    - If not set, the profile will use the default VEN version configured in the PCE's
      VEN library.
    type: str

key_lifespan:
    default: unlimited
    description:
    - The number of seconds pairing profile keys will be valid for.
    - By default, each key lasts an unlimited amount of time.
    type: str

pce_hostname:
    aliases:
    - pce_url
    description:
    - URL or FQDN of the Illumio Policy Compute Engine. C(pce_url) is an alias for C(pce_hostname).
    - Can be set with the environment variable C(ILLUMIO_PCE_HOST).
    required: true
    type: str

api_key_secret:
    description:
    - Illumio PCE API key secret.
    - Can be set with the environment variable C(ILLUMIO_API_KEY_SECRET).
    required: true
    type: str

app_label_lock:
    default: 'yes'
    description: If set to C(false), allows the app label to be overridden when pairing.
    type: bool

env_label_lock:
    default: 'yes'
    description: If set to C(false), allows the environment label to be overridden when
      pairing.
    type: bool

loc_label_lock:
    default: 'yes'
    description: If set to C(false), allows the location label to be overridden when pairing.
    type: bool

pce_http_proxy:
    description:
    - HTTP proxy server to use when connecting to the PCE.
    - If not set, the value of the C(http_proxy) environment variable is used.
    type: str

pce_tls_verify:
    default: true
    description:
    - Flag denoting whether TLS verification should be enabled on the PCE connection.
    type: bool

pce_https_proxy:
    description:
    - HTTPS proxy server to use when connecting to the PCE.
    - If not set, the value of the C(https_proxy) environment variable is used.
    type: str

role_label_lock:
    default: 'yes'
    description: If set to C(false), allows the role label to be overridden when pairing.
    type: bool

api_key_username:
    description:
    - Illumio PCE API key username.
    - Can be set with the environment variable C(ILLUMIO_API_KEY_USERNAME).
    required: true
    type: str

enforcement_mode:
    choices:
    - idle
    - visibility_only
    - selective
    - full
    default: idle
    description:
    - Pairing profile default enforcement mode.
    - VENs paired using this profile will be put into the provided enforcement mode by
      default.
    - 'C(idle): the VEN will not take control of the host firewall.'
    - 'C(visibility_only): no traffic will be blocked by PCE policy.'
    - 'C(selective): segmentation rules are enforced only for selected inbound services
      when the host is within the scope of an enforcement boundary.'
    - 'C(full): segmentation rules are enforced for all inbound and outbound services.
      Traffic that is not allowed by a segmentation rule is blocked.'
    type: str

visibility_level:
    choices:
    - flow_summary
    - flow_drops
    - flow_off
    - enhanced_data_collection
    default: flow_summary
    description:
    - Determines what traffic will be logged by VENs paired with this profile.
    - 'C(flow_summary): log connection information for allowed, blocked, and potentially
      blocked traffic.'
    - 'C(flow_drops): log connection information for blocked and potentially blocked traffic.'
    - 'C(flow_off): do not log any traffic information.'
    - 'C(enhanced_data_collection): log byte counts in addition to connection details
      for all traffic.'
    type: str

external_data_set:
    description:
    - External data set identifier.
    - Must be set if using C(external_data_reference).
    type: str

allowed_uses_per_key:
    default: unlimited
    description:
    - The number of times pairing profile keys can be used.
    - By default, each key has unlimited uses.
    type: str

pce_tls_client_certs:
    description:
    - Optional paths to client-side certificate files.
    - May point to separate cert and private key files or a PEM bundle containing both.
    elements: str
    type: list

enforcement_mode_lock:
    default: 'yes'
    description: If set to C(false), allows the enforcement mode to be overridden when
      pairing.
    type: bool

visibility_level_lock:
    default: 'yes'
    description: If set to C(false), allows the visibility level to be overridden when
      pairing.
    type: bool

external_data_reference:
    description:
    - External data reference identifier.
    - Must be set if using C(external_data_set).
    type: str

Outputs

pairing_profile:
  contains:
    agent_software_release:
      description: The VEN version used by this pairing profile.
      returned: always
      type: str
    allowed_uses_per_key:
      description: The number of times each pairing key generated by this profile
        can be used to pair VENs.
      returned: always
      type: str
    app_label_lock:
      description: A flag that denotes whether the app label set by this profile can
        be overridden from the pairing script.
      returned: always
      type: bool
    caps:
      description:
      - Array of permissions on the entity held by the requesting user.
      - An empty array implies read-only permission.
      elements: str
      returned: always
      type: list
    created_at:
      description: A timestamp denoting when this pairing profile was created.
      returned: always
      type: str
    created_by:
      description: A reference to the user object that created this profile.
      returned: always
      sample:
        created_by:
          href: /users/1
      type: dict
    description:
      description: A description of the pairing profile.
      returned: always
      type: str
    enabled:
      description: A flag that determines whether or not this profile is enabled for
        pairing.
      returned: always
      type: bool
    enforcement_mode:
      description: The enforcement mode that will be applied to VENs paired using
        this profile.
      returned: always
      type: str
    enforcement_mode_lock:
      description: A flag that denotes whether the enforcement mode set by this profile
        can be overridden from the pairing script.
      returned: always
      type: bool
    env_label_lock:
      description: A flag that denotes whether the environment label set by this profile
        can be overridden from the pairing script.
      returned: always
      type: bool
    href:
      description: The pairing profile's HREF.
      returned: always
      type: str
    is_default:
      description: A flag that denotes whether this profile is the default pairing
        profile for the PCE.
      returned: always
      type: bool
    key_lifespan:
      description: The amount of time, in seconds, that a pairing key generated by
        this profile will be valid for.
      returned: always
      type: str
    labels:
      description: A list of labels that will be applied to VENs paired using this
        profile.
      elements: dict
      returned: always
      sample:
      - href: /orgs/1/labels/1
      type: list
    loc_label_lock:
      description: A flag that denotes whether the location label set by this profile
        can be overridden from the pairing script.
      returned: always
      type: bool
    name:
      description: The pairing profile's name.
      returned: always
      type: str
    role_label_lock:
      description: A flag that denotes whether the role label set by this profile
        can be overridden from the pairing script.
      returned: always
      type: bool
    total_use_count:
      description: The total number of times this profile has been used to pair VENs.
      returned: always
      type: int
    updated_at:
      description: A timestamp denoting when this pairing profile was last updated.
      returned: always
      type: str
    updated_by:
      description: A reference to the user object that last updated this profile.
      returned: always
      sample:
        updated_by:
          href: /users/1
      type: dict
    visibility_level:
      description: Determines what traffic will be logged by VENs paired with this
        profile.
      returned: always
      type: str
    visibility_level_lock:
      description: A flag that denotes whether the visibility level set by this profile
        can be overridden from the pairing script.
      returned: always
      type: bool
  description: Information about the pairing profile that was created or updated.
  returned: success
  sample:
    pairing_profile:
      agent_software_release: Default (21.2.0-7831)
      allowed_uses_per_key: unlimited
      app_label_lock: true
      caps:
      - write
      - generate_pairing_key
      created_at: '2022-06-07T00:11:10.923Z'
      created_by:
        href: /users/1
      description: Created with Ansible
      enabled: true
      enforcement_mode: visibility_only
      enforcement_mode_lock: true
      env_label_lock: true
      href: /orgs/1/pairing_profiles/1500
      is_default: false
      key_lifespan: unlimited
      labels: []
      loc_label_lock: true
      name: PP-ANSIBLE-TEST
      role_label_lock: true
      total_use_count: 0
      updated_at: '2022-06-07T17:51:56.606Z'
      updated_by:
        href: /users/1
      visibility_level: flow_summary
      visibility_level_lock: true
  type: complex
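The parameters in the Inputs section and the returned object in the Outputs section fit together as follows. The playbook below is an added example, not part of the illumio.core collection or its documentation: it creates a pairing profile whose keys are single-use and short-lived, locks every attribute so the pairing script cannot override the profile, keeps TLS verification on, and then checks the returned `pairing_profile` object before the HREF is handed on. The PCE hostname and API key are read from the ILLUMIO_* environment variables named in the Inputs section; the label HREFs (`/orgs/1/labels/10`, `/orgs/1/labels/11`) and the profile name are placeholders that must be replaced with values from your own PCE.

```yaml
# Added example playbook (not from the illumio.core collection).
# Placeholders: the two label HREFs below are assumed to exist on the target PCE.
- name: Provision a short-lived, single-use pairing profile for the DB tier
  hosts: localhost
  gather_facts: false
  vars:
    # Placeholder label HREFs; labels can only be referenced by HREF (see Inputs)
    db_role_label: /orgs/1/labels/10
    prod_env_label: /orgs/1/labels/11
  tasks:
    - name: Create or update the profile
      illumio.core.pairing_profile:
        # Connection details come from the environment variables listed in Inputs
        pce_hostname: "{{ lookup('ansible.builtin.env', 'ILLUMIO_PCE_HOST') }}"
        api_key_username: "{{ lookup('ansible.builtin.env', 'ILLUMIO_API_KEY_USERNAME') }}"
        api_key_secret: "{{ lookup('ansible.builtin.env', 'ILLUMIO_API_KEY_SECRET') }}"
        pce_tls_verify: true            # keep certificate verification on for the PCE connection
        name: PP-DB-PROD                # placeholder profile name
        description: DB tier pairing profile managed by Ansible
        state: present
        enabled: true
        allowed_uses_per_key: 1         # each pairing key pairs exactly one VEN
        key_lifespan: 900               # keys expire after 900 seconds (15 minutes)
        # New VENs start in visibility_only so traffic is reported before anything is blocked
        enforcement_mode: visibility_only
        visibility_level: flow_summary
        # Lock every attribute the profile sets so the pairing script cannot override it
        enforcement_mode_lock: true
        visibility_level_lock: true
        app_label_lock: true
        env_label_lock: true
        loc_label_lock: true
        role_label_lock: true
        labels:
          - href: "{{ db_role_label }}"
          - href: "{{ prod_env_label }}"
      register: db_profile

    - name: Verify the PCE stored the restrictions that were requested
      ansible.builtin.assert:
        that:
          - db_profile.pairing_profile.href is defined
          - db_profile.pairing_profile.enabled
          - db_profile.pairing_profile.enforcement_mode == 'visibility_only'
          - db_profile.pairing_profile.enforcement_mode_lock
          - db_profile.pairing_profile.key_lifespan != 'unlimited'
          - db_profile.pairing_profile.allowed_uses_per_key != 'unlimited'
          - db_profile.pairing_profile.labels | length == 2
        fail_msg: "Pairing profile {{ db_profile.pairing_profile.name }} does not match the requested restrictions"

    - name: Report the profile HREF and its use count
      ansible.builtin.debug:
        msg: >-
          {{ db_profile.pairing_profile.href }} created by
          {{ db_profile.pairing_profile.created_by.href }},
          used {{ db_profile.pairing_profile.total_use_count }} times so far
```

Because the module supports check mode, running the playbook with `ansible-playbook --check` first shows whether an existing PP-DB-PROD profile would be changed without touching the PCE; the `assert` task then documents, in the play itself, which fields of the returned object matter. The `total_use_count` and `updated_at` fields are also the ones to watch afterwards when auditing whether a profile is still being used to pair VENs.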