oracle / oracle.oci / 4.21.0 / module / oci_network_firewall_policy_facts Fetches details about one or multiple NetworkFirewallPolicy resources in Oracle Cloud Infrastructure | "added in version" 2.9.0 of oracle.oci" Authors: Oracle (@oracle) preview | supported by communityoracle.oci.oci_network_firewall_policy_facts (4.21.0) — module
Install with ansible-galaxy collection install oracle.oci:==4.21.0
collections: - name: oracle.oci version: 4.21.0
Fetches details about one or multiple NetworkFirewallPolicy resources in Oracle Cloud Infrastructure
Returns a list of Network Firewall Policies.
If I(network_firewall_policy_id) is specified, the details of a single NetworkFirewallPolicy will be returned.
- name: Get a specific network_firewall_policy oci_network_firewall_policy_facts: # required network_firewall_policy_id: "ocid1.networkfirewallpolicy.oc1..xxxxxxEXAMPLExxxxxx"
- name: List network_firewall_policies oci_network_firewall_policy_facts: # required compartment_id: "ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx" # optional display_name: display_name_example lifecycle_state: CREATING sort_order: ASC sort_by: timeCreated
region: description: - The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set, then the value of the OCI_REGION variable, if any, is used. This option is required if the region is not specified through a configuration file (See C(config_file_location)). Please refer to U(https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm) for more information on OCI regions. type: str sort_by: choices: - timeCreated - displayName description: - The field to sort by. Only one sort order may be provided. Default order for timeCreated is descending. Default order for displayName is ascending. type: str tenancy: description: - OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if any, is used. This option is required if the tenancy OCID is not specified through a configuration file (See C(config_file_location)). To get the tenancy OCID, please refer U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm) type: str api_user: description: - The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the value of the OCI_USER_ID environment variable, if any, is used. This option is required if the user is not specified through a configuration file (See C(config_file_location)). To get the user's OCID, please refer U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm). type: str auth_type: choices: - api_key - instance_principal - instance_obo_user - resource_principal default: api_key description: - The type of authentication to use for making API requests. By default C(auth_type="api_key") based authentication is performed and the API key (see I(api_user_key_file)) in your config file will be used. If this 'auth_type' module option is not specified, the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use C(auth_type="instance_principal") to use instance principal based authentication when running ansible playbooks within an OCI compute instance. type: str sort_order: choices: - ASC - DESC description: - The sort order to use, either 'ASC' or 'DESC'. type: str cert_bundle: description: - The full path to a CA certificate bundle to be used for SSL verification. This will override the default CA certificate bundle. If not set, then the value of the OCI_ANSIBLE_CERT_BUNDLE variable, if any, is used. type: str auth_purpose: choices: - service_principal description: - The auth purpose which can be used in conjunction with 'auth_type=instance_principal'. The default auth_purpose for instance_principal is None. type: str display_name: aliases: - name description: - A filter to return only resources that match the entire display name given. type: str compartment_id: description: - The ID of the compartment in which to list resources. - Required to list multiple network_firewall_policies. type: str lifecycle_state: choices: - CREATING - UPDATING - ACTIVE - DELETING - DELETED - FAILED description: - A filter to return only resources with a lifecycleState matching the given value. type: str api_user_key_file: description: - Full path and filename of the private key (in PEM format). If not set, then the value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required if the private key is not specified through a configuration file (See C(config_file_location)). If the key is encrypted with a pass-phrase, the C(api_user_key_pass_phrase) option must also be provided. type: str config_profile_name: description: - The profile to load from the config file referenced by C(config_file_location). If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any, is used. Otherwise, defaults to the "DEFAULT" profile in C(config_file_location). type: str api_user_fingerprint: description: - Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT environment variable, if any, is used. This option is required if the key fingerprint is not specified through a configuration file (See C(config_file_location)). To get the key pair's fingerprint value please refer U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm). type: str config_file_location: description: - Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment variable, if any, is used. Otherwise, defaults to ~/.oci/config. type: str api_user_key_pass_phrase: description: - Passphrase used by the key referenced in C(api_user_key_file), if it is encrypted. If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is used. This option is required if the key passphrase is not specified through a configuration file (See C(config_file_location)). type: str network_firewall_policy_id: aliases: - id description: - Unique Network Firewall Policy identifier - Required to get a specific network_firewall_policy. type: str realm_specific_endpoint_template_enabled: description: - Enable/Disable realm specific endpoint template for service client. By Default, realm specific endpoint template is disabled. If not set, then the value of the OCI_REALM_SPECIFIC_SERVICE_ENDPOINT_TEMPLATE_ENABLED variable, if any, is used. type: bool
network_firewall_policies: contains: application_lists: description: - Map defining application lists of the policy. The value of an entry is a list of "applications", each consisting of a protocol identifier (such as TCP, UDP, or ICMP) and protocol- specific parameters (such as a port range). The associated key is the identifier by which the application list is referenced. - Returned for get operation returned: on success sample: {} type: dict compartment_id: description: - The L(OCID,https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the compartment containing the NetworkFirewall Policy. returned: on success sample: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx type: str decryption_profiles: contains: are_certificate_extensions_restricted: description: - Whether to block sessions if the server's certificate uses extensions other than key usage and/or extended key usage. returned: on success sample: true type: bool is_auto_include_alt_name: description: - Whether to automatically append SAN to impersonating certificate if server certificate is missing SAN. returned: on success sample: true type: bool is_expired_certificate_blocked: description: - Whether to block sessions if server's certificate is expired. returned: on success sample: true type: bool is_out_of_capacity_blocked: description: - Whether to block sessions if the firewall is temporarily unable to decrypt their traffic. returned: on success sample: true type: bool is_revocation_status_timeout_blocked: description: - Whether to block sessions if the revocation status check for server's certificate does not succeed within the maximum allowed time (defaulting to 5 seconds). returned: on success sample: true type: bool is_unknown_revocation_status_blocked: description: - Whether to block sessions if the revocation status check for server's certificate results in "unknown". returned: on success sample: true type: bool is_unsupported_cipher_blocked: description: - Whether to block sessions if SSL cipher suite is not supported. returned: on success sample: true type: bool is_unsupported_version_blocked: description: - Whether to block sessions if SSL version is not supported. returned: on success sample: true type: bool is_untrusted_issuer_blocked: description: - Whether to block sessions if server's certificate is issued by an untrusted certificate authority (CA). returned: on success sample: true type: bool type: description: - Describes the type of Decryption Profile SslForwardProxy or SslInboundInspection. returned: on success sample: SSL_INBOUND_INSPECTION type: str description: - Map defining decryption profiles of the policy. The value of an entry is a decryption profile. The associated key is the identifier by which the decryption profile is referenced. - Returned for get operation returned: on success type: complex decryption_rules: contains: action: description: - 'Action:' - '* NO_DECRYPT - Matching traffic is not decrypted. * DECRYPT - Matching traffic is decrypted with the specified `secret` according to the specified `decryptionProfile`.' returned: on success sample: NO_DECRYPT type: str condition: contains: destinations: description: - An array of IP address list names to be evaluated against the traffic destination address. returned: on success sample: [] type: list sources: description: - An array of IP address list names to be evaluated against the traffic source address. returned: on success sample: [] type: list description: - '' returned: on success type: complex decryption_profile: description: - The name of the decryption profile to use. returned: on success sample: decryption_profile_example type: str name: description: - Name for the decryption rule, must be unique within the policy. returned: on success sample: name_example type: str secret: description: - The name of a mapped secret. Its `type` must match that of the specified decryption profile. returned: on success sample: secret_example type: str description: - List of Decryption Rules defining the behavior of the policy. The first rule with a matching condition determines the action taken upon network traffic. - Returned for get operation returned: on success type: complex defined_tags: description: - 'Defined tags for this resource. Each key is predefined and scoped to a namespace. Example: `{"foo-namespace": {"bar-key": "value"}}`' returned: on success sample: Operations: CostCenter: US type: dict display_name: description: - A user-friendly optional name for the firewall policy. Avoid entering confidential information. returned: on success sample: display_name_example type: str freeform_tags: description: - 'Simple key-value pair that is applied without any predefined name, type or scope. Exists for cross-compatibility only. Example: `{"bar-key": "value"}`' returned: on success sample: Department: Finance type: dict id: description: - The L(OCID,https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm) of the resource - Network Firewall Policy. returned: on success sample: ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx type: str ip_address_lists: description: - Map defining IP address lists of the policy. The value of an entry is a list of IP addresses or prefixes in CIDR notation. The associated key is the identifier by which the IP address list is referenced. - Returned for get operation returned: on success sample: {} type: dict is_firewall_attached: description: - To determine if any Network Firewall is associated with this Network Firewall Policy. - Returned for get operation returned: on success sample: true type: bool lifecycle_details: description: - A message describing the current state in more detail. For example, can be used to provide actionable information for a resource in Failed state. returned: on success sample: lifecycle_details_example type: str lifecycle_state: description: - The current state of the Network Firewall Policy. returned: on success sample: CREATING type: str mapped_secrets: contains: source: description: - Source of the secrets, where the secrets are stored. returned: on success sample: OCI_VAULT type: str type: description: - Type of the secrets mapped based on the policy. - '* `SSL_INBOUND_INSPECTION`: For Inbound inspection of SSL traffic. * `SSL_FORWARD_PROXY`: For forward proxy certificates for SSL inspection.' returned: on success sample: SSL_INBOUND_INSPECTION type: str vault_secret_id: description: - OCID for the Vault Secret to be used. returned: on success sample: ocid1.vaultsecret.oc1..xxxxxxEXAMPLExxxxxx type: str version_number: description: - Version number of the secret to be used. returned: on success sample: 56 type: int description: - Map defining secrets of the policy. The value of an entry is a "mapped secret" consisting of a purpose and source. The associated key is the identifier by which the mapped secret is referenced. - Returned for get operation returned: on success type: complex security_rules: contains: action: description: - Types of Action on the Traffic flow. - ' * ALLOW - Allows the traffic. * DROP - Silently drops the traffic, e.g. without sending a TCP reset. * REJECT - Rejects the traffic, sending a TCP reset to client and/or server as applicable. * INSPECT - Inspects traffic for vulnerability as specified in `inspection`, which may result in rejection.' returned: on success sample: ALLOW type: str condition: contains: applications: description: - An array of application list names to be evaluated against the traffic protocol and protocol-specific parameters. returned: on success sample: [] type: list destinations: description: - An array of IP address list names to be evaluated against the traffic destination address. returned: on success sample: [] type: list sources: description: - An array of IP address list names to be evaluated against the traffic source address. returned: on success sample: [] type: list urls: description: - An array of URL pattern list names to be evaluated against the HTTP(S) request target. returned: on success sample: [] type: list description: - '' returned: on success type: complex inspection: description: - Type of inspection to affect the Traffic flow. This is only applicable if action is INSPECT. - ' * INTRUSION_DETECTION - Intrusion Detection. * INTRUSION_PREVENTION - Intrusion Detection and Prevention. Traffic classified as potentially malicious will be rejected as described in `type`.' returned: on success sample: INTRUSION_DETECTION type: str name: description: - Name for the Security rule, must be unique within the policy. returned: on success sample: name_example type: str description: - List of Security Rules defining the behavior of the policy. The first rule with a matching condition determines the action taken upon network traffic. - Returned for get operation returned: on success type: complex system_tags: description: - 'Usage of system tag keys. These predefined keys are scoped to namespaces. Example: `{"orcl-cloud": {"free-tier-retained": "true"}}`' returned: on success sample: {} type: dict time_created: description: - 'The time instant at which the Network Firewall Policy was created in the format defined by L(RFC3339,https://tools.ietf.org/html/rfc3339). Example: `2016-08-25T21:10:29.600Z`' returned: on success sample: '2013-10-20T19:20:30+01:00' type: str time_updated: description: - 'The time instant at which the Network Firewall Policy was updated in the format defined by L(RFC3339,https://tools.ietf.org/html/rfc3339). Example: `2016-08-25T21:10:29.600Z`' returned: on success sample: '2013-10-20T19:20:30+01:00' type: str url_lists: description: - Map defining URL pattern lists of the policy. The value of an entry is a list of URL patterns. The associated key is the identifier by which the URL pattern list is referenced. - Returned for get operation returned: on success sample: {} type: dict description: - List of NetworkFirewallPolicy resources returned: on success sample: - application_lists: {} compartment_id: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx decryption_profiles: are_certificate_extensions_restricted: true is_auto_include_alt_name: true is_expired_certificate_blocked: true is_out_of_capacity_blocked: true is_revocation_status_timeout_blocked: true is_unknown_revocation_status_blocked: true is_unsupported_cipher_blocked: true is_unsupported_version_blocked: true is_untrusted_issuer_blocked: true type: SSL_INBOUND_INSPECTION decryption_rules: - action: NO_DECRYPT condition: destinations: [] sources: [] decryption_profile: decryption_profile_example name: name_example secret: secret_example defined_tags: Operations: CostCenter: US display_name: display_name_example freeform_tags: Department: Finance id: ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx ip_address_lists: {} is_firewall_attached: true lifecycle_details: lifecycle_details_example lifecycle_state: CREATING mapped_secrets: source: OCI_VAULT type: SSL_INBOUND_INSPECTION vault_secret_id: ocid1.vaultsecret.oc1..xxxxxxEXAMPLExxxxxx version_number: 56 security_rules: - action: ALLOW condition: applications: [] destinations: [] sources: [] urls: [] inspection: INTRUSION_DETECTION name: name_example system_tags: {} time_created: '2013-10-20T19:20:30+01:00' time_updated: '2013-10-20T19:20:30+01:00' url_lists: {} type: complex