oracle.oci.oci_network_firewall_policy_facts (5.0.0) — module

Fetches details about one or multiple NetworkFirewallPolicy resources in Oracle Cloud Infrastructure

Added in version 2.9.0 of oracle.oci

Authors: Oracle (@oracle)

preview | supported by community

Install collection

Install with ansible-galaxy collection install oracle.oci:==5.0.0


Add to requirements.yml

  collections:
    - name: oracle.oci
      version: 5.0.0

Description

Fetches details about one or multiple NetworkFirewallPolicy resources in Oracle Cloud Infrastructure

Returns a list of Network Firewall Policies.

If I(network_firewall_policy_id) is specified, the details of a single NetworkFirewallPolicy will be returned.


Requirements

Usage examples

- name: Get a specific network_firewall_policy
  oci_network_firewall_policy_facts:
    # required
    network_firewall_policy_id: "ocid1.networkfirewallpolicy.oc1..xxxxxxEXAMPLExxxxxx"
- name: List network_firewall_policies
  oci_network_firewall_policy_facts:
    # required
    compartment_id: "ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx"

    # optional
    display_name: display_name_example
    lifecycle_state: CREATING
    sort_order: ASC
    sort_by: timeCreated

Inputs

    
region:
    description:
    - The Oracle Cloud Infrastructure region to use for all OCI API requests. If not set,
      then the value of the OCI_REGION variable, if any, is used. This option is required
      if the region is not specified through a configuration file (See C(config_file_location)).
      Please refer to U(https://docs.us-phoenix-1.oraclecloud.com/Content/General/Concepts/regions.htm)
      for more information on OCI regions.
    type: str

sort_by:
    choices:
    - timeCreated
    - displayName
    description:
    - The field to sort by. Only one sort order may be provided. Default order for timeCreated
      is descending. Default order for displayName is ascending.
    type: str

tenancy:
    description:
    - OCID of your tenancy. If not set, then the value of the OCI_TENANCY variable, if
      any, is used. This option is required if the tenancy OCID is not specified through
      a configuration file (See C(config_file_location)). To get the tenancy OCID, please
      refer to U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm).
    type: str

api_user:
    description:
    - The OCID of the user, on whose behalf, OCI APIs are invoked. If not set, then the
      value of the OCI_USER_ID environment variable, if any, is used. This option is required
      if the user is not specified through a configuration file (See C(config_file_location)).
      To get the user's OCID, please refer to U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm).
    type: str

auth_type:
    choices:
    - api_key
    - instance_principal
    - instance_obo_user
    - resource_principal
    - security_token
    default: api_key
    description:
    - The type of authentication to use for making API requests. By default C(auth_type="api_key")
      based authentication is performed and the API key (see I(api_user_key_file)) in
      your config file will be used. If this 'auth_type' module option is not specified,
      the value of the OCI_ANSIBLE_AUTH_TYPE, if any, is used. Use C(auth_type="instance_principal")
      to use instance principal based authentication when running ansible playbooks within
      an OCI compute instance.
    type: str

sort_order:
    choices:
    - ASC
    - DESC
    description:
    - The sort order to use, either 'ASC' or 'DESC'.
    type: str

cert_bundle:
    description:
    - The full path to a CA certificate bundle to be used for SSL verification. This will
      override the default CA certificate bundle. If not set, then the value of the OCI_ANSIBLE_CERT_BUNDLE
      variable, if any, is used.
    type: str

auth_purpose:
    choices:
    - service_principal
    description:
    - The auth purpose which can be used in conjunction with 'auth_type=instance_principal'.
      The default auth_purpose for instance_principal is None.
    type: str

display_name:
    aliases:
    - name
    description:
    - A filter to return only resources that match the entire display name given.
    type: str

compartment_id:
    description:
    - The ID of the compartment in which to list resources.
    - Required to list multiple network_firewall_policies.
    type: str

lifecycle_state:
    choices:
    - CREATING
    - UPDATING
    - ACTIVE
    - DELETING
    - DELETED
    - FAILED
    description:
    - A filter to return only resources with a lifecycleState matching the given value.
    type: str

api_user_key_file:
    description:
    - Full path and filename of the private key (in PEM format). If not set, then the
      value of the OCI_USER_KEY_FILE variable, if any, is used. This option is required
      if the private key is not specified through a configuration file (See C(config_file_location)).
      If the key is encrypted with a pass-phrase, the C(api_user_key_pass_phrase) option
      must also be provided.
    type: str

config_profile_name:
    description:
    - The profile to load from the config file referenced by C(config_file_location).
      If not set, then the value of the OCI_CONFIG_PROFILE environment variable, if any,
      is used. Otherwise, defaults to the "DEFAULT" profile in C(config_file_location).
    type: str

api_user_fingerprint:
    description:
    - Fingerprint for the key pair being used. If not set, then the value of the OCI_USER_FINGERPRINT
      environment variable, if any, is used. This option is required if the key fingerprint
      is not specified through a configuration file (See C(config_file_location)). To
      get the key pair's fingerprint value, please refer to U(https://docs.us-phoenix-1.oraclecloud.com/Content/API/Concepts/apisigningkey.htm).
    type: str

config_file_location:
    description:
    - Path to configuration file. If not set then the value of the OCI_CONFIG_FILE environment
      variable, if any, is used. Otherwise, defaults to ~/.oci/config.
    type: str

api_user_key_pass_phrase:
    description:
    - Passphrase used by the key referenced in C(api_user_key_file), if it is encrypted.
      If not set, then the value of the OCI_USER_KEY_PASS_PHRASE variable, if any, is
      used. This option is required if the key passphrase is not specified through a configuration
      file (See C(config_file_location)).
    type: str

network_firewall_policy_id:
    aliases:
    - id
    description:
    - Unique Network Firewall Policy identifier
    - Required to get a specific network_firewall_policy.
    type: str

realm_specific_endpoint_template_enabled:
    description:
    - Enable/Disable realm specific endpoint template for service client. By default,
      realm specific endpoint template is disabled. If not set, then the value of the
      OCI_REALM_SPECIFIC_SERVICE_ENDPOINT_TEMPLATE_ENABLED variable, if any, is used.
    type: bool

Outputs

network_firewall_policies:
  contains:
    application_lists:
      description:
      - Map defining application lists of the policy. The value of an entry is a list
        of "applications", each consisting of a protocol identifier (such as TCP,
        UDP, or ICMP) and protocol-specific parameters (such as a port range). The
        associated key is the identifier by which the application list is referenced.
      - Returned for get operation
      returned: on success
      sample: {}
      type: dict
    compartment_id:
      description:
      - The L(OCID,https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)
        of the compartment containing the NetworkFirewall Policy.
      returned: on success
      sample: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
      type: str
    decryption_profiles:
      contains:
        are_certificate_extensions_restricted:
          description:
          - Whether to block sessions if the server's certificate uses extensions
            other than key usage and/or extended key usage.
          returned: on success
          sample: true
          type: bool
        is_auto_include_alt_name:
          description:
          - Whether to automatically append SAN to impersonating certificate if server
            certificate is missing SAN.
          returned: on success
          sample: true
          type: bool
        is_expired_certificate_blocked:
          description:
          - Whether to block sessions if server's certificate is expired.
          returned: on success
          sample: true
          type: bool
        is_out_of_capacity_blocked:
          description:
          - Whether to block sessions if the firewall is temporarily unable to decrypt
            their traffic.
          returned: on success
          sample: true
          type: bool
        is_revocation_status_timeout_blocked:
          description:
          - Whether to block sessions if the revocation status check for server's
            certificate does not succeed within the maximum allowed time (defaulting
            to 5 seconds).
          returned: on success
          sample: true
          type: bool
        is_unknown_revocation_status_blocked:
          description:
          - Whether to block sessions if the revocation status check for server's
            certificate results in "unknown".
          returned: on success
          sample: true
          type: bool
        is_unsupported_cipher_blocked:
          description:
          - Whether to block sessions if SSL cipher suite is not supported.
          returned: on success
          sample: true
          type: bool
        is_unsupported_version_blocked:
          description:
          - Whether to block sessions if SSL version is not supported.
          returned: on success
          sample: true
          type: bool
        is_untrusted_issuer_blocked:
          description:
          - Whether to block sessions if server's certificate is issued by an untrusted
            certificate authority (CA).
          returned: on success
          sample: true
          type: bool
        type:
          description:
          - Describes the type of Decryption Profile SslForwardProxy or SslInboundInspection.
          returned: on success
          sample: SSL_INBOUND_INSPECTION
          type: str
      description:
      - Map defining decryption profiles of the policy. The value of an entry is a
        decryption profile. The associated key is the identifier by which the decryption
        profile is referenced.
      - Returned for get operation
      returned: on success
      type: complex
    decryption_rules:
      contains:
        action:
          description:
          - 'Action:'
          - '* NO_DECRYPT - Matching traffic is not decrypted. * DECRYPT - Matching
            traffic is decrypted with the specified `secret` according to the specified
            `decryptionProfile`.'
          returned: on success
          sample: NO_DECRYPT
          type: str
        condition:
          contains:
            destinations:
              description:
              - An array of IP address list names to be evaluated against the traffic
                destination address.
              returned: on success
              sample: []
              type: list
            sources:
              description:
              - An array of IP address list names to be evaluated against the traffic
                source address.
              returned: on success
              sample: []
              type: list
          description:
          - ''
          returned: on success
          type: complex
        decryption_profile:
          description:
          - The name of the decryption profile to use.
          returned: on success
          sample: decryption_profile_example
          type: str
        name:
          description:
          - Name for the decryption rule, must be unique within the policy.
          returned: on success
          sample: name_example
          type: str
        secret:
          description:
          - The name of a mapped secret. Its `type` must match that of the specified
            decryption profile.
          returned: on success
          sample: secret_example
          type: str
      description:
      - List of Decryption Rules defining the behavior of the policy. The first rule
        with a matching condition determines the action taken upon network traffic.
      - Returned for get operation
      returned: on success
      type: complex
    defined_tags:
      description:
      - 'Defined tags for this resource. Each key is predefined and scoped to a namespace.
        Example: `{"foo-namespace": {"bar-key": "value"}}`'
      returned: on success
      sample:
        Operations:
          CostCenter: US
      type: dict
    display_name:
      description:
      - A user-friendly optional name for the firewall policy. Avoid entering confidential
        information.
      returned: on success
      sample: display_name_example
      type: str
    freeform_tags:
      description:
      - 'Simple key-value pair that is applied without any predefined name, type or
        scope. Exists for cross-compatibility only. Example: `{"bar-key": "value"}`'
      returned: on success
      sample:
        Department: Finance
      type: dict
    id:
      description:
      - The L(OCID,https://docs.cloud.oracle.com/iaas/Content/General/Concepts/identifiers.htm)
        of the resource - Network Firewall Policy.
      returned: on success
      sample: ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
      type: str
    ip_address_lists:
      description:
      - Map defining IP address lists of the policy. The value of an entry is a list
        of IP addresses or prefixes in CIDR notation. The associated key is the identifier
        by which the IP address list is referenced.
      - Returned for get operation
      returned: on success
      sample: {}
      type: dict
    is_firewall_attached:
      description:
      - To determine if any Network Firewall is associated with this Network Firewall
        Policy.
      - Returned for get operation
      returned: on success
      sample: true
      type: bool
    lifecycle_details:
      description:
      - A message describing the current state in more detail. For example, can be
        used to provide actionable information for a resource in Failed state.
      returned: on success
      sample: lifecycle_details_example
      type: str
    lifecycle_state:
      description:
      - The current state of the Network Firewall Policy.
      returned: on success
      sample: CREATING
      type: str
    mapped_secrets:
      contains:
        source:
          description:
          - Source of the secrets, where the secrets are stored.
          returned: on success
          sample: OCI_VAULT
          type: str
        type:
          description:
          - Type of the secrets mapped based on the policy.
          - '* `SSL_INBOUND_INSPECTION`: For Inbound inspection of SSL traffic. *
            `SSL_FORWARD_PROXY`: For forward proxy certificates for SSL inspection.'
          returned: on success
          sample: SSL_INBOUND_INSPECTION
          type: str
        vault_secret_id:
          description:
          - OCID for the Vault Secret to be used.
          returned: on success
          sample: ocid1.vaultsecret.oc1..xxxxxxEXAMPLExxxxxx
          type: str
        version_number:
          description:
          - Version number of the secret to be used.
          returned: on success
          sample: 56
          type: int
      description:
      - Map defining secrets of the policy. The value of an entry is a "mapped secret"
        consisting of a purpose and source. The associated key is the identifier by
        which the mapped secret is referenced.
      - Returned for get operation
      returned: on success
      type: complex
    security_rules:
      contains:
        action:
          description:
          - Types of Action on the Traffic flow.
          - ' * ALLOW - Allows the traffic. * DROP - Silently drops the traffic, e.g.
            without sending a TCP reset. * REJECT - Rejects the traffic, sending a
            TCP reset to client and/or server as applicable. * INSPECT - Inspects
            traffic for vulnerability as specified in `inspection`, which may result
            in rejection.'
          returned: on success
          sample: ALLOW
          type: str
        condition:
          contains:
            applications:
              description:
              - An array of application list names to be evaluated against the traffic
                protocol and protocol-specific parameters.
              returned: on success
              sample: []
              type: list
            destinations:
              description:
              - An array of IP address list names to be evaluated against the traffic
                destination address.
              returned: on success
              sample: []
              type: list
            sources:
              description:
              - An array of IP address list names to be evaluated against the traffic
                source address.
              returned: on success
              sample: []
              type: list
            urls:
              description:
              - An array of URL pattern list names to be evaluated against the HTTP(S)
                request target.
              returned: on success
              sample: []
              type: list
          description:
          - ''
          returned: on success
          type: complex
        inspection:
          description:
          - Type of inspection to affect the Traffic flow. This is only applicable
            if action is INSPECT.
          - ' * INTRUSION_DETECTION - Intrusion Detection. * INTRUSION_PREVENTION
            - Intrusion Detection and Prevention. Traffic classified as potentially
            malicious will be rejected as described in `type`.'
          returned: on success
          sample: INTRUSION_DETECTION
          type: str
        name:
          description:
          - Name for the Security rule, must be unique within the policy.
          returned: on success
          sample: name_example
          type: str
      description:
      - List of Security Rules defining the behavior of the policy. The first rule
        with a matching condition determines the action taken upon network traffic.
      - Returned for get operation
      returned: on success
      type: complex
    system_tags:
      description:
      - 'Usage of system tag keys. These predefined keys are scoped to namespaces.
        Example: `{"orcl-cloud": {"free-tier-retained": "true"}}`'
      returned: on success
      sample: {}
      type: dict
    time_created:
      description:
      - 'The time instant at which the Network Firewall Policy was created in the
        format defined by L(RFC3339,https://tools.ietf.org/html/rfc3339). Example:
        `2016-08-25T21:10:29.600Z`'
      returned: on success
      sample: '2013-10-20T19:20:30+01:00'
      type: str
    time_updated:
      description:
      - 'The time instant at which the Network Firewall Policy was updated in the
        format defined by L(RFC3339,https://tools.ietf.org/html/rfc3339). Example:
        `2016-08-25T21:10:29.600Z`'
      returned: on success
      sample: '2013-10-20T19:20:30+01:00'
      type: str
    url_lists:
      description:
      - Map defining URL pattern lists of the policy. The value of an entry is a list
        of URL patterns. The associated key is the identifier by which the URL pattern
        list is referenced.
      - Returned for get operation
      returned: on success
      sample: {}
      type: dict
  description:
  - List of NetworkFirewallPolicy resources
  returned: on success
  sample:
  - application_lists: {}
    compartment_id: ocid1.compartment.oc1..xxxxxxEXAMPLExxxxxx
    decryption_profiles:
      are_certificate_extensions_restricted: true
      is_auto_include_alt_name: true
      is_expired_certificate_blocked: true
      is_out_of_capacity_blocked: true
      is_revocation_status_timeout_blocked: true
      is_unknown_revocation_status_blocked: true
      is_unsupported_cipher_blocked: true
      is_unsupported_version_blocked: true
      is_untrusted_issuer_blocked: true
      type: SSL_INBOUND_INSPECTION
    decryption_rules:
    - action: NO_DECRYPT
      condition:
        destinations: []
        sources: []
      decryption_profile: decryption_profile_example
      name: name_example
      secret: secret_example
    defined_tags:
      Operations:
        CostCenter: US
    display_name: display_name_example
    freeform_tags:
      Department: Finance
    id: ocid1.resource.oc1..xxxxxxEXAMPLExxxxxx
    ip_address_lists: {}
    is_firewall_attached: true
    lifecycle_details: lifecycle_details_example
    lifecycle_state: CREATING
    mapped_secrets:
      source: OCI_VAULT
      type: SSL_INBOUND_INSPECTION
      vault_secret_id: ocid1.vaultsecret.oc1..xxxxxxEXAMPLExxxxxx
      version_number: 56
    security_rules:
    - action: ALLOW
      condition:
        applications: []
        destinations: []
        sources: []
        urls: []
      inspection: INTRUSION_DETECTION
      name: name_example
    system_tags: {}
    time_created: '2013-10-20T19:20:30+01:00'
    time_updated: '2013-10-20T19:20:30+01:00'
    url_lists: {}
  type: complex
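
The fields returned for a get operation can be checked mechanically once the task result is registered. As an added example (not part of the module documentation or Oracle's code), this Python function audits one policy dict for decryption-profile flags that leave sessions unblocked, for DECRYPT rules whose secret and profile types disagree, and for security rules hidden by first-match ordering. It assumes the name-keyed map shapes from the field descriptions and that an empty condition list matches any value; the check names and the sample policy are constructed.

```python
# Added example: audit one entry of `network_firewall_policies` (get operation).
BLOCK_FLAGS = (
    "is_expired_certificate_blocked", "is_untrusted_issuer_blocked",
    "is_unknown_revocation_status_blocked", "is_revocation_status_timeout_blocked",
    "is_unsupported_version_blocked", "is_unsupported_cipher_blocked",
    "is_out_of_capacity_blocked",
)
CONDITION_KEYS = ("sources", "destinations", "applications", "urls")


def audit_policy(policy):
    """Return a sorted list of (check, subject, detail) findings."""
    findings = []
    profiles = policy.get("decryption_profiles") or {}
    secrets = policy.get("mapped_secrets") or {}

    # Every *_blocked flag left false is a condition under which sessions pass.
    for name, profile in profiles.items():
        for flag in BLOCK_FLAGS:
            if not profile.get(flag, False):
                findings.append(("FAIL_OPEN", name, flag))
    # DECRYPT rules must reference defined names whose types agree.
    for rule in policy.get("decryption_rules") or []:
        if rule.get("action") != "DECRYPT":
            continue
        profile = profiles.get(rule.get("decryption_profile"))
        secret = secrets.get(rule.get("secret"))
        if profile is None or secret is None:
            findings.append(("DANGLING_REF", rule["name"], "undefined profile or secret"))
        elif profile.get("type") != secret.get("type"):
            detail = f"{secret.get('type')} secret with {profile.get('type')} profile"
            findings.append(("TYPE_MISMATCH", rule["name"], detail))
    # First match wins, so a catch-all rule hides every rule listed after it.
    rules = policy.get("security_rules") or []
    for index, rule in enumerate(rules):
        condition = rule.get("condition") or {}
        # Assumption: an empty or missing condition list matches any value.
        if any(condition.get(key) for key in CONDITION_KEYS):
            continue
        if rule.get("action") == "ALLOW":
            findings.append(("ALLOW_ANY", rule["name"], "all traffic allowed"))
        for later in rules[index + 1:]:
            findings.append(("SHADOWED", later["name"], f"after {rule['name']}"))
        break
    return sorted(findings)


# Constructed sample shaped like the documented return value.
STRICT = {flag: True for flag in BLOCK_FLAGS}
SAMPLE_POLICY = {
    "decryption_profiles": {"forward-lax": {
        **STRICT, "type": "SSL_FORWARD_PROXY", "is_expired_certificate_blocked": False}},
    "mapped_secrets": {"web-cert": {"type": "SSL_INBOUND_INSPECTION", "source": "OCI_VAULT"}},
    "decryption_rules": [{"name": "decrypt-out", "action": "DECRYPT",
                          "decryption_profile": "forward-lax", "secret": "web-cert"}],
    "security_rules": [
        {"name": "allow-all", "action": "ALLOW", "condition": {"sources": [], "urls": []}},
        {"name": "ips-web", "action": "INSPECT", "inspection": "INTRUSION_PREVENTION",
         "condition": {"applications": ["web"]}},
    ],
}

if __name__ == "__main__":
    for finding in audit_policy(SAMPLE_POLICY):
        print(*finding, sep=" | ")
```

A catch-all DROP or REJECT rule placed last produces no finding, since nothing follows it to be shadowed.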