vmware_host_firewall_manager – Manage firewall configurations about an ESXi host

New in version 2.5.

Synopsis

  • This module can be used to manage firewall configurations about an ESXi host when ESXi hostname or Cluster name is given.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6
  • PyVmomi

Parameters

Parameter Choices/Defaults Comments
cluster_name
string
Name of the cluster.
Firewall settings are applied to every ESXi host system in given cluster.
If esxi_hostname is not given, this parameter is required.
esxi_hostname
string
ESXi hostname.
Firewall settings are applied to this ESXi host system.
If cluster_name is not given, this parameter is required.
hostname
string
The hostname or IP address of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_HOST will be used instead.
Environment variable support added in Ansible 2.6.
password
string
The password of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_PASSWORD will be used instead.
Environment variable support added in Ansible 2.6.

aliases: pass, pwd
port
integer
added in 2.5
 Default:
443
The port number of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_PORT will be used instead.
Environment variable support added in Ansible 2.6.
proxy_host
string
added in 2.9
Address of a proxy that will receive all HTTPS requests and relay them.
The format is a hostname or a IP.
If the value is not specified in the task, the value of environment variable VMWARE_PROXY_HOST will be used instead.
This feature depends on a version of pyvmomi greater than v6.7.1.2018.12
proxy_port
integer
added in 2.9
Port of the HTTP proxy that will receive all HTTPS requests and relay them.
If the value is not specified in the task, the value of environment variable VMWARE_PROXY_PORT will be used instead.
rules
list
Default:
[]
A list of Rule set which needs to be managed.
Each member of list is rule set name and state to be set the rule.
Both rule name and rule state are required parameters.
Additional IPs and networks can also be specified
Please see examples for more information.
username
string
The username of the vSphere vCenter or ESXi server.
If the value is not specified in the task, the value of environment variable VMWARE_USER will be used instead.
Environment variable support added in Ansible 2.6.

aliases: admin, user
validate_certs
boolean
    Choices:
  • no
  • yes ←
Allows connection when SSL certificates are not valid. Set to false when certificates are not trusted.
If the value is not specified in the task, the value of environment variable VMWARE_VALIDATE_CERTS will be used instead.
Environment variable support added in Ansible 2.6.
If set to yes, please make sure Python >= 2.7.9 is installed on the given machine.

Notes

Note

  • Tested on vSphere 6.0, vSphere 6.5

Examples

- name: Enable vvold rule set for all ESXi Host in given Cluster
  vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    cluster_name: cluster_name
    rules:
        - name: vvold
          enabled: True
  delegate_to: localhost

- name: Enable vvold rule set for an ESXi Host
  vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    esxi_hostname: '{{ esxi_hostname }}'
    rules:
        - name: vvold
          enabled: True
  delegate_to: localhost

- name: Manage multiple rule set for an ESXi Host
  vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    esxi_hostname: '{{ esxi_hostname }}'
    rules:
        - name: vvold
          enabled: True
        - name: CIMHttpServer
          enabled: False
  delegate_to: localhost

- name: Manage IP and network based firewall permissions for ESXi
  vmware_host_firewall_manager:
    hostname: '{{ vcenter_hostname }}'
    username: '{{ vcenter_username }}'
    password: '{{ vcenter_password }}'
    esxi_hostname: '{{ esxi_hostname }}'
    rules:
        - name: gdbserver
          enabled: True
          allowed_hosts:
            all_ip: False
            ip_address:
              - 192.168.20.10
              - 192.168.20.11
        - name: CIMHttpServer
          enabled: True
          allowed_hosts:
            all_ip: False
            ip_network:
              - 192.168.100.0/24
        - name: remoteSerialPort
          enabled: True
          allowed_hosts:
            all_ip: False
            ip_address:
              - 192.168.100.11
            ip_network:
              - 192.168.200.0/24
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
rule_set_state
dictionary
success
dict with hostname as key and dict with firewall rule set facts as value

Sample:
{'rule_set_state': {'localhost.localdomain': {'CIMHttpServer': {'current_state': False, 'desired_state': False, 'previous_state': True, 'allowed_hosts': {'current_allowed_all': True, 'previous_allowed_all': True, 'desired_allowed_all': True, 'current_allowed_ip': [], 'previous_allowed_ip': [], 'desired_allowed_ip': [], 'current_allowed_networks': [], 'previous_allowed_networks': [], 'desired_allowed_networks': []}}, 'remoteSerialPort': {'current_state': True, 'desired_state': True, 'previous_state': True, 'allowed_hosts': {'current_allowed_all': False, 'previous_allowed_all': True, 'desired_allowed_all': False, 'current_allowed_ip': ['192.168.100.11'], 'previous_allowed_ip': [], 'desired_allowed_ip': ['192.168.100.11'], 'current_allowed_networks': ['192.168.200.0/24'], 'previous_allowed_networks': [], 'desired_allowed_networks': ['192.168.200.0/24']}}}}}


Status

Authors

  • Abhijeet Kasurde (@Akasurde)
  • Aaron Longchamps (@alongchamps)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.