ngine_io.cloudstack.cs_firewall – Manages firewall rules on Apache CloudStack based clouds.

Note

This plugin is part of the ngine_io.cloudstack collection (version 2.1.0).

To install it use: ansible-galaxy collection install ngine_io.cloudstack.

To use it in a playbook, specify: ngine_io.cloudstack.cs_firewall.

New in version 0.1.0: of ngine_io.cloudstack

Synopsis

  • Creates and removes firewall rules.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6

  • cs >= 0.9.0

Parameters

Parameter Choices/Defaults Comments
account
string
Account the firewall rule is related to.
api_http_method
string
    Choices:
  • get ←
  • post
HTTP method used to query the API endpoint.
If not given, the CLOUDSTACK_METHOD env variable is considered.
api_key
string / required
API key of the CloudStack API.
If not given, the CLOUDSTACK_KEY env variable is considered.
api_secret
string / required
Secret key of the CloudStack API.
If not set, the CLOUDSTACK_SECRET env variable is considered.
api_timeout
integer
Default:
10
HTTP timeout in seconds.
If not given, the CLOUDSTACK_TIMEOUT env variable is considered.
api_url
string / required
URL of the CloudStack API e.g. https://cloud.example.com/client/api.
If not given, the CLOUDSTACK_ENDPOINT env variable is considered.
api_verify_ssl_cert
string
Verify CA authority cert file.
If not given, the CLOUDSTACK_VERIFY env variable is considered.
cidrs
list / elements=string
Default:
"0.0.0.0/0"
List of CIDRs (full notation) to be used for firewall rule.
Since version 2.5, it is a list of CIDR.

aliases: cidr
domain
string
Domain the firewall rule is related to.
end_port
integer
End port for this rule. Considered if protocol=tcp or protocol=udp.
If not specified, equal start_port.
icmp_code
integer
Error code for this icmp message.
Considered if protocol=icmp.
icmp_type
integer
Type of the icmp message being sent.
Considered if protocol=icmp.
ip_address
string
Public IP address the ingress rule is assigned to.
Required if type=ingress.
network
string
Network the egress rule is related to.
Required if type=egress.
poll_async
boolean
    Choices:
  • no
  • yes ←
Poll async jobs until job has finished.
project
string
Name of the project the firewall rule is related to.
protocol
string
    Choices:
  • tcp ←
  • udp
  • icmp
  • all
Protocol of the firewall rule.
all is only available if type=egress.
start_port
integer
Start port for this rule.
Considered if protocol=tcp or protocol=udp.

aliases: port
state
string
    Choices:
  • present ←
  • absent
State of the firewall rule.
tags
list / elements=dictionary
List of tags. Tags are a list of dictionaries having keys key and value.
To delete all tags, set an empty list e.g. tags: [].

aliases: tag
type
string
    Choices:
  • ingress ←
  • egress
Type of the firewall rule.
zone
string / required
Name of the zone in which the virtual machine is in.

Notes

Note

  • A detailed guide about cloudstack modules can be found in the CloudStack Cloud Guide.

  • This module supports check mode.

Examples

- name: Allow inbound port 80/tcp from 1.2.3.4 to 4.3.2.1
  ngine_io.cloudstack.cs_firewall:
    ip_address: 4.3.2.1
    zone: zone01
    port: 80
    cidr: 1.2.3.4/32

- name: Allow inbound tcp/udp port 53 to 4.3.2.1
  ngine_io.cloudstack.cs_firewall:
    ip_address: 4.3.2.1
    zone: zone01
    port: 53
    protocol: '{{ item }}'
  with_items:
  - tcp
  - udp

- name: Ensure firewall rule is removed
  ngine_io.cloudstack.cs_firewall:
    ip_address: 4.3.2.1
    zone: zone01
    start_port: 8000
    end_port: 8888
    cidr: 17.0.0.0/8
    state: absent

- name: Allow all outbound traffic
  ngine_io.cloudstack.cs_firewall:
    network: my_network
    zone: zone01
    type: egress
    protocol: all

- name: Allow only HTTP outbound traffic for an IP
  ngine_io.cloudstack.cs_firewall:
    network: my_network
    zone: zone01
    type: egress
    port: 80
    cidr: 10.101.1.20

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
cidr
string
success
CIDR string of the rule.

Sample:
0.0.0.0/0
cidrs
list / elements=string
success
CIDR list of the rule.

Sample:
['0.0.0.0/0']
end_port
integer
success
End port of the rule.

Sample:
80
icmp_code
integer
success
ICMP code of the rule.

Sample:
1
icmp_type
integer
success
ICMP type of the rule.

Sample:
1
id
string
success
UUID of the rule.

Sample:
04589590-ac63-4ffc-93f5-b698b8ac38b6
ip_address
string
success
IP address of the rule if type=ingress

Sample:
10.100.212.10
network
string
success
Name of the network if type=egress

Sample:
my_network
protocol
string
success
Protocol of the rule.

Sample:
tcp
start_port
integer
success
Start port of the rule.

Sample:
80
type
string
success
Type of the rule.

Sample:
ingress


Authors

  • René Moser (@resmo)