ngine_io.cloudstack.cs_network_acl_rule – Manages network access control list (ACL) rules on Apache CloudStack based clouds.

Note

This plugin is part of the ngine_io.cloudstack collection (version 2.1.0).

To install it use: ansible-galaxy collection install ngine_io.cloudstack.

To use it in a playbook, specify: ngine_io.cloudstack.cs_network_acl_rule.

New in version 0.1.0: of ngine_io.cloudstack

Synopsis

  • Add, update and remove network ACL rules.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6

  • cs >= 0.9.0

Parameters

Parameter Choices/Defaults Comments
account
string
Account the VPC is related to.
action_policy
string
    Choices:
  • allow ←
  • deny
Action policy of the rule.

aliases: action
api_http_method
string
    Choices:
  • get ←
  • post
HTTP method used to query the API endpoint.
If not given, the CLOUDSTACK_METHOD env variable is considered.
api_key
string / required
API key of the CloudStack API.
If not given, the CLOUDSTACK_KEY env variable is considered.
api_secret
string / required
Secret key of the CloudStack API.
If not set, the CLOUDSTACK_SECRET env variable is considered.
api_timeout
integer
Default:
10
HTTP timeout in seconds.
If not given, the CLOUDSTACK_TIMEOUT env variable is considered.
api_url
string / required
URL of the CloudStack API e.g. https://cloud.example.com/client/api.
If not given, the CLOUDSTACK_ENDPOINT env variable is considered.
api_verify_ssl_cert
string
Verify CA authority cert file.
If not given, the CLOUDSTACK_VERIFY env variable is considered.
cidrs
list / elements=string
Default:
["0.0.0.0/0"]
CIDRs of the rule.

aliases: cidr
domain
string
Domain the VPC is related to.
end_port
integer
End port for this rule.
Considered if protocol=tcp or protocol=udp.
If not specified, equal start_port.
icmp_code
integer
Error code for this icmp message.
Considered if protocol=icmp.
icmp_type
integer
Type of the icmp message being sent.
Considered if protocol=icmp.
network_acl
string / required
Name of the network ACL.

aliases: acl
poll_async
boolean
    Choices:
  • no
  • yes ←
Poll async jobs until job has finished.
project
string
Name of the project the VPC is related to.
protocol
string
    Choices:
  • tcp ←
  • udp
  • icmp
  • all
  • by_number
Protocol of the rule
protocol_number
integer
Protocol number from 1 to 256 required if protocol=by_number.
rule_position
integer / required
The position of the network ACL rule.

aliases: number
start_port
integer
Start port for this rule.
Considered if protocol=tcp or protocol=udp.

aliases: port
state
string
    Choices:
  • present ←
  • absent
State of the network ACL rule.
tags
list / elements=dictionary
List of tags. Tags are a list of dictionaries having keys key and value.
If you want to delete all tags, set a empty list e.g. tags: [].

aliases: tag
traffic_type
string
    Choices:
  • ingress ←
  • egress
Traffic type of the rule.

aliases: type
vpc
string / required
VPC the network ACL is related to.
zone
string / required
Name of the zone the VPC related to.

Notes

Note

  • A detailed guide about cloudstack modules can be found in the CloudStack Cloud Guide.

  • This module supports check mode.

Examples

- name: create a network ACL rule, allow port 80 ingress
  ngine_io.cloudstack.cs_network_acl_rule:
    network_acl: web
    rule_position: 1
    vpc: my vpc
    zone: zone01
    traffic_type: ingress
    action_policy: allow
    port: 80
    cidr: 0.0.0.0/0

- name: create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16 and 10.22.0.0/16
  ngine_io.cloudstack.cs_network_acl_rule:
    network_acl: web
    rule_position: 1
    vpc: my vpc
    zone: zone01
    traffic_type: ingress
    action_policy: deny
    start_port: 8000
    end_port: 9000
    cidrs:
    - 10.20.0.0/16
    - 10.22.0.0/16

- name: remove a network ACL rule
  ngine_io.cloudstack.cs_network_acl_rule:
    network_acl: web
    rule_position: 1
    vpc: my vpc
    zone: zone01
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
account
string
success
Account the network ACL rule is related to.

Sample:
example account
action_policy
string
success
Action policy of the network ACL rule.

Sample:
deny
cidr
string
success
CIDR of the network ACL rule.

Sample:
0.0.0.0/0
cidrs
list / elements=string
success
CIDRs of the network ACL rule.

Sample:
['0.0.0.0/0']
domain
string
success
Domain the network ACL rule is related to.

Sample:
example domain
end_port
integer
success
End port of the network ACL rule.

Sample:
80
icmp_code
integer
success
ICMP code of the network ACL rule.

Sample:
8
icmp_type
integer
success
ICMP type of the network ACL rule.
network_acl
string
success
Name of the network ACL.

Sample:
customer acl
project
string
success
Name of project the network ACL rule is related to.

Sample:
Production
protocol
string
success
Protocol of the network ACL rule.

Sample:
tcp
protocol_number
integer
success
Protocol number in case protocol is by number.

Sample:
8
rule_position
integer
success
Position of the network ACL rule.

Sample:
1
start_port
integer
success
Start port of the network ACL rule.

Sample:
80
state
string
success
State of the network ACL rule.

Sample:
Active
tags
list / elements=string
success
List of resource tags associated with the network ACL rule.

Sample:
[ { "key": "foo", "value": "bar" } ]
traffic_type
string
success
Traffic type of the network ACL rule.

Sample:
ingress
vpc
string
success
VPC of the network ACL.

Sample:
customer vpc
zone
string
success
Zone the VPC is related to.

Sample:
ch-gva-2


Authors

  • René Moser (@resmo)