f5networks.f5_modules.bigip_apm_acl module – Manage user-defined APM ACLs
Note
This module is part of the f5networks.f5_modules collection (version 1.17.0).
You might already have this collection installed if you are using the ansible package. It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install f5networks.f5_modules.
To use it in a playbook, specify: f5networks.f5_modules.bigip_apm_acl.
New in version 1.0.0 of f5networks.f5_modules
Parameters
Parameter: Comments
Specifies a number that indicates the order of this ACL relative to other ACLs. When not set, the device will always place the ACL after the last one created. The lower the number, the higher the ACL will be in the general order, with the lowest number Valid range of values is between
User created ACL description.
Access control entries that define the ACL matching and its respective behavior. The order in which the rules are placed as arguments to this parameter determines their order in the ACL; in other words, changing the order of the same elements will cause a change on the unit. Changes in the number of rules will always trigger a device change. This means user input takes precedence over what is on the device.
  Specifies the action that the access control entry takes when a match for this access control entry is encountered. Choices:
  Specifies the destination IP address for the access control entry. When set to
  Optional parameter that specifies the destination network mask for the access control entry. If not specified and
  Specifies the destination port for the access control entry. Can be set to Parameter is mutually exclusive with
  Specifies the destination port range for the access control entry. Parameter is mutually exclusive with To indicate all ports the
  This parameter applies to Layer 7 access control entries only. Specifies a host to which the access control entry applies.
  Specifies the log level that is logged when actions of this type occur. When When Choices:
  This parameter applies to Layer 7 access control entries only. Specifies the path or paths to which the access control entry applies.
  This parameter applies to Layer 4 access control entries only. Specifies the protocol: Choices:
  This parameter applies to Layer 7 access control entries only. Specifies the URI scheme: Choices:
  Specifies the source IP address for the access control entry. When set to
  Optional parameter that specifies the source network mask for the access control entry. If not specified and
  Specifies the source port for the access control entry. Can be set to Parameter is mutually exclusive with
  Specifies the source port range for the access control entry. Parameter is mutually exclusive with To indicate all ports the
Specifies the name of the ACL to manage.
Device partition to manage resources on. Default: “Common”
Specifies whether alphabetic case is considered when matching paths in an access control entry. Choices:
A dict object containing connection details.
  Configures the auth provider used to obtain authentication tokens from the remote device. This option is really only used when working with BIG-IQ devices.
  If You may omit this option by setting the environment variable Previously used variable Choices:
  The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable
  The BIG-IP host. You may omit this option by setting the environment variable
  The BIG-IP server port. You may omit this option by setting the environment variable Default: 443
  Specifies the timeout in seconds for communicating with the network device, for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
  Configures the transport connection to use when connecting to the remote device. Choices:
  The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable
  If You may omit this option by setting the environment variable Choices:
When When Choices:
Specifies the type of ACL to create. Once the type is set it cannot be changed. Choices:
Notes
Note
For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
Requires BIG-IP software version >= 12.
The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP-specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to that module’s documentation for the correct usage of the module to save your running configuration.
Examples
- name: Create a static ACL with L4 entries
  bigip_apm_acl:
    name: L4foo
    acl_order: 0
    type: static
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: reject
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7 entries
  bigip_apm_acl:
    name: L7foo
    acl_order: 1
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
      - action: reject
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7/L4 entries
  bigip_apm_acl:
    name: L7L4foo
    acl_order: 2
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
        dst_port: '8181'
        dst_addr: '192.168.1.1'
        protocol: tcp
      - action: reject
        dst_addr: '192.168.1.1'
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        protocol: all
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Modify static ACL entries
  bigip_apm_acl:
    name: L4foo
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: discard
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: all
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove static ACL
  bigip_apm_acl:
    name: L4foo
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
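The examples above stop after the ACL task, but the Notes section points out that the module only changes the running configuration. The following playbook is an added example (not part of the collection's own documentation) that ties the two together: it creates a deny-by-default L4 ACL and then persists the configuration with bigip_config. It assumes a vault-encrypted variable named bigip_admin_password, a hypothetical ACL name web_restrict, and the save parameter of bigip_config; the entry order is deliberate, since the module treats the list order as the match order on the device.

```yaml
# Added example, not from the f5networks.f5_modules documentation.
# Assumptions: bigip_admin_password is supplied from Ansible Vault,
# web_restrict is a hypothetical ACL name, and bigip_config accepts save.
- name: Manage an APM ACL and persist the configuration
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    provider:
      server: lb.mydomain.com
      user: admin
      password: "{{ bigip_admin_password }}"   # assumed vault-encrypted variable
  tasks:
    - name: Create an L4 ACL that allows HTTPS to one server and rejects the rest
      f5networks.f5_modules.bigip_apm_acl:
        name: web_restrict          # hypothetical ACL name
        acl_order: 0                # lowest number is evaluated first
        type: static                # type cannot be changed once set
        entries:
          # List order is the match order on the device, so the narrow allow
          # must precede the broad reject; swapping them is itself a change.
          - action: allow
            dst_addr: '192.168.1.1'
            dst_port: '443'
            src_addr: '10.10.10.0'
            src_mask: '255.255.255.128'
            protocol: tcp
          - action: reject
            dst_addr: '192.168.1.1'
            dst_port: '*'
            src_addr: '10.10.10.0'
            src_mask: '255.255.255.128'
            protocol: tcp
            log: packet             # log rejected packets for later review
        provider: "{{ provider }}"

    - name: Save the running configuration so the ACL survives a reboot
      f5networks.f5_modules.bigip_config:
        save: true                  # assumed bigip_config parameter
        provider: "{{ provider }}"
```

Because the module replaces the whole entries list with what the playbook supplies, keeping the full allow-then-reject list in one task is what makes the play idempotent: a rerun with the same list reports no change, while any reordering or dropped rule is reported as a change on the unit.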
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key: Description
The order of this ACL relative to other ACLs. Returned: changed. Sample: 10
The new description of the ACL. Returned: changed. Sample: “My ACL”
Access control entries that define the ACL matching and its respective behavior. Returned: changed. Sample: “hash/dictionary of values”
  Action the access control entry takes when a match for this access control entry is encountered. Returned: changed. Sample: “allow”
  The destination IP address for the access control entry. Returned: changed. Sample: “192.168.0.1”
  The destination network mask for the access control entry. Returned: changed. Sample: “255.255.255.128”
  The destination port for the access control entry. Returned: changed. Sample: “80”
  The destination port range for the access control entry. Returned: changed. Sample: “80-81”
  The host to which the access control entry applies. Returned: changed. Sample: “foobar.com”
  The log level that is logged when actions of this type occur. Returned: changed. Sample: “packet”
  The path or paths to which the access control entry applies. Returned: changed. Sample: “/fooshop”
  The protocol to which the access control entry applies. Returned: changed. Sample: “tcp”
  The URI scheme on which the access control entry operates. Returned: changed. Sample: “https”
  The source IP address for the access control entry. Returned: changed. Sample: “192.168.0.1”
  The source network mask for the access control entry. Returned: changed. Sample: “255.255.255.128”
  The source port for the access control entry. Returned: changed. Sample: “80”
  The source port range for the access control entry. Returned: changed. Sample: “80-81”
Specifies whether alphabetic case is considered when matching paths in an access control entry. Returned: changed. Sample: true
The type of ACL to create. Returned: changed. Sample: “static”
Authors
Wojciech Wypior (@wojtek0806)