community.aws.networkfirewall_rule_group_info module – describe AWS Network Firewall rule groups
Note
This module is part of the community.aws collection (version 5.5.0).
You might already have this collection installed if you are using the ansible
package.
It is not included in ansible-core
.
To check whether it is installed, run ansible-galaxy collection list
.
To install it, use: ansible-galaxy collection install community.aws
.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: community.aws.networkfirewall_rule_group_info
.
New in community.aws 4.0.0
Synopsis
A module for describing AWS Network Firewall rule groups.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.6
boto3 >= 1.18.0
botocore >= 1.21.0
Parameters
Parameter |
Comments |
---|---|
AWS access key ID. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The The aws_access_key and profile options are mutually exclusive. The aws_access_key_id alias was added in release 5.1.0 for consistency with the AWS botocore SDK. The ec2_access_key alias has been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
The ARN of the Network Firewall rule group. At time of writing AWS does not support describing Managed Rules. |
|
The location of a CA Bundle to use when validating SSL certificates. The |
|
A dictionary to modify the botocore configuration. Parameters can be found in the AWS documentation https://botocore.amazonaws.com/v1/documentation/api/latest/reference/config.html#botocore.config.Config. |
|
Use a The Choices:
|
|
URL to connect to instead of the default AWS endpoints. While this can be used to connection to other AWS-compatible services the amazon.aws and community.aws collections are only tested against AWS. The The ec2_url and s3_url aliases have been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
The name of the Network Firewall rule group. |
|
A named AWS profile to use for authentication. See the AWS documentation for more information about named profiles https://docs.aws.amazon.com/cli/latest/userguide/cli-configure-profiles.html. The The profile option is mutually exclusive with the aws_access_key, aws_secret_key and security_token options. |
|
The AWS region to use. For global services such as IAM, Route53 and CloudFront, region is ignored. The See the Amazon AWS documentation for more information http://docs.aws.amazon.com/general/latest/gr/rande.html#ec2_region. The Support for the |
|
Indicates whether the rule group is stateless or stateful. Required if name is provided. Choices:
|
|
The scope of the request. When scope=’account’ returns a description of all rule groups in the account. When scope=’managed’ returns a list of available managed rule group arns. By default searches only at the account scope. scope=’managed’ requires botocore>=1.23.23. Choices:
|
|
AWS secret access key. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The The secret_key and profile options are mutually exclusive. The aws_secret_access_key alias was added in release 5.1.0 for consistency with the AWS botocore SDK. The ec2_secret_key alias has been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
AWS STS session token for use with temporary credentials. See the AWS documentation for more information about access tokens https://docs.aws.amazon.com/general/latest/gr/aws-sec-cred-types.html#access-keys-and-secret-access-keys. The The security_token and profile options are mutually exclusive. Aliases aws_session_token and session_token were added in release 3.2.0, with the parameter being renamed from security_token to session_token in release 6.0.0. The security_token, aws_security_token, and access_token aliases have been deprecated and will be removed in a release after 2024-12-01. Support for the |
|
When set to Setting validate_certs=false is strongly discouraged, as an alternative, consider setting aws_ca_bundle instead. Choices:
|
Notes
Note
Caution: For modules, environment variables and configuration files are read from the Ansible ‘host’ context and not the ‘controller’ context. As such, files may need to be explicitly copied to the ‘host’. For lookup and connection plugins, environment variables and configuration files are read from the Ansible ‘controller’ context and not the ‘host’ context.
The AWS SDK (boto3) that Ansible uses may also read defaults for credentials and other settings, such as the region, from its configuration files in the Ansible ‘host’ context (typically
~/.aws/credentials
). See https://boto3.amazonaws.com/v1/documentation/api/latest/guide/credentials.html for more information.
Examples
# Describe all Rule Groups in an account (excludes managed groups)
- community.aws.networkfirewall_rule_group_info: {}
# List the available Managed Rule groups (AWS doesn't support describing the
# groups)
- community.aws.networkfirewall_rule_group_info:
scope: managed
# Describe a Rule Group by ARN
- community.aws.networkfirewall_rule_group_info:
arn: arn:aws:network-firewall:us-east-1:123456789012:stateful-rulegroup/ExampleRuleGroup
# Describe a Rule Group by name
- community.aws.networkfirewall_rule_group_info:
name: ExampleRuleGroup
type: stateful
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
---|---|
The details of the rule groups Returned: success |
|
Details of the rules in the rule group Returned: success |
|
Settings that are available for use in the rules in the rule group. Returned: When rule variables are attached to the rule group. |
|
A dictionary mapping variable names to IP addresses in CIDR format. Returned: success Sample: |
|
A dictionary mapping variable names to ports Returned: success Sample: |
|
DEFAULT_ACTION_ORDER Returned: success |
|
A description of the criteria for a domain list rule group. Returned: When the rule group is “domain list” based. |
|
Whether the rule group allows or denies access to the domains in the list. Returned: success Sample: |
|
The protocols to be inspected by the rule group. Returned: success Sample: |
|
A list of domain names to be inspected for. Returned: success Sample: |
|
A string describing the rules that the rule group is comprised of. Returned: When the rule group is “rules string” based. |
|
A list of dictionaries describing the rules that the rule group is comprised of. Returned: When the rule group is “rules list” based. |
|
What action to perform when a flow matches the rule criteria. Returned: success Sample: |
|
A description of the criteria used for the rule. Returned: success |
|
The destination address or range of addresses to inspect for. Returned: success Sample: |
|
The destination port to inspect for. Returned: success Sample: |
|
The direction of traffic flow to inspect. Returned: success Sample: |
|
The protocol to inspect for. Returned: success Sample: |
|
The source address or range of addresses to inspect for. Returned: success Sample: |
|
The source port to inspect for. Returned: success Sample: |
|
Additional Suricata RuleOptions settings for the rule. Returned: success |
|
The keyword for the setting. Returned: success Sample: |
|
A list of values passed to the setting. Returned: When values are available |
|
A description of the criteria for a stateless rule group. Returned: When the rule group is a stateless rule group. |
|
A list of individual custom action definitions that are available for use in stateless rules. Returned: success |
|
The custom action associated with the action name. Returned: success |
|
The description of an action which publishes to CloudWatch. Returned: When the action publishes to CloudWatch. |
|
The value to use in an Amazon CloudWatch custom metric dimension. Returned: success |
|
The value to use in the custom metric dimension. Returned: success |
|
The name for the custom action. Returned: success |
|
A list of stateless rules for use in a stateless rule group. Returned: success |
|
Indicates the order in which to run this rule relative to all of the rules that are defined for a stateless rule group. Returned: success |
|
Describes the stateless 5-tuple inspection criteria and actions for the rule. Returned: success |
|
The actions to take when a flow matches the rule. Returned: success Sample: |
|
Describes the stateless 5-tuple inspection criteria for the rule. Returned: success |
|
The destination port ranges to inspect for. Returned: success |
|
The lower limit of the port range. Returned: success |
|
The upper limit of the port range. Returned: success |
|
The destination IP addresses and address ranges to inspect for. Returned: success |
|
An IP address or a block of IP addresses in CIDR notation. Returned: success Sample: |
|
The IANA protocol numbers of the protocols to inspect for. Returned: success Sample: |
|
The source port ranges to inspect for. Returned: success |
|
The lower limit of the port range. Returned: success |
|
The upper limit of the port range. Returned: success |
|
The source IP addresses and address ranges to inspect for. Returned: success |
|
An IP address or a block of IP addresses in CIDR notation. Returned: success Sample: |
|
The TCP flags and masks to inspect for. Returned: success |
|
Used with masks to define the TCP flags that flows are inspected for. Returned: success |
|
The set of flags considered during inspection. Returned: success |
|
Additional options governing how Network Firewall handles stateful rules. Returned: When the rule group is either “rules string” or “rules list” based. |
|
The order in which rules will be evaluated. Returned: success Sample: |
|
Details of the rules in the rule group Returned: success |
|
The maximum operating resources that this rule group can use. Returned: success |
|
The number of capacity units currently consumed by the rule group rules. Returned: success |
|
A description of the rule group. Returned: success |
|
The number of firewall policies that use this rule group. Returned: success |
|
The ARN for the rule group Returned: success Sample: |
|
A unique identifier for the rule group. Returned: success Sample: |
|
The name of the rule group. Returned: success |
|
The current status of a rule group. Returned: success Sample: |
|
A dictionary representing the tags associated with the rule group. Returned: success |
|
Whether the rule group is stateless or stateful. Returned: success Sample: |
|
A list of ARNs of the matching rule groups. Returned: When a rule name isn’t specified |