community.digitalocean.digital_ocean_firewall – Manage cloud firewalls within DigitalOcean

Note

This plugin is part of the community.digitalocean collection (version 1.9.0).

To install it use: ansible-galaxy collection install community.digitalocean.

To use it in a playbook, specify: community.digitalocean.digital_ocean_firewall.

New in version 1.1.0: of community.digitalocean

Synopsis

  • This module can be used to add or remove firewalls on the DigitalOcean cloud platform.

Parameters

Parameter Choices/Defaults Comments
droplet_ids
list / elements=string
List of droplet ids to be assigned to the firewall
inbound_rules
list / elements=dictionary / required
Firewall rules specifically targeting inbound network traffic into DigitalOcean
ports
string / required
The ports on which traffic will be allowed, single, range, or all
protocol
string
    Choices:
  • udp
  • tcp ←
  • icmp
Network protocol to be accepted.
sources
dictionary / required
Dictionary of locations from which inbound traffic will be accepted
addresses
list / elements=string
List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs, and/or IPv6 CIDRs to which the firewall will allow traffic
droplet_ids
list / elements=string
List of integers containing the IDs of the Droplets to which the firewall will allow traffic
load_balancer_uids
list / elements=string
List of strings containing the IDs of the Load Balancers to which the firewall will allow traffic
tags
list / elements=string
List of strings containing the names of Tags corresponding to groups of Droplets to which the Firewall will allow traffic
name
string / required
Name of the firewall rule to create or manage
oauth_token
string
DigitalOcean OAuth token.
There are several other environment variables which can be used to provide this value.
i.e., - 'DO_API_TOKEN', 'DO_API_KEY', 'DO_OAUTH_TOKEN' and 'OAUTH_TOKEN'

aliases: api_token
outbound_rules
list / elements=dictionary / required
Firewall rules specifically targeting outbound network traffic from DigitalOcean
destinations
dictionary / required
Dictionary of locations from which outbound traffic will be allowed
addresses
list / elements=string
List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs, and/or IPv6 CIDRs to which the firewall will allow traffic
droplet_ids
list / elements=string
List of integers containing the IDs of the Droplets to which the firewall will allow traffic
load_balancer_uids
list / elements=string
List of strings containing the IDs of the Load Balancers to which the firewall will allow traffic
tags
list / elements=string
List of strings containing the names of Tags corresponding to groups of Droplets to which the Firewall will allow traffic
ports
string / required
The ports on which traffic will be allowed, single, range, or all
protocol
string
    Choices:
  • udp
  • tcp ←
  • icmp
Network protocol to be accepted.
state
string
    Choices:
  • present ←
  • absent
Assert the state of the firewall rule. Set to 'present' to create or update and 'absent' to remove.
tags
list / elements=string
List of tags to be assigned to the firewall
timeout
integer
Default:
30
The timeout in seconds used for polling DigitalOcean's API.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If set to no, the SSL certificates will not be validated.
This should only set to no used on personally controlled sites using self-signed certificates.

Examples

# Allows tcp connections to port 22 (SSH) from specific sources
# Allows tcp connections to ports 80 and 443 from any source
# Allows outbound access to any destination for protocols tcp, udp and icmp
# The firewall rules will be applied to any droplets with the tag "sample"
- name: Create a Firewall named my-firewall
  digital_ocean_firewall:
    name: my-firewall
    state: present
    inbound_rules:
      - protocol: "tcp"
        ports: "22"
        sources:
          addresses: ["1.2.3.4"]
          droplet_ids: ["my_droplet_id_1", "my_droplet_id_2"]
          load_balancer_uids: ["my_lb_id_1", "my_lb_id_2"]
          tags: ["tag_1", "tag_2"]
      - protocol: "tcp"
        ports: "80"
        sources:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "tcp"
        ports: "443"
        sources:
          addresses: ["0.0.0.0/0", "::/0"]
    outbound_rules:
      - protocol: "tcp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "udp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "icmp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
    droplet_ids: []
    tags: ["sample"]

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
data
dictionary
success
DigitalOcean firewall resource

Sample:
{'created_at': '2020-08-11T18:41:30Z', 'droplet_ids': [], 'id': '7acd6ee2-257b-434f-8909-709a5816d4f9', 'inbound_rules': [{'ports': '443', 'protocol': 'tcp', 'sources': {'addresses': ['1.2.3.4'], 'droplet_ids': ['my_droplet_id_1', 'my_droplet_id_2'], 'load_balancer_uids': ['my_lb_id_1', 'my_lb_id_2'], 'tags': ['tag_1', 'tag_2']}}, {'ports': '80', 'protocol': 'tcp', 'sources': {'addresses': ['0.0.0.0/0', '::/0']}}, {'ports': '443', 'protocol': 'tcp', 'sources': {'addresses': ['0.0.0.0/0', '::/0']}}], 'name': 'my-firewall', 'outbound_rules': [{'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'tcp'}, {'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'udp'}, {'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'icmp'}], 'pending_changes': [], 'status': 'succeeded', 'tags': ['sample']}


Authors

  • Anthony Bond (@BondAnthony)

  • Lucas Basquerotto (@lucasbasquerotto)