hetzner.hcloud.firewall module – Create and manage firewalls on the Hetzner Cloud.

Note

This module is part of the hetzner.hcloud collection (version 4.2.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install hetzner.hcloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: hetzner.hcloud.firewall.

Synopsis

• Create, update and manage firewalls on the Hetzner Cloud.

Aliases: hcloud_firewall

Requirements

The below requirements are needed on the host that executes this module.

• python-dateutil >= 2.7.5

• requests >=2.20

Parameters

Parameter	Comments
api_endpoint aliases: endpoint string	The API Endpoint for the Hetzner Cloud. You can also set this option by using the HCLOUD_ENDPOINT environment variable. Default: "https://api.hetzner.cloud/v1"
api_token string / required	The API Token for the Hetzner Cloud. You can also set this option by using the HCLOUD_TOKEN environment variable.
force boolean	Force the deletion of the Firewall when still in use. Choices: false ← (default) true
id integer	The ID of the Hetzner Cloud Firewall to manage. Only required if no firewall name is given.
labels dictionary	User-defined labels (key-value pairs).
name string	The Name of the Hetzner Cloud Firewall to manage. Only required if no firewall id is given, or the firewall does not exist.
rules list / elements=dictionary	List of rules the firewall contain.
description string	User defined description of this rule.
destination_ips list / elements=string	List of CIDRs that are allowed within this rule. Use 0.0.0.0/0 to allow all IPv4 addresses and ::/0 to allow all IPv6 addresses. Only used if rules[].direction=out. Default: []
direction string	The direction of the firewall rule. Choices: "in" "out"
port string	The port or port range allowed by this rule. A port range can be specified by separating two ports with a dash, e.g 1024-5000. Only used if rules[].protocol=tcp or rules[].protocol=udp.
protocol string	The protocol of the firewall rule. Choices: "icmp" "tcp" "udp" "esp" "gre"
source_ips list / elements=string	List of CIDRs that are allowed within this rule. Use 0.0.0.0/0 to allow all IPv4 addresses and ::/0 to allow all IPv6 addresses. Only used if rules[].direction=in. Default: []
state string	State of the firewall. Choices: "absent" "present" ← (default)

See Also

See also

Documentation for Hetzner Cloud API

Complete reference for the Hetzner Cloud API.

Examples

- name: Create a basic firewall
  hetzner.hcloud.firewall:
    name: my-firewall
    state: present

- name: Create a firewall with rules
  hetzner.hcloud.firewall:
    name: my-firewall
    rules:
      - description: allow icmp from everywhere
        direction: in
        protocol: icmp
        source_ips:
          - 0.0.0.0/0
          - ::/0
    state: present

- name: Create a firewall with labels
  hetzner.hcloud.firewall:
    name: my-firewall
    labels:
      key: value
      mylabel: 123
    state: present

- name: Ensure the firewall is absent (remove if needed)
  hetzner.hcloud.firewall:
    name: my-firewall
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
hcloud_firewall dictionary	The firewall instance. Returned: always
applied_to list / elements=dictionary	List of Resources the Firewall is applied to. Returned: always
applied_to_resources list / elements=dictionary	List of Resources the Firewall label selector is applied to. Returned: if hcloud_firewall.applied_to[].type=label_selector
server integer	ID of the Server. Returned: success Sample: 12345
type string	Type of resource referenced. Returned: success Can only return: "server" Sample: "server"
label_selector string	Label selector value. Returned: success Sample: "env=prod"
server integer	ID of the server. Returned: success Sample: 12345
type string	Type of the resource. Returned: success Can only return: "server" "label_selector" Sample: "label_selector"
id integer	Numeric identifier of the firewall. Returned: always Sample: 1937415
labels dictionary	User-defined labels (key-value pairs). Returned: always
name string	Name of the firewall. Returned: always Sample: "my-firewall"
rules list / elements=dictionary	List of rules the firewall contain. Returned: always
description string	User defined description of this rule. Returned: always Sample: "allow http from anywhere"
destination_ips list / elements=string	List of destination CIDRs that are allowed within this rule. Returned: always Sample: []
direction string	The direction of the firewall rule. Returned: always Sample: "in"
port string	The port or port range allowed by this rule. Returned: if hcloud_firewall.rules[].protocol=tcp or hcloud_firewall.rules[].protocol=udp Sample: "80"
protocol string	The protocol of the firewall rule. Returned: always Sample: "tcp"
source_ips list / elements=string	List of source CIDRs that are allowed within this rule. Returned: always Sample: ["0.0.0.0/0", "::/0"]

Authors

• Lukas Kaemmerling (@lkaemmerling)

Collection links

• Issue Tracker
• Repository (Sources)
• Hetzner Cloud API Reference
• Hetzner Cloud API Changelog