hetzner.hcloud.firewall module – Create and manage firewalls on the Hetzner Cloud.

Note

This module is part of the hetzner.hcloud collection (version 4.2.2).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install hetzner.hcloud. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: hetzner.hcloud.firewall.

Synopsis

  • Create, update and manage firewalls on the Hetzner Cloud.

Aliases: hcloud_firewall

Requirements

The below requirements are needed on the host that executes this module.

  • python-dateutil >= 2.7.5

  • requests >=2.20

Parameters

Parameter

Comments

api_endpoint

aliases: endpoint

string

The API Endpoint for the Hetzner Cloud.

You can also set this option by using the HCLOUD_ENDPOINT environment variable.

Default: "https://api.hetzner.cloud/v1"

api_token

string / required

The API Token for the Hetzner Cloud.

You can also set this option by using the HCLOUD_TOKEN environment variable.

force

boolean

Force the deletion of the Firewall when still in use.

Choices:

  • false ← (default)

  • true

id

integer

The ID of the Hetzner Cloud Firewall to manage.

Only required if no firewall name is given.

labels

dictionary

User-defined labels (key-value pairs).

name

string

The Name of the Hetzner Cloud Firewall to manage.

Only required if no firewall id is given, or the firewall does not exist.

rules

list / elements=dictionary

List of rules the firewall contain.

description

string

User defined description of this rule.

destination_ips

list / elements=string

List of CIDRs that are allowed within this rule.

Use 0.0.0.0/0 to allow all IPv4 addresses and ::/0 to allow all IPv6 addresses.

Only used if rules[].direction=out.

Default: []

direction

string

The direction of the firewall rule.

Choices:

  • "in"

  • "out"

port

string

The port or port range allowed by this rule.

A port range can be specified by separating two ports with a dash, e.g 1024-5000.

Only used if rules[].protocol=tcp or rules[].protocol=udp.

protocol

string

The protocol of the firewall rule.

Choices:

  • "icmp"

  • "tcp"

  • "udp"

  • "esp"

  • "gre"

source_ips

list / elements=string

List of CIDRs that are allowed within this rule.

Use 0.0.0.0/0 to allow all IPv4 addresses and ::/0 to allow all IPv6 addresses.

Only used if rules[].direction=in.

Default: []

state

string

State of the firewall.

Choices:

  • "absent"

  • "present" ← (default)

See Also

See also

Documentation for Hetzner Cloud API

Complete reference for the Hetzner Cloud API.

Examples

- name: Create a basic firewall
  hetzner.hcloud.firewall:
    name: my-firewall
    state: present

- name: Create a firewall with rules
  hetzner.hcloud.firewall:
    name: my-firewall
    rules:
      - description: allow icmp from everywhere
        direction: in
        protocol: icmp
        source_ips:
          - 0.0.0.0/0
          - ::/0
    state: present

- name: Create a firewall with labels
  hetzner.hcloud.firewall:
    name: my-firewall
    labels:
      key: value
      mylabel: 123
    state: present

- name: Ensure the firewall is absent (remove if needed)
  hetzner.hcloud.firewall:
    name: my-firewall
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

hcloud_firewall

dictionary

The firewall instance.

Returned: always

applied_to

list / elements=dictionary

List of Resources the Firewall is applied to.

Returned: always

applied_to_resources

list / elements=dictionary

List of Resources the Firewall label selector is applied to.

Returned: if hcloud_firewall.applied_to[].type=label_selector

server

integer

ID of the Server.

Returned: success

Sample: 12345

type

string

Type of resource referenced.

Returned: success

Can only return:

  • "server"

Sample: "server"

label_selector

string

Label selector value.

Returned: success

Sample: "env=prod"

server

integer

ID of the server.

Returned: success

Sample: 12345

type

string

Type of the resource.

Returned: success

Can only return:

  • "server"

  • "label_selector"

Sample: "label_selector"

id

integer

Numeric identifier of the firewall.

Returned: always

Sample: 1937415

labels

dictionary

User-defined labels (key-value pairs).

Returned: always

name

string

Name of the firewall.

Returned: always

Sample: "my-firewall"

rules

list / elements=dictionary

List of rules the firewall contain.

Returned: always

description

string

User defined description of this rule.

Returned: always

Sample: "allow http from anywhere"

destination_ips

list / elements=string

List of destination CIDRs that are allowed within this rule.

Returned: always

Sample: []

direction

string

The direction of the firewall rule.

Returned: always

Sample: "in"

port

string

The port or port range allowed by this rule.

Returned: if hcloud_firewall.rules[].protocol=tcp or hcloud_firewall.rules[].protocol=udp

Sample: "80"

protocol

string

The protocol of the firewall rule.

Returned: always

Sample: "tcp"

source_ips

list / elements=string

List of source CIDRs that are allowed within this rule.

Returned: always

Sample: ["0.0.0.0/0", "::/0"]

Authors

  • Lukas Kaemmerling (@lkaemmerling)