cs_network_acl_rule - Manages network access control list (ACL) rules on Apache CloudStack based clouds.

New in version 2.4.

Synopsis

  • Add, update and remove network ACL rules.

Options

| parameter | required | default | choices | comments |
|---|---|---|---|---|
| account | no | | | Account the VPC is related to. |
| action_policy | no | ingress | allow, deny | Action policy of the rule. Aliases: action |
| api_http_method | no | get | get, post | HTTP method used. |
| api_key | no | | | API key of the CloudStack API. |
| api_region | no | cloudstack | | Name of the ini section in the cloudstack.ini file. |
| api_secret | no | | | Secret key of the CloudStack API. |
| api_timeout | no | 10 | | HTTP timeout. |
| api_url | no | | | URL of the CloudStack API, e.g. https://cloud.example.com/client/api. |
| cidr | no | 0.0.0.0/0 | | CIDR of the rule. |
| domain | no | | | Domain the VPC is related to. |
| end_port | no | | | End port for this rule. Considered if protocol=tcp or protocol=udp. If not specified, equals start_port. |
| icmp_code | no | | | Error code for this ICMP message. Considered if protocol=icmp. |
| icmp_type | no | | | Type of the ICMP message being sent. Considered if protocol=icmp. |
| network_acl | yes | | | Name of the network ACL. Aliases: acl |
| poll_async | no | True | | Poll async jobs until the job has finished. |
| project | no | | | Name of the project the VPC is related to. |
| protocol | no | tcp | tcp, udp, icmp, all, by_number | Protocol of the rule. |
| protocol_number | no | | | Protocol number from 1 to 256; required if protocol=by_number. |
| rule_position | yes | | | Position of the rule. Aliases: number |
| start_port | no | | | Start port for this rule. Considered if protocol=tcp or protocol=udp. Aliases: port |
| state | no | present | present, absent | State of the network ACL rule. |
| tags | no | | | List of tags. Tags are a list of dictionaries having keys key and value. To delete all tags, set an empty list, e.g. tags: []. |
| traffic_type | no | ingress | ingress, egress | Traffic type of the rule. Aliases: type |
| vpc | yes | | | VPC the network ACL is related to. |
| zone | no | | | Name of the zone the VPC is related to. If not set, the default zone is used. |

Examples

# create a network ACL rule, allow port 80 ingress
local_action:
  module: cs_network_acl_rule
  network_acl: web
  rule_position: 1
  vpc: my vpc
  traffic_type: ingress
  action_policy: allow
  port: 80
  cidr: 0.0.0.0/0

# create a network ACL rule, deny port range 8000-9000 ingress for 10.20.0.0/16
local_action:
  module: cs_network_acl_rule
  network_acl: web
  rule_position: 1
  vpc: my vpc
  traffic_type: ingress
  action_policy: deny
  start_port: 8000
  end_port: 9000
  cidr: 10.20.0.0/16

# remove a network ACL rule
local_action:
  module: cs_network_acl_rule
  network_acl: web
  rule_position: 1
  vpc: my vpc
  state: absent
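Before a play like the ones above is run, it helps to check the rule set as a whole: the module applies aliases and defaults per rule, but nothing tells you that two tasks claim the same rule_position, that a port range is inverted, or that an allow rule admits every source on every protocol. The following is an added example, not code from the Ansible module or the cs library. It applies the parameter semantics from the Options table (aliases, end_port defaulting to start_port, protocol-dependent fields, the 0.0.0.0/0 cidr default) to plain task dicts and reports findings per rule_position; requiring an explicit action_policy and the "wide open" threshold are this checker's own choices, not module behaviour, and the sample rules are constructed.

```python
"""Pre-flight checks for cs_network_acl_rule task arguments.

Added example for this page; not code from the Ansible module or the cs library.
Parameter semantics follow the Options table above; the explicit-action_policy
requirement and the "wide open" threshold are this checker's own choices.
"""
import ipaddress

# Aliases, defaults and required parameters as listed in the Options table.
ALIASES = {"action": "action_policy", "acl": "network_acl", "number": "rule_position",
           "port": "start_port", "tag": "tags", "type": "traffic_type"}
DEFAULTS = {"protocol": "tcp", "cidr": "0.0.0.0/0", "traffic_type": "ingress", "state": "present"}
REQUIRED = ("network_acl", "vpc", "rule_position")
PROTOCOLS = {"tcp", "udp", "icmp", "all", "by_number"}
ANY_SOURCE = {"0.0.0.0/0", "::/0"}


def normalize(rule):
    """Resolve aliases and fill documented defaults; returns a new dict."""
    r = {ALIASES.get(k, k): v for k, v in rule.items()}
    for key, value in DEFAULTS.items():
        r.setdefault(key, value)
    if r["protocol"] in ("tcp", "udp") and "start_port" in r:
        r.setdefault("end_port", r["start_port"])  # "If not specified, equals start_port."
    return r


def is_wide_open(rule):
    """Allow rule admitting any source on every protocol or on a port range (single port is fine)."""
    if rule.get("action_policy") != "allow" or rule["cidr"] not in ANY_SOURCE:
        return False
    if rule["protocol"] == "all":
        return True
    if rule["protocol"] in ("tcp", "udp") and "start_port" in rule:
        return int(rule["end_port"]) > int(rule["start_port"])
    return False


def check_rule(rule):
    """Return the problems found in one normalized rule (empty list when clean)."""
    problems = [f"missing required parameter {k}" for k in REQUIRED if k not in rule]
    if rule["state"] == "absent":
        return problems  # removal only has to identify the rule
    proto = rule["protocol"]
    if proto not in PROTOCOLS:
        problems.append(f"unknown protocol {proto!r}")
    if proto == "by_number":
        number = rule.get("protocol_number")
        if number is None or not 1 <= int(number) <= 256:
            problems.append("protocol=by_number needs protocol_number in 1..256")
    if proto in ("tcp", "udp"):
        if "start_port" not in rule:
            problems.append(f"{proto} rule has no start_port")
        elif not 1 <= int(rule["start_port"]) <= int(rule["end_port"]) <= 65535:
            problems.append(f"invalid port range {rule['start_port']}-{rule['end_port']}")
    if proto == "icmp" and "icmp_type" not in rule:
        problems.append("icmp rule should set icmp_type")
    try:
        ipaddress.ip_network(rule["cidr"])  # strict: 10.20.0.5/16 is reported, not silently masked
    except ValueError:
        problems.append(f"invalid cidr {rule['cidr']!r}")
    if "action_policy" not in rule:
        problems.append("action_policy is not set explicitly")
    if is_wide_open(rule):
        problems.append("allows any source on more than a single port")
    return problems


def review_acl(rules):
    """Check raw task dicts for one ACL; returns {rule_position: [problems]} for positions with findings."""
    findings, used = {}, set()
    for raw in rules:
        rule = normalize(raw)
        pos, problems = rule.get("rule_position"), check_rule(rule)
        if rule["state"] == "present":
            if pos in used:  # the position identifies the rule, so a reuse is ambiguous
                problems.append(f"rule_position {pos} is used more than once")
            used.add(pos)
        if problems:
            findings.setdefault(pos, []).extend(problems)
    return findings


# Constructed sample: the page's two rule examples plus three deliberately broken ones.
SAMPLE_RULES = [
    {"network_acl": "web", "rule_position": 1, "vpc": "my vpc", "traffic_type": "ingress",
     "action_policy": "allow", "port": 80, "cidr": "0.0.0.0/0"},
    {"network_acl": "web", "rule_position": 2, "vpc": "my vpc", "traffic_type": "ingress",
     "action_policy": "deny", "start_port": 8000, "end_port": 9000, "cidr": "10.20.0.0/16"},
    {"network_acl": "web", "rule_position": 2, "vpc": "my vpc", "action": "allow", "protocol": "all"},
    {"network_acl": "web", "rule_position": 3, "vpc": "my vpc", "action_policy": "deny",
     "start_port": 9000, "end_port": 8000},
    {"network_acl": "web", "rule_position": 4, "vpc": "my vpc", "action_policy": "allow",
     "protocol": "by_number"},
    {"network_acl": "web", "rule_position": 1, "vpc": "my vpc", "state": "absent"},
]

if __name__ == "__main__":
    for pos, problems in sorted(review_acl(SAMPLE_RULES).items()):
        for problem in problems:
            print(f"rule_position {pos}: {problem}")
```

Run against the constructed sample, the two rules copied from the examples above come back clean, while positions 2, 3 and 4 are reported (duplicate position plus an all-protocol allow from anywhere, an inverted port range, and a by_number rule without protocol_number). The checker is deliberately stricter than the module in two places, both noted in comments: it insists on an explicit action_policy and it uses strict CIDR parsing.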

Return Values

Common return values are documented in Return Values; the following are the fields unique to this module:

| name | description | returned | type | sample |
|---|---|---|---|---|
| icmp_code | ICMP code of the network ACL rule. | success | int | 8 |
| domain | Domain the network ACL rule is related to. | success | string | example domain |
| protocol | Protocol of the network ACL rule. | success | string | tcp |
| action_policy | Action policy of the network ACL rule. | success | string | deny |
| tags | List of resource tags associated with the network ACL rule. | success | dict | [ { "key": "foo", "value": "bar" } ] |
| end_port | End port of the network ACL rule. | success | int | 80 |
| network_acl | Name of the network ACL. | success | string | customer acl |
| vpc | VPC of the network ACL. | success | string | customer vpc |
| start_port | Start port of the network ACL rule. | success | int | 80 |
| cidr | CIDR of the network ACL rule. | success | string | 0.0.0.0/0 |
| icmp_type | ICMP type of the network ACL rule. | success | int | 0 |
| account | Account the network ACL rule is related to. | success | string | example account |
| zone | Zone the VPC is related to. | success | string | ch-gva-2 |
| protocol_number | Protocol number in case protocol is by_number. | success | int | 8 |
| rule_position | Position of the network ACL rule. | success | int | 1 |
| project | Name of the project the network ACL rule is related to. | success | string | Production |
| state | State of the network ACL rule. | success | string | Active |
| traffic_type | Traffic type of the network ACL rule. | success | string | ingress |


Notes

  • Ansible uses the cs library's configuration method if credentials are not provided by the arguments api_url, api_key, api_secret. Configuration is read from several locations, in the following order:
      - The CLOUDSTACK_ENDPOINT, CLOUDSTACK_KEY, CLOUDSTACK_SECRET, CLOUDSTACK_METHOD and CLOUDSTACK_TIMEOUT environment variables.
      - A CLOUDSTACK_CONFIG environment variable pointing to an .ini file.
      - A cloudstack.ini file in the current working directory.
      - A .cloudstack.ini file in the user's home directory.
    Optionally, multiple credentials and endpoints can be specified using ini sections in cloudstack.ini. Use the argument api_region to select the section name; the default section is cloudstack. See https://github.com/exoscale/cs for more information.
  • A detailed guide about cloudstack modules can be found on http://docs.ansible.com/ansible/guide_cloudstack.html
  • This module supports check mode.
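Because the lookup order above decides which API secret a play ends up using, it is worth being able to see, offline, which source would win for a given environment and working directory. The following is an added example, not the cs library's or Ansible's own code: it re-implements the documented order (task arguments, then the CLOUDSTACK_* environment variables, then the ini file named by CLOUDSTACK_CONFIG, ./cloudstack.ini and ~/.cloudstack.ini, with api_region choosing the ini section) and additionally warns when the ini file it picked is readable by other users, since that file holds the secret. Treating the first ini file that exists as the one used, and raising when it lacks the requested section, is an assumption of this example; every endpoint, key and secret in the demo is constructed.

```python
"""Credential lookup in the order the note above documents, with a permission check.

Added example; not the cs library's or Ansible's own code. The ordering follows
the note above; "first existing ini file wins" and the section/permission
errors are this example's own assumptions.
"""
import configparser
import os
import shutil
import stat
import tempfile

ENV_NAMES = {"endpoint": "CLOUDSTACK_ENDPOINT", "key": "CLOUDSTACK_KEY",
             "secret": "CLOUDSTACK_SECRET", "method": "CLOUDSTACK_METHOD",
             "timeout": "CLOUDSTACK_TIMEOUT"}
NEEDED = ("endpoint", "key", "secret")


def resolve(args=None, env=None, cwd=".", home=None, region="cloudstack"):
    """Return {"source", "settings", "warnings"} for the first location that applies."""
    args = args or {}
    env = os.environ if env is None else env
    home = os.path.expanduser("~") if home is None else home
    # 1. api_url/api_key/api_secret given to the module win over everything else.
    if all(args.get(k) for k in ("api_url", "api_key", "api_secret")):
        settings = {"endpoint": args["api_url"], "key": args["api_key"], "secret": args["api_secret"]}
        return {"source": "arguments", "settings": settings, "warnings": []}
    # 2. Environment variables; endpoint, key and secret must all be set.
    if all(env.get(ENV_NAMES[k]) for k in NEEDED):
        settings = {k: env[v] for k, v in ENV_NAMES.items() if env.get(v)}
        return {"source": "environment", "settings": settings, "warnings": []}
    # 3-5. ini files in the documented order; api_region names the section.
    candidates = [("./cloudstack.ini", os.path.join(cwd, "cloudstack.ini")),
                  ("~/.cloudstack.ini", os.path.join(home, ".cloudstack.ini"))]
    if env.get("CLOUDSTACK_CONFIG"):
        candidates.insert(0, ("CLOUDSTACK_CONFIG", env["CLOUDSTACK_CONFIG"]))
    for label, path in candidates:
        if not os.path.isfile(path):
            continue
        parser = configparser.ConfigParser()
        parser.read(path)
        if not parser.has_section(region):
            raise LookupError(f"{path} has no [{region}] section")
        settings = dict(parser[region])
        missing = [k for k in NEEDED if not settings.get(k)]
        if missing:
            raise LookupError(f"[{region}] in {path} lacks {', '.join(missing)}")
        warnings = []
        if os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO):  # group/other bits set
            warnings.append(f"{path} is readable by other users and contains the API secret")
        return {"source": label, "settings": settings, "warnings": warnings}
    raise LookupError(f"no CloudStack credentials found for region {region!r}")


def demo():
    """Constructed scenario in a temporary directory; every endpoint and key is fake."""
    root = tempfile.mkdtemp()
    home, cwd = os.path.join(root, "home"), os.path.join(root, "work")
    os.mkdir(home)
    os.mkdir(cwd)
    home_ini = os.path.join(home, ".cloudstack.ini")
    with open(home_ini, "w") as fh:
        fh.write("[cloudstack]\nendpoint = https://home.example/client/api\n"
                 "key = HOME-KEY\nsecret = HOME-SECRET\n"
                 "[exoscale]\nendpoint = https://exo.example/compute\n"
                 "key = EXO-KEY\nsecret = EXO-SECRET\n")
    os.chmod(home_ini, 0o644)  # deliberately too permissive
    work_ini = os.path.join(cwd, "cloudstack.ini")
    with open(work_ini, "w") as fh:
        fh.write("[cloudstack]\nendpoint = https://work.example/client/api\n"
                 "key = WORK-KEY\nsecret = WORK-SECRET\n")
    os.chmod(work_ini, 0o600)
    env_creds = {"CLOUDSTACK_ENDPOINT": "https://env.example/client/api",
                 "CLOUDSTACK_KEY": "ENV-KEY", "CLOUDSTACK_SECRET": "ENV-SECRET"}
    explicit = {"api_url": "https://arg.example/client/api", "api_key": "ARG-KEY",
                "api_secret": "ARG-SECRET"}
    nowhere = os.path.join(root, "empty")  # directory that does not exist
    try:
        return {
            "args_win": resolve(explicit, env_creds, cwd, home)["source"],
            "env_before_files": resolve({}, env_creds, cwd, home)["source"],
            "config_var_first": resolve({}, {"CLOUDSTACK_CONFIG": home_ini}, cwd, home)["source"],
            "cwd_before_home": resolve({}, {}, cwd, home)["source"],
            "cwd_warnings": len(resolve({}, {}, cwd, home)["warnings"]),
            "home_region_key": resolve({}, {}, nowhere, home, region="exoscale")["settings"]["key"],
            "home_warnings": len(resolve({}, {}, nowhere, home)["warnings"]),
        }
    finally:
        shutil.rmtree(root)


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Calling resolve() with no arguments inspects the real environment, working directory and home directory, which is how an operator would use it on a control host; demo() instead builds the whole scenario under a temporary directory so the precedence rules and the permission warning can be checked without touching real credentials.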

Status

This module is flagged as preview which means that it is not guaranteed to have a backwards compatible interface.

For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Testing Ansible and Developing Modules.