f5networks.f5_modules.bigip_apm_acl module – Manage user-defined APM ACLs

Note

This module is part of the f5networks.f5_modules collection (version 1.32.1).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install f5networks.f5_modules.

To use it in a playbook, specify: f5networks.f5_modules.bigip_apm_acl.

New in f5networks.f5_modules 1.0.0

Synopsis 

Manage user-defined APM ACLs.

Parameters 

Parameter	Comments
acl_order integer	Specifies a number that indicates the order of this ACL relative to other ACLs. When not set, the device will always place the ACL after the last one created. The lower the number, the higher the ACL will be in the general order, with the lowest number `0` being the topmost one. Valid range of values is between `0` and `65535` inclusive.
description string	User created ACL description.
entries list / elements=dictionary	Access control entries that define the ACL matching and its respective behavior. The order in which the rules are placed as arguments to this parameter determines their order in the ACL, in other words changing the order of the same elements will cause a change on the unit. Changes in the number of rules will always trigger device change. This means user input will take precedence over what is on device.
action string / required	Specifies the action that the access control entry takes when a match for this access control entry is encountered. Choices: `"allow"` `"reject"` `"discard"` `"continue"`
dst_addr string	Specifies the destination IP address for the access control entry. When set to `any` the ACL will match any destination address, `dst_mask` is ignored in this case.
dst_mask string	Optional parameter that specifies the destination network mask for the access control entry. If not specified and `dst_addr` is not `any`, the `dst_addr` is deemed to be host address.
dst_port string	Specifies the destination port for the access control entry. Can be set to `*` to indicate all ports. Parameter is mutually exclusive with `dst_port_range`.
dst_port_range string	Specifies the destination port range for the access control entry. Parameter is mutually exclusive with `dst_port_range`. To indicate all ports the `dst_port` parameter must be used and set to `*`.
host_name string	This parameter applies to Layer 7 access control entries only. Specifies a host to which the access control entry applies.
log string	Specifies the log level that is logged when actions of this type occur. When `none` it will log nothing, which is a default action. When `packet` it will log the matched packet. Choices: `"none"` `"packet"`
paths string	This parameter applies to Layer 7 access control entries only. Specifies the path or paths to which the access control entry applies.
protocol string	This parameter applies to Layer 4 access control entries only. Specifies the protocol: `tcp`, `udp`, `icmp` or `all` protocols, to which the access control entry applies. Choices: `"tcp"` `"icmp"` `"udp"` `"all"`
scheme string	This parameter applies to Layer 7 access control entries only. Specifies the URI scheme: `http`, `https` or `any` on which the access control entry operates. Choices: `"http"` `"https"` `"any"`
src_addr string	Specifies the source IP address for the access control entry. When set to `any` the ACL will match any source address, `src_mask` is ignored in this case.
src_mask string	Optional parameter that specifies the source network mask for the access control entry. If not specified and `src_addr` is not `any`, the `src_addr` is deemed to be host address.
src_port string	Specifies the source port for the access control entry. Can be set to `*` to indicate all ports. Parameter is mutually exclusive with `src_port_range`.
src_port_range string	Specifies the source port range for the access control entry. Parameter is mutually exclusive with `src_port_range`. To indicate all ports the `src_port` parameter must be used and set to `*`.
name string / required	Specifies the name of the ACL to manage.
partition string	Device partition to manage resources on. Default: `"Common"`
path_match_case boolean	Specifies whether alphabetic case is considered when matching paths in an access control entry. Choices: `false` `true`
provider dictionary added in f5networks.f5_modules 1.0.0	A dict object containing connection details.
auth_provider string	Configures the auth provider for to obtain authentication tokens from the remote device. This option is really used when working with BIG-IQ devices.
no_f5_teem boolean	If `yes`, TEEM telemetry data is not sent to F5. You may omit this option by setting the environment variable `F5_TELEMETRY_OFF`. Previously used variable `F5_TEEM` is deprecated as its name was confusing. Choices: `false` ← (default) `true`
password aliases: pass, pwd string / required	The password for the user account used to connect to the BIG-IP or the BIG-IQ. You may omit this option by setting the environment variable `F5_PASSWORD`.
server string / required	The BIG-IP host or the BIG-IQ host. You may omit this option by setting the environment variable `F5_SERVER`.
server_port integer	The BIG-IP server port. You may omit this option by setting the environment variable `F5_SERVER_PORT`. Default: `443`
timeout integer	Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport string	Configures the transport connection to use when connecting to the remote device. Choices: `"rest"` ← (default)
user string / required	The username to connect to the BIG-IP or the BIG-IQ. This user must have administrative privileges on the device. You may omit this option by setting the environment variable `F5_USER`.
validate_certs boolean	If `no`, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. You may omit this option by setting the environment variable `F5_VALIDATE_CERTS`. Choices: `false` `true` ← (default)
state string	When `state` is `present`, ensures that the ACL exists. When `state` is `absent`, ensures that the ACL is removed. Choices: `"present"` ← (default) `"absent"`
type string	Specifies the type of ACL to create. Once the type is set it cannot be changed. Choices: `"static"` `"dynamic"`

Notes 

Note

For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
Requires BIG-IP software version >= 12.
The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples 

- name: Create a static ACL with L4 entries
  bigip_apm_acl:
    name: L4foo
    acl_order: 0
    type: static
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: reject
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7 entries
  bigip_apm_acl:
    name: L7foo
    acl_order: 1
    type: static
    path_match_case: false
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
      - action: reject
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7/L4 entries
  bigip_apm_acl:
    name: L7L4foo
    acl_order: 2
    type: static
    path_match_case: false
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
        dst_port: '8181'
        dst_addr: '192.168.1.1'
        protocol: tcp
      - action: reject
        dst_addr: '192.168.1.1'
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        protocol: all
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Modify a static ACL entries
  bigip_apm_acl:
    name: L4foo
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: discard
        dst_port: '*'
        dst_addr: 192.168.1.1
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.2155.255.128'
        protocol: all
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove static ACL
  bigip_apm_acl:
    name: L4foo
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Return Values 

Common return values are documented here, the following are the fields unique to this module:

Key	Description
acl_order integer	The order of this ACL relative to other ACLs. Returned: changed Sample: `10`
description string	The new description of the ACL. Returned: changed Sample: `"My ACL"`
entries complex	Access control entries that define the ACL matching and its respective behavior. Returned: changed Sample: `"hash/dictionary of values"`
action string	Action the access control entry takes when a match for this access control entry is encountered. Returned: changed Sample: `"allow"`
dst_addr string	The destination IP address for the access control entry. Returned: changed Sample: `"192.168.0.1"`
dst_mask string	The destination network mask for the access control entry. Returned: changed Sample: `"255.255.255.128"`
dst_port string	The destination port for the access control entry. Returned: changed Sample: `"80"`
dst_port_range string	The destination port range for the access control entry. Returned: changed Sample: `"80-81"`
host_name string	The host to which the access control entry applies. Returned: changed Sample: `"foobar.com"`
log string	The log level that is logged when actions of this type occur. Returned: changed Sample: `"packet"`
paths string	The path or paths to which the access control entry applies. Returned: changed Sample: `"/fooshop"`
protocol string	The protocol to which the access control entry applies. Returned: changed Sample: `"tcp"`
scheme string	The URI scheme on which the access control entry operates. Returned: changed Sample: `"https"`
src_addr string	The source IP address for the access control entry. Returned: changed Sample: `"192.168.0.1"`
src_mask string	The source network mask for the access control entry. Returned: changed Sample: `"255.255.255.128"`
src_port string	The source port for the access control entry. Returned: changed Sample: `"80"`
src_port_range string	The source port range for the access control entry. Returned: changed Sample: `"80-81"`
path_match_case boolean	Specifies whether alphabetic case is considered when matching paths in an access control entry. Returned: changed Sample: `true`
type string	The type of ACL to create. Returned: changed Sample: `"static"`

Authors

Wojciech Wypior (@wojtek0806)

f5networks.f5_modules.bigip_apm_acl module – Manage user-defined APM ACLs

Synopsis

Parameters

Notes

Examples

Return Values