azure.azcollection.azure_rm_firewallpolicyrulecollectiongroup module – Manage rule collection groups of an Azure Firewall Policy

Note

This module is part of the azure.azcollection collection (version 3.19.0).

You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install azure.azcollection. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: azure.azcollection.azure_rm_firewallpolicyrulecollectiongroup.

New in azure.azcollection 3.19.0

Synopsis

• Create, update or delete a rule collection group of an Azure Firewall Policy.

• A rule collection group hosts an ordered list of filter and/or NAT rule collections, each of which contains application, network or NAT rules.

Requirements

The below requirements are needed on the host that executes this module.

• python >= 2.7

• The host that executes this module must have the azure.azcollection collection installed via galaxy

• All python packages listed in collection’s requirements.txt must be installed via pip on the host that executes modules from azure.azcollection

• Full installation instructions may be found https://galaxy.ansible.com/azure/azcollection

Parameters

Parameter	Comments
ad_user string	Active Directory username. Use when authenticating with an Active Directory user rather than service principal.
adfs_authority_url string added in azure.azcollection 0.0.1	Azure AD authority url. Use when authenticating with Username/password, and has your own ADFS authority.
api_profile string added in azure.azcollection 0.0.1	Selects an API profile to use when communicating with Azure services. Default value of latest is appropriate for public clouds; future values will allow use with Azure Stack. Default: "latest"
auth_source string added in azure.azcollection 0.0.1	Controls the source of the credentials to use for authentication. Can also be set via the ANSIBLE_AZURE_AUTH_SOURCE environment variable. When set to auto (the default) the precedence is module parameters -> env -> credential_file -> cli. When set to env, the credentials will be read from the environment variables. When set to credential_file, it will read the profile from ~/.azure/credentials. When set to cli, the credentials will be sources from the Azure CLI profile. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if more than one is present otherwise the default az cli subscription is used. When set to msi, the host machine must be an azure resource with an enabled MSI extension. subscription_id or the environment variable AZURE_SUBSCRIPTION_ID can be used to identify the subscription ID if the resource is granted access to more than one subscription, otherwise the first subscription is chosen. The msi was added in Ansible 2.6. Choices: "auto" ← (default) "cli" "credential_file" "env" "msi"
cert_validation_mode string added in azure.azcollection 0.0.1	Controls the certificate validation behavior for Azure endpoints. By default, all modules will validate the server certificate, but when an HTTPS proxy is in use, or against Azure Stack, it may be necessary to disable this behavior by passing ignore. Can also be set via credential file profile or the AZURE_CERT_VALIDATION environment variable. Choices: "ignore" "validate"
client_id string	Azure client ID. Use when authenticating with a Service Principal or Managed Identity (msi). Can also be set via the AZURE_CLIENT_ID environment variable.
cloud_environment string added in azure.azcollection 0.0.1	For cloud environments other than the US public cloud, the environment name (as defined by Azure Python SDK, eg, AzureChinaCloud, AzureUSGovernment), or a metadata discovery endpoint URL (required for Azure Stack). Can also be set via credential file profile or the AZURE_CLOUD_ENVIRONMENT environment variable. Default: "AzureCloud"
disable_instance_discovery boolean added in azure.azcollection 2.3.0	Determines whether or not instance discovery is performed when attempting to authenticate. Setting this to true will completely disable both instance discovery and authority validation. This functionality is intended for use in scenarios where the metadata endpoint cannot be reached such as in private clouds or Azure Stack. The process of instance discovery entails retrieving authority metadata from https://login.microsoft.com/ to validate the authority. By setting this to **True**, the validation of the authority is disabled. As a result, it is crucial to ensure that the configured authority host is valid and trustworthy. Set via credential file profile or the AZURE_DISABLE_INSTANCE_DISCOVERY environment variable. Choices: false ← (default) true
firewall_policy_name string / required	The name of the parent firewall policy.
log_mode string	Parent argument.
log_path string	Parent argument.
name string / required	The name of the rule collection group.
oidc_token string added in azure.azcollection 3.17.0	Direct OpenID Connect (OIDC) token (JWT) used for workload identity authentication. This token is exchanged with Azure AD using OIDC federated identity. Useful in CI systems (for example GitHub Actions, Azure DevOps) where an OIDC token is provided directly by the platform. Can also be set via the AZURE_FEDERATED_TOKEN environment variable.
oidc_token_file_path path added in azure.azcollection 3.17.0	Path to a file containing an OpenID Connect (OIDC) token (JWT) used for workload identity authentication. The file must contain only raw token. This method is commonly used in platforms that materialize OIDC tokens as files Can also be set via the AZURE_FEDERATED_TOKEN_FILE environment variable.
password string	Active Directory user password. Use when authenticating with an Active Directory user rather than service principal.
priority integer	Priority of the rule collection group resource. Valid values are between 100 and 65000.
profile string	Security profile found in ~/.azure/credentials file.
resource_group string / required	Name of the resource group.
rule_collections list / elements=dictionary	Group of firewall policy rule collections.
action string	The action of the rule collection. Use allow or deny for filter collections. Use dnat for nat collections. Choices: "allow" "deny" "dnat"
name string / required	Name of the rule collection.
priority integer	Priority of the rule collection. Valid values are between 100 and 65000.
rule_collection_type string / required	The type of the rule collection. Choices: "filter" "nat"
rules list / elements=dictionary	Rules included in this rule collection.
description string	Description of the rule.
destination_addresses list / elements=string	List of destination IP addresses, CIDR ranges or service tags for this rule.
destination_fqdns list / elements=string	List of destination FQDNs for this rule. Used by network rules only.
destination_ip_groups list / elements=string	List of destination IP group resource IDs for this rule. Used by network rules only.
destination_ports list / elements=string	List of destination ports for this rule. Used by network and nat rules only.
fqdn_tags list / elements=string	List of FQDN tags for this rule. Used by application rules only.
http_headers_to_insert list / elements=dictionary	List of HTTP/S headers to insert. Used by application rules only.
header_name string	The name of the header.
header_value string	The value of the header.
ip_protocols list / elements=string	List of IP protocols for this rule. Used by network and nat rules only. Choices: "Any" "TCP" "UDP" "ICMP"
name string / required	Name of the rule.
protocols list / elements=dictionary	List of application protocols for this rule. Used by application rules only.
port integer	Port number for the protocol. Valid values are between 0 and 64000.
type string	Protocol type. Choices: "Http" "Https"
rule_type string / required	Type of the rule. A filter collection may contain application or network rules. A nat collection may contain nat rules. Choices: "application" "network" "nat"
source_addresses list / elements=string	List of source IP addresses or CIDR ranges for this rule.
source_ip_groups list / elements=string	List of source IP group resource IDs for this rule.
target_fqdns list / elements=string	List of destination FQDNs for this rule. Used by application rules only.
target_urls list / elements=string	List of destination URLs for this rule. Used by application rules only.
terminate_tls boolean	Whether to terminate TLS connections for this rule. Used by application rules only. Requires Premium tier firewall policy. Choices: false true
translated_address string	The translated address for this NAT rule. Used by nat rules only.
translated_fqdn string	The translated FQDN for this NAT rule. Used by nat rules only.
translated_port string	The translated port for this NAT rule. Used by nat rules only.
web_categories list / elements=string	List of destination Azure web categories for this rule. Used by application rules only. Requires Premium tier firewall policy.
secret string	Azure client secret. Use when authenticating with a Service Principal.
state string	Assert the state of the rule collection group. Use present to create or update and absent to delete. Choices: "absent" "present" ← (default)
subscription_id string	Your Azure subscription Id.
tenant string	Azure tenant ID. Use when authenticating with a Service Principal.
thumbprint string added in azure.azcollection 1.14.0	The thumbprint of the private key specified in x509_certificate_path. Use when authenticating with a Service Principal. Required if x509_certificate_path is defined.
x509_certificate_path path added in azure.azcollection 1.14.0	Path to the X509 certificate used to create the service principal in PEM format. The certificate must be appended to the private key. Use when authenticating with a Service Principal.

Notes

Note

• For authentication with Azure you can pass parameters, set environment variables, use a profile stored in ~/.azure/credentials, or log in before you run your tasks or playbook with az login.

• Authentication is also possible using a service principal or Active Directory user.

• To authenticate via OIDC, pass client_id, tenant and oidc_token or oidc_token_file_path, or set environment variables AZURE_CLIENT_ID, AZURE_TENANT and AZURE_FEDERATED_TOKEN or AZURE_FEDERATED_TOKEN_FILE.

• To authenticate via service principal, pass subscription_id, client_id, secret and tenant or set environment variables AZURE_SUBSCRIPTION_ID, AZURE_CLIENT_ID, AZURE_SECRET and AZURE_TENANT.

• To authenticate via Active Directory user, pass ad_user and password, or set AZURE_AD_USER and AZURE_PASSWORD in the environment.

• Alternatively, credentials can be stored in ~/.azure/credentials. This is an ini file containing a [default] section and the following keys: subscription_id, client_id, secret and tenant or subscription_id, ad_user and password. It is also possible to add additional profiles. Specify the profile by passing profile or setting AZURE_PROFILE in the environment.

See Also

See also

Sign in with Azure CLI

How to authenticate using the az login command.

Examples

- name: Create a rule collection group with filter and NAT collections
  azure_rm_firewallpolicyrulecollectiongroup:
    resource_group: myResourceGroup
    firewall_policy_name: myFirewallPolicy
    name: myRuleCollectionGroup
    priority: 200
    rule_collections:
      - name: filterCollection
        priority: 300
        rule_collection_type: filter
        action: allow
        rules:
          - name: allowWebApp
            rule_type: application
            source_addresses:
              - 10.0.0.0/24
            protocols:
              - type: Https
                port: 443
            target_fqdns:
              - "*.microsoft.com"
          - name: allowNetwork
            rule_type: network
            ip_protocols:
              - TCP
            source_addresses:
              - 10.0.0.0/24
            destination_addresses:
              - 192.168.1.0/24
            destination_ports:
              - "443"
      - name: natCollection
        priority: 400
        rule_collection_type: nat
        action: dnat
        rules:
          - name: dnatRule
            rule_type: nat
            ip_protocols:
              - TCP
            source_addresses:
              - "*"
            destination_addresses:
              - 13.0.0.1
            destination_ports:
              - "443"
            translated_address: 10.0.0.10
            translated_port: "8443"

- name: Delete a rule collection group
  azure_rm_firewallpolicyrulecollectiongroup:
    resource_group: myResourceGroup
    firewall_policy_name: myFirewallPolicy
    name: myRuleCollectionGroup
    state: absent

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key	Description
state complex	Current state of the rule collection group. Returned: always
etag string	Resource ETag. Returned: always
id string	Resource ID of the rule collection group. Returned: always Sample: "/subscriptions/xxxx/resourceGroups/myResourceGroup/providers/Microsoft.Network/firewallPolicies/ myFirewallPolicy/ruleCollectionGroups/myRuleCollectionGroup"
name string	Name of the rule collection group. Returned: always Sample: "myRuleCollectionGroup"
priority integer	Priority of the rule collection group. Returned: always Sample: 200
provisioning_state string	Provisioning state of the resource. Returned: always Sample: "Succeeded"
rule_collections list / elements=dictionary	Group of rule collections. Returned: always
type string	Resource type. Returned: always Sample: "Microsoft.Network/FirewallPolicies/RuleCollectionGroups"

Authors

• Zun Yang (@zunyangc)

Collection links

• Issue Tracker
• Homepage
• Repository (Sources)