graphiant.naas.graphiant_security_policy module – Manage device security policy rulesets and zone pair attachments
Note
This module is part of the graphiant.naas collection (version 26.6.0).
You might already have this collection installed if you are using the ansible package.
It is not included in ansible-core.
To check whether it is installed, run ansible-galaxy collection list.
To install it, use: ansible-galaxy collection install graphiant.naas.
You need further requirements to be able to use this module,
see Requirements for details.
To use it in a playbook, specify: graphiant.naas.graphiant_security_policy.
New in graphiant.naas 26.6.0
Synopsis
Configure or delete device-level security policy rulesets under
edge.trafficPolicy.securityRulesets.Attach or detach a named ruleset on zone pairs under
edge.trafficPolicy.zones.Reads a structured YAML config file and builds the raw device-config payload in Python.
The configure workflow applies rulesets (
operation=configure) and attaches them to zone pairs (operation=attach_to_zone_pairs). The deconfigure workflow clears zone pair references (operation=detach_from_zone_pairs) and deletes listed rulesets (operation=deconfigure).Configure is idempotent: compares intended rulesets to existing device state and skips push when already matched.
Deconfigure deletes only the rulesets listed in the YAML by setting
ruleset: nullper ruleset key.Under
configure, setstate: absenton a ruleset or individual rule in YAML to delete only that object (sendsruleset: nullorrule: nullin the payload). Omittedstatemeanspresent.Rule
action(per rule):accept,reject,inspect, ordrop. RulesetimplicitRuleAction(catch-all for unmatched traffic):acceptorrejectonly. Values are normalized to lowercase strings in the device-config payload.Each rule supports one primary match type: application (
applicationBuiltin/applicationCustom) or network/L4 (ipProtocol,sourceNetwork,destinationNetwork, ports). Combining both in the same rule is rejected.You cannot change a rule’s primary match type in place (for example, from
applicationBuiltintoipProtocol/destinationNetwork, or the reverse). The device API merges rule updates and leaves stale match criteria. Delete the rule (state: absent) and add a new rule with the desired match instead.Attach/detach operations compare each listed zone pair’s ruleset reference to the device and skip when unchanged.
With
ansible-playbook --check, writes are skipped butchangedreflects whether an apply would update at least one device. Use--diffto previewdetails.diff_planand Ansiblediff.
Requirements
The below requirements are needed on the host that executes this module.
python >= 3.7
graphiant-sdk >= 25.12.1
Parameters
Parameter |
Comments |
|---|---|
Bearer token for API authentication (for example, from If not passed as a module argument, the collection reads When a bearer token is present (module argument or environment), it takes precedence over If no valid token is available, the module authenticates with |
|
Enable detailed logging. Choices:
|
|
Graphiant portal host URL for API connectivity. Example: “https://api.graphiant.com” |
|
Specific operation to perform.
Choices:
|
|
Graphiant portal password for authentication. Required for password-based login when no valid bearer token is available from |
|
Path to the security policy YAML file. Can be an absolute path or relative to the configured config_path. Expected top-level key is Each device may define |
|
Desired state for security policy rulesets.
Choices:
|
|
Graphiant portal username for authentication. Required for password-based login when no valid bearer token is available from |
Attributes
Attribute |
Support |
Description |
|---|---|---|
Support: full In check mode, no configuration is pushed to devices, but the module still reads current device state to determine whether changes would be made. Payloads that would be pushed are logged with a |
Supports check mode. |
|
Support: full When the playbook runs with |
Supports Ansible’s |
Notes
Note
One YAML file may define both
securityRulesetsandzones.configure/deconfigurereadsecurityRulesetsonly;attach_to_zone_pairs/detach_from_zone_pairsreadzonesonly. Run both steps for a full security policy lifecycle, or use the sample playbook tagsconfigureanddeconfigure.Configuration files support Jinja2 templating syntax for dynamic configuration generation.
Check mode (
--check) reads live device state, skips writes, setschangedfrom whether an apply would update at least one device, and logs would-be payloads with a[check_mode]prefix whendetailed_logsis enabled.Diff mode (
--diff) adds Ansiblediff(before/afterstrings) anddetails.diff_plan. Ruleset entries list only changed rules underrules(plus_metawhen ruleset metadata changes). Zone pair attach/detach diffs show per-pair ruleset references underzones.
Examples
- name: Configure device-level security policy rulesets
graphiant.naas.graphiant_security_policy:
operation: configure
security_policy_config_file: "sample_device_security_policies.yaml"
host: "{{ graphiant_host }}"
username: "{{ graphiant_username }}"
password: "{{ graphiant_password }}"
detailed_logs: true
- name: Attach security ruleset to zone pairs
graphiant.naas.graphiant_security_policy:
operation: attach_to_zone_pairs
security_policy_config_file: "sample_device_security_policies.yaml"
host: "{{ graphiant_host }}"
username: "{{ graphiant_username }}"
password: "{{ graphiant_password }}"
detailed_logs: true
# Preview pending changes without pushing (check mode)
- name: Preview security policy configure (dry run)
graphiant.naas.graphiant_security_policy:
operation: configure
security_policy_config_file: "sample_device_security_policies.yaml"
host: "{{ graphiant_host }}"
username: "{{ graphiant_username }}"
password: "{{ graphiant_password }}"
detailed_logs: true
check_mode: true
register: security_policy_preview
# Preview per-rule diffs (run playbook with --diff or set diff: true on the task)
- name: Preview security policy rule changes
graphiant.naas.graphiant_security_policy:
operation: configure
security_policy_config_file: "sample_device_security_policies.yaml"
host: "{{ graphiant_host }}"
username: "{{ graphiant_username }}"
password: "{{ graphiant_password }}"
diff: true
register: security_policy_diff
# details.diff_plan[].before/after.securityRulesets.<name>.rules.<seq> — changed rules only
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key |
Description |
|---|---|
Whether the operation would push config to at least one device. In check mode ( Returned: always |
|
Device names where configuration was pushed (when changed=true). Returned: when supported |
|
Raw manager result details (includes Each Returned: when supported |
|
Ansible diff output when the playbook runs with Built from Returned: when diff mode is enabled and |
|
Result message (includes detailed logs when enabled). Returned: always |
|
The operation performed. Returned: always |
|
The security policy config file used for the operation. Returned: always |
|
Device names that were skipped because desired state already matched. Returned: when supported |