cs_firewall - Manages firewall rules on Apache CloudStack based clouds.
New in version 2.0.
Synopsis
Creates and removes firewall rules.
Requirements (on host that executes module)
- python >= 2.6
- cs >= 0.6.10
Options
| parameter | required | default | choices | comments |
|---|---|---|---|---|
| account |
no | Account the firewall rule is related to. | ||
| api_http_method |
no | get |
|
HTTP method used. |
| api_key |
no | API key of the CloudStack API. | ||
| api_region |
no | cloudstack | Name of the ini section in the cloustack.ini file. | |
| api_secret |
no | Secret key of the CloudStack API. | ||
| api_timeout |
no | 10 | HTTP timeout. | |
| api_url |
no | URL of the CloudStack API e.g. https://cloud.example.com/client/api. | ||
| cidr |
no | 0.0.0.0/0 | CIDR (full notation) to be used for firewall rule. | |
| domain |
no | Domain the firewall rule is related to. | ||
| end_port |
no | End port for this rule. Considered if protocol=tcp or protocol=udp. If not specified, equal start_port. | ||
| icmp_code |
no | Error code for this icmp message. Considered if protocol=icmp. | ||
| icmp_type |
no | Type of the icmp message being sent. Considered if protocol=icmp. | ||
| ip_address |
no | Public IP address the ingress rule is assigned to. Required if type=ingress. | ||
| network |
no | Network the egress rule is related to. Required if type=egress. | ||
| poll_async |
no | True | Poll async jobs until job has finished. | |
| project |
no | Name of the project the firewall rule is related to. | ||
| protocol |
no | tcp |
|
Protocol of the firewall rule. all is only available if type=egress |
| start_port |
no | Start port for this rule. Considered if protocol=tcp or protocol=udp.aliases: port | ||
| state |
no | present |
|
State of the firewall rule. |
| type |
no | ingress |
|
Type of the firewall rule. |
| zone |
no | Name of the zone in which the virtual machine is in. If not set, default zone is used. |
Examples
# Allow inbound port 80/tcp from 1.2.3.4 to 4.3.2.1 - local_action: module: cs_firewall ip_address: 4.3.2.1 port: 80 cidr: 1.2.3.4/32 # Allow inbound tcp/udp port 53 to 4.3.2.1 - local_action: module: cs_firewall ip_address: 4.3.2.1 port: 53 protocol: '{{ item }}' with_items: - tcp - udp # Ensure firewall rule is removed - local_action: module: cs_firewall ip_address: 4.3.2.1 start_port: 8000 end_port: 8888 cidr: 17.0.0.0/8 state: absent # Allow all outbound traffic - local_action: module: cs_firewall network: my_network type: egress protocol: all # Allow only HTTP outbound traffic for an IP - local_action: module: cs_firewall network: my_network type: egress port: 80 cidr: 10.101.1.20
Return Values
Common return values are documented here Common Return Values, the following are the fields unique to this module:
| name | description | returned | type | sample |
|---|---|---|---|---|
| icmp_code | ICMP code of the rule. | success | int | 1 |
| start_port | Start port of the rule. | success | int | 80 |
| network | Name of the network if C(type=egress) | success | string | my_network |
| type | Type of the rule. | success | string | ingress |
| end_port | End port of the rule. | success | int | 80 |
| protocol | Protocol of the rule. | success | string | tcp |
| cidr | CIDR of the rule. | success | string | 0.0.0.0/0 |
| icmp_type | ICMP type of the rule. | success | int | 1 |
| ip_address | IP address of the rule if C(type=ingress) | success | string | 10.100.212.10 |
| id | UUID of the rule. | success | string | 04589590-ac63-4ffc-93f5-b698b8ac38b6 |
Notes
Note
Ansible uses the cs library’s configuration method if credentials are not provided by the arguments api_url, api_key, api_secret. Configuration is read from several locations, in the following order. - The CLOUDSTACK_ENDPOINT, CLOUDSTACK_KEY, CLOUDSTACK_SECRET and CLOUDSTACK_METHOD. CLOUDSTACK_TIMEOUT environment variables. - A CLOUDSTACK_CONFIG environment variable pointing to an .ini file, - A cloudstack.ini file in the current working directory. - A .cloudstack.ini file in the users home directory. Optionally multiple credentials and endpoints can be specified using ini sections in cloudstack.ini. Use the argument api_region to select the section name, default section is cloudstack. See https://github.com/exoscale/cs for more information.
Note
This module supports check mode.
This is an Extras Module
For more information on what this means please read Extras Modules
For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.