Documentation

os_security_group_rule - Add/Delete rule from an existing security group

New in version 2.0.

Synopsis

Add or Remove rule from an existing security group

Requirements (on host that executes module)

  • python >= 2.7
  • shade

Options

parameter required default choices comments
api_timeout
no None
    How long should the socket layer wait before timing out for API calls. If this is omitted, nothing will be passed to the requests library.
    auth
    no
      Dictionary containing auth information as needed by the cloud's auth plugin strategy. For the default password plugin, this would contain auth_url, username, password, project_name and any information about domains if the cloud supports them. For other plugins, this param will need to contain whatever parameters that auth plugin requires. This parameter is not needed if a named cloud is provided or OpenStack OS_* environment variables are present.
      auth_type
      no password
        Name of the auth plugin to use. If the cloud uses something other than password authentication, the name of the plugin should be indicated here and the contents of the auth parameter should be updated accordingly.
        availability_zone
        no
          Name of the availability zone.
          cacert
          no None
            A path to a CA Cert bundle that can be used as part of verifying SSL API requests.
            cert
            no None
              A path to a client certificate to use as part of the SSL transaction
              cloud
              no
                Named cloud to operate against. Provides default values for auth and auth_type. This parameter is not needed if auth is provided or if OpenStack OS_* environment variables are present.
                direction
                no ingress
                • egress
                • ingress
                The direction in which the security group rule is applied. Not all providers support egress.
                endpoint_type
                no public
                • public
                • internal
                • admin
                Endpoint URL type to fetch from the service catalog.
                ethertype
                no IPv4
                • IPv4
                • IPv6
                Must be IPv4 or IPv6, and addresses represented in CIDR must match the ingress or egress rules. Not all providers support IPv6.
                key
                no None
                  A path to a client key to use as part of the SSL transaction
                  port_range_max
                  no None
                    Ending port
                    port_range_min
                    no None
                      Starting port
                      protocol
                      no None
                      • tcp
                      • udp
                      • icmp
                      • None
                      IP protocol
                      region_name
                      no
                        Name of the region.
                        remote_group
                        no
                          ID of Security group to link (exclusive with remote_ip_prefix)
                          remote_ip_prefix
                          no
                            Source IP address(es) in CIDR notation (exclusive with remote_group)
                            security_group
                            yes
                              Name of the security group
                              state
                              no present
                              • present
                              • absent
                              Should the resource be present or absent.
                              timeout
                              no 180
                                How long should ansible wait for the requested resource.
                                validate_certs
                                no True
                                  Whether or not SSL API requests should be verified.

                                  aliases: verify
                                  wait
                                  no yes
                                  • yes
                                  • no
                                  Should ansible wait until the requested resource is complete.

                                  Examples

                                  # Create a security group rule
                                  - os_security_group_rule:
                                      cloud: mordred
                                      security_group: foo
                                      protocol: tcp
                                      port_range_min: 80
                                      port_range_max: 80
                                      remote_ip_prefix: 0.0.0.0/0
                                  
                                  # Create a security group rule for ping
                                  - os_security_group_rule:
                                      cloud: mordred
                                      security_group: foo
                                      protocol: icmp
                                      remote_ip_prefix: 0.0.0.0/0
                                  
                                  # Another way to create the ping rule
                                  - os_security_group_rule:
                                      cloud: mordred
                                      security_group: foo
                                      protocol: icmp
                                      port_range_min: -1
                                      port_range_max: -1
                                      remote_ip_prefix: 0.0.0.0/0
                                  
                                  # Create a TCP rule covering all ports
                                  - os_security_group_rule:
                                      cloud: mordred
                                      security_group: foo
                                      protocol: tcp
                                      port_range_min: 1
                                      port_range_max: 65535
                                      remote_ip_prefix: 0.0.0.0/0
                                  
                                  # Another way to create the TCP rule above (defaults to all ports)
                                  - os_security_group_rule:
                                      cloud: mordred
                                      security_group: foo
                                      protocol: tcp
                                      remote_ip_prefix: 0.0.0.0/0
                                  

                                  Return Values

                                  Common return values are documented here Common Return Values, the following are the fields unique to this module:

                                  name description returned type sample
                                  direction The direction in which the security group rule is applied. string egress
                                  protocol The protocol that is matched by the security group rule. string tcp
                                  ethertype One of IPv4 or IPv6. string IPv4
                                  port_range_max The maximum port number in the range that is matched by the security group rule. int 8000
                                  security_group_id The security group ID to associate with this security group rule. string
                                  port_range_min The minimum port number in the range that is matched by the security group rule. int 8000
                                  remote_ip_prefix The remote IP prefix to be associated with this security group rule. string 0.0.0.0/0
                                  id Unique rule UUID. string


                                  Notes

                                  Note

                                  The standard OpenStack environment variables, such as OS_USERNAME may be used instead of providing explicit values.

                                  Note

                                  Auth information is driven by os-client-config, which means that values can come from a yaml config file in /etc/ansible/openstack.yaml, /etc/openstack/clouds.yaml or ~/.config/openstack/clouds.yaml, then from standard environment variables, then finally by explicit parameters in plays. More information can be found at http://docs.openstack.org/developer/os-client-config

                                  This is a Core Module

                                  For more information on what this means please read Core Modules

                                  For help in developing on modules, should you be so inclined, please read Community Information & Contributing, Helping Testing PRs and Developing Modules.