New in version 2.0.
The below requirements are needed on the host that executes this module.
Parameter | Choices/Defaults | Comments |
---|---|---|
account
string
|
Account the firewall rule is related to.
|
|
api_http_method
string
|
|
HTTP method used to query the API endpoint.
If not given, the
CLOUDSTACK_METHOD env variable is considered.As the last option, the value is taken from the ini config file, also see the notes.
Fallback value is
get if not specified. |
api_key
string
|
API key of the CloudStack API.
If not given, the
CLOUDSTACK_KEY env variable is considered.As the last option, the value is taken from the ini config file, also see the notes.
|
|
api_region
string
|
Default: "cloudstack"
|
Name of the ini section in the
cloustack.ini file.If not given, the
CLOUDSTACK_REGION env variable is considered. |
api_secret
string
|
Secret key of the CloudStack API.
If not set, the
CLOUDSTACK_SECRET env variable is considered.As the last option, the value is taken from the ini config file, also see the notes.
|
|
api_timeout
integer
|
HTTP timeout in seconds.
If not given, the
CLOUDSTACK_TIMEOUT env variable is considered.As the last option, the value is taken from the ini config file, also see the notes.
Fallback value is 10 seconds if not specified.
|
|
api_url
string
|
URL of the CloudStack API e.g. https://cloud.example.com/client/api.
If not given, the
CLOUDSTACK_ENDPOINT env variable is considered.As the last option, the value is taken from the ini config file, also see the notes.
|
|
cidrs
list
|
Default: "0.0.0.0/0"
|
List of CIDRs (full notation) to be used for firewall rule.
Since version 2.5, it is a list of CIDR.
aliases: cidr |
domain
string
|
Domain the firewall rule is related to.
|
|
end_port
integer
|
End port for this rule. Considered if protocol=tcp or protocol=udp.
If not specified, equal start_port.
|
|
icmp_code
integer
|
Error code for this icmp message.
Considered if protocol=icmp.
|
|
icmp_type
integer
|
Type of the icmp message being sent.
Considered if protocol=icmp.
|
|
ip_address
string
|
Public IP address the ingress rule is assigned to.
Required if type=ingress.
|
|
network
string
|
Network the egress rule is related to.
Required if type=egress.
|
|
poll_async
boolean
|
|
Poll async jobs until job has finished.
|
project
string
|
Name of the project the firewall rule is related to.
|
|
protocol
string
|
|
Protocol of the firewall rule.
all is only available if type=egress. |
start_port
integer
|
Start port for this rule.
Considered if protocol=tcp or protocol=udp.
aliases: port |
|
state
string
|
|
State of the firewall rule.
|
tags
list
added in 2.4 |
List of tags. Tags are a list of dictionaries having keys key and value.
To delete all tags, set an empty list e.g. tags: [].
aliases: tag |
|
type
string
|
|
Type of the firewall rule.
|
zone
string
|
Name of the zone in which the virtual machine is in.
If not set, default zone is used.
|
Note
cs
library’s configuration method if credentials are not provided by the arguments api_url
, api_key
, api_secret
. Configuration is read from several locations, in the following order. The CLOUDSTACK_ENDPOINT
, CLOUDSTACK_KEY
, CLOUDSTACK_SECRET
and CLOUDSTACK_METHOD
. CLOUDSTACK_TIMEOUT
environment variables. A CLOUDSTACK_CONFIG
environment variable pointing to an .ini
file. A cloudstack.ini
file in the current working directory. A .cloudstack.ini
file in the users home directory. Optionally multiple credentials and endpoints can be specified using ini sections in cloudstack.ini
. Use the argument api_region
to select the section name, default section is cloudstack
. See https://github.com/exoscale/cs for more information.- name: Allow inbound port 80/tcp from 1.2.3.4 to 4.3.2.1
cs_firewall:
ip_address: 4.3.2.1
port: 80
cidr: 1.2.3.4/32
delegate_to: localhost
- name: Allow inbound tcp/udp port 53 to 4.3.2.1
cs_firewall:
ip_address: 4.3.2.1
port: 53
protocol: '{{ item }}'
with_items:
- tcp
- udp
delegate_to: localhost
- name: Ensure firewall rule is removed
cs_firewall:
ip_address: 4.3.2.1
start_port: 8000
end_port: 8888
cidr: 17.0.0.0/8
state: absent
delegate_to: localhost
- name: Allow all outbound traffic
cs_firewall:
network: my_network
type: egress
protocol: all
delegate_to: localhost
- name: Allow only HTTP outbound traffic for an IP
cs_firewall:
network: my_network
type: egress
port: 80
cidr: 10.101.1.20
delegate_to: localhost
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description |
---|---|---|
cidr
string
|
success |
CIDR string of the rule.
Sample:
0.0.0.0/0
|
cidrs
list
added in 2.5 |
success |
CIDR list of the rule.
Sample:
['0.0.0.0/0']
|
end_port
integer
|
success |
End port of the rule.
Sample:
80
|
icmp_code
integer
|
success |
ICMP code of the rule.
Sample:
1
|
icmp_type
integer
|
success |
ICMP type of the rule.
Sample:
1
|
id
string
|
success |
UUID of the rule.
Sample:
04589590-ac63-4ffc-93f5-b698b8ac38b6
|
ip_address
string
|
success |
IP address of the rule if
type=ingress Sample:
10.100.212.10
|
network
string
|
success |
Name of the network if
type=egress Sample:
my_network
|
protocol
string
|
success |
Protocol of the rule.
Sample:
tcp
|
start_port
integer
|
success |
Start port of the rule.
Sample:
80
|
type
string
|
success |
Type of the rule.
Sample:
ingress
|
Hint
If you notice any issues in this documentation you can edit this document to improve it.