cs_securitygroup_rule – Manages security group rules on Apache CloudStack based clouds

From Get docs
Ansible/docs/2.8/modules/cs securitygroup rule module


cs_securitygroup_rule – Manages security group rules on Apache CloudStack based clouds

New in version 2.0.


Synopsis

  • Add and remove security group rules.

Requirements

The below requirements are needed on the host that executes this module.

  • python >= 2.6
  • cs >= 0.6.10

Parameters

Parameter Choices/Defaults Comments

api_http_method

string

  • get
  • post

HTTP method used to query the API endpoint.

If not given, the CLOUDSTACK_METHOD env variable is considered.

As the last option, the value is taken from the ini config file, also see the notes.

Fallback value is get if not specified.

api_key

string

API key of the CloudStack API.

If not given, the CLOUDSTACK_KEY env variable is considered.

As the last option, the value is taken from the ini config file, also see the notes.

api_region

string

Default:

"cloudstack"

Name of the ini section in the cloustack.ini file.

If not given, the CLOUDSTACK_REGION env variable is considered.

api_secret

string

Secret key of the CloudStack API.

If not set, the CLOUDSTACK_SECRET env variable is considered.

As the last option, the value is taken from the ini config file, also see the notes.

api_timeout

integer

HTTP timeout in seconds.

If not given, the CLOUDSTACK_TIMEOUT env variable is considered.

As the last option, the value is taken from the ini config file, also see the notes.

Fallback value is 10 seconds if not specified.

api_url

string

URL of the CloudStack API e.g. https://cloud.example.com/client/api.

If not given, the CLOUDSTACK_ENDPOINT env variable is considered.

As the last option, the value is taken from the ini config file, also see the notes.

cidr

string

Default:

"0.0.0.0/0"

CIDR (full notation) to be used for security group rule.

end_port

integer

End port for this rule. Required if protocol=tcp or protocol=udp, but start_port will be used if not set.

icmp_code

integer

Error code for this icmp message. Required if protocol=icmp.

icmp_type

integer

Type of the icmp message being sent. Required if protocol=icmp.

poll_async

boolean

  • no
  • yes

Poll async jobs until job has finished.

project

string

Name of the project the security group to be created in.

protocol

string

  • tcp

  • udp
  • icmp
  • ah
  • esp
  • gre

Protocol of the security group rule.

security_group

string / required

Name of the security group the rule is related to. The security group must be existing.

start_port

integer

Start port for this rule. Required if protocol=tcp or protocol=udp.


aliases: port

state

string

  • present

  • absent

State of the security group rule.

type

string

  • ingress

  • egress

Ingress or egress security group rule.

user_security_group

string

Security group this rule is based of.



Notes

Note

  • Ansible uses the cs library’s configuration method if credentials are not provided by the arguments api_url, api_key, api_secret. Configuration is read from several locations, in the following order. The CLOUDSTACK_ENDPOINT, CLOUDSTACK_KEY, CLOUDSTACK_SECRET and CLOUDSTACK_METHOD. CLOUDSTACK_TIMEOUT environment variables. A CLOUDSTACK_CONFIG environment variable pointing to an .ini file. A cloudstack.ini file in the current working directory. A .cloudstack.ini file in the users home directory. Optionally multiple credentials and endpoints can be specified using ini sections in cloudstack.ini. Use the argument api_region to select the section name, default section is cloudstack. See https://github.com/exoscale/cs for more information.
  • A detailed guide about cloudstack modules can be found in the CloudStack Cloud Guide.
  • This module supports check mode.


Examples

---
- name: allow inbound port 80/tcp from 1.2.3.4 added to security group 'default'
  cs_securitygroup_rule:
    security_group: default
    port: 80
    cidr: 1.2.3.4/32
  delegate_to: localhost

- name: allow tcp/udp outbound added to security group 'default'
  cs_securitygroup_rule:
    security_group: default
    type: egress
    start_port: 1
    end_port: 65535
    protocol: '{{ item }}'
  with_items:
  - tcp
  - udp
  delegate_to: localhost

- name: allow inbound icmp from 0.0.0.0/0 added to security group 'default'
  cs_securitygroup_rule:
    security_group: default
    protocol: icmp
    icmp_code: -1
    icmp_type: -1
  delegate_to: localhost

- name: remove rule inbound port 80/tcp from 0.0.0.0/0 from security group 'default'
  cs_securitygroup_rule:
    security_group: default
    port: 80
    state: absent
  delegate_to: localhost

- name: allow inbound port 80/tcp from security group web added to security group 'default'
  cs_securitygroup_rule:
    security_group: default
    port: 80
    user_security_group: web
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description

cidr

string

success and cidr is defined

CIDR of the rule.


Sample:

0.0.0.0/0

end_port

integer

success

end port of the rule.


Sample:

80

id

string

success

UUID of the of the rule.


Sample:

a6f7a5fc-43f8-11e5-a151-feff819cdc9f

protocol

string

success

protocol of the rule.


Sample:

tcp

security_group

string

success

security group of the rule.


Sample:

default

start_port

integer

success

start port of the rule.


Sample:

80

type

string

success

type of the rule.


Sample:

ingress

user_security_group

string

success and user_security_group is defined

user security group of the rule.


Sample:

default




Status

Authors

  • René Moser (@resmo)

Hint

If you notice any issues in this documentation you can edit this document to improve it.


© 2012–2018 Michael DeHaan
© 2018–2019 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/2.8/modules/cs_securitygroup_rule_module.html