cs_securitygroup_rule - Manages security group rules on Apache CloudStack based clouds.¶

New in version 2.0.

Synopsis
- Requirements
Parameters
Notes
Examples
Return Values
Status
Maintenance
- Author

Synopsis ¶

Add and remove security group rules.

Requirements ¶

The below requirements are needed on the host that executes this module.

python >= 2.6
cs >= 0.6.10

Parameters ¶

Parameter	Choices/Defaults	Comments
api_http_method	Choices: get post	HTTP method used to query the API endpoint. If not given, the `CLOUDSTACK_METHOD` env variable is considered. As the last option, the value is taken from the ini config file, also see the notes. Fallback value is `get` if not specified.
api_key		API key of the CloudStack API. If not given, the `CLOUDSTACK_KEY` env variable is considered. As the last option, the value is taken from the ini config file, also see the notes.
api_region	Default: cloudstack	Name of the ini section in the `cloustack.ini` file. If not given, the `CLOUDSTACK_REGION` env variable is considered.
api_secret		Secret key of the CloudStack API. If not set, the `CLOUDSTACK_SECRET` env variable is considered. As the last option, the value is taken from the ini config file, also see the notes.
api_timeout		HTTP timeout in seconds. If not given, the `CLOUDSTACK_TIMEOUT` env variable is considered. As the last option, the value is taken from the ini config file, also see the notes. Fallback value is 10 seconds if not specified.
api_url		URL of the CloudStack API e.g. https://cloud.example.com/client/api. If not given, the `CLOUDSTACK_ENDPOINT` env variable is considered. As the last option, the value is taken from the ini config file, also see the notes.
cidr	Default: 0.0.0.0/0	CIDR (full notation) to be used for security group rule.
end_port		End port for this rule. Required if `protocol=tcp` or `protocol=udp`, but `start_port` will be used if not set.
icmp_code		Error code for this icmp message. Required if `protocol=icmp`.
icmp_type		Type of the icmp message being sent. Required if `protocol=icmp`.
poll_async	Default: yes	Poll async jobs until job has finished.
project		Name of the project the security group to be created in.
protocol	Choices: tcp ← udp icmp ah esp gre	Protocol of the security group rule.
security_group required		Name of the security group the rule is related to. The security group must be existing.
start_port		Start port for this rule. Required if `protocol=tcp` or `protocol=udp`. aliases: port
state	Choices: present ← absent	State of the security group rule.
type	Choices: ingress ← egress	Ingress or egress security group rule.
user_security_group		Security group this rule is based of.

Notes ¶

Note

Ansible uses the cs library’s configuration method if credentials are not provided by the arguments api_url, api_key, api_secret. Configuration is read from several locations, in the following order. The CLOUDSTACK_ENDPOINT, CLOUDSTACK_KEY, CLOUDSTACK_SECRET and CLOUDSTACK_METHOD. CLOUDSTACK_TIMEOUT environment variables. A CLOUDSTACK_CONFIG environment variable pointing to an .ini file. A cloudstack.ini file in the current working directory. A .cloudstack.ini file in the users home directory. Optionally multiple credentials and endpoints can be specified using ini sections in cloudstack.ini. Use the argument api_region to select the section name, default section is cloudstack. See https://github.com/exoscale/cs for more information.
A detailed guide about cloudstack modules can be found in the CloudStack Cloud Guide.
This module supports check mode.

Examples ¶

---
- name: allow inbound port 80/tcp from 1.2.3.4 added to security group 'default'
  local_action:
    module: cs_securitygroup_rule
    security_group: default
    port: 80
    cidr: 1.2.3.4/32

- name: allow tcp/udp outbound added to security group 'default'
  local_action:
    module: cs_securitygroup_rule
    security_group: default
    type: egress
    start_port: 1
    end_port: 65535
    protocol: '{{ item }}'
  with_items:
  - tcp
  - udp

- name: allow inbound icmp from 0.0.0.0/0 added to security group 'default'
  local_action:
    module: cs_securitygroup_rule
    security_group: default
    protocol: icmp
    icmp_code: -1
    icmp_type: -1

- name: remove rule inbound port 80/tcp from 0.0.0.0/0 from security group 'default'
  local_action:
    module: cs_securitygroup_rule
    security_group: default
    port: 80
    state: absent

- name: allow inbound port 80/tcp from security group web added to security group 'default'
  local_action:
    module: cs_securitygroup_rule
    security_group: default
    port: 80
    user_security_group: web

Return Values ¶

Common return values are documented here, the following are the fields unique to this module:

Key	Returned	Description
cidr string	success and cidr is defined	CIDR of the rule. Sample: 0.0.0.0/0
end_port int	success	end port of the rule. Sample: 80
id string	success	UUID of the of the rule. Sample: a6f7a5fc-43f8-11e5-a151-feff819cdc9f
protocol string	success	protocol of the rule. Sample: tcp
security_group string	success	security group of the rule. Sample: default
start_port int	success	start port of the rule. Sample: 80
type string	success	type of the rule. Sample: ingress
user_security_group string	success and user_security_group is defined	user security group of the rule. Sample: default

Status ¶

This module is flagged as stableinterface which means that the maintainers for this module guarantee that no backward incompatible interface changes will be made.

Maintenance ¶

This module is flagged as community which means that it is maintained by the Ansible Community. See Module Maintenance & Support for more info.

For a list of other modules that are also maintained by the Ansible Community, see here.

Author ¶

René Moser (@resmo)

Hint

If you notice any issues in this documentation you can edit this document to improve it.