community.digitalocean.digital_ocean_firewall – Manage cloud firewalls within DigitalOcean
Note
This plugin is part of the community.digitalocean collection (version 1.11.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run: ansible-galaxy collection list
To install it, use: ansible-galaxy collection install community.digitalocean
To use it in a playbook, specify: community.digitalocean.digital_ocean_firewall
New in version 1.1.0 of community.digitalocean
Synopsis
- This module can be used to create, update or remove cloud firewalls on the DigitalOcean cloud platform, and to attach them to Droplets by ID or by tag.
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
droplet_ids (list / elements=string) | | List of Droplet IDs to be assigned to the firewall.
inbound_rules (list / elements=dictionary / required) | | Firewall rules targeting inbound network traffic into the protected Droplets. Each entry takes the sub-options below.
inbound_rules[].ports (string / required) | | The ports on which traffic will be allowed: a single port, a range (e.g. "8000-9000"), or all.
inbound_rules[].protocol (string) | Choices: tcp (default), udp, icmp | Network protocol to be accepted.
inbound_rules[].sources (dictionary / required) | | Dictionary of locations from which inbound traffic will be accepted; any combination of the sub-options below.
inbound_rules[].sources.addresses (list / elements=string) | | List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs and/or IPv6 CIDRs from which the firewall will allow traffic.
inbound_rules[].sources.droplet_ids (list / elements=string) | | List of the IDs of the Droplets from which the firewall will allow traffic.
inbound_rules[].sources.load_balancer_uids (list / elements=string) | | List of the IDs of the Load Balancers from which the firewall will allow traffic.
inbound_rules[].sources.tags (list / elements=string) | | List of Tag names; the firewall will allow traffic from every Droplet carrying one of these tags.
name (string / required) | | Name of the firewall to create or manage.
oauth_token (string) | | DigitalOcean OAuth token. It can also be supplied through one of the environment variables DO_API_TOKEN, DO_API_KEY, DO_OAUTH_TOKEN or OAUTH_TOKEN, which keeps the token out of the playbook; if it must live in variables, store it Ansible Vault-encrypted. Aliases: api_token
outbound_rules (list / elements=dictionary / required) | | Firewall rules targeting outbound network traffic from the protected Droplets. Each entry takes the sub-options below.
outbound_rules[].destinations (dictionary / required) | | Dictionary of locations to which outbound traffic will be allowed; any combination of the sub-options below.
outbound_rules[].destinations.addresses (list / elements=string) | | List of strings containing the IPv4 addresses, IPv6 addresses, IPv4 CIDRs and/or IPv6 CIDRs to which the firewall will allow traffic.
outbound_rules[].destinations.droplet_ids (list / elements=string) | | List of the IDs of the Droplets to which the firewall will allow traffic.
outbound_rules[].destinations.load_balancer_uids (list / elements=string) | | List of the IDs of the Load Balancers to which the firewall will allow traffic.
outbound_rules[].destinations.tags (list / elements=string) | | List of Tag names; the firewall will allow traffic to every Droplet carrying one of these tags.
outbound_rules[].ports (string / required) | | The ports on which traffic will be allowed: a single port, a range (e.g. "8000-9000"), or all.
outbound_rules[].protocol (string) | Choices: tcp (default), udp, icmp | Network protocol to be accepted.
state (string) | Choices: present (default), absent | Assert the state of the firewall. Set to present to create or update it and absent to remove it.
tags (list / elements=string) | | List of tags to be assigned to the firewall; its rules apply to every Droplet carrying one of these tags.
timeout (integer) | Default: 30 | The timeout in seconds used for polling DigitalOcean's API.
validate_certs (boolean) | Choices: no, yes (default) | If set to no, the SSL certificates will not be validated. This should only be set to no on personally controlled sites using self-signed certificates; with validation off the OAuth token is sent to whoever answers for the API host.
Examples
```yaml
# Allows tcp connections to port 22 (SSH) from specific sources
# Allows tcp connections to ports 80 and 443 from any source
# Allows outbound access to any destination for protocols tcp, udp and icmp
# The firewall rules will be applied to any droplets with the tag "sample"
- name: Create a Firewall named my-firewall
  community.digitalocean.digital_ocean_firewall:
    name: my-firewall
    state: present
    inbound_rules:
      - protocol: "tcp"
        ports: "22"
        sources:
          addresses: ["1.2.3.4"]
          droplet_ids: ["my_droplet_id_1", "my_droplet_id_2"]
          load_balancer_uids: ["my_lb_id_1", "my_lb_id_2"]
          tags: ["tag_1", "tag_2"]
      - protocol: "tcp"
        ports: "80"
        sources:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "tcp"
        ports: "443"
        sources:
          addresses: ["0.0.0.0/0", "::/0"]
    outbound_rules:
      - protocol: "tcp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "udp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
      - protocol: "icmp"
        ports: "1-65535"
        destinations:
          addresses: ["0.0.0.0/0", "::/0"]
    droplet_ids: []
    tags: ["sample"]
```
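The inbound_rules and outbound_rules structure is easy to get wrong in the direction that matters: a sources entry containing 0.0.0.0/0 or ::/0 admits the whole internet regardless of the Droplet IDs, Load Balancer IDs or tags listed beside it, and a rule with no sources at all admits nothing. The following Python check is added here as an example and is not part of the community.digitalocean collection; it walks a task's parameters in the module's own layout and reports such rules before the playbook applies them. The ADMIN_PORTS set, the two constructed firewall definitions, and the acceptance of "all" or "0" as the all-ports spelling are assumptions of the example, not module behaviour.

```python
"""Pre-flight lint for digital_ocean_firewall rule sets (added example)."""
import ipaddress

# Assumption: ports that should never be reachable from the whole internet.
ADMIN_PORTS = {22, 3389, 3306, 5432, 6379, 27017}
SELECTOR_KEYS = ("addresses", "droplet_ids", "load_balancer_uids", "tags")


def parse_ports(ports):
    """Expand the module's ports string into a set of ints, or None for all.

    "22" -> {22}; "8000-9000" -> {8000, ..., 9000}; "all" or "0" -> None
    (assumption: both spellings mean every port). Raises ValueError on an
    inverted range or a value outside 1-65535.
    """
    text = str(ports).strip().lower()
    if text in ("all", "0"):
        return None
    lo, _, hi = text.partition("-")
    lo = int(lo)
    hi = int(hi) if hi else lo
    if not 1 <= lo <= hi <= 65535:
        raise ValueError(f"invalid port specification {ports!r}")
    return set(range(lo, hi + 1))


def open_to_world(addresses):
    """True if any entry is a /0 network, i.e. all of IPv4 or all of IPv6."""
    return any(ipaddress.ip_network(a, strict=False).prefixlen == 0
               for a in addresses or [])


def lint_rule(rule, direction):
    """Return a list of findings for one inbound or outbound rule dict."""
    peer_key = "sources" if direction == "inbound" else "destinations"
    label = f"{direction} {rule.get('protocol', 'tcp')}/{rule.get('ports')}"
    peers = rule.get(peer_key) or {}
    selectors = [k for k in SELECTOR_KEYS if peers.get(k)]
    if not selectors:
        return [f"{label}: no {peer_key} given, the rule matches nothing"]
    try:
        ports = parse_ports(rule.get("ports"))
    except ValueError as exc:
        return [f"{label}: {exc}"]

    findings = []
    if rule.get("protocol") == "icmp" and ports is not None:
        findings.append(f"{label}: ICMP has no port numbers, the ports value is meaningless")
    # Only inbound exposure is scored; outbound 0.0.0.0/0 is the usual default.
    if direction == "inbound" and open_to_world(peers.get("addresses")):
        exposed = sorted(ADMIN_PORTS if ports is None else ADMIN_PORTS & ports)
        if exposed:
            findings.append(f"{label}: administrative port(s) {exposed} reachable from 0.0.0.0/0 or ::/0")
        if len(selectors) > 1:
            findings.append(f"{label}: world-open address entry makes the other {peer_key} selectors redundant")
    return findings


def lint_firewall(spec):
    """Lint a whole firewall definition given as the module's parameter dict."""
    findings = []
    for rule in spec.get("inbound_rules") or []:
        findings.extend(lint_rule(rule, "inbound"))
    for rule in spec.get("outbound_rules") or []:
        findings.extend(lint_rule(rule, "outbound"))
    if not spec.get("droplet_ids") and not spec.get("tags"):
        findings.append("firewall is attached to no Droplets and no tags, so it protects nothing")
    return findings


# Constructed input: the documentation's SSH rule, but opened to the world
# while still naming a tag (which the /0 entry makes irrelevant).
WORLD_SSH = {
    "name": "my-firewall", "tags": ["sample"],
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"], "tags": ["bastion"]}},
        {"protocol": "tcp", "ports": "443",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "outbound_rules": [
        {"protocol": "tcp", "ports": "1-65535",
         "destinations": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
}

# Constructed input: same firewall with SSH reachable only from the bastion tag.
BASTION_SSH = {
    "name": "my-firewall", "tags": ["sample"],
    "inbound_rules": [
        {"protocol": "tcp", "ports": "22", "sources": {"tags": ["bastion"]}},
        {"protocol": "tcp", "ports": "443",
         "sources": {"addresses": ["0.0.0.0/0", "::/0"]}},
    ],
    "outbound_rules": WORLD_SSH["outbound_rules"],
}

if __name__ == "__main__":
    for name, spec in (("world-open ssh", WORLD_SSH), ("bastion-only ssh", BASTION_SSH)):
        print(name, lint_firewall(spec) or "ok")
```

Run it as a CI step or a pre-task against the rendered task variables and fail the pipeline on a non-empty findings list. The first constructed definition is flagged twice (port 22 open to the world, and the bastion tag made redundant by the /0 entry); the second restricts SSH to the bastion tag and passes clean.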
Return Values
Common return values are documented here, the following are the fields unique to this module:
Key | Returned | Description
---|---|---
data (dictionary) | success | DigitalOcean firewall resource. Sample:

```
{'created_at': '2020-08-11T18:41:30Z',
 'droplet_ids': [],
 'id': '7acd6ee2-257b-434f-8909-709a5816d4f9',
 'inbound_rules': [{'ports': '443', 'protocol': 'tcp',
                    'sources': {'addresses': ['1.2.3.4'],
                                'droplet_ids': ['my_droplet_id_1', 'my_droplet_id_2'],
                                'load_balancer_uids': ['my_lb_id_1', 'my_lb_id_2'],
                                'tags': ['tag_1', 'tag_2']}},
                   {'ports': '80', 'protocol': 'tcp',
                    'sources': {'addresses': ['0.0.0.0/0', '::/0']}},
                   {'ports': '443', 'protocol': 'tcp',
                    'sources': {'addresses': ['0.0.0.0/0', '::/0']}}],
 'name': 'my-firewall',
 'outbound_rules': [{'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'tcp'},
                    {'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'udp'},
                    {'destinations': {'addresses': ['0.0.0.0/0', '::/0']}, 'ports': '1-65535', 'protocol': 'icmp'}],
 'pending_changes': [],
 'status': 'succeeded',
 'tags': ['sample']}
```
Authors
- Anthony Bond (@BondAnthony)
- Lucas Basquerotto (@lucasbasquerotto)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/community/digitalocean/digital_ocean_firewall_module.html