f5networks.f5_modules.bigip_apm_acl – Manage user-defined APM ACLs
Note

This plugin is part of the f5networks.f5_modules collection (version 1.12.0). You might already have this collection installed if you are using the ansible package. It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list. To install it, use: ansible-galaxy collection install f5networks.f5_modules. To use it in a playbook, specify: f5networks.f5_modules.bigip_apm_acl.

New in version 1.0.0 of f5networks.f5_modules
Synopsis
- Manage user-defined APM ACLs.
Parameters
Parameter | Choices/Defaults | Comments
---|---|---
acl_order integer | | Specifies a number that indicates the order of this ACL relative to other ACLs. When not set, the device places the ACL after the last one created. The lower the number, the higher the ACL sits in the overall order; 0 is the topmost. Valid range is 0 to 65535 inclusive.
description string | | User-created ACL description.
entries list / elements=dictionary | | Access control entries that define the ACL matching and the action taken on a match. The order of the items in this list is the order of the entries in the ACL, so reordering the same items is a change and is pushed to the device. A change in the number of entries always triggers a device change. User input takes precedence over what is on the device.
entries[].action string / required | | Specifies the action the access control entry takes when the entry matches.
entries[].dst_addr string | | Specifies the destination IP address for the access control entry. When set to any, the entry matches any destination address and dst_mask is ignored.
entries[].dst_mask string | | Optional destination network mask for the access control entry. If not specified and dst_addr is not any, dst_addr is treated as a single host address.
entries[].dst_port string | | Specifies the destination port for the access control entry. Can be set to * to match all ports. Mutually exclusive with dst_port_range.
entries[].dst_port_range string | | Specifies the destination port range for the access control entry. Mutually exclusive with dst_port. To match all ports, use dst_port set to * instead.
entries[].host_name string | | Layer 7 access control entries only. Specifies a host to which the entry applies.
entries[].log string | none (default), packet | Specifies the log level applied when the entry matches. With none nothing is logged (the default); with packet the matched packet is logged.
entries[].paths string | | Layer 7 access control entries only. Specifies the path or paths to which the entry applies.
entries[].protocol string | tcp, udp, icmp, all | Layer 4 access control entries only. Specifies the protocol to which the entry applies.
entries[].scheme string | http, https, any | Layer 7 access control entries only. Specifies the URI scheme on which the entry operates.
entries[].src_addr string | | Specifies the source IP address for the access control entry. When set to any, the entry matches any source address and src_mask is ignored.
entries[].src_mask string | | Optional source network mask for the access control entry. If not specified and src_addr is not any, src_addr is treated as a single host address.
entries[].src_port string | | Specifies the source port for the access control entry. Can be set to * to match all ports. Mutually exclusive with src_port_range.
entries[].src_port_range string | | Specifies the source port range for the access control entry. Mutually exclusive with src_port. To match all ports, use src_port set to * instead.
name string / required | | Specifies the name of the ACL to manage.
partition string | Default: "Common" | Device partition to manage resources on.
path_match_case boolean | no, yes | Specifies whether alphabetic case is considered when matching paths in an access control entry.
provider dictionary (added in 1.0.0 of f5networks.f5_modules) | | A dict object containing connection details.
provider.auth_provider string | | Configures the auth provider used to obtain authentication tokens from the remote device. This option is only relevant when working with BIG-IQ devices.
provider.no_f5_teem boolean | no, yes | If yes, TEEM telemetry data is not sent to F5. You may omit this option by setting the environment variable F5_TELEMETRY_OFF. The previously used variable F5_TEEM is deprecated because its name was confusing.
provider.password string / required | | The password for the user account used to connect to the BIG-IP. You may omit this option by setting the environment variable F5_PASSWORD. Aliases: pass, pwd.
provider.server string / required | | The BIG-IP host. You may omit this option by setting the environment variable F5_SERVER.
provider.server_port integer | Default: 443 | The BIG-IP server port. You may omit this option by setting the environment variable F5_SERVER_PORT.
provider.timeout integer | | Specifies the timeout in seconds for connecting to the device or sending commands to it. If the timeout is exceeded before the operation completes, the module errors.
provider.transport string | | Configures the transport connection to use when connecting to the remote device.
provider.user string / required | | The username to connect to the BIG-IP with. This user must have administrative privileges on the device. You may omit this option by setting the environment variable F5_USER.
provider.validate_certs boolean | no, yes | If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates. You may omit this option by setting the environment variable F5_VALIDATE_CERTS.
state string | present, absent | When state is present, ensures that the ACL exists. When state is absent, ensures that the ACL is removed.
type string | | Specifies the type of ACL to create. Once the type is set it cannot be changed.
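The ordering and address/port semantics described for entries above are easy to get wrong in a playbook, and the device only reports an error after the change is attempted. The following is an added example, not code from the f5networks.f5_modules collection or from F5: a local pre-flight validator for an entries list (required action, port/port_range mutual exclusion, masks that parse, '*' only on the port field) plus a first-match simulation of the Layer 4 fields. It assumes APM applies the first matching entry top to bottom; the module documentation only states that entry order matters, so first-match is an assumption of this example. The sample entries are the L4foo ACL from the Examples section, embedded as constructed input.

```python
"""Added example (not part of f5networks.f5_modules): a local pre-flight check
and a first-match simulation for the `entries` list that bigip_apm_acl pushes
to the device. Assumptions are marked in the comments."""
import ipaddress
from typing import Dict, List, Optional, Tuple

# Constructed sample input: the two entries of the L4foo ACL from the Examples.
L4FOO_ENTRIES: List[Dict[str, str]] = [
    {"action": "allow", "protocol": "tcp",
     "src_addr": "10.10.10.0", "src_mask": "255.255.255.128", "src_port": "443",
     "dst_addr": "192.168.1.1", "dst_port": "80"},
    {"action": "reject", "protocol": "tcp", "log": "packet",
     "src_addr": "10.10.10.0", "src_mask": "255.255.255.128", "src_port": "*",
     "dst_addr": "192.168.1.1", "dst_port": "*"},
]

def _valid_port(p: str) -> bool:
    return p == "*" or (p.isdigit() and int(p) <= 65535)

def validate_entry(entry: Dict[str, str]) -> List[str]:
    """Check one entry against the constraints the module documents: action is
    required, <side>_port and <side>_port_range are mutually exclusive, '*' is
    only valid for <side>_port, and addresses/masks must parse. Returns the
    list of problems found (empty when the entry is acceptable)."""
    problems: List[str] = []
    if "action" not in entry:
        problems.append("action is required")
    for side in ("src", "dst"):
        port, rng = entry.get(f"{side}_port"), entry.get(f"{side}_port_range")
        if port is not None and rng is not None:
            problems.append(f"{side}_port and {side}_port_range are mutually exclusive")
        if port is not None and not _valid_port(port):
            problems.append(f"{side}_port {port!r} is not a port number or '*'")
        if rng is not None:
            lo, sep, hi = rng.partition("-")
            if not (sep and lo.isdigit() and hi.isdigit() and int(lo) <= int(hi) <= 65535):
                problems.append(f"{side}_port_range {rng!r} must be 'low-high'; "
                                f"use {side}_port: '*' for all ports")
        addr, mask = entry.get(f"{side}_addr"), entry.get(f"{side}_mask")
        try:
            if addr not in (None, "any"):
                ipaddress.ip_address(addr)
                if mask is not None:  # a mask is ignored when addr is 'any'
                    ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        except ValueError as exc:
            problems.append(f"{side}_addr/{side}_mask do not parse: {exc}")
    return problems

def _network(addr: Optional[str], mask: Optional[str]):
    """None means 'match anything' (addr omitted or 'any'; mask ignored then).
    Without a mask the address is a single host, as the documentation states."""
    if addr in (None, "any"):
        return None
    if mask is None:
        return ipaddress.ip_network(addr)  # host address, /32
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)

def _port_ok(port: Optional[str], rng: Optional[str], actual: int) -> bool:
    if rng is not None:
        lo, _, hi = rng.partition("-")
        return int(lo) <= actual <= int(hi)
    return port in (None, "*") or int(port) == actual

def matches(entry: Dict[str, str], flow: Dict[str, object]) -> bool:
    """Layer 4 match only: protocol, source/destination network and port.
    flow keys: protocol, src_addr, src_port, dst_addr, dst_port."""
    proto = entry.get("protocol", "all")
    if proto != "all" and proto != flow["protocol"]:
        return False
    for side in ("src", "dst"):
        net = _network(entry.get(f"{side}_addr"), entry.get(f"{side}_mask"))
        if net is not None and ipaddress.ip_address(flow[f"{side}_addr"]) not in net:
            return False
        if not _port_ok(entry.get(f"{side}_port"), entry.get(f"{side}_port_range"),
                        flow[f"{side}_port"]):
            return False
    return True

def evaluate(entries: List[Dict[str, str]],
             flow: Dict[str, object]) -> Tuple[Optional[int], Optional[str]]:
    """Walk the entries top to bottom and return (index, action) of the first
    match. ASSUMPTION: APM applies the first matching entry; the module docs
    only state that entry order matters. (None, None) means no entry matched
    and the device's own default behaviour applies."""
    for i, entry in enumerate(entries):
        if matches(entry, flow):
            return i, entry["action"]
    return None, None

if __name__ == "__main__":
    web = {"protocol": "tcp", "src_addr": "10.10.10.5", "src_port": 443,
           "dst_addr": "192.168.1.1", "dst_port": 80}
    print(evaluate(L4FOO_ENTRIES, web))                        # (0, 'allow')
    print(evaluate(L4FOO_ENTRIES, dict(web, src_port=1024)))  # (1, 'reject')
    # Same two entries in the other order: the reject now shadows the allow.
    print(evaluate(list(reversed(L4FOO_ENTRIES)), web))        # (0, 'reject')
    # A mistyped mask is caught locally instead of by the device.
    print(validate_entry(dict(L4FOO_ENTRIES[1], src_mask="255.2155.255.128")))
```

Running the validator over each item of entries before the bigip_apm_acl task (for example in a small lookup or filter plugin, or as a pre-commit check on the playbook) catches the mutual-exclusion and mask mistakes that otherwise surface only as a device-side failure; the evaluate function shows why swapping two items is a real configuration change rather than a cosmetic one.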
Notes
- For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
- Requires BIG-IP software version >= 12.
- The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the f5networks.f5_modules.bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.
Examples
```yaml
- name: Create a static ACL with L4 entries
  bigip_apm_acl:
    name: L4foo
    acl_order: 0
    type: static
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: reject
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7 entries
  bigip_apm_acl:
    name: L7foo
    acl_order: 1
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
      - action: reject
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7/L4 entries
  bigip_apm_acl:
    name: L7L4foo
    acl_order: 2
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
        dst_port: '8181'
        dst_addr: '192.168.1.1'
        protocol: tcp
      - action: reject
        dst_addr: '192.168.1.1'
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        protocol: all
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Modify the entries of a static ACL
  bigip_apm_acl:
    name: L4foo
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: discard
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: all
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove static ACL
  bigip_apm_acl:
    name: L4foo
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost
```
Return Values
Common return values are documented here; the following are the fields unique to this module:
Key | Returned | Description
---|---|---
acl_order integer | changed | The order of this ACL relative to other ACLs. Sample: 10
description string | changed | The new description of the ACL. Sample: My ACL
entries complex | changed | Access control entries that define the ACL matching and its respective behavior. Sample: hash/dictionary of values
entries[].action string | changed | Action the access control entry takes when a match for this access control entry is encountered. Sample: allow
entries[].dst_addr string | changed | The destination IP address for the access control entry. Sample: 192.168.0.1
entries[].dst_mask string | changed | The destination network mask for the access control entry. Sample: 255.255.255.128
entries[].dst_port string | changed | The destination port for the access control entry. Sample: 80
entries[].dst_port_range string | changed | The destination port range for the access control entry. Sample: 80-81
entries[].host_name string | changed | The host to which the access control entry applies. Sample: foobar.com
entries[].log string | changed | The log level that is logged when actions of this type occur. Sample: packet
entries[].paths string | changed | The path or paths to which the access control entry applies. Sample: /fooshop
entries[].protocol string | changed | The protocol to which the access control entry applies. Sample: tcp
entries[].scheme string | changed | The URI scheme on which the access control entry operates. Sample: https
entries[].src_addr string | changed | The source IP address for the access control entry. Sample: 192.168.0.1
entries[].src_mask string | changed | The source network mask for the access control entry. Sample: 255.255.255.128
entries[].src_port string | changed | The source port for the access control entry. Sample: 80
entries[].src_port_range string | changed | The source port range for the access control entry. Sample: 80-81
path_match_case boolean | changed | Whether alphabetic case is considered when matching paths in an access control entry. Sample: True
type string | changed | The type of ACL created. Sample: static
Authors
- Wojciech Wypior (@wojtek0806)
© 2012–2018 Michael DeHaan
© 2018–2021 Red Hat, Inc.
Licensed under the GNU General Public License version 3.
https://docs.ansible.com/ansible/latest/collections/f5networks/f5_modules/bigip_apm_acl_module.html