bigip_apm_acl – Manage user-defined APM ACLs

New in version 2.9.

Synopsis

  • Manage user-defined APM ACLs.

Parameters

Parameter Choices/Defaults Comments
acl_order
integer
Specifies a number that indicates the order of this ACL relative to other ACLs.
When not set, the device will always place the ACL after the last one created.
The lower number the higher the ACL will be in the general order, with lowest number 0 being the topmost one.
Valid range of values is between 0 and 65535 inclusive.
description
string
User created ACL description.
entries
list
Access control entries that define the ACL matching and its respective behavior.
The order in which the rules are placed as arguments to this parameter, determines their order in the ACL, in other words changing the order of the same elements will cause a change on the unit.
action
string / required
    Choices:
  • allow
  • reject
  • discard
  • continue
Specifies the action that the access control entry takes when a match for this access control entry is encountered.
dst_addr
string
Specifies the destination IP address for the access control entry.
When set to any the ACL will match any destination address, dst_mask is ignored in this case.
dst_mask
string
Optional parameter that specifies the destination network mask for the access control entry.
If not specified and dst_addr is not any the dst_addr is deemed to be host address.
dst_port
string
Specifies the destination port for the access control entry.
Can be set to * to indicate all ports.
Parameter is mutually exclusive with dst_port_range.
dst_port_range
string
Specifies the destination port range for the access control entry.
Parameter is mutually exclusive with dst_port_range.
To indicate all ports the dst_port parameter must be used and set to *.
host_name
string
This parameter applies to Layer 7 access control entries only.
Specifies a host to which the access control entry applies.
log
string
    Choices:
  • none
  • packet
Specifies the log level that is logged when actions of this type occur.
When none it will log nothing, which is a default action.
When packet it will log the matched packet.
paths
string
This parameter applies to Layer 7 access control entries only.
Specifies the path or paths to which the access control entry applies.
protocol
string
    Choices:
  • tcp
  • icmp
  • udp
  • all
This parameter applies to Layer 4 access control entries only.
Specifies the protocol: tcp, udp, icmp or all protocols, to which the access control entry applies.
scheme
string
    Choices:
  • http
  • https
  • any
This parameter applies to Layer 7 access control entries only.
Specifies the URI scheme: http, https or any on which the access control entry operates.
src_addr
string
Specifies the source IP address for the access control entry.
When set to any the ACL will match any source address, src_mask is ignored in this case.
src_mask
string
Optional parameter that specifies the source network mask for the access control entry.
If not specified and src_addr is not any the src_addr is deemed to be host address.
src_port
string
Specifies the source port for the access control entry.
Can be set to * to indicate all ports.
Parameter is mutually exclusive with src_port_range.
src_port_range
string
Specifies the source port range for the access control entry.
Parameter is mutually exclusive with src_port_range.
To indicate all ports the src_port parameter must be used and set to *.
name
string / required
Specifies the name of the ACL to manage.
partition
string
Default:
"Common"
Device partition to manage resources on.
path_match_case
boolean
    Choices:
  • no
  • yes
Specifies whether alphabetic case is considered when matching paths in an access control entry.
provider
dictionary
added in 2.5
A dict object containing connection details.
auth_provider
string
Configures the auth provider for to obtain authentication tokens from the remote device.
This option is really used when working with BIG-IQ devices.
password
string / required
The password for the user account used to connect to the BIG-IP.
You may omit this option by setting the environment variable F5_PASSWORD.

aliases: pass, pwd
server
string / required
The BIG-IP host.
You may omit this option by setting the environment variable F5_SERVER.
server_port
integer
Default:
443
The BIG-IP server port.
You may omit this option by setting the environment variable F5_SERVER_PORT.
ssh_keyfile
path
Specifies the SSH keyfile to use to authenticate the connection to the remote device. This argument is only used for cli transports.
You may omit this option by setting the environment variable ANSIBLE_NET_SSH_KEYFILE.
timeout
integer
Specifies the timeout in seconds for communicating with the network device for either connecting or sending commands. If the timeout is exceeded before the operation is completed, the module will error.
transport
string
    Choices:
  • cli
  • rest ←
Configures the transport connection to use when connecting to the remote device.
user
string / required
The username to connect to the BIG-IP with. This user must have administrative privileges on the device.
You may omit this option by setting the environment variable F5_USER.
validate_certs
boolean
    Choices:
  • no
  • yes ←
If no, SSL certificates are not validated. Use this only on personally controlled sites using self-signed certificates.
You may omit this option by setting the environment variable F5_VALIDATE_CERTS.
state
string
    Choices:
  • present ←
  • absent
When state is present, ensures that the ACL exists.
When state is absent, ensures that the ACL is removed.
type
string
    Choices:
  • static
  • dynamic
Specifies the type of ACL to create.
Once the type is set it cannot be changed.

Notes

Note

  • For more information on using Ansible to manage F5 Networks devices see https://www.ansible.com/integrations/networks/f5.
  • Requires BIG-IP software version >= 12.
  • The F5 modules only manipulate the running configuration of the F5 product. To ensure that BIG-IP specific configuration persists to disk, be sure to include at least one task that uses the bigip_config module to save the running configuration. Refer to the module’s documentation for the correct usage of the module to save your running configuration.

Examples

- name: Create a static ACL with L4 entries
  bigip_apm_acl:
    name: L4foo
    acl_order: 0
    type: static
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: reject
        dst_port: '*'
        dst_addr: '192.168.1.1'
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7 entries
  bigip_apm_acl:
    name: L7foo
    acl_order: 1
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
      - action: reject
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Create a static ACL with L7/L4 entries
  bigip_apm_acl:
    name: L7L4foo
    acl_order: 2
    type: static
    path_match_case: no
    entries:
      - action: allow
        host_name: 'foobar.com'
        paths: '/shopfront'
        scheme: https
        dst_port: '8181'
        dst_addr: '192.168.1.1'
        protocol: tcp
      - action: reject
        dst_addr: '192.168.1.1'
        host_name: 'internal_foobar.com'
        paths: '/admin'
        scheme: any
        protocol: all
        log: packet
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Modify a static ACL entries
  bigip_apm_acl:
    name: L4foo
    entries:
      - action: allow
        dst_port: '80'
        dst_addr: '192.168.1.1'
        src_port: '443'
        src_addr: '10.10.10.0'
        src_mask: '255.255.255.128'
        protocol: tcp
      - action: discard
        dst_port: '*'
        dst_addr: 192.168.1.1
        src_port: '*'
        src_addr: '10.10.10.0'
        src_mask: '255.2155.255.128'
        protocol: all
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

- name: Remove static ACL
  bigip_apm_acl:
    name: L4foo
    state: absent
    provider:
      password: secret
      server: lb.mydomain.com
      user: admin
  delegate_to: localhost

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key Returned Description
acl_order
integer
changed
The order of this ACL relative to other ACLs.

Sample:
10
description
string
changed
The new description of the ACL.

Sample:
My ACL
entries
complex
changed
Access control entries that define the ACL matching and its respective behavior.

Sample:
hash/dictionary of values
 
action
string
changed
Action that the access control entry takes when a match for this access control entry is encountered.

Sample:
allow
 
dst_addr
string
changed
The destination IP address for the access control entry.

Sample:
192.168.0.1
 
dst_mask
string
changed
The destination network mask for the access control entry.

Sample:
255.255.255.128
 
dst_port
string
changed
The destination port for the access control entry.

Sample:
80
 
dst_port_range
string
changed
The destination port range for the access control entry.

Sample:
80-81
 
host_name
string
changed
The host to which the access control entry applies.

Sample:
foobar.com
 
log
string
changed
The log level that is logged when actions of this type occur.

Sample:
packet
 
paths
string
changed
The path or paths to which the access control entry applies.

Sample:
/fooshop
 
protocol
string
changed
The protocol to which the access control entry applies.

Sample:
tcp
 
scheme
string
changed
The URI scheme on which the access control entry operates.

Sample:
https
 
src_addr
string
changed
The source IP address for the access control entry.

Sample:
192.168.0.1
 
src_mask
string
changed
The source network mask for the access control entry.

Sample:
255.255.255.128
 
src_port
string
changed
The source port for the access control entry.

Sample:
80
 
src_port_range
string
changed
The source port range for the access control entry.

Sample:
80-81
path_match_case
boolean
changed
Specifies whether alphabetic case is considered when matching paths in an access control entry.

Sample:
True
type
string
changed
The type of ACL to create.

Sample:
static


Status

Authors

  • Wojciech Wypior (@wojtek0806)

Hint

If you notice any issues in this documentation, you can edit this document to improve it.