states.azurerm.network.network_security_group

Azure Resource Manager (ARM) Network Security Group State Module

New in version 1.0.0.

Changed in version 4.0.0.

maintainer:

<devops@eitr.tech>

configuration:

This module requires Azure Resource Manager credentials to be passed via acct. Note that the authentication parameters are case sensitive.

Required provider parameters:

if using username and password:
  • subscription_id
  • username
  • password
if using a service principal:
  • subscription_id
  • tenant
  • client_id
  • secret

Optional provider parameters:

cloud_environment: Used to point the cloud driver to different API endpoints, such as Azure GovCloud. Possible values:

  • AZURE_PUBLIC_CLOUD (default)
  • AZURE_CHINA_CLOUD
  • AZURE_US_GOV_CLOUD
  • AZURE_GERMAN_CLOUD

Example acct setup for Azure Resource Manager authentication:

azurerm:
    default:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        tenant: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        client_id: ABCDEFAB-1234-ABCD-1234-ABCDEFABCDEF
        secret: XXXXXXXXXXXXXXXXXXXXXXXX
        cloud_environment: AZURE_PUBLIC_CLOUD
    user_pass_auth:
        subscription_id: 3287abc8-f98a-c678-3bde-326766fd3617
        username: fletch
        password: 123pass

The authentication parameters can also be passed as a dictionary of keyword arguments to the connection_auth parameter of each state, but this is not preferred and could be deprecated in the future.

idem_azurerm.states.azurerm.network.network_security_group.absent(hub, ctx, name, resource_group, connection_auth=None, **kwargs)

New in version 1.0.0.

Ensure a network security group does not exist in the resource group.

Parameters:
  • name – Name of the network security group.
  • resource_group – The resource group assigned to the network security group.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure nsg is absent:
    azurerm.network.network_security_group.absent:
        - name: nsg1
        - resource_group: group1

idem_azurerm.states.azurerm.network.network_security_group.present(hub, ctx, name, resource_group, tags=None, security_rules=None, connection_auth=None, **kwargs)

New in version 1.0.0.

Changed in version 4.0.0.

Ensure a network security group exists.

Parameters:
  • name – Name of the network security group.
  • resource_group – The resource group assigned to the network security group.
  • tags – A dictionary of strings can be passed as tag metadata to the network security group object.
  • security_rules – A list of dictionaries representing valid SecurityRule objects. See the documentation for the security_rule_present state or security_rule_create_or_update execution module for more information on required and optional parameters for security rules. The rules are only managed if this parameter is present. When this parameter is absent, implemented rules will not be removed, and will merely become unmanaged.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure network security group exists:
    azurerm.network.network_security_group.present:
        - name: nsg1
        - resource_group: group1
        - security_rules:
          - name: nsg1_rule1
            priority: 100
            protocol: tcp
            access: allow
            direction: outbound
            source_address_prefix: virtualnetwork
            destination_address_prefix: internet
            source_port_range: '*'
            destination_port_range: '*'
          - name: nsg1_rule2
            priority: 101
            protocol: tcp
            access: allow
            direction: inbound
            source_address_prefix: internet
            destination_address_prefix: virtualnetwork
            source_port_range: '*'
            destination_port_ranges:
              - '80'
              - '443'
        - tags:
            contact_name: Elmer Fudd Gantry

idem_azurerm.states.azurerm.network.network_security_group.security_rule_absent(hub, ctx, name, security_group, resource_group, connection_auth=None, **kwargs)

New in version 1.0.0.

Ensure a security rule does not exist in the network security group.

Parameters:
  • name – Name of the security rule.
  • security_group – The network security group containing the security rule.
  • resource_group – The resource group assigned to the network security group.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure security rule absent:
    azurerm.network.network_security_group.security_rule_absent:
        - name: nsg1_rule2
        - security_group: nsg1
        - resource_group: group1

idem_azurerm.states.azurerm.network.network_security_group.security_rule_present(hub, ctx, name, access, direction, priority, protocol, security_group, resource_group, destination_address_prefix=None, destination_port_range=None, source_address_prefix=None, source_port_range=None, description=None, destination_address_prefixes=None, destination_port_ranges=None, source_address_prefixes=None, source_port_ranges=None, connection_auth=None, **kwargs)

New in version 1.0.0.

Changed in version 4.0.0.

Ensure a security rule exists.

Parameters:
  • name – Name of the security rule.
  • access – ‘allow’ or ‘deny’
  • direction – ‘inbound’ or ‘outbound’
  • priority – Integer between 100 and 4096 used for ordering rule application.
  • protocol – ‘tcp’, ‘udp’, or ‘*’
  • security_group – The name of the existing network security group to contain the security rule.
  • resource_group – The resource group assigned to the network security group.
  • description – Optional description of the security rule.
  • destination_address_prefix – The CIDR or destination IP range. An asterisk ‘*’ can also be used to match all destination IPs. Default tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. If this is an ingress rule, specifies where network traffic originates from.
  • destination_port_range – The destination port or range. Integer or range between 0 and 65535. An asterisk ‘*’ can also be used to match all ports.
  • source_address_prefix – The CIDR or source IP range. An asterisk ‘*’ can also be used to match all source IPs. Default tags such as ‘VirtualNetwork’, ‘AzureLoadBalancer’ and ‘Internet’ can also be used. If this is an ingress rule, specifies where network traffic originates from.
  • source_port_range – The source port or range. Integer or range between 0 and 65535. An asterisk ‘*’ can also be used to match all ports.
  • destination_address_prefixes – A list of destination_address_prefix values. This parameter overrides destination_address_prefix and will cause any value entered there to be ignored.
  • destination_port_ranges – A list of destination_port_range values. This parameter overrides destination_port_range and will cause any value entered there to be ignored.
  • source_address_prefixes – A list of source_address_prefix values. This parameter overrides source_address_prefix and will cause any value entered there to be ignored.
  • source_port_ranges – A list of source_port_range values. This parameter overrides source_port_range and will cause any value entered there to be ignored.
  • connection_auth – A dict with subscription and authentication parameters to be used in connecting to the Azure Resource Manager API.

Example usage:

Ensure security rule exists:
    azurerm.network.network_security_group.security_rule_present:
        - name: nsg1_rule2
        - security_group: nsg1
        - resource_group: group1
        - priority: 101
        - protocol: tcp
        - access: allow
        - direction: inbound
        - source_address_prefix: internet
        - destination_address_prefix: virtualnetwork
        - source_port_range: '*'
        - destination_port_ranges:
          - '80'
          - '443'
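The rule constraints documented above (priority 100 to 4096, the allowed access/direction/protocol values, port ranges within 0 to 65535, CIDR or default-tag prefixes, and the plural list parameters overriding their singular counterparts) apply both to the security_rules list of the present state and to security_rule_present. The following is an added example, not code from idem-azurerm: a small Python pre-flight validator for a security_rules list, so that a malformed or overly permissive rule is caught before the state is applied. The function names, the uniqueness-of-priority-per-direction check and the "inbound allow from the Internet on every port" finding are my own assumptions, not behaviour of the module.

```python
import ipaddress
# Documented values for security_rule_present, compared case-insensitively ('tcp' on the page, 'Tcp' from Azure).
ENUMS = {"access": {"allow", "deny"}, "direction": {"inbound", "outbound"}, "protocol": {"tcp", "udp", "*"}}
SERVICE_TAGS = {"*", "virtualnetwork", "azureloadbalancer", "internet"}

def port_ok(value):
    # '*' matches all ports; otherwise a single port or 'lo-hi' range within 0..65535
    parts = str(value).split("-")
    if str(value) == "*":
        return True
    if len(parts) > 2 or not all(p.isdigit() for p in parts):
        return False
    return all(0 <= int(p) <= 65535 for p in parts) and int(parts[0]) <= int(parts[-1])

def prefix_ok(value):
    # a CIDR / single IP, '*', or one of the default tags the page lists
    try:
        return str(value).lower() in SERVICE_TAGS or ipaddress.ip_network(str(value), strict=False) is not None
    except ValueError:
        return False

def effective(rule, key):
    # values actually applied: the plural list form overrides the singular one (as documented)
    plural = rule.get(key + ("es" if key.endswith("prefix") else "s"))
    values = plural if plural is not None else [rule[key]] if key in rule else []
    return [str(v) for v in values]

def validate_rules(rules):
    # returns (rule_name, problem) pairs for a security_rules list; [] means clean
    problems, seen = [], set()
    for r in rules:
        name, prio = str(r.get("name", "<unnamed>")), r.get("priority")
        access, direction = str(r.get("access", "")).lower(), str(r.get("direction", "")).lower()
        for field, allowed in ENUMS.items():
            if str(r.get(field, "")).lower() not in allowed:
                problems.append((name, f"{field} {r.get(field)!r} not in {sorted(allowed)}"))
        if not isinstance(prio, int) or not 100 <= prio <= 4096:
            problems.append((name, f"priority {prio!r} is not an integer in 100..4096"))
        elif (direction, prio) in seen:  # assumption: Azure requires priority to be unique per direction
            problems.append((name, f"duplicate {direction} priority {prio}"))
        seen.add((direction, prio))
        for key, ok in (("source_port_range", port_ok), ("destination_port_range", port_ok),
                        ("source_address_prefix", prefix_ok), ("destination_address_prefix", prefix_ok)):
            problems += [(name, f"invalid {key} {v!r}") for v in effective(r, key) if not ok(v)]
        # defender check: an inbound allow from Internet or '*' on every port is reported as a finding
        src = {s.lower() for s in effective(r, "source_address_prefix")}
        if (direction == "inbound" and access == "allow" and src & {"*", "internet"}
                and "*" in effective(r, "destination_port_range")):
            problems.append((name, "allows every inbound port from the Internet"))
    return problems
```

Run it over the security_rules list from the present example above (parsed from the SLS with any YAML loader) and apply the state only when the returned list is empty.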