nsxt_policy_security_policy – Create or Delete a Policy Security Policy

New in version 2.8.

Synopsis

  • Creates or deletes a Policy Security Policy. Required attributes include id and display_name.

Parameters

Parameter Choices/Defaults Comments
ca_path
string
Path to the CA bundle to be used to verify host's SSL certificate
category
string
A way to classify a security policy, if needed.
Distributed Firewall - Policy framework provides five pre-defined categories for classifying a security policy. They are "Ethernet", "Emergency", "Infrastructure", "Environment" and "Application". There is a pre-determined order in which the policy framework manages the priority of these security policies. Ethernet category is for supporting layer 2 firewall rules. The other four categories are applicable for layer 3 rules. Amongst them, the Emergency category has the highest priority followed by Infrastructure, Environment and then Application rules. Administrator can choose to categorize a security policy into the above categories or can choose to leave it empty. If empty it will have the least precedence w.r.t. the above four categories.
Edge Firewall - Policy Framework for Edge Firewall provides six pre-defined categories "Emergency", "SystemRules", "SharedPreRules", "LocalGatewayRules", "AutoServiceRules" and "Default", in order of priority of rules. All categories are allowed for Gateway Policies that belong to 'default' Domain. However, for user created domains, category is restricted to "SharedPreRules" or "LocalGatewayRules" only. Also, the users can add/modify/delete rules from only the "SharedPreRules" and "LocalGatewayRules" categories. If user doesn't specify the category then defaulted to "Rules". System generated category is used by NSX created rules, for example BFD rules. Autoplumbed category used by NSX verticals to autoplumb data path rules. Finally, "Default" category is the placeholder default rules with lowest in the order of priority.
comments
string
SecurityPolicy lock/unlock comments
connectivity_strategy
string
Connectivity strategy applicable for this SecurityPolicy
This field indicates the default connectivity policy for the security policy. Based on the connectivity strategy, a default rule for this security policy will be created. An appropriate action will be set on the rule based on the value of the connectivity strategy. If NONE is selected or no connectivity strategy is specified, then no default rule for the security policy gets created. The default rule that gets created will be an any-any rule and applied to entities specified in the scope of the security policy. Specifying the connectivity_strategy without specifying the scope is not allowed. The scope has to be a Group and one cannot specify IPAddress directly in the group that is used as scope. This default rule is only applicable for the Layer3 security policies.
WHITELIST - Adds a default drop rule. Administrator can then use "allow" rules (aka whitelist) to allow traffic between groups
BLACKLIST - Adds a default allow rule. Admin can then use "drop" rules (aka blacklist) to block traffic between groups
WHITELIST_ENABLE_LOGGING - Whitelisting with logging enabled
BLACKLIST_ENABLE_LOGGING - Blacklisting with logging enabled
NONE - No default rule is created
description
string
Security Policy description.
display_name
string
Display name.
If resource ID is not specified, display_name will be used as ID.
do_wait_till_create
boolean
    Choices:
  • no ←
  • yes
Can be used to wait for the realization of subresource before the request to create the next resource is sent to the Manager.
Can be specified for each subresource.
domain_id
string / required
The domain id where the Security Policy is realized.
hostname
string / required
Deployed NSX manager hostname.
id
string
The id of the Policy Security Policy.
locked
boolean
    Choices:
  • no
  • yes
Lock a security policy
Indicates whether a security policy should be locked. If the security policy is locked by a user, then no other user would be able to modify this security policy. Once the user releases the lock, other users can update this security policy.
nsx_cert_path
string
Path to the certificate created for the Principal Identity using which the CRUD operations should be performed
nsx_key_path
string
Path to the certificate key created for the Principal Identity using which the CRUD operations should be performed
Must be specified if nsx_cert_path is specified
password
string
The password to authenticate with the NSX manager.
Must be specified if username is specified
request_headers
dictionary
HTTP request headers to be sent to the host while making any request
rules
list
Rules that are a part of this SecurityPolicy
action
string
    Choices:
  • ALLOW
  • DROP
  • REJECT
The action to be applied to all the services
description
string
Description of this resource
destination_groups
list / required
Destination group paths
destinations_excluded
boolean
    Choices:
  • no ←
  • yes
Negation of destination groups. If set to true, the rule gets applied on all the groups that are NOT part of the destination groups. If false, the rule applies to the destination groups.
direction
string
    Choices:
  • IN
  • OUT
  • IN_OUT
Define direction of traffic.
disabled
boolean
    Choices:
  • no ←
  • yes
Flag to disable the rule
display_name
string
Identifier to use when displaying entity in logs or GUI. Defaults to ID if not set
id
string / required
Unique identifier of this resource
ip_protocol
string
    Choices:
  • IPV4
  • IPV6
  • IPV4_IPV6
IPv4 vs IPv6 packet type
Type of IP packet that should be matched while enforcing the rule. The value is set to IPV4_IPV6 for Layer3 rule if not specified. For Layer2/Ether rule the value must be null.
logged
boolean
    Choices:
  • no ←
  • yes
Flag to enable packet logging. Default is disabled.
notes
string
Text for additional notes on changes
profiles
list
Layer 7 service profiles
Holds the list of layer 7 service profile paths. These profiles accept attributes and sub-attributes of various network services (e.g. L4 AppId, encryption algorithm, domain name, etc) as key value pairs
scope
list
The list of policy paths where the rule is applied LR/Edge/T0/T1/LRP etc. Note that a given rule can be applied on multiple LRs/LRPs
sequence_number
integer
Sequence number of this Rule
service_entries
list / elements=dictionary
Raw services
In order to specify raw services this can be used, along with services which contains path to services. This can be empty or null
services
list / required
Paths of services. In order to specify all services, use the constant "ANY". This is case insensitive. If "ANY" is used, it should be the ONLY element in the services array. An error will be thrown if ANY is used in conjunction with other values.
source_groups
list / required
Source group paths
sources_excluded
boolean
    Choices:
  • no ←
  • yes
Negation of source groups. If set to true, the rule gets applied on all the groups that are NOT part of the source groups. If false, the rule applies to the source groups.
tag
string
Tag applied on the rule
User level field which will be printed in CLI and packet logs.
tags
list / elements=dictionary
Opaque identifiers meaningful to the API user
scope
string
Tag scope
tag
string
Tag value
scheduler_path
string
Path to the scheduler for time based scheduling
Provides a mechanism to apply the rules in this policy for a specified time duration.
scope
list
The list of group paths where the rules in this policy will get applied. This scope will take precedence over rule level scope. Supported only for security policies.
sequence_number
integer
Sequence number to resolve conflicts across Domains
state
- / required
    Choices:
  • present
  • absent
State can be either 'present' or 'absent'. 'present' is used to create or update resource. 'absent' is used to delete resource.
stateful
boolean
    Choices:
  • no
  • yes
Stateful nature of the entries within this security policy.
Stateful or Stateless nature of security policy is enforced on all rules in this security policy. When it is stateful, the state of the network connections is tracked and a stateful packet inspection is performed.
Layer3 security policies can be stateful or stateless. By default, they are stateful.
Layer2 security policies can only be stateless.
tags
dictionary
Opaque identifiers meaningful to the API user.
scope
string / required
Tag scope.
tag
string / required
Tag value.
tcp_strict
boolean
    Choices:
  • no
  • yes
Enforce strict tcp handshake before allowing data packets
Ensures that a 3 way TCP handshake is done before the data packets are sent.
tcp_strict=true is supported only for stateful security policies
username
string
The username to authenticate with the NSX manager.
validate_certs
boolean
    Choices:
  • no ←
  • yes
Enable server certificate verification.

Examples

- name: create Security Policy
  nsxt_policy_security_policy:
    hostname: "10.10.10.10"
    nsx_cert_path: /root/com.vmware.nsx.ncp/nsx.crt
    nsx_key_path: /root/com.vmware.nsx.ncp/nsx.key
    validate_certs: False
    id: test-sec-pol
    display_name: test-sec-pol
    state: "present"
    domain_id: "default"
    locked: True
    rules:
      - action: "ALLOW"
        description: "example-rule"
        sequence_number: 1
        display_name: "test-example-rule"
        id: "test-example-rule"
        source_groups: ["/infra/domains/vmc/groups/dbgroup"]
        destination_groups: ["/infra/domains/vmc/groups/appgroup"]
        services: ["/infra/services/HTTP", "/infra/services/CIM-HTTP"]
        tag: my-tag
        tags:
          - scope: scope-1
            tag: tag-1
        logged: True
        notes: dummy-notes
        ip_protocol: IPV4_IPV6
        scope: my-scope
        profiles: "encryption algorithm"
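As an added example that is not part of the module's documentation, a hypothetical Python pre-flight check that encodes the cross-parameter rules stated in the table above (credential pairs, validate_certs default, connectivity_strategy needing scope, Layer2 vs stateful/tcp_strict, the "ANY" services constraint) so a task's parameters can be checked before a playbook runs. The task is assumed to be a plain dict; the sample task and its paths are constructed.

```python
from typing import Dict, List


def validate_security_policy(params: Dict) -> List[str]:
    """Return the violations of the parameter-table rules found in one task's
    parameters; an empty list means the task is consistent with them."""
    problems: List[str] = []
    # Credentials come in pairs: key with cert, password with username.
    if params.get("nsx_cert_path") and not params.get("nsx_key_path"):
        problems.append("nsx_key_path must be specified if nsx_cert_path is specified")
    if params.get("username") and not params.get("password"):
        problems.append("password must be specified if username is specified")
    # validate_certs defaults to no, so an omitted value silently skips TLS checks.
    if not params.get("validate_certs", False):
        problems.append("validate_certs is off: the NSX manager certificate is not verified")
    # A default any-any rule needs a scope Group to be applied to.
    strategy = params.get("connectivity_strategy")
    if strategy and strategy != "NONE" and not params.get("scope"):
        problems.append("connectivity_strategy requires scope to be specified")
    # Ethernet is the Layer2 category; Layer3 policies default to stateful.
    is_layer2 = params.get("category") == "Ethernet"
    stateful = params.get("stateful", not is_layer2)
    if is_layer2 and stateful:
        problems.append("Layer2 security policies can only be stateless")
    if params.get("tcp_strict") and not stateful:
        problems.append("tcp_strict=true is supported only for stateful security policies")
    for rule in params.get("rules", []):
        rid = rule.get("id", "<no id>")
        services = rule.get("services", [])
        # "ANY" is case insensitive and must be the only services element.
        if any(s.upper() == "ANY" for s in services) and len(services) > 1:
            problems.append(f"rule {rid}: ANY must be the ONLY element in services")
        # Layer2/Ether rules must leave ip_protocol unset.
        if is_layer2 and rule.get("ip_protocol") is not None:
            problems.append(f"rule {rid}: ip_protocol must be null for a Layer2 rule")
    return problems


# Constructed sample task (cert and CA paths are placeholders) with TLS verification on.
SAMPLE_TASK = {
    "hostname": "10.10.10.10", "nsx_cert_path": "/root/nsx.crt",
    "nsx_key_path": "/root/nsx.key", "validate_certs": True, "ca_path": "/root/ca.pem",
    "domain_id": "default", "connectivity_strategy": "WHITELIST_ENABLE_LOGGING",
    "scope": ["/infra/domains/vmc/groups/appgroup"], "stateful": True, "tcp_strict": True,
    "rules": [{"id": "r1", "services": ["/infra/services/HTTP"], "ip_protocol": "IPV4_IPV6"}],
}
```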

Status

  • This module is not guaranteed to have a backwards compatible interface. [preview]

  • This module is maintained by the Ansible Community. [community]

Authors

  • Gautam Verma