damex.incus.incus_network_acl module – Ensure Incus network ACL

Note

This module is part of the damex.incus collection (version 1.9.0).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install damex.incus.

To use it in a playbook, specify: damex.incus.incus_network_acl.

Synopsis

  • Create, update, and delete Incus network ACLs via the Incus REST API.

  • Network ACLs define traffic rules that control access between instances connected to the same network, and access to and from other networks. The ACL object itself carries no enforcement until it is assigned to a network or an instance NIC through the security.acls setting; this module manages the ACL object, not that assignment.

  • Rules are order-independent: the module sorts them by action priority (drop first, then reject, allow-stateless and allow), so re-ordering the rules in a playbook does not report a change.

Parameters

Parameter

Comments

client_cert

string

Client certificate content for remote authentication.

Requires url and client_key. Mutually exclusive with token and client_cert_path.

client_cert_path

string

Path to the client certificate for remote authentication.

Requires url and client_key_path. Mutually exclusive with token and client_cert.

client_key

string

Client key content for remote authentication.

Requires url and client_cert. Mutually exclusive with client_key_path.

client_key_path

string

Path to the client key for remote authentication.

Requires url and client_cert_path. Mutually exclusive with client_key.

config

dictionary

ACL configuration key-value pairs.

Only user-defined keys (user.*) are supported.

Default: {}

description

string

Description of the network ACL.

Default: ""

egress

list / elements=dictionary

List of egress (outbound) traffic rules.

Rules are order-independent and automatically sorted by action priority.

action

string / required

Action to perform on rule match.

Choices:

  • "allow"

  • "allow-stateless"

  • "reject"

  • "drop"

description

string

Description of the rule.

destination

string

Destination address (CIDR, IP range, or selector).

destination_port

string

Destination port or port range for TCP/UDP.

icmp_code

string

ICMP code number.

icmp_type

string

ICMP type number.

protocol

string

Network protocol to match.

Choices:

  • "icmp4"

  • "icmp6"

  • "tcp"

  • "udp"

source

string

Source address (CIDR, IP range, or selector).

source_port

string

Source port or port range for TCP/UDP.

state

string

State of the rule.

Choices:

  • "enabled" ← (default)

  • "disabled"

  • "logged"

ingress

list / elements=dictionary

List of ingress (inbound) traffic rules.

Rules are order-independent and automatically sorted by action priority.

action

string / required

Action to perform on rule match.

Choices:

  • "allow"

  • "allow-stateless"

  • "reject"

  • "drop"

description

string

Description of the rule.

destination

string

Destination address (CIDR, IP range, or selector).

destination_port

string

Destination port or port range for TCP/UDP.

icmp_code

string

ICMP code number.

icmp_type

string

ICMP type number.

protocol

string

Network protocol to match.

Choices:

  • "icmp4"

  • "icmp6"

  • "tcp"

  • "udp"

source

string

Source address (CIDR, IP range, or selector).

source_port

string

Source port or port range for TCP/UDP.

state

string

State of the rule.

Choices:

  • "enabled" ← (default)

  • "disabled"

  • "logged"

name

string / required

Name of the network ACL.

project

string

Incus project the ACL belongs to.

Default: "default"

server_cert

string

Server certificate content for remote verification.

Requires url. Mutually exclusive with server_cert_path.

server_cert_path

string

Path to the server certificate for remote verification.

Requires url. Mutually exclusive with server_cert.

socket_path

string

Path to the Incus Unix socket for local connections.

Default: "/var/lib/incus/unix.socket"

state

string

Desired state of the network ACL.

Choices:

  • "present" ← (default)

  • "absent"

token

string

Token for remote authentication.

Requires url. Mutually exclusive with client_cert and client_cert_path.

url

string

URL of the remote Incus server (e.g. https://host:8443).

If specified, connects via HTTPS instead of Unix socket.

validate_certs

boolean

Whether to validate the server TLS certificate.

Setting this to false leaves the connection open to man-in-the-middle interception of the token or client key material in transit. For a server with a self-signed certificate, keep validation on and pin the expected certificate with server_cert or server_cert_path instead.

Choices:

  • false

  • true ← (default)

wait

boolean

Whether to wait for async operations to complete before returning.

Set to false for fire-and-forget behaviour.

Choices:

  • false

  • true ← (default)

Examples

- name: Ensure network ACL allowing web traffic
  damex.incus.incus_network_acl:
    name: web
    description: Web server ACL
    ingress:
      - action: allow
        source: "@internal"
        protocol: tcp
        destination_port: "80,443"
        description: Allow HTTP and HTTPS
    egress:
      - action: allow
        destination: 8.8.8.8/32,8.8.4.4/32
        protocol: udp
        destination_port: "53"
        description: Allow DNS queries to Google DNS

- name: Ensure network ACL blocking all traffic
  damex.incus.incus_network_acl:
    name: deny-all
    ingress:
      - action: drop
    egress:
      - action: drop

- name: Ensure network ACL is absent
  damex.incus.incus_network_acl:
    name: web
    state: absent
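The "order-independent, sorted by action priority" behaviour described above is what makes an ensure module idempotent: before deciding whether to create or update an ACL it must normalise the desired rules and the rules the server reports, then compare them. The following is an added example written for this page, not code from the damex.incus collection. It uses the action, state and rule field names from the parameter table, the documented action priority, and the "web" ACL from the first example; the function names (normalize_rule, sort_rules, build_acl_body, needs_update) and the REST endpoint paths in the docstrings are my own assumptions about how such a module would be structured.

```python
"""Normalise and compare Incus network ACL rule lists (added example, not the module's code)."""
import json
from typing import Any, Dict, Iterable, List, Optional

# Action priority as documented in the module synopsis: drop, reject, allow-stateless, allow.
ACTION_PRIORITY = {"drop": 0, "reject": 1, "allow-stateless": 2, "allow": 3}
RULE_STATES = ("enabled", "disabled", "logged")
PORT_FIELDS = ("source_port", "destination_port")
ICMP_FIELDS = ("icmp_type", "icmp_code")
OPTIONAL_FIELDS = ("description", "source", "destination", "protocol") + PORT_FIELDS + ICMP_FIELDS


def normalize_rule(rule: Dict[str, Any]) -> Dict[str, str]:
    """Return a rule with only the fields that are set, string values, and an explicit state."""
    action = rule.get("action")
    if action not in ACTION_PRIORITY:
        raise ValueError(f"unknown action {action!r}")
    state = rule.get("state") or "enabled"  # documented default for a rule's state
    if state not in RULE_STATES:
        raise ValueError(f"unknown rule state {state!r}")
    out = {"action": action, "state": state}
    for field in OPTIONAL_FIELDS:
        value = rule.get(field)
        if value is None or value == "":
            continue
        out[field] = str(value)  # YAML yields an int for a bare 53; the API fields are strings
    # Hypothetical validation mirroring the documented field semantics:
    # ports apply to TCP/UDP, type/code apply to ICMP.
    proto = out.get("protocol")
    if any(f in out for f in PORT_FIELDS) and proto not in ("tcp", "udp"):
        raise ValueError("source_port/destination_port require protocol tcp or udp")
    if any(f in out for f in ICMP_FIELDS) and proto not in ("icmp4", "icmp6"):
        raise ValueError("icmp_type/icmp_code require protocol icmp4 or icmp6")
    return out


def sort_rules(rules: Optional[Iterable[Dict[str, Any]]]) -> List[Dict[str, str]]:
    """Sort by action priority, then canonically, so equal rule sets compare equal."""
    normalized = [normalize_rule(r) for r in (rules or [])]
    return sorted(
        normalized,
        key=lambda r: (ACTION_PRIORITY[r["action"]], json.dumps(r, sort_keys=True)),
    )


def build_acl_body(name: str, description: str = "", ingress=None, egress=None, config=None) -> Dict[str, Any]:
    """Body for POST /1.0/network-acls (assumed endpoint); PUT /1.0/network-acls/<name> takes the same minus name."""
    config = {str(k): str(v) for k, v in (config or {}).items()}
    bad = sorted(k for k in config if not k.startswith("user."))
    if bad:
        raise ValueError(f"only user.* config keys are supported, got {bad}")
    return {
        "name": name,
        "description": description or "",
        "ingress": sort_rules(ingress),
        "egress": sort_rules(egress),
        "config": config,
    }


def needs_update(desired: Dict[str, Any], current: Dict[str, Any]) -> bool:
    """True if the ACL the server reports differs from the desired body (i.e. a PUT is needed)."""
    if (desired.get("description") or "") != (current.get("description") or ""):
        return True
    if (desired.get("config") or {}) != (current.get("config") or {}):
        return True
    return any(sort_rules(desired.get(k)) != sort_rules(current.get(k)) for k in ("ingress", "egress"))


if __name__ == "__main__":
    # The "web" ACL from the first example, with a trailing drop rule listed last on purpose:
    # after sorting it comes first, matching the documented priority.
    body = build_acl_body(
        "web",
        "Web server ACL",
        ingress=[
            {"action": "allow", "source": "@internal", "protocol": "tcp",
             "destination_port": "80,443", "description": "Allow HTTP and HTTPS"},
            {"action": "drop"},
        ],
        egress=[{"action": "allow", "destination": "8.8.8.8/32,8.8.4.4/32",
                 "protocol": "udp", "destination_port": 53}],
    )
    print(json.dumps(body, indent=2))
```

The comparison in needs_update is what keeps a second run of the same task at changed=false even when the server echoes rules back with an explicit state: "enabled" and in a different order than the playbook listed them; switching a single rule to state: logged, or adding a user.* key, is enough to trigger the update.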

Authors

  • Roman Kuzmitskii (@damex)