Defined Type: aws_firewall::rule::ipset

Defined in:
manifests/rule/ipset.pp

Overview

Create an ipset-based rule allowing access to selected AWS services.

Examples:

Explicit creation of the IP set:

aws_firewall::ipset { 'us-east-1-s3':
  regions  => ['us-east-1'],
  services => ['S3'],
}
aws_firewall::rule::ipset { '200 Allow access to S3 in us-east-1':
  ipset => 'us-east-1-s3',
}

Implicit creation of the IP set:

aws_firewall::rule::ipset { '200 Allow access to S3 in us-east-1':
  ipset => {
    'us-east-1-s3' => {
      regions  => ['us-east-1'],
      services => ['S3'],
    },
  },
}

Parameters:

  • ipset (Variant[AWS_Firewall::IPSet::Name, AWS_Firewall::IPSet::Data])

    The ipset used by the firewall rule

  • chain (Enum['OUTPUT', 'FORWARD'])

    The iptables chain in which the rule will be created

  • source (Optional[IP::Address::V4]) (defaults to: undef)

    The source host or network

  • uid (Optional[AWS_Firewall::Auth::NameOrID]) (defaults to: undef)

    The UID or username

  • gid (Optional[AWS_Firewall::Auth::NameOrID]) (defaults to: undef)

    The GID or group

  • action (Enum['accept', 'drop']) (defaults to: 'accept')

    The action applied to traffic matching the rule ('accept' or 'drop')



# File 'manifests/rule/ipset.pp', line 29

define aws_firewall::rule::ipset(
  Variant[AWS_Firewall::IPSet::Name, AWS_Firewall::IPSet::Data] $ipset,
  Enum['OUTPUT', 'FORWARD'] $chain,
  Optional[IP::Address::V4] $source = undef,
  Optional[AWS_Firewall::Auth::NameOrID] $uid = undef,
  Optional[AWS_Firewall::Auth::NameOrID] $gid = undef,
  Enum['accept', 'drop'] $action = 'accept',
) {

  # Work out which ipset the rule matches against.  When the caller hands
  # in a hash (IPSet::Data) the aws_firewall::ipset resource(s) are declared
  # here and the rule is wired to the hash's first key; any further keys
  # are declared but not referenced by this rule.  The parameter type
  # guarantees that everything else is an IPSet::Name, so no further
  # branch is needed.
  if $ipset =~ AWS_Firewall::IPSet::Data {
    create_resources(aws_firewall::ipset, $ipset)
    $ipset_name = keys($ipset)[0]
  } else {
    $ipset_name = $ipset
  }

  # The rule only matches NEW tcp/443 connections whose destination is in
  # the set ("<name> dst").  Optional source/uid/gid narrow the match; an
  # undef value is passed through and simply imposes no restriction.
  # The explicit require makes sure the ipset exists before iptables is
  # asked to reference it.
  firewall { $title:
    chain    => $chain,
    uid      => $uid,
    gid      => $gid,
    source   => $source,
    ipset    => "${ipset_name} dst",
    dport    => 443,
    proto    => 'tcp',
    state    => 'NEW',
    action   => $action,
    provider => 'iptables',
    require  => Aws_firewall::Ipset[$ipset_name],
  }

}