ansible-ferm
ferm_input_group_list documentation
I'm completely lost as to what the promisingly named ferm_input_group_list array does.
I am really hoping it is something along the lines of policies that can be adjusted to input from other inventory group(s)?
Anyway, I've attempted to understand the task and template, but in the absence of any documentation or example vars I am totally confused.
I will be running experiments now on some dev boxes soon I hope.
Could someone either:
- Document it
- Show me an example and I will test and document
NB: @drybjed, great collection of roles. I thought I knew Ansible before I tried reading this... clearly I still have a lot to learn. Anyway, it's quite a relief to see such well-written stuff compared to the non-idempotent trash I normally see.
Hey @starkers, sorry for the long reply (holiday season).
First of all, you can ignore the ferm_input_*_list variables and focus on the ferm_*_rules variables instead; the former are obsolete and will be removed in the future.
This is actually a very common usage pattern in DebOps roles. The general idea is, Ansible allows you to configure things in inventory on three levels: group_vars/all, which is applied to all hosts; group_vars/<group_name>/, which is applied to hosts in a group and overrides the "all" level; and host_vars/<hostname>/, which is applied to individual hosts and overrides both the "all" and "group" levels. This system lets you mix and match the configuration on all your hosts any way you like, for example by setting up default values for all hosts and overriding them as necessary per host.
The issue with this system is that a variable with a given name will be "masked" by the same variable on a lower level, so if you use just one variable, for example to specify the list of hosts that are allowed to connect to a host over SSH, you cannot combine configuration from different levels. This is where the split into multiple variables comes in.
For example, in debops.ferm we have:

- ferm_rules, which defines rules for all hosts;
- ferm_group_rules, which defines rules for a group of hosts (only one group is supported at a time, but you can handle that with some creative variable names);
- ferm_host_rules, which allows you to specify firewall rules for individual hosts;
- ferm_default_rules, which defines the firewall rules that are set by the role by default. This lets you easily add your own rules to the defaults, or disable the defaults and create your own custom firewall configuration;
- ferm_dependent_rules, which is meant to be used by other Ansible roles to define their own rules without interference from other variables.
As you can see, this lets you define firewall rules on different inventory levels very easily, and they will be combined by Ansible during the playbook run to create the complete firewall configuration. Other roles use this pattern as well, for a similar purpose: to let you define configuration for different host groups, or individual hosts, or all of them at once.
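The masking problem and the split-variable fix described in the answer above, as an added worked example (this is not code from debops.ferm or Ansible, and the inventory contents, host names, addresses and the shape of the rule dicts are constructed for illustration; only the ferm_*_rules variable names come from the answer). The script models Ansible's default precedence, where a variable defined at a more specific level replaces the same name wholesale rather than merging with it, and shows why a firewall source list kept in a single variable name silently loses entries while the per-level ferm_*_rules variables all survive and can be concatenated:

```python
"""Ansible inventory precedence: one variable name gets masked, split names combine.

Added example, not part of debops.ferm or Ansible. All inventory data below is
constructed. Levels are listed from least to most specific, matching the answer:
role defaults < group_vars/all < group_vars/<group> < host_vars/<host>.
"""

from typing import Any, Dict, List

# Constructed inventory. The naive approach puts SSH sources in ONE name,
# allowed_ssh_hosts, at every level. The split approach gives each level
# its own ferm_*_rules name. The rule dict keys (type/dport/saddr) are an
# assumption for illustration, not the role's documented schema.
ROLE_DEFAULTS: Dict[str, Any] = {
    "ferm_default_rules": [{"type": "accept", "dport": ["ssh"]}],
    "ferm_dependent_rules": [],  # other roles would append here
}

GROUP_VARS_ALL: Dict[str, Any] = {
    "allowed_ssh_hosts": ["10.0.0.10"],  # bastion, intended for every host
    "ferm_rules": [{"type": "accept", "dport": ["ssh"], "saddr": ["10.0.0.10"]}],
}

GROUP_VARS_WEBSERVERS: Dict[str, Any] = {
    "allowed_ssh_hosts": ["10.0.1.0/24"],  # deploy network, intended for the group
    "ferm_group_rules": [{"type": "accept", "dport": ["http", "https"]}],
}

HOST_VARS_WEB01: Dict[str, Any] = {
    "allowed_ssh_hosts": ["192.168.5.5"],  # one admin workstation, this host only
    "ferm_host_rules": [{"type": "accept", "dport": ["ssh"], "saddr": ["192.168.5.5"]}],
}

# Order matters: later entries are more specific and win on name clashes.
LEVELS: List[Dict[str, Any]] = [
    ROLE_DEFAULTS, GROUP_VARS_ALL, GROUP_VARS_WEBSERVERS, HOST_VARS_WEB01,
]

# The order in which the role would concatenate the split variables.
RULE_VARS = (
    "ferm_default_rules", "ferm_rules", "ferm_group_rules",
    "ferm_host_rules", "ferm_dependent_rules",
)


def resolve_vars(levels: List[Dict[str, Any]]) -> Dict[str, Any]:
    """Replicate Ansible's default behaviour: a more specific level replaces
    a same-named variable entirely; lists are not merged."""
    resolved: Dict[str, Any] = {}
    for level in levels:
        resolved.update(level)
    return resolved


def naive_ssh_sources(levels: List[Dict[str, Any]]) -> List[str]:
    """Single variable name: only the most specific definition survives."""
    return list(resolve_vars(levels)["allowed_ssh_hosts"])


def masked_sources(levels: List[Dict[str, Any]]) -> List[str]:
    """Sources that some level defined but that never reach the firewall.
    This is the failure mode: the bastion and deploy network are dropped
    without any error, so SSH from them is blocked on web01."""
    defined = set()
    for level in levels:
        defined.update(level.get("allowed_ssh_hosts", []))
    return sorted(defined - set(naive_ssh_sources(levels)))


def combined_rules(levels: List[Dict[str, Any]]) -> List[Dict[str, Any]]:
    """Split variables: every level owns a distinct name, so nothing is
    masked and the role can concatenate them into one rule set."""
    resolved = resolve_vars(levels)
    rules: List[Dict[str, Any]] = []
    for name in RULE_VARS:
        rules.extend(resolved.get(name, []))
    return rules


if __name__ == "__main__":
    print("naive allowed_ssh_hosts:", naive_ssh_sources(LEVELS))
    print("silently dropped:", masked_sources(LEVELS))
    for rule in combined_rules(LEVELS):
        print("rule:", rule)
```

Running it shows the single-name approach leaving only the host-level workstation as an SSH source, with the bastion and the deploy network dropped, while the split variables yield all four rules in default, all, group, host order. The check worth carrying into real inventories is the one masked_sources() performs: compare what every level defines against what the resolved variable contains, because Ansible itself will not warn when a list is replaced.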