Ansible ufw module ERROR: Could not find a profile matching 'xxxxx'

Question

I'm working to setup UFW rules via Ansible. I'm able to get it installed, start it and deny everything. I then attempt to allow connections from http, https, and ssh. All attempts to add the allow for those items are met with errors that look like:

failed: [lempy1] (item={u'service': u'http'}) => {"failed": true, "item": {"service": "http"}, "msg": "ERROR: Could not find a profile matching 'http'\n"}
failed: [lempy1] (item={u'service': u'https'}) => {"failed": true, "item": {"service": "https"}, "msg": "ERROR: Could not find a profile matching 'https'\n"}
failed: [lempy1] (item={u'service': u'ssh'}) => {"failed": true, "item": {"service": "ssh"}, "msg": "ERROR: Could not find a profile matching 'ssh'\n"}

The entire role looks like this:

tasks/main.yml

     ---
    - name: Install ufw
      apt: name=ufw state=present
      tags:
        - security

    - name: Allow webservery things
      ufw:
        rule: allow
        name: '{{item.service}}'
      with_items:
        - service: http
        - service: https
        - service: ssh
      tags:
        - security

    - name: Start ufw
      ufw: state=enabled policy=deny
      tags:
        - security

Any idea why I wouldn't be able to allow these services? I am able to add the services properly when ssh'ing into the server and running sudo ufw allow http, etc.

Answer 1

As mentioned in the ufw module docs, the name (or app) parameter uses applications that are registered in /etc/ufw/applications.d which have an INI format and look something like this:

[CUPS]
title=Common UNIX Printing System server
description=CUPS is a printing system with support for IPP, samba, lpd, and other protocols.
ports=631

Normally you can use ufw allow application-profile to allow an application defined either in /etc/ufw/applications.d or /etc/services to open up iptables for things that aren't necessarily defined in /etc/ufw/applications.d.

Unfortunately, Ansible's ufw module instead builds the ufw command in this format instead:

/usr/sbin/ufw allow from any to any app 'application-profile'

Which only uses the /etc/ufw/applications.d list and won't read /etc/services.

In your case you could simply specify the ports as these are well known, potentially using a named variable to further explain your Ansible code:

- name: Allow webservery things
  ufw:
    rule: allow
    port: '{{ item }}'
  with_items:
    - '{{ http_port }}'
    - '{{ https_port }}'
    - '{{ ssh_port }}'
  tags:
    - security

And then define the variables somewhere (such as your role defaults):

http_port: 80
https_port: 443
ssh_port: 22

As an aside, you might want to notice that I simplified your list of dictionaries with a single key into a simpler straight list which tidies up your task a bit.

Alternatively you could easily template the application profiles using Ansible's template module.