crowdstrike.falcon.host_group module – Manage Falcon host groups

Note

This module is part of the crowdstrike.falcon collection (version 4.9.1).

It is not included in ansible-core. To check whether it is installed, run ansible-galaxy collection list.

To install it, use: ansible-galaxy collection install crowdstrike.falcon. You need further requirements to be able to use this module, see Requirements for details.

To use it in a playbook, specify: crowdstrike.falcon.host_group.

New in crowdstrike.falcon 4.10.0

Synopsis

  • Create, update, delete, and manage Falcon host groups.

  • Supports static, dynamic, and staticByID group types.

  • Can manage host group membership by adding or removing hosts.

  • Provides idempotent operations that only make changes when necessary.

Requirements

The below requirements are needed on the host that executes this module.

  • Host Groups [READ, WRITE] API scope

  • crowdstrike-falconpy >= 1.3.0

  • python >= 3.6

Parameters

Parameter

Comments

assignment_rule

string

FQL (Falcon Query Language) filter for dynamic group membership.

Required when group_type=dynamic.

Ignored for static and staticByID groups.

Examples: platform_name:'Linux', tags:'production'+os_version:'*Server*'.

auth

dictionary

The registered result of the crowdstrike.falcon.auth module, or a dictionary containing the access_token and cloud keys.

If provided, the client_id, client_secret, member_cid, and cloud options are ignored.

Useful when needing to make multiple API calls to avoid rate limiting issues.

access_token

string

The OAuth2 access token to use for authentication.

cloud

string

The CrowdStrike cloud region to use.

This can differ from the module’s cloud argument due to autodiscovery.

client_id

aliases: falcon_client_id

string

The CrowdStrike API client ID to use.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_ID environment variable can also be used.

client_secret

aliases: falcon_client_secret

string

The CrowdStrike API secret that corresponds to the client ID.

See the Falcon documentation for more information about API clients.

The FALCON_CLIENT_SECRET environment variable can also be used.

cloud

string

The CrowdStrike cloud region to use.

All clouds are automatically discovered if not specified, except for the us-gov-1 cloud.

The FALCON_CLOUD environment variable can also be used.

Choices:

  • "us-1" ← (default)

  • "us-2"

  • "us-gov-1"

  • "eu-1"

description

string

A description for the host group.

Only used when state=present.

ext_headers

dictionary

Extended headers that are prepended to the default headers dictionary.

group_type

string

The type of host group to create or validate.

static groups contain manually assigned hosts.

dynamic groups automatically include hosts based on assignment rules.

staticByID groups contain hosts assigned by their device IDs.

Cannot be changed after group creation.

Choices:

  • "static" ← (default)

  • "dynamic"

  • "staticByID"

host_action

string

The action to perform with the hosts specified in hosts.

add adds hosts to the group.

remove removes hosts from the group.

Requires hosts to be specified.

Choices:

  • "add"

  • "remove"

host_group

string

The ID of an existing host group.

Can be used with state=absent for deletion by ID.

If provided with state=present, the module will update the existing group.

Note: Either name or host_group is required for state=absent.

hosts

list / elements=string

List of host IDs (AIDs) to add to or remove from the host group.

Use with host_action to specify the operation.

Only applicable for existing groups and when state=present.

member_cid

string

The CrowdStrike member CID for MSSP authentication.

See the Falcon documentation for more information about API clients.

The FALCON_MEMBER_CID environment variable can also be used.

name

string

The name of the host group.

Required when state=present and creating a new group.

Can be used for state=absent to delete by name (supports true idempotency).

Cannot be used to rename existing groups (use host_group to identify the group).

state

string

The desired state of the host group.

present ensures the host group exists with the specified configuration.

absent ensures the host group does not exist.

Choices:

  • "present" ← (default)

  • "absent"

user_agent

string

Custom User-Agent string to use for requests to the API.

The user agent string is prepended to the default user agent string (crowdstrike-ansible/<version>).

See RFC 7231 for more information.

The FALCON_USER_AGENT environment variable can also be used.

Notes

Note

  • Idempotency: This module is idempotent and will only make changes when the current state differs from the desired state.

  • Group Types: The group type cannot be changed after creation. To change a group’s type, delete the existing group and create a new one.

  • Dynamic Groups: Assignment rules for dynamic groups are evaluated by CrowdStrike’s backend and may take some time to reflect membership changes.

  • Host Management: Adding or removing hosts only works with existing groups. Host operations are performed after group creation/update operations.

Examples

# PRIMARY WORKFLOW: Name-based Operations

- name: Create a static host group using names (recommended)
  crowdstrike.falcon.host_group:
    name: "Web Servers"
    description: "All web server hosts in the environment"
    group_type: static

- name: Create a dynamic host group with assignment rules
  crowdstrike.falcon.host_group:
    name: "Linux Production Hosts"
    description: "All Linux hosts with production tags"
    group_type: dynamic
    assignment_rule: "platform_name:'Linux'+tags:'production'"

- name: Create a staticByID host group for device ID management
  crowdstrike.falcon.host_group:
    name: "Critical Infrastructure"
    description: "Manually assigned critical infrastructure hosts"
    group_type: staticByID

- name: Update an existing group using name (detects changes automatically)
  crowdstrike.falcon.host_group:
    name: "Web Servers"
    description: "Updated description for all web server hosts"

- name: Update dynamic group assignment rule using name
  crowdstrike.falcon.host_group:
    name: "Linux Production Hosts"
    assignment_rule: "platform_name:'Linux'+(tags:'production'+tags:'web')"

- name: Delete a host group using name (true idempotency - recommended)
  crowdstrike.falcon.host_group:
    name: "Web Servers"
    state: absent

# TRUE IDEMPOTENCY PATTERN: Same Task Definition for Entire Lifecycle

- name: Manage host group lifecycle with identical task definition
  crowdstrike.falcon.host_group:
    name: "Application Servers"
    description: "All application server hosts"
    group_type: static
    state: "{{ desired_state }}"  # 'present' for create/update, 'absent' for delete

- name: Complete dynamic group lifecycle example
  crowdstrike.falcon.host_group:
    name: "Windows Domain Controllers"
    description: "All Windows domain controller hosts"
    group_type: dynamic
    assignment_rule: "platform_name:'Windows'+tags:'domain-controller'"
    state: "{{ lifecycle_state | default('present') }}"

# HOST MANAGEMENT: Adding and Removing Hosts from Groups

- name: Create group first, then manage hosts using returned ID
  crowdstrike.falcon.host_group:
    name: "Database Servers"
    description: "All database server hosts"
    group_type: static
  register: db_group_result

- name: Add hosts to the database group
  crowdstrike.falcon.host_group:
    host_group: "{{ db_group_result.host_group.id }}"
    hosts:
      - "15dbb9d8f06b45fe9f61eb46e829d986"
      - "2ae94761f78e4a6d9e2f8b5c4d1a7b3e"
    host_action: add

- name: Remove specific hosts from the group
  crowdstrike.falcon.host_group:
    host_group: "{{ db_group_result.host_group.id }}"
    hosts:
      - "15dbb9d8f06b45fe9f61eb46e829d986"
    host_action: remove

# DYNAMIC HOST MANAGEMENT: Using host_ids Lookup Plugin

- name: Create group and populate with Windows hosts dynamically
  crowdstrike.falcon.host_group:
    name: "Windows Production Servers"
    description: "All Windows hosts in production environment"
    group_type: static
    hosts: "{{ lookup('crowdstrike.falcon.host_ids', 'platform_name:\"Windows\"+tags:\"production\"') }}"
    host_action: add

# ID-BASED OPERATIONS: When Working with Existing Groups

- name: Update existing group using ID (when you have the group ID)
  crowdstrike.falcon.host_group:
    host_group: "a1b2c3d4e5f6789012345678901234ab"
    description: "Updated description using group ID"

- name: Delete a host group using ID (legacy approach)
  crowdstrike.falcon.host_group:
    host_group: "a1b2c3d4e5f6789012345678901234ab"
    state: absent

# ADVANCED PATTERNS: Complex Assignment Rules and Error Handling

- name: Create dynamic group with complex FQL assignment rule
  crowdstrike.falcon.host_group:
    name: "High-Risk Linux Servers"
    description: "Linux servers requiring enhanced monitoring"
    group_type: dynamic
    assignment_rule: "platform_name:'Linux'+(tags:'production'+tags:'database'+!tags:'patched')"

- name: Conditional group management with error handling
  crowdstrike.falcon.host_group:
    name: "{{ group_name }}"
    description: "{{ group_description | default('Managed by Ansible') }}"
    group_type: "{{ group_type | default('static') }}"
    assignment_rule: "{{ assignment_rule | default(omit) }}"
    state: present
  register: group_result
  failed_when: false  # Handle errors gracefully

- name: Verify group creation succeeded before proceeding
  ansible.builtin.assert:
    that:
      - group_result is succeeded
      - group_result.host_group.name == group_name
    fail_msg: "Failed to create or update host group {{ group_name }}"

Return Values

Common return values are documented here, the following are the fields unique to this module:

Key

Description

action_results

dictionary

Results of host management actions (add/remove hosts).

Returned: when host_action is performed

failed_hosts

list / elements=dictionary

List of host IDs that failed to be added or removed.

Returned: when some hosts fail

code

integer

The error code returned by the API.

Returned: success

Sample: 404

id

string

The host ID that failed.

Returned: success

Sample: "a1b2c3d4e5f6789012345678901234ab"

message

string

The error message returned by the API.

Returned: success

Sample: "Host not found"

successful_hosts

list / elements=string

List of host IDs that were successfully added or removed.

Returned: success

Sample: ["d78cd791785442a98ec75249d8c385dd"]

host_group

dictionary

Information about the host group that was created, updated, or managed.

Returned: when state=present

assignment_rule

string

The assignment rule for dynamic groups.

Returned: when group_type=dynamic

Sample: "platform_name:'Linux'+tags:'production'"

created_by

string

The user who created the host group.

Returned: success

Sample: "user@example.com"

created_timestamp

string

The timestamp when the host group was created.

Returned: success

Sample: "2024-01-15T10:30:00.000000Z"

description

string

The description of the host group.

Returned: success

Sample: "All web server hosts"

group_type

string

The type of host group (static, dynamic, or staticByID).

Returned: success

Sample: "static"

id

string

The unique identifier of the host group.

Returned: success

Sample: "12345678901234567890abcdef123456"

modified_by

string

The user who last modified the host group.

Returned: success

Sample: "admin@example.com"

modified_timestamp

string

The timestamp when the host group was last modified.

Returned: success

Sample: "2024-02-01T14:22:30.000000Z"

name

string

The name of the host group.

Returned: success

Sample: "Web Servers"

Authors

  • Carlos Matos (@carlosmmatos)