Skip to content
Projects
Groups
Snippets
Help
This project
Loading...
Sign in / Register
Toggle navigation
A
ansible
Overview
Overview
Details
Activity
Cycle Analytics
Repository
Repository
Files
Commits
Branches
Tags
Contributors
Graph
Compare
Charts
Issues
0
Issues
0
List
Board
Labels
Milestones
Merge Requests
0
Merge Requests
0
CI / CD
CI / CD
Pipelines
Jobs
Schedules
Charts
Wiki
Wiki
Snippets
Snippets
Members
Members
Collapse sidebar
Close sidebar
Activity
Graph
Charts
Create a new issue
Jobs
Commits
Issue Boards
Open sidebar
OpenEdx
ansible
Commits
53ee1ea2
Commit
53ee1ea2
authored
Mar 28, 2014
by
Michael DeHaan
Browse files
Options
Browse Files
Download
Plain Diff
Merge branch 'aws-ec2-egress-rules' of
git://github.com/mmoya/ansible
into devel
parents
5424c933
6a92d48b
Hide whitespace changes
Inline
Side-by-side
Showing
1 changed file
with
132 additions
and
23 deletions
+132
-23
library/cloud/ec2_group
+132
-23
No files found.
library/cloud/ec2_group
View file @
53ee1ea2
...
...
@@ -24,8 +24,12 @@ options:
required: false
rules:
description:
- List of firewall rules to enforce in this group (see example).
required: true
- List of firewall inbound rules to enforce in this group (see example).
required: false
rules_egress:
description:
- List of firewall outbound rules to enforce in this group (see example).
required: false
region:
description:
- the EC2 region to use
...
...
@@ -81,6 +85,11 @@ options:
version_added: "1.6"
requirements: [ "boto" ]
notes:
- If a rule declares a group_name and that group doesn't exist, it will be
automatically created. In that case, group_desc should be provided as well.
The module will refuse to create a depended-on group without a description.
'''
EXAMPLES
=
'''
...
...
@@ -113,6 +122,13 @@ EXAMPLES = '''
- proto: all
# the containing group name may be specified here
group_name: example
rules_egress:
- proto: tcp
from_port: 80
to_port: 80
group_name: example-other
# description to use if example-other needs to be created
group_desc: other example EC2 group
'''
try
:
...
...
@@ -128,6 +144,55 @@ def addRulesToLookup(rules, prefix, dict):
dict
[
"
%
s-
%
s-
%
s-
%
s-
%
s-
%
s"
%
(
prefix
,
rule
.
ip_protocol
,
rule
.
from_port
,
rule
.
to_port
,
grant
.
group_id
,
grant
.
cidr_ip
)]
=
rule
def
get_target_from_rule
(
rule
,
name
,
groups
):
"""
Returns tuple of (group_id, ip) after validating rule params.
rule: Dict describing a rule.
name: Name of the security group being managed.
groups: Dict of all available security groups.
AWS accepts an ip range or a security group as target of a rule. This
function validate the rule specification and return either a non-None
group_id or a non-None ip range.
"""
group_id
=
None
group_name
=
None
ip
=
None
target_group_created
=
False
if
'group_id'
in
rule
and
'cidr_ip'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_id OR cidr_ip, not both"
)
elif
'group_name'
in
rule
and
'cidr_ip'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_name OR cidr_ip, not both"
)
elif
'group_id'
in
rule
and
'group_name'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_id OR group_name, not both"
)
elif
'group_id'
in
rule
:
group_id
=
rule
[
'group_id'
]
elif
'group_name'
in
rule
:
group_name
=
rule
[
'group_name'
]
if
group_name
in
groups
:
group_id
=
groups
[
group_name
]
.
id
elif
group_name
==
name
:
group_id
=
group
.
id
groups
[
group_id
]
=
group
groups
[
group_name
]
=
group
else
:
if
not
rule
.
get
(
'group_desc'
,
''
)
.
strip
():
module
.
fail_json
(
msg
=
"group
%
s will be automatically created by rule
%
s and no description was provided"
%
(
group_name
,
rule
))
if
not
module
.
check_mode
:
auto_group
=
ec2
.
create_security_group
(
group_name
,
rule
[
'group_desc'
],
vpc_id
=
vpc_id
)
group_id
=
auto_group
.
id
groups
[
group_id
]
=
auto_group
groups
[
group_name
]
=
auto_group
target_group_created
=
True
elif
'cidr_ip'
in
rule
:
ip
=
rule
[
'cidr_ip'
]
return
group_id
,
ip
,
target_group_created
def
main
():
argument_spec
=
ec2_argument_spec
()
argument_spec
.
update
(
dict
(
...
...
@@ -135,6 +200,7 @@ def main():
description
=
dict
(
required
=
True
),
vpc_id
=
dict
(),
rules
=
dict
(),
rules_egress
=
dict
(),
state
=
dict
(
default
=
'present'
,
choices
=
[
'present'
,
'absent'
]),
)
)
...
...
@@ -147,6 +213,7 @@ def main():
description
=
module
.
params
[
'description'
]
vpc_id
=
module
.
params
[
'vpc_id'
]
rules
=
module
.
params
[
'rules'
]
rules_egress
=
module
.
params
[
'rules_egress'
]
state
=
module
.
params
.
get
(
'state'
)
changed
=
False
...
...
@@ -197,39 +264,29 @@ def main():
'''no match found, create it'''
if
not
module
.
check_mode
:
group
=
ec2
.
create_security_group
(
name
,
description
,
vpc_id
=
vpc_id
)
# When a group is created, an egress_rule ALLOW ALL
# to 0.0.0.0/0 is added automatically but it's not
# reflected in the object returned by the AWS API
# call. We re-read the group for getting an updated object
group
=
ec2
.
get_all_security_groups
(
group_ids
=
(
group
.
id
,))[
0
]
changed
=
True
else
:
module
.
fail_json
(
msg
=
"Unsupported state requested:
%
s"
%
state
)
# create a lookup for all existing rules on the group
if
group
:
# Manage ingress rules
groupRules
=
{}
addRulesToLookup
(
group
.
rules
,
'in'
,
groupRules
)
# Now, go through all provided rules and ensure they are there.
if
rules
:
for
rule
in
rules
:
group_id
=
None
group_name
=
None
ip
=
None
if
'group_id'
in
rule
and
'cidr_ip'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_id OR cidr_ip, not both"
)
elif
'group_name'
in
rule
and
'cidr_ip'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_name OR cidr_ip, not both"
)
elif
'group_id'
in
rule
and
'group_name'
in
rule
:
module
.
fail_json
(
msg
=
"Specify group_id OR group_name, not both"
)
elif
'group_id'
in
rule
:
group_id
=
rule
[
'group_id'
]
elif
'group_name'
in
rule
:
group_name
=
rule
[
'group_name'
]
if
group_name
in
groups
:
group_id
=
groups
[
group_name
]
.
id
elif
group_name
==
name
:
group_id
=
group
.
id
groups
[
group_id
]
=
group
groups
[
group_name
]
=
group
elif
'cidr_ip'
in
rule
:
ip
=
rule
[
'cidr_ip'
]
group_id
,
ip
,
target_group_created
=
get_target_from_rule
(
rule
,
name
,
groups
)
if
target_group_created
:
changed
=
True
if
rule
[
'proto'
]
==
'all'
:
rule
[
'proto'
]
=
-
1
...
...
@@ -260,6 +317,58 @@ def main():
group
.
revoke
(
rule
.
ip_protocol
,
rule
.
from_port
,
rule
.
to_port
,
grant
.
cidr_ip
,
grantGroup
)
changed
=
True
# Manage egress rules
groupRules
=
{}
addRulesToLookup
(
group
.
rules_egress
,
'out'
,
groupRules
)
# Now, go through all provided rules and ensure they are there.
if
rules_egress
:
for
rule
in
rules_egress
:
group_id
,
ip
,
target_group_created
=
get_target_from_rule
(
rule
,
name
,
groups
)
if
target_group_created
:
changed
=
True
if
rule
[
'proto'
]
==
'all'
:
rule
[
'proto'
]
=
-
1
rule
[
'from_port'
]
=
None
rule
[
'to_port'
]
=
None
# If rule already exists, don't later delete it
ruleId
=
"
%
s-
%
s-
%
s-
%
s-
%
s-
%
s"
%
(
'out'
,
rule
[
'proto'
],
rule
[
'from_port'
],
rule
[
'to_port'
],
group_id
,
ip
)
if
ruleId
in
groupRules
:
del
groupRules
[
ruleId
]
# Otherwise, add new rule
else
:
grantGroup
=
None
if
group_id
:
grantGroup
=
groups
[
group_id
]
.
id
if
not
module
.
check_mode
:
ec2
.
authorize_security_group_egress
(
group_id
=
group
.
id
,
ip_protocol
=
rule
[
'proto'
],
from_port
=
rule
[
'from_port'
],
to_port
=
rule
[
'to_port'
],
src_group_id
=
grantGroup
,
cidr_ip
=
ip
)
changed
=
True
# Finally, remove anything left in the groupRules -- these will be defunct rules
for
rule
in
groupRules
.
itervalues
():
for
grant
in
rule
.
grants
:
grantGroup
=
None
if
grant
.
group_id
:
grantGroup
=
groups
[
grant
.
group_id
]
.
id
if
not
module
.
check_mode
:
ec2
.
revoke_security_group_egress
(
group_id
=
group
.
id
,
ip_protocol
=
rule
.
ip_protocol
,
from_port
=
rule
.
from_port
,
to_port
=
rule
.
to_port
,
src_group_id
=
grantGroup
,
cidr_ip
=
grant
.
cidr_ip
)
changed
=
True
if
group
:
module
.
exit_json
(
changed
=
changed
,
group_id
=
group
.
id
)
else
:
...
...
Write
Preview
Markdown
is supported
0%
Try again
or
attach a new file
Attach a file
Cancel
You are about to add
0
people
to the discussion. Proceed with caution.
Finish editing this message first!
Cancel
Please
register
or
sign in
to comment
