Merge pull request #4338 from jlaska/ec2_group_idempotency

Add idempotency support to ec2_group

Merge pull request #4338 from jlaska/ec2_group_idempotency
Add idempotency support to ec2_group
df529b9b · Michael DeHaan · 1d08bcd7 · e002496f · df529b9b
Commit df529b9b authored Oct 02, 2013 by Michael DeHaan
Hide whitespace changes
Inline Side-by-side

Showing with 89 additions and 59 deletions

library/cloud/ec2_group
+89 -59

No files found.
--- a/library/cloud/ec2_group
+++ b/library/cloud/ec2_group
@@ -49,6 +49,14 @@ options:
    required: false
    default: null
    aliases: []
+  state:
+    version_added: "1.4"
+    description:
+      - create or delete security group
+    required: false
+    default: 'present'
+    aliases: []
 requirements: [ "boto" ]
 '''
@@ -105,6 +113,7 @@ def main():
            ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
            ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
            region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
+            state = dict(default='present', choices=['present', 'absent']),
        ),
        supports_check_mode=True,
    )
@@ -116,6 +125,7 @@ def main():
    ec2_secret_key = module.params.get('ec2_secret_key')
    ec2_access_key = module.params.get('ec2_access_key')
    region = module.params.get('region')
+    state = module.params.get('state')
    changed = False
@@ -152,74 +162,94 @@ def main():
        if curGroup.name == name and curGroup.vpc_id == vpc_id:
            group = curGroup
-    # if found, check the group parameters are correct
+    # Ensure requested group is absent
-    if group:
+    if state == 'absent':
-        group_in_use = False
+        if group:
-        rs = ec2.get_all_instances()
+            '''found a match, delete it'''
-        for r in rs:
+            try:
-            for i in r.instances:
+                group.delete()
-                group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
+            except Exception, e:
+                module.fail_json(msg="Unable to delete security group '%s' - %s" % (group, e))
-        if group.description != description:
+            else:
-            if group_in_use:
+                group = None
-                module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
+                changed = True
-            group.delete()
+        else:
-            group = None
+            '''no match found, no changes required'''
-    # if the group doesn't exist, create it now
+    # Ensure requested group is present
-    if not group:
+    elif state == 'present':
-        if not module.check_mode:
+        if group:
-            group = ec2.create_security_group(name, description, vpc_id=vpc_id)
+            '''existing group found'''
-        changed = True
+            # check the group parameters are correct
+            group_in_use = False
+            rs = ec2.get_all_instances()
+            for r in rs:
+                for i in r.instances:
+                    group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
+            if group.description != description:
+                if group_in_use:
+                    module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
+        # if the group doesn't exist, create it now
+        else:
+            '''no match found, create it'''
+            if not module.check_mode:
+                group = ec2.create_security_group(name, description, vpc_id=vpc_id)
+            changed = True
+    else:
+        module.fail_json(msg="Unsupported state requested: %s" % state)
    # create a lookup for all existing rules on the group
-    groupRules = {}
    if group:
+        groupRules = {}
        addRulesToLookup(group.rules, 'in', groupRules)
-    # Now, go through all the defined rules and ensure they are there.
+        # Now, go through all provided rules and ensure they are there.
-    if rules:
+        if rules:
-        for rule in rules:
+            for rule in rules:
-            group_id = None
+                group_id = None
-            ip = None
+                ip = None
-            if 'group_id' in rule and 'cidr_ip' in rule:
+                if 'group_id' in rule and 'cidr_ip' in rule:
-                module.fail_json(msg="Specify group_id OR cidr_ip, not both")
+                    module.fail_json(msg="Specify group_id OR cidr_ip, not both")
-            elif 'group_id' in rule:
+                elif 'group_id' in rule:
-                group_id = rule['group_id']
+                    group_id = rule['group_id']
-            elif 'cidr_ip' in rule:
+                elif 'cidr_ip' in rule:
-                ip = rule['cidr_ip']
+                    ip = rule['cidr_ip']
-            if rule['proto'] == 'all':
-                rule['proto'] = -1
-                rule['from_port'] = None
-                rule['to_port'] = None
-            ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
-            if ruleId in groupRules:
-                del groupRules[ruleId]
-                continue
-            grantGroup = None
-            if group_id:
-                grantGroup = groups[group_id]
-            if not module.check_mode:
+                if rule['proto'] == 'all':
-                group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
+                    rule['proto'] = -1
-            changed = True
+                    rule['from_port'] = None
+                    rule['to_port'] = None
-    # Finally, remove anything left in the groupRules -- these will be defunct rules
+                # If rule already exists, don't later delete it
-    for rule in groupRules.itervalues():
+                ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
-        for grant in rule.grants:
+                if ruleId in groupRules:
-            grantGroup = None
+                    del groupRules[ruleId]
-            if grant.group_id:
+                # Otherwise, add new rule
-                grantGroup = groups[grant.group_id]
+                else:
-            if not module.check_mode:
+                    grantGroup = None
-                group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
+                    if group_id:
-            changed = True
+                        grantGroup = groups[group_id]
+                    if not module.check_mode:
+                        group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
+                    changed = True
+        # Finally, remove anything left in the groupRules -- these will be defunct rules
+        for rule in groupRules.itervalues():
+            for grant in rule.grants:
+                grantGroup = None
+                if grant.group_id:
+                    grantGroup = groups[grant.group_id]
+                if not module.check_mode:
+                    group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
+                changed = True
-    if not group:
+    if group:
+        module.exit_json(changed=changed, group_id=group.id)
+    else:
        module.exit_json(changed=changed, group_id=None)
-    module.exit_json(changed=changed, group_id=group.id)
 # this is magic, see lib/ansible/module_common.py
 #<<INCLUDE_ANSIBLE_MODULE_COMMON>>