#!/usr/bin/python
# -*- coding: utf-8 -*-


DOCUMENTATION = '''
---
module: ec2_group
short_description: maintain an ec2 VPC security group.
description:
    - maintains ec2 security groups. This module has a dependency on python-boto >= 2.5
options:
  name:
    description:
      - Name of the security group.
    required: true
  description:
    description:
      - Description of the security group.
    required: true
  vpc_id:
    description:
      - ID of the VPC to create the group in.
    required: false
  rules:
    description:
      - List of firewall rules to enforce in this group (see example).
    required: true
  region:
    description:
      - the EC2 region to use
    required: false
    default: null
    aliases: []
  ec2_url:
    description:
      - Url to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints)
    required: false
    default: null
    aliases: []
  ec2_secret_key:
    description:
      - EC2 secret key
    required: false
    default: null
    aliases: []
  ec2_access_key:
    description:
      - EC2 access key
    required: false
    default: null
    aliases: []
requirements: [ "boto" ]
'''

EXAMPLES = '''
- name: example ec2 group
  local_action:
    module: ec2_group
    name: example
    description: an example EC2 group
    vpc_id: 12345
    region: eu-west-1a
    ec2_secret_key: SECRET
    ec2_access_key: ACCESS
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 10.0.0.0/8
      - proto: udp
        from_port: 10050
        to_port: 10050
        cidr_ip: 10.0.0.0/8
      - proto: udp
        from_port: 10051
        to_port: 10051
        group_id: abcdef
'''

try:
    import boto.ec2
except ImportError:
    print "failed=True msg='boto required for this module'"
    sys.exit(1)


def addRulesToLookup(rules, prefix, dict):
    for rule in rules:
        for grant in rule.grants:
            dict["%s-%s-%s-%s-%s-%s" % (prefix, rule.ip_protocol, rule.from_port, rule.to_port,
                                        grant.group_id, grant.cidr_ip)] = rule

def main():
    module = AnsibleModule(
        argument_spec=dict(
            name=dict(required=True),
            description=dict(required=True),
            vpc_id=dict(),
            rules=dict(),
            ec2_url=dict(aliases=['EC2_URL']),
            ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
            ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
            region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
        ),
        supports_check_mode=True,
    )
    name = module.params['name']
    description = module.params['description']
    vpc_id = module.params['vpc_id']
    rules = module.params['rules']
    ec2_url = module.params.get('ec2_url')
    ec2_secret_key = module.params.get('ec2_secret_key')
    ec2_access_key = module.params.get('ec2_access_key')
    region = module.params.get('region')

    changed = False

    # allow eucarc environment variables to be used if ansible vars aren't set
    if not ec2_url and 'EC2_URL' in os.environ:
        ec2_url = os.environ['EC2_URL']
    if not ec2_secret_key and 'EC2_SECRET_KEY' in os.environ:
        ec2_secret_key = os.environ['EC2_SECRET_KEY']
    if not ec2_access_key and 'EC2_ACCESS_KEY' in os.environ:
        ec2_access_key = os.environ['EC2_ACCESS_KEY']

    # If we have a region specified, connect to its endpoint.
    if region:
        try:
            ec2 = boto.ec2.connect_to_region(region, aws_access_key_id=ec2_access_key, aws_secret_access_key=ec2_secret_key)
        except boto.exception.NoAuthHandlerFound, e:
            module.fail_json(msg=str(e))
    # Otherwise, no region so we fallback to the old connection method
    else:
        try:
            if ec2_url:  # if we have an URL set, connect to the specified endpoint
                ec2 = boto.connect_ec2_endpoint(ec2_url, ec2_access_key, ec2_secret_key)
            else:  # otherwise it's Amazon.
                ec2 = boto.connect_ec2(ec2_access_key, ec2_secret_key)
        except boto.exception.NoAuthHandlerFound, e:
            module.fail_json(msg=str(e))

    # find the group if present
    group = None
    groups = {}
    for curGroup in ec2.get_all_security_groups():
        groups[curGroup.id] = curGroup

        if curGroup.name == name and curGroup.vpc_id == vpc_id:
            group = curGroup

    # if found, check the group parameters are correct
    if group:
        group_in_use = False
        rs = ec2.get_all_instances()
        for r in rs:
            for i in r.instances:
                group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)

        if group.description != description:
            if group_in_use:
                module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
            group.delete()
            group = None

    # if the group doesn't exist, create it now
    if not group:
        if not module.check_mode:
            group = ec2.create_security_group(name, description, vpc_id=vpc_id)
        changed = True

    # create a lookup for all existing rules on the group
    groupRules = {}
    if group:
        addRulesToLookup(group.rules, 'in', groupRules)

    # Now, go through all the defined rules and ensure they are there.
    if rules:
        for rule in rules:
            group_id = None
            ip = None
            if 'group_id' in rule and 'cidr_ip' in rule:
                module.fail_json(msg="Specify group_id OR cidr_ip, not both")
            elif 'group_id' in rule:
                group_id = rule['group_id']
            elif 'cidr_ip' in rule:
                ip = rule['cidr_ip']

            if rule['proto'] == 'all':
                rule['proto'] = -1
                rule['from_port'] = None
                rule['to_port'] = None

            ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
            if ruleId in groupRules:
                del groupRules[ruleId]
                continue

            grantGroup = None
            if group_id:
                grantGroup = groups[group_id]

            if not module.check_mode:
                group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
            changed = True

    # Finally, remove anything left in the groupRules -- these will be defunct rules
    for rule in groupRules.itervalues():
        for grant in rule.grants:
            grantGroup = None
            if grant.group_id:
                grantGroup = groups[grant.group_id]
            if not module.check_mode:
                group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
            changed = True

    if not group:
        module.exit_json(changed=changed, group_id=None)
    module.exit_json(changed=changed, group_id=group.id)

# this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
main()
