initial update of entries

playbooks/edx-east/edx_service.yml

@@ -55,25 +55,25 @@
           - "id"
       register: acl_data
          
-    - name: Manage ELB Subnets
-      ec2_subnet:
-        state: "{{ state }}"
-        region: "{{ aws_region }}"
-        name: "{{ item.name }}"
-        vpc_id: "{{ vpc_id }}"
-        cidr_block: "{{ item.cidr }}"
-        az: "{{ item.az }}"
-        route_table_id: "{{ item.route_table_id }}"
-        tags: "{{ item.tags }}"
-      register: created_elb_subnets
-      with_items: elb_subnets
+    # - name: Manage ELB Subnets
+    #   ec2_subnet:
+    #     state: "{{ state }}"
+    #     region: "{{ aws_region }}"
+    #     name: "{{ item.name }}"
+    #     vpc_id: "{{ vpc_id }}"
+    #     cidr_block: "{{ item.cidr }}"
+    #     az: "{{ item.az }}"
+    #     route_table_id: "{{ item.route_table_id }}"
+    #     tags: "{{ item.tags }}"
+    #   register: created_elb_subnets
+    #   with_items: elb_subnets
 
       #
       # Hack alert, this registers a list in the global namespace
       # of just the subnet ids that were created above
       #
-    - debug: msg="{{ created_elb_subnets.results|map(attribute='subnet_id')| list }}"
-      register: elb_sn_list
+    # - debug: msg="{{ created_elb_subnets.results|map(attribute='subnet_id')| list }}"
+    #   register: elb_sn_list
       
     - name: Manage Service Subnets
       ec2_subnet:
@@ -109,7 +109,7 @@
         name: "{{ elb_name }}"
         state: "{{ state }}"
         security_group_ids: "{{ elb_sec_group.group_id }}"
-        subnets: "{{ elb_sn_list.msg }}"
+        subnets: "{{ elb_subnets }}"
         health_check: "{{ elb_healthcheck }}"
         listeners: "{{ elb_listeners }}"
       register: elb
@@ -151,7 +151,7 @@
       register: asg
 
     - name: Manage scaling policies
-      ec2_scaling_policy:
+      ec2_scaling_policy_1.8:
         state: "{{ item.state }}"
         profile: "{{ item.profile }}"
         region: "{{ item.region }}"

playbooks/library/ec2_acl

@@ -105,10 +105,85 @@ class ACLManager():
         self.do_tags()
         return changed
 
+    # TODO refactor out repitition
     def update_rules(self):
-        # TODO implement
-        rules = []
-        return rules
+
+        current_ingress = [x.rule_number for x in self.acl.network_acl_entries if x.egress == 'false']
+        current_egress = [x.rule_number for x in self.acl.network_acl_entries if x.egress == 'true']
+
+        modified_ingress = []
+        modified_egress = []
+
+        for rule in self.rules:
+            egress = True if rule['type'] == "egress" else False
+            protocol = PROTOCOL_NUMBERS[rule['protocol'].upper()]
+
+            if not egress:
+                if rule['number'] not in current_ingress:
+                    # new rule
+                    self.connection.create_network_acl_entry(
+                        self.acl.id,
+                        rule['number'],
+                        protocol,
+                        rule['rule_action'],
+                        rule['cidr_block'],
+                        egress=egress,
+                        port_range_from=rule['from_port'],
+                        port_range_to=rule['to_port'])
+                else:
+                    # blindly replace rather than attempting
+                    # to determine in the entry has changed
+                    modified_ingress.append(rule['number'])
+                    self.connection.replace_network_acl_entry (
+                        self.acl.id,
+                        rule['number'],
+                        protocol,
+                        rule['rule_action'],
+                        rule['cidr_block'],
+                        egress=egress,
+                        port_range_from=rule['from_port'],
+                        port_range_to=rule['to_port'])
+            else:
+                if rule['number'] not in current_egress:
+                    # new rule
+                    self.connection.create_network_acl_entry(
+                        self.acl.id,
+                        rule['number'],
+                        protocol,
+                        rule['rule_action'],
+                        rule['cidr_block'],
+                        egress=egress,
+                        port_range_from=rule['from_port'],
+                        port_range_to=rule['to_port'])
+                else:
+                    # blindly replace rather than attempting
+                    # to determine in the entry has changed
+                    modified_egress.append(rule['number'])
+                    self.connection.replace_network_acl_entry (
+                        self.acl.id,
+                        rule['number'],
+                        protocol,
+                        rule['rule_action'],
+                        rule['cidr_block'],
+                        egress=egress,
+                        port_range_from=rule['from_port'],
+                        port_range_to=rule['to_port'])
+
+        removed_ingress_rule_numbers = [ c for c in current_ingress if c not in modified_ingress ]
+        removed_egress_rule_numbers = [ c for c in current_egress if c not in modified_egress ]
+
+        for number in removed_ingress_rule_numbers:
+            n = int(number)
+            # reserved range for AWS
+            if n <  32767:
+                self.connection.delete_network_acl_entry(self.acl.id, n, False)
+
+        for number in removed_egress_rule_numbers:
+            n = int(number)
+            # reserved range for AWS
+            if n <  32767:
+                self.connection.delete_network_acl_entry(self.acl.id, n, True)
+
 
     def create_rules(self):