early version works for create, not idempotent

playbooks/library/ec2_acl

+#!/usr/bin/env python
+# This file is part of Ansible
+#
+# Ansible is free software: you can redistribute it and/or modify
+# it under the terms of the GNU General Public License as published by
+# the Free Software Foundation, either version 3 of the License, or
+# (at your option) any later version.
+#
+# Ansible is distributed in the hope that it will be useful,
+# but WITHOUT ANY WARRANTY; without even the implied warranty of
+# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
+# GNU General Public License for more details.
+#
+# You should have received a copy of the GNU General Public License
+# along with Ansible.  If not, see <http://www.gnu.org/licenses/>.
+
+DOCUMENTATION = """
+---
+module: ec2_acl
+short_description: Create or delete AWS Network ACLs.
+description:
+  - Can create or delete AwS Network ACLs.
+version_added: "1.8"
+author: Edward Zarecor
+options:
+  state:
+    description:
+      - create, update or delete the acl
+    required: true
+    choices: ['present', 'absent']
+  name:
+    description:
+      - Unique name for acl
+    required: true
+  vpc_id:
+    description:
+      - The VPC that this acl belongs to
+    required: true
+    default: null
+extends_documentation_fragment: aws
+"""
+
+EXAMPLES = '''
+- ec2_acl:
+    name: public-acls
+    state: present
+    vpc_id: 'vpc-abababab'
+
+'''
+
+from ansible.module_utils.basic import *
+from ansible.module_utils.ec2 import *
+import sys
+try:
+    import boto.vpc
+except ImportError:
+    print "failed=True msg={0}".format(sys.executable)
+    #print "failed=True msg='boto required for this module'"
+    sys.exit(1)
+
+from boto.exception import NoAuthHandlerFound
+
+PROTOCOL_NUMBERS = {"ICMP": 1, "TCP": 6, "UPD": 17}
+
+
+class DuplicateAclError(Exception):
+    pass
+
+
+class ACLManager():
+
+    def __init__(self, connection, vpc_id, acl_name, rules, tags=[]):
+        self.connection = connection
+        self.vpc_id = vpc_id
+        self.acl_name = acl_name
+        self.rules = rules
+        self.tags = tags
+        self.acl = None
+
+    def get_acl(self):
+
+        if not self.acl:
+            results = self.connection.get_all_network_acls(filters={"vpc_id": self.vpc_id, "tag:Name": self.acl_name})
+
+            if len(results) == 1:
+                self.acl = results[0]
+            elif len(results) > 1:
+                raise DuplicateAclError("Found multiple network acls name {0} in vpc with id {1}".
+                                        format(self.acl_name, self.vpc_id))
+            else:
+                # Does exist yet
+                pass
+
+        return self.acl
+
+    def create_acl(self):
+        self.acl = self.connection.create_network_acl(self.vpc_id)
+        changed = True
+        self.do_tags()
+        return changed
+
+    def update_acl(self):
+        changed = False
+        self.update_rules()
+        self.do_tags()
+        return changed
+
+    def update_rules(self):
+        # TODO implement
+        rules = []
+        return rules
+
+    def create_rules(self):
+
+        for rule in self.rules:
+            egress = True if rule['type'] == "egress" else False
+            protocol = PROTOCOL_NUMBERS[rule['protocol'].upper()]
+            self.connection.create_network_acl_entry(
+                self.acl.id,
+                rule['number'],
+                protocol,
+                rule['rule_action'],
+                rule['cidr_block'],
+                egress=egress,
+                port_range_from=rule['from_port'],
+                port_range_to=rule['to_port'])
+
+    def do_tags(self):
+
+        if not self.tags:
+            return
+
+        tags = {'Name': self.acl_name}
+        for tag in self.tags:
+            tags[tag['key']] = tag['value']
+        self.get_acl().add_tags(tags)
+
+    def present(self):
+
+        existing = self.get_acl()
+
+        if not existing:
+            changed = self.create_acl()
+            self.create_rules()
+        else:
+            changed = self.update_acl()
+
+        results = dict(changed=changed,
+                       id=self.acl.id,
+                       name=self.acl_name,
+                       entries=self.rules)
+
+        return results
+
+    def absent(self):
+        acl = self.get_acl()
+        changed = False
+
+        if acl:
+            changed = self.connection.delete_network_acl(acl.id)
+        results = dict(changed=changed,
+                       id=self.acl.id,
+                       name=self.acl_name)
+
+        return results
+
+
+def main():
+    argument_spec = ec2_argument_spec()
+    argument_spec.update(
+        dict(
+            name=dict(required=True, type='str'),
+            state=dict(default='present', choices=['present', 'absent']),
+            vpc_id=dict(required=True, type='str'),
+            rules=dict(type='list'),
+            tags=dict(type='list'),
+        )
+    )
+
+    module = AnsibleModule(argument_spec=argument_spec)
+
+    ec2_url, aws_access_key, aws_secret_key, region = get_ec2_creds(module)
+    profile = module.params.get('profile')
+    if region:
+        try:
+            connection = boto.vpc.connect_to_region(region, profile_name=profile)
+        except boto.exception.NoAuthHandlerFound, e:
+            module.fail_json(msg=str(e))
+    else:
+        module.fail_json(msg="region must be specified")
+
+    vpc_id = module.params.get('vpc_id')
+    acl_name = module.params.get('name')
+    rules_in = module.params.get('rules')
+    tags = module.params.get('tags')
+
+    manager = ACLManager(connection, vpc_id, acl_name, rules_in, tags)
+
+    state = module.params.get('state')
+
+    results = dict()
+
+    if state == 'present':
+        results = manager.present()
+    elif state == 'absent':
+        results = manager.absent()
+
+    module.exit_json(**results)
+
+main()