Adding a security group to running ec2 instance

Is there a way to update the properties of a running ec2 instance? Specifically, I’d like to add security groups to a running VPC instance.

I’ve used the ec2 module to create an instance, but once it’s running, adding a security group to the ‘group’ parameter and re-running the playbook has no effect. The exceptions are the count_tag and exact_count parameters, which create/destroy instances accordingly.

AWS doesn’t allow you to change the security group association of an instance once created; you CAN change the rules of the existing security group. Ansible cannot give you something that AWS itself doesn’t support.

Whoa. Maybe I’m misunderstanding you but I add and remove security groups on instances while running all the time. It would be cool to do that via ansible.

This might have changed; I have not even tried in a good while. This used to be a restriction. I stand corrected and am happy to hear it; it was a major pain.

Just double-checked the AWS documentation:

“After you launch an instance in EC2-Classic, you can’t change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group.”

Will try this later to confirm; not sure what ‘classic’ means either.

Ah, VPC instances have different rules; ‘classic’ is non-VPC from what I can see.

Yep, that must be the difference. I’m all VPC.

Yes, you can update an instance’s list of security groups if that instance is in a VPC:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html (see “Differences Between Security Groups for EC2-Classic and EC2-VPC”)

I’ll create a pull request.

As an aside, updating any of the ec2 module parameters will not update the instance, which in practice is often undesirable or impossible, because most of the parameters would require a restart (think instance_type, etc.). However, ‘volumes’ is one parameter that could be updatable (but isn’t; I tried). I worked around that by creating an ‘ec2_vol’ and specifying the instance_id in there.
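For reference, the API call behind the VPC behaviour described in this answer is EC2 ModifyInstanceAttribute with the Groups attribute; that is what an Ansible module would have to issue against a running instance. The following is an added example (not from the thread and not Ansible’s ec2 module code) showing that call with the checks a practitioner would want: it refuses EC2-Classic instances (no VpcId, so group membership is fixed at launch, as the quoted documentation says), treats the Groups list as a replacement rather than an append, and reports changed/unchanged the way an Ansible module does. The `ec2` argument is assumed to be a boto3 EC2 client (`describe_instances` / `modify_instance_attribute`); the `FakeEC2` class, the instance IDs and the group IDs are constructed stand-ins so the example runs offline.

```python
"""Change the security groups of a running VPC EC2 instance via
ModifyInstanceAttribute(Groups=...). Added example; not code from the
thread or from Ansible's ec2 module."""

from typing import Dict, List


class SecurityGroupChangeError(Exception):
    """Raised when the instance's security groups cannot be changed."""


def current_group_ids(instance: Dict) -> List[str]:
    """Return the instance's current security group IDs, sorted for comparison."""
    return sorted(g["GroupId"] for g in instance.get("SecurityGroups", []))


def set_instance_security_groups(ec2, instance_id: str, group_ids: List[str]) -> bool:
    """Replace the security group set of a running instance.

    `ec2` is assumed to expose boto3's EC2 client methods
    describe_instances and modify_instance_attribute (a real
    boto3.client("ec2") or the FakeEC2 below). Returns True when a
    change was made and False when the instance already had exactly
    these groups, mirroring Ansible's 'changed' result.
    """
    if not group_ids:
        # Every network interface must keep at least one group; the API
        # rejects an empty Groups list, so fail early with a clear message.
        raise ValueError("at least one security group ID is required")

    resp = ec2.describe_instances(InstanceIds=[instance_id])
    instance = resp["Reservations"][0]["Instances"][0]

    # EC2-Classic instances carry no VpcId; their group membership is
    # fixed at launch, so changing it is not possible (only the rules
    # inside the existing group can change).
    if not instance.get("VpcId"):
        raise SecurityGroupChangeError(
            f"{instance_id} is an EC2-Classic instance; groups cannot be changed after launch"
        )

    wanted = sorted(set(group_ids))
    if current_group_ids(instance) == wanted:
        return False  # already in the desired state; no API call made

    # Groups=... REPLACES the group set on the primary network interface;
    # to add a group, the caller must pass the existing groups as well.
    ec2.modify_instance_attribute(InstanceId=instance_id, Groups=wanted)
    return True


class FakeEC2:
    """Minimal in-memory stand-in for the boto3 EC2 client (constructed
    test double so the example runs offline)."""

    def __init__(self, instances: Dict[str, Dict]):
        self._instances = instances
        self.calls: List[Dict] = []  # record of modify calls for inspection

    def describe_instances(self, InstanceIds):
        found = [self._instances[i] for i in InstanceIds]
        return {"Reservations": [{"Instances": found}]}

    def modify_instance_attribute(self, InstanceId, Groups):
        self.calls.append({"InstanceId": InstanceId, "Groups": list(Groups)})
        self._instances[InstanceId]["SecurityGroups"] = [{"GroupId": g} for g in Groups]
        return {}


def make_fake_client() -> FakeEC2:
    """Two constructed instances: one in a VPC, one EC2-Classic (no VpcId)."""
    return FakeEC2({
        "i-0vpc": {"InstanceId": "i-0vpc", "VpcId": "vpc-0aaa",
                   "SecurityGroups": [{"GroupId": "sg-web"}]},
        "i-0classic": {"InstanceId": "i-0classic",
                       "SecurityGroups": [{"GroupId": "sg-legacy"}]},
    })


if __name__ == "__main__":
    ec2 = make_fake_client()  # for real use: ec2 = boto3.client("ec2")
    # Add sg-ssh alongside sg-web on the VPC instance: changed.
    print(set_instance_security_groups(ec2, "i-0vpc", ["sg-web", "sg-ssh"]))
    # Same set again, different order: unchanged, no API call.
    print(set_instance_security_groups(ec2, "i-0vpc", ["sg-ssh", "sg-web"]))
    try:
        set_instance_security_groups(ec2, "i-0classic", ["sg-other"])
    except SecurityGroupChangeError as exc:
        print(exc)
```

Because Groups replaces rather than appends, an “add a group” task should read the instance’s current groups first and pass the union; otherwise the instance silently loses every group not in the list, which can open or close ports unintentionally.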

Hi Louis et al.,

This just bit us (performing modifications of security groups/volumes of running instances using ec2 module in the context of a VPC)

Did you ever end up modifying the module to support these mutations in a VPC-based environment? We’d love to use them if so!

Thank you,
iain

Ah, I see this is possible in ec2_vol; we are going to pursue that route. Hopefully we can get the ec2 module modified to support security group mutations when in a VPC, and will submit a pull request if we do!

Thank you,
iain