AWS Security Group and VPC Peering

Archives Ansible Project
1

I am trying to allow a security group from a VPC peer, access to resources on another security group. Exactly what is described here. I am using ansible 2.5

https://github.com/ansible/ansible/pull/28876

My VPC is active.

`
(venv) [ec2-user@ip-10-99-200-10 deployment]$ aws ec2 describe-vpc-peering-connections
{
“VpcPeeringConnections”: [
{
“Status”: {
“Message”: “Active”,
“Code”: “active”
},
“Tags”: [
{
“Value”: “MGR-CLOUD”,
“Key”: “Name”
}
],
“AccepterVpcInfo”: {
“PeeringOptions”: {
“AllowEgressFromLocalVpcToRemoteClassicLink”: false,
“AllowDnsResolutionFromRemoteVpc”: true,
“AllowEgressFromLocalClassicLinkToRemoteVpc”: false
},
“OwnerId”: “xxxxx0107728”,
“CidrBlockSet”: [
{
“CidrBlock”: “10.99.100.0/24”
}
],
“CidrBlock”: “10.99.100.0/24”,
“VpcId”: “vpc-7abd281f”
},
“VpcPeeringConnectionId”: “pcx-8e51c0e7”,
“RequesterVpcInfo”: {
“PeeringOptions”: {
“AllowEgressFromLocalVpcToRemoteClassicLink”: false,
“AllowDnsResolutionFromRemoteVpc”: true,
“AllowEgressFromLocalClassicLinkToRemoteVpc”: false
},
“OwnerId”: “xxxxx0107728”,
“CidrBlockSet”: [
{
“CidrBlock”: “10.99.200.0/24”
}
],
“CidrBlock”: “10.99.200.0/24”,
“VpcId”: “vpc-55f36730”
}
}
]
}

`

(venv) [ec2-user@ip-10-99-200-10 deployment]$

The security groups do exist.
`

(venv) [ec2-user@ip-10-99-200-10 deployment]$ aws ec2 describe-security-groups --query ‘SecurityGroups[*].{VPCID:VpcId,Account:OwnerId,NAME:GroupName,ID:GroupId}’
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-ccfa6ea9”,
“NAME”: “default”,
“ID”: “sg-2c777549”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-7abd281f”,
“NAME”: “secgrp-cloudmfa-appliance-prd”,
“ID”: “sg-35848450”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-55f36730”,
“NAME”: “secgrp-mfamgr-bastion-prd”,
“ID”: “sg-8f6567ea”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-ccfa6ea9”,
“NAME”: “secgrp-mfacloud-appliance-prd”,
“ID”: “sg-b8797bdd”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-55f36730”,
“NAME”: “default”,
“ID”: “sg-da6567bf”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-8e7daceb”,
“NAME”: “default”,
“ID”: “sg-de0c8cbb”
},
{
“Account”: “xxxxx0107728”,
“VPCID”: “vpc-7abd281f”,
“NAME”: “default”,
“ID”: “sg-f5848490”
}
]

`

Yet no matter what I try to put in for ‘group_name’ or group_id i get the same error.

I have tried.
group_id: xxxxx0107728/sg-8f6567ea/secgrp-mfacloud-appliance-prd
group_id: sg-8f6567ea
group_name: secgrp-mfacloud-appliance-prd

Here is the relevant portion of my task.

`

  • name: SECURITY GROUP | Ensure MFA Appliance Security Group Exists
    ec2_group:
    name: secgrp-{{ vpc_name }}-appliance-{{vpc_environment_tag }}
    description: Security Group For MFA Cloud Appliances
    vpc_id: “{{ vpc_id }}”
    region: “{{ vpc_region }}”
    rules:

  • proto: tcp
    ports:

  • 80

  • 443

  • 2195

  • 5228-52230
    cidr_ip: 0.0.0.0/0

  • proto: udp
    ports:

  • 5228-52230

  • 2195
    cidr_ip: 0.0.0.0/0

  • proto: tcp
    ports:

  • 5985

  • 5986

  • 1433
    group_name: secgrp-mfamgr-bastion-prd
    tags:
    Name: “secgrp-{{ vpc_name }}-appliance-{{vpc_environment_tag }}”
    Environment: “{{ vpc_environment_tag }}”
    Customer: “{{ vpc_customer_tag }}”
    register: mfa_secgrp_appliance

  • name: SECURITY GROUP | Set MFA Appliance Security Group ID
    set_fact:
    secgrp_appliance_id: “{{ mfa_secgrp_appliance.group_id }}”
    `

and the error

fa_aws : SECURITY GROUP | Ensure MFA Appliance Security Group Exists] **************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: You have specified two resources that belong to different networks.
fatal: [localhost]: FAILED! => {“changed”: false, “error”: {“code”: “InvalidGroup.NotFound”, “message”: “You have specified two resources that belong to different networks.”}, “failed”: true, “msg”: “Unable to authorize ingress for group sg-8f6567ea security group ‘secgrp-mfacloud-appliance-prd’ - An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: You have specified two resources that belong to different networks.”, “response_metadata”: {“http_headers”: {“connection”: “close”, “date”: “Fri, 26 Jan 2018 17:47:20 GMT”, “server”: “AmazonEC2”, “transfer-encoding”: “chunked”}, “http_status_code”: 400, “request_id”: “ad5bb10a-fe5c-48a1-9c1f-832de0d6a0af”, “retry_attempts”: 0}}