Can't get the group_id value from register in ec2_group on creation

I have the following as part of a play:

  - ec2_group:
      name: group-name
      description: "firewall"
      vpc_id: "{{ vpc_id }}"
      region: "{{ region }}"
      purge_rules: false
      purge_rules_egress: false
      rules:
        - proto: tcp
          from_port: 22
          to_port: 22
          cidr_ip: 0.0.0.0/0
        #- proto: all
        #  group_name: group-name
    register: group_sg

  - debug: msg="group_id - {{ group_sg.group_id }}"

which fails with the error:

TASK: [debug msg="group_id - {{ group_sg.group_id }}"] **********************
fatal: [localhost] => One or more undefined variables: 'dict object' has no attribute 'group_id'

Isn't this the right way of getting this attribute? Or is this not an option for an SG created inside a VPC? The SG is being created fine, though, for the specified VPC and region.

Another thing is that I'm unable to use:

  - proto: all
    group_name: group-name

as in the example on the official Ansible module page in the rules, since I'm getting the following error:

  File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1226, in get_status
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidGroup.NotFound</Code><Message>You have specified two resources that belong to different networks.</Message></Error></Errors><RequestID>dee577be-…</RequestID></Response>

Any ideas?

$ ansible --version
ansible 1.9.1

Thanks,
Igor

Replying to myself about the second part of my question re:

  - proto: all
    group_name: group-name

It came up that the group name has to be unique in the region, otherwise the call will fail. The AWS console, on the other hand, allows creation of security groups with the same name in the same region in case they belong to different VPCs.

Hi Igor,

  - debug: msg="group_id - {{ group_sg.group_id }}"

should work. Can you please try

  - debug: var=group_sg

and see what keys you are getting?

Also, for question 2, there were a few fixes added to filter groups in the same VPC; can you please try the latest devel branch?

- Benno

Thanks for replying Benno. I did exactly that with debugging and can see where the problem is.

First, let me say I haven't been completely honest about the way I've been invoking the ec2_group module. I simplified the call for readability, but from the debug output I can see I shouldn't have, since it covers the problem. In case I do:

  - ec2_group:
      name: group-{{ ec2_env }}
      description: "firewall"
      vpc_id: "vpc-xxxxxxxx"
      region: "eu-west-1"
    register: group_sg

then all is fine. The debug message is simple:

ok: [localhost] => {
    "msg": "group_id - {'invocation': {'module_name': u'ec2_group', 'module_args': ''}, 'changed': True, 'group_id': 'sg-xxxxxxxx'}"
}

However, in my case I'm invoking ec2_group via a with_dict loop, as given below:

- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - group_vars/app_servers
    - group_vars/vpcs
  tasks:
    - name: "Some group"
      ec2_group:
        name: group-{{ ec2_env }}
        description: "group firewall"
        vpc_id: "{{ item.key }}"
        region: "{{ item.value.region }}"
        purge_rules: false
        purge_rules_egress: false
        rules:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: xxxxx
            to_port: xxxxx
            cidr_ip: "{{ item.value.cidr }}"
          # ...
          - proto: all
            group_name: group-{{ ec2_env }}
        rules_egress:
          - proto: all
            type: all
            cidr_ip: 0.0.0.0/0
      with_dict: vpc
      when: item.value.name == ec2_env
      register: group_sg

where the dictionary is a mapping of VPCs as follows:

vpc:
  vpc-xxxxxxxx:
    name: nameX
    region: ap-southeast-2
    cidr: "xxxxxxxx/16"
    subnets:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
    subnets_app:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
    subnets_db:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
  # ...
  vpc-yyyyyyyy:
    name: nameY
    region: eu-west-1
    cidr: "xxxxxxxx/16"
    subnets:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
    subnets_app:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
    subnets_db:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }

in which case I get the following complex structure as output:

TASK: [debug var=group_sg] ***************************************************
ok: [localhost] => {
    "var": {
        "group_sg": {
            "changed": true,
            "msg": "All items completed",
            "results": [
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": true,
                    "group_id": "sg-xxxxxxxx",
                    "invocation": {
                        "module_args": "",
                        "module_name": "ec2_group"
                    },
                    "item": {
                        "key": "vpc-xxxxxxxx",
                        "value": {
                            "cidr": "xxxxxxxx/16",
                            "name": "xxxxxxxx",
                            "region": "eu-west-1",
                            "subnets": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ],
                            "subnets_app": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ],
                            "subnets_db": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ]
                        }
                    }
                },
                {
                    "changed": false,
                    "skipped": true
                }
            ]
        }
    }
}

Yeah, I'm trying to make the play generic so it applies to any VPC/subnets in any region.

Thanks again for your help.

Igor

Any idea how to dig the SG id out of this? Maybe changing the module to not be so verbose and print only the needed info would be easier?
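The two debug outputs in the thread show the actual cause: a task registered without a loop returns the module's result directly (so `group_sg.group_id` exists), while a task registered under `with_dict` returns a wrapper whose `results` list holds one entry per loop item, and every item excluded by the `when:` clause appears as `{"changed": false, "skipped": true}` with no `group_id` key at all. The following is an added example, not code from the thread or from Ansible, showing the selection logic a play needs to apply to `group_sg.results` before using the id: skip the skipped entries, collect `group_id` together with the VPC it belongs to (taken from `item.key` for a `with_dict` loop), and fail loudly if there is not exactly one match. It mirrors what a task looping over `group_sg.results` with `when: item.skipped is not defined` would select. The sample structures and the `sg-`/`vpc-` identifiers are constructed placeholders, not real resources.

```python
"""Extract security-group ids from an Ansible 'register' result.

Added example (not from the thread or from Ansible itself).  Handles both
shapes a registered ec2_group result can take:

  * single task:  {"changed": true, "group_id": "sg-..."}
  * looped task:  {"changed": true, "results": [ ...one entry per item... ]}

Under a loop, items filtered out by 'when:' are recorded as
{"changed": false, "skipped": true} and carry no 'group_id'; reading
group_sg.group_id at the top level is exactly what produced
"'dict object' has no attribute 'group_id'".
"""


def _is_skipped(result):
    """A loop item excluded by 'when:' carries skipped: true."""
    return bool(result.get("skipped", False))


def extract_group_ids(registered):
    """Return a list of (vpc_id, group_id) pairs found in a registered result.

    Skipped loop items are ignored.  For a with_dict loop the VPC id is
    taken from item.key, matching the 'vpc' mapping used in the thread;
    for a non-looped task there is no 'item', so vpc_id is None.
    Entries without a group_id (for example failed items) are ignored
    rather than raising, so the caller decides how strict to be.
    """
    if "results" in registered:
        entries = registered["results"]
    else:
        entries = [registered]

    found = []
    for entry in entries:
        if _is_skipped(entry):
            continue
        group_id = entry.get("group_id")
        if not group_id:
            continue
        item = entry.get("item")
        vpc_id = item.get("key") if isinstance(item, dict) else None
        found.append((vpc_id, group_id))
    return found


def single_group_id(registered):
    """Return exactly one group_id, or raise ValueError.

    Raising on zero or several matches is deliberate: a play that later
    feeds this id into another rule or an instance launch should stop
    rather than silently pick up a security group from the wrong VPC.
    """
    ids = extract_group_ids(registered)
    if len(ids) != 1:
        raise ValueError("expected exactly one security group, got %r" % (ids,))
    return ids[0][1]


# Constructed sample data shaped like the two debug outputs in the thread
# (identifiers are placeholders, not real AWS resources).
SINGLE_RESULT = {
    "invocation": {"module_name": "ec2_group", "module_args": ""},
    "changed": True,
    "group_id": "sg-0000aaaa",
}

LOOPED_RESULT = {
    "changed": True,
    "msg": "All items completed",
    "results": [
        {"changed": False, "skipped": True},
        {"changed": False, "skipped": True},
        {
            "changed": True,
            "group_id": "sg-0000bbbb",
            "invocation": {"module_args": "", "module_name": "ec2_group"},
            "item": {
                "key": "vpc-0000bbbb",
                "value": {"name": "nameY", "region": "eu-west-1"},
            },
        },
        {"changed": False, "skipped": True},
    ],
}

if __name__ == "__main__":
    print(single_group_id(SINGLE_RESULT))    # sg-0000aaaa
    print(extract_group_ids(LOOPED_RESULT))  # [('vpc-0000bbbb', 'sg-0000bbbb')]
    print(single_group_id(LOOPED_RESULT))    # sg-0000bbbb
```

The same rule applies to any module registered under a loop in Ansible 1.9: the value you want lives in `results[n]`, never at the top level, and the `when:` clause does not remove skipped items from that list, it only marks them.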