ec2_group does not honour empty 'rules_egress:'

The docs (in the code) say:

rules_egress:
    description:
      - List of firewall outbound rules to enforce in this group (see
        example). If none are supplied, a default all-out rule is assumed.
        If an empty list is supplied, no outbound rules will be enabled.

And while the code seems to do this:

`
if rules_egress is not None:
    for rule in rules_egress:
        ...  # per-rule handling omitted in the quoted excerpt
elif vpc_id and not module.check_mode:
    # when using a vpc, but no egress rules are specified,
    # we add in a default allow all out rule, which was the
    # default behavior before egress rules were added
    default_egress_rule = 'out--1-None-None-None-0.0.0.0/0'
`

The default rule is always created. eg:

`

- name: Declare api-service ELB security group
  ec2_group:
    name: "{{env_prefix}}api-service-elb"
    description: API Service ELB security group
    vpc_id: "{{ec2_vpc_id}}"
    rules:
    rules_egress:
    purge_rules: false
    purge_rules_egress: false

`

Is '' not an empty list?

This http://stackoverflow.com/questions/1725517/how-to-check-if-a-list-is-empty-in-python seems to imply that using 'is not None' will not work for an empty list. Is this a bug?

Hi Barry,

Works for me if purge_rules and purge_rules_egress are true.

`

- name: Declare api-service ELB security group
  ec2_group:
    name: "{{env_prefix}}api-service-elb"
    description: API Service ELB security group
    vpc_id: "{{ec2_vpc_id}}"
    state: present
    rules:
    rules_egress:
    purge_rules: true
    purge_rules_egress: true

`

Abey

Hmm. That sure did not work for me. I will have to try this some more and see what I was doing wrong. Thanks Abey.

Hi Barry,

I am seeing the same issue with v1.9.2. The stable-1.9 branch does not have the code snippet you pasted earlier. I believe you are referencing code in the devel branch. Here is the code in stable-1.9:

https://github.com/ansible/ansible-modules-core/blob/stable-1.9/cloud/amazon/ec2_group.py#L319-L321

Note the lines:



`

# Now, go through all provided rules and ensure they are there.
if rules_egress:
    for rule in rules_egress:
        ...  # per-rule handling omitted in the quoted excerpt
elif vpc_id and not module.check_mode:
    # when using a vpc, but no egress rules are specified,
    # we add in a default allow all out rule, which was the
    # default behavior before egress rules were added
    default_egress_rule = 'out--1-None-None-None-0.0.0.0/0'
`

The "if" will evaluate to false for an empty list. The documentation regarding the empty list appears not to apply to 1.9.
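To make the two branch conditions discussed in this thread concrete, here is an added example (not code from the ec2_group module or from any poster) that models `if rules_egress is not None` (devel) against `if rules_egress:` (stable-1.9) for the three inputs a task can produce. It relies on the fact that a YAML key with no value (`rules_egress:`) loads as null, i.e. Python None, while `rules_egress: []` loads as an empty list; the vpc_id value, the rule-key helper and the sample rule are constructed for the example.

```python
# Added example (not the module's own code): model the two branch conditions
# quoted in this thread to show which egress rules each would enforce.
# Fact used: YAML `rules_egress:` (no value) loads as None; `rules_egress: []`
# loads as []. Assumption: vpc_id is set and the task is not in check mode.

DEFAULT_EGRESS_RULE = "out--1-None-None-None-0.0.0.0/0"  # string quoted in the thread


def rule_key(rule):
    """Simplified stand-in for the module's per-rule key: out-proto-from-to-group-cidr."""
    return "out-%s-%s-%s-None-%s" % (
        rule.get("proto"), rule.get("from_port"), rule.get("to_port"), rule.get("cidr_ip"))


def egress_rules_devel(rules_egress, vpc_id="vpc-0123"):
    """devel-branch style: `if rules_egress is not None` (an empty list is honoured)."""
    if rules_egress is not None:
        return [rule_key(r) for r in rules_egress]
    elif vpc_id:
        return [DEFAULT_EGRESS_RULE]
    return []


def egress_rules_stable19(rules_egress, vpc_id="vpc-0123"):
    """stable-1.9 style: `if rules_egress:` (an empty list is falsy, so the default applies)."""
    if rules_egress:
        return [rule_key(r) for r in rules_egress]
    elif vpc_id:
        return [DEFAULT_EGRESS_RULE]
    return []


# Constructed task parameters, as the YAML spellings would load:
NULL_EGRESS = None   # `rules_egress:`      (key with no value, as in the tasks above)
EMPTY_EGRESS = []    # `rules_egress: []`   (explicit empty list)
ONE_RULE = [{"proto": "tcp", "from_port": 443, "to_port": 443, "cidr_ip": "10.0.0.0/8"}]


def summary():
    """Egress rules each branch style would enforce for each input."""
    return {
        ("devel", "null"): egress_rules_devel(NULL_EGRESS),
        ("devel", "empty"): egress_rules_devel(EMPTY_EGRESS),
        ("stable-1.9", "null"): egress_rules_stable19(NULL_EGRESS),
        ("stable-1.9", "empty"): egress_rules_stable19(EMPTY_EGRESS),
        ("stable-1.9", "one"): egress_rules_stable19(ONE_RULE),
    }


if __name__ == "__main__":
    for (branch, spelling), rules in sorted(summary().items()):
        print("%-10s %-5s -> %s" % (branch, spelling, rules or "no outbound rules"))
```

Note that the tasks in this thread spell the key as `rules_egress:` with no value, which loads as None, so even the devel-branch test falls through to the default allow-all-out rule; only an explicit `[]` reaches the "no outbound rules" path, and only under the `is not None` test.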