Hi all,
I’m using Ansible 1.7 and trying to populate an ec2_group with a list of allowed IPs inbound. My playbook looks like so:
Hi Aaron, is it valid to specify a list of IPs for the cidr_ip value in the rules (or was this a cut/paste mistake)?
It’s valid. When you run a playbook that passes a list of IPs, it’ll generate a rule for each IP in the list. However, when you run the playbook a second time, AWS throws an error that those SG entries already exist.
I was cribbing from Michael DeHaan’s solution here. Looks like others have solved this with a template.
I ask, because as far as I can tell from looking at the source code, we do not check that the cidr_ip may be a list of IPs rather than a single item. That means for things like this (where ip is the cidr_ip from the parsed rule data structure):
ruleId = "%s-%s-%s-%s-%s-%s" % ('out', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
The purge functionality is actually quite nice for my use case, however. I’m dynamically gathering a list of hosts with a particular tag, then creating security group ingress rules to allow only those IPs (oh, the joys of VPC / public cloud inter-networking). So if a host is stopped/started, I need to get rid of the old IP and replace it with the new one when I run my playbook.
I solved this problem via the template method linked to previously. I’m not sure if updated Ansible code to loop through a list and create individual rules would be appropriate or not (I’m guessing not), so this may be the best method anyway.
Thanks for your help.
-Aaron
No problem, feel free to open an issue on github for this too, as I’m pretty sure the module was not designed to work with a list of IPs natively like that (though maybe the AWS API will work the way we’re stuffing those in there).
Thanks!
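To make the behaviour discussed in this thread concrete, here is an added example (not code from the thread, nor from the Ansible ec2_group module) that expands a rule with a list of IPs into one rule per address, builds rule ids in the same shape as the ruleId string quoted above, and diffs them against an existing group the way the template approach plus purging does. The group id, host addresses and existing rule ids are constructed sample values.

```python
# Added example: expand a list of cidr_ip values into per-IP rules and diff
# them against an existing security group (desired-state reconciliation).
import ipaddress

def make_rule_id(direction, rule, group_id, cidr_ip):
    # Same format as the ruleId string quoted from the module source above.
    return "%s-%s-%s-%s-%s-%s" % (direction, rule["proto"], rule["from_port"],
                                  rule["to_port"], group_id, cidr_ip)

def expand_rules(rule, ips):
    """Return one rule per address; bare host addresses become /32 networks."""
    expanded = []
    for ip in ips:
        net = ipaddress.ip_network(ip, strict=False)
        expanded.append(dict(rule, cidr_ip=str(net)))
    return expanded

def reconcile(direction, rule, ips, group_id, existing_ids, purge=True):
    """Diff desired per-IP rules against the rule ids already in the group.

    Returns (ids_to_add, ids_to_remove). With purge=True, stale entries (for
    example the old address of a stopped/started host) are scheduled for
    removal so only the currently tagged hosts stay allowed.
    """
    desired = {make_rule_id(direction, r, group_id, r["cidr_ip"])
               for r in expand_rules(rule, ips)}
    to_add = sorted(desired - set(existing_ids))
    to_remove = sorted(set(existing_ids) - desired) if purge else []
    return to_add, to_remove

if __name__ == "__main__":
    # Constructed sample data: hypothetical group id and tagged-host IPs.
    rule = {"proto": "tcp", "from_port": 22, "to_port": 22}
    group_id = "sg-EXAMPLE"
    # Passing the list straight through produces a key containing the list's
    # repr, which never matches an individual AWS rule.
    print(make_rule_id("in", rule, group_id, ["10.0.0.5", "10.0.0.6"]))
    existing = {"in-tcp-22-22-sg-EXAMPLE-10.0.0.5/32",
                "in-tcp-22-22-sg-EXAMPLE-10.0.0.9/32"}   # 10.0.0.9 is stale
    add, remove = reconcile("in", rule, ["10.0.0.5", "10.0.0.6"],
                            group_id, existing)
    print("add:", add)
    print("remove:", remove)
```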