How to change the ec2_group configuration in Ansible

Hi, I have a simple ec2_group configuration like this:

- name: Create cc
  hosts: localhost
  tasks:
    - name: Create security group
      ec2_group:
        name: cc
        description: Security group for cc
        region: ap-northeast-1
        state: absent
        rules:
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0

To change this security group’s configuration, it seems that I need to delete it first and create a new one.
If I have an ec2 instance that is using that security group, I need to delete the instance.

What’s the best practice here to change the configuration of an ec2 security group and other ec2 modules?

- create new group with new rules
- reassign instances to new group
- delete old group

If you only want to change the security group's rules you don't need
to delete and recreate it, that can be changed on the fly with
ansible, just change the rules configuration. As far as I know you
would only need to destroy and recreate it to change the description.

As for Brian's suggestion, you can only reassign security groups on
instances inside a VPC (the provided sample seems to be for EC2
Classic). If you really need to recreate a security group in EC2
Classic, then new instances will need to be created as well.
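
The in-place rule change described in the reply above, sketched as an added example (not code from any poster in this thread). It reuses the group name, description and region from the original post; the narrowed SSH range 203.0.113.0/24 is a constructed placeholder, and the example assumes an ec2_group version that provides purge_rules and returns group_id.

```yaml
# Added example: reconcile the rules of the existing "cc" group without
# deleting it. Instances that use the group keep their assignment.
- name: Update cc security group rules in place
  hosts: localhost
  connection: local
  gather_facts: false
  tasks:
    - name: Apply the new rule set to the existing group
      ec2_group:
        name: cc
        # Left exactly as in the original post; per the reply above, a
        # changed description would require recreating the group.
        description: Security group for cc
        region: ap-northeast-1
        state: present        # keep the group and reconcile its rules
        purge_rules: true     # revoke ingress rules not listed below
        rules:
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: 22
            to_port: 22
            # Constructed placeholder range replacing 0.0.0.0/0 for SSH.
            cidr_ip: 203.0.113.0/24
      register: cc_group

    - name: Report whether the rules were modified
      debug:
        msg: "group {{ cc_group.group_id }} changed={{ cc_group.changed }}"
```

Running the play a second time should report changed=False, which confirms the group was updated rather than recreated.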

Sorry, yes, I assumed EC2 Classic, which was much more restrictive with
security groups.