Possible bug in repeated runs of ec2_group module with wide-open rule

I have the following as part of a playbook that makes sure we have the
appropriate security groups set up, and all of them work just fine
except this one:

    - name: Create wide-open testing security group
      local_action:
        module: ec2_group
        name: 'WIDE OPEN'
        description: 'WIDE OPEN for TESTING ONLY!'
        vpc_id: "{{ vpc_id }}"
        region: "{{ aws_region }}"
        state: present
        rules:
          # everything from anywhere:
          # proto -1 is the AWS value for "all protocols"; with it the
          # port range is meaningless, so -1/-1 is used for the ports too
          - proto: -1
            from_port: -1
            to_port: -1
            cidr_ip: 0.0.0.0/0

The first time I run the playbook with this task it works just fine.
But every time it's run after that I get this error:

failed: [localhost] => {"failed": true, "parsed": false}
invalid output was: Traceback (most recent call last):
  File "/home/mpeters/.ansible/tmp/ansible-tmp-1403128269.19-243664471754105/ec2_group",
line 1754, in <module>
    main()
  File "/home/mpeters/.ansible/tmp/ansible-tmp-1403128269.19-243664471754105/ec2_group",
line 268, in main
    group.authorize(rule['proto'], rule['from_port'], rule['to_port'],
ip, grantGroup)
  File "/usr/lib/python2.7/site-packages/boto/ec2/securitygroup.py",
line 204, in authorize
    dry_run=dry_run)
  File "/usr/lib/python2.7/site-packages/boto/ec2/connection.py", line
3144, in authorize_security_group
    params, verb='POST')
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line
1196, in get_status
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidPermission.Duplicate</Code><Message>the
specified rule "peer: 0.0.0.0/0, ALL, ALLOW" already
exists</Message></Error></Errors><RequestID>d5f91251-0cbb-478c-86ce-bb371fcf0361</RequestID></Response>

Firstly, I've heard several times on this list that anytime there's a
Traceback thrown to the screen it's a bug in the sense that it needs
better error handling, right?

But before I create a ticket for InvalidPermission.Duplicate error on
repeated runs I wanted to make sure that I wasn't doing anything
wrong. Using "-1" for proto, from_port and to_port is a little
unusual, but it should still be supported for multiple runs right?

Thanks,
Michael

Yes, definitely a bug, so please open an issue for this. And the “-1” is used by the AWS API to indicate “any”, so for the error above it’s trying to create a default ingress rule which will also use -1’s for the same fields, but for some reason it’s not seeing you adding that rule yourself.
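The duplicate comes from comparing the playbook's -1/-1/-1 rule against what EC2 reports for the same rule without first putting both into one canonical form, so the module calls authorize() again for a rule that already exists. The following is an added example of the reconciliation a module should do before touching the API; it is not Ansible's ec2_group code or boto. It assumes EC2 describes an all-traffic rule as ip_protocol "-1" with no port range (from_port/to_port None), models the group with a small FakeGroup stand-in instead of a real boto SecurityGroup, and uses constructed rule data throughout.

```python
"""Idempotent security-group ingress reconciliation (illustrative, not ec2_group's code).

Canonicalise every rule into one key before diffing, so that the playbook's
proto -1 / from_port -1 / to_port -1 and EC2's ip_protocol "-1" with no port
range are recognised as the same rule and authorize() is only called for
rules that are genuinely missing.
"""
from typing import Dict, Iterable, List, Optional, Set, Tuple

# (protocol, from_port, to_port, cidr) is the identity of an ingress rule.
RuleKey = Tuple[str, Optional[int], Optional[int], str]


def _norm_proto(proto) -> str:
    # AWS uses "-1" for "all protocols"; accept the usual spellings of it.
    p = str(proto).lower()
    return "-1" if p in ("-1", "all", "any") else p


def _norm_port(proto: str, port) -> Optional[int]:
    # An all-traffic rule has no port range at all (assumption: EC2 omits
    # FromPort/ToPort, which boto surfaces as None). For tcp/udp/icmp keep the
    # integer as given, including icmp's -1 meaning "all types/codes".
    if proto == "-1" or port is None:
        return None
    return int(port)


def rule_key(proto, from_port, to_port, cidr_ip: str) -> RuleKey:
    p = _norm_proto(proto)
    return (p, _norm_port(p, from_port), _norm_port(p, to_port), str(cidr_ip))


def desired_keys(rules: Iterable[Dict]) -> Set[RuleKey]:
    """Keys for rules in the playbook's shape: proto/from_port/to_port/cidr_ip."""
    return {rule_key(r["proto"], r["from_port"], r["to_port"], r["cidr_ip"]) for r in rules}


def existing_keys(perms: Iterable[Dict]) -> Set[RuleKey]:
    """Keys for rules as EC2 describes them, flattened to one CIDR grant per entry.

    Assumed shape (modelled on boto's IPPermissions): ip_protocol, from_port,
    to_port, cidr_ip, with from_port/to_port None for "-1" rules.
    """
    return {rule_key(p["ip_protocol"], p["from_port"], p["to_port"], p["cidr_ip"]) for p in perms}


def plan(desired: Iterable[Dict], existing: Iterable[Dict]) -> Tuple[Set[RuleKey], Set[RuleKey]]:
    """Return (rules to authorize, rules to revoke) to make EC2 match `desired`."""
    want, have = desired_keys(desired), existing_keys(existing)
    return want - have, have - want


class FakeGroup:
    """Stand-in for a boto SecurityGroup that, like EC2, rejects duplicate rules."""

    def __init__(self, perms: Iterable[Dict]):
        self.keys: Set[RuleKey] = existing_keys(perms)
        self.calls: List[str] = []

    def authorize(self, key: RuleKey) -> None:
        if key in self.keys:
            raise RuntimeError("InvalidPermission.Duplicate")  # what EC2 returns as a 400
        self.keys.add(key)
        self.calls.append("authorize")

    def revoke(self, key: RuleKey) -> None:
        self.keys.discard(key)
        self.calls.append("revoke")


def reconcile(group: FakeGroup, desired: Iterable[Dict]) -> bool:
    """Apply only the diff; the return value is Ansible's notion of `changed`."""
    want, have = desired_keys(desired), set(group.keys)
    for key in have - want:
        group.revoke(key)
    for key in want - have:
        group.authorize(key)
    return want != have


# Constructed sample data: the playbook rule from this thread, what EC2 reports
# after the first successful run, and a tighter rule set to converge towards.
WIDE_OPEN = [{"proto": -1, "from_port": -1, "to_port": -1, "cidr_ip": "0.0.0.0/0"}]
EC2_AFTER_FIRST_RUN = [{"ip_protocol": "-1", "from_port": None, "to_port": None, "cidr_ip": "0.0.0.0/0"}]
SSH_ONLY = [{"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "10.0.0.0/8"}]

if __name__ == "__main__":
    group = FakeGroup(EC2_AFTER_FIRST_RUN)
    print("second run changed:", reconcile(group, WIDE_OPEN))  # False, no API calls made
    print("tighten to SSH changed:", reconcile(group, SSH_ONLY))  # True: one revoke, one authorize
    print("calls:", group.calls)
```

The second run is a no-op because both forms of the all-traffic rule map to the same key, which is exactly the comparison the traceback above shows being skipped. Revoking before authorizing keeps the group from ever holding the union of the old and new rule sets, which matters when the change is a tightening like the SSH_ONLY case.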

Thanks for the confirmation. Filed as
https://github.com/ansible/ansible/issues/7832