Remove a rule from AWS EC2 Security group using Ansible

I have an Ansible script to create EC2 security group. It looks like this

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
  register: sg_http

I would like to write a task which deletes the rule but not security group. I tried using the state as present, but it doesn’t work

- name: Delete HTTP Rule
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        state: absent
  register: sg_http

What would be the better way to do this? Regards

Remove the rule from the list.

rules:

Hi,
Can you please provide an example. I am specifically interested in removing
egress rules allowing everything automatically added by AWS when security
groups are created. Thank you

The security group module will just make your list of rules look like whatever you have currently defined in yml. If you remove a rule from the list and run the task again, the rule will be removed from the security group at AWS. This holds true for both ingress and egress.

In other words, for this module don’t think “state: present” or “state: absent” – that is determined by the rule being defined or not.

Thanks Brent, that does explain in good detail how security groups are handled by Ansible.
I would still appreciate it if you could answer this question.

I am creating a security group using

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
  register: sg_http

However this created a security group with inbound http access but also full outbound (egress) access automatically. I do not want those egress rules to be present, how should I remove them.

Create an egress_rules: list that is empty.
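Worked example of the declarative behaviour described in the two replies above (the rules lists are the desired state; anything not in them is purged, and an empty egress list drops the allow-all egress rule AWS adds by default). This is an added example, not code from the thread or from the Ansible project. It assumes the `region` and `vpc` variables and AWS credentials are set up as in the original tasks, and it uses the module's actual parameter name `rules_egress` (the reply above writes `egress_rules`). Note the `state` key belongs to the group, not to an individual rule:

```yaml
# Added example (not from the thread). ec2_group is declarative: the group
# ends up with exactly the rules listed here, and anything else is removed
# on the next run. Assumptions: region/vpc variables and AWS credentials exist.

- name: Create HTTP Security Group with no egress rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    state: present          # applies to the group, never to a single rule
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
    rules_egress: []        # empty list: the default allow-all egress rule is removed
  register: sg_http

# Later, to drop the HTTP rule but keep the group: rerun the same task with
# the rule taken out of the list. An empty list purges every ingress rule.
- name: Remove HTTP rule but keep the group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    state: present
    rules: []               # no ingress rules remain after this run
    rules_egress: []        # still no egress rules
  register: sg_http

# Least-privilege variant: instead of no egress at all, list only what the
# instance actually needs, e.g. outbound HTTPS. Anything not listed is purged.
- name: HTTP group with explicit outbound HTTPS only
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    state: present
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
    rules_egress:
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 0.0.0.0/0
  register: sg_http
```

Caveat: as the rest of this thread reports, an empty `rules_egress` list was at the time only honoured in the devel branch (a released version treated the empty list like an unset parameter and re-added the allow-all egress rule). Later versions of the module also expose `purge_rules` and `purge_rules_egress` (both default to yes) if you ever need to add rules without removing unlisted ones; the default purging behaviour is what the replies above rely on.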

Hi,
I have tried your suggestion of having an empty egress_rules list. However, for some reason an all-access egress rule is always enabled in all the security groups.

I think removing the global rule is broken:

https://groups.google.com/forum/#!topic/ansible-project/9FiCbvUR_Cs

Seems to work fine in the devel branch; could you please give it a try?