I may have a need to export large numbers of security groups from VPCs and import them into new VPCs; basically I want to clone all the security groups from one VPC, and import them to another.
To my mind, it would be preferable to have a copy of the security groups in ec2_group format, so that I can use Ansible to make the changes. Going forward, people who edit the Ansible ec2_group rules should commit changes to Git first, so we can track who makes changes to security rules for auditing purposes. It seems preferable to use Ansible as tool of choice, but maybe there is a better way? My initial impression is that it makes sense to maintain Ansible playbooks using ec2_group to maintain Security Groups.
There are a fairly large number of Security Groups that need to be maintained, so if there’s a script out there that exports from ec2_group_facts and imports into ec2_group it would save a lot of time.
It does seem a bit odd to me. I ended up using Vim search and replace functions to make the changes, and did some of the work manually. On a related note, I discovered two things that may be useful to people faced with a similar task: you can insert multiple ports in a rule, as a list, one after another instead of having a new rule for each port; when you export the rules, it exports each port as its own rule, which makes for a lot of unnecessary work when editing. Also, there is a clone option in the AWS GUI which I didn’t realize; this might also come in handy. In the end what I noticed, though, is that once you get familiar with the Ansible ec2_group syntax, it’s often faster to make the change to the script than through the GUI, specifically because it is possible to insert multiple ports in one rule; it’s like you can collapse large numbers of rules into one rule with a list of ports. If you make changes to security groups through the GUI, it seems to me that you have to make a new rule for each port.
Yes - there’s a relatively new syntax in Ansible that allows source groups of ports, ranges and other groups.
I need to do my changes dynamically - I can’t take code, edit it manually, then run something, I need to be able to grab what’s there, add a rule and write it back.
Having looked at the two modules, it looks as if modifying ec2_group_facts to generate group-compatible output would be quite hard. It’s a very simple module that essentially returns what the AWS API returns. But it looks as if it would be less difficult to make ec2_group accept that output, and it would be able to discriminate between the two formats quite easily. At the moment it validates one format; just validate that, if it fails validate the other, and if that fails, complain.
I hope someone fixes this. Neither your nor my issues can be uncommon…
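As an added example (not code from any poster or from Ansible itself), here is the conversion the thread asks for: ec2_group_facts-style output turned into ec2_group `rules`, with single-port permissions that share a protocol and source collapsed into one `ports` list as described above. The sample group, its CIDRs and `sg-`/`vpc-` ids are constructed, not captured from a real VPC.

```python
"""Convert ec2_group_facts output into ec2_group 'rules', collapsing ports."""

# Constructed sample in the shape ec2_group_facts returns (AWS
# describe_security_groups converted to snake_case). Not from a real account.
SAMPLE_GROUP = {
    "group_name": "web",
    "description": "web tier (constructed sample)",
    "vpc_id": "vpc-00000000",
    "ip_permissions": [
        {"ip_protocol": "tcp", "from_port": 80, "to_port": 80,
         "ip_ranges": [{"cidr_ip": "10.0.0.0/16"}], "user_id_group_pairs": []},
        {"ip_protocol": "tcp", "from_port": 443, "to_port": 443,
         "ip_ranges": [{"cidr_ip": "10.0.0.0/16"}], "user_id_group_pairs": []},
        {"ip_protocol": "tcp", "from_port": 8000, "to_port": 8010,
         "ip_ranges": [], "user_id_group_pairs": [{"group_id": "sg-00000001"}]},
        # protocol -1 ("all") carries no from_port/to_port in the API output
        {"ip_protocol": "-1", "ip_ranges": [{"cidr_ip": "10.1.0.0/24"}],
         "user_id_group_pairs": []},
    ],
}


def _port_entry(perm):
    """Render one permission's port span as an ec2_group 'ports' list item."""
    lo, hi = perm.get("from_port"), perm.get("to_port")
    return lo if lo == hi else f"{lo}-{hi}"  # ec2_group accepts "from-to" ranges


def facts_to_rules(group):
    """Return ec2_group-style rules, one per (proto, source), ports collapsed.

    Each IpPermission holds a single port span but possibly several sources,
    so the conversion first splits by source, then merges spans that share
    protocol and source into one rule with a 'ports' list.
    """
    merged = {}  # insertion-ordered, so output follows the facts order
    for perm in group["ip_permissions"]:
        proto = perm["ip_protocol"]
        sources = [("cidr_ip", r["cidr_ip"]) for r in perm.get("ip_ranges", [])]
        sources += [("group_id", g["group_id"])
                    for g in perm.get("user_id_group_pairs", [])]
        for key, value in sources:
            rule = merged.setdefault((proto, key, value), {"proto": proto, key: value})
            if proto != "-1":  # "all traffic" rules take no ports in ec2_group
                rule.setdefault("ports", []).append(_port_entry(perm))
    return list(merged.values())
```

Feeding the result to `ec2_group` as `rules` (after dumping it to YAML) reproduces the group; the same walk over `ip_permissions_egress` gives `rules_egress`.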