Support for prefix lists in ec2_group

It looks like you can't specify a prefix list in a security group rule in
ec2_group, which you might want to do if you have egress rules and want to
allow access to S3. (To put a finer point on it, *we* want to do this,
because we have egress rules, and want to include a rule that allows
access to S3, via the S3 prefix list. :^)

Would this be a desirable addition to the ec2_group module?

                                      -Josh (jbs@care.com)


I’d love this, and I’ve thought of doing the same thing myself. The tricky thing is that, at least when I looked at it, boto2 didn’t support targeting a prefix list in security groups, so it would have to be done through boto3. The current stance of Ansible is that it’s fine to require boto3 for features in modules when those features aren’t available in boto2, but that the module should work just fine if the feature which requires boto3 isn’t requested and boto3 is not installed. And the way the current code is structured, it felt like it would be very messy to try to do that “surgically” so I never got around to doing it. It might be best to just include two different implementations, one with boto3 and one with boto2, rather than try to surgically fit boto3 in there.

–Joel
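
Added example (not part of the original thread, and not Ansible's ec2_group code): a sketch of the approach described above, where boto3 is imported optionally and is demanded only when a rule targets a prefix list. The rule keys (proto, from_port, to_port, cidr_ip, prefix_list_id), the function names, and the prefix list and group IDs are assumptions made for illustration; the boto2 path for ordinary rules is left out.

```python
try:
    import boto3  # optional: only prefix-list rules need it
    HAS_BOTO3 = True
except ImportError:
    boto3 = None
    HAS_BOTO3 = False

# Constructed sample rules; "pl-00000000" is a placeholder, not a real prefix list ID.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443, "prefix_list_id": "pl-00000000"},
    {"proto": "tcp", "from_port": 53, "to_port": 53, "cidr_ip": "10.0.0.2/32"},
]


def needs_boto3(rules):
    """True if any rule uses the boto3-only feature (a prefix list target)."""
    return any(bool(r.get("prefix_list_id")) for r in rules)


def check_requirements(rules, has_boto3=None):
    """Fail only when a prefix list is requested and boto3 is missing."""
    has_boto3 = HAS_BOTO3 if has_boto3 is None else has_boto3
    if needs_boto3(rules) and not has_boto3:
        raise RuntimeError("boto3 is required for rules that use prefix_list_id")


def to_ip_permission(rule):
    """Translate one rule (hypothetical keys) into the EC2 IpPermissions shape."""
    targets = [k for k in ("cidr_ip", "prefix_list_id") if rule.get(k)]
    if len(targets) != 1:
        raise ValueError("rule needs exactly one of cidr_ip or prefix_list_id")
    perm = {"IpProtocol": rule["proto"],
            "FromPort": rule["from_port"], "ToPort": rule["to_port"]}
    if targets[0] == "prefix_list_id":
        perm["PrefixListIds"] = [{"PrefixListId": rule["prefix_list_id"]}]
    else:
        perm["IpRanges"] = [{"CidrIp": rule["cidr_ip"]}]
    return perm


def authorize_egress(client, group_id, rules, has_boto3=None):
    """Add egress rules through a boto3 EC2 client, e.g. boto3.client("ec2")."""
    check_requirements(rules, has_boto3)
    perms = [to_ip_permission(r) for r in rules]
    client.authorize_security_group_egress(GroupId=group_id, IpPermissions=perms)
    return perms
```
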

I still don’t see support for this with Ansible 2.4. What is puzzling is that Terraform supports this, and I would debate that Terraform is a newer automation tool in the environment.

I have submitted a feature request here. https://github.com/ansible/ansible/issues/31383

The method I use to work around this limitation is just… well ugly.

My workaround