Unless I’m misreading the code, there is no module to manage VPC ACL groups, and the ec2_group module only manages security groups.
I could add the ACL functionality to the ec2_group module, but these issues would arise:
1) There would be a mixture of module parameters, possibly confusingly so.
2) VPC ACLs aren’t specific to ec2, and including them in a module named ‘ec2_group’ would also be confusing.
3) Rules work slightly differently for network ACLs than for security groups.
Adding another module (probably aws_vpc_acl or the like; I wish all the Amazon modules started with “aws”) would be cleaner from a cognitive standpoint. I would, however, possibly refactor ec2_group as the rules functionality is more or less shared, other than rule order which only exists for ACLs.
Is the design aesthetic for Ansible more weighted towards single-function modules, or large do-it-all modules? I personally prefer the former.
On a slightly different subject, as mentioned above: what is the appetite for doing some reasonable renaming of the Amazon modules to start with aws, with a deprecation period? As an example, the “ec2_vpc” module isn’t specific to ec2.
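The third point above (network ACL rules behave differently from security group rules, and rule order only exists for ACLs) is the one a module author has to get right. The following is an added example, not code from this thread or from any Ansible module: it models the two evaluation semantics as I understand them from AWS (a network ACL is an ordered list of numbered allow/deny rules, lowest number first, first match wins, with an implicit final deny; a security group is an unordered set of allow-only rules where any match permits the traffic) and shows that the same two ACL rules give opposite answers when their numbers are swapped. All rule values are constructed for illustration.

```python
"""Added example (not from the thread): ordered NACL rules vs. unordered
security-group rules. AWS semantics as assumed here: NACL rules are numbered
1..32766, evaluated lowest number first, first match wins, implicit '*' deny
at the end; security groups are allow-only and unordered."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    action: str                        # "allow" or "deny" (security groups: allow only)
    protocol: str                      # "tcp", "udp", "icmp" or "all"
    port_from: int
    port_to: int
    cidr: str                          # source CIDR for an ingress rule
    rule_number: Optional[int] = None  # present on NACL rules only

    def matches(self, protocol: str, port: int, src_ip: str) -> bool:
        if self.protocol not in ("all", protocol):
            return False
        if self.protocol != "all" and not (self.port_from <= port <= self.port_to):
            return False
        return ip_address(src_ip) in ip_network(self.cidr)


def validate_nacl_rules(rules: List[Rule]) -> None:
    """Reject what the API would reject: every NACL rule needs a unique
    number in 1..32766 and an explicit allow/deny action."""
    seen = set()
    for r in rules:
        if r.rule_number is None or not (1 <= r.rule_number <= 32766):
            raise ValueError(f"bad rule number on {r}")
        if r.rule_number in seen:
            raise ValueError(f"duplicate rule number {r.rule_number}")
        seen.add(r.rule_number)
        if r.action not in ("allow", "deny"):
            raise ValueError(f"bad action {r.action!r}")


def validate_sg_rules(rules: List[Rule]) -> None:
    """Security group rules carry no number and cannot deny."""
    for r in rules:
        if r.action != "allow":
            raise ValueError("security group rules can only allow")
        if r.rule_number is not None:
            raise ValueError("security group rules are unordered")


def evaluate_nacl(rules: List[Rule], protocol: str, port: int, src_ip: str) -> str:
    validate_nacl_rules(rules)
    for r in sorted(rules, key=lambda rule: rule.rule_number):
        if r.matches(protocol, port, src_ip):
            return r.action            # first match wins
    return "deny"                      # the implicit '*' rule


def evaluate_sg(rules: List[Rule], protocol: str, port: int, src_ip: str) -> str:
    validate_sg_rules(rules)
    return "allow" if any(r.matches(protocol, port, src_ip) for r in rules) else "deny"


# Constructed rules: block one host, allow the rest of its subnet to SSH.
DENY_HOST = Rule("deny", "tcp", 22, 22, "10.0.0.5/32", rule_number=100)
ALLOW_SUBNET = Rule("allow", "tcp", 22, 22, "10.0.0.0/24", rule_number=110)


def nacl_order_matters() -> Tuple[str, str]:
    """Same two rules; only the deny's number changes (100 vs 120)."""
    deny_first = [DENY_HOST, ALLOW_SUBNET]
    allow_first = [ALLOW_SUBNET,
                   Rule("deny", "tcp", 22, 22, "10.0.0.5/32", rule_number=120)]
    return (
        evaluate_nacl(deny_first, "tcp", 22, "10.0.0.5"),   # "deny"
        evaluate_nacl(allow_first, "tcp", 22, "10.0.0.5"),  # "allow": 110 matched first
    )


def sg_order_irrelevant() -> Tuple[str, str, str]:
    """Reversing a security group's rule list cannot change the answer."""
    sg_rules = [Rule("allow", "tcp", 22, 22, "10.0.0.0/24"),
                Rule("allow", "tcp", 443, 443, "0.0.0.0/0")]
    return (
        evaluate_sg(sg_rules, "tcp", 22, "10.0.0.5"),
        evaluate_sg(list(reversed(sg_rules)), "tcp", 22, "10.0.0.5"),
        evaluate_sg(sg_rules, "tcp", 22, "192.168.1.1"),   # nothing allows it
    )


if __name__ == "__main__":
    print(nacl_order_matters(), sg_order_irrelevant())
```

The two `validate_*` functions are where a shared rules implementation would have to diverge: a refactored ec2_group helper that accepts a rule list would need to know whether it is building a NACL (require unique numbers, permit deny) or a security group (forbid both), which is the practical argument for keeping the two resources in separate modules.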
(1) We already do have an ec2_vpc module and there are several pull requests against it.
(2) It definitely shouldn’t mingle with the security group module – this would be very bad.
(3) We are not going to rename any modules at this time.
(4) We do not want to entertain any refactoring at this time until various open cloud pull requests get merged, and in doing so must preserve module signatures.
(5) We seek modules that fit the “right” amount of encapsulation to model a particular resource or noun. I wouldn’t describe them as functions.
I was looking to use Ansible to configure some network ACLs just now, and was surprised that there doesn't seem to be a way to do this. :^( https://github.com/ansible/ansible-modules-core/pull/403 was a PR for an ec2_vpc_nacl module, which got some feedback, and was eventually closed as part of the "new modules go in extras first" rule, with an encouragement to the author (herbyg-axial) to resubmit it, but it doesn't seem like it ever was.
Anyone working on this now? Or is it already there and I missed it?
I don't have any experience with module development, but I could probably take herbyg-axial's code, try to apply the feedback to it, and put in a PR for it, if no one else already has this in progress.
-Josh (jbs@care.com)
I don't think anyone is working on this, if taking over please try to maintain attribution to Herb's work. He just probably got slammed and pulled in other directions and never had time to come back to this (this seems common in our line of work).