@ -60,7 +60,7 @@ EXAMPLES = '''
'''
RETURN = '''
nacl :
nacl s :
description : Returns an array of complex objects as described below .
returned : success
type : complex
@ -86,20 +86,29 @@ nacl:
returned : always
type : list of string
ingress :
description : A list of NACL ingress rules .
description :
- A list of NACL ingress rules with the following format .
- [ rule no , protocol , allow / deny , v4 or v6 cidr , icmp_type , icmp_code , port from , port to ]
returned : always
type : list of list
sample : [ [ 100 , ' tcp ' , ' allow ' , ' 0.0.0.0/0 ' , null , null , 22 , 22 ] ]
egress :
description : A list of NACL egress rules .
description :
- A list of NACL egress rules with the following format .
- [ rule no , protocol , allow / deny , v4 or v6 cidr , icmp_type , icmp_code , port from , port to ]
returned : always
type : list of list
sample : [ [ 100 , ' all ' , ' allow ' , ' 0.0.0.0/0 ' , null , null , null , null ] ]
'''
import traceback
try :
from botocore . exceptions import ClientError , NoCredentialsError
from botocore . exceptions import ClientError , BotoCore Error
except ImportError :
pass # caught by imported HAS_BOTO3
from ansible . module_utils . _text import to_native
from ansible . module_utils . basic import AnsibleModule
from ansible . module_utils . ec2 import ( ec2_argument_spec , boto3_conn , get_aws_connection_info ,
ansible_dict_to_boto3_filter_list , HAS_BOTO3 ,
@ -116,10 +125,17 @@ def list_ec2_vpc_nacls(connection, module):
nacl_ids = module . params . get ( " nacl_ids " )
filters = ansible_dict_to_boto3_filter_list ( module . params . get ( " filters " ) )
if nacl_ids is None :
nacl_ids = [ ]
try :
nacls = connection . describe_network_acls ( NetworkAclIds = nacl_ids , Filters = filters )
except ( ClientError , NoCredentialsError ) as e :
module . fail_json ( msg = e . message , * * camel_dict_to_snake_dict ( e . response ) )
except ClientError as e :
module . fail_json ( msg = " Unable to describe network ACLs {0} : {1} " . format ( nacl_ids , to_native ( e ) ) ,
exception = traceback . format_exc ( ) , * * camel_dict_to_snake_dict ( e . response ) )
except BotoCoreError as e :
module . fail_json ( msg = " Unable to describe network ACLs {0} : {1} " . format ( nacl_ids , to_native ( e ) ) ,
exception = traceback . format_exc ( ) )
# Turn the boto3 result in to ansible_friendly_snaked_names
snaked_nacls = [ ]
@ -132,9 +148,9 @@ def list_ec2_vpc_nacls(connection, module):
nacl [ ' tags ' ] = boto3_tag_list_to_ansible_dict ( nacl [ ' tags ' ] , ' key ' , ' value ' )
if ' entries ' in nacl :
nacl [ ' egress ' ] = [ nacl_entry_to_list ( entry ) for entry in nacl [ ' entries ' ]
if entry [ ' rule_number ' ] != 32767 and entry [ ' egress ' ] ]
if entry [ ' rule_number ' ] < 32767 and entry [ ' egress ' ] ]
nacl [ ' ingress ' ] = [ nacl_entry_to_list ( entry ) for entry in nacl [ ' entries ' ]
if entry [ ' rule_number ' ] != 32767 and not entry [ ' egress ' ] ]
if entry [ ' rule_number ' ] < 32767 and not entry [ ' egress ' ] ]
del nacl [ ' entries ' ]
if ' associations ' in nacl :
nacl [ ' subnets ' ] = [ a [ ' subnet_id ' ] for a in nacl [ ' associations ' ] ]
@ -148,21 +164,36 @@ def list_ec2_vpc_nacls(connection, module):
def nacl_entry_to_list ( entry ) :
elist = [ entry [ ' rule_number ' ] ,
PROTOCOL_NAMES [ entry [ ' protocol ' ] ] ,
entry [ ' rule_action ' ] ,
entry [ ' cidr_block ' ]
]
if entry [ ' protocol ' ] == ' 1 ' :
elist = elist + [ - 1 , - 1 ]
# entry list format
# [ rule_num, protocol name or number, allow or deny, ipv4/6 cidr, icmp type, icmp code, port from, port to]
elist = [ ]
elist . append ( entry [ ' rule_number ' ] )
if entry . get ( ' protocol ' ) in PROTOCOL_NAMES :
elist . append ( PROTOCOL_NAMES [ entry [ ' protocol ' ] ] )
else :
elist . append ( entry . get ( ' protocol ' ) )
elist . append ( entry [ ' rule_action ' ] )
if entry . get ( ' cidr_block ' ) :
elist . append ( entry [ ' cidr_block ' ] )
elif entry . get ( ' ipv6_cidr_block ' ) :
elist . append ( entry [ ' ipv6_cidr_block ' ] )
else :
elist = elist + [ None , None , None , None ]
elist . append ( None )
elist = elist + [ None , None , None , None ]
if ' icmp_type_code ' in entry :
elist [ 4 ] = entry [ ' icmp_type_code ' ] [ ' type ' ]
elist [ 5 ] = entry [ ' icmp_type_code ' ] [ ' code ' ]
if entry [ ' protocol ' ] in ( ' 1 ' , ' 58 ' ) :
elist [ 4 ] = entry . get ( ' icmp_type_code ' , { } ) . get ( ' type ' )
elist [ 5 ] = entry . get ( ' icmp_type_code ' , { } ) . get ( ' code ' )
if ' port_range ' in entry :
if entry [ ' protocol ' ] not in ( ' 1 ' , ' 6 ' , ' 17 ' , ' 58 ' ) :
elist [ 6 ] = 0
elist [ 7 ] = 65535
elif ' port_range ' in entry :
elist [ 6 ] = entry [ ' port_range ' ] [ ' from ' ]
elist [ 7 ] = entry [ ' port_range ' ] [ ' to ' ]
@ -179,19 +210,14 @@ def main():
)
)
module = AnsibleModule ( argument_spec = argument_spec ,
mutually_exclusive = [ [ ' nacl_ids ' , ' filters ' ] ] )
module = AnsibleModule ( argument_spec = argument_spec , supports_check_mode = True )
if not HAS_BOTO3 :
module . fail_json ( msg = ' boto3 required for this module ' )
region , ec2_url , aws_connect_params = get_aws_connection_info ( module , boto3 = True )
if region :
connection = boto3_conn ( module , conn_type = ' client ' , resource = ' ec2 ' ,
region = region , endpoint = ec2_url , * * aws_connect_params )
else :
module . fail_json ( msg = " region must be specified " )
connection = boto3_conn ( module , conn_type = ' client ' , resource = ' ec2 ' ,
region = region , endpoint = ec2_url , * * aws_connect_params )
list_ec2_vpc_nacls ( connection , module )