|
|
@ -49,6 +49,14 @@ options:
|
|
|
|
required: false
|
|
|
|
required: false
|
|
|
|
default: null
|
|
|
|
default: null
|
|
|
|
aliases: []
|
|
|
|
aliases: []
|
|
|
|
|
|
|
|
state:
|
|
|
|
|
|
|
|
version_added: "1.4"
|
|
|
|
|
|
|
|
description:
|
|
|
|
|
|
|
|
- create or delete security group
|
|
|
|
|
|
|
|
required: false
|
|
|
|
|
|
|
|
default: 'present'
|
|
|
|
|
|
|
|
aliases: []
|
|
|
|
|
|
|
|
|
|
|
|
requirements: [ "boto" ]
|
|
|
|
requirements: [ "boto" ]
|
|
|
|
'''
|
|
|
|
'''
|
|
|
|
|
|
|
|
|
|
|
@ -105,6 +113,7 @@ def main():
|
|
|
|
ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
|
|
|
|
ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
|
|
|
|
ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
|
|
|
|
ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
|
|
|
|
region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
|
|
|
|
region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
|
|
|
|
|
|
|
|
state = dict(default='present', choices=['present', 'absent']),
|
|
|
|
),
|
|
|
|
),
|
|
|
|
supports_check_mode=True,
|
|
|
|
supports_check_mode=True,
|
|
|
|
)
|
|
|
|
)
|
|
|
@ -116,6 +125,7 @@ def main():
|
|
|
|
ec2_secret_key = module.params.get('ec2_secret_key')
|
|
|
|
ec2_secret_key = module.params.get('ec2_secret_key')
|
|
|
|
ec2_access_key = module.params.get('ec2_access_key')
|
|
|
|
ec2_access_key = module.params.get('ec2_access_key')
|
|
|
|
region = module.params.get('region')
|
|
|
|
region = module.params.get('region')
|
|
|
|
|
|
|
|
state = module.params.get('state')
|
|
|
|
|
|
|
|
|
|
|
|
changed = False
|
|
|
|
changed = False
|
|
|
|
|
|
|
|
|
|
|
@ -152,74 +162,94 @@ def main():
|
|
|
|
if curGroup.name == name and curGroup.vpc_id == vpc_id:
|
|
|
|
if curGroup.name == name and curGroup.vpc_id == vpc_id:
|
|
|
|
group = curGroup
|
|
|
|
group = curGroup
|
|
|
|
|
|
|
|
|
|
|
|
# if found, check the group parameters are correct
|
|
|
|
# Ensure requested group is absent
|
|
|
|
if group:
|
|
|
|
if state == 'absent':
|
|
|
|
group_in_use = False
|
|
|
|
if group:
|
|
|
|
rs = ec2.get_all_instances()
|
|
|
|
'''found a match, delete it'''
|
|
|
|
for r in rs:
|
|
|
|
try:
|
|
|
|
for i in r.instances:
|
|
|
|
group.delete()
|
|
|
|
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
|
|
|
|
except Exception, e:
|
|
|
|
|
|
|
|
module.fail_json(msg="Unable to delete security group '%s' - %s" % (group, e))
|
|
|
|
if group.description != description:
|
|
|
|
else:
|
|
|
|
if group_in_use:
|
|
|
|
group = None
|
|
|
|
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
|
|
|
|
changed = True
|
|
|
|
group.delete()
|
|
|
|
else:
|
|
|
|
group = None
|
|
|
|
'''no match found, no changes required'''
|
|
|
|
|
|
|
|
|
|
|
|
# if the group doesn't exist, create it now
|
|
|
|
# Ensure requested group is present
|
|
|
|
if not group:
|
|
|
|
elif state == 'present':
|
|
|
|
if not module.check_mode:
|
|
|
|
if group:
|
|
|
|
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
|
|
|
|
'''existing group found'''
|
|
|
|
changed = True
|
|
|
|
# check the group parameters are correct
|
|
|
|
|
|
|
|
group_in_use = False
|
|
|
|
|
|
|
|
rs = ec2.get_all_instances()
|
|
|
|
|
|
|
|
for r in rs:
|
|
|
|
|
|
|
|
for i in r.instances:
|
|
|
|
|
|
|
|
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if group.description != description:
|
|
|
|
|
|
|
|
if group_in_use:
|
|
|
|
|
|
|
|
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# if the group doesn't exist, create it now
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
'''no match found, create it'''
|
|
|
|
|
|
|
|
if not module.check_mode:
|
|
|
|
|
|
|
|
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
|
|
|
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
else:
|
|
|
|
|
|
|
|
module.fail_json(msg="Unsupported state requested: %s" % state)
|
|
|
|
|
|
|
|
|
|
|
|
# create a lookup for all existing rules on the group
|
|
|
|
# create a lookup for all existing rules on the group
|
|
|
|
groupRules = {}
|
|
|
|
|
|
|
|
if group:
|
|
|
|
if group:
|
|
|
|
|
|
|
|
groupRules = {}
|
|
|
|
addRulesToLookup(group.rules, 'in', groupRules)
|
|
|
|
addRulesToLookup(group.rules, 'in', groupRules)
|
|
|
|
|
|
|
|
|
|
|
|
# Now, go through all the defined rules and ensure they are there.
|
|
|
|
# Now, go through all provided rules and ensure they are there.
|
|
|
|
if rules:
|
|
|
|
if rules:
|
|
|
|
for rule in rules:
|
|
|
|
for rule in rules:
|
|
|
|
group_id = None
|
|
|
|
group_id = None
|
|
|
|
ip = None
|
|
|
|
ip = None
|
|
|
|
if 'group_id' in rule and 'cidr_ip' in rule:
|
|
|
|
if 'group_id' in rule and 'cidr_ip' in rule:
|
|
|
|
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
|
|
|
|
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
|
|
|
|
elif 'group_id' in rule:
|
|
|
|
elif 'group_id' in rule:
|
|
|
|
group_id = rule['group_id']
|
|
|
|
group_id = rule['group_id']
|
|
|
|
elif 'cidr_ip' in rule:
|
|
|
|
elif 'cidr_ip' in rule:
|
|
|
|
ip = rule['cidr_ip']
|
|
|
|
ip = rule['cidr_ip']
|
|
|
|
|
|
|
|
|
|
|
|
if rule['proto'] == 'all':
|
|
|
|
|
|
|
|
rule['proto'] = -1
|
|
|
|
|
|
|
|
rule['from_port'] = None
|
|
|
|
|
|
|
|
rule['to_port'] = None
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
|
|
|
|
|
|
|
|
if ruleId in groupRules:
|
|
|
|
|
|
|
|
del groupRules[ruleId]
|
|
|
|
|
|
|
|
continue
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
grantGroup = None
|
|
|
|
|
|
|
|
if group_id:
|
|
|
|
|
|
|
|
grantGroup = groups[group_id]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if not module.check_mode:
|
|
|
|
if rule['proto'] == 'all':
|
|
|
|
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
|
|
|
|
rule['proto'] = -1
|
|
|
|
changed = True
|
|
|
|
rule['from_port'] = None
|
|
|
|
|
|
|
|
rule['to_port'] = None
|
|
|
|
|
|
|
|
|
|
|
|
# Finally, remove anything left in the groupRules -- these will be defunct rules
|
|
|
|
# If rule already exists, don't later delete it
|
|
|
|
for rule in groupRules.itervalues():
|
|
|
|
ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
|
|
|
|
for grant in rule.grants:
|
|
|
|
if ruleId in groupRules:
|
|
|
|
grantGroup = None
|
|
|
|
del groupRules[ruleId]
|
|
|
|
if grant.group_id:
|
|
|
|
# Otherwise, add new rule
|
|
|
|
grantGroup = groups[grant.group_id]
|
|
|
|
else:
|
|
|
|
if not module.check_mode:
|
|
|
|
grantGroup = None
|
|
|
|
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
|
|
|
|
if group_id:
|
|
|
|
changed = True
|
|
|
|
grantGroup = groups[group_id]
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
if not module.check_mode:
|
|
|
|
|
|
|
|
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
|
|
|
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# Finally, remove anything left in the groupRules -- these will be defunct rules
|
|
|
|
|
|
|
|
for rule in groupRules.itervalues():
|
|
|
|
|
|
|
|
for grant in rule.grants:
|
|
|
|
|
|
|
|
grantGroup = None
|
|
|
|
|
|
|
|
if grant.group_id:
|
|
|
|
|
|
|
|
grantGroup = groups[grant.group_id]
|
|
|
|
|
|
|
|
if not module.check_mode:
|
|
|
|
|
|
|
|
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
|
|
|
|
|
|
|
|
changed = True
|
|
|
|
|
|
|
|
|
|
|
|
if not group:
|
|
|
|
if group:
|
|
|
|
|
|
|
|
module.exit_json(changed=changed, group_id=group.id)
|
|
|
|
|
|
|
|
else:
|
|
|
|
module.exit_json(changed=changed, group_id=None)
|
|
|
|
module.exit_json(changed=changed, group_id=None)
|
|
|
|
module.exit_json(changed=changed, group_id=group.id)
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
|
# this is magic, see lib/ansible/module_common.py
|
|
|
|
# this is magic, see lib/ansible/module_common.py
|
|
|
|
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
|
|
|
|
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
|
|
|
|