Merge pull request #4338 from jlaska/ec2_group_idempotency

Add idempotency support to ec2_group
reviewable/pr18780/r1
Michael DeHaan 11 years ago
commit a42d45872b

@ -49,6 +49,14 @@ options:
required: false required: false
default: null default: null
aliases: [] aliases: []
state:
version_added: "1.4"
description:
- create or delete security group
required: false
default: 'present'
aliases: []
requirements: [ "boto" ] requirements: [ "boto" ]
''' '''
@ -105,6 +113,7 @@ def main():
ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True), ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']), ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']), region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
state = dict(default='present', choices=['present', 'absent']),
), ),
supports_check_mode=True, supports_check_mode=True,
) )
@ -116,6 +125,7 @@ def main():
ec2_secret_key = module.params.get('ec2_secret_key') ec2_secret_key = module.params.get('ec2_secret_key')
ec2_access_key = module.params.get('ec2_access_key') ec2_access_key = module.params.get('ec2_access_key')
region = module.params.get('region') region = module.params.get('region')
state = module.params.get('state')
changed = False changed = False
@ -152,74 +162,94 @@ def main():
if curGroup.name == name and curGroup.vpc_id == vpc_id: if curGroup.name == name and curGroup.vpc_id == vpc_id:
group = curGroup group = curGroup
# if found, check the group parameters are correct # Ensure requested group is absent
if group: if state == 'absent':
group_in_use = False if group:
rs = ec2.get_all_instances() '''found a match, delete it'''
for r in rs: try:
for i in r.instances: group.delete()
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False) except Exception, e:
module.fail_json(msg="Unable to delete security group '%s' - %s" % (group, e))
if group.description != description: else:
if group_in_use: group = None
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.") changed = True
group.delete() else:
group = None '''no match found, no changes required'''
# if the group doesn't exist, create it now # Ensure requested group is present
if not group: elif state == 'present':
if not module.check_mode: if group:
group = ec2.create_security_group(name, description, vpc_id=vpc_id) '''existing group found'''
changed = True # check the group parameters are correct
group_in_use = False
rs = ec2.get_all_instances()
for r in rs:
for i in r.instances:
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
if group.description != description:
if group_in_use:
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
# if the group doesn't exist, create it now
else:
'''no match found, create it'''
if not module.check_mode:
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
changed = True
else:
module.fail_json(msg="Unsupported state requested: %s" % state)
# create a lookup for all existing rules on the group # create a lookup for all existing rules on the group
groupRules = {}
if group: if group:
groupRules = {}
addRulesToLookup(group.rules, 'in', groupRules) addRulesToLookup(group.rules, 'in', groupRules)
# Now, go through all the defined rules and ensure they are there. # Now, go through all provided rules and ensure they are there.
if rules: if rules:
for rule in rules: for rule in rules:
group_id = None group_id = None
ip = None ip = None
if 'group_id' in rule and 'cidr_ip' in rule: if 'group_id' in rule and 'cidr_ip' in rule:
module.fail_json(msg="Specify group_id OR cidr_ip, not both") module.fail_json(msg="Specify group_id OR cidr_ip, not both")
elif 'group_id' in rule: elif 'group_id' in rule:
group_id = rule['group_id'] group_id = rule['group_id']
elif 'cidr_ip' in rule: elif 'cidr_ip' in rule:
ip = rule['cidr_ip'] ip = rule['cidr_ip']
if rule['proto'] == 'all':
rule['proto'] = -1
rule['from_port'] = None
rule['to_port'] = None
ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
if ruleId in groupRules:
del groupRules[ruleId]
continue
grantGroup = None
if group_id:
grantGroup = groups[group_id]
if not module.check_mode: if rule['proto'] == 'all':
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup) rule['proto'] = -1
changed = True rule['from_port'] = None
rule['to_port'] = None
# Finally, remove anything left in the groupRules -- these will be defunct rules # If rule already exists, don't later delete it
for rule in groupRules.itervalues(): ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
for grant in rule.grants: if ruleId in groupRules:
grantGroup = None del groupRules[ruleId]
if grant.group_id: # Otherwise, add new rule
grantGroup = groups[grant.group_id] else:
if not module.check_mode: grantGroup = None
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup) if group_id:
changed = True grantGroup = groups[group_id]
if not module.check_mode:
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
changed = True
# Finally, remove anything left in the groupRules -- these will be defunct rules
for rule in groupRules.itervalues():
for grant in rule.grants:
grantGroup = None
if grant.group_id:
grantGroup = groups[grant.group_id]
if not module.check_mode:
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
changed = True
if not group: if group:
module.exit_json(changed=changed, group_id=group.id)
else:
module.exit_json(changed=changed, group_id=None) module.exit_json(changed=changed, group_id=None)
module.exit_json(changed=changed, group_id=group.id)
# this is magic, see lib/ansible/module_common.py # this is magic, see lib/ansible/module_common.py
#<<INCLUDE_ANSIBLE_MODULE_COMMON>> #<<INCLUDE_ANSIBLE_MODULE_COMMON>>

Loading…
Cancel
Save