Add security group info and example to AWS guide (#55783)

* expand documentation on how to use lookup plugin aws_service_ip_ranges with ec2_group module

* fix rst syntax error
pull/55819/head
Alicia Cozine 6 years ago committed by GitHub
parent cef536fd51
commit bb5059f2c7
No known key found for this signature in database
GPG Key ID: 4AEE18F83AFDEB23

@ -132,6 +132,37 @@ With the host group now created, a second play at the bottom of the same provisi
- name: Check NTP service - name: Check NTP service
service: name=ntpd state=started service: name=ntpd state=started
.. _aws_security_groups:
Security Groups
```````````````
Security groups on AWS are stateful. The response of a request from your instance is allowed to flow in regardless of inbound security group rules and vice-versa.
In case you only want allow traffic with AWS S3 service, you need to fetch the current IP ranges of AWS S3 for one region and apply them as an egress rule.::
- name: fetch raw ip ranges for aws s3
set_fact:
raw_s3_ranges: "{{ lookup('aws_service_ip_ranges', region='eu-central-1', service='S3', wantlist=True) }}"
- name: prepare list structure for ec2_group module
set_fact:
s3_ranges: "{{ s3_ranges | default([]) + [{'proto': 'all', 'cidr_ip': item, 'rule_desc': 'S3 Service IP range'}] }}"
with_items: "{{ raw_s3_ranges }}"
- name: set S3 IP ranges to egress rules
ec2_group:
name: aws_s3_ip_ranges
description: allow outgoing traffic to aws S3 service
region: eu-central-1
state: present
vpc_id: vpc-123456
purge_rules: true
purge_rules_egress: true
rules: []
rules_egress: "{{ s3_ranges }}"
tags:
Name: aws_s3_ip_ranges
.. _aws_host_inventory: .. _aws_host_inventory:
Host Inventory Host Inventory

Loading…
Cancel
Save