From ee06f57f0dc6f02ce590176a0d3d6c479930aa1d Mon Sep 17 00:00:00 2001
From: Sloane Hertel
Date: Thu, 29 Mar 2018 16:16:01 -0400
Subject: [PATCH] [ec2_vpc_nacl] revert suboptions for ingress and egress module parameters (#38071)
---
 .../modules/cloud/amazon/ec2_vpc_nacl.py | 92 +++++--------------
 1 file changed, 23 insertions(+), 69 deletions(-)
diff --git a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
index d1f551de30e..d8fad3ec275 100644
--- a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
@@ -43,49 +43,23 @@ options:
 required: false
 egress:
 description:
- - A list of rules for outgoing traffic. Each rule must be specified as a list. See examples.
- suboptions:
- rule_number:
- description: an integer from 1 to 32766
- required: true
- protocol:
- description: the protocol for the rule
- required: true
- choices: ['tcp', 'udp', 'icmp', '-1', 'all']
- cidr_ipv4:
- description: The CIDR of the IPv4 network range to allow or deny
- required: true
- icmp_type:
- description: An integer, the ICMP type if the protocol is icmp. A value of -1 means all types.
- icmp_code:
- description: An integer, the ICMP code if the protocol is icmp. A value of -1 means all codes.
- from_port:
- description: An integer, the last port in the range for TCP or UDP protocols.
- to_port:
- description: An integer, the first port in the range for TCP or UDP protocols.
+ - A list of rules for outgoing traffic. Each rule must be specified as a list.
+ Each rule may contain the rule number (integer 1-32766), protocol (one of ['tcp', 'udp', 'icmp', '-1', 'all']),
+ the rule action ('allow' or 'deny') the CIDR of the IPv4 network range to allow or deny,
+ the ICMP type (-1 means all types), the ICMP code (-1 means all codes), the last port in the range for
+ TCP or UDP protocols, and the first port in the range for TCP or UDP protocols.
+ See examples.
+ default: []
 required: false
 ingress:
 description:
- - List of rules for incoming traffic. Each rule must be specified as a list. See examples.
- suboptions:
- rule_number:
- description: an integer from 1 to 32766
- required: true
- protocol:
- description: the protocol for the rule
- required: true
- choices: ['tcp', 'udp', 'icmp', '-1', 'all']
- cidr_ipv4:
- description: The CIDR of the IPv4 network range to allow or deny
- required: true
- icmp_type:
- description: An integer, the ICMP type if the protocol is icmp. A value of -1 means all types.
- icmp_code:
- description: An integer, the ICMP code if the protocol is icmp. A value of -1 means all codes.
- from_port:
- description: An integer, the last port in the range for TCP or UDP protocols.
- to_port:
- description: An integer, the first port in the range for TCP or UDP protocols.
+ - List of rules for incoming traffic. Each rule must be specified as a list.
+ Each rule may contain the rule number (integer 1-32766), protocol (one of ['tcp', 'udp', 'icmp', '-1', 'all']),
+ the rule action ('allow' or 'deny') the CIDR of the IPv4 network range to allow or deny,
+ the ICMP type (-1 means all types), the ICMP code (-1 means all codes), the last port in the range for
+ TCP or UDP protocols, and the first port in the range for TCP or UDP protocols.
+ See examples.
+ default: []
 required: false
 tags:
 description:
@@ -119,16 +93,14 @@ EXAMPLES = '''
 CostCode: CC1234
 Project: phoenix
 Description: production DMZ
- ingress: [
+ ingress:
 # rule no, protocol, allow/deny, cidr, icmp_type, icmp_code,
 # port from, port to
- [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22],
- [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80],
- [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8],
- ]
- egress: [
- [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
- ]
+ - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]
+ - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80]
+ - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]
+ egress:
+ - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
 state: 'present'
 - name: "Remove the ingress and egress rules - defaults to deny all"
@@ -199,7 +171,7 @@ PROTOCOL_NUMBERS = {'all': -1, 'icmp': 1, 'tcp': 6, 'udp': 17,
 }
 # Utility methods
 def icmp_present(entry):
- if entry[1] == 'icmp' or entry[1] == 1:
+ if len(entry) == 6 and entry[1] == 'icmp' or entry[1] == 1:
 return True
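Review bot: The rewritten `egress` and `ingress` descriptions name the ports as "the last port in the range for TCP or UDP protocols, and the first port in the range", in that order, while the EXAMPLES comment labels the same positions `port from, port to`; from_port being documented as the last port looks swapped, and the rewrite carries that over from the removed suboptions instead of fixing it. A comma is also missing after `('allow' or 'deny')`, which makes the rule action and the CIDR read as one item. Suggested wording for both options: `the rule action ('allow' or 'deny'), the CIDR of the IPv4 network range to allow or deny, the ICMP type (-1 means all types), the ICMP code (-1 means all codes), and the first and last port in the range for TCP or UDP protocols.`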
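Review bot: The column comment above the rules lists eight positions, but the ICMP example `[300, 'icmp', 'allow', '0.0.0.0/0', 0, 8]` has six, and the example does not say whether the two port fields are simply omitted for ICMP or the rule is a different shape. Since icmp_present() in this same patch keys on `len(entry) == 6`, the shape is load-bearing and deserves a comment next to the ICMP rule, for example `# icmp rules have six fields: rule no, protocol, allow/deny, cidr, icmp_type, icmp_code`.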
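Review bot: `if len(entry) == 6 and entry[1] == 'icmp' or entry[1] == 1:` parses as `(len(entry) == 6 and entry[1] == 'icmp') or entry[1] == 1`, because `and` binds tighter than `or`, so a rule whose protocol is the integer 1 is treated as ICMP at any length while a `'icmp'` rule that is not exactly six items long is not. If the intent is "a six-field rule whose protocol is ICMP", the condition should be `if len(entry) == 6 and entry[1] in ('icmp', 1):`. A rule misclassified here would presumably have its remaining fields read as the wrong kind (ports versus ICMP type/code), so the resulting network ACL entry would not be the one the operator wrote; worth a test with both spellings of the protocol. The rest of icmp_present is outside this hunk.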
@@ -574,24 +546,6 @@ def subnets_to_associate(nacl, client, module):
 def main():
- rule_list_options = {
- 'required': False,
- 'type': 'list',
- 'elements': 'list',
- 'options': {
- 'rule_number': dict(required=True, type='int'),
- 'protocol': dict(required=True, choices=['tcp', 'udp', 'icmp', '-1', 'all']),
- 'rule_action': dict(required=True, choices=['allow', 'deny']),
- 'ipv4_cidr': dict(required=True),
- 'icmp_type': dict(type='int'),
- 'icmp_code': dict(type='int'),
- 'from_port': dict(type='int'),
- 'to_port': dict(type='int')
- },
- 'required_together': [('from_port', 'to_port'),
- ('icmp_type', 'icmp_code')],
- 'mutually_exclusive': [('icmp_type', 'from_port')]
- }
 argument_spec = ec2_argument_spec()
 argument_spec.update(dict(
 vpc_id=dict(),
@@ -599,8 +553,8 @@ def main():
 nacl_id=dict(),
 subnets=dict(required=False, type='list', default=list()),
 tags=dict(required=False, type='dict'),
- ingress=rule_list_options,
- egress=rule_list_options,
+ ingress=dict(required=False, type='list', default=list()),
+ egress=dict(required=False, type='list', default=list()),
 state=dict(default='present', choices=['present', 'absent']),
 ),
 )
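Review bot: With `ingress=dict(required=False, type='list', default=list())` and the same for `egress`, the argument spec no longer checks anything about the rule contents: the protocol and action choices, the required fields, and the from_port/to_port pairing that the removed `rule_list_options` enforced are gone, and the module now depends on positional indexing of whatever list the playbook supplies. A rule with a missing or misspelled field would then fail deep in the AWS call path, or be sent with a different meaning than intended, rather than being rejected with a clear message at parse time. Since the revert is deliberate, a small explicit check after the module object is created (which is outside this hunk) keeps the early failure without reintroducing the suboptions; the helper below is a sketch, and the accepted protocol spellings should be confirmed against how the module maps them.
```python
def validate_rules(module, rules, param_name):
    """Fail early with a clear message when a positional rule list is malformed.

    Expects the shapes the EXAMPLES use: six fields for icmp rules, eight otherwise.
    """
    for rule in rules:
        if not isinstance(rule, list) or len(rule) not in (6, 8):
            module.fail_json(msg="%s rule %r must be a list of 6 (icmp) or 8 items" % (param_name, rule))
        if rule[2] not in ('allow', 'deny'):
            module.fail_json(msg="%s rule %r: action must be 'allow' or 'deny'" % (param_name, rule))

# … unchanged: argument_spec construction, AnsibleModule creation …
# after the module object exists:
#     validate_rules(module, module.params['ingress'], 'ingress')
#     validate_rules(module, module.params['egress'], 'egress')
```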