Upon a second run, the default egress rule will be removed when a
vpc is specified but no other egress rules were set. This patch
corrects that behavior by removing the default egress rule from the
list of unmatched outbound rules.
Fixes#7309
Created common module doc fragment, and applied to all
modules that use ec2_connect or connect_to_aws as
they definitely share the common doc fragments
When a group is created, an egress_rule ALLOW ALL to 0.0.0.0/0 is added
automatically but it's not reflected in the object returned by the AWS API
call. After creation we re-read the group for getting an updated object.
Suppose a pair of groups, A and B, depending on each other. One solution
for breaking the circular dependency at playbook level:
- declare group A without dependencies
- declare group B depending on A
- declare group A depending on B
This patch breaks the dependency at module level. Whenever a depended-on
group is missing it's first created. This approach requires only two tasks:
- declare group A depending on B (group B will be auto created)
- declare group B depending on A
When creating a group EC2 requires you to pass the group description. In
order to fullfil this, rules now accept the `group_desc` param. Note
that group description can't be changed once the group is created so
it's nice to keep descriptions in sync.
Concrete example:
- ec2_group:
name: mysql-client
description: MySQL Client
rules_egress:
- proto: tcp
from_port: 3306
to_port: 3306
group_name: mysql-server
group_desc: MySQL Server
- ec2_group:
name: mysql-server
description: MySQL Server
rules:
- proto: tcp
from_port: 3306
to_port: 3306
group_name: mysql-client
Allow security tokens and profiles to be used as arguments
to the 'common' ec2 modules
Mostly refactoring to provide two new methods,
`get_aws_connection_info`, which results in a dict that can be
passed through to the boto `connect_to_region` calls, and
`connect_to_aws` that can pass that dict through to the
`connect_to_region` method of the appropriate module.
Tidied up some variable names
Works around boto/boto#2100
profiles don't work with boto < 2.24, but this detects for that
and fails with an appropriate message. It is designed to work
if profile is not passed but boto < 2.24 is installed.
Modifications to allow empty aws auth variables to be passed
(this is useful if wanting to have the keys as an optional
parameter in ec2 calls - if set, use this value, if not set,
use boto config or env variables)
Reworked validate_certs improvements to work with refactoring
Added documentation for profile and security_token to affected modules
When disabled, the boto connection will be instantiated without validating
the SSL certificate from the target endpoint. This allows the modules to connect
to Eucalyptus instances running with self-signed certs without errors.
Fixes#3978
Refactor the currently well-factored ec2 modules (i.e. those that already use ec2_connect) to
have a common argument spec. The idea is that new modules can use this spec without duplication
of code, and that new functionality can be added to the ec2 connection code (e.g. security
token argument)
James Cammarata