84 Commits (819ba2259d0879c5ee6a2b8eccee19fe7bfaedff)

Author SHA1 Message Date
Mark Chappell 819ba2259d Sanity test fixups for AWS ec2 modules (#64230)
* ec2_ boilerplate

* Deprecate unused options.

* ec2_vol: Perform explicit type checking on volume_size and iops when parsing the args

Boto would throw a type exception if the string couldn't be converted to an int.

* ec2_lc_find: remove duplicate definition of region

It's defined in ec2_argument_spec and ec2 doc fragment

* ec2_lc_info: Move responsibility for type checking/conversion of sort_start and sort_end into arg parser

* General sanity test related doc fixups

* Remove EC2 related sanity/ignore.txt entries

* Add changelog fragment
6 years ago
robertchung caa5abdfc9 Fix TypeError in ec2_group.py for Python3 when sorting dictionary list (#59844)
* Fix TypeError in ec2_group.py for Python3 when sorting dictionary list

* Using json.loads() and dumps() to replace sorting

* Bug fixes for ec2_group.py

* Dictionaries cannot be compared/sorted in Python3

* Diff will occur when the IpPermissions have the same IpRanges but have different ordering

* 'before' will be sorted by 'Type' with higher priority than 'IP', but 'boto3.describe_security_groups()' function cannot get 'Type' from Amazon

* Add some basic diff mode testing to exercise the rule-sorting code
6 years ago
Jill R 4308b87d72 Don't truncate cidr_ipv6 addresses in ec2_group.py (#59106)
* Better cidr_ipv6 validation in ec2_group.py

* Improve warning/error handling, add changelog

* Update unit test for ipv6 validation

* Fix logic that was causing non /128 cidrs with host bits to not be handled
6 years ago
Robert Bridge 0d75e2659e GH-56902 Copy to new list from dict.items() return
dict.items() in python 2 returns a list of tuples which can be iterated
while modifying the dict. In python 3 it returns a view which is tied to
the underlying dict, meaning the modifications to the dict while
iterating are unsafe.

This commit generates a new list containing the tuples from the iterator
in python 3 which breaks the link to the dict, allowing the dict to be
modified while iterating the list.

In python 2 it would simply copy the list.

Fixes #56902
7 years ago
James E. King III a5f13dd361 ec2_group: docs: fix example for deletion by group ID (#55169)
requires the region for the example task to work
7 years ago
dgadmin 8de00e3e1c To ipv6 network (#48572)
* Add to_ipv6_subnet function

* Use the correct function for subnet

* Corrected code style and tests

* Corrected testcase assertion

64 bits make 8 octets, or 4 hextets

* Import from correct module directly
7 years ago
Hendy Chen a5a7c7cb80 [ec2_group] fix mutating rules which result in the warning message 'Ran out of time waiting for sg-xxx' (#53374) 7 years ago
Dag Wieers 05c6ff79f9 Convert to reduced list of known types (#50010) 7 years ago
Abhijeet Kasurde 9b732df436
E325 removal - Part I (#49136)
Remove E325 from Amazon modules

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
7 years ago
Sloane Hertel 54a2f21f93 Fix comparison of determining which rules to purge by ignoring descriptions (#48443)
AWS uses rule type, protocol, port range, and source as an idempotent identifier.
There can only be one rule with that unique combination. Rules that differ only by description are allowed but overwritten by AWS.
Add a test

Co-authored-by: Will Thames <will@thames.id.au>
7 years ago
Sloane Hertel 9efc3dc761
Fix ec2_group for EC2-Classic accounts (#46242)
* Fix ec2_group for EC2-Classic accounts

* changelog
7 years ago
Sloane Hertel 8d2df9be52 ec2_group - fix VPC precedence for security group targets (#45787)
Update the dictionary with the preferred values last to get the right order of VPC precedence

Fixes #45782
7 years ago
Sloane Hertel d7ca3f2bd3 ec2_group: fix regression for targets that are a list containing strings and lists (#45594)
* Fix targets that may be a list containing strings and lists which worked prior to 2.6.

* Add ec2_group integration tests for lists of nested targets

* changelog

* Add diff mode support for lists of targets containing strings and lists.
7 years ago
Ryan Brown 079299db4d
[aws] ec2_group multi-account and peered VPC bugfix (#45296)
* Add tests to replicate bug #44788 

* Handle when userId is same account due to in-account peering

* Module defaults for main.yml

* Turn off VPC peering tests in CI
7 years ago
Ryan Brown 20f21779d3
Fix ec2_group for numbered protocols (GRE) (#42765)
* Fix spurious `changed=True` when int is passed as tag

* Fix for all AWS module using compare_aws_tags

* Handle improperly stringified protocols and allow inconsistency between None/-1 on non-tcp protocols

* Add integration test that reproduces the same bug

* Return false if the comparison is not equal
7 years ago
Sloane Hertel 79ecb4c41f
Add diff mode for ec2_group (#44533)
* Add (preview) diff mode support ec2_group

* Add diff mode to some ec2_group integration tests

* Remove unnecessary arguments and add comment to the module notes

* Add changelog
7 years ago
Sloane Hertel 40d2df0ef3 Add AWS boto3 error code exception function is_boto3_error_code (#41202)
* Add aws/core.py function to check for specific AWS error codes

* Use sys.exc_info to get exception object if it isn't passed in

* Allow catching exceptions with is_boto3_error_code

* Replace from_code with is_boto3_error_code

* Return a type that will never be raised to support stricter type comparisons in Python 3+

* Use is_boto3_error_code in aws_eks_cluster

* Add duplicate-except to ignores when using is_boto3_error_code

* Add is_boto3_error_code to module development guideline docs
8 years ago
Ryan Brown 858a1b09bb EC2_group module refactor (formerly pr/37255) (#38678)
* Refactor ec2_group

Replace nested for loops with list comprehensions

Purge rules before adding new ones in case sg has maximum permitted rules

* Add check mode tests for ec2_group

* add tests

* Remove dead code

* Fix integration test assertions for old boto versions

* Add waiter for security group that is autocreated

* Add support for in-account group rules

* Add common util to get AWS account ID

Fixes #31383

* Fix protocol number and add separate tests for egress rule handling

* Return egress rule treatment to be backwards compatible

* Remove functions that were obsoleted by `Rule` namedtuple

* IP tests

* Move description updates to a function

* Fix string formatting missing index

* Add tests for auto-creation of the same group in quick succession

* Resolve use of brand-new group in a rule without a description

* Clean up duplicated get-security-group function

* Add reverse cleanup in case of dependency issues

* Add crossaccount ELB group support

* Deal with non-STS calls to account API

* Add filtering of owner IDs that match the current account
8 years ago
John R Barker 7c4b91844d
More validate module fixes (#39097)
* Fix type bool DOCUMENTATION issues
8 years ago
Will Thames 98b29f8ad6 [cloud]Ensure SGs in default VPCs get default egress rule (#38018)
SGs created when a VPC ID was not specified would not necessarily
get the default egress rule, even when no explicit egress rules
were set.

Add some checks for egress rules in results from existing tests
8 years ago
Julien Vey d212bcf1e7 ec2_group:documentation explicit a behaviour for sg rules (#36586) 8 years ago
Julien Vey a77b89e7b5 [cloud] ec2_group: fix check mode when using tags (#36503)
Fixes #36412
8 years ago
Will Thames 39af276639 Respect egress rule definitions when creating security groups in default VPC (#34626)
* Add test for unexpected egress rule in default VPC

When passing rules_egress to ec2_group, the default
egress rule shouldn't be created (if `purge_rules_egress`)
is set. Test this.

* Respect egress rule definitions for default VPC groups

When passing rules_egress and purge_rules_egress, the
default egress rule should not be created

Fixes #34429

* Change AWS credential passing to be YAML anchors

Vastly simplify the AWS tasks by reducing the credentials to a YAML
block
8 years ago
Sloane Hertel d877c146ab [cloud] ec2_group fix CIDR with host bits set - fixes #25403 (#29605)
* WIP adds network subnetting functions

* adds functions to convert between netmask and masklen
* adds functions to verify netmask and masklen
* adds function to determine network and subnet from address / mask pair

* network_common: add a function to get the first 48 bits in a IPv6 address.

ec2_group: only use network bits of a CIDR.

* Add tests for CIDRs with host bits set.

* ec2_group: add warning if CIDR isn't the networking address.

* Fix pep8.

* Improve wording.

* fix import for network utils

* Update tests to use pytest instead of unittest

* add test for to_ipv6_network()

* Fix PEP8
8 years ago
Matt Clay 9735a70059 Fix invalid string escape sequences. 8 years ago
Will Thames c93ddf5473 Move profile and region checking to module_utils.ec2 (#31921)
* Move profile and region checking to module_utils.ec2

Remove ProfileNotFound checking from individual modules

There are plenty of `if not region:` checks that could be removed,
once more thorough testing of this change has occurred

The ec2_asg, iam_managed_policy and ec2_vpc_subnet_facts modules
would also benefit from this change but as they do not have tests
and are marked stableinterface, they do not get this change.
8 years ago
Sloane Hertel 1dd55acbc2 ec2_group: add rule description support - fixes #29040 (#30273)
* ec2_group: add support for rule descriptions.

* Document rule description feature and add an example using it.

* Fix removing rule descriptions.

* Add integration tests to verify adding/modifying/removing rule descriptions works as expected.

* Add permissions to hacking/aws_config/testing_policies/ec2-policy.json for updating ingress and egress rule descriptions.

* ec2_group: add backwards compatibility with older versions of botocore for rule descriptions.

* Add compatibility with older version of botocore for ec2_group integration tests.

* ec2_group: move HAS_RULE_DESCRIPTION to be checked first.

* Make requested change

* Pass around a variable instead of client

* Make sure has_rule_description defaults to None

* Fail if rule_desc is in any ingress/egress rules and the botocore version < 1.7.2

* Remove unnecessary variable

* Fix indentation for changed=True when updating rule descriptions.

* minor refactor to remove duplicate code

* add missing parameter

* Fix pep8

* Update test policy.
8 years ago
Marek Nogacki b9223cdc89 ec2_group: do not fail on description mismatch (#31704) (#31734)
* ec2_group: do not fail on description mismatch (#31704)

* ec2_group: do not fail on description mismatch (#31704) - fix test case
8 years ago
Sloane Hertel 89d09bae21 [cloud] Fix ec2_group when security group lacks a VPC (#31526) 8 years ago
arnonki a48532de5f Use default values for object returned from aws to prevent TypeError (#31455)
* Use default values for object returned from aws to prevent TypeError
NoneType exception fixes #31454
8 years ago
Sloane Hertel 4bc4abfe1b [cloud] ec2_group: Handle duplicate names between EC2 classic and VPC groups (#28931)
* ec2_group: Handle name conflict with empty vpc_id.

If several groups exist with the same name (and vpc_id is None) then
treat the group outside the vpc as preferred (same as it would for a vpc
group with vpc_id specified). Also don't run the egress rules code in
that case.

* Handle lack of `IpPermissionsEgress` attribute on EC2 classic groups

In EC2 classic groups, the `while True` loop checking for egress
permissions will continue infinitely.

* Handle incompatible combinations of EC2 Classic + VPC groups

* Fix integration tests in accounts lacking EC2 classic

This change checks against the security group created, instead of the
module parameters, for VPC ID. This means that new accounts with a
default VPC will still wait properly for the first egress rule to
populate.

* Fix conditional for storing described groups with preference for matching VPC IDs

* Revert `vpc_id is None` on conditional to allow for default VPCs
8 years ago
s-hertel 0ac4a82f3b ec2_group: unnest variable assignment. Fixes #29113. 8 years ago
Ryan Brown d02bea75d3 Move selected AWS modules from community/certified to core support (#28617) 8 years ago
Sloane Hertel cef40cb54a [cloud] ec2_group: Allow rule source to be a security group in a peered VPC. (#28876) 8 years ago
Brandon Davidson 2ceff476bf [cloud] support tags in ec2_group module (#22472)
* Add tags support to cloud/amazon/ec2_group

* Finish making ec2_group tag support boto3 compatible.

Add integration tests to validate that tags are working as expected.
8 years ago
Toshio Kuratomi f203ca7907 Update metadata to 1.1 8 years ago
Jordan Bach 24e393aef1 allow use of jinja2 variables for ec2_group from_port/to_port params (#27145) 8 years ago
Will Thames f972994662 [cloud] fix VPC behavior for ec2_group module, improve integration tests (#27038)
* Add tests for group in a VPC

* Improve ec2_group output and documentation

Update ec2_group to provide full security group information
Add RETURN documentation to match

* Fix ec2_group creation within a VPC

Ensure VPC ID gets passed when creating security group

* Add test for auto creating SG

* Fix ec2_group auto group creation

* Add backoff to describe_security_groups

Getting LimitExceeded from describe_security_groups is definitely
possible (source: me) so add backoff to increase likelihood of
success.

To ensure that all `describe_security_group` calls are backed off,
remove implicit ones that use `ec2.SecurityGroup`. From there,
the decision to remove the `ec2` boto3 resource and rely on the client
alone makes good sense.

* Tidy up auto created security group

Add resource_prefix to auto created security group and delete
it in the `always` section.
Use YAML argument form for all module parameters
8 years ago
Toshio Kuratomi 9f7b0dfc30 Remove automatic use of system six
* Enable the pylint no-name-in-module check.  Checks that identifiers in
  imports actually exist.  When we do this, we also have to ignore
  _MovedItems used in our bundled six.  This means pylint won't check
  for bad imports below ansible.module_utils.six.moves but that's
  something that pylint punts on with a system copy of six so this is
  still an improvement.
* Remove automatic use of system six.  The exec in the six code which
  tried to use a system library if available destroyed pylint's ability
  to check for imports of identifiers which did not exist (the
  no-name-in-module check).  That test is important enough that we
  should sacrifice the bundling detection in favour of the test.
  Distributions that want to unbundle six can replace the bundled six in
  ansible/module_utils/six/__init__.py to unbundle.  However, be aware
  that six is tricky to unbundle.  They may want to base their efforts
  off the code we were using:

  2fff690caa/lib/ansible/module_utils/six/__init__.py

* Update tests for new location of bundled six Several code-smell tests
  whitelist the bundled six library.  Update the path to the library so
  that they work.

* Also check for basestring in modules as the enabled pylint tests will
  also point out basestring usage for us.
9 years ago
sramakr b980a5c02a Use Boto3 for ec2_group Fixes #23507 (#25340)
* Use Boto3 for ec2_group

Currently boto doesn't support ipv6. To support ipv6 in ec2_group, we need boto3.
boto3 has significant API changes, which caused more re-factoring for ec2_group module.
Added additional integration test to test_ec2_group role.

* Follow the standard for boto3 ansible

Fixed imports. Use boto3 ansible exception with camel_dict_to_snake_dict.
Refactored the call to authorize/revoke  ingress and egress.

* Removed dependency with module ipaddress

Added new parameter called cidr_ipv6 for specifying
ipv6 addresses inline with how boto3 handles ipv6 addresses.

* Updated integration test

* Added ipv6 integration test for ec2_group

* Set purge_rules to false for integration test

* Fixed import statements

Added example for ipv6.
Removed defining HAS_BOTO3 variable and import HAS_BOTO3 from ec2.
Cleaned up import statements.

* Fixed exception handling

* Add IAM permissions for ec2_group tests

Missing AuthorizeSecurityGroupEgress necessary for latest tests

* Wrapped botocore import in try/except block

Import just botocore to be more similar to other modules
9 years ago
Todd Hertel e9447e9481 ec2_group fix TypeError bug #26291 9 years ago
mihu 6b76bc924f [cloud] New feature for ec2_group: allow deleting groups by id (#26022) 9 years ago
Abhijeet Kasurde b89cb95609 Fix spelling mistakes (comments only) (#25564)
Original Author : klemens <ka7@github.com>

Taking over previous PR as per
https://github.com/ansible/ansible/pull/23644#issuecomment-307334525

Signed-off-by: Abhijeet Kasurde <akasurde@redhat.com>
9 years ago
Sloane Hertel b04cf04f59 Prior to 2.4 only one source is permitted for ec2_group rules/rules_egress. 2.4 and after a list of sources is accepted. (#25165) 9 years ago
Sloane Hertel 822fcc566e [cloud] Stop ec2_group module from authorizing duplicate rules (#24528) 9 years ago
Bradley Phipps abf5d6e682 eu-west-1a is an availability zone, not a region. (#23557) 9 years ago
Matt Clay a6ca849643 Fix PEP 8 issues. 9 years ago
Brian Coca 2f3ca66fbf fixed version 9 years ago
anryko bd05c653fd ec2_group: add ports and multiple source lists (#19888). 9 years ago
Sloane Hertel 224b5d5283 remove vpc requirement for default outbound traffic (#22743) 9 years ago