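---
# Integration tests for ec2_group egress handling: the implicit "allow all"
# default egress rule, the purge_rules_egress switch, check/diff mode, and
# cleanup of the test group in an `always:` section.
- block:
    - name: set up aws connection info
      set_fact:
        # Anchor merged into every ec2_group task below via
        # `<<: *aws_connection_info`. The merge is resolved when the YAML is
        # parsed, so the credentials become part of each task's arguments;
        # `no_log` on this task covers this set_fact only, not those tasks
        # (NOTE(review): masking there depends on the module's argument spec,
        # confirm for the ec2_group version in use).
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: true

    # A new group gets a single default egress rule (0.0.0.0/0) and no ingress.
    - name: Create a group with only the default rule
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        state: present
      register: result

    - name: assert default rule is in place (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # Re-running with purge disabled must be a no-op.
    - name: Create a group with only the default rule (again, no egress purge)
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # An explicit empty rule list without purging still keeps the default rule.
    - name: Pass empty egress rules without purging, should leave default rule in place
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: false
        rules_egress: []
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # Empty rule list with purging removes the default rule too, leaving the
    # group with no egress at all.
    - name: Purge rules, including the default
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: true
        rules_egress: []
        state: present
      register: result

    # Task name matches what is asserted: the purge is expected to change the group.
    - name: assert default rule is purged (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 0

    - name: Add a custom egress rule
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: '1.2.1.2/32'
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1

    # With purge disabled the second rule is added alongside the first.
    - name: Add a second custom egress rule
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 2323
            cidr_ip: '2.3.2.3/32'
        state: present
      register: result

    - name: assert the first rule is not purged
      assert:
        that:
          - result.ip_permissions_egress|length == 2

    # Check mode must report the change and show the post-purge state in the
    # diff without touching the group.
    - name: Purge the second rule (CHECK MODE) (DIFF MODE)
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: '1.2.1.2/32'
        state: present
      register: result
      check_mode: true
      diff: true

    - name: assert first rule will be left
      assert:
        that:
          - result is changed
          - result.diff.0.after.ip_permissions_egress|length == 1
          - result.diff.0.after.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'

    # Default purge_rules_egress drops any egress rule not listed here.
    - name: Purge the second rule
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: '1.2.1.2/32'
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'

    # Port range is passed as a string ("0-65535"), not as a number.
    - name: add a rule for all TCP ports
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports: "0-65535"
            cidr_ip: '0.0.0.0/0'
        state: present
      register: result

    # proto -1 is the "all protocols" rule that a fresh group starts with.
    - name: Re-add the default rule
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: -1
            cidr_ip: '0.0.0.0/0'
        state: present
      register: result

  always:
    # Best-effort cleanup so a failed assertion does not leak the test group;
    # errors are ignored deliberately so the cleanup never masks the real failure.
    - name: tidy up egress rule test security group
      ec2_group:
        <<: *aws_connection_info
        name: '{{ec2_group_name}}-egress-tests'
        state: absent
        vpc_id: '{{ vpc_result.vpc.id }}'
      ignore_errors: true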