# ============================================================ - name: create ingress and egress rules using subnet IDs ec2_vpc_nacl: vpc_id: "{{ vpc_id }}" name: "{{ resource_prefix }}-acl" subnets: "{{ subnet_ids }}" tags: Created_by: "Ansible test {{ resource_prefix }}" ingress: - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22] - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80] - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8] egress: - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null] state: 'present' register: nacl - set_fact: nacl_id: "{{ nacl.nacl_id }}" - name: assert the network acl was created assert: that: - nacl.changed - nacl.nacl_id.startswith('acl-') - name: get network ACL facts ec2_vpc_nacl_info: nacl_ids: - "{{ nacl_id }}" register: nacl_facts - name: assert the nacl has the correct attributes assert: that: - nacl_facts.nacls | length == 1 - nacl_facts.nacls[0].nacl_id == nacl_id - nacl_facts.nacls[0].subnets | length == 4 - nacl_facts.nacls[0].subnets | sort == subnet_ids | sort - nacl_facts.nacls[0].ingress | length == 3 - nacl_facts.nacls[0].egress | length == 1 - "'{{ nacl_facts.nacls[0].tags.Name }}' == '{{ resource_prefix }}-acl'" # ============================================================ - name: test idempotence ec2_vpc_nacl: vpc_id: "{{ vpc_id }}" name: "{{ resource_prefix }}-acl" subnets: "{{ subnet_ids }}" tags: Created_by: "Ansible test {{ resource_prefix }}" ingress: - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22] - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80] - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8] egress: - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null] state: 'present' register: nacl - name: assert the network acl already existed assert: that: - not nacl.changed - nacl.nacl_id == nacl_id - nacl.nacl_id.startswith('acl-') - name: get network ACL facts ec2_vpc_nacl_info: nacl_ids: - "{{ nacl.nacl_id }}" register: nacl_facts_idem - name: assert the facts are the same as before assert: that: - nacl_facts_idem == nacl_facts # ============================================================ - name: remove a subnet from the network ACL ec2_vpc_nacl: vpc_id: "{{ vpc_id }}" name: "{{ resource_prefix }}-acl" subnets: - "{{ subnet_ids[0] }}" - "{{ subnet_ids[1] }}" - "{{ subnet_ids[2] }}" tags: Created_by: "Ansible test {{ resource_prefix }}" ingress: - [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22] - [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80] - [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8] egress: - [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null] state: 'present' register: nacl - name: assert the network ACL changed assert: that: - nacl.changed - nacl.nacl_id.startswith('acl-') - nacl.nacl_id == nacl_id - name: get network ACL facts ec2_vpc_nacl_info: nacl_id: - "{{ nacl.nacl_id }}" register: nacl_facts - name: assert the nacl has the correct attributes assert: that: - nacl_facts.nacls | length == 1 - nacl_facts.nacls[0].nacl_id == nacl_id - nacl_facts.nacls[0].subnets | length == 3 - subnet_ids[3] not in nacl_facts.nacls[0].subnets - nacl_facts.nacls[0].ingress | length == 3 - nacl_facts.nacls[0].egress | length == 1 - "'{{ nacl_facts.nacls[0].tags.Name }}' == '{{ resource_prefix }}-acl'" # ============================================================ - name: remove the network ACL ec2_vpc_nacl: vpc_id: "{{ vpc_id }}" name: "{{ resource_prefix }}-acl" state: absent register: nacl until: nacl is success ignore_errors: yes retries: 5 delay: 5 - name: assert nacl was removed assert: that: - nacl.changed