Fixes issue 697 -- only purge the grants that need to be purged

2015-01-24 00:52:37 -05:00 · 2015-01-24 00:52:37 -05:00 · 01c4ff922f
commit 01c4ff922f
parent 1ff9c64b30
1 changed files with 21 additions and 23 deletions
--- a/cloud/amazon/ec2_group.py
+++ b/cloud/amazon/ec2_group.py
@ -128,7 +128,7 @@ def make_rule_key(prefix, rule, group_id, cidr_ip):
 def addRulesToLookup(rules, prefix, dict):
    for rule in rules:
        for grant in rule.grants:
-            dict[make_rule_key(prefix, rule, grant.group_id, grant.cidr_ip)] = rule
+            dict[make_rule_key(prefix, rule, grant.group_id, grant.cidr_ip)] = (rule, grant)
 def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id):
@ -304,14 +304,13 @@ def main():
        # Finally, remove anything left in the groupRules -- these will be defunct rules
        if purge_rules:
-            for rule in groupRules.itervalues() :
+            for (rule, grant) in groupRules.itervalues() :
-                for grant in rule.grants:
+                grantGroup = None
-                    grantGroup = None
+                if grant.group_id:
-                    if grant.group_id:
+                    grantGroup = groups[grant.group_id]
-                        grantGroup = groups[grant.group_id]
+                if not module.check_mode:
-                    if not module.check_mode:
+                    group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
-                        group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
+                changed = True
                    changed = True
        # Manage egress rules
        groupRules = {}
@ -369,20 +368,19 @@ def main():
        # Finally, remove anything left in the groupRules -- these will be defunct rules
        if purge_rules_egress:
-            for rule in groupRules.itervalues():
+            for (rule, grant) in groupRules.itervalues():
-                for grant in rule.grants:
+                grantGroup = None
-                    grantGroup = None
+                if grant.group_id:
-                    if grant.group_id:
+                    grantGroup = groups[grant.group_id].id
-                        grantGroup = groups[grant.group_id].id
+                if not module.check_mode:
-                    if not module.check_mode:
+                    ec2.revoke_security_group_egress(
-                        ec2.revoke_security_group_egress(
+                            group_id=group.id,
-                                group_id=group.id,
+                            ip_protocol=rule.ip_protocol,
-                                ip_protocol=rule.ip_protocol,
+                            from_port=rule.from_port,
-                                from_port=rule.from_port,
+                            to_port=rule.to_port,
-                                to_port=rule.to_port,
+                            src_group_id=grantGroup,
-                                src_group_id=grantGroup,
+                            cidr_ip=grant.cidr_ip)
-                                cidr_ip=grant.cidr_ip)
+                changed = True
                    changed = True
    if group:
        module.exit_json(changed=changed, group_id=group.id)