Fixes issue 697 -- only purge the grants that need to be purged

This commit is contained in:
Joel Thompson 2015-01-24 00:52:37 -05:00
parent 1ff9c64b30
commit 01c4ff922f


@ -128,7 +128,7 @@ def make_rule_key(prefix, rule, group_id, cidr_ip):
def addRulesToLookup(rules, prefix, dict): def addRulesToLookup(rules, prefix, dict):
for rule in rules: for rule in rules:
for grant in rule.grants: for grant in rule.grants:
dict[make_rule_key(prefix, rule, grant.group_id, grant.cidr_ip)] = rule dict[make_rule_key(prefix, rule, grant.group_id, grant.cidr_ip)] = (rule, grant)
def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id): def get_target_from_rule(module, ec2, rule, name, group, groups, vpc_id):
@ -304,14 +304,13 @@ def main():
# Finally, remove anything left in the groupRules -- these will be defunct rules # Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules: if purge_rules:
for rule in groupRules.itervalues() : for (rule, grant) in groupRules.itervalues() :
for grant in rule.grants: grantGroup = None
grantGroup = None if grant.group_id:
if grant.group_id: grantGroup = groups[grant.group_id]
grantGroup = groups[grant.group_id] if not module.check_mode:
if not module.check_mode: group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup) changed = True
changed = True
# Manage egress rules # Manage egress rules
groupRules = {} groupRules = {}
@ -369,20 +368,19 @@ def main():
# Finally, remove anything left in the groupRules -- these will be defunct rules # Finally, remove anything left in the groupRules -- these will be defunct rules
if purge_rules_egress: if purge_rules_egress:
for rule in groupRules.itervalues(): for (rule, grant) in groupRules.itervalues():
for grant in rule.grants: grantGroup = None
grantGroup = None if grant.group_id:
if grant.group_id: grantGroup = groups[grant.group_id].id
grantGroup = groups[grant.group_id].id if not module.check_mode:
if not module.check_mode: ec2.revoke_security_group_egress(
ec2.revoke_security_group_egress( group_id=group.id,
group_id=group.id, ip_protocol=rule.ip_protocol,
ip_protocol=rule.ip_protocol, from_port=rule.from_port,
from_port=rule.from_port, to_port=rule.to_port,
to_port=rule.to_port, src_group_id=grantGroup,
src_group_id=grantGroup, cidr_ip=grant.cidr_ip)
cidr_ip=grant.cidr_ip) changed = True
changed = True
if group: if group:
module.exit_json(changed=changed, group_id=group.id) module.exit_json(changed=changed, group_id=group.id)
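Review bot: Both purge loops still index `groups[grant.group_id]` unguarded, so a defunct grant whose source group is not in `groups` (for example a group owned by another account, if `groups` is built only from this account's listing — not visible here) raises KeyError and aborts the module part-way through the purge, leaving the security group in a half-revoked state with no `changed` reported; the new `(rule, grant)` pairs make this a per-grant failure rather than a per-rule one but do not address it. I would fail explicitly before the revoke: `if grant.group_id not in groups:` / `    module.fail_json(msg="Cannot revoke rule: source group %s is not a known group" % grant.group_id)` ahead of the `grantGroup = groups[grant.group_id]` line, in both the ingress and egress loops. The ingress loop passes the group object while the egress loop passes `.id`; presumably that matches the two boto calls, but a one-line comment on each would stop the next reader from "fixing" the asymmetry. The lookup change in addRulesToLookup also deserves a comment such as `# value is (rule, grant) so purge revokes only the defunct grant, not every grant on its rule`, since other readers of groupRules (outside these hunks) must now expect a tuple. main() starts and ends outside the hunk.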