From 1ec782900da1049f62f409f1b2d883999bbd7aeb Mon Sep 17 00:00:00 2001
From: Sebastien Rosset
Date: Wed, 23 Jan 2019 15:36:49 -0800
Subject: [PATCH] ec2_vpc_nacl fails when the VPC is configured with IPv6 (#49979)

* Issue #41079. Failed to apply rule if there is a default IPv6 NACL
* Issue #41079. Failed to apply rule if there is a default IPv6 NACL
* Issue #41079. Failed to apply rule if there is a default IPv6 NACL
* Simplify logic to skip default deny-all rules
* Simplify logic to skip default deny-all rules
* Remove unnecessary tmp variables
---
 .../modules/cloud/amazon/ec2_vpc_nacl.py | 17 ++---------------
 1 file changed, 2 insertions(+), 15 deletions(-)

diff --git a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
index 9a142257aa8..37ce065e5f0 100644
--- a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
@@ -154,17 +154,6 @@
 from ansible.module_utils.basic import AnsibleModule
 from ansible.module_utils.ec2 import boto3_conn, ec2_argument_spec, get_aws_connection_info
 
-# Common fields for the default rule that is contained within every VPC NACL.
-DEFAULT_RULE_FIELDS = {
-    'RuleNumber': 32767,
-    'RuleAction': 'deny',
-    'CidrBlock': '0.0.0.0/0',
-    'Protocol': '-1'
-}
-
-DEFAULT_INGRESS = dict(list(DEFAULT_RULE_FIELDS.items()) + [('Egress', False)])
-DEFAULT_EGRESS = dict(list(DEFAULT_RULE_FIELDS.items()) + [('Egress', True)])
-
 # VPC-supported IANA protocol numbers
 # http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
 PROTOCOL_NUMBERS = {'all': -1, 'icmp': 1, 'tcp': 6, 'udp': 17, }
@@ -236,10 +225,8 @@ def nacls_changed(nacl, client, module):
     nacl_id = nacl['NetworkAcls'][0]['NetworkAclId']
     nacl = describe_network_acl(client, module)
     entries = nacl['NetworkAcls'][0]['Entries']
-    tmp_egress = [entry for entry in entries if entry['Egress'] is True and DEFAULT_EGRESS != entry]
-    tmp_ingress = [entry for entry in entries if entry['Egress'] is False]
-    egress = [rule for rule in tmp_egress if DEFAULT_EGRESS != rule]
-    ingress = [rule for rule in tmp_ingress if DEFAULT_INGRESS != rule]
+    egress = [rule for rule in entries if rule['Egress'] is True and rule['RuleNumber'] < 32767]
+    ingress = [rule for rule in entries if rule['Egress'] is False and rule['RuleNumber'] < 32767]
     if rules_changed(egress, params['egress'], True, nacl_id, client, module):
         changed = True
     if rules_changed(ingress, params['ingress'], False, nacl_id, client, module):
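Review bot: The reserved rule number 32767 now appears as a bare literal on both added comprehension lines, and the deleted DEFAULT_RULE_FIELDS block took its explanatory comment with it, so nothing left in the file says why entries at that number are skipped. A single module-level constant, `DEFAULT_RULE_NUMBER = 32767  # reserved by AWS for the implicit deny-all entries (IPv4 and IPv6)`, used as `rule['RuleNumber'] < DEFAULT_RULE_NUMBER` on both lines, documents the intent and keeps the egress and ingress filters from drifting apart. The change itself looks sound: filtering by rule number instead of full-dict equality is what lets the IPv6 default entry be ignored as well, since it presumably carries Ipv6CidrBlock rather than CidrBlock and so never matched the old DEFAULT_EGRESS/DEFAULT_INGRESS dicts (inferred from the AWS API, not visible in the hunk). nacls_changed begins at the hunk header and its body continues past the last line shown.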