ec2_vpc_nacl fails when the VPC is configured with IPv6 (#49979)

* Issue #41079. Failed to apply rule if there is a default IPv6 NACL

* Issue #41079. Failed to apply rule if there is a default IPv6 NACL

* Issue #41079. Failed to apply rule if there is a default IPv6 NACL

* Simplify logic to skip default deny-all rules

* Simplify logic to skip default deny-all rules

* Remove unnecessary tmp variables
Sebastien Rosset 2019-01-23 15:36:49 -08:00 committed by ansibot
parent a20d0d1afb
commit 1ec782900d


@ -154,17 +154,6 @@ from ansible.module_utils.basic import AnsibleModule
from ansible.module_utils.ec2 import boto3_conn, ec2_argument_spec, get_aws_connection_info from ansible.module_utils.ec2 import boto3_conn, ec2_argument_spec, get_aws_connection_info
# Common fields for the default rule that is contained within every VPC NACL.
DEFAULT_RULE_FIELDS = {
'RuleNumber': 32767,
'RuleAction': 'deny',
'CidrBlock': '0.0.0.0/0',
'Protocol': '-1'
}
DEFAULT_INGRESS = dict(list(DEFAULT_RULE_FIELDS.items()) + [('Egress', False)])
DEFAULT_EGRESS = dict(list(DEFAULT_RULE_FIELDS.items()) + [('Egress', True)])
# VPC-supported IANA protocol numbers # VPC-supported IANA protocol numbers
# http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml # http://www.iana.org/assignments/protocol-numbers/protocol-numbers.xhtml
PROTOCOL_NUMBERS = {'all': -1, 'icmp': 1, 'tcp': 6, 'udp': 17, } PROTOCOL_NUMBERS = {'all': -1, 'icmp': 1, 'tcp': 6, 'udp': 17, }
@ -236,10 +225,8 @@ def nacls_changed(nacl, client, module):
nacl_id = nacl['NetworkAcls'][0]['NetworkAclId'] nacl_id = nacl['NetworkAcls'][0]['NetworkAclId']
nacl = describe_network_acl(client, module) nacl = describe_network_acl(client, module)
entries = nacl['NetworkAcls'][0]['Entries'] entries = nacl['NetworkAcls'][0]['Entries']
tmp_egress = [entry for entry in entries if entry['Egress'] is True and DEFAULT_EGRESS != entry] egress = [rule for rule in entries if rule['Egress'] is True and rule['RuleNumber'] < 32767]
tmp_ingress = [entry for entry in entries if entry['Egress'] is False] ingress = [rule for rule in entries if rule['Egress'] is False and rule['RuleNumber'] < 32767]
egress = [rule for rule in tmp_egress if DEFAULT_EGRESS != rule]
ingress = [rule for rule in tmp_ingress if DEFAULT_INGRESS != rule]
if rules_changed(egress, params['egress'], True, nacl_id, client, module): if rules_changed(egress, params['egress'], True, nacl_id, client, module):
changed = True changed = True
if rules_changed(ingress, params['ingress'], False, nacl_id, client, module): if rules_changed(ingress, params['ingress'], False, nacl_id, client, module):
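Review bot: The literal 32767 in the two comprehensions that replace tmp_egress/tmp_ingress is unexplained now that DEFAULT_RULE_FIELDS and its comment were dropped in the first hunk, so a reader can no longer see why both the IPv4 and the IPv6 default entries are being skipped. A short comment above the egress line would keep that rationale in the code: `# AWS reserves rule number 32767 for the implicit deny-all entries (the IPv6 one included when the VPC has an IPv6 block), so anything below it is user-managed`. Hoisting the value into a module-level constant such as `DEFAULT_RULE_NUMBER = 32767` and using it in both comprehensions would also avoid the duplicated magic value, and would make it obvious that drift detection intentionally ignores entries at or above that number. nacls_changed begins and ends outside this hunk.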