Merge branch 'aws-ec2-egress-rules' of git://github.com/mmoya/ansible into devel
This commit is contained in:
commit
53ee1ea27c
1 changed files with 132 additions and 23 deletions
|
@ -24,8 +24,12 @@ options:
|
|||
required: false
|
||||
rules:
|
||||
description:
|
||||
- List of firewall rules to enforce in this group (see example).
|
||||
required: true
|
||||
- List of firewall inbound rules to enforce in this group (see example).
|
||||
required: false
|
||||
rules_egress:
|
||||
description:
|
||||
- List of firewall outbound rules to enforce in this group (see example).
|
||||
required: false
|
||||
region:
|
||||
description:
|
||||
- the EC2 region to use
|
||||
|
@ -81,6 +85,11 @@ options:
|
|||
version_added: "1.6"
|
||||
|
||||
requirements: [ "boto" ]
|
||||
|
||||
notes:
|
||||
- If a rule declares a group_name and that group doesn't exist, it will be
|
||||
automatically created. In that case, group_desc should be provided as well.
|
||||
The module will refuse to create a depended-on group without a description.
|
||||
'''
|
||||
|
||||
EXAMPLES = '''
|
||||
|
@ -113,6 +122,13 @@ EXAMPLES = '''
|
|||
- proto: all
|
||||
# the containing group name may be specified here
|
||||
group_name: example
|
||||
rules_egress:
|
||||
- proto: tcp
|
||||
from_port: 80
|
||||
to_port: 80
|
||||
group_name: example-other
|
||||
# description to use if example-other needs to be created
|
||||
group_desc: other example EC2 group
|
||||
'''
|
||||
|
||||
try:
|
||||
|
@ -128,6 +144,55 @@ def addRulesToLookup(rules, prefix, dict):
|
|||
dict["%s-%s-%s-%s-%s-%s" % (prefix, rule.ip_protocol, rule.from_port, rule.to_port,
|
||||
grant.group_id, grant.cidr_ip)] = rule
|
||||
|
||||
|
||||
def get_target_from_rule(rule, name, groups):
|
||||
"""
|
||||
Returns tuple of (group_id, ip) after validating rule params.
|
||||
|
||||
rule: Dict describing a rule.
|
||||
name: Name of the security group being managed.
|
||||
groups: Dict of all available security groups.
|
||||
|
||||
AWS accepts an ip range or a security group as target of a rule. This
|
||||
function validate the rule specification and return either a non-None
|
||||
group_id or a non-None ip range.
|
||||
"""
|
||||
|
||||
group_id = None
|
||||
group_name = None
|
||||
ip = None
|
||||
target_group_created = False
|
||||
if 'group_id' in rule and 'cidr_ip' in rule:
|
||||
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
|
||||
elif 'group_name' in rule and 'cidr_ip' in rule:
|
||||
module.fail_json(msg="Specify group_name OR cidr_ip, not both")
|
||||
elif 'group_id' in rule and 'group_name' in rule:
|
||||
module.fail_json(msg="Specify group_id OR group_name, not both")
|
||||
elif 'group_id' in rule:
|
||||
group_id = rule['group_id']
|
||||
elif 'group_name' in rule:
|
||||
group_name = rule['group_name']
|
||||
if group_name in groups:
|
||||
group_id = groups[group_name].id
|
||||
elif group_name == name:
|
||||
group_id = group.id
|
||||
groups[group_id] = group
|
||||
groups[group_name] = group
|
||||
else:
|
||||
if not rule.get('group_desc', '').strip():
|
||||
module.fail_json(msg="group %s will be automatically created by rule %s and no description was provided" % (group_name, rule))
|
||||
if not module.check_mode:
|
||||
auto_group = ec2.create_security_group(group_name, rule['group_desc'], vpc_id=vpc_id)
|
||||
group_id = auto_group.id
|
||||
groups[group_id] = auto_group
|
||||
groups[group_name] = auto_group
|
||||
target_group_created = True
|
||||
elif 'cidr_ip' in rule:
|
||||
ip = rule['cidr_ip']
|
||||
|
||||
return group_id, ip, target_group_created
|
||||
|
||||
|
||||
def main():
|
||||
argument_spec = ec2_argument_spec()
|
||||
argument_spec.update(dict(
|
||||
|
@ -135,6 +200,7 @@ def main():
|
|||
description=dict(required=True),
|
||||
vpc_id=dict(),
|
||||
rules=dict(),
|
||||
rules_egress=dict(),
|
||||
state = dict(default='present', choices=['present', 'absent']),
|
||||
)
|
||||
)
|
||||
|
@ -147,6 +213,7 @@ def main():
|
|||
description = module.params['description']
|
||||
vpc_id = module.params['vpc_id']
|
||||
rules = module.params['rules']
|
||||
rules_egress = module.params['rules_egress']
|
||||
state = module.params.get('state')
|
||||
|
||||
changed = False
|
||||
|
@ -197,39 +264,29 @@ def main():
|
|||
'''no match found, create it'''
|
||||
if not module.check_mode:
|
||||
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
|
||||
|
||||
# When a group is created, an egress_rule ALLOW ALL
|
||||
# to 0.0.0.0/0 is added automatically but it's not
|
||||
# reflected in the object returned by the AWS API
|
||||
# call. We re-read the group for getting an updated object
|
||||
group = ec2.get_all_security_groups(group_ids=(group.id,))[0]
|
||||
changed = True
|
||||
else:
|
||||
module.fail_json(msg="Unsupported state requested: %s" % state)
|
||||
|
||||
# create a lookup for all existing rules on the group
|
||||
if group:
|
||||
|
||||
# Manage ingress rules
|
||||
groupRules = {}
|
||||
addRulesToLookup(group.rules, 'in', groupRules)
|
||||
|
||||
# Now, go through all provided rules and ensure they are there.
|
||||
if rules:
|
||||
for rule in rules:
|
||||
group_id = None
|
||||
group_name = None
|
||||
ip = None
|
||||
if 'group_id' in rule and 'cidr_ip' in rule:
|
||||
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
|
||||
elif 'group_name' in rule and 'cidr_ip' in rule:
|
||||
module.fail_json(msg="Specify group_name OR cidr_ip, not both")
|
||||
elif 'group_id' in rule and 'group_name' in rule:
|
||||
module.fail_json(msg="Specify group_id OR group_name, not both")
|
||||
elif 'group_id' in rule:
|
||||
group_id = rule['group_id']
|
||||
elif 'group_name' in rule:
|
||||
group_name = rule['group_name']
|
||||
if group_name in groups:
|
||||
group_id = groups[group_name].id
|
||||
elif group_name == name:
|
||||
group_id = group.id
|
||||
groups[group_id] = group
|
||||
groups[group_name] = group
|
||||
elif 'cidr_ip' in rule:
|
||||
ip = rule['cidr_ip']
|
||||
group_id, ip, target_group_created = get_target_from_rule(rule, name, groups)
|
||||
if target_group_created:
|
||||
changed = True
|
||||
|
||||
if rule['proto'] == 'all':
|
||||
rule['proto'] = -1
|
||||
|
@ -260,6 +317,58 @@ def main():
|
|||
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
|
||||
changed = True
|
||||
|
||||
# Manage egress rules
|
||||
groupRules = {}
|
||||
addRulesToLookup(group.rules_egress, 'out', groupRules)
|
||||
|
||||
# Now, go through all provided rules and ensure they are there.
|
||||
if rules_egress:
|
||||
for rule in rules_egress:
|
||||
group_id, ip, target_group_created = get_target_from_rule(rule, name, groups)
|
||||
if target_group_created:
|
||||
changed = True
|
||||
|
||||
if rule['proto'] == 'all':
|
||||
rule['proto'] = -1
|
||||
rule['from_port'] = None
|
||||
rule['to_port'] = None
|
||||
|
||||
# If rule already exists, don't later delete it
|
||||
ruleId = "%s-%s-%s-%s-%s-%s" % ('out', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
|
||||
if ruleId in groupRules:
|
||||
del groupRules[ruleId]
|
||||
# Otherwise, add new rule
|
||||
else:
|
||||
grantGroup = None
|
||||
if group_id:
|
||||
grantGroup = groups[group_id].id
|
||||
|
||||
if not module.check_mode:
|
||||
ec2.authorize_security_group_egress(
|
||||
group_id=group.id,
|
||||
ip_protocol=rule['proto'],
|
||||
from_port=rule['from_port'],
|
||||
to_port=rule['to_port'],
|
||||
src_group_id=grantGroup,
|
||||
cidr_ip=ip)
|
||||
changed = True
|
||||
|
||||
# Finally, remove anything left in the groupRules -- these will be defunct rules
|
||||
for rule in groupRules.itervalues():
|
||||
for grant in rule.grants:
|
||||
grantGroup = None
|
||||
if grant.group_id:
|
||||
grantGroup = groups[grant.group_id].id
|
||||
if not module.check_mode:
|
||||
ec2.revoke_security_group_egress(
|
||||
group_id=group.id,
|
||||
ip_protocol=rule.ip_protocol,
|
||||
from_port=rule.from_port,
|
||||
to_port=rule.to_port,
|
||||
src_group_id=grantGroup,
|
||||
cidr_ip=grant.cidr_ip)
|
||||
changed = True
|
||||
|
||||
if group:
|
||||
module.exit_json(changed=changed, group_id=group.id)
|
||||
else:
|
||||
|
|
Loading…
Reference in a new issue