diff --git a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
index ef8a1f436e2..d1f551de30e 100644
--- a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl.py
@@ -43,13 +43,49 @@ options:
required: false
egress:
description:
- - A list of rules for outgoing traffic.
- - Each rule must be specified as a list.
+ - A list of rules for outgoing traffic. Each rule must be specified as a list. See examples.
+ suboptions:
+ rule_number:
+ description: an integer from 1 to 32766
+ required: true
+ protocol:
+ description: the protocol for the rule
+ required: true
+ choices: ['tcp', 'udp', 'icmp', '-1', 'all']
+ cidr_ipv4:
+ description: The CIDR of the IPv4 network range to allow or deny
+ required: true
+ icmp_type:
+ description: An integer, the ICMP type if the protocol is icmp. A value of -1 means all types.
+ icmp_code:
+ description: An integer, the ICMP code if the protocol is icmp. A value of -1 means all codes.
+ from_port:
+ description: An integer, the last port in the range for TCP or UDP protocols.
+ to_port:
+ description: An integer, the first port in the range for TCP or UDP protocols.
required: false
ingress:
description:
- - List of rules for incoming traffic.
- - Each rule must be specified as a list.
+ - List of rules for incoming traffic. Each rule must be specified as a list. See examples.
+ suboptions:
+ rule_number:
+ description: an integer from 1 to 32766
+ required: true
+ protocol:
+ description: the protocol for the rule
+ required: true
+ choices: ['tcp', 'udp', 'icmp', '-1', 'all']
+ cidr_ipv4:
+ description: The CIDR of the IPv4 network range to allow or deny
+ required: true
+ icmp_type:
+ description: An integer, the ICMP type if the protocol is icmp. A value of -1 means all types.
+ icmp_code:
+ description: An integer, the ICMP code if the protocol is icmp. A value of -1 means all codes.
+ from_port:
+ description: An integer, the last port in the range for TCP or UDP protocols.
+ to_port:
+ description: An integer, the first port in the range for TCP or UDP protocols.
required: false
tags:
description:
@@ -163,7 +199,7 @@ PROTOCOL_NUMBERS = {'all': -1, 'icmp': 1, 'tcp': 6, 'udp': 17, }
# Utility methods
def icmp_present(entry):
- if len(entry) == 6 and entry[1] == 'icmp' or entry[1] == 1:
+ if entry[1] == 'icmp' or entry[1] == 1:
return True
@@ -538,6 +574,24 @@ def subnets_to_associate(nacl, client, module):
def main():
+ rule_list_options = {
+ 'required': False,
+ 'type': 'list',
+ 'elements': 'list',
+ 'options': {
+ 'rule_number': dict(required=True, type='int'),
+ 'protocol': dict(required=True, choices=['tcp', 'udp', 'icmp', '-1', 'all']),
+ 'rule_action': dict(required=True, choices=['allow', 'deny']),
+ 'ipv4_cidr': dict(required=True),
+ 'icmp_type': dict(type='int'),
+ 'icmp_code': dict(type='int'),
+ 'from_port': dict(type='int'),
+ 'to_port': dict(type='int')
+ },
+ 'required_together': [('from_port', 'to_port'),
+ ('icmp_type', 'icmp_code')],
+ 'mutually_exclusive': [('icmp_type', 'from_port')]
+ }
argument_spec = ec2_argument_spec()
argument_spec.update(dict(
vpc_id=dict(),
@@ -545,8 +599,8 @@ def main():
nacl_id=dict(),
subnets=dict(required=False, type='list', default=list()),
tags=dict(required=False, type='dict'),
- ingress=dict(required=False, type='list', default=list()),
- egress=dict(required=False, type='list', default=list(),),
+ ingress=rule_list_options,
+ egress=rule_list_options,
state=dict(default='present', choices=['present', 'absent']),
),
)