Adds support for purge_rules. Similar to how ec2_elb_lb does with zones

Mike Buzzetti 2014-05-28 14:19:29 -04:00 committed by Michael DeHaan
parent d0205b2878
commit bc1ad708dd


@ -45,6 +45,20 @@ options:
default: 'present' default: 'present'
choices: [ "present", "absent" ] choices: [ "present", "absent" ]
aliases: [] aliases: []
purge_rules:
version_added: "1.7"
description:
- Purge existing rules on security group that are not found in rules
required: false
default: 'true'
aliases: []
purge_rules_egress:
version_added: "1.7"
description:
- Purge existing rules_egree on security group that are not found in rules_egress
required: false
default: 'true'
aliases: []
extends_documentation_fragment: aws extends_documentation_fragment: aws
@ -164,6 +178,9 @@ def main():
rules=dict(), rules=dict(),
rules_egress=dict(), rules_egress=dict(),
state = dict(default='present', choices=['present', 'absent']), state = dict(default='present', choices=['present', 'absent']),
purge_rules=dict(default=True, required=False, type='bool'),
purge_rules_egress=dict(default=True, required=False, type='bool'),
) )
) )
module = AnsibleModule( module = AnsibleModule(
@ -177,6 +194,8 @@ def main():
rules = module.params['rules'] rules = module.params['rules']
rules_egress = module.params['rules_egress'] rules_egress = module.params['rules_egress']
state = module.params.get('state') state = module.params.get('state')
purge_rules = module.params['purge_rules']
purge_rules_egress = module.params['purge_rules_egress']
changed = False changed = False
@ -274,14 +293,15 @@ def main():
changed = True changed = True
# Finally, remove anything left in the groupRules -- these will be defunct rules # Finally, remove anything left in the groupRules -- these will be defunct rules
for rule in groupRules.itervalues(): if purge_rules:
for grant in rule.grants: for rule in groupRules.itervalues() :
grantGroup = None for grant in rule.grants:
if grant.group_id: grantGroup = None
grantGroup = groups[grant.group_id] if grant.group_id:
if not module.check_mode: grantGroup = groups[grant.group_id]
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup) if not module.check_mode:
changed = True group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
changed = True
# Manage egress rules # Manage egress rules
groupRules = {} groupRules = {}
@ -338,20 +358,21 @@ def main():
del groupRules[default_egress_rule] del groupRules[default_egress_rule]
# Finally, remove anything left in the groupRules -- these will be defunct rules # Finally, remove anything left in the groupRules -- these will be defunct rules
for rule in groupRules.itervalues(): if purge_rules_egress:
for grant in rule.grants: for rule in groupRules.itervalues():
grantGroup = None for grant in rule.grants:
if grant.group_id: grantGroup = None
grantGroup = groups[grant.group_id].id if grant.group_id:
if not module.check_mode: grantGroup = groups[grant.group_id].id
ec2.revoke_security_group_egress( if not module.check_mode:
group_id=group.id, ec2.revoke_security_group_egress(
ip_protocol=rule.ip_protocol, group_id=group.id,
from_port=rule.from_port, ip_protocol=rule.ip_protocol,
to_port=rule.to_port, from_port=rule.from_port,
src_group_id=grantGroup, to_port=rule.to_port,
cidr_ip=grant.cidr_ip) src_group_id=grantGroup,
changed = True cidr_ip=grant.cidr_ip)
changed = True
if group: if group:
module.exit_json(changed=changed, group_id=group.id) module.exit_json(changed=changed, group_id=group.id)
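Review bot: The `purge_rules_egress` description in the first hunk has a typo, `rules_egree`, and both new option descriptions should say what happens when purging is disabled, since the default is to purge: rules present on the group but absent from `rules`/`rules_egress` (including ones added outside this module) are left in place, so a user who sets `purge_rules: false` should expect that drift to persist. A suggested wording is `- Purge existing egress rules on the security group that are not found in rules_egress. When false, undeclared egress rules are left in place.`, with the same form for `purge_rules`. The documented `default: 'true'` is a string while the argument spec declares `default=True, type='bool'`; using `default: true` in the docs would match the spec (if the rest of this file documents booleans as quoted strings, keep whichever style it already uses). In the ingress purge loop, `for rule in groupRules.itervalues() :` carries a stray space before the colon that the egress loop does not. main() starts outside the hunks.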