Add module to control EC2 security groups
This commit is contained in:
parent
39b0122d37
commit
fad1ba7998
1 changed files with 226 additions and 0 deletions
226
cloud/ec2_group
Normal file
226
cloud/ec2_group
Normal file
|
@ -0,0 +1,226 @@
|
||||||
|
#!/usr/bin/python
|
||||||
|
# -*- coding: utf-8 -*-
|
||||||
|
|
||||||
|
|
||||||
|
DOCUMENTATION = '''
|
||||||
|
---
|
||||||
|
module: ec2_group
|
||||||
|
short_description: maintain an ec2 VPC security group.
|
||||||
|
description:
|
||||||
|
- maintains ec2 security groups. This module has a dependency on python-boto >= 2.5
|
||||||
|
options:
|
||||||
|
name:
|
||||||
|
description:
|
||||||
|
- Name of the security group.
|
||||||
|
required: true
|
||||||
|
description:
|
||||||
|
description:
|
||||||
|
- Description of the security group.
|
||||||
|
required: true
|
||||||
|
vpc_id:
|
||||||
|
description:
|
||||||
|
- ID of the VPC to create the group in.
|
||||||
|
required: true
|
||||||
|
rules:
|
||||||
|
description:
|
||||||
|
- List of firewall rules to enforce in this group (see example).
|
||||||
|
required: true
|
||||||
|
region:
|
||||||
|
description:
|
||||||
|
- the EC2 region to use
|
||||||
|
required: false
|
||||||
|
default: null
|
||||||
|
aliases: []
|
||||||
|
ec2_url:
|
||||||
|
description:
|
||||||
|
- Url to use to connect to EC2 or your Eucalyptus cloud (by default the module will use EC2 endpoints)
|
||||||
|
required: false
|
||||||
|
default: null
|
||||||
|
aliases: []
|
||||||
|
ec2_secret_key:
|
||||||
|
description:
|
||||||
|
- EC2 secret key
|
||||||
|
required: false
|
||||||
|
default: null
|
||||||
|
aliases: []
|
||||||
|
ec2_access_key:
|
||||||
|
description:
|
||||||
|
- EC2 access key
|
||||||
|
required: false
|
||||||
|
default: null
|
||||||
|
aliases: []
|
||||||
|
requirements: [ "boto" ]
|
||||||
|
'''
|
||||||
|
|
||||||
|
EXAMPLES = '''
|
||||||
|
- name: example ec2 group
|
||||||
|
local_action:
|
||||||
|
module: ec2_group
|
||||||
|
name: example
|
||||||
|
description: an example EC2 group
|
||||||
|
vpc_id: 12345
|
||||||
|
region: eu-west-1a
|
||||||
|
ec2_secret_key: SECRET
|
||||||
|
ec2_access_key: ACCESS
|
||||||
|
rules:
|
||||||
|
- proto: tcp
|
||||||
|
from_port: 80
|
||||||
|
to_port: 80
|
||||||
|
cidr_ip: 0.0.0.0/0
|
||||||
|
- proto: tcp
|
||||||
|
from_port: 22
|
||||||
|
to_port: 22
|
||||||
|
cidr_ip: 10.0.0.0/8
|
||||||
|
- proto: udp
|
||||||
|
from_port: 10050
|
||||||
|
to_port: 10050
|
||||||
|
cidr_ip: 10.0.0.0/8
|
||||||
|
- proto: udp
|
||||||
|
from_port: 10051
|
||||||
|
to_port: 10051
|
||||||
|
group_id: abcdef
|
||||||
|
'''
|
||||||
|
|
||||||
|
try:
|
||||||
|
import boto.ec2
|
||||||
|
except ImportError:
|
||||||
|
print "failed=True msg='boto required for this module'"
|
||||||
|
sys.exit(1)
|
||||||
|
|
||||||
|
|
||||||
|
def addRulesToLookup(rules, prefix, dict):
|
||||||
|
for rule in rules:
|
||||||
|
for grant in rule.grants:
|
||||||
|
dict["%s-%s-%s-%s-%s-%s" % (prefix, rule.ip_protocol, rule.from_port, rule.to_port,
|
||||||
|
grant.group_id, grant.cidr_ip)] = rule
|
||||||
|
|
||||||
|
def main():
|
||||||
|
module = AnsibleModule(
|
||||||
|
argument_spec=dict(
|
||||||
|
name=dict(required=True),
|
||||||
|
description=dict(required=True),
|
||||||
|
vpc_id=dict(),
|
||||||
|
rules=dict(),
|
||||||
|
ec2_url=dict(aliases=['EC2_URL']),
|
||||||
|
ec2_secret_key=dict(aliases=['EC2_SECRET_KEY'], no_log=True),
|
||||||
|
ec2_access_key=dict(aliases=['EC2_ACCESS_KEY']),
|
||||||
|
region=dict(choices=['eu-west-1', 'sa-east-1', 'us-east-1', 'ap-northeast-1', 'us-west-2', 'us-west-1', 'ap-southeast-1', 'ap-southeast-2']),
|
||||||
|
),
|
||||||
|
supports_check_mode=True,
|
||||||
|
)
|
||||||
|
name = module.params['name']
|
||||||
|
description = module.params['description']
|
||||||
|
vpc_id = module.params['vpc_id']
|
||||||
|
rules = module.params['rules']
|
||||||
|
ec2_url = module.params.get('ec2_url')
|
||||||
|
ec2_secret_key = module.params.get('ec2_secret_key')
|
||||||
|
ec2_access_key = module.params.get('ec2_access_key')
|
||||||
|
region = module.params.get('region')
|
||||||
|
|
||||||
|
changed = False
|
||||||
|
|
||||||
|
# allow eucarc environment variables to be used if ansible vars aren't set
|
||||||
|
if not ec2_url and 'EC2_URL' in os.environ:
|
||||||
|
ec2_url = os.environ['EC2_URL']
|
||||||
|
if not ec2_secret_key and 'EC2_SECRET_KEY' in os.environ:
|
||||||
|
ec2_secret_key = os.environ['EC2_SECRET_KEY']
|
||||||
|
if not ec2_access_key and 'EC2_ACCESS_KEY' in os.environ:
|
||||||
|
ec2_access_key = os.environ['EC2_ACCESS_KEY']
|
||||||
|
|
||||||
|
# If we have a region specified, connect to its endpoint.
|
||||||
|
if region:
|
||||||
|
try:
|
||||||
|
ec2 = boto.ec2.connect_to_region(region, aws_access_key_id=ec2_access_key, aws_secret_access_key=ec2_secret_key)
|
||||||
|
except boto.exception.NoAuthHandlerFound, e:
|
||||||
|
module.fail_json(msg=str(e))
|
||||||
|
# Otherwise, no region so we fallback to the old connection method
|
||||||
|
else:
|
||||||
|
try:
|
||||||
|
if ec2_url: # if we have an URL set, connect to the specified endpoint
|
||||||
|
ec2 = boto.connect_ec2_endpoint(ec2_url, ec2_access_key, ec2_secret_key)
|
||||||
|
else: # otherwise it's Amazon.
|
||||||
|
ec2 = boto.connect_ec2(ec2_access_key, ec2_secret_key)
|
||||||
|
except boto.exception.NoAuthHandlerFound, e:
|
||||||
|
module.fail_json(msg=str(e))
|
||||||
|
|
||||||
|
# find the group if present
|
||||||
|
group = None
|
||||||
|
groups = {}
|
||||||
|
for curGroup in ec2.get_all_security_groups():
|
||||||
|
groups[curGroup.id] = curGroup
|
||||||
|
|
||||||
|
if curGroup.name == name and curGroup.vpc_id == vpc_id:
|
||||||
|
group = curGroup
|
||||||
|
|
||||||
|
# if found, check the group parameters are correct
|
||||||
|
if group:
|
||||||
|
group_in_use = False
|
||||||
|
rs = ec2.get_all_instances()
|
||||||
|
for r in rs:
|
||||||
|
for i in r.instances:
|
||||||
|
group_in_use |= reduce(lambda x, y: x | (y.name == 'public-ssh'), i.groups, False)
|
||||||
|
|
||||||
|
if group.description != description:
|
||||||
|
if group_in_use:
|
||||||
|
module.fail_json(msg="Group description does not match, but it is in use so cannot be changed.")
|
||||||
|
group.delete()
|
||||||
|
group = None
|
||||||
|
|
||||||
|
# if the group doesn't exist, create it now
|
||||||
|
if not group:
|
||||||
|
if not module.check_mode:
|
||||||
|
group = ec2.create_security_group(name, description, vpc_id=vpc_id)
|
||||||
|
changed = True
|
||||||
|
|
||||||
|
# create a lookup for all existing rules on the group
|
||||||
|
groupRules = {}
|
||||||
|
if group:
|
||||||
|
addRulesToLookup(group.rules, 'in', groupRules)
|
||||||
|
|
||||||
|
# Now, go through all the defined rules and ensure they are there.
|
||||||
|
if rules:
|
||||||
|
for rule in rules:
|
||||||
|
group_id = None
|
||||||
|
ip = None
|
||||||
|
if 'group_id' in rule and 'cidr_ip' in rule:
|
||||||
|
module.fail_json(msg="Specify group_id OR cidr_ip, not both")
|
||||||
|
elif 'group_id' in rule:
|
||||||
|
group_id = rule['group_id']
|
||||||
|
elif 'cidr_ip' in rule:
|
||||||
|
ip = rule['cidr_ip']
|
||||||
|
|
||||||
|
if rule['proto'] == 'all':
|
||||||
|
rule['proto'] = -1
|
||||||
|
rule['from_port'] = None
|
||||||
|
rule['to_port'] = None
|
||||||
|
|
||||||
|
ruleId = "%s-%s-%s-%s-%s-%s" % ('in', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
|
||||||
|
if ruleId in groupRules:
|
||||||
|
del groupRules[ruleId]
|
||||||
|
continue
|
||||||
|
|
||||||
|
grantGroup = None
|
||||||
|
if group_id:
|
||||||
|
grantGroup = groups[group_id]
|
||||||
|
|
||||||
|
if not module.check_mode:
|
||||||
|
group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
|
||||||
|
changed = True
|
||||||
|
|
||||||
|
# Finally, remove anything left in the groupRules -- these will be defunct rules
|
||||||
|
for rule in groupRules.itervalues():
|
||||||
|
for grant in rule.grants:
|
||||||
|
grantGroup = None
|
||||||
|
if grant.group_id:
|
||||||
|
grantGroup = groups[grant.group_id]
|
||||||
|
if not module.check_mode:
|
||||||
|
group.revoke(rule.ip_protocol, rule.from_port, rule.to_port, grant.cidr_ip, grantGroup)
|
||||||
|
changed = True
|
||||||
|
|
||||||
|
if not group:
|
||||||
|
module.exit_json(changed=changed, group_id=None)
|
||||||
|
module.exit_json(changed=changed, group_id=group.id)
|
||||||
|
|
||||||
|
# this is magic, see lib/ansible/module_common.py
|
||||||
|
#<<INCLUDE_ANSIBLE_MODULE_COMMON>>
|
||||||
|
main()
|
Loading…
Reference in a new issue