Commit graph

24 commits

Author SHA1 Message Date
Jill R
ee413fe414 Allow updating of ec2_group rules with EC2 classic ELB targets (#62374)
* Allow updating of ec2_group rules with EC2 classic ELB targets

Fix regression introduced in #45296 with EC2 Classic SGs

Fixes: #57247

Also add (unsupported) ec2 classic test suite with test case for this scenario

* move ec2 classic tests to conditional within ec2_group target

* clean up ec2_classic tests

* ec2_classic account can't run most ec2_group tests
2019-11-26 11:29:03 -05:00
robertchung
caa5abdfc9 Fix TypeError in ec2_group.py for Python3 when sorting dictionary list (#59844)
* Fix TypeError in ec2_group.py for Python3 when sorting dictionary list

* Using json.loads() and dumps() to replace sorting

* Bug fixes for ec2_group.py

* Dictionaries cannot be compared/sorted in Python3

* Diff will occur when the IpPermissions have the same IpRanges but have different ordering

* 'before' will be sorted by 'Type' with high priority than 'IP', but 'boto3.describe_security_groups()' function cannot get 'Type' from Amazon

* Add some basic diff mode testing to exercise the rule-sorting code
2019-08-28 16:28:42 -07:00
Sloane Hertel
54a2f21f93 Fix comparison of determining which rules to purge by ignoring descriptions (#48443)
AWS uses rule type, protocol, port range, and source as an idempotent identifier.
There can only be one rule with that unique combination. Rules that differ only by description are allowed but overwritten by AWS.
Add a test

Co-authored-by: Will Thames <will@thames.id.au>
2018-11-21 08:04:10 +10:00
Sloane Hertel
d7ca3f2bd3 ec2_group: fix regression for targets that are a list containing strings and lists (#45594)
* Fix targets that may be a list containing strings and lists which worked prior to 2.6.

* Add ec2_group integration tests for lists of nested targets

* changelog

* Add diff mode support for lists of targets containing strings and lists.
2018-09-17 14:31:41 -04:00
Ryan Brown
079299db4d
[aws] ec2_group multi-account and peered VPC bugfix (#45296)
* Add tests to replicate bug #44788 

* Handle when userId is same account due to in-account peering

* Module defaults for main.yml

* Turn off VPC peering tests in CI
2018-09-06 15:06:03 -04:00
Ryan Brown
20f21779d3
Fix ec2_group for numbered protocols (GRE) (#42765)
* Fix spurious `changed=True` when int is passed as tag

* Fix for all AWS module using compare_aws_tags

* Handle improperly stringified protocols and allow inconsistency between None/-1 on non-tcp protocols

* Add integration test that reproduces the same bug

* Return false if the comparsison is not equal
2018-09-05 13:34:26 -04:00
Sloane Hertel
79ecb4c41f
Add diff mode for ec2_group (#44533)
* Add (preview) diff mode support ec2_group

* Add diff mode to some ec2_group integration tests

* Remove unnecessary arguments and add comment to the module notes

* Add changelog
2018-08-23 19:43:18 -04:00
Ryan Brown
858a1b09bb EC2_group module refactor (formerly pr/37255) (#38678)
* Refactor ec2_group

Replace nested for loops with list comprehensions

Purge rules before adding new ones in case sg has maximum permitted rules

* Add check mode tests for ec2_group

* add tests

* Remove dead code

* Fix integration test assertions for old boto versions

* Add waiter for security group that is autocreated

* Add support for in-account group rules

* Add common util to get AWS account ID

Fixes #31383

* Fix protocol number and add separate tests for egress rule handling

* Return egress rule treatment to be backwards compatible

* Remove functions that were obsoleted by `Rule` namedtuple

* IP tests

* Move description updates to a function

* Fix string formatting missing index

* Add tests for auto-creation of the same group in quick succession

* Resolve use of brand-new group in a rule without a description

* Clean up duplicated get-security-group function

* Add reverse cleanup in case of dependency issues

* Add crossaccount ELB group support

* Deal with non-STS calls to account API

* Add filtering of owner IDs that match the current account
2018-05-24 11:53:21 -04:00
Will Thames
98b29f8ad6 [cloud]Ensure SGs in default VPCs get default egress rule (#38018)
SGs created when a VPC ID was not specified would not necessarily
get the default egress rule, even when no explicit egress rules
were set.

Add some checks for egress rules in results from existing tests
2018-03-28 12:53:35 -04:00
Kim Blomqvist
63639abb01 [cloud] Improve ipv6 and EC2 classic support in ec2_group integration tests (#32976)
* ec2_group: fix ipv6 tests to use an explicit VPC

* otherwise would fail on old AWS accounts supporting EC2-classic

* ec2_group: fix tests to use an explicit VPC

* Only run some tests if there is a default vpc associated with the account
2018-01-31 08:00:54 -05:00
Will Thames
39af276639 Respect egress rule definitions when creating security groups in default VPC (#34626)
* Add test for unexpected egress rule in default VPC

When passing rules_egress to ec2_group, the default
egress rule shouldn't be created (if `purge_rules_egress`)
is set. Test this.

* Respect egress rule defintions for default VPC groups

When passing rules_egress and purge_rules_egress, the
default egress rule should not be created

Fixes #34429

* Change AWS credential passing to be YAML anchors

Vastly simplify the AWS tasks by reducing the credentials to a YAML
block
2018-01-09 13:44:13 -05:00
Sloane Hertel
d877c146ab [cloud] ec2_group fix CIDR with host bits set - fixes #25403 (#29605)
* WIP adds network subnetting functions

* adds functions to convert between netmask and masklen
* adds functions to verify netmask and masklen
* adds function to dtermine network and subnet from address / mask pair

* network_common: add a function to get the first 48 bits in a IPv6 address.

ec2_group: only use network bits of a CIDR.

* Add tests for CIDRs with host bits set.

* ec2_group: add warning if CIDR isn't the networking address.

* Fix pep8.

* Improve wording.

* fix import for network utils

* Update tests to use pytest instead of unittest

* add test for to_ipv6_network()

* Fix PEP8
2017-12-20 14:57:47 -05:00
Will Thames
c93ddf5473 Move profile and region checking to module_utils.ec2 (#31921)
* Move profile and region checking to module_utils.ec2

Remove ProfileNotFound checking from individual modules

There are plenty of `if not region:` checks that could be removed,
once more thorough testing of this change has occured

The ec2_asg, iam_managed_policy and ec2_vpc_subnet_facts modules
would also benefit from this change but as they do not have tests
and are marked stableinterface, they do not get this change.
2017-11-07 13:56:17 -05:00
Toshio Kuratomi
638de22b35 Update tests for required_if changes
These tests are doing string matches on the error condition.  Update
them to match the new strings.  This is probably okay to push out to old
releases even though it's technically backwards incompatible because
production playbooks won't be checking that a parameter was missing.
Param missing is something detected and fixed while writing the playbook.
2017-10-26 17:37:11 -07:00
Sloane Hertel
1dd55acbc2 ec2_group: add rule description support - fixes #29040 (#30273)
* ec2_group: add support for rule descriptions.

* Document rule description feature and add an example using it.

* Fix removing rule descriptions.

* Add integration tests to verify adding/modifying/removing rule descriptions works as expected.

* Add permissions to hacking/aws_config/testing_policies/ec2-policy.json for updating ingress and egress rule descriptions.

* ec2_group: add backwards compatibility with older versions of botocore for rule descriptions.

* Add compatibility with older version of botocore for ec2_group integration tests.

* ec2_group: move HAS_RULE_DESCRIPTION to be checked first.

* Make requested change

* Pass around a variable instead of client

* Make sure has_rule_description defaults to None

* Fail if rule_desc is in any ingress/egress rules and the the botocore version < 1.7.2

* Remove unnecessary variable

* Fix indentation for changed=True when updating rule descriptions.

* minor refactor to remove duplicate code

* add missing parameter

* Fix pep8

* Update test policy.
2017-10-24 21:18:56 -04:00
Marek Nogacki
b9223cdc89 ec2_group: do not fail on description mismatch (#31704) (#31734)
* ec2_group: do not fail on description mismatch (#31704)

* ec2_group: do not fail on description mismatch (#31704) - fix test case
2017-10-18 09:21:55 -04:00
Brandon Davidson
2ceff476bf [cloud] support tags in ec2_group module (#22472)
* Add tags support to cloud/amazon/ec2_group

* Finish making ec2_group tag support boto3 compatible.

Add integration tests to validate that tags are working as expected.
2017-08-22 11:11:38 -04:00
Sloane Hertel
517c91df18 ec2_group: add integration test for port ranges (#27112)
* fix port ranges for ec2_group and add a test to verify
2017-08-02 13:58:26 +10:00
Jordan Bach
24e393aef1 allow use of jinja2 variables for ec2_group from_port/to_port params (#27145) 2017-08-02 10:26:38 +10:00
Will Thames
f972994662 [cloud] fix VPC behavior for ec2_group module, improve integration tests (#27038)
* Add tests for group in a VPC

* Improve ec2_group output and documentation

Update ec2_group to provide full security group information
Add RETURN documentation to match

* Fix ec2_group creation within a VPC

Ensure VPC ID gets passed when creating security group

* Add test for auto creating SG

* Fix ec2_group auto group creation

* Add backoff to describe_security_groups

Getting LimitExceeded from describe_security_groups is definitely
possible (source: me) so add backoff to increase likelihood of
success.

To ensure that all `describe_security_group` calls are backed off,
remove implicit ones that use `ec2.SecurityGroup`. From there,
the decision to remove the `ec2` boto3 resource and rely on the client
alone makes good sense.

* Tidy up auto created security group

Add resource_prefix to auto created security group and delete
it in the `always` section.
Use YAML argument form for all module parameters
2017-08-01 06:53:43 -04:00
sramakr
b980a5c02a Use Boto3 for ec2_group Fixes #23507 (#25340)
* Use Boto3 for ec2_group

Currently boto doesn't support ipv6. To support ipv6 in ec2_group, we need boto3.
boto3 has significant API changes, which caused more re-factoring for ec2_group module.
Added additional integration test to test_ec2_group role.

* Follow the standard for boto3 ansible

Fixed imports. Use boto3 ansible exception with camel_dict_to_snake_dict.
Refactored the call to authorize/revoke  ingress and egress.

* Removed dependancy with module ipaddress

Added new parameter called cidr_ipv6 for specifying
ipv6 addresses inline with how boto3 handles ipv6 addresses.

* Updated integration test

* Added ipv6 integration test for ec2_group

* Set purge_rules to false for integration test

* Fixed import statements

Added example for ipv6.
Removed defining HAS_BOTO3 variable and import HAS_BOTO3 from ec2.
Cleaned up import statements.

* Fixed exception handling

* Add IAM permissions for ec2_group tests

Missing AuthorizeSecurityGroupEgress necessary for latest tests

* Wrapped botocore import in try/except block

Import just botocore to be more similar to other modules
2017-07-17 12:03:31 +10:00
mihu
6b76bc924f [cloud] New feature for ec2_group: allow deleting groups by id (#26022) 2017-06-26 09:07:29 -04:00
Dag Wieers
0e160d5c7e Ensure exit_json returns failed = False
This is required for modules that may return a non-zero `rc` value for a
successful run, similar to #24865 for Windows fixing **win_chocolatey**.

We also disable the dependency on `rc` value only, even if `failed` was
set.

Adapted unit and integration tests to the new scheme.
Updated raw, shell, script, expect to take `rc` into account.
2017-05-30 14:56:31 -07:00
Matt Clay
17e07a27b2 Enable cloud tests for use with ansible-test. 2017-05-05 21:46:29 +08:00
Renamed from test/integration/roles/test_ec2_group/tasks/main.yml (Browse further)