Remove a rule from AWS EC2 Security group using Ansible


Rahul Mehrotra

May 15, 2015, 1:32:37 PM5/15/15
to ansible...@googlegroups.com

I have an Ansible script to create an EC2 security group. It looks like this:

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
  register: sg_http

I would like to write a task which deletes the rule but not the security group. I tried using the state as present, but it doesn't work:

- name: Delete HTTP Rule
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        state: absent
  register: sg_http

What would be the better way to do this? Regards

Brent Langston

May 15, 2015, 1:50:09 PM5/15/15
to ansible...@googlegroups.com
Remove the rule from the list.

rules: []

--------
Brent
--------


Rahul Mehrotra

May 15, 2015, 1:58:09 PM5/15/15
to ansible...@googlegroups.com

Hi,
Can you please provide an example? I am specifically interested in removing the egress rules allowing everything that are automatically added by AWS when security groups are created. Thank you


--------
Rahul Mehrotra
Cloud & DevOps Engineer, Nokia USA


Brent Langston

May 15, 2015, 2:01:20 PM5/15/15
to ansible...@googlegroups.com
The security group module will just make your list of rules look like whatever you have currently defined in the yml. If you remove a rule from the list and run the task again, the rule will be removed from the security group at AWS. This holds true for both ingress and egress.

In other words, for this module don't think "state: present" or "state: absent"; that is determined by the rule being defined or not.

--------
Brent
--------

Rahul Mehrotra

May 15, 2015, 2:18:59 PM5/15/15
to ansible...@googlegroups.com
Thanks Brent, that does explain a good deal about how security groups are handled by Ansible.
I would still appreciate it if you could answer this question.

I am creating a security group using:

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
  register: sg_http

However, this created a security group with inbound HTTP access but also full outbound (egress) access automatically. I do not want those egress rules to be present; how should I remove them?


--------
Rahul Mehrotra
Cloud & DevOps Engineer, Nokia USA

Brent Langston

May 15, 2015, 10:37:26 PM5/15/15
to ansible...@googlegroups.com

Create an egress_rules: list that is empty.
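A worked version of the approach described in this thread (declarative rule lists, empty egress list), added here as an example rather than taken from any post. It uses the option names the ec2_group module itself documents, rules_egress, purge_rules and purge_rules_egress, and assumes region and vpc are defined elsewhere in the play as in the original tasks; the audit task assumes an Ansible version where check_mode is a task keyword.

```yaml
# Added example, not from the thread. ec2_group is declarative: the rule
# lists in the task are the desired final state, and the module revokes
# anything on the group that is not listed. An empty rules_egress list plus
# purge_rules_egress removes the allow-all outbound rule AWS attaches to a
# new VPC security group. Assumes region and vpc come from play vars.
- name: HTTP security group with no outbound access
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
    rules_egress: []            # desired egress state: nothing allowed out
    purge_rules: true           # revoke any ingress rule not listed above
    purge_rules_egress: true    # revoke the default 0.0.0.0/0 egress rule
  register: sg_http

# To drop the HTTP rule later but keep the group, run the same task with
# rules: [] rather than a per-rule state; the module computes the difference.

# Drift check: re-run the same declaration in check mode and fail if the
# module would change anything, i.e. if a rule was added or removed by hand
# in the console or API since the playbook last ran.
- name: Audit sg_http against the declared rule set
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
    rules_egress: []
    purge_rules: true
    purge_rules_egress: true
  check_mode: yes
  register: sg_http_audit
  failed_when: sg_http_audit.changed
```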

Rahul Mehrotra

May 18, 2015, 1:16:22 PM5/18/15
to ansible...@googlegroups.com
Hi,
I have tried your suggestion of having an empty egress_rules list. However, for some reason, an all-access egress rule is always enabled in all the security groups.

Barry Kaplan

May 18, 2015, 11:12:21 PM5/18/15
to ansible...@googlegroups.com

benno joy

May 18, 2015, 11:21:38 PM5/18/15
to ansible...@googlegroups.com
Seems to work fine in the devel branch; could you please give it a try?
