ec2_group fails if security group already exists


Gonzalo Fernandez

Jun 5, 2015, 9:02:09 AM
to ansible...@googlegroups.com
Hi

I am having the following problem. Given the following variable rule:

ec2_security_groups_test:
    - sg_name: test-group
      sg_description: test-group
      vpc_id: "vpc-XXXXXX"
      region: "{{ region }}"
      sg_rules:
       - proto: 50
         from_port: -1
         to_port: -1
         cidr_ip: 12.12.12.12/32
       - proto: 50
         from_port: -1
         to_port: -1
         cidr_ip: 13.13.13.13/32
       - proto: 50
         from_port: -1
         to_port: -1
         group_name: test-group

It works on the 1st run, but on the second I get:

<Response><Errors><Error><Code>InvalidPermission.Duplicate</Code><Message>the specified rule "peer: 12.12.12.12/32, protocol: 50, ALLOW" already exists</Message></Error></Errors><RequestID>e890595b-9609-4c31-a611-87da7b5de7ae</RequestID></Response>


I have tried specifying ports, and also "-1"; nothing seems to work.
If I say TCP or UDP it works fine, but when I specify a numeric port as above I get the issue.


Any possible workaround/tips?

Thanks!

Gonzalo Fernandez

Jun 5, 2015, 9:02:10 AM
to ansible...@googlegroups.com
Hi

I am having the following problem.

If I try to run the following Sec_Rule it works OK, but if I re-run it, it fails:


ec2_security_groups_test:
    - sg_name: test-grup
      sg_description: test-group
      vpc_id: "vpc-XXXXXX"
      region: "{{ region }}"
      sg_rules:
       - proto: 50
         from_port: -1
         to_port: -1
         cidr_ip: 54.67.116.112/32
       - proto: 50
         from_port: -1
         to_port: -1
         cidr_ip: 54.183.92.78/32
       - proto: 50
         from_port: -1
         to_port: -1
         group_name: vpn-ap-northeast-1-production


I have tried a number of different options (-1, all, etc.), but it always fails.
If I use TCP/UDP it seems to work with no problem, but I need to define that sort of protocol.

I am using ansible 1.7.1

Any workaround for this?

Thanks!

benno joy

Jun 5, 2015, 9:24:58 AM
to ansible...@googlegroups.com
Added a PR which might fix this: https://github.com/ansible/ansible-modules-core/pull/1472 , maybe you can give it a try.



Gonzalo Fernandez

Jun 5, 2015, 4:27:54 PM
to ansible...@googlegroups.com
Hi

This patch seems to have fixed the problem.
I am working on some more rules topping up and they seem to get through all right.
So far, using protocols 50 and 51 and ALL for all ports, it works.

Thank you so much for helping out on this.
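An added example (my own Python, not the ec2_group module's code or the linked PR) of the desired-vs-existing rule comparison an idempotent module needs. It assumes, as a likely root cause not confirmed on the page, that AWS reports an existing ESP (proto 50) rule with no port range while the playbook says -1, so a literal comparison never matches and the module re-issues the authorize call that AWS then rejects as InvalidPermission.Duplicate.

```python
# Assumed root cause (not stated on the page): port-less protocols such as
# ESP (50), AH (51) or "all" come back from AWS with from_port/to_port = None,
# whereas the playbook writes -1, so raw rule tuples never compare equal.
PORTLESS_PROTOS = {"50", "51", "-1", "all"}  # protocols that carry no port


def normalize_rule(rule):
    """Return a hashable key (proto, from_port, to_port, target) for one rule.

    Port values of -1 / "-1" / None, and any port on a port-less protocol,
    collapse to None so playbook and AWS representations become comparable.
    """
    proto = str(rule.get("proto", "-1")).lower()
    if proto == "all":
        proto = "-1"
    from_port, to_port = rule.get("from_port"), rule.get("to_port")
    if proto in PORTLESS_PROTOS or from_port in (None, -1, "-1"):
        from_port = to_port = None
    else:
        from_port, to_port = int(from_port), int(to_port)
    target = rule.get("cidr_ip") or rule.get("group_id") or rule.get("group_name")
    return (proto, from_port, to_port, target)


def diff_rules(desired, existing):
    """Return (rules to authorize, rules to revoke) as sets of normalized keys.

    An empty 'to authorize' set on a re-run is what makes the module idempotent:
    nothing is re-sent to AWS, so no duplicate-permission error can occur.
    """
    want = {normalize_rule(r) for r in desired}
    have = {normalize_rule(r) for r in existing}
    return want - have, have - want


# Constructed sample: the thread's playbook rules, and how AWS (hypothetically)
# reports the same rules after the first successful run.
DESIRED = [
    {"proto": 50, "from_port": -1, "to_port": -1, "cidr_ip": "12.12.12.12/32"},
    {"proto": 50, "from_port": -1, "to_port": -1, "cidr_ip": "13.13.13.13/32"},
    {"proto": 50, "from_port": -1, "to_port": -1, "group_name": "test-group"},
]
EXISTING = [
    {"proto": "50", "from_port": None, "to_port": None, "cidr_ip": "12.12.12.12/32"},
    {"proto": "50", "from_port": None, "to_port": None, "cidr_ip": "13.13.13.13/32"},
    {"proto": "50", "from_port": None, "to_port": None, "group_name": "test-group"},
]

if __name__ == "__main__":
    to_add, to_revoke = diff_rules(DESIRED, EXISTING)
    print("authorize:", to_add, "revoke:", to_revoke)  # both empty on a re-run
```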