Add EC2 security group - only if it does not already exist


Tzach Livyatan

Jan 14, 2015, 3:22:35 AM
to ansible...@googlegroups.com
Newbie Ansible EC2 question:
I'm successfully using the ec2_group module [1] to create an EC2 security group.
However, the operation fails if the group is already there.
What is the idiomatic way to conditionally skip it if the group is already there?

Thanks


Dan Vaida

Jan 14, 2015, 2:49:05 PM
to ansible...@googlegroups.com
What is the error that you get when it fails?

Tzach Livyatan

Jan 15, 2015, 2:31:57 AM
to ansible...@googlegroups.com


On Wednesday, January 14, 2015 at 9:49:05 PM UTC+2, Dan Vaida wrote:
What is the error that you get when it fails?
400 Bad Request

Full capture below

$ ansible-playbook configure-security-group.yaml -e "key_name=$EC2_KEY_NAME"

PLAY [Provision Cassandra cluster security group] ***************************** 

GATHERING FACTS *************************************************************** 
ok: [127.0.0.1]

TASK: [Create security group] ************************************************* 
failed: [127.0.0.1 -> 127.0.0.1] => {"failed": true, "parsed": false}
Traceback (most recent call last):
  File "/home/tzach/.ansible/tmp/ansible-tmp-1421306914.46-15410053363176/ec2_group", line 2145, in <module>
    main()
  File "/home/tzach/.ansible/tmp/ansible-tmp-1421306914.46-15410053363176/ec2_group", line 293, in main
    group.authorize(rule['proto'], rule['from_port'], rule['to_port'], ip, grantGroup)
  File "/usr/lib/python2.7/site-packages/boto-2.28.0-py2.7.egg/boto/ec2/securitygroup.py", line 204, in authorize
    dry_run=dry_run)
  File "/usr/lib/python2.7/site-packages/boto-2.28.0-py2.7.egg/boto/ec2/connection.py", line 3152, in authorize_security_group
    params, verb='POST')
  File "/usr/lib/python2.7/site-packages/boto-2.28.0-py2.7.egg/boto/connection.py", line 1196, in get_status
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>InvalidPermission.Duplicate</Code><Message>the specified rule "peer: sg-36327b53, TCP, from port: 7000, to port: 7000, ALLOW" already exists</Message></Error></Errors><RequestID>8a36dc12-10e6-400c-8f27-c482a1c32c6e</RequestID></Response>


FATAL: all hosts have already failed -- aborting

PLAY RECAP ******************************************************************** 
           to retry, use: --limit @/home/tzach/configure-security-group.yaml.retry

127.0.0.1                  : ok=1    changed=0    unreachable=0    failed=1   

Nicolas G

Jan 15, 2015, 7:54:45 AM
to ansible...@googlegroups.com
hi,

I think when I was trying the ec2_group module, for some reason it would only fail if the security group already existed but was not created by the module; if you create a new security group using the ec2_group module, it won't fail when you run the same playbook again.

Dan Vaida

Jan 15, 2015, 9:06:23 AM
to ansible...@googlegroups.com
As Nicolas mentioned, you will get an error when you are trying to create the security group through Ansible and that security group already exists and was created manually or by another tool.
If you already created the SG with Ansible and want to update it through Ansible, the task is going to report "changed". If you simply leave it as is, at the next run it will report "ok" => idempotency.

Cheers.


Tzach Livyatan

Jan 18, 2015, 9:24:41 AM
to ansible...@googlegroups.com
Thanks Nicolas, Dan
This is it.
The group was created manually.

James Pancoast

Jan 18, 2015, 5:04:22 PM
to ansible...@googlegroups.com


We ran into something similar a few days ago, but I haven't had time to dig into the ec2_group code that much to figure it out.

I'm not sure if this is helpful, but if we had 'TCP' in all caps in the playbook it would behave like this (run fine the first time, create the group, etc., but on second attempt it would give the same error you were seeing). If I just changed it to 'tcp' all lower case the playbook ran fine.
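The thread's two observations fit together: a group the module did not create already carries rules, and a rule that is re-sent to EC2 verbatim comes back as InvalidPermission.Duplicate (the 400 in Tzach's trace). Below is an added example, not the ec2_group module's source and not code from anyone in the thread, of the comparison a module has to make before calling authorize(): flatten what EC2 already reports for the group, normalize it (EC2 treats protocol names case-insensitively, so "TCP" and "tcp" are the same rule), and send only what is genuinely missing. The group description and the playbook-style rules are constructed sample data; whether this version of ec2_group compared protocols case-sensitively is something to confirm in its source, the block only shows why a raw string comparison would behave exactly as James describes.

```python
"""Decide which ingress rules still have to be sent to EC2.

Added example (not the ec2_group module's own code): given the rules a
playbook asks for and the permissions EC2 already reports for the group,
return only the rules that are genuinely missing.  Sending a rule EC2
already has is what produces InvalidPermission.Duplicate, so the comparison
has to be done the way EC2 does it: protocol names are case-insensitive
("TCP" and "tcp" are the same rule).
"""

# Constructed sample of one group, in the dict shape a describe-security-groups
# call returns.  Not captured from a real account.
EXISTING_GROUP = {
    "GroupId": "sg-36327b53",
    "IpPermissions": [
        {   # Cassandra inter-node traffic from members of the same group
            "IpProtocol": "tcp", "FromPort": 7000, "ToPort": 7000,
            "IpRanges": [], "UserIdGroupPairs": [{"GroupId": "sg-36327b53"}],
        },
        {   # SSH from an office range
            "IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
            "IpRanges": [{"CidrIp": "203.0.113.0/24"}], "UserIdGroupPairs": [],
        },
    ],
}

# Constructed rules in the ec2_group playbook style.  Note the upper-case
# "TCP" on the first one, the case James describes.
DESIRED_RULES = [
    {"proto": "TCP", "from_port": 7000, "to_port": 7000, "group_id": "sg-36327b53"},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "203.0.113.0/24"},
    {"proto": "tcp", "from_port": 9042, "to_port": 9042, "cidr_ip": "10.0.0.0/16"},
]


def rule_key(proto, from_port, to_port, peer, normalize=True):
    """Hashable identity of one (protocol, port range, peer) rule.

    With normalize=True the protocol is lower-cased and ports coerced to int,
    matching how EC2 treats them; with normalize=False the raw values are
    compared, which is the behaviour that lets "TCP" slip past as "new".
    """
    if normalize:
        proto = str(proto).lower()
        from_port = int(from_port) if from_port is not None else -1
        to_port = int(to_port) if to_port is not None else -1
    return (proto, from_port, to_port, peer)


def existing_rule_keys(group, normalize=True):
    """Flatten EC2's grouped IpPermissions into one key per peer."""
    keys = set()
    for perm in group["IpPermissions"]:
        proto, lo, hi = perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")
        for pair in perm.get("UserIdGroupPairs", []):
            keys.add(rule_key(proto, lo, hi, pair["GroupId"], normalize))
        for rng in perm.get("IpRanges", []):
            keys.add(rule_key(proto, lo, hi, rng["CidrIp"], normalize))
    return keys


def rules_to_authorize(desired, group, normalize=True):
    """Return the desired rules EC2 does not already have.

    These are the only ones safe to pass to authorize(); anything else
    would come back as InvalidPermission.Duplicate (400 Bad Request).
    """
    have = existing_rule_keys(group, normalize)
    missing = []
    for rule in desired:
        peer = rule.get("group_id") or rule["cidr_ip"]
        key = rule_key(rule["proto"], rule["from_port"], rule["to_port"], peer, normalize)
        if key not in have:
            missing.append(rule)
    return missing


if __name__ == "__main__":
    # Case-insensitive comparison: only the 9042 rule is really new.
    for r in rules_to_authorize(DESIRED_RULES, EXISTING_GROUP):
        print("would authorize:", r)
    # Raw comparison: the "TCP" rule is wrongly treated as new and would be
    # re-sent, reproducing the duplicate-rule error from the thread.
    raw = rules_to_authorize(DESIRED_RULES, EXISTING_GROUP, normalize=False)
    print("without normalizing:", len(raw), "rules would be sent")
```

Run with normalize=True the function returns only the port 9042 rule; with normalize=False it also returns the port 7000 rule, which EC2 already has, and that is the request that would fail. The same normalization is worth applying on the playbook side too: writing protocols in lower case, as James did, keeps the desired state in the form EC2 reports it.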