Adding a security group to running ec2 instance

2,541 views

Louis Garman

Jun 4, 2014, 10:29:25 AM
to ansible...@googlegroups.com
Is there a way to update the properties of a running ec2 instance? Specifically, I'd like to add security groups to a running VPC instance.

I've used the ec2 module to create an instance, but once it's running, adding a security group to the 'group' parameter and re-running the playbook has no effect. The exceptions are the count_tag and exact_count parameters, which create/destroy instances accordingly.


Brian Coca

Jun 4, 2014, 10:41:52 AM
to ansible...@googlegroups.com
aws doesn't allow you to change the security group association of an instance once created, you CAN change the rules of the existing security group. Ansible cannot give you something that aws itself doesn't support.

Brent Langston

Jun 4, 2014, 11:08:13 AM
to ansible...@googlegroups.com

Whoa. Maybe I'm misunderstanding you but I add and remove security groups on instances while running all the time. It would be cool to do that via ansible.

On Jun 4, 2014 7:41 AM, "Brian Coca" <bria...@gmail.com> wrote:
aws doesn't allow you to change the security group association of an instance once created, you CAN change the rules of the existing security group. Ansible cannot give you something that aws itself doesn't support.

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CADn%2BHswMJ-wJ4ZkOaXurn3zpYK3h19F1p%3D%2BTYh1kSe3S9LdY8Q%40mail.gmail.com.
For more options, visit https://groups.google.com/d/optout.

Brian Coca

Jun 4, 2014, 11:24:57 AM
to ansible...@googlegroups.com
this might have changed, I have not even tried in a good while. This used to be a restriction, I stand corrected and happy to hear, it was a major pain.

Brian Coca

Jun 4, 2014, 11:27:28 AM
to ansible...@googlegroups.com
just double checked aws documentation:

"After you launch an instance in EC2-Classic, you can't change its security groups. However, you can add rules to or remove rules from a security group, and those changes are automatically applied to all instances that are associated with the security group."

will try this later to confirm, not sure what 'classic' means either

Brian Coca

Jun 4, 2014, 11:28:34 AM
to ansible...@googlegroups.com
ah, VPC instances have different rules, 'classic' is non VPC from what I can see.

Brent Langston

Jun 4, 2014, 12:07:39 PM
to ansible...@googlegroups.com
Yep. that must be the difference. I'm all VPC.

--------
Brent
--------


On Wed, Jun 4, 2014 at 11:28 AM, Brian Coca <bria...@gmail.com> wrote:
ah, VPC instances have different rules, 'classic' is non VPC from what I can see.


Louis Garman

Jun 4, 2014, 12:12:27 PM
to ansible...@googlegroups.com
Yes, you can update an instance's list of security groups if that instance is in a VPC:

http://docs.aws.amazon.com/AmazonVPC/latest/UserGuide/VPC_SecurityGroups.html (see "Differences Between Security Groups for EC2-Classic and EC2-VPC")

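The VPC case confirmed above, as an added example that is not code from the thread or from Ansible's ec2 module: a Python script that adds or removes security groups on a running VPC instance through boto3's ModifyInstanceAttribute. Two practitioner caveats are built in. First, the Groups parameter replaces the instance's entire group list, so the code merges with the groups already attached instead of sending only the additions (sending only the new group would silently detach the one that admits your bastion). Second, it refuses EC2-Classic instances, whose groups cannot be changed after launch. boto3 is assumed to be installed only when run against real AWS; the instance and group IDs and the FakeEC2 client are constructed placeholders so the logic runs offline.

```python
"""Add/remove security groups on a running VPC instance (added example,
not code from the thread or from Ansible). Assumes boto3 is installed and
credentials are configured when run for real; the FakeEC2 client and all
IDs below are constructed placeholders so the logic runs offline."""


def desired_group_set(current, add=(), remove=()):
    """Compute the full target set. ModifyInstanceAttribute's Groups
    parameter replaces the instance's entire group list, so we merge with
    what is attached now rather than sending only the additions; otherwise
    the group that admits your bastion/SSH would silently disappear."""
    target = (set(current) | set(add)) - set(remove)
    if not target:
        raise ValueError("a VPC instance must keep at least one security group")
    return sorted(target)


def plan_change(current, add=(), remove=()):
    """Return (changed, groups): changed is False when the instance already
    has exactly the target set, which keeps repeated playbook runs idempotent."""
    groups = desired_group_set(current, add, remove)
    return groups != sorted(set(current)), groups


def current_groups(ec2, instance_id):
    """Groups on the instance's primary ENI. Refuses EC2-Classic instances,
    whose groups cannot be changed after launch (no VpcId in the response)."""
    resp = ec2.describe_instances(InstanceIds=[instance_id])
    inst = resp["Reservations"][0]["Instances"][0]
    if "VpcId" not in inst:
        raise RuntimeError(f"{instance_id} is EC2-Classic; launch a replacement instead")
    return [g["GroupId"] for g in inst["SecurityGroups"]]


def apply_security_groups(instance_id, add=(), remove=(), client=None,
                          region="us-east-1", dry_run=False):
    """Idempotently set the instance's groups to current + add - remove.
    With dry_run=True real AWS raises a DryRunOperation ClientError instead
    of changing anything; the fake client below just records the call."""
    if client is None:
        import boto3  # assumption: only needed for a real AWS call
        client = boto3.client("ec2", region_name=region)
    changed, groups = plan_change(current_groups(client, instance_id), add, remove)
    if changed:
        client.modify_instance_attribute(InstanceId=instance_id, Groups=groups,
                                         DryRun=dry_run)
    return changed, groups


class FakeEC2:
    """Constructed stand-in for boto3's EC2 client, mimicking only the two
    response shapes used above, so the example runs without AWS access."""

    def __init__(self, groups, vpc=True):
        self.groups = list(groups)
        self.vpc = vpc
        self.calls = []

    def describe_instances(self, InstanceIds):
        inst = {"InstanceId": InstanceIds[0],
                "SecurityGroups": [{"GroupId": g, "GroupName": g} for g in self.groups]}
        if self.vpc:
            inst["VpcId"] = "vpc-0example"  # constructed placeholder
        return {"Reservations": [{"Instances": [inst]}]}

    def modify_instance_attribute(self, InstanceId, Groups, DryRun=False):
        self.calls.append({"InstanceId": InstanceId, "Groups": list(Groups), "DryRun": DryRun})
        if not DryRun:
            self.groups = list(Groups)
        return {}


if __name__ == "__main__":
    fake = FakeEC2(["sg-0bastion"])  # constructed: instance currently has one group
    print(apply_security_groups("i-0example", add=["sg-0web"], client=fake))
    # second run is a no-op, the way a converged playbook task should be
    print(apply_security_groups("i-0example", add=["sg-0web"], client=fake))
```

To run it for real, drop the client argument and pass your own instance and group IDs; running once with dry_run=True first lets IAM confirm the caller is allowed ec2:ModifyInstanceAttribute before anything changes.
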
Louis Garman

Jun 4, 2014, 12:26:01 PM
to ansible...@googlegroups.com
I'll create a pull request.

As an aside, updating *any* of the ec2 module parameters will not update the instance, which in practice is often undesirable or impossible, because most of the parameters would require a restart (think instance_type, etc). However, 'volumes' is one such parameter that could be updatable (but isn't, I tried). I worked around that by creating an 'ec2_vol', and specifying the instance_id in there.

iain wright

Jun 18, 2014, 8:37:08 PM
to ansible...@googlegroups.com
Hi Louis et al.,

This just bit us (performing modifications of security groups/volumes of running instances using ec2 module in the context of a VPC)

Did you ever end up modifying the module to support these mutations in a VPC based environment? We'd love to use them if so!

Thank you,
iain

iain wright

Jun 18, 2014, 9:24:38 PM
to ansible...@googlegroups.com
Ah, i see this is possible in ec2_vol, we are going to pursue that route. Hopefully we can get ec2 module modified to support security group mutations when in a VPC and will submit a pull request if we do!

Thank you,
iain