Remove a rule from AWS EC2 Security group using Ansible
551 views
Skip to first unread message
Rahul Mehrotra
May 15, 2015, 1:32:37 PM5/15/15
to ansible...@googlegroups.com
I have an Ansible script to create EC2 security group. It looks like this
- name: Create HTTP Security Group
local_action:
module: ec2_group
region: "{{ region }}"
vpc_id: "{{ vpc }}"
name: sg_http
description: Security group for HTTP access
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
register: sg_http
I would like to write a task which deletes the rule but not security group. I tried using the state as present, but it doesn't work
- name: Delete HTTP Rule
local_action:
module: ec2_group
region: "{{ region }}"
vpc_id: "{{ vpc }}"
name: sg_http
description: Security group for HTTP access
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
state: absent
register: sg_http
What would be the better way to do this. Regards
Brent Langston
May 15, 2015, 1:50:09 PM5/15/15
to ansible...@googlegroups.com
remove the rule from the list.
rules: []
--------
Brent
--------
Brent
--------
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/4f8fbfa1-1f22-44a2-9c4e-bfdaeff2d2e5%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
Rahul Mehrotra
May 15, 2015, 1:58:09 PM5/15/15
to ansible...@googlegroups.com
Hi,
Can you please provide an example. I am specifically interested in removing egress rules allowing everything automatically added by AWS when security groups are created. Thank you
----------------------------------------------------------------------------------------------------------------------------
Rahul Mehrotra
Cloud & DevOps Engineer, Nokia USA
--
You received this message because you are subscribed to a topic in the Google Groups "Ansible Project" group.
To unsubscribe from this topic, visit https://groups.google.com/d/topic/ansible-project/5AkZ6-PlBRk/unsubscribe.
To unsubscribe from this group and all its topics, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CABta7G0EiYqHrSUDVwT43aD7D68XJCTgHV8R--1vEvn1%2BjSsrA%40mail.gmail.com.
Brent Langston
May 15, 2015, 2:01:20 PM5/15/15
to ansible...@googlegroups.com
the security group module will just make your list of rules look like whatever you have currently defined in yml. If you remove a rule from the list, and run the task again, the rule will be removed from the security group at aws. This hold true for both ingress and egress.
In other words, for this module don't think "state: present" or "state: absent" -- that is determined by the rule being defined or not.
--------
Brent
--------
Brent
--------
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CABddCmAQFj2py-MoEXrqHJg%2B2yLwdWG_SjN7CJLi%2BhDiaeoNMw%40mail.gmail.com.
Rahul Mehrotra
May 15, 2015, 2:18:59 PM5/15/15
to ansible...@googlegroups.com
Thanks Brent that does explain a good detail about how security groups are handled by Ansible.
I would still appreciate if you can answer this question.
I am creating a security group using
- name: Create HTTP Security Group
local_action:
module: ec2_group
region: "{{ region }}"
vpc_id: "{{ vpc }}"
name: sg_http
description: Security group for HTTP access
rules:
- proto: tcp
from_port: 80
to_port: 80
cidr_ip: 0.0.0.0/0
register: sg_http
However this created a security group with inbound http access but also full outbound (egress) access automatically. I do not want those egress rules to be present, how should I remove them.
----------------------------------------------------------------------------------------------------------------------------
Rahul Mehrotra
Cloud & DevOps Engineer, Nokia USATo view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CABta7G3DDTUWurVxZbxVtEP4xxu4cfX1JTEUDWqb-ueeSaASrA%40mail.gmail.com.
Brent Langston
May 15, 2015, 10:37:26 PM5/15/15
to ansible...@googlegroups.com
Create an egress_rules: list that is empty.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CABddCmBevz67_S7M%2B9gEtzkFayJ7QdmoLjwz0hOnhuhfdZkfjg%40mail.gmail.com.
Rahul Mehrotra
May 18, 2015, 1:16:22 PM5/18/15
to ansible...@googlegroups.com
Hi,
I have tried your suggestion of having an empty egress_rules list. However for some reason an all access egress rules are always enabled in all the security groups.
Barry Kaplan
May 18, 2015, 11:12:21 PM5/18/15
to ansible...@googlegroups.com
I think removing the global rule is broken:
benno joy
May 18, 2015, 11:21:38 PM5/18/15
to ansible...@googlegroups.com
Seems to work fine in the devel branch, could you please give it a try
On Tue, May 19, 2015 at 8:42 AM, Barry Kaplan <mem...@gmail.com> wrote:
I think removing the global rule is broken:
--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/80f9a5f6-2b6e-49c6-a3e3-31f97551e190%40googlegroups.com.
Reply all
Reply to author
Forward
0 new messages