Re: [ansible-project] Ansible - AWS - Security Group

144 views

Pshem Kowalczyk

Jan 14, 2018, 3:12:50 AM
to ansible...@googlegroups.com
This looks like a definition of a role, not a play. If you want this to be a play you have to turn this into the 'tasks' section of the yaml file and specify at least the hosts you want this run against.

kind regards
Pshem


On Sun, 14 Jan 2018 at 19:17 Reddy Myyb <redd...@gmail.com> wrote:
The script to create aws security group is not working anymore. I have ansible 2.3.1.0, my script as below.

- name: Bstar ec2 group
  ec2_group:
    name: bright_star
    description: an example EC2 group
    vpc_id: vpc-1ab4e
    region: ap-southeast-2a
    aws_secret_key: SKEY
    aws_access_key: AKEY
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 22
        to_port: 22
        cidr_ip: 10.0.0.0/8
      - proto: tcp
        from_port: 443
        to_port: 443
        group_id: amazon-elb/sg-87654321/amazon-elb-sg
      - proto: tcp
        from_port: 3306
        to_port: 3306
        group_id: 123412341234/sg-87654321/exact-name-of-sg
      - proto: udp
        from_port: 10050
        to_port: 10050
        cidr_ip: 10.0.0.0/8
      - proto: udp
        from_port: 10051
        to_port: 10051
        group_id: sg-12345678
      - proto: icmp
        from_port: 8 # icmp type, -1 = any type
        to_port:  -1 # icmp subtype, -1 = any subtype
        cidr_ip: 10.0.0.0/8
      - proto: all
        # the containing group name may be specified here
        group_name: Bstar_SecurityGroups
    rules_egress:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
        cidr_ipv6: 64:ff9b::/96
        group_name: example-other
        # description to use if example-other needs to be created
        group_desc: other example EC2 group

Please provide the correct module for security group.

Below is the error message:

ERROR! 'ec2_group' is not a valid attribute for a Play

The error appears to have been in '/home/devopsadmin/dev/security.yml': line 1, column 3, but may
be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:


- name: Bstar ec2 group
  ^ here

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To post to this group, send email to ansible...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/b1709fe2-99ae-416e-a941-661cb3e3e9f4%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Pshem Kowalczyk

Jan 16, 2018, 2:56:00 PM
to ansible...@googlegroups.com
It seems like you don't have any tasks in your playbook. Could you show the content of the playbook?

kind regards
Pshem


On Tue, 16 Jan 2018 at 16:58 Reddy Myyb <redd...@gmail.com> wrote:
Hi Pshem,
I have made it as a task and am able to run it. The play runs successfully, but I can't see the security group in my AWS console. The output says changed=0. I'm running the play from one VPC and the creation is on another VPC. My output is below. Please let me know if there's anything I need to change.

PLAY [localhost] *************************************************************************************************************

TASK [Gathering Facts] *******************************************************************************************************
ok: [localhost]

PLAY RECAP *******************************************************************************************************************
localhost                  : ok=1    changed=0    unreachable=0    failed=0

Regards,
Reddy

Pshem Kowalczyk

Jan 16, 2018, 10:38:34 PM
to ansible...@googlegroups.com
Hi,

Firstly - please regenerate access keys used for that account, as now the whole internet can access your account.

Secondly - can you run the playbook with -vv to see what's actually going on?

kind regards
Pshem


On Wed, 17 Jan 2018 at 14:08 Reddy Myyb <redd...@gmail.com> wrote:
Hi Pshem,
Please find below the content of my playbook.

---
 - hosts: localhost
   become: yes
   become_method: sudo
   vars_files:
      - ec2-vars/sam.yml
   roles:
      - { role: security }

Below is my role.

- name: Bstar ec2 group
- ec2_group:
    name: bright_pedda
    description: an example EC2 group
    vpc_id: vpc-1ab4277e
    region: ap-southeast-2a
    aws_secret_key: AKIAJ2H25HM333T2WEIQ
    aws_access_key: 30uio86RAQssiOUUAGFpTcQ4UOEHvWlPTAJ++pA8

Regards,
Reddy

Reddy Myyb

Jan 18, 2018, 11:39:29 PM
to Ansible Project
Hi Pshem,
Please find below error details with -vvv.

Using module file /usr/lib/python2.7/site-packages/ansible/modules/cloud/amazon/ec2_group.py
<127.0.0.1> ESTABLISH LOCAL CONNECTION FOR USER: devopsadmin
<127.0.0.1> EXEC /bin/sh -c 'echo ~ && sleep 0'
<127.0.0.1> EXEC /bin/sh -c '( umask 77 && mkdir -p "` echo /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163 `" && echo ansible-tmp-1516336698.6-150169371339163="` echo /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163 `" ) && sleep 0'
<127.0.0.1> PUT /tmp/tmplD4zPE TO /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163/ec2_group.py
<127.0.0.1> EXEC /bin/sh -c 'chmod u+x /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163/ /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163/ec2_group.py && sleep 0'
<127.0.0.1> EXEC /bin/sh -c 'sudo -H -S -n -u root /bin/sh -c '"'"'echo BECOME-SUCCESS-wqtfwybgoqhbfezogxxtowkktmtihqlj; /usr/bin/python /home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163/ec2_group.py; rm -rf "/home/devopsadmin/.ansible/tmp/ansible-tmp-1516336698.6-150169371339163/" > /dev/null 2>&1'"'"' && sleep 0'
The full traceback is:
Traceback (most recent call last):
  File "/tmp/ansible_jB7bqT/ansible_module_ec2_group.py", line 487, in <module>
    main()
  File "/tmp/ansible_jB7bqT/ansible_module_ec2_group.py", line 283, in main
    for curGroup in ec2.get_all_security_groups():
  File "/usr/lib/python2.7/site-packages/boto/ec2/connection.py", line 2984, in get_all_security_groups
    [('item', SecurityGroup)], verb='POST')
  File "/usr/lib/python2.7/site-packages/boto/connection.py", line 1186, in get_list
    raise self.ResponseError(response.status, response.reason, body)
boto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized
<?xml version="1.0" encoding="UTF-8"?>
<Response><Errors><Error><Code>AuthFailure</Code><Message>Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'Dt4q191m7+gPbrnkQfEZT9QUoIWDVyq0ous/TS76/20180119/ap-southeast-2/ec2/aws4_request,SignedHeaders=host;x-amz-date,Signature=76afdaaa0c55e555680cc35ef200f75d660d90fb98022bd412e216822af4c110'</Message></Error></Errors><RequestID>f8c83e5f-a069-41eb-956a-126440cf0730</RequestID></Response>

fatal: [localhost]: FAILED! => {
    "changed": false,
    "failed": true,
    "module_stderr": "Traceback (most recent call last):\n  File \"/tmp/ansible_jB7bqT/ansible_module_ec2_group.py\", line 487, in <module>\n    main()\n  File \"/tmp/ansible_jB7bqT/ansible_module_ec2_group.py\", line 283, in main\n    for curGroup in ec2.get_all_security_groups():\n  File \"/usr/lib/python2.7/site-packages/boto/ec2/connection.py\", line 2984, in get_all_security_groups\n    [('item', SecurityGroup)], verb='POST')\n  File \"/usr/lib/python2.7/site-packages/boto/connection.py\", line 1186, in get_list\n    raise self.ResponseError(response.status, response.reason, body)\nboto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized\n<?xml version=\"1.0\" encoding=\"UTF-8\"?>\n<Response><Errors><Error><Code>AuthFailure</Code><Message>Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'Dt4q191m7+gPbrnkQfEZT9QUoIWDVyq0ous/TS76/20180119/ap-southeast-2/ec2/aws4_request,SignedHeaders=host;x-amz-date,Signature=76afdaaa0c55e555680cc35ef200f75d660d90fb98022bd412e216822af4c110'</Message></Error></Errors><RequestID>f8c83e5f-a069-41eb-956a-126440cf0730</RequestID></Response>\n",
    "module_stdout": "",
    "msg": "MODULE FAILURE",
    "rc": 0

PS: I have changed my security creds.

Reddy Myyb

Jan 19, 2018, 1:08:42 AM
to Ansible Project
Hi Pshem,
Please find below the latest error details.

An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (AuthFailure) when calling the DescribeSecurityGroups operation: Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'Dt4q191m7+gPbrnkQfEZT9QUoIWDVyq0ous/TS76/20180119/ap-southeast-2/ec2/aws4_request,'
fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "AuthFailure", "message": "Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'Dt4q191m7+gPbrnkQfEZT9QUoIWDVyq0ous/TS76/20180119/ap-southeast-2/ec2/aws4_request,'"}, "msg": "Error in describe_security_groups: An error occurred (AuthFailure) when calling the DescribeSecurityGroups operation: Credential must have exactly 5 slash-delimited elements, e.g. keyid/date/region/service/term, got 'Dt4q191m7+gPbrnkQfEZT9QUoIWDVyq0ous/TS76/20180119/ap-southeast-2/ec2/aws4_request,'", "response_metadata": {"http_headers": {"date": "Fri, 19 Jan 2018 06:06:24 GMT", "server": "AmazonEC2", "transfer-encoding": "chunked"}, "http_status_code": 401, "request_id": "096c5f20-ff34-4c4f-b5ff-7e5216ec727d", "retry_attempts": 0}}


Regards,
Reddy

Pshem Kowalczyk

Jan 21, 2018, 6:07:52 PM
to ansible...@googlegroups.com
Hi,

Looking at your debug output, it's some sort of authentication issue with AWS:

boto.exception.EC2ResponseError: EC2ResponseError: 401 Unauthorized

This might mean that the keys are not correct or the user that the keys are associated with doesn't have the permission to carry out the operation.

kind regards
Pshem
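
The three failures in this thread can all be caught before a single AWS call is made, and the AuthFailure text quoted above ("Credential must have exactly 5 slash-delimited elements") is itself the clue to the last one. The following is an added example, not code from the thread, from Ansible or from boto. It (1) classifies a parsed top-level YAML list as a playbook or a bare task list, which is the distinction behind "'ec2_group' is not a valid attribute for a Play"; (2) normalises an availability zone such as ap-southeast-2a to its region; and (3) rebuilds the SigV4 Credential scope the way a client does, showing that putting the secret key (which may contain '/') in the access-key field pushes the element count past 5. Assumptions: the regexes for key and region shapes and the PLAY_KEYS set are simplified, the key pair is AWS's published example pair, and the sample task dicts are constructed here.

```python
"""Offline preflight for an Ansible ec2_group task (added example)."""
import re

# Assumed shapes: access key IDs are 20 uppercase alphanumerics prefixed AKIA
# (long-term) or ASIA (temporary); secrets are 40 base64-alphabet chars, so a
# secret may legitimately contain '/' and '+'. Region regex is simplified.
ACCESS_KEY_RE = re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")
SECRET_KEY_RE = re.compile(r"^[A-Za-z0-9/+]{40}$")
REGION_RE = re.compile(r"^[a-z]{2}-[a-z]+-\d$")       # e.g. ap-southeast-2
AZ_RE = re.compile(r"^([a-z]{2}-[a-z]+-\d)[a-z]$")    # e.g. ap-southeast-2a

# AWS's published example key pair, used here as constructed sample input.
EXAMPLE_ACCESS_KEY = "AKIAIOSFODNN7EXAMPLE"
EXAMPLE_SECRET_KEY = "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"

# Partial set of keywords a play may carry (assumption). Any other top-level
# key in a list item is a task keyword or module name, which is what makes
# ansible-playbook complain that it is "not a valid attribute for a Play".
PLAY_KEYS = {"hosts", "name", "tasks", "roles", "vars", "vars_files", "become",
             "become_method", "gather_facts", "pre_tasks", "post_tasks", "handlers"}


def classify_document(items):
    """Describe a parsed top-level YAML list: a playbook or a bare task list."""
    if not items:
        return "empty"
    if all("hosts" in item for item in items):
        return "playbook"
    stray = sorted(k for item in items for k in item if k not in PLAY_KEYS)
    if stray:
        return ("task list (found %s); put it under a play's tasks: or in "
                "roles/<name>/tasks/main.yml" % ", ".join(stray))
    return "playbook missing hosts"


def credential_scope(access_key_id, yyyymmdd, region, service="ec2"):
    """The SigV4 Credential= value a client sends; AWS requires exactly 5 parts."""
    return "/".join([access_key_id, yyyymmdd, region, service, "aws4_request"])


def scope_element_count(scope):
    """Number of slash-delimited elements AWS will see in the scope."""
    return len(scope.split("/"))


def normalise_region(value):
    """Return the region, stripping the trailing AZ letter if an AZ was given."""
    if REGION_RE.match(value):
        return value
    m = AZ_RE.match(value)
    if m:
        return m.group(1)
    raise ValueError("not an AWS region or availability zone: %r" % value)


def lint_ec2_group_task(params):
    """Return a list of problems with an ec2_group parameter dict, no AWS calls."""
    problems = []
    region = params.get("region", "")
    try:
        fixed = normalise_region(region)
        if fixed != region:
            problems.append("region %r is an availability zone; use %r" % (region, fixed))
    except ValueError as exc:
        fixed = region
        problems.append(str(exc))

    ak, sk = params.get("aws_access_key"), params.get("aws_secret_key")
    if ak is None and sk is None:
        return problems  # boto falls back to env vars, a profile or an instance role
    if ak is None or sk is None:
        problems.append("only one of aws_access_key / aws_secret_key is set")
        return problems
    problems.append("credentials are hard-coded in the task; move them to "
                    "AWS_ACCESS_KEY_ID/AWS_SECRET_ACCESS_KEY or an ansible-vault variable")
    if ACCESS_KEY_RE.match(sk) and SECRET_KEY_RE.match(ak):
        problems.append("aws_access_key and aws_secret_key are swapped")
    elif not (ACCESS_KEY_RE.match(ak) and SECRET_KEY_RE.match(sk)):
        problems.append("credentials do not have the shape of an AWS key pair")
    # The key ID is the first scope element, so a secret containing '/' in that
    # slot breaks the 5-element rule quoted in the AuthFailure message.
    n = scope_element_count(credential_scope(ak, "20180119", fixed))
    if n != 5:
        problems.append("SigV4 credential scope would have %d elements, not 5" % n)
    return problems


if __name__ == "__main__":
    # Constructed sample mirroring the thread: a task list run as a playbook,
    # an AZ as region, and the key pair in each other's fields.
    print(classify_document([{"name": "Bstar ec2 group"}, {"ec2_group": {"name": "bright_pedda"}}]))
    bad = {"name": "bright_pedda", "region": "ap-southeast-2a",
           "aws_access_key": EXAMPLE_SECRET_KEY, "aws_secret_key": EXAMPLE_ACCESS_KEY}
    for p in lint_ec2_group_task(bad):
        print("-", p)
```

Run it against the parameter dict before `ansible-playbook`; a swapped pair reports both the swap and a scope with more than 5 elements, which is exactly what the 401 AuthFailure in the -vvv trace describes. Leaving the keys out of the task and supplying them through the environment or ansible-vault also removes the leak that prompted the "regenerate your keys" advice above.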

