ec2_group with a rule opening a port to other nodes of the same group


Alexey Verkhovsky

Dec 21, 2013, 1:49:32 AM
to ansible...@googlegroups.com
I need to define an EC2 security group that opens a port to other nodes of the same group. The use case is Elastic Search cluster autodiscovery. Which looks legitimate enough to me :) 

As far as I can tell, there is no way to do it with the current implementation of the ec2_group module. I could pretty easily write a one-liner patch for that module so that group_id: self (or some other magic word) makes it so. Is that a good way to do this?

--Alex

Sankalp Khare

May 16, 2015, 3:05:01 PM
to ansible...@googlegroups.com, alexey.v...@gmail.com
I've faced this, with an elasticsearch sg being one of my requirements (in my setup I'd have to make a directed acyclic graph of the security groups in order to have them all created in a single run).

Resorted to a playbook with two plays, one that creates my security groups (no rules), tagged create, and another that populates them, tagged configure (or whatever you like).

---
  # Play 1: create the security groups with no rules, so that every group
  # name referenced later already exists.
  - name: create security groups
    hosts: localhost
    connection: local
    gather_facts: false
    tags:
      - create
    tasks: []
    # some tasks that create my set of security groups

  # Play 2: populate the groups with their rules.
  - name: populate security groups
    hosts: localhost
    connection: local
    gather_facts: false
    tags:
      - configure
    tasks: []
    # tasks that add rules. so that when I refer to a sg, it's there.



If I've just made changes in the group config, I use --skip-tag=create. For fresh infrastructure, I go with the whole playbook.

But this method has its caveats. If I want to add a completely new security group, I need to add it using ansible ad-hoc (without rules) and then run the skip-tags variant. If I go with adding the create task in the play, and running the entire playbook, the sgs that existed from before get wiped clean of rules by play #1 for a brief period. That is not acceptable.

I'd like to be able to somehow detect if a sg already exists, and if so, just update its rules. If not, initialize it and add the rules listed. With support for references to the security group itself, in its rules.

:/

Sankalp Khare

May 17, 2015, 5:33:27 AM
to ansible...@googlegroups.com, alexey.v...@gmail.com
Just after posting here I found this post in the group. It does what I want. All I need to do is make sure I add group_desc with group_name everywhere. And then I can just do a single play, with rules in the calls to ec2_group.

:D #happy
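The single-play version the last post arrives at, written out as an added example (it is not code from this thread or from the Ansible project). The group name, description, region, VPC id, port numbers and the internal CIDR are assumed placeholders; the shape of the rule that references the group's own name with group_name plus group_desc is what ec2_group needs to create the group before attaching the self-referencing rule:

```yaml
---
# Added example: one play, one ec2_group task that both creates the group
# (if missing) and converges its rules. All values below are assumptions.
- name: elasticsearch cluster security group
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    es_sg_name: elasticsearch-cluster        # assumed group name
    es_sg_desc: Elasticsearch cluster nodes  # assumed description
    aws_region: us-east-1                    # assumed region
    vpc_id: vpc-00000000                     # placeholder VPC id
    internal_cidr: 10.0.0.0/8                # assumed internal range
  tasks:
    - name: create or update the group; node-to-node traffic only from members
      ec2_group:
        name: "{{ es_sg_name }}"
        description: "{{ es_sg_desc }}"
        region: "{{ aws_region }}"
        vpc_id: "{{ vpc_id }}"
        rules:
          # Transport/discovery port (9300 assumed): the source is the group
          # itself, so only instances in this group can reach it and no CIDR
          # is opened. group_desc lets the module create the group first.
          - proto: tcp
            from_port: 9300
            to_port: 9300
            group_name: "{{ es_sg_name }}"
            group_desc: "{{ es_sg_desc }}"
          # HTTP API port (9200 assumed): limited to the internal range, not 0.0.0.0/0.
          - proto: tcp
            from_port: 9200
            to_port: 9200
            cidr_ip: "{{ internal_cidr }}"
        rules_egress:
          - proto: all
            cidr_ip: 0.0.0.0/0
        # Default behaviour, stated explicitly: rules not listed here are removed,
        # so the task is the single source of truth for the group.
        purge_rules: true
      register: es_sg

    - name: show the resulting group id
      debug:
        var: es_sg.group_id
```

Because ec2_group removes any rule that is not listed (purge_rules defaults to true), a separate "create" play that lists no rules strips the rules of every group that already exists, which is the brief wipe described earlier in the thread; keeping creation and rules in one task avoids that window and stays idempotent on re-runs.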