Modifying CIDR of an existing EC2 Security Groups using Ansible

[Naveen NK]

Can we modify existing EC2 Security group using Ansible by accepting new input parameter through jenkins job?

Scenario - I have to update users public IP to Ec2 security groups everyday Whenever their Public ip changes. This become repetitive tasks as Public IP is dynamic and changes everyday. I tried to automate this by creating ansible playbook with jenkins job by passing input parameter "{{ newpublicip }}" for new public ip and let user provide his IP and run the job and it updates the security groups. Below is the code

- hosts: localhost

connection: local

gather_facts: false

vars:

- newpublicip: "{{ newpublicip }}"

- name: "{{ name }}"

tasks:

- name: boto3

pip:

name: "boto3"

state: present

- name: modiying security group

ec2_group:

name: "{{ name }}"

description: An example ec2 group

vpc_id: xxxx

region: "{{ region }}"

aws_access_key: "{{ access_key }}"

aws_secret_key: "{{ secret_key }}"

rules:

- proto: tcp

from_port: 80

to_port: 80

cidr_ip: "0.0.0.0/0"

- proto: tcp

from_port: 22

to_port: 22

cidr_ip: "{{ newpublicip }}"

rule_desc: user1

- proto: tcp

from_port: 22

to_port: 22

cidr_ip: "{{ newpublicip }}"

rule_desc: user2

But the problem here is it updates whole existing security group with passed value, Here we will have different users assigned same port numbers with their public IP as source to access, so based on matching the rule_desc ex., user1 it should update the CIDR ip with input value provided "{{ newpublicip }}" Or please suggest some options to improvise this?

Thank you !

[Komal Suthar]

In this ec2_group module i don't think that we can solve this use case 

--
You received this message because you are subscribed to the Google Groups "Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email to ansible-proje...@googlegroups.com.
To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/7a7674af-d06c-4043-a67f-51532da62c38n%40googlegroups.com.

[Naveen NK]

Is there any other options to achieve this ? I have been stuck here since week :(

[Dick Visser]

Hi

On Mon, 26 Apr 2021 at 07:34, Naveen NK <navee...@gmail.com> wrote:

Can we modify existing EC2 Security group using Ansible by accepting new input parameter through jenkins job?

Scenario - I have to update users public IP to Ec2 security groups everyday Whenever their Public ip changes. This become repetitive tasks as Public IP is dynamic and changes everyday. I tried to automate this by creating ansible playbook with jenkins job by passing input parameter "{{ newpublicip }}" for new public ip and let user provide his IP and run the job and it updates the security groups.

So you want your users to be able to update an IP ACL themselves, because they're on dynamic networks?

--

Sent from a mobile device - please excuse the brevity, spelling and punctuation.

[Naveen NK]

Yes right !

[Dick Visser]

On Tue, 27 Apr 2021 at 12:41, Naveen NK <navee...@gmail.com> wrote:

Yes right !

Ok, but this updating by those users, is that done through the publicly accessible api.

I'm not sure about the security benefits of this setup. 

What about setting up some vpn or something if you insist on IP acls 

[Naveen NK]

We couldn't  go for VPN due to high pricing. So trying some workaround

This updating IP would go through jenkins job so there shouldn't be security problems.

[Naveen NK]

Does anyone got some idea on this?