AWS Security Group and VPC Peering


Justin Seiser

Jan 26, 2018, 1:15:36 PM
to Ansible Project
I am trying to allow a security group from a VPC peer access to resources in another security group. Exactly what is described here. I am using Ansible 2.5.


My VPC is active.

(venv) [ec2-user@ip-10-99-200-10 deployment]$ aws ec2 describe-vpc-peering-connections
{
    "VpcPeeringConnections": [
        {
            "Status": {
                "Message": "Active",
                "Code": "active"
            },
            "Tags": [
                {
                    "Value": "MGR-CLOUD",
                    "Key": "Name"
                }
            ],
            "AccepterVpcInfo": {
                "PeeringOptions": {
                    "AllowEgressFromLocalVpcToRemoteClassicLink": false,
                    "AllowDnsResolutionFromRemoteVpc": true,
                    "AllowEgressFromLocalClassicLinkToRemoteVpc": false
                },
                "OwnerId": "xxxxx0107728",
                "CidrBlockSet": [
                    {
                        "CidrBlock": "10.99.100.0/24"
                    }
                ],
                "CidrBlock": "10.99.100.0/24",
                "VpcId": "vpc-7abd281f"
            },
            "VpcPeeringConnectionId": "pcx-8e51c0e7",
            "RequesterVpcInfo": {
                "PeeringOptions": {
                    "AllowEgressFromLocalVpcToRemoteClassicLink": false,
                    "AllowDnsResolutionFromRemoteVpc": true,
                    "AllowEgressFromLocalClassicLinkToRemoteVpc": false
                },
                "OwnerId": "xxxxx0107728",
                "CidrBlockSet": [
                    {
                        "CidrBlock": "10.99.200.0/24"
                    }
                ],
                "CidrBlock": "10.99.200.0/24",
                "VpcId": "vpc-55f36730"
            }
        }
    ]
}

(venv) [ec2-user@ip-10-99-200-10 deployment]$


The security groups do exist.


(venv) [ec2-user@ip-10-99-200-10 deployment]$ aws ec2 describe-security-groups --query 'SecurityGroups[*].{VPCID:VpcId,Account:OwnerId,NAME:GroupName,ID:GroupId}'
[
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-ccfa6ea9",
        "NAME": "default",
        "ID": "sg-2c777549"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-7abd281f",
        "NAME": "secgrp-cloudmfa-appliance-prd",
        "ID": "sg-35848450"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-55f36730",
        "NAME": "secgrp-mfamgr-bastion-prd",
        "ID": "sg-8f6567ea"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-ccfa6ea9",
        "NAME": "secgrp-mfacloud-appliance-prd",
        "ID": "sg-b8797bdd"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-55f36730",
        "NAME": "default",
        "ID": "sg-da6567bf"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-8e7daceb",
        "NAME": "default",
        "ID": "sg-de0c8cbb"
    },
    {
        "Account": "xxxxx0107728",
        "VPCID": "vpc-7abd281f",
        "NAME": "default",
        "ID": "sg-f5848490"
    }
]



Yet no matter what I try to put in for 'group_name' or 'group_id' I get the same error.

I have tried:
group_id: xxxxx0107728/sg-8f6567ea/secgrp-mfacloud-appliance-prd
group_id: sg-8f6567ea
group_name: secgrp-mfacloud-appliance-prd


Here is the relevant portion of my task.

- name: SECURITY GROUP | Ensure MFA Appliance Security Group Exists
  ec2_group:
    name: secgrp-{{ vpc_name }}-appliance-{{ vpc_environment_tag }}
    description: Security Group For MFA Cloud Appliances
    vpc_id: "{{ vpc_id }}"
    region: "{{ vpc_region }}"
    rules:
      - proto: tcp
        ports:
          - 80
          - 443
          - 2195
          - 5228-52230
        cidr_ip: 0.0.0.0/0
      - proto: udp
        ports:
          - 5228-52230
          - 2195
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        ports:
          - 5985
          - 5986
          - 1433
        group_name: secgrp-mfamgr-bastion-prd
    tags:
      Name: "secgrp-{{ vpc_name }}-appliance-{{ vpc_environment_tag }}"
      Environment: "{{ vpc_environment_tag }}"
      Customer: "{{ vpc_customer_tag }}"
  register: mfa_secgrp_appliance

- name: SECURITY GROUP | Set MFA Appliance Security Group ID
  set_fact:
    secgrp_appliance_id: "{{ mfa_secgrp_appliance.group_id }}"



and the error

fa_aws : SECURITY GROUP | Ensure MFA Appliance Security Group Exists] **************************************************************************************************************************************
An exception occurred during task execution. To see the full traceback, use -vvv. The error was: ClientError: An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: You have specified two resources that belong to different networks.
fatal: [localhost]: FAILED! => {"changed": false, "error": {"code": "InvalidGroup.NotFound", "message": "You have specified two resources that belong to different networks."}, "failed": true, "msg": "Unable to authorize ingress for group sg-8f6567ea security group 'secgrp-mfacloud-appliance-prd' - An error occurred (InvalidGroup.NotFound) when calling the AuthorizeSecurityGroupIngress operation: You have specified two resources that belong to different networks.", "response_metadata": {"http_headers": {"connection": "close", "date": "Fri, 26 Jan 2018 17:47:20 GMT", "server": "AmazonEC2", "transfer-encoding": "chunked"}, "http_status_code": 400, "request_id": "ad5bb10a-fe5c-48a1-9c1f-832de0d6a0af", "retry_attempts": 0}}
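The AWS error in the post ("two resources that belong to different networks") is what you get when a rule on one security group references a group whose VPC is neither the same VPC nor one joined to it by an active peering connection. The following is an added example, not the poster's task or Ansible's own code: a small offline pre-flight check that reads the two CLI listings shown above (embedded here as constructed sample data with the IDs from the post, plus one made-up "pending-acceptance" peering, pcx-EXAMPLE0, between vpc-ccfa6ea9 and vpc-55f36730, added only to exercise the status check) and reports, before any AuthorizeSecurityGroupIngress call is made, whether a target group may reference a source group. The helper names (load_sg_index, active_peerings, check_sg_reference, resolve_name) are this example's own.

```python
"""Pre-flight validation of a security-group-to-security-group ingress rule.

Rule: target group T may reference source group S only if both groups sit
in the same VPC, or in two VPCs that are joined by a peering connection
whose status code is "active". Anything else is rejected locally instead
of being sent to AWS.
"""
import json

# Constructed sample data: the peering listing from the post, reduced to the
# fields this check needs, plus one extra non-active peering (pcx-EXAMPLE0,
# made up for this example) so that the status filter is exercised.
PEERINGS_JSON = """
{"VpcPeeringConnections": [
  {"Status": {"Message": "Active", "Code": "active"},
   "VpcPeeringConnectionId": "pcx-8e51c0e7",
   "AccepterVpcInfo":  {"OwnerId": "xxxxx0107728", "VpcId": "vpc-7abd281f"},
   "RequesterVpcInfo": {"OwnerId": "xxxxx0107728", "VpcId": "vpc-55f36730"}},
  {"Status": {"Message": "Pending Acceptance", "Code": "pending-acceptance"},
   "VpcPeeringConnectionId": "pcx-EXAMPLE0",
   "AccepterVpcInfo":  {"OwnerId": "xxxxx0107728", "VpcId": "vpc-ccfa6ea9"},
   "RequesterVpcInfo": {"OwnerId": "xxxxx0107728", "VpcId": "vpc-55f36730"}}
]}
"""

# Constructed sample data: the security-group listing from the post, in the
# shape produced by the --query projection used there.
SGS_JSON = """
[
  {"Account": "xxxxx0107728", "VPCID": "vpc-ccfa6ea9", "NAME": "default",                       "ID": "sg-2c777549"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-7abd281f", "NAME": "secgrp-cloudmfa-appliance-prd", "ID": "sg-35848450"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-55f36730", "NAME": "secgrp-mfamgr-bastion-prd",     "ID": "sg-8f6567ea"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-ccfa6ea9", "NAME": "secgrp-mfacloud-appliance-prd", "ID": "sg-b8797bdd"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-55f36730", "NAME": "default",                       "ID": "sg-da6567bf"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-8e7daceb", "NAME": "default",                       "ID": "sg-de0c8cbb"},
  {"Account": "xxxxx0107728", "VPCID": "vpc-7abd281f", "NAME": "default",                       "ID": "sg-f5848490"}
]
"""


def load_sg_index(sgs_json):
    """Map group ID -> {vpc, name, owner}. IDs are unique; names are not."""
    return {g["ID"]: {"vpc": g["VPCID"], "name": g["NAME"], "owner": g["Account"]}
            for g in json.loads(sgs_json)}


def active_peerings(peerings_json):
    """Map each *active* peered VPC pair (as a frozenset) to its pcx- ID.

    Non-active peerings (pending, rejected, deleted, ...) are ignored: a
    group reference across them is refused by AWS just like an unpeered pair.
    """
    peers = {}
    for p in json.loads(peerings_json)["VpcPeeringConnections"]:
        if p["Status"]["Code"] != "active":
            continue
        pair = frozenset({p["AccepterVpcInfo"]["VpcId"], p["RequesterVpcInfo"]["VpcId"]})
        peers[pair] = p["VpcPeeringConnectionId"]
    return peers


def check_sg_reference(target_sg, source_sg, sg_index, peers):
    """Return (ok, reason) for an ingress rule on target_sg that references source_sg."""
    for sg in (target_sg, source_sg):
        if sg not in sg_index:
            return False, f"{sg} is not in the listing for this account/region"
    t_vpc = sg_index[target_sg]["vpc"]
    s_vpc = sg_index[source_sg]["vpc"]
    if t_vpc == s_vpc:
        return True, f"both groups are in {t_vpc}"
    pcx = peers.get(frozenset({t_vpc, s_vpc}))
    if pcx is None:
        return False, f"{t_vpc} and {s_vpc} have no active peering connection"
    return True, f"{t_vpc} and {s_vpc} are peered via {pcx}"


def resolve_name(name, vpc_id, sg_index):
    """Resolve a group *name* to an ID, but only inside vpc_id.

    Names are only unique per VPC (the listing above has four groups called
    "default"), so a name without a VPC is ambiguous; a lookup scoped to the
    wrong VPC simply finds nothing.
    """
    hits = [gid for gid, g in sg_index.items() if g["name"] == name and g["vpc"] == vpc_id]
    return hits[0] if hits else None


if __name__ == "__main__":
    idx = load_sg_index(SGS_JSON)
    peers = active_peerings(PEERINGS_JSON)
    bastion = "sg-8f6567ea"  # secgrp-mfamgr-bastion-prd, vpc-55f36730
    for target in ("sg-35848450", "sg-b8797bdd", "sg-da6567bf", "sg-00000000"):
        ok, why = check_sg_reference(target, bastion, idx, peers)
        print(f"{target} <- {bastion}: {'OK ' if ok else 'NO '}({why})")
```

Run against the post's listing, the check passes for sg-35848450 (secgrp-cloudmfa-appliance-prd in vpc-7abd281f, the accepter side of pcx-8e51c0e7) and for the bastion VPC's own default group, and fails for sg-b8797bdd: the listing places secgrp-mfacloud-appliance-prd in vpc-ccfa6ea9, which appears in no active peering connection. The resolve_name helper shows why a bare group name is a weak reference in an account with several VPCs; an explicit sg- ID, or the group ID together with the VPC it lives in, is the safer thing to put in a rule.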
