Hi Jaime,
I had the exact same problem. The ec2_group module recreates the rules every
time you use it, so if you're running it in a loop, it will create the
group with the rule for the last item only.
A workaround that I implemented is to generate a var.yml with a var defined
with the rules out of a template, and then source it dynamically:
---
- name: Create rules
  sudo: False
  local_action:
    module: template src=sg_rules.j2 dest=./roles/postgres-server/vars/rules.yml

- name: Load vars
  sudo: False
  include_vars: rules.yml

- name: Open ports for DB clients
  sudo: False
  local_action:
    module: ec2_group
    aws_access_key: "{{ ofertia_s3_access_key }}"
    aws_secret_key: "{{ ofertia_s3_secret_key }}"
    name: "{{ aws_sg }}"
    description: "{{ aws_sg }} group"
    region: "{{ aws_region }}"
    rules: "{{ security_rules }}"
Where my j2 template is something like:
---
security_rules:
{% for trusted_host in trusted_hosts %}
  -
    proto: tcp
    from_port: 22
    to_port: 22
    cidr_ip: {{ trusted_host.ip }}/32
  -
    proto: icmp
    from_port: -1
    to_port: -1
    cidr_ip: {{ trusted_host.ip }}/32
{% endfor %}
Andreub
El lunes, 9 de junio de 2014 22:50:33 UTC+2, Jaime Gago escribió:
>
> Hey there,
> I'm trying to write a playbook that gets the latest Pingdom probe servers'
> IPs and updates an EC2 Security group's rules with those IPs, but I'm
> failing at iterating the IPs in the rule and only the latest IP is added
> (I'm replacing instead of appending). I opened a ticket on GitHub (1) but
> because I hadn't detailed the whole use case it got closed without
> really answering the issue; so I thought I'd post here to see what others are
> thinking.
> I'm not sure whether I'm trying too hard to fit this into a playbook as I
> have this working via a script; now of course I could call the script
> itself but that IMHO would defeat the purpose of using Ansible in the first
> place.
> I understand why the playbook fails to append the rules but I haven't been
> able to figure out a way around it other than modifying the ec2_group module
> itself.
>
> J.
> (1) https://github.com/ansible/ansible/issues/7584
>
>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/8c1f2e91-cc5b-4441-84c7-16f488194b2e%40googlegroups.com.
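An added illustration of the point made in this thread (not code from either poster): ec2_group is modelled only by the behaviour described above, namely that each call replaces the group's rule set with the rules it is given, so calling it once per host keeps only the last host's rules, while building the whole list first and calling once keeps them all. The host addresses are constructed sample values, not real probe IPs; the rule shape (a /32 TCP rule plus an ICMP rule per host) follows the sg_rules.j2 template in the reply. Unlike the template, the builder also validates each address and drops duplicates before anything reaches AWS.

```python
"""Build an EC2 security-group rule list from trusted hosts in one pass.

Added example, not from the thread. `ec2_group_apply` stands in for the
ec2_group module using only the behaviour the thread describes: every
call replaces the group's rules with the `rules` it receives.
"""
import ipaddress
from typing import Dict, Iterable, List

Rule = Dict[str, object]

# Constructed sample inventory, same shape as the template's `trusted_hosts`
# var (a list of dicts with an `ip` key). It deliberately contains a
# duplicate and a malformed entry so the builder's checks are exercised.
TRUSTED_HOSTS = [
    {"ip": "203.0.113.10"},
    {"ip": "203.0.113.11"},
    {"ip": "203.0.113.10"},   # duplicate: must not yield a second rule
    {"ip": "not-an-ip"},      # bad data: rejected, never sent to AWS
]


def build_security_rules(hosts: Iterable[Dict[str, str]],
                         tcp_ports: Iterable[int] = (22,)) -> List[Rule]:
    """Return the complete rule list for a single ec2_group call.

    Each valid, not-yet-seen host gets one /32 TCP rule per port plus an
    ICMP rule, matching the thread's template. Addresses are validated
    with the standard library; duplicates and malformed entries are skipped.
    """
    seen = set()
    rules: List[Rule] = []
    for host in hosts:
        try:
            addr = ipaddress.IPv4Address(host["ip"])
        except (ipaddress.AddressValueError, KeyError):
            continue  # not a single IPv4 address: leave it out
        if addr in seen:
            continue
        seen.add(addr)
        cidr = f"{addr}/32"
        for port in tcp_ports:
            rules.append({"proto": "tcp", "from_port": port,
                          "to_port": port, "cidr_ip": cidr})
        rules.append({"proto": "icmp", "from_port": -1,
                      "to_port": -1, "cidr_ip": cidr})
    return rules


def render_rules_yaml(rules: List[Rule]) -> str:
    """Render the rules as the vars file the thread generates (a top-level
    `security_rules` list), without needing PyYAML or Jinja2."""
    lines = ["---", "security_rules:"]
    for rule in rules:
        lines.append(f"  - proto: {rule['proto']}")
        lines.append(f"    from_port: {rule['from_port']}")
        lines.append(f"    to_port: {rule['to_port']}")
        lines.append(f"    cidr_ip: {rule['cidr_ip']}")
    return "\n".join(lines) + "\n"


def ec2_group_apply(rules: List[Rule]) -> List[Rule]:
    """Stand-in for one ec2_group call: the group ends up with exactly
    `rules`; anything previously present and not listed is gone."""
    return list(rules)


def apply_per_host(hosts: List[Dict[str, str]]) -> List[Rule]:
    """The failing pattern from the thread: one call per host, each call
    overwriting the rules installed by the previous one."""
    final: List[Rule] = []
    for host in hosts:
        final = ec2_group_apply(build_security_rules([host]))
    return final


def apply_once(hosts: List[Dict[str, str]]) -> List[Rule]:
    """The workaround: build the full list first, then call once."""
    return ec2_group_apply(build_security_rules(hosts))


if __name__ == "__main__":
    valid_hosts = TRUSTED_HOSTS[:2]
    print("per-host loop keeps", len(apply_per_host(valid_hosts)), "rules")
    print("single call keeps ", len(apply_once(valid_hosts)), "rules")
    print(render_rules_yaml(build_security_rules(TRUSTED_HOSTS)))
```

Running it prints 2 rules for the loop (only the second host survives) against 4 for the single call, and the rendered vars file contains exactly two hosts' worth of rules despite the four inventory entries.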