Hi Aaron, is it valid to specify a list of IPs for the cidr_ip value in the rules (or was this a cut/paste mistake)?
On Thu, Sep 4, 2014 at 6:46 PM, Aaron Mills <[email protected]> wrote:
> Hi all,
>
> I'm using Ansible 1.7 and trying to populate an ec2_group with a list of
> allowed IPs inbound. My playbook looks like so:
>
> ---
> - name: Allow specific hosts to talk to my instance
>   hosts: localhost
>   connection: local
>   vars:
>     ec2_region: us-east-1
>     vpc_id: vpc-12345
>     sg_name: very-secure-group
>     sg_description: A very secure group
>     ips:
>       - 1.2.3.4/32
>       - 1.2.3.5/32
>       - 1.2.3.6/32
>       - 1.2.3.7/32
>   tasks:
>     - name: Create a very secure group
>       local_action:
>         module: ec2_group
>         name: "{{ sg_name }}"
>         description: "{{ sg_description }}"
>         region: "{{ ec2_region }}"
>         vpc_id: "{{ vpc_id }}"
>         rules:
>           - proto: tcp
>             from_port: 443
>             to_port: 443
>             cidr_ip: "{{ ips }}"
>           - proto: tcp
>             from_port: 22
>             to_port: 22
>             cidr_ip: 6.7.8.9/32
>         rules_egress:
>           - proto: tcp
>             from_port: 22
>             to_port: 22
>             cidr_ip: 6.7.8.9/32
>
> The security group creates just fine when I run this playbook. However,
> on subsequent runs, I get the following error from AWS/boto:
>
> <Response><Errors><Error><Code>InvalidPermission.Duplicate</Code><Message>the specified rule "peer: 1.2.3.4/32, TCP, from port: 443, to port: 443, ALLOW" already exists</Message></Error></Errors><RequestID>blahblah</RequestID></Response>
>
> So I can't re-run the playbook to add/remove rules. I know this is an AWS
> issue, but I'd prefer not to have to write a rule for each and every IP. I
> tried to do a "with_items" loop to generate the rules, but that also fails
> - it just adds a new rule over the top of the old one over and over
> (presumably because it calls the ec2_group module for every item?)
>
> Is there another way to specify a rather lengthy list of IPs without
> having to create a rule for each one?
>
> Many thanks.
>
> --
> You received this message because you are subscribed to the Google Groups
> "Ansible Project" group.
> To unsubscribe from this group and stop receiving emails from it, send an
> email to [email protected].
> To post to this group, send email to [email protected].
> To view this discussion on the web visit
> https://groups.google.com/d/msgid/ansible-project/fe92790b-8ca5-4331-8d61-7a6e6a39a73e%40googlegroups.com
> For more options, visit https://groups.google.com/d/optout.

To view this discussion on the web visit https://groups.google.com/d/msgid/ansible-project/CAMFyvFg7%2BEOcN9mmabh-z8iGYZLp0xp1jahR5VBFnAS6SspUCg%40mail.gmail.com.
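The quoted question asks two things: how to express a long list of source CIDRs without writing one rule per address, and why a second run collides with InvalidPermission.Duplicate. The logic a module needs for that is small enough to show on its own. The following is an added example written for this thread; it is not Ansible's ec2_group module and not Aaron's playbook, makes no AWS calls, and the helper names expand_rules, plan_changes and broad_rules are hypothetical. It expands a rule whose cidr_ip is a list (or a single string) into one canonical (proto, from_port, to_port, cidr) tuple per CIDR, then computes the set difference against the rules already on the group, so a re-run with nothing to change issues no authorize call. The "existing" rules are constructed sample data; they include a stale 0.0.0.0/0 entry to show the removal side and the broad-CIDR check a reviewer would want before applying.

```python
"""Expand security-group rules with list-valued cidr_ip and plan an idempotent
update against what already exists.  Hypothetical helper code written for this
thread; not Ansible's ec2_group module, and no AWS/boto calls are made."""
import ipaddress
from typing import Iterable, List, Tuple

# One rule per CIDR: (proto, from_port, to_port, cidr)
Rule = Tuple[str, int, int, str]

# Constructed sample: the inbound rules from the playbook in the question.
DESIRED_RULES = [
    {"proto": "tcp", "from_port": 443, "to_port": 443,
     "cidr_ip": ["1.2.3.4/32", "1.2.3.5/32", "1.2.3.6/32", "1.2.3.7/32"]},
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "6.7.8.9/32"},
]

# Constructed sample: what a second run might find already on the group.
# Two of the four HTTPS peers exist, and a stale, overly broad SSH rule is present.
EXISTING_RULES: List[Rule] = [
    ("tcp", 443, 443, "1.2.3.4/32"),
    ("tcp", 443, 443, "1.2.3.5/32"),
    ("tcp", 22, 22, "6.7.8.9/32"),
    ("tcp", 22, 22, "0.0.0.0/0"),
]


def normalize_cidr(cidr: str) -> str:
    """Validate a CIDR and return its canonical text, so that '1.2.3.4' and
    '1.2.3.4/32' compare equal.  strict=True rejects a prefix with host bits
    set (e.g. '1.2.3.4/24'), which is almost always a typo in a rule."""
    return str(ipaddress.ip_network(cidr, strict=True))


def expand_rules(rules: Iterable[dict]) -> List[Rule]:
    """Turn each rule dict into one Rule tuple per CIDR.  cidr_ip may be a
    single string or a list of strings; both become the same flat shape."""
    expanded: List[Rule] = []
    for rule in rules:
        cidrs = rule["cidr_ip"]
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        for cidr in cidrs:
            expanded.append((rule["proto"], int(rule["from_port"]),
                             int(rule["to_port"]), normalize_cidr(cidr)))
    return expanded


def plan_changes(desired: Iterable[Rule],
                 existing: Iterable[Rule]) -> Tuple[List[Rule], List[Rule]]:
    """Return (to_add, to_remove) that converge the group on `desired`.
    Because the comparison is a set difference on normalized tuples, a rule
    that is already present is never re-authorized, which is what avoids
    InvalidPermission.Duplicate on the second run."""
    want, have = set(desired), set(existing)
    return sorted(want - have), sorted(have - want)


def broad_rules(rules: Iterable[Rule], v4_min_prefix: int = 24,
                v6_min_prefix: int = 64) -> List[Rule]:
    """Flag rules whose source network is wider than the given prefix length
    (IPv4 wider than /24, IPv6 wider than /64 by default) for review."""
    flagged: List[Rule] = []
    for rule in rules:
        net = ipaddress.ip_network(rule[3])
        limit = v4_min_prefix if net.version == 4 else v6_min_prefix
        if net.prefixlen < limit:
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    desired = expand_rules(DESIRED_RULES)
    to_add, to_remove = plan_changes(desired, EXISTING_RULES)
    print("add:   ", to_add)
    print("remove:", to_remove)
    print("broad: ", broad_rules(EXISTING_RULES))
```

The same flattening is what you would do before handing rules to any cloud API: compare the canonical desired set with the canonical existing set and only act on the difference. The broad_rules check belongs in the same place, since a list-valued cidr_ip makes it easy to paste in a wide range without noticing.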
