Has anyone made any further progress on this yet?

On Monday, March 23, 2015 at 4:41:24 PM UTC-7, Steven Truong wrote:
>
> Thanks for the tips.  I tried this and it worked, but only to some 
> extent.  
>
> What do I mean by that? Here are the steps you can repeat to see 
> the potential issue with this ec2_group module.
>
> 1. I started out with a vars yml file that has about 9 different IP 
> addresses/32
>
> ---
> aws_vpc_id: vpc-...
> aws_secret_key: zUxxx....xxx
> aws_access_key: Axx....xxx
> sg_group_name_ssh: ext-ssh-prod
>
> allowed_ssh_hosts:
>  - 
>  - 
>  - 
>  - 
>  - 
>  - 
>  - 
>  -
>  - 
>
> 2. Created the module's tasks/main.yml
> # roles/aws_sg_ext_ssh/tasks/main.yml
> - name: generate rules
>   # render one rule per allowed host into a vars file, loaded by the next task
>   template: src=security_rules.j2 dest={{ ansible_path }}/roles/aws_sg_ext_ssh/vars/ext_ssh_prod.rules
>   when: aws_vpc_id == 'vpc-....'
>
> - name: load vars
>   include_vars: ext_ssh_prod.rules
>   when: aws_vpc_id == 'vpc-.......'
>
> - name: ssh access rules
>   ec2_group:
>     name: "{{ sg_group_name_ssh | mandatory }}"
>     description: Allow ssh access from outside of AWS
>     vpc_id: "{{ aws_vpc_id | mandatory }}"
>     region: us-east-1
>     aws_secret_key: "{{ aws_secret_key | mandatory }}"
>     aws_access_key: "{{ aws_access_key | mandatory }}"
>     purge_rules: true    # revoke any existing rule that is not in the list below
>     rules: "{{ ext_ssh_prod_rules }}"
>   when: aws_vpc_id == 'vpc-.....'
>
> 3. Created the template:
> {# security_rules.j2: one tcp/22 ingress rule per entry in allowed_ssh_hosts #}
> ext_ssh_prod_rules:
> {% for host in allowed_ssh_hosts %}
>   - proto: tcp
>     from_port: 22
>     to_port: 22
>     cidr_ip: {{ host }}
> {% endfor %}
>
> 4. Created the playbook
> - hosts: localhost
>   vars_files:
>     - vars/vpc_prod_east.yml
>   roles:
>     - aws_sg_ext_ssh
>
> 5. Applied the playbook and things worked as expected.  I saw 9 rules 
> created in the security group
> 6. Added 8.8.8.8/32 to the end of the ext_ssh_prod_rules
> 7. Applied the playbook again and a rule was added for 8.8.8.8/32
> 8. Removed 8.8.8.8/32 from ext_ssh_prod_rules
> 9. Applied the playbook again and now the rule for 8.8.8.8/32 was not 
> there, but 3 more rules were not there either.  So for some reason the 
> 3 rules got deleted.
>
> I checked the intermediate roles/vars/ext_ssh_prod.rules every single time 
> and the output has always been correct, with either 9 or 10 entries (when 
> 8.8.8.8/32 was added).
>
> So in order for us to use this reliably I must apply the playbook again 
> TWICE after removing an IP address.  
>
> I consider this a bug and will look at the source code to see what the 
> situation is there.
>
> Cheers and Ansible rocks.
>
>
> On Monday, June 9, 2014 at 1:50:33 PM UTC-7, Jaime Gago wrote:
>
>> Hey there,
>> I'm trying to write a playbook that gets the latest Pingdom probe servers' 
>> IPs and adds/updates an EC2 Security Group's rules with those IPs, but I'm 
>> failing at iterating the IPs in the rule and only the latest IP is added 
>> (I'm replacing instead of appending). I opened a ticket on github (1) but 
>> because I hadn't detailed the whole use case it got closed without 
>> really answering the issue; so I thought I'd post here to see what others are 
>> thinking. 
>> I'm not sure whether I'm trying too hard to fit this into a playbook, as I 
>> have this working via a script; now of course I could call the script 
>> itself but that IMHO would defeat the purpose of using Ansible in the first 
>> place.
>> I understand why the playbook fails to append the rules but I haven't 
>> been able to figure out a way around it other than modifying the ec2_group 
>> module itself.
>>
>> J.
>> (1) https://github.com/ansible/ansible/issues/7584
>>
>>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/b342e5ea-c070-41d8-8128-96724c4aec1b%40googlegroups.com.
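The nine-step sequence above (apply, add 8.8.8.8/32, remove it again) is exactly the kind of thing worth checking offline before trusting `purge_rules: true` on a production group. The script below is an added example for this thread, not Ansible's ec2_group source and not anything posted by Steven or Jaime: it models the purge behaviour as set reconciliation (authorize what is missing, revoke what is no longer desired) on an in-memory stand-in for the security group, replays steps 5 to 9, and reports what a single apply should revoke. The `FakeSecurityGroup`, `reconcile` and `drift` names are mine, the rule key `(proto, from_port, to_port, cidr_ip)` mirrors the fields the template renders, and the 192.0.2.x hosts are constructed from documentation address space. Nothing here talks to AWS.

```python
"""Model of purge_rules=true reconciliation for an SSH security group.

Added example for this thread; not Ansible's ec2_group code and not a call to
AWS. It replays steps 5-9 (apply, add 8.8.8.8/32, remove it) on an in-memory
group so the expected revoke set can be checked before a real run. Rules are
keyed as (proto, from_port, to_port, cidr_ip), the fields the template renders;
the host list is constructed from RFC 5737 documentation space.
"""
import ipaddress
from typing import Iterable, List, Set, Tuple

Rule = Tuple[str, int, int, str]  # (proto, from_port, to_port, cidr_ip)


def canonical_cidr(host: str) -> str:
    """Normalise '192.0.2.7', '192.0.2.7/32' or '10.1.2.3/24' (host bits set)
    to the network string the provider reports, so desired and current rules
    compare equal regardless of how the vars file spelled them."""
    return str(ipaddress.ip_network(host, strict=False))


def ssh_rules_for(hosts: Iterable[str]) -> Set[Rule]:
    """What security_rules.j2 renders, as a set: one tcp/22 rule per host,
    with duplicates collapsed."""
    return {("tcp", 22, 22, canonical_cidr(h)) for h in hosts}


class FakeSecurityGroup:
    """Stand-in for the live group's ingress rules (constructed, in memory)."""

    def __init__(self, rules: Iterable[Rule] = ()) -> None:
        self.rules: Set[Rule] = {
            (proto, f, t, canonical_cidr(cidr)) for proto, f, t, cidr in rules
        }

    def authorize(self, rule: Rule) -> None:
        self.rules.add(rule)

    def revoke(self, rule: Rule) -> None:
        self.rules.discard(rule)


def reconcile(sg: FakeSecurityGroup, desired: Set[Rule],
              purge: bool = True) -> Tuple[List[Rule], List[Rule]]:
    """Drive sg to exactly `desired` (purge=True) or only add to it.
    Returns (authorized, revoked), sorted, so a caller can assert that
    removing one host revokes exactly one rule and that a second apply
    with the same input is a no-op."""
    to_add = sorted(desired - sg.rules)
    to_revoke = sorted(sg.rules - desired) if purge else []
    for rule in to_add:
        sg.authorize(rule)
    for rule in to_revoke:
        sg.revoke(rule)
    return to_add, to_revoke


def drift(sg: FakeSecurityGroup, desired: Set[Rule]) -> Tuple[Set[Rule], Set[Rule]]:
    """Post-apply check: (missing, extra). Both empty means the group matches
    the vars file; the same comparison against a describe of the real group
    is the check to run after each playbook run."""
    return desired - sg.rules, sg.rules - desired


def replay_thread_scenario():
    """Steps 5-9 of the thread on the fake group. Returns the rule count after
    each apply, what the removal step revoked, and the drift after that single
    apply (the thread needed two applies; here one must be enough)."""
    hosts = [f"192.0.2.{i}/32" for i in range(1, 10)]  # 9 constructed /32s
    sg = FakeSecurityGroup()

    reconcile(sg, ssh_rules_for(hosts))                     # step 5
    after_initial = len(sg.rules)
    reconcile(sg, ssh_rules_for(hosts + ["8.8.8.8/32"]))    # steps 6-7
    after_add = len(sg.rules)
    _, revoked = reconcile(sg, ssh_rules_for(hosts))        # steps 8-9
    after_remove = len(sg.rules)
    missing, extra = drift(sg, ssh_rules_for(hosts))
    return after_initial, after_add, after_remove, revoked, missing, extra


if __name__ == "__main__":
    print(replay_thread_scenario())
```

The point of `canonical_cidr` is that a set-based purge only behaves if desired and current rules are keyed identically; a host written as `192.0.2.7` in the vars file and reported back as `192.0.2.7/32` would otherwise look like one rule to revoke and one to add on every run. Whether that is what happened in the thread is not established here; the `drift` comparison against the real group after a single apply is what would show it.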