I've faced this, with an Elasticsearch sg being one of my requirements (in 
my setup I'd have to make a directed acyclic graph of the security groups in 
order to have them all created in a single run).

I resorted to a playbook with two plays, one that creates my security groups 
(no rules), tagged create, and another that populates them, tagged 
configure (or whatever you like).

---
  - name: create security groups
    hosts: localhost
    connection: local
    tags:
      - create
    # some tasks that create my set of security groups (no rules yet)

  - name: populate security groups
    hosts: localhost
    connection: local
    tags:
      - configure
    # tasks that add rules, so that when I refer to a sg, it's already there



If I've just made changes in the group config, I use --skip-tags=create. For 
fresh infrastructure, I go with the whole playbook.

But this method has its caveats. If I want to add a completely new security 
group, I need to add it with an Ansible ad-hoc command (without rules) and then run 
the skip-tags variant. If I instead add the create task to the play and 
run the entire playbook, the sgs that existed before get wiped 
clean of rules by play #1 for a brief period. That is not acceptable.

I'd like to be able to somehow detect if a sg already exists and, if so, 
just update its rules; if not, initialize it and add the rules listed, *with 
support for references to the security group itself in its rules*.

:/

On Saturday, 21 December 2013 12:19:32 UTC+5:30, Alexey Verkhovsky wrote:
>
> I need to define an EC2 security group that opens a port to other nodes of 
> the same group. The use case is Elastic Search cluster autodiscovery. Which 
> looks legitimate enough to me :) 
>
> As far as I can tell, there is no way to do it with the current 
> implementation of ec2_group module. I could pretty easily write a one-liner 
> patch for that module so that group_id: self (or some other magic word) 
> makes it so. Is that a good way to do this?
>
> --Alex
>

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/b625860d-3898-4f1c-b046-ca322af42143%40googlegroups.com.
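The poster's two-play workaround and the "create if missing, otherwise just update the rules, with a self-reference" wish can both be expressed in one idempotent pass with the ec2_group module's later options. The playbook below is an added example written for this page; it is not code from the thread or from the Ansible project. It assumes the amazon.aws collection (module amazon.aws.ec2_security_group, the successor of ec2_group), AWS credentials in the environment, and placeholder values for the region, VPC ID, admin CIDR and the Elasticsearch transport port (9300), all of which are assumptions.

```yaml
# Added example, not from the original thread. Assumes amazon.aws is installed
# and AWS credentials are available to the controller; all vars are placeholders.
- name: Elasticsearch security group with a self-referencing cluster rule
  hosts: localhost
  connection: local
  gather_facts: false
  vars:
    aws_region: us-east-1               # assumption
    vpc_id: vpc-0123456789abcdef0       # placeholder, assumption
    es_sg_name: elasticsearch
    es_transport_port: 9300             # ES node-to-node transport port, assumption
    admin_cidr: 10.0.0.0/8              # placeholder for the admin network, assumption
  tasks:
    # Pass 1: make sure the group exists. With purge_rules and
    # purge_rules_egress disabled and no rules given, an existing group is
    # left exactly as it is (no window where its rules are wiped), and a
    # missing group is created empty. This replaces the "create" play.
    - name: Ensure the security group exists without touching its rules
      amazon.aws.ec2_security_group:
        name: "{{ es_sg_name }}"
        description: Elasticsearch cluster nodes
        vpc_id: "{{ vpc_id }}"
        region: "{{ aws_region }}"
        purge_rules: false
        purge_rules_egress: false

    # Pass 2: declare the complete ingress rule set. purge_rules is left at
    # its default (true), so any rule not listed here is removed and the
    # group converges to exactly this set on every run. The group_name that
    # equals the group's own name is resolved by the module to its own ID,
    # which is the "group_id: self" case from the original question.
    - name: Set the ingress rules, including the self-reference
      amazon.aws.ec2_security_group:
        name: "{{ es_sg_name }}"
        description: Elasticsearch cluster nodes
        vpc_id: "{{ vpc_id }}"
        region: "{{ aws_region }}"
        rules:
          - proto: tcp
            from_port: "{{ es_transport_port }}"
            to_port: "{{ es_transport_port }}"
            group_name: "{{ es_sg_name }}"
            rule_desc: ES transport, cluster members only
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ admin_cidr }}"
            rule_desc: SSH from the admin network
        purge_rules_egress: false       # egress is out of scope here; leave AWS's default
```

Run it as a whole playbook on fresh and on existing infrastructure alike; because pass 1 never purges, the only task that changes rules is pass 2, and it always writes the full intended set. Check the result with ec2_security_group_info filtered on the group name, and confirm that the transport rule's source is the group's own ID rather than a CIDR, which is what keeps port 9300 closed to anything outside the cluster.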