Any idea how to dig the sg id out of this? Maybe changing the module to
not be so verbose and print only the needed info would be easier?
On Thursday, May 28, 2015 at 3:59:14 PM UTC+10, Igor Cicimov wrote:
>
> Thanks for replying Benno. I did exactly that with debugging and can see
> where the problem is.
>
> First let me say I haven't been completely honest about the way I've been
> invoking the ec2_module. I have simplified the call for readability but
> from the debug output I can see I shouldn't have since it covers the
> problem. In case I do:
>
> - ec2_group:
>     name: group-{{ ec2_env }}
>     description: "firewall"
>     vpc_id: "vpc-xxxxxxxx"
>     region: "eu-west-1"
>     ...
>   register: group_sg
>
> then all is fine. The debug message is simple:
>
> ok: [localhost] => {
> "msg": "group_id -- {'invocation': {'module_name': u'ec2_group',
> 'module_args': ''}, 'changed': True, 'group_id': 'sg-xxxxxxxx'}"
> }
>
> However, in my case I'm invoking ec2_group via a with_dict loop as given below:
>
> - hosts: localhost
>   connection: local
>   gather_facts: false
>   vars_files:
>     - group_vars/app_servers
>     - group_vars/vpcs
>   tasks:
>     - name: "Some group"
>       ec2_group:
>         name: group-{{ ec2_env }}
>         description: "group firewall"
>         vpc_id: "{{ item.key }}"
>         region: "{{ item.value.region }}"
>         purge_rules: false
>         purge_rules_egress: false
>         rules:
>           - proto: tcp
>             from_port: 22
>             to_port: 22
>             cidr_ip: 0.0.0.0/0
>           - proto: tcp
>             from_port: xxxxx
>             to_port: xxxxx
>             cidr_ip: "{{ item.value.cidr }}"
>           .
>           .
>           .
>           - proto: all
>             group_name: group-{{ ec2_env }}
>         rules_egress:
>           - proto: all
>             type: all
>             cidr_ip: 0.0.0.0/0
>       with_dict: vpc
>       when: item.value.name == ec2_env
>       register: group_sg
>
>
> where the dictionary is a VPC mapping as follows:
>
> vpc:
>   vpc-xxxxxxxx:
>     name: nameX
>     region: ap-southeast-2
>     cidr: "xxxxxxxx/16"
>     subnets:
>       - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
>     subnets_app:
>       - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
>     subnets_db:
>       - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
>   .
>   .
>   .
>   vpc-yyyyyyyy:
>     name: nameY
>     region: eu-west-1
>     cidr: "xxxxxxxx/16"
>     subnets:
>       - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
>     subnets_app:
>       - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
>     subnets_db:
>       - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
>       - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
>
>
> in which case I get the following complex structure as output:
>
> TASK: [debug var=group_sg]
> ***************************************************
> ok: [localhost] => {
>   "var": {
>     "group_sg": {
>       "changed": true,
>       "msg": "All items completed",
>       "results": [
>         {
>           "changed": false,
>           "skipped": true
>         },
>         {
>           "changed": false,
>           "skipped": true
>         },
>         {
>           "changed": false,
>           "skipped": true
>         },
>         {
>           "changed": true,
>           "group_id": "sg-xxxxxxxx",
>           "invocation": {
>             "module_args": "",
>             "module_name": "ec2_group"
>           },
>           "item": {
>             "key": "vpc-xxxxxxxx",
>             "value": {
>               "cidr": "xxxxxxxx/16",
>               "name": "xxxxxxxx",
>               "region": "eu-west-1",
>               "subnets": [
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1a"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1b"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1c"
>                 }
>               ],
>               "subnets_app": [
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1a"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1b"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1c"
>                 }
>               ],
>               "subnets_db": [
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1a"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1b"
>                 },
>                 {
>                   "subnet": "subnet-xxxxxxxx",
>                   "zone": "eu-west-1c"
>                 }
>               ]
>             }
>           }
>         },
>         {
>           "changed": false,
>           "skipped": true
>         }
>       ]
>     }
>   }
> }
>
>
> Yeah, I'm trying to make the play generic and apply to any VPC/subnets in
> any region.
>
> Thanks again for your help.
>
> Igor
>
> On Thursday, May 28, 2015 at 3:35:04 PM UTC+10, benno joy wrote:
>>
>> Hi Igor,
>>
>> - debug: msg="group_id -- {{ group_sg.group_id }}" should work, can you
>> please try
>>
>> - debug: var=group_sg and see what are the keys that you are getting.
>>
>> Also for question 2. there were a few fixes added to filter groups in the
>> same vpc, can you please try the latest devel branch,
>>
>>
>> - Benno
>>
>>
>>
>>
>>
>> On Thu, May 28, 2015 at 10:26 AM, Igor Cicimov <
>> [email protected]> wrote:
>>
>>> Replying to myself about the second part of my question re:
>>>
>>> - proto: all
>>>   group_name: group-name
>>>
>>> It came up that the group name has to be unique in the region, otherwise the
>>> call will fail. The AWS console, on the other hand, allows creation of security
>>> groups with the same name in the same region in case they belong to different
>>> VPCs.
>>>
>>>
>>>
>>> On Thursday, May 28, 2015 at 2:33:51 PM UTC+10, Igor Cicimov wrote:
>>>>
>>>> I have the following as part of a play:
>>>>
>>>> - ec2_group:
>>>>     name: group-name
>>>>     description: "firewall"
>>>>     vpc_id: "{{ vpc_id }}"
>>>>     region: "{{ region }}"
>>>>     purge_rules: false
>>>>     purge_rules_egress: false
>>>>     rules:
>>>>       - proto: tcp
>>>>         from_port: 22
>>>>         to_port: 22
>>>>         cidr_ip: 0.0.0.0/0
>>>>       ...
>>>>       #- proto: all
>>>>       #  group_name: group-name
>>>>   register: group_sg
>>>>
>>>> - debug: msg="group_id -- {{ group_sg.group_id }}"
>>>>
>>>> which fails with the error:
>>>>
>>>> TASK: [debug msg="group_id -- {{ group_sg.group_id }}"]
>>>> **********************
>>>> fatal: [localhost] => One or more undefined variables: 'dict object'
>>>> has no attribute 'group_id'
>>>>
>>>> Isn't this the right way of getting this attribute? Or is this not an
>>>> option for a SG created inside a VPC? The SG is being created fine though
>>>> for the specified VPC and region.
>>>>
>>>> Another thing is that I'm unable to use:
>>>>
>>>> - proto: all
>>>>   group_name: group-name
>>>>
>>>> as in the official Ansible page example in the rules since I'm getting
>>>> the following error:
>>>>
>>>> File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line
>>>> 1226, in get_status
>>>> raise self.ResponseError(response.status, response.reason, body)
>>>> boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
>>>> <?xml version="1.0" encoding="UTF-8"?>
>>>> <Response><Errors><Error><Code>InvalidGroup.NotFound</Code><Message>You
>>>> have specified two resources that belong to different
>>>> networks.</Message></Error></Errors><RequestID>dee577be-...</RequestID></Response>
>>>>
>>>> Any ideas?
>>>>
>>>> $ ansible --version
>>>> ansible 1.9.1
>>>>
>>>>
>>>> Thanks,
>>>> Igor
>>>>
>>> --
>>> You received this message because you are subscribed to the Google
>>> Groups "Ansible Project" group.
>>> To unsubscribe from this group and stop receiving emails from it, send
>>> an email to [email protected].
>>> To post to this group, send email to [email protected].
>>> To view this discussion on the web visit
>>> https://groups.google.com/d/msgid/ansible-project/5135d1c1-5d10-40ad-8a4b-22828b94a382%40googlegroups.com
>>>
>>> <https://groups.google.com/d/msgid/ansible-project/5135d1c1-5d10-40ad-8a4b-22828b94a382%40googlegroups.com?utm_medium=email&utm_source=footer>
>>> .
>>>
>>> For more options, visit https://groups.google.com/d/optout.
>>>
>>
>>
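An added example (not code from the thread) of the extraction the top message asks about: with `register` on a looped `ec2_group` task, the registered variable carries one entry per `with_dict` item under `results`, the entries skipped by `when:` have `skipped: true` and no `group_id`, and only the non-skipped entry holds the sg id. The two input structures are constructed from the debug output quoted above, with the same placeholder ids.

```python
# Added example, not code from the thread: pull the security group id
# out of an Ansible registered variable whether the ec2_group task ran
# once or inside a with_dict loop where non-matching items were skipped.
# Both structures below are constructed from the thread's debug output.

SINGLE_RESULT = {
    "invocation": {"module_name": "ec2_group", "module_args": ""},
    "changed": True,
    "group_id": "sg-xxxxxxxx",
}

LOOP_RESULT = {
    "changed": True,
    "msg": "All items completed",
    "results": [
        {"changed": False, "skipped": True},
        {"changed": False, "skipped": True},
        {
            "changed": True,
            "group_id": "sg-xxxxxxxx",
            "invocation": {"module_args": "", "module_name": "ec2_group"},
            "item": {"key": "vpc-xxxxxxxx",
                     "value": {"name": "xxxxxxxx", "region": "eu-west-1"}},
        },
        {"changed": False, "skipped": True},
    ],
}


def group_ids(registered):
    """All group_ids in a registered ec2_group result.

    A single task exposes group_id at the top level; a looped task nests one
    entry per item under "results", and entries skipped by `when:` carry
    "skipped": true and no group_id at all, so they must be filtered out.
    """
    if "results" not in registered:
        return [registered["group_id"]] if "group_id" in registered else []
    return [r["group_id"] for r in registered["results"]
            if not r.get("skipped") and "group_id" in r]


def group_id_for_vpc(registered, vpc_id):
    """group_id of the loop entry whose item key is vpc_id, or None."""
    for r in registered.get("results", []):
        if not r.get("skipped") and r.get("item", {}).get("key") == vpc_id:
            return r.get("group_id")
    return None
```

Inside a play the same selection is expressed with Jinja2 filters (available in Jinja2 2.7 and later), for example `{{ group_sg.results | rejectattr('skipped', 'defined') | map(attribute='group_id') | first }}`.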