Hi Josh, On Sunday, 3 September 2017 13:30:12 UTC+1, Josh Smift wrote:
> When you specify 138.68.174.135/20, that gets translated to the arguably
> more correct 138.68.160.0/20 when AWS creates the rule, but then Ansible
> doesn't do that translation when it checks if the rule already exists --
> it looks for 138.68.174.135/20, sees 138.68.160.0/20, doesn't realize
> they're equivalent, tries to add the rule, and gets the error.

Good spot - that's exactly the problem, and stems from the fact that the security group constrains access at subnet level, and has no deeper granularity. If I want to restrict access to a single IP in a subnet, I need to do that with a NACL.

In my mind I was thinking that if I specify the IP of the machine I wish to allow, in CIDR notation, the security group would be configured to allow that IP/Netmask, without noticing that in fact it translates it to the network within which the IP sits.

Whether Ansible's behaviour is correct (I believe it isn't) is another question, but for my use case, I can just use the network in the security group and then overlay with the ACL.

Thanks!

S.
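An added illustration of the idempotency problem Josh describes, not code from Ansible or from either poster: it normalises a CIDR the way AWS stores it (host bits cleared) before comparing the rules a playbook asks for with the rules that already exist, and shows that a purely textual comparison keeps re-adding the same rule. The rule tuple layout and the sample rules are constructed for the example.

```python
"""Why an unnormalised CIDR makes a security-group rule check non-idempotent."""
import ipaddress


def normalize_cidr(cidr: str) -> str:
    """Return the CIDR as AWS stores it: host bits cleared.

    138.68.174.135/20 -> 138.68.160.0/20; a /32 is already a single host and is unchanged.
    """
    # strict=False makes ipaddress clear the host bits instead of raising ValueError.
    return str(ipaddress.ip_network(cidr, strict=False))


def rules_to_add(desired, existing, normalize=True):
    """Return the rules in `desired` that are not already present in `existing`.

    Each rule is a constructed (proto, from_port, to_port, cidr) tuple. With
    normalize=False the comparison is textual, which is the behaviour described in
    the thread: the desired 138.68.174.135/20 never matches the stored 138.68.160.0/20,
    so the rule is re-added on every run and AWS rejects it as a duplicate.
    """
    def key(rule):
        proto, from_port, to_port, cidr = rule
        return (proto, from_port, to_port, normalize_cidr(cidr) if normalize else cidr)

    have = {key(r) for r in existing}
    return [r for r in desired if key(r) not in have]


# Constructed sample data: what the playbook asks for vs. what AWS reports back.
DESIRED = [("tcp", 22, 22, "138.68.174.135/20")]
EXISTING = [("tcp", 22, 22, "138.68.160.0/20")]

if __name__ == "__main__":
    print("textual compare:   ", rules_to_add(DESIRED, EXISTING, normalize=False))
    print("normalised compare:", rules_to_add(DESIRED, EXISTING))
```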
