Dear Citizens of Ansible Project, I may have a need to export large numbers of security groups from VPCs and import them into new VPCs; basically I want to clone all the security groups from one VPC, and import them to another.
Naturally, I thought of doing this using Ansible. I have found scripts that dump ec2_group_facts or similar and migrate them to new regions, for example: https://github.com/Suncatcher/aws_sg_migrate

To my mind, it would be preferable to have a copy of the security groups in ec2_group format, so that I can use Ansible to make the changes. Going forward, people who edit the Ansible ec2_group rules should commit changes to Git first, so we can track who makes changes to security rules for auditing purposes.

It seems preferable to use Ansible as the tool of choice, but maybe there is a better way? My initial impression is that it makes sense to maintain Ansible playbooks using ec2_group to maintain Security Groups. There are a fairly large number of Security Groups that need to be maintained, so if there's a script out there that exports from ec2_group_facts and imports into ec2_group it would save a lot of time.

ec2_group_facts output looks like this:

===============================================
"security_groups": [
    {
        "description": "SecGrp for DB server",
        "group_id": "sg-1234567a",
        "group_name": "DBServer-SecGrp",
        "ip_permissions": [
            {
                "from_port": 1433,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 1433,
                "user_id_group_pairs": []
            },
            {
                "from_port": 80,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    },
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 80,
                "user_id_group_pairs": []
            },
            {
                "from_port": 0,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 65535,
                "user_id_group_pairs": []
            },
=====================================

The same snippet in ec2_group looks like this:

"security_groups": [
    {
        "description": "SecGrp for DB server",
        "group_id": "sg-1234567a",
        "group_name": "DBServer-SecGrp",
        "ip_permissions": [
            {
                "from_port": 1433,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 1433,
                "user_id_group_pairs": []
            },
            {
                "from_port": 80,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    },
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 80,
                "user_id_group_pairs": []
            },
            {
                "from_port": 0,
                "ip_protocol": "tcp",
                "ip_ranges": [
                    {
                        "cidr_ip": "x.x.x.x/xx"
                    }
                ],
                "ipv6_ranges": [],
                "prefix_list_ids": [],
                "to_port": 65535,
                "user_id_group_pairs": []
            },
==================================

Thanks for any feedback,
Simon
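The conversion Simon is asking about, as an added example that is not part of the original post and not taken from the linked aws_sg_migrate repository: a small Python script that takes ec2_group_facts output (a constructed sample below, with made-up CIDRs and IDs) and produces one ec2_group task per group, re-homed to a target VPC. It rewrites group-to-group references from group_id to group_name, because IDs do not survive a move to another VPC, maps protocol "-1" to proto "all", and drops prefix_list_ids, which are VPC-specific. The rule keys used (proto, from_port, to_port, cidr_ip, cidr_ipv6, group_id, group_name, rules, rules_egress, purge_rules, purge_rules_egress) are the ec2_group module's documented parameters; the target VPC ID is a placeholder. Since the stated goal is auditability via Git, the script also flags any ingress rule that is open to the world on all ports before the playbook is committed.

```python
"""Convert ec2_group_facts output into ec2_group tasks (added example, not the poster's code)."""
import json
from typing import Dict, List, Tuple

# Constructed sample in the shape of ec2_group_facts output; CIDRs and IDs are made up.
SAMPLE_FACTS = {
    "security_groups": [
        {
            "description": "SecGrp for DB server",
            "group_id": "sg-1234567a",
            "group_name": "DBServer-SecGrp",
            "ip_permissions": [
                {"from_port": 1433, "ip_protocol": "tcp",
                 "ip_ranges": [{"cidr_ip": "10.10.0.0/24"}],
                 "ipv6_ranges": [], "prefix_list_ids": [], "to_port": 1433,
                 # reference to another group in the same export, by ID
                 "user_id_group_pairs": [{"group_id": "sg-0000beef", "user_id": "123456789012"}]},
                {"from_port": 0, "ip_protocol": "tcp",
                 "ip_ranges": [{"cidr_ip": "0.0.0.0/0"}],
                 "ipv6_ranges": [], "prefix_list_ids": [], "to_port": 65535,
                 "user_id_group_pairs": []},
            ],
            # "all traffic" egress: protocol -1 and no port keys at all
            "ip_permissions_egress": [
                {"ip_protocol": "-1", "ip_ranges": [{"cidr_ip": "0.0.0.0/0"}],
                 "ipv6_ranges": [], "prefix_list_ids": [], "user_id_group_pairs": []}
            ],
        },
        {"description": "Web tier", "group_id": "sg-0000beef", "group_name": "Web-SecGrp",
         "ip_permissions": [], "ip_permissions_egress": []},
    ]
}


def permission_to_rules(perm: Dict, id_to_name: Dict[str, str]) -> List[Dict]:
    """Expand one ip_permissions entry into ec2_group rule items, one per source."""
    proto = "all" if perm["ip_protocol"] == "-1" else perm["ip_protocol"]
    base = {"proto": proto}
    if "from_port" in perm:  # absent when the protocol is -1 (all traffic)
        base["from_port"] = perm["from_port"]
        base["to_port"] = perm["to_port"]
    rules = []
    for r in perm.get("ip_ranges", []):
        rules.append({**base, "cidr_ip": r["cidr_ip"]})
    for r in perm.get("ipv6_ranges", []):
        rules.append({**base, "cidr_ipv6": r["cidr_ipv6"]})
    for pair in perm.get("user_id_group_pairs", []):
        gid = pair["group_id"]
        # Group IDs differ per VPC, so refer to exported groups by name instead.
        rules.append({**base, "group_name": id_to_name[gid]} if gid in id_to_name
                     else {**base, "group_id": gid})
    # prefix_list_ids are tied to the source VPC and are deliberately not carried over.
    return rules


def facts_to_tasks(facts: Dict, target_vpc: str) -> List[Dict]:
    """Build one ec2_group task per exported group, re-homed to target_vpc."""
    groups = facts["security_groups"]
    id_to_name = {g["group_id"]: g["group_name"] for g in groups}

    def expand(perms: List[Dict]) -> List[Dict]:
        return [r for p in perms for r in permission_to_rules(p, id_to_name)]

    tasks = []
    for g in groups:
        tasks.append({
            "name": "Security group %s" % g["group_name"],
            "ec2_group": {
                "name": g["group_name"],
                "description": g["description"],
                "vpc_id": target_vpc,
                "rules": expand(g.get("ip_permissions", [])),
                "rules_egress": expand(g.get("ip_permissions_egress", [])),
                # purge so the committed playbook is the single source of truth
                "purge_rules": True,
                "purge_rules_egress": True,
            },
        })
    return tasks


def find_broad_rules(tasks: List[Dict]) -> List[Tuple[str, Dict]]:
    """Audit check: ingress rules open to the whole internet on every port."""
    findings = []
    for t in tasks:
        for r in t["ec2_group"]["rules"]:
            world = r.get("cidr_ip") == "0.0.0.0/0" or r.get("cidr_ipv6") == "::/0"
            all_ports = r["proto"] == "all" or (r.get("from_port") == 0 and r.get("to_port") == 65535)
            if world and all_ports:
                findings.append((t["ec2_group"]["name"], r))
    return findings


def render_playbook(tasks: List[Dict]) -> str:
    """Serialise as a playbook. JSON is valid YAML, so PyYAML is not required."""
    play = [{"hosts": "localhost", "connection": "local", "gather_facts": False, "tasks": tasks}]
    return json.dumps(play, indent=2)


if __name__ == "__main__":
    generated = facts_to_tasks(SAMPLE_FACTS, "vpc-TARGET-PLACEHOLDER")  # placeholder VPC ID
    for group_name, rule in find_broad_rules(generated):
        print("WARNING: %s has a world-open rule: %s" % (group_name, rule))
    print(render_playbook(generated))
```

In practice the input would come from a registered ec2_group_facts result dumped with the copy module, and the output file would be the artifact committed to Git; running the broad-rule check as a pre-commit step gives the audit trail the post asks for a chance to reject obviously risky rules before they are applied to the new VPC.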