Dear Citizens of Ansible Project,

I may have a need to export large numbers of security groups from VPCs and 
import them into new VPCs; basically I want to clone all the security 
groups from one VPC, and import them to another. 

Naturally, I thought of doing this using Ansible. 

I have found scripts that dump ec2_group_facts or similar and migrate them 
to new regions for example: https://github.com/Suncatcher/aws_sg_migrate

To my mind, it would be preferable to have a copy of the security groups in 
ec2_group format, so that I can use Ansible to make the changes. Going 
forward, people who edit the Ansible ec2_group rules should commit changes 
to Git first, so we can track who makes changes to security rules for 
auditing purposes. It seems preferable to use Ansible as the tool of choice, 
but maybe there is a better way? My initial impression is that it makes 
sense to maintain Ansible playbooks using ec2_group to maintain Security 
Groups.

There are a fairly large number of Security Groups that need to be 
maintained, so if there's a script out there that exports from 
ec2_group_facts and imports into ec2_group, it would save a lot of time.

Ec2_group_facts output looks like this:
===============================================
    "security_groups": [
        {
            "description": "SecGrp for DB  server", 
            "group_id": "sg-1234567a", 
            "group_name": "DBServer-SecGrp", 
            "ip_permissions": [
                {
                    "from_port": 1433, 
                    "ip_protocol": "tcp", 
                    "ip_ranges": [
                        {
                            "cidr_ip": "x.x.x.x/xx"
                        }
                    ], 
                    "ipv6_ranges": [], 
                    "prefix_list_ids": [], 
                    "to_port": 1433, 
                    "user_id_group_pairs": []
                }, 
                {
                    "from_port": 80, 
                    "ip_protocol": "tcp", 
                    "ip_ranges": [
                        {
                            "cidr_ip": "x.x.x.x/xx"
                        }, 
                        {
                            "cidr_ip": "x.x.x.x/xx"
                        }
                    ], 
                    "ipv6_ranges": [], 
                    "prefix_list_ids": [], 
                    "to_port": 80, 
                    "user_id_group_pairs": []
                }, 
                {
                    "from_port": 0, 
                    "ip_protocol": "tcp", 
                    "ip_ranges": [
                        {
                            "cidr_ip": "x.x.x.x/xx"
                        }
                    ], 
                    "ipv6_ranges": [], 
                    "prefix_list_ids": [], 
                    "to_port": 65535, 
                    "user_id_group_pairs": []
                }, 
===================================================
# tasks file for security_groups2
- name: AWS SG - New Environment
  ec2_group:
    name: DBServer-SecGrp
    description: SecGrp for DB Server
    vpc_id: "{{ vpc_id }}"
    state: present
    region: us-east-1
    rules:
      # SQL Server port, matching the from_port/to_port 1433 entry in the facts above
      - proto: tcp
        ports:
          - 1433
        cidr_ip: x.x.x.x/xx
      # The facts show two cidr_ip entries for port 80, hence two rules here
      - proto: tcp
        ports:
          - 80
        cidr_ip: x.x.x.x/xx
      - proto: tcp
        ports:
          - 80
        cidr_ip: x.x.x.x/xx
      # Full TCP port range; ec2_group needs a source (cidr_ip or group) on every rule
      - proto: tcp
        from_port: 0
        to_port: 65535
        cidr_ip: x.x.x.x/xx
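An added example of the export/import glue the post is asking about, written for this reply and not taken from the linked aws_sg_migrate repository or from Ansible itself. It takes a structure shaped like the ec2_group_facts output above (the sample data is constructed, with placeholder CIDRs, group ids and account id), turns each group into an ec2_group task in the same shape as the hand-written task, splits facts entries that mix IPv4, IPv6 and group sources into one rule per source kind, rewrites cross-group references from group_id to group_name (ids do not survive a move to another VPC, names are resolved inside the target vpc_id), and flags ingress rules open to any address so they get a look before the import runs. The vpc_id expression, task naming and the `render()` fallback to JSON (which is valid YAML) are choices made here, not anything the module prescribes.

```python
import json

# Constructed sample shaped like the ec2_group_facts output in the post.
# CIDRs, group ids and the account id are placeholders, not real resources.
SAMPLE_FACTS = {
    "security_groups": [
        {
            "description": "SecGrp for DB server",
            "group_id": "sg-1234567a",
            "group_name": "DBServer-SecGrp",
            "ip_permissions": [
                {"from_port": 1433, "to_port": 1433, "ip_protocol": "tcp",
                 "ip_ranges": [{"cidr_ip": "10.0.1.0/24"}], "ipv6_ranges": [],
                 "prefix_list_ids": [], "user_id_group_pairs": []},
                {"from_port": 80, "to_port": 80, "ip_protocol": "tcp",
                 "ip_ranges": [{"cidr_ip": "10.0.2.0/24"}, {"cidr_ip": "10.0.3.0/24"}],
                 "ipv6_ranges": [], "prefix_list_ids": [], "user_id_group_pairs": []},
                {"from_port": 0, "to_port": 65535, "ip_protocol": "tcp",
                 "ip_ranges": [{"cidr_ip": "0.0.0.0/0"}], "ipv6_ranges": [],
                 "prefix_list_ids": [], "user_id_group_pairs": []},
                {"from_port": 22, "to_port": 22, "ip_protocol": "tcp",
                 "ip_ranges": [], "ipv6_ranges": [{"cidr_ipv6": "2001:db8::/32"}],
                 "prefix_list_ids": [],
                 "user_id_group_pairs": [{"group_id": "sg-0bastion0", "user_id": "123456789012"}]},
            ],
            "ip_permissions_egress": [
                {"ip_protocol": "-1", "ip_ranges": [{"cidr_ip": "0.0.0.0/0"}],
                 "ipv6_ranges": [], "prefix_list_ids": [], "user_id_group_pairs": []},
            ],
        },
        {"description": "Bastion hosts", "group_id": "sg-0bastion0",
         "group_name": "Bastion-SecGrp", "ip_permissions": [], "ip_permissions_egress": []},
    ]
}


def _one_or_list(values):
    # ec2_group accepts either a single CIDR string or a list of them.
    return values[0] if len(values) == 1 else values


def permission_to_rules(perm, id_to_name):
    """Translate one ip_permissions entry into ec2_group `rules` entries.

    A facts entry can carry IPv4 ranges, IPv6 ranges and group references at
    once; each ec2_group rule names one source kind, so the entry is split.
    """
    base = {"proto": "all" if perm["ip_protocol"] == "-1" else perm["ip_protocol"]}
    if "from_port" in perm:  # protocol "-1" (all) entries carry no ports
        base["from_port"] = perm["from_port"]
        base["to_port"] = perm["to_port"]
    rules = []
    if perm.get("ip_ranges"):
        rules.append(dict(base, cidr_ip=_one_or_list([r["cidr_ip"] for r in perm["ip_ranges"]])))
    if perm.get("ipv6_ranges"):
        rules.append(dict(base, cidr_ipv6=_one_or_list([r["cidr_ipv6"] for r in perm["ipv6_ranges"]])))
    for pair in perm.get("user_id_group_pairs", []):
        # Group ids belong to the source VPC; refer by name so the rule resolves
        # in the target VPC. Unknown ids are passed through for a human to fix.
        rules.append(dict(base, group_name=id_to_name.get(pair["group_id"], pair["group_id"])))
    if perm.get("prefix_list_ids"):
        # Not translated here: fail loudly rather than silently drop a source.
        raise ValueError("prefix list sources need manual handling: %r" % perm["prefix_list_ids"])
    return rules


def facts_to_tasks(facts, region, vpc_id_expr="{{ vpc_id }}"):
    """Build one ec2_group task per group, in the shape of the post's hand-written task."""
    groups = facts["security_groups"]
    id_to_name = {g["group_id"]: g["group_name"] for g in groups}
    tasks = []
    for g in groups:
        rules, egress = [], []
        for perm in g.get("ip_permissions", []):
            rules.extend(permission_to_rules(perm, id_to_name))
        for perm in g.get("ip_permissions_egress", []):
            egress.extend(permission_to_rules(perm, id_to_name))
        tasks.append({"name": "AWS SG - " + g["group_name"],
                      "ec2_group": {"name": g["group_name"], "description": g["description"],
                                    "vpc_id": vpc_id_expr, "region": region, "state": "present",
                                    "rules": rules, "rules_egress": egress}})
    return tasks


def wide_open_ingress(tasks):
    """Return (group name, rule) pairs whose ingress source is any address, for review before import."""
    found = []
    for t in tasks:
        for r in t["ec2_group"]["rules"]:
            sources = []
            for key in ("cidr_ip", "cidr_ipv6"):
                v = r.get(key, [])
                sources.extend([v] if isinstance(v, str) else v)
            if any(s in ("0.0.0.0/0", "::/0") for s in sources):
                found.append((t["ec2_group"]["name"], r))
    return found


def render(tasks):
    """Render a tasks file; uses PyYAML when present, otherwise JSON, which is valid YAML."""
    try:
        import yaml
        return yaml.safe_dump(tasks, default_flow_style=False)
    except ImportError:
        return json.dumps(tasks, indent=2)


if __name__ == "__main__":
    tasks = facts_to_tasks(SAMPLE_FACTS, region="us-east-1")
    for name, rule in wide_open_ingress(tasks):
        print("# REVIEW: %s allows %r from anywhere" % (name, rule))
    print(render(tasks))
```

Two things to keep in mind when running the resulting tasks file: ec2_group purges rules not listed in the task by default, so the generated file must be complete for each group before it is applied, and a group that references another group by name needs that group to exist first, so order the tasks accordingly (for two groups that reference each other, create both with no rules first, then apply the full rule sets).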

To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/44d85b65-c4e9-4db8-ade0-fd9afebc0dfa%40googlegroups.com.