Rahul Mehrotra

Reputation: 639

Remove a rule from AWS EC2 Security group using Ansible

I have an Ansible script to create EC2 security group. It looks like this:

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
  register: sg_http

However, this created a security group with inbound HTTP access but also full outbound access. I would like to write a task which deletes the egress rule automatically added by AWS allowing all outgoing traffic, but not the whole security group. I tried using the state as present, but it doesn't seem to work as expected:

- name: Delete HTTP Rule
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    egress_rules:
      - proto: all
        from_port: 0
        to_port: 65535
        cidr_ip: 0.0.0.0/0
        state: absent
  register: sg_http

What would be the better way to do this?

Upvotes: 1

Views: 4198

Answers (2)

RichardN

Reputation: 1

If you don't specify rules, then a default 'allow all' rule is created. If you create an empty list, then no rules are created. This does what you want.

- name: Create HTTP Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
    rules_egress: []
  register: sg_http

Upvotes: 0

ydaetskcoR

Reputation: 56937

By default, the ec2_group module will idempotently set the rules specified for any present groups, as purge_rules and purge_rules_egress both default to true.

If you had previously had a task to create an EC2 security group that looked like:

- name: Create HTTP and HTTPS Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP(S) access
    rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        cidr_ip: 0.0.0.0/0
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 0.0.0.0/0
  register: sg_http

Or if you had otherwise created the security group with the above rules and then decided that you want to block all non-SSL traffic, you can simply change the task to the following:

- name: Create HTTPS only Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTPS access
    rules:
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 0.0.0.0/0
  register: sg_http

To specify outbound/egress rules you must use rules_egress (added in Ansible 1.6). As with rules, if this is not specified anywhere then it defaults to allowing all traffic.

So to combine this, we might want to lock a box down to only being able to communicate out on 3306 to talk to a MySQL database box but also serve HTTPS only traffic coming in:

- name: Create web server security group (HTTPS only inbound and MySQL only outbound)
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTPS access
    rules:
      - proto: tcp
        from_port: 443
        to_port: 443
        cidr_ip: 0.0.0.0/0
    rules_egress:
      - proto: tcp
        from_port: 3306
        to_port: 3306
        cidr_ip: 0.0.0.0/0
  register: sg_http

Setting the state (i.e. absent or present) is only supported on the security group itself rather than on its child rules.

So the following task would make sure that there is no sg_http security group:

- name: Remove sg_http Security Group
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc }}"
    name: sg_http
    description: Security group for HTTP(S) access
    state: absent
  register: sg_http

Upvotes: 2
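Both answers above rest on the same idea: ec2_group is declarative, so you never delete a single rule, you restate the full list and let purge_rules / purge_rules_egress revoke whatever is not in it. The Python below is an added example, written for this page and not code from the question, either answer, or the Ansible module itself. It models that reconciliation with constructed sample rules (the DEFAULT_EGRESS entry stands for the allow-all egress permission AWS attaches to a new VPC security group) and the rules_egress semantics exactly as the answers state them: omitted means "keep the default allow-all", an empty list means "no egress at all", and a populated list means "exactly these". It also includes a small audit check for the open egress rule the question wants gone. Nothing here talks to AWS; it shows which authorize/revoke calls a given task would turn into.

```python
"""
Model of how ec2_group reconciles a security group's rules.

Added example, not Ansible's own code: it reproduces the desired-state
behaviour described in the answers (purge defaults to true, omitted
rules_egress keeps the default allow-all rule, an empty list removes it)
so the effect of a task can be inspected before it touches a real account.
All sample rules below are constructed.
"""
from typing import Any, Dict, List, Optional, Tuple

Rule = Dict[str, Any]
# (proto, from_port, to_port, cidr_ip): the fields AWS matches a permission by.
RuleKey = Tuple[str, Optional[int], Optional[int], str]

# Constructed: the egress permission AWS adds to every new VPC security group.
DEFAULT_EGRESS: Rule = {"proto": "-1", "from_port": None, "to_port": None,
                        "cidr_ip": "0.0.0.0/0"}


def normalise(rule: Rule) -> RuleKey:
    """Reduce a task-style rule to the tuple AWS compares permissions by.

    Only proto/from_port/to_port/cidr_ip take part. There is no per-rule
    'state' key, which is why 'state: absent' inside a rule has no effect:
    a rule is removed by leaving it out of the list, not by flagging it.
    """
    proto = str(rule["proto"]).lower()
    if proto in ("all", "-1"):
        # AWS writes 'all protocols' as -1 and it carries no port range.
        return ("-1", None, None, str(rule["cidr_ip"]))
    return (proto, int(rule["from_port"]), int(rule["to_port"]),
            str(rule["cidr_ip"]))


def reconcile(current: List[Rule], desired: List[Rule],
              purge: bool = True) -> Tuple[List[RuleKey], List[RuleKey]]:
    """Return (authorize, revoke): the calls needed to move current -> desired.

    purge=True mirrors the module default: anything present but not desired
    is revoked. purge=False only adds what is missing and leaves the rest.
    """
    have = {normalise(r) for r in current}
    want = {normalise(r) for r in desired}
    authorize = sorted(want - have, key=str)
    revoke = sorted(have - want, key=str) if purge else []
    return authorize, revoke


def egress_plan(current_egress: List[Rule], rules_egress: Optional[List[Rule]],
                purge: bool = True) -> Tuple[List[RuleKey], List[RuleKey]]:
    """Apply the rules_egress semantics from the answers.

    None  -> parameter omitted: the default allow-all rule is kept.
    []    -> explicitly no egress: the default rule is purged.
    [...] -> exactly these egress rules and nothing else.
    """
    desired = [DEFAULT_EGRESS] if rules_egress is None else rules_egress
    return reconcile(current_egress, desired, purge)


def has_open_egress(rules: List[Rule]) -> bool:
    """Audit check: does any rule allow every protocol out to the Internet?"""
    return any(normalise(r) == ("-1", None, None, "0.0.0.0/0") for r in rules)


if __name__ == "__main__":
    # Constructed: what AWS holds right after the question's first task ran.
    current_egress = [DEFAULT_EGRESS]
    mysql_only = [{"proto": "tcp", "from_port": 3306, "to_port": 3306,
                   "cidr_ip": "0.0.0.0/0"}]
    for label, rules_egress in (("omitted", None),
                                ("empty list", []),
                                ("3306 only", mysql_only)):
        authorize, revoke = egress_plan(current_egress, rules_egress)
        print(f"rules_egress {label}: authorize={authorize} revoke={revoke}")
    print("open egress present:", has_open_egress(current_egress))
```

Run it and the three lines show the point of both answers: with rules_egress omitted nothing changes, with an empty list the only call is a revoke of the allow-all rule, and with the 3306 rule the plan is one authorize plus that same revoke. The same reconcile() applied to the inbound list explains the HTTP+HTTPS to HTTPS-only change in the second answer: port 80 is revoked simply because it is no longer listed.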
