Eldad Assis

Reputation: 11045

Ansible AWS EC2 security group not updated

I have a playbook that creates VPC security groups.
It works well, but many times an update to an existing security group (mostly adding or removing ports) is not applied (not detected by Ansible).

Original code:

- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers

New code: (added port 4567)

- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers

The output from the Ansible run is:

TASK [vpc : create sg_riemann_server rules] ************************************
ok: [localhost -> localhost] => {"changed": false, "group_id": "sg-ce89bcaa"}

Any idea why it's not updated with new port (4567)?

Upvotes: 2

Views: 904

Answers (1)

Pasi H

Reputation: 2628

There are two items with a key rules in the task create sg_riemann_elb rules and one is overwriting the other. The fix is to define only one rules key with a list of security group rules, like this:

    ...
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
    ...

Upvotes: 3
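A pre-run check for the failure mode the answer describes, added here as an example that is not part of the question, the answer, or Ansible itself: a small line-based scanner that flags a key repeated within one block mapping, so a task whose second rules: silently discards the first is caught before the play touches a security group. The sample task is constructed to mirror the shape of the question's "new code"; it only handles the block style used in playbooks, not flow style or multi-line scalars.

```python
import re
from typing import List, Set, Tuple

# Constructed sample (not the poster's full task): same shape as the
# question's "new code", including the duplicated "rules:" key.
DUPLICATED_TASK = """\
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    name: "sg_riemann_elb"
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
"""

# Matches "key:" or "- key:" at the start of a line, capturing indentation.
KEY_RE = re.compile(r"^(\s*)(- )?([A-Za-z_][\w-]*):(\s|$)")

def find_duplicate_keys(yaml_text: str) -> List[Tuple[int, str]]:
    """Return (line_number, key) for every block-mapping key that repeats an
    earlier key of the same mapping (the later value would silently win)."""
    frames: List[Tuple[int, Set[str]]] = []  # (indent, keys seen) per open mapping
    duplicates: List[Tuple[int, str]] = []
    for lineno, line in enumerate(yaml_text.splitlines(), 1):
        m = KEY_RE.match(line)
        if not m:
            continue
        indent, dash, key = len(m.group(1)), m.group(2), m.group(3)
        if dash:  # "- key:" starts a fresh mapping for this list item
            indent += 2
            while frames and frames[-1][0] >= indent:
                frames.pop()
            frames.append((indent, set()))
        while frames and frames[-1][0] > indent:  # left a nested mapping
            frames.pop()
        if not frames or frames[-1][0] != indent:
            frames.append((indent, set()))
        if key in frames[-1][1]:
            duplicates.append((lineno, key))
        frames[-1][1].add(key)
    return duplicates

if __name__ == "__main__":
    for lineno, key in find_duplicate_keys(DUPLICATED_TASK):
        print(f"line {lineno}: duplicate key '{key}' (earlier value is discarded)")
```

The same "name" key appearing both on the task and inside local_action is not reported, since those are different mappings.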
