Hi all,
I'm using Ansible 1.7 and trying to populate an ec2_group with a list of
allowed IPs inbound. My playbook looks like so:
---
- name: Allow specific hosts to talk to my instance
  hosts: localhost
  connection: local
  vars:
    ec2_region: us-east-1
    vpc_id: vpc-12345
    sg_name: very-secure-group
    sg_description: A very secure group
    ips:
      - 1.2.3.4/32
      - 1.2.3.5/32
      - 1.2.3.6/32
      - 1.2.3.7/32
  tasks:
    - name: Create a very secure group
      local_action:
        module: ec2_group
        name: "{{ sg_name }}"
        description: "{{ sg_description }}"
        region: "{{ ec2_region }}"
        vpc_id: "{{ vpc_id }}"
        rules:
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: "{{ ips }}"
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 6.7.8.9/32
        rules_egress:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 6.7.8.9/32
The security group creates just fine when I run this playbook. However, on
subsequent runs, I get the following error from AWS/boto:
<Response><Errors><Error><Code>InvalidPermission.Duplicate</Code><Message>the specified rule "peer: 1.2.3.4/32, TCP, from port: 443, to port: 443, ALLOW" already exists</Message></Error></Errors><RequestID>blahblah</RequestID></Response>
So I can't re-run the playbook to add/remove rules. I know this is an AWS
issue, but I'd prefer not to have to write a rule for each and every IP. I
tried to do a "with_items" loop to generate the rules, but that also fails
- it just adds a new rule over the top of the old one over and over
(presumably because it calls the ec2_group module for every item?)
Is there another way to specify a rather lengthy list of IPs without having
to create a rule for each one?
Many thanks.
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/fe92790b-8ca5-4331-8d61-7a6e6a39a73e%40googlegroups.com.
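One way to keep a single CIDR list while still giving ec2_group one rule per address: expand the list into rule dictionaries inside the play, so every run submits the identical rule set instead of a new rule per loop iteration. This is an added example, not the poster's playbook; it assumes Ansible 1.x semantics where set_fact inside a with_items loop can accumulate into a list, and the names https_rules and ssh_rule are introduced here.

```yaml
---
# Added example (not from the original post). Builds the 443 rules from the
# "ips" list at play time, then passes the whole list to ec2_group once.
# Assumes Ansible 1.x templating: a templated string that evaluates to a list
# is handed to the module as a list. "https_rules" and "ssh_rule" are names
# chosen for this example.
- name: Allow specific hosts to talk to my instance
  hosts: localhost
  connection: local
  vars:
    ec2_region: us-east-1
    vpc_id: vpc-12345
    sg_name: very-secure-group
    sg_description: A very secure group
    ips:
      - 1.2.3.4/32
      - 1.2.3.5/32
      - 1.2.3.6/32
      - 1.2.3.7/32
    # The single management host allowed on 22, kept as one dict so the same
    # value is reused for ingress below.
    ssh_rule:
      proto: tcp
      from_port: 22
      to_port: 22
      cidr_ip: 6.7.8.9/32
  tasks:
    - name: Expand the CIDR list into one 443 rule per entry
      set_fact:
        https_rules: "{{ https_rules | default([]) + [ {'proto': 'tcp', 'from_port': 443, 'to_port': 443, 'cidr_ip': item} ] }}"
      with_items: "{{ ips }}"

    - name: Create a very secure group (same rule list every run)
      local_action:
        module: ec2_group
        name: "{{ sg_name }}"
        description: "{{ sg_description }}"
        region: "{{ ec2_region }}"
        vpc_id: "{{ vpc_id }}"
        # ec2_group is called once with the full list, so re-running the play
        # presents AWS with the rules it already has rather than duplicates.
        rules: "{{ https_rules + [ ssh_rule ] }}"
        rules_egress:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 6.7.8.9/32
```

Adding or removing an address is then a one-line change to `ips`, and the expanded list can be inspected with a `debug: var=https_rules` task before the group is touched.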