The purge functionality is actually quite nice for my use case, however. 
I'm dynamically gathering a list of hosts with a particular tag, then 
creating security group ingress rules to allow only those IPs (oh, the joys 
of VPC / public cloud inter-networking). So if a host is stopped/started, I 
need to get rid of the old IP and replace it with the new one when I run my 
playbook.

I solved this problem via the template method linked to previously. I'm not 
sure if updated Ansible code to loop through a list and create individual 
rules would be appropriate or not (I'm guessing not), so this may be the 
best method anyway.

Thanks for your help.

-Aaron


On Friday, September 5, 2014 1:36:31 PM UTC-6, James Cammarata wrote:
>
> I ask, because as far as I can tell from looking at the source code, we do 
> not check that the cidr_ip may be a list of IPs rather than a single item. 
> That means for things like this (where ip is the cidr_ip from the parsed 
> rule data structure):
>
>   ruleId = "%s-%s-%s-%s-%s-%s" % ('out', rule['proto'], rule['from_port'], rule['to_port'], group_id, ip)
>
> The ruleId would seemingly be invalid, and the lookups/creation would not 
> work as expected.
>
> Alternatively to the template/include idea, 1.8 has added the params 
> purge_rules and purge_rules_egress, which when set to "no" means you should 
> be able to add the rules in a loop without removing old rules.
>
>
> On Fri, Sep 5, 2014 at 10:38 AM, Aaron Mills <[email protected]> wrote:
>
>> It's valid. When you run a playbook that passes a list of IPs, it'll 
>> generate a rule for each IP in the list. However, when you run the playbook 
>> a second time, AWS throws an error that those SG entries already exist. 
>>
>> I was cribbing from Michael DeHaan's solution here 
>> <https://groups.google.com/forum/#!searchin/ansible-project/ec2_group/ansible-project/5wvplmni_-A/bSqml4aNx0YJ>.
>>  
>> Looks like others have solved this with a template 
>> <https://groups.google.com/forum/#!searchin/ansible-project/ec2_group$20template/ansible-project/a8y1v2-R8Zw/DJY1J4XaZpAJ>.
>>
>>
>> On Thursday, September 4, 2014 9:30:50 PM UTC-6, James Cammarata wrote:
>>>
>>> Hi Aaron, is it valid to specify a list of IPs for the cidr_ip value in 
>>> the rules (or was this a cut/paste mistake)?
>>>
>>>
>>
>
>

-- 
You received this message because you are subscribed to the Google Groups 
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email 
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit 
https://groups.google.com/d/msgid/ansible-project/e8213f29-1b4d-47f0-81bc-67daeb806a4d%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.
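
Added example, not part of the original thread and not Ansible's own code: it reuses the format string quoted above to show the key that results when cidr_ip is a list, then expands the rule to one key per IP and works out which entries to authorize and which stale ones to revoke. The group id, addresses and helper names are constructed for illustration.

```python
# Added illustration. rule_id() copies the format string quoted in the thread;
# every other name and all sample data below are hypothetical.

def rule_id(direction, rule, group_id, ip):
    """Build the lookup key with the format string quoted in the thread."""
    return "%s-%s-%s-%s-%s-%s" % (direction, rule['proto'], rule['from_port'],
                                  rule['to_port'], group_id, ip)

def expand_rule(direction, rule, group_id):
    """Return {key: cidr}, accepting cidr_ip as a single string or a list."""
    cidrs = rule['cidr_ip']
    if isinstance(cidrs, str):
        cidrs = [cidrs]
    return {rule_id(direction, rule, group_id, c): c for c in cidrs}

def reconcile(desired, existing, purge=True):
    """Keys to authorize and keys to revoke; with purge off nothing is revoked."""
    to_add = sorted(set(desired) - set(existing))
    to_revoke = sorted(set(existing) - set(desired)) if purge else []
    return to_add, to_revoke

# Constructed sample: SSH ingress for two tagged hosts.
GROUP = 'sg-EXAMPLE'
RULE = {'proto': 'tcp', 'from_port': 22, 'to_port': 22,
        'cidr_ip': ['10.0.0.5/32', '10.0.0.9/32']}
# Keys already present in the group; 10.0.0.7 is the old IP of a restarted host.
EXISTING = {'in-tcp-22-22-sg-EXAMPLE-10.0.0.5/32',
            'in-tcp-22-22-sg-EXAMPLE-10.0.0.7/32'}

def demo():
    # Passing the whole list yields one key that matches no existing entry.
    collapsed = rule_id('in', RULE, GROUP, RULE['cidr_ip'])
    desired = expand_rule('in', RULE, GROUP)
    return collapsed, reconcile(desired, EXISTING)

if __name__ == '__main__':
    collapsed, (add, revoke) = demo()
    print('list-valued key:', collapsed)
    print('authorize:', add)
    print('revoke   :', revoke)
```
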
