Thanks for replying Benno. I did exactly that with debugging and can see
where the problem is.
First let me say I haven't been completely honest about the way I've been
invoking the ec2_module. I have simplified the call for readability, but
from the debug output I can see I shouldn't have, since it covers the
problem. In case I do:
- ec2_group:
    name: group-{{ ec2_env }}
    description: "firewall"
    vpc_id: "vpc-xxxxxxxx"
    region: "eu-west-1"
    ...
  register: group_sg
then all is fine. The debug message is simple:
ok: [localhost] => {
    "msg": "group_id -- {'invocation': {'module_name': u'ec2_group', 'module_args': ''}, 'changed': True, 'group_id': 'sg-xxxxxxxx'}"
}
However, in my case I'm invoking ec2_group via a with_dict loop as given below:
- hosts: localhost
  connection: local
  gather_facts: false
  vars_files:
    - group_vars/app_servers
    - group_vars/vpcs
  tasks:
    - name: "Some group"
      ec2_group:
        name: group-{{ ec2_env }}
        description: "group firewall"
        vpc_id: "{{ item.key }}"
        region: "{{ item.value.region }}"
        purge_rules: false
        purge_rules_egress: false
        rules:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0
          - proto: tcp
            from_port: xxxxx
            to_port: xxxxx
            cidr_ip: "{{ item.value.cidr }}"
          .
          .
          .
          - proto: all
            group_name: group-{{ ec2_env }}
        rules_egress:
          - proto: all
            type: all
            cidr_ip: 0.0.0.0/0
      with_dict: vpc
      when: item.value.name == ec2_env
      register: group_sg
where the dictionary is a VPC mapping as follows:
vpc:
  vpc-xxxxxxxx:
    name: nameX
    region: ap-southeast-2
    cidr: "xxxxxxxx/16"
    subnets:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
    subnets_app:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
    subnets_db:
      - { zone: "ap-southeast-2a", subnet: "subnet-xxxxxxxx" }
      - { zone: "ap-southeast-2b", subnet: "subnet-xxxxxxxx" }
  .
  .
  .
  vpc-yyyyyyyy:
    name: nameY
    region: eu-west-1
    cidr: "xxxxxxxx/16"
    subnets:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
    subnets_app:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
    subnets_db:
      - { zone: "eu-west-1a", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1b", subnet: "subnet-xxxxxxxx" }
      - { zone: "eu-west-1c", subnet: "subnet-xxxxxxxx" }
in which case I get the following complex structure as output:
TASK: [debug var=group_sg]
***************************************************
ok: [localhost] => {
    "var": {
        "group_sg": {
            "changed": true,
            "msg": "All items completed",
            "results": [
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": false,
                    "skipped": true
                },
                {
                    "changed": true,
                    "group_id": "sg-xxxxxxxx",
                    "invocation": {
                        "module_args": "",
                        "module_name": "ec2_group"
                    },
                    "item": {
                        "key": "vpc-xxxxxxxx",
                        "value": {
                            "cidr": "xxxxxxxx/16",
                            "name": "xxxxxxxx",
                            "region": "eu-west-1",
                            "subnets": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ],
                            "subnets_app": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ],
                            "subnets_db": [
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1a"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1b"
                                },
                                {
                                    "subnet": "subnet-xxxxxxxx",
                                    "zone": "eu-west-1c"
                                }
                            ]
                        }
                    }
                },
                {
                    "changed": false,
                    "skipped": true
                }
            ]
        }
    }
}
Yeah, I'm trying to make the play generic and apply to any VPC/subnets in
any region.
Thanks again for your help.
Igor
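Added example (not from the thread, not Ansible's own code): a small model of the two registered shapes Igor's debug output shows, a flat dict for a plain ec2_group task versus {"results": [...]} for a task run under with_dict with `when`, and a reader that returns group ids from either without tripping over the skipped entries. All VPC, CIDR and group ids below are constructed placeholders.

```python
# Constructed: the vars_files "vpc" mapping, trimmed to the keys used here.
VPC = {
    "vpc-aaaaaaaa": {"name": "nameX", "region": "ap-southeast-2", "cidr": "10.1.0.0/16"},
    "vpc-bbbbbbbb": {"name": "nameY", "region": "eu-west-1", "cidr": "10.2.0.0/16"},
}


def selected_vpcs(vpc, ec2_env):
    """Keys a `with_dict: vpc` + `when: item.value.name == ec2_env` loop runs for.

    Items that fail the `when` are not dropped from the loop: Ansible still
    emits a result entry for them, marked {"skipped": true}.
    """
    return sorted(k for k, v in vpc.items() if v["name"] == ec2_env)


def completed_results(registered):
    """Normalise a registered ec2_group value to the per-item results that ran.

    A plain task registers a flat dict (group_id at top level); a looped task
    registers {"results": [...]}.  Both are returned as a list of dicts.
    """
    results = registered.get("results", [registered])
    return [r for r in results if not r.get("skipped")]


def group_ids(registered):
    """Map vpc_id -> group_id.  The plain (non-looped) shape carries no item,
    so its single group_id is keyed under None."""
    return {r.get("item", {}).get("key"): r["group_id"]
            for r in completed_results(registered)}


# Constructed: what `register: group_sg` holds after the looped task with
# ec2_env == "nameY" (two vpcs skipped by `when`, one group created).
LOOPED = {
    "changed": True,
    "msg": "All items completed",
    "results": [
        {"changed": False, "skipped": True},
        {"changed": True, "group_id": "sg-bbbbbbbb",
         "item": {"key": "vpc-bbbbbbbb", "value": VPC["vpc-bbbbbbbb"]}},
        {"changed": False, "skipped": True},
    ],
}
# Constructed: the flat shape registered by the non-looped call.
PLAIN = {"changed": True, "group_id": "sg-bbbbbbbb"}

if __name__ == "__main__":
    print(selected_vpcs(VPC, "nameY"))  # ['vpc-bbbbbbbb']
    print(group_ids(LOOPED))            # {'vpc-bbbbbbbb': 'sg-bbbbbbbb'}
    print(group_ids(PLAIN))             # {None: 'sg-bbbbbbbb'}
```

Reading `group_sg.group_id` directly works only on the PLAIN shape, which is why the looped task produced the "'dict object' has no attribute 'group_id'" error.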
On Thursday, May 28, 2015 at 3:35:04 PM UTC+10, benno joy wrote:
>
> Hi Igor,
>
> - debug: msg="group_id -- {{ group_sg.group_id }}" should work, can you
> please try
>
> - debug: var=group_sg and see what are the keys that you are getting.
>
> Also for question 2. there were a few fixes added to filter groups in the
> same vpc, can you please try the latest devel branch,
>
> - Benno
>
> On Thu, May 28, 2015 at 10:26 AM, Igor Cicimov <[email protected]> wrote:
>
>> Replying to myself about the second part of my question re:
>>
>>   - proto: all
>>     group_name: group-name
>>
>> It came up that the group name has to be unique in the region, otherwise the
>> call will fail. The AWS console on the other hand allows creation of security
>> groups with the same name in the same region in case they belong to different
>> VPCs.
>>
>> On Thursday, May 28, 2015 at 2:33:51 PM UTC+10, Igor Cicimov wrote:
>>>
>>> I have the following as part of a play:
>>>
>>> - ec2_group:
>>>     name: group-name
>>>     description: "firewall"
>>>     vpc_id: "{{ vpc_id }}"
>>>     region: "{{ region }}"
>>>     purge_rules: false
>>>     purge_rules_egress: false
>>>     rules:
>>>       - proto: tcp
>>>         from_port: 22
>>>         to_port: 22
>>>         cidr_ip: 0.0.0.0/0
>>>       ...
>>>       #- proto: all
>>>       #  group_name: group-name
>>>   register: group_sg
>>>
>>> - debug: msg="group_id -- {{ group_sg.group_id }}"
>>>
>>> which fails with the error:
>>>
>>> TASK: [debug msg="group_id -- {{ group_sg.group_id }}"]
>>> **********************
>>> fatal: [localhost] => One or more undefined variables: 'dict object' has
>>> no attribute 'group_id'
>>>
>>> Isn't this the right way of getting this attribute? Or is this not an
>>> option for a SG created inside a VPC? The SG is being created fine though for
>>> the specified VPC and region.
>>>
>>> Another thing is that I'm unable to use:
>>>
>>>   - proto: all
>>>     group_name: group-name
>>>
>>> as in the official Ansible page example in the rules since I'm getting
>>> the following error:
>>>
>>>   File "/usr/local/lib/python2.7/dist-packages/boto/connection.py", line 1226, in get_status
>>>     raise self.ResponseError(response.status, response.reason, body)
>>> boto.exception.EC2ResponseError: EC2ResponseError: 400 Bad Request
>>> <?xml version="1.0" encoding="UTF-8"?>
>>> <Response><Errors><Error><Code>InvalidGroup.NotFound</Code><Message>You
>>> have specified two resources that belong to different
>>> networks.</Message></Error></Errors><RequestID>dee577be-...</RequestID></Response>
>>>
>>> Any ideas?
>>>
>>> $ ansible --version
>>> ansible 1.9.1
>>>
>>> Thanks,
>>> Igor
>>>
--
You received this message because you are subscribed to the Google Groups
"Ansible Project" group.
To unsubscribe from this group and stop receiving emails from it, send an email
to [email protected].
To post to this group, send email to [email protected].
To view this discussion on the web visit
https://groups.google.com/d/msgid/ansible-project/a14cb730-f026-4f5b-8422-7d463cce6a44%40googlegroups.com.
For more options, visit https://groups.google.com/d/optout.