diff --git a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl_facts.py b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl_facts.py index fe29d5d7e4..732fd7785c 100644 --- a/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl_facts.py +++ b/lib/ansible/modules/cloud/amazon/ec2_vpc_nacl_facts.py @@ -60,7 +60,7 @@ EXAMPLES = ''' ''' RETURN = ''' -nacl: +nacls: description: Returns an array of complex objects as described below. returned: success type: complex @@ -86,20 +86,29 @@ nacl: returned: always type: list of string ingress: - description: A list of NACL ingress rules. + description: + - A list of NACL ingress rules with the following format. + - [rule no, protocol, allow/deny, v4 or v6 cidr, icmp_type, icmp_code, port from, port to] returned: always type: list of list + sample: [[100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22]] egress: - description: A list of NACL egress rules. + description: + - A list of NACL egress rules with the following format. + - [rule no, protocol, allow/deny, v4 or v6 cidr, icmp_type, icmp_code, port from, port to] returned: always type: list of list + sample: [[100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]] ''' +import traceback + try: - from botocore.exceptions import ClientError, NoCredentialsError + from botocore.exceptions import ClientError, BotoCoreError except ImportError: pass # caught by imported HAS_BOTO3 +from ansible.module_utils._text import to_native from ansible.module_utils.basic import AnsibleModule from ansible.module_utils.ec2 import (ec2_argument_spec, boto3_conn, get_aws_connection_info, ansible_dict_to_boto3_filter_list, HAS_BOTO3, @@ -116,10 +125,17 @@ def list_ec2_vpc_nacls(connection, module): nacl_ids = module.params.get("nacl_ids") filters = ansible_dict_to_boto3_filter_list(module.params.get("filters")) + if nacl_ids is None: + nacl_ids = [] + try: nacls = connection.describe_network_acls(NetworkAclIds=nacl_ids, Filters=filters) - except (ClientError, NoCredentialsError) as e: - module.fail_json(msg=e.message, **camel_dict_to_snake_dict(e.response)) + except ClientError as e: + module.fail_json(msg="Unable to describe network ACLs {0}: {1}".format(nacl_ids, to_native(e)), + exception=traceback.format_exc(), **camel_dict_to_snake_dict(e.response)) + except BotoCoreError as e: + module.fail_json(msg="Unable to describe network ACLs {0}: {1}".format(nacl_ids, to_native(e)), + exception=traceback.format_exc()) # Turn the boto3 result in to ansible_friendly_snaked_names snaked_nacls = [] @@ -132,9 +148,9 @@ def list_ec2_vpc_nacls(connection, module): nacl['tags'] = boto3_tag_list_to_ansible_dict(nacl['tags'], 'key', 'value') if 'entries' in nacl: nacl['egress'] = [nacl_entry_to_list(entry) for entry in nacl['entries'] - if entry['rule_number'] != 32767 and entry['egress']] + if entry['rule_number'] < 32767 and entry['egress']] nacl['ingress'] = [nacl_entry_to_list(entry) for entry in nacl['entries'] - if entry['rule_number'] != 32767 and not entry['egress']] + if entry['rule_number'] < 32767 and not entry['egress']] del nacl['entries'] if 'associations' in nacl: nacl['subnets'] = [a['subnet_id'] for a in nacl['associations']] @@ -148,21 +164,36 @@ def list_ec2_vpc_nacls(connection, module): def nacl_entry_to_list(entry): - elist = [entry['rule_number'], - PROTOCOL_NAMES[entry['protocol']], - entry['rule_action'], - entry['cidr_block'] - ] - if entry['protocol'] == '1': - elist = elist + [-1, -1] + # entry list format + # [ rule_num, protocol name or number, allow or deny, ipv4/6 cidr, icmp type, icmp code, port from, port to] + elist = [] + + elist.append(entry['rule_number']) + + if entry.get('protocol') in PROTOCOL_NAMES: + elist.append(PROTOCOL_NAMES[entry['protocol']]) else: - elist = elist + [None, None, None, None] + elist.append(entry.get('protocol')) - if 'icmp_type_code' in entry: - elist[4] = entry['icmp_type_code']['type'] - elist[5] = entry['icmp_type_code']['code'] + elist.append(entry['rule_action']) - if 'port_range' in entry: + if entry.get('cidr_block'): + elist.append(entry['cidr_block']) + elif entry.get('ipv6_cidr_block'): + elist.append(entry['ipv6_cidr_block']) + else: + elist.append(None) + + elist = elist + [None, None, None, None] + + if entry['protocol'] in ('1', '58'): + elist[4] = entry.get('icmp_type_code', {}).get('type') + elist[5] = entry.get('icmp_type_code', {}).get('code') + + if entry['protocol'] not in ('1', '6', '17', '58'): + elist[6] = 0 + elist[7] = 65535 + elif 'port_range' in entry: elist[6] = entry['port_range']['from'] elist[7] = entry['port_range']['to'] @@ -179,19 +210,14 @@ def main(): ) ) - module = AnsibleModule(argument_spec=argument_spec, - mutually_exclusive=[['nacl_ids', 'filters']]) + module = AnsibleModule(argument_spec=argument_spec, supports_check_mode=True) if not HAS_BOTO3: module.fail_json(msg='boto3 required for this module') region, ec2_url, aws_connect_params = get_aws_connection_info(module, boto3=True) - - if region: - connection = boto3_conn(module, conn_type='client', resource='ec2', - region=region, endpoint=ec2_url, **aws_connect_params) - else: - module.fail_json(msg="region must be specified") + connection = boto3_conn(module, conn_type='client', resource='ec2', + region=region, endpoint=ec2_url, **aws_connect_params) list_ec2_vpc_nacls(connection, module)