diff --git a/library/cloud/ec2_group b/library/cloud/ec2_group index ac0389acca..0a6b2a251e 100644 --- a/library/cloud/ec2_group +++ b/library/cloud/ec2_group @@ -317,7 +317,8 @@ def main(): # when using a vpc, but no egress rules are specified, # we add in a default allow all out rule, which was the # default behavior before egress rules were added - if 'out--1-None-None-None-0.0.0.0/0' not in groupRules: + default_egress_rule = 'out--1-None-None-None-0.0.0.0/0' + if default_egress_rule not in groupRules: ec2.authorize_security_group_egress( group_id=group.id, ip_protocol=-1, @@ -327,6 +328,9 @@ def main(): cidr_ip='0.0.0.0/0' ) changed = True + else: + # make sure the default egress rule is not removed + del groupRules[default_egress_rule] # Finally, remove anything left in the groupRules -- these will be defunct rules for rule in groupRules.itervalues():