From 1ef0402f037b332610e8d4b9c568818f7ec50ea3 Mon Sep 17 00:00:00 2001
From: James Cammarata
Date: Thu, 17 Apr 2014 15:24:18 -0500
Subject: [PATCH] Make sure a default allow out rule exists if no other egress rules do Fixes #7027
---
 library/cloud/ec2_group | 14 ++++++++++++++
 1 file changed, 14 insertions(+)
diff --git a/library/cloud/ec2_group b/library/cloud/ec2_group
index 56581ecd77..ac0389acca 100644
--- a/library/cloud/ec2_group
+++ b/library/cloud/ec2_group
@@ -313,6 +313,20 @@ def main():
 src_group_id=grantGroup,
 cidr_ip=ip)
 changed = True
+ elif vpc_id and not module.check_mode:
+ # when using a vpc, but no egress rules are specified,
+ # we add in a default allow all out rule, which was the
+ # default behavior before egress rules were added
+ if 'out--1-None-None-None-0.0.0.0/0' not in groupRules:
+ ec2.authorize_security_group_egress(
+ group_id=group.id,
+ ip_protocol=-1,
+ from_port=None,
+ to_port=None,
+ src_group_id=None,
+ cidr_ip='0.0.0.0/0'
+ )
+ changed = True
 # Finally, remove anything left in the groupRules -- these will be defunct rules
 for rule in groupRules.itervalues():
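Review bot: When the default egress rule already exists, the new `elif` branch leaves its key in `groupRules`, so the cleanup loop that follows ("remove anything left in the groupRules") will presumably treat it as defunct and revoke it, and the next run will add it back. Adding `else: del groupRules['out--1-None-None-None-0.0.0.0/0']` to the `if ... not in groupRules` check would keep an existing allow-all rule in place and make the task idempotent. Because the whole branch is gated on `not module.check_mode`, a check-mode run also never sets `changed` for a group that is missing the rule. The implicit all-protocol `0.0.0.0/0` egress rule should be stated in the module documentation, so that groups meant to have restricted outbound access list their egress rules explicitly. The body of the cleanup loop and the `if` that this `elif` pairs with are outside the hunk, so both points should be confirmed against the full `main()`.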