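---
# Integration tests for ec2_group egress-rule handling.
#
# Flow: create a group and confirm the default allow-all egress rule is
# present, check that purge_rules_egress=false leaves that rule untouched,
# purge it, then add/purge custom egress rules (including a check-mode +
# diff pass) and finally restore the default rule. The group is removed
# unconditionally in the `always` section.
#
# Credentials are gathered once into a fact and merged into every ec2_group
# call through the *aws_connection_info alias (YAML merge key, which the
# Ansible loader supports); no_log keeps them out of task output.
- block:
    - name: set up aws connection info
      set_fact:
        aws_connection_info: &aws_connection_info
          aws_access_key: "{{ aws_access_key }}"
          aws_secret_key: "{{ aws_secret_key }}"
          security_token: "{{ security_token }}"
          region: "{{ aws_region }}"
      no_log: true

    - name: Create a group with only the default rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is in place (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    # Same group again, with purging disabled and no rules given: nothing
    # should change and the default rule must survive.
    - name: Re-apply the group with purge_rules_egress disabled
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        vpc_id: '{{ vpc_result.vpc.id }}'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    - name: Pass empty egress rules without purging, should leave default rule in place
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: false
        rules_egress: []
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert default rule is not purged (expected changed=false)
      assert:
        that:
          - result is not changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '0.0.0.0/0'

    - name: Purge rules, including the default
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        purge_rules_egress: true
        rules_egress: []
        <<: *aws_connection_info
        state: present
      register: result

    # Previously mislabelled as "not purged / changed=false"; the assertions
    # check the opposite (the group reports a change and has no egress rules).
    - name: assert default rule is purged (expected changed=true)
      assert:
        that:
          - result is changed
          - result.ip_permissions|length == 0
          - result.ip_permissions_egress|length == 0

    - name: Add a custom egress rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: 1.2.1.2/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1

    - name: Add a second custom egress rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        purge_rules_egress: false
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 2323
            cidr_ip: 2.3.2.3/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert the first rule is not purged
      assert:
        that:
          - result.ip_permissions_egress|length == 2

    # Dry run: the module must report the change and expose the resulting
    # rule set in result.diff without touching the group.
    - name: Purge the second rule (CHECK MODE) (DIFF MODE)
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: 1.2.1.2/32
        <<: *aws_connection_info
        state: present
      register: result
      check_mode: true
      diff: true

    - name: assert first rule will be left
      assert:
        that:
          - result.changed
          - result.diff.0.after.ip_permissions_egress|length == 1
          - result.diff.0.after.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'

    - name: Purge the second rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        vpc_id: '{{ vpc_result.vpc.id }}'
        rules_egress:
          - proto: tcp
            ports:
              - 1212
            cidr_ip: 1.2.1.2/32
        <<: *aws_connection_info
        state: present
      register: result

    - name: assert first rule is here
      assert:
        that:
          - result.ip_permissions_egress|length == 1
          - result.ip_permissions_egress[0].ip_ranges[0].cidr_ip == '1.2.1.2/32'

    # The last two tasks widen egress back to the world (all TCP ports, then
    # the all-protocols default). They are fixtures on a throwaway test group
    # and their results are not asserted.
    - name: add a rule for all TCP ports
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        rules_egress:
          - proto: tcp
            ports: 0-65535
            cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
        vpc_id: '{{ vpc_result.vpc.id }}'
      register: result

    - name: Re-add the default rule
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        description: '{{ec2_group_description}}'
        rules_egress:
          # -1 selects all protocols, matching the default rule asserted above
          - proto: -1
            cidr_ip: 0.0.0.0/0
        <<: *aws_connection_info
        state: present
        vpc_id: '{{ vpc_result.vpc.id }}'
      register: result
  always:
    # Cleanup must run even if a step above failed; errors here are tolerated
    # so a missing group does not mask the real failure.
    - name: tidy up egress rule test security group
      ec2_group:
        name: '{{ec2_group_name}}-egress-tests'
        state: absent
        vpc_id: '{{ vpc_result.vpc.id }}'
        <<: *aws_connection_info
      ignore_errors: true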