
I'm looking for a nice way to show or list security groups in Ansible.

Currently I'm using the Ansible module ec2_group that silently changes the security group to match what is defined in Ansible but doesn't show what is changed.

changed: [localhost -> 127.0.0.1] => {"changed": true, "group_id": "sg-8649adee"}

I'm worried that someone may add something in the web console which would get erased when Ansible's ec2_group task is executed. That is okay as long as I can get some information about the previous state (in the output), so in case of erasing some important but 'undocumented' modification, it can be quickly restored.

Currently the only way I know is to run this as a local command module:

aws ec2 describe-security-groups [some pattern]

Is there a better way to do this, hopefully entirely within Ansible?

sirkubax

2 Answers


Ansible is a tool for performing changes on an environment to configure it so that it looks as it has been defined. As such, nearly everything it does is purely for the purpose of enacting said changes, and there are very few modules that don't make changes, other than for fact gathering to enable other modules to make changes.

As such, I would say that if you are using Ansible to control your estate then you should back it entirely. If someone makes a change outside of Ansible then having Ansible change it back should be a good thing. In the event of some out of hours emergency where someone needs to make a manual change then that person should have some mechanism to prevent Ansible from running until the change is fed back into the automation code (at my company we use Jenkins to drive all of our automation so they can simply disable the relevant job(s)).

If this isn't an option for you then you could always shell out and describe the group before your change and then have a task check if the ec2_group module changed anything and if so output what the security group looked like before:

- hosts: localhost
  connection: local
  vars:
    security_group_name: testing
  tasks:
    - name: describe ec2 security group before change
      shell: "aws ec2 describe-security-groups --group-names {{ security_group_name }}"
      register: before
      changed_when: false

    - name: create ec2 security group
      ec2_group:
        name: "{{ security_group_name }}"
        description: "{{ security_group_name }}"
        rules:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: 0.0.0.0/0
          - proto: udp
            from_port: 123
            to_port: 123
            cidr_ip: 10.0.0.0/8
        rules_egress:
          - proto: all
            cidr_ip: 0.0.0.0/0
      register: ec2_group

    - name: security group changed
      debug: var=before
      when: ec2_group.changed

Another option might be to simply use CloudTrail to see what has been changed in your AWS account.

ydaetskcoR
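As an added example (not part of either answer, and not Ansible's own code): once the "describe ec2 security group before change" task above has captured the describe-security-groups JSON in before.stdout, the script below compares that JSON with the rules the playbook declares and lists exactly which rules ec2_group would remove on its next run, which is the "undocumented modification" the question wants to see before it is erased. The describe output, the group id and the hand-added port 3306 rule are constructed sample data; the desired-rule dicts mirror the rules and rules_egress parameters from the playbook in the answer.

```python
import json

# Constructed sample of what `aws ec2 describe-security-groups --group-names testing`
# prints. The group id, the rules and the port 3306 entry are made up for this example;
# the 3306 rule plays the role of something added by hand in the web console.
DESCRIBE_OUTPUT = json.dumps({
    "SecurityGroups": [{
        "GroupName": "testing",
        "GroupId": "sg-0123456789abcdef0",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
            {"IpProtocol": "udp", "FromPort": 123, "ToPort": 123,
             "IpRanges": [{"CidrIp": "10.0.0.0/8"}]},
            {"IpProtocol": "tcp", "FromPort": 3306, "ToPort": 3306,
             "IpRanges": [{"CidrIp": "10.1.0.0/16", "Description": "added by hand"}]},
        ],
        "IpPermissionsEgress": [
            {"IpProtocol": "-1", "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
        ],
    }]
})

# The rules the playbook declares, written in the ec2_group module's own parameter format.
DESIRED_RULES = [
    {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "0.0.0.0/0"},
    {"proto": "udp", "from_port": 123, "to_port": 123, "cidr_ip": "10.0.0.0/8"},
]
DESIRED_RULES_EGRESS = [{"proto": "all", "cidr_ip": "0.0.0.0/0"}]


def normalize_aws(permissions):
    """Flatten describe-security-groups IpPermissions into (proto, from, to, cidr) tuples.
    AWS reports 'all protocols' as "-1" and omits the port fields for it; one permission
    may carry several CIDR ranges, and each range becomes its own tuple."""
    rules = set()
    for perm in permissions:
        proto = "all" if perm["IpProtocol"] == "-1" else perm["IpProtocol"]
        from_port, to_port = perm.get("FromPort"), perm.get("ToPort")
        for r in perm.get("IpRanges", []):
            rules.add((proto, from_port, to_port, r["CidrIp"]))
        for r in perm.get("Ipv6Ranges", []):
            rules.add((proto, from_port, to_port, r["CidrIpv6"]))
    return rules


def normalize_ansible(rules):
    """Flatten ec2_group-style rule dicts into the same tuple shape. cidr_ip may be a
    single string or a list; 'all' (or "-1") carries no ports."""
    out = set()
    for rule in rules:
        proto = "all" if rule["proto"] in ("all", "-1") else rule["proto"]
        ports = (None, None) if proto == "all" else (rule["from_port"], rule["to_port"])
        cidrs = rule.get("cidr_ip") or rule.get("cidr_ipv6")
        if isinstance(cidrs, str):
            cidrs = [cidrs]
        for cidr in cidrs:
            out.add((proto,) + ports + (cidr,))
    return out


def rules_ansible_would_remove(describe_json, desired_ingress, desired_egress):
    """Return the ingress and egress rules currently on the group that the playbook does
    not declare, i.e. what ec2_group would delete when it next enforces the playbook."""
    group = json.loads(describe_json)["SecurityGroups"][0]
    current_in = normalize_aws(group.get("IpPermissions", []))
    current_out = normalize_aws(group.get("IpPermissionsEgress", []))
    return {
        "group_id": group["GroupId"],
        "ingress_removed": sorted(current_in - normalize_ansible(desired_ingress), key=str),
        "egress_removed": sorted(current_out - normalize_ansible(desired_egress), key=str),
    }


if __name__ == "__main__":
    diff = rules_ansible_would_remove(DESCRIBE_OUTPUT, DESIRED_RULES, DESIRED_RULES_EGRESS)
    for direction in ("ingress_removed", "egress_removed"):
        for proto, from_port, to_port, cidr in diff[direction]:
            print(f"{diff['group_id']}: would remove {direction.split('_')[0]} "
                  f"{proto} {from_port}-{to_port} {cidr}")
```

Run before the ec2_group task (for example by feeding before.stdout to this script from a script or command task, or by turning it into a custom filter plugin) it reports the rules that exist only in AWS, so the playbook can fail or warn before anything is erased rather than only printing the whole previous state afterwards.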

I'll just add one update: the

--group-names YourGroupName

option works for the default VPC only.

For non-default VPC use filters, like:

aws ec2 --region YourRegion describe-security-groups --filters Name=group-name,Values=YourGroupName

http://docs.aws.amazon.com/cli/latest/reference/ec2/describe-security-groups.html

sirkubax