elb_application_lb - treat empty security group as VPC default (ansib…

…le-collections#971) elb_application_lb - treat empty security group as VPC default SUMMARY Fixes idempotency issue when security_groups = [] by treating [] as using the VPC's default security group (like it does on creation). Fixes ansible-collections#28 Used same logic as amazon.aws.ec2_vpc_route_table does for using default igw Added integration tests ISSUE TYPE Bugfix Pull Request COMPONENT NAME elb_application_lb Reviewed-by: Jill R <None> Reviewed-by: Mark Woolley <[email protected]>
abikouo · Mar 14, 2022 · b6f1d2f · b6f1d2f
1 parent 17c3f9b
commit b6f1d2f
Showing 1 changed file with 36 additions and 2 deletions.
diff --git a/elb_application_lb.py b/elb_application_lb.py
@@ -144,7 +144,7 @@
     description:
       - A list of the names or IDs of the security groups to assign to the load balancer.
       - Required if I(state=present).
-    default: []
+      - If C([]), the VPC's default security group will be used.
     type: list
     elements: str
   scheme:
@@ -494,10 +494,16 @@
     type: bool
     sample: false
 '''
+try:
+    import botocore
+except ImportError:
+    pass  # caught by AnsibleAWSModule
 
 from ansible_collections.amazon.aws.plugins.module_utils.core import AnsibleAWSModule
-from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
+from ansible_collections.amazon.aws.plugins.module_utils.ec2 import ansible_dict_to_boto3_filter_list
+from ansible_collections.amazon.aws.plugins.module_utils.ec2 import AWSRetry
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import boto3_tag_list_to_ansible_dict
+from ansible_collections.amazon.aws.plugins.module_utils.ec2 import camel_dict_to_snake_dict
 from ansible_collections.amazon.aws.plugins.module_utils.ec2 import compare_aws_tags
 from ansible_collections.amazon.aws.plugins.module_utils.elbv2 import (
     ApplicationLoadBalancer,
@@ -509,6 +515,29 @@
 from ansible_collections.amazon.aws.plugins.module_utils.elb_utils import get_elb_listener_rules
 
 
+@AWSRetry.jittered_backoff()
+def describe_sgs_with_backoff(connection, **params):
+    paginator = connection.get_paginator('describe_security_groups')
+    return paginator.paginate(**params).build_full_result()['SecurityGroups']
+
+
+def find_default_sg(connection, module, vpc_id):
+    """
+    Finds the default security group for the given VPC ID.
+    """
+    filters = ansible_dict_to_boto3_filter_list({'vpc-id': vpc_id, 'group-name': 'default'})
+    try:
+        sg = describe_sgs_with_backoff(connection, Filters=filters)
+    except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
+        module.fail_json_aws(e, msg='No default security group found for VPC {0}'.format(vpc_id))
+    if len(sg) == 1:
+        return sg[0]['GroupId']
+    elif len(sg) == 0:
+        module.fail_json(msg='No default security group found for VPC {0}'.format(vpc_id))
+    else:
+        module.fail_json(msg='Multiple security groups named "default" found for VPC {0}'.format(vpc_id))
+
+
 def create_or_update_alb(alb_obj):
     """Create ALB or modify main attributes. json_exit here"""
     if alb_obj.elb:
@@ -738,6 +767,11 @@ def main():
 
     alb = ApplicationLoadBalancer(connection, connection_ec2, module)
 
+    # Update security group if default is specified
+    if alb.elb and module.params.get('security_groups') == []:
+        module.params['security_groups'] = [find_default_sg(connection_ec2, module, alb.elb['VpcId'])]
+        alb = ApplicationLoadBalancer(connection, connection_ec2, module)
+
     if state == 'present':
         create_or_update_alb(alb)
     elif state == 'absent':