New ec2_group_facts module to be able to get facts from EC2 security groups #2591
Conversation
|
#1939 was closed a while back, so its irrelevant here I wrote it back in the boto2 days then retrofitted it to boto3 for the PR, so if the GroupNames and GroupIds aren't needed, I could simply pull that logic out - but, that hasn't been brought up in past reviews so I've never given it any thought. |
|
Thanks @Sodki for this new module. When this module receives 'shipit' comments from two community members and any 'needs_revision' comments have been resolved, we will mark for inclusion. [This message brought to you by your friendly Ansibull-bot.] |
|
@calamityman Cool, at the time of writing this your PR was still in old boto. Instead of spamming your PR with comments, can I just send a bunch of PRs to your own branch, to try and make it better? Then I can close this one down. |
|
@Sodki of course. I'd be more than happy to work with you on this module if you've got some improvements. |
|
@calamityman Unfortunately it doesn't seem to be possible to send PRs to your branch, since it's a fork. I'll comment straight to your PR. |
|
#2619 is another PR related to this one. |
|
ready_for_review |
|
Any update on this? Seems stalled. |
|
@aairey Well, the module is finished and works, but no one has reviewed it yet. I don't know if there's something else that I need to do to speed things up. |
|
|
||
| # Gather facts about any security group with a tag key Name and value Example | ||
| - ec2_group_facts: | ||
| filters: |
There was a problem hiding this comment.
On this example can you add a comment to the effect of "The quotes around tag:Name are important because of the colon in the value" because not everyone realizes the significance there.
There was a problem hiding this comment.
Your comment was spot on, so I just used it verbatim.
| # Gather facts about a security group by id | ||
| - ec2_group_facts: | ||
| filters: | ||
| group-id: sg-12345678 |
There was a problem hiding this comment.
It would be really nice to be able to do underscore-separated tags as well, since that's typically how folks expect to do params. Do you think that'd be a useful addition?
diff --git a/cloud/amazon/ec2_group_facts.py b/cloud/amazon/ec2_group_facts.py
index 777fc59..bc9a75d 100644
--- a/cloud/amazon/ec2_group_facts.py
+++ b/cloud/amazon/ec2_group_facts.py
@@ -121,9 +121,11 @@ def main():
else:
module.fail_json(msg="region must be specified")
+ sanitized_filters = {k.replace('_', '-'): v for k, v in module.params.get("filters", {}).items() if 'tag:' not in k}
+ sanitized_filters.update({k: v for k, v in module.params.get("filters", {}).items() if 'tag:' in k})
try:
security_groups = connection.describe_security_groups(
- Filters=ansible_dict_to_boto3_filter_list(module.params.get("filters"))
+ Filters=ansible_dict_to_boto3_filter_list(sanitized_filters)
)
except ClientError as e:
module.fail_json(msg=e.message)There was a problem hiding this comment.
I think it's a good idea. I've implemented it a little bit different from you, but I think it's easier to read. I've also changed the documentation accordingly.
| Filters=ansible_dict_to_boto3_filter_list(module.params.get("filters")) | ||
| ) | ||
| except ClientError as e: | ||
| module.fail_json(msg=e.message) |
There was a problem hiding this comment.
Here can you add the exception to the failure, something like:
import traceback # do this with the other imports, not in the exception
module.fail_json(msg=e.message, exception=traceback.format_exc(e))
There was a problem hiding this comment.
It's done. Let me know if you disagree with the location of the import. I really don't have others like that one and I wanted to keep the boto ones separate.
| short_description: Gather facts about ec2 security groups in AWS. | ||
| description: | ||
| - Gather facts about ec2 security groups in AWS. | ||
| version_added: "2.2" |
There was a problem hiding this comment.
It's been updated to 2.3.
|
Thank you @ryansb for your review. I've implemented all your change requests as separate commits because I think it's easier to understand the flow. If you're happy I can then squash them all before merging. |
| # Gather facts about a security group with multiple filters, also mixing the use of underscores as filter keys | ||
| - ec2_group_facts: | ||
| filters: | ||
| group_id: sg-12345678 |
|
|
||
| sanitized_filters = module.params.get("filters") | ||
| for key in sanitized_filters: | ||
| sanitized_filters[key.replace("_", "-")] = sanitized_filters.pop(key) |
There was a problem hiding this comment.
There's one issue with this: if someone uses a filter such as "tag:my_tag_name": value this code will replace it and make the filter tag:my-tag-name. In the example I gave it skipped replacing _ for any tag: filters.
There was a problem hiding this comment.
Oh, I completely forgot about that edge case. It's fixed now.
|
@Sodki really close, just that last comment on filter underscore-replacement. No worries about squashing this PR, I can do so on merge. Thanks for doing separate commits, makes reviewing much easier. 😄 |
|
Alright, I fixed the last issue. Thanks again for taking the time to review this. |
ISSUE TYPE
COMPONENT NAME
ec2_group_facts
ANSIBLE VERSION
SUMMARY
Ansible doesn't have a way to obtain information from EC2 security groups, which is very useful. This implementation is heavily inspired on ec2_snapshot_facts.
The only option available is
filter. I didn't implement boto3'sGroupNamesandGroupIdsbecause they're a source of major confusion (default vs non-default VPC) andfilterhas that functionality anyway, so I thought it was better to keep it simple.I know there are other PRs for the same module, but they were either broken or had a larger scope than what was intended. I'll list them here for reference:
#1939
#1908
#1352