Poor documentation for from_port, to_port in ec2_groups #397

Closed
mcandre opened this issue Jul 7, 2021 · 4 comments · Fixed by #436
Labels
bug This issue/PR relates to a bug easyfix Good for new comers and easy to start with contribution needs_info This issue requires further information. Please answer any outstanding questions needs_template This issue/PR has an incomplete description. Please fill in the proposed template correctly waiting_on_contributor Needs help. Feel free to engage to get things unblocked

Comments

@mcandre
mcandre commented Jul 7, 2021

The documentation for specifying port ranges in security groups is confusing.

  • No given example of actual ranges, only one individual port per security group.
  • No given example of allowing ALL ports.
  • Documentation says to use -1 to indicate no bound. But when you actually try to use -1 in from_port and/or to_port, then you will get errors running your playbook.

As a workaround, you can specify 0, 65535 as the port range bounds.

@ansibullbot

Files identified in the description:
None

If these files are inaccurate, please update the component name section of the description or use the !component bot command.


@ansibullbot

@mcandre: Greetings! Thanks for taking the time to open this issue. In order for the community to handle your issue effectively, we need a bit more information.

Here are the items we could not find in your description:

  • issue type
  • ansible version
  • component name

Please set the description of this issue with this template:
https://raw.githubusercontent.com/ansible/ansible/devel/.github/ISSUE_TEMPLATE/bug_report.md


@ansibullbot ansibullbot added needs_info This issue requires further information. Please answer any outstanding questions needs_template This issue/PR has an incomplete description. Please fill in the proposed template correctly needs_triage labels Jul 7, 2021
@markuman
Member

markuman commented Jul 8, 2021

-1 value in parameter from_port and to_port is only supported for proto: icmp.

  • FromPort (integer) --

The start of port range for the TCP and UDP protocols, or an ICMP/ICMPv6 type number. A value of -1 indicates all ICMP/ICMPv6 types. If you specify all ICMP/ICMPv6 types, you must specify all codes.

That's a missing part in the module documentation. So yes, for all other proto values, you must specify 0-65535.
Alternatively, you also can specify proto: all, which allows the entire traffic to/from the target.

No given example of actual ranges, only one individual port per security group.

There is an example with multiple ports and ranges.
https://github.com/ansible-collections/amazon.aws/blob/main/plugins/modules/ec2_group.py#L303

    - name: mb
      ec2_group:
        name: mbtest01
        description: mb test 01
        region: eu-central-1
        state: present
        vpc_id: "{{ VPC }}"
      purge_rules_egress: True
        purge_rules: True
        rules:
          - proto: tcp
            ports: 0-65535
            cidr_ip: 10.0.0.0/8
            rule_desc: all port ranges in tcp
          - proto: icmp
            from_port: -1
            to_port: -1
            cidr_ip: 10.0.0.0/8
            rule_desc: only available for icmp
          - proto: all
            cidr_ip: "{{ lookup('dig', 'osuv.de') }}/32"
            rule_desc: all from osuv.de
        rules_egress: []
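
The port semantics from the comment above, as an added example that is not part of the original thread or of the ec2_group module: a small Python linter that rejects `-1` bounds on tcp/udp rules and flags rules that open every port or every protocol. `lint_rule`, `port_ranges` and the sample rules are hypothetical names and constructed data; treating `icmpv6` like `icmp` follows the quoted API text and is an assumption about the module.

```python
import re

ICMP_PROTOS = {"icmp", "icmpv6"}  # from_port = type, to_port = code; -1 = all
PORT_PROTOS = {"tcp", "udp"}      # real port numbers only: 0-65535

def port_ranges(rule):
    """Return [(low, high), ...] from 'ports' or from from_port/to_port."""
    if "ports" in rule:
        spec = rule["ports"]
        ranges = []
        for item in (spec if isinstance(spec, list) else [spec]):
            m = re.fullmatch(r"(\d+)(?:-(\d+))?", str(item).strip())
            if not m:
                raise ValueError(f"unparseable ports entry: {item!r}")
            ranges.append((int(m.group(1)), int(m.group(2) or m.group(1))))
        return ranges
    if "from_port" in rule and "to_port" in rule:
        return [(int(rule["from_port"]), int(rule["to_port"]))]
    return []

def lint_rule(rule):
    """Return a list of findings; an empty list means nothing to report."""
    proto = str(rule.get("proto", "")).lower()
    if proto == "all":
        return ["BROAD: proto 'all' allows the entire traffic for this source"]
    findings = []
    for low, high in port_ranges(rule):
        if proto in PORT_PROTOS:
            if low == -1 or high == -1:
                findings.append(f"ERROR: -1 is only valid for icmp; use 0-65535 for {proto}")
            elif not (0 <= low <= high <= 65535):
                findings.append(f"ERROR: invalid port range {low}-{high}")
            elif (low, high) == (0, 65535):
                findings.append(f"BROAD: every {proto} port is open")
        elif proto in ICMP_PROTOS and low == -1 and high != -1:
            findings.append("ERROR: all ICMP types (-1) requires all codes (-1)")
    return findings

# Constructed sample rules, shaped like the playbook's `rules:` entries.
SAMPLE_RULES = [
    {"proto": "tcp", "from_port": -1, "to_port": -1, "cidr_ip": "10.0.0.0/8"},
    {"proto": "tcp", "ports": "0-65535", "cidr_ip": "10.0.0.0/8"},
    {"proto": "icmp", "from_port": -1, "to_port": -1, "cidr_ip": "10.0.0.0/8"},
    {"proto": "all", "cidr_ip": "192.0.2.10/32"},
]

if __name__ == "__main__":
    for r in SAMPLE_RULES:
        print(r["proto"], lint_rule(r))
```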

@alinabuzachis alinabuzachis added easyfix Good for new comers and easy to start with contribution waiting_on_contributor Needs help. Feel free to engage to get things unblocked and removed needs_triage labels Jul 20, 2021
@alinabuzachis
Contributor

Hi @mcandre, thank you for reporting this issue. Would you be willing to open a PR to address this issue? Thank you.

@alinabuzachis alinabuzachis added the bug This issue/PR relates to a bug label Jul 20, 2021
ansible-zuul bot pushed a commit that referenced this issue Aug 9, 2021
ec2_group: update documentation for specifying port ranges

Depends-on: #429
SUMMARY

Added missing part of documentation for specifying port ranges as -1 value in parameter from_port and to_port is only supported for proto:icmp.
Fixes #397

ISSUE TYPE


Docs Pull Request

COMPONENT NAME

ec2_group

Reviewed-by: Jill R <None>
Reviewed-by: Markus Bergholz <git@osuv.de>
Reviewed-by: Alina Buzachis <None>
Reviewed-by: Mark Chappell <None>
Reviewed-by: None <None>