AWS security group description mismatch causes module ec2_group to fail #31704
Comments
It looks like the fix is targeting 2.5. Is there any chance it'll come to 2.4.x, or should we just plan to work around it until 2.5 is released?
source: https://aws.amazon.com/blogs/aws/new-descriptions-for-security-group-rules/ (Aug 31st, 2017)
Blargh, I totally misread that. Those are just for rules (which is awesome, BTW), but it looks like updating an SG description is still not possible.
I am thinking that now, with rule descriptions, maybe a best practice is to just not use an SG description at all and only use rule descriptions, since they are updateable.
I don't think that Ansible should be taking a stance on that. Rule descriptions and group descriptions have different purposes. Rule descriptions are generally used to describe the reason for the ingress/egress rule, whereas group descriptions tend to describe the purpose of the group itself, such as "Group for production webapp servers in the FooBar service". In theory, there isn't a reason to change the purpose of a security group, so that's one of the reasons AWS hasn't enabled editing for group descriptions. If the purpose changes, you are "supposed to" create a new group and update your resources to use the new one. We've remedied the immediate problem (the module failing if the group description is mismatched), but the broader issue on the AWS side is out of our control.
Thank you very much for your interest in Ansible. Ansible has migrated much of the content into separate repositories to allow for more rapid, independent development. We are closing this issue/PR because this content has been moved to one or more collection repositories.
For further information, please see:
ISSUE TYPE
COMPONENT NAME
ec2_group
ANSIBLE VERSION
CONFIGURATION
ANSIBLE_PIPELINING(/Users/lkostka/devbox/prov/ansible.cfg) = True
ANSIBLE_SSH_ARGS(env: ANSIBLE_SSH_ARGS) =
DEFAULT_CALLBACK_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/callbacks']
DEFAULT_FILTER_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/filters']
DEFAULT_FORKS(/Users/lkostka/devbox/prov/ansible.cfg) = 40
DEFAULT_LOOKUP_PLUGIN_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/lookups']
DEFAULT_MODULE_PATH(/Users/lkostka/devbox/prov/ansible.cfg) = [u'/Users/lkostka/devbox/prov/modules']
DEFAULT_SCP_IF_SSH(/Users/lkostka/devbox/prov/ansible.cfg) = true
DEFAULT_TRANSPORT(/Users/lkostka/devbox/prov/ansible.cfg) = ssh
DEPRECATION_WARNINGS(/Users/lkostka/devbox/prov/ansible.cfg) = True
RETRY_FILES_ENABLED(/Users/lkostka/devbox/prov/ansible.cfg) = False
OS / ENVIRONMENT
macOS. Same problem on Ubuntu 17.04.
SUMMARY
When an EC2 security group is configured with a description that does not match an existing security group of the same name, Ansible now aborts, whereas previously it ignored the situation. The bug was reported in #23602, a different issue for a different version.
STEPS TO REPRODUCE
Try on 2.3: no complaint. Try on 2.4: fails.
EXPECTED RESULTS
Module should not fail when description in ansible does not match that in AWS.
ACTUAL RESULTS
Group description does not match existing group. ec2_group does not support this case.
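The error above, together with the maintainer's point in the comments that AWS lets you edit rule descriptions but not the group description itself, comes down to one decision the module has to make when a spec meets an existing group of the same name in the same VPC. The following is an added example and not the ec2_group module's own code: it models that decision over constructed `describe_security_groups`-shaped data (the group ID, VPC ID, names and rule descriptions are made up for the example, and nothing contacts AWS). A `strict` switch reproduces the 2.4 failure; turning it off keeps the AWS description, warns, and still reconciles the editable rule descriptions.

```python
"""Added example, not code from the Ansible ec2_group module.

Models the decision ec2_group faces when the playbook's security-group spec
meets a group that already exists under the same name in the same VPC:

  * the group description is set at creation and cannot be edited on AWS, so a
    mismatch can only be ignored (2.3 behaviour), reported (2.4 behaviour),
    warned about, or resolved by recreating the group;
  * rule descriptions are editable (the AWS feature linked in the thread), so
    differences there are reconciled rather than reported.

Dict shapes follow boto3's describe_security_groups output. The sample group,
IDs and rules below are constructed for this example; nothing contacts AWS.
"""
from dataclasses import dataclass, field
from typing import Optional

MISMATCH_MSG = ("Group description does not match existing group. "
                "ec2_group does not support this case.")


@dataclass
class Decision:
    action: str                       # "create" | "noop" | "warn" | "fail"
    message: str = ""
    # entries shaped for update_security_group_rule_descriptions_ingress
    rule_description_updates: list = field(default_factory=list)


def find_group(existing: list, name: str, vpc_id: Optional[str]) -> Optional[dict]:
    """Identify an existing group the way the module does: by name within a VPC."""
    for group in existing:
        if group["GroupName"] == name and group.get("VpcId") == vpc_id:
            return group
    return None


def rule_description_diff(group: dict, desired_rules: list) -> list:
    """Return the ingress rules whose description differs from the desired one.

    A rule is matched on (protocol, from_port, to_port, cidr); only Description
    is compared, because that is the one field AWS lets us edit in place.
    """
    updates = []
    for rule in desired_rules:
        for perm in group.get("IpPermissions", []):
            if (perm["IpProtocol"], perm.get("FromPort"), perm.get("ToPort")) != (
                    rule["proto"], rule.get("from_port"), rule.get("to_port")):
                continue
            for ip_range in perm.get("IpRanges", []):
                if ip_range["CidrIp"] != rule["cidr_ip"]:
                    continue
                if ip_range.get("Description", "") != rule.get("rule_desc", ""):
                    updates.append({
                        "IpProtocol": perm["IpProtocol"],
                        "FromPort": perm.get("FromPort"),
                        "ToPort": perm.get("ToPort"),
                        "IpRanges": [{"CidrIp": rule["cidr_ip"],
                                      "Description": rule.get("rule_desc", "")}],
                    })
    return updates


def reconcile(existing, name, vpc_id, description, rules, strict=True) -> Decision:
    """Decide what to do with the playbook's spec against the existing groups.

    strict=True reproduces the 2.4 behaviour reported in this issue (fail on a
    description mismatch); strict=False keeps the AWS description, warns, and
    still reconciles the editable rule descriptions.
    """
    group = find_group(existing, name, vpc_id)
    if group is None:
        return Decision("create", f"create {name} in {vpc_id}")
    updates = rule_description_diff(group, rules)
    if group["Description"] == description:
        return Decision("noop", "description matches", updates)
    if strict:
        return Decision("fail", MISMATCH_MSG)
    return Decision(
        "warn",
        f"{MISMATCH_MSG} Keeping AWS description {group['Description']!r}; "
        "recreate the group to change it.",
        updates,
    )


# Constructed sample: one group already in the account (hypothetical IDs).
EXISTING_GROUPS = [{
    "GroupId": "sg-0123456789abcdef0",
    "GroupName": "web-sg",
    "VpcId": "vpc-11111111",
    "Description": "Web servers",
    "IpPermissions": [{
        "IpProtocol": "tcp", "FromPort": 443, "ToPort": 443,
        "IpRanges": [{"CidrIp": "0.0.0.0/0", "Description": "https from anywhere"}],
    }],
}]

# Constructed playbook spec: same rule, new rule description.
DESIRED_RULES = [{"proto": "tcp", "from_port": 443, "to_port": 443,
                  "cidr_ip": "0.0.0.0/0", "rule_desc": "https from CloudFront only"}]

if __name__ == "__main__":
    for strict in (True, False):
        d = reconcile(EXISTING_GROUPS, "web-sg", "vpc-11111111",
                      "Production web tier", DESIRED_RULES, strict=strict)
        print(strict, d.action, d.message, d.rule_description_updates)
```

The lookup is keyed on name plus VPC rather than name alone, since the same group name can legitimately exist in several VPCs; matching on name only is how a playbook ends up comparing against the wrong group's description in the first place.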