2016-03-16 147 views
2

I have a playbook that creates VPC security groups.
It works fine, but many times updates to an existing security group (mainly adding or removing ports) are not applied (not detected by Ansible).

Ansible AWS EC2 security group not updated

Original code:

- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers

New code (port added):

- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers

The output from the Ansible run is:

TASK [vpc : create sg_riemann_server rules] ************************************
ok: [localhost -> localhost] => {"changed": false, "group_id": "sg-ce89bcaa"}

Any idea why it does not update with the new port (4567)?

Answer

3

In the task create sg_riemann_elb rules there are two items, one of which, rules, is overriding the other. The fix is to define only one rules key holding the list of security group rules, like this:

...
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
    ...
+0

Good catch! This is exactly why this site is so great. I also think Ansible should warn about configuration errors like this...
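The silent override the answer describes can be caught before a play ever runs, because PyYAML (which Ansible loads playbooks with) keeps only the last value of a repeated key without complaint. Below is an added example, not code from the question, the answer or Ansible: a small scanner that reports keys repeated within the same block-style YAML mapping, run over a constructed, shortened copy of the question's task.

```python
import re

# Constructed sample: the question's task, cut down, with its duplicated "rules" key.
BUGGY_TASK = """\
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    name: "sg_riemann_elb"
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
"""

KEY_RE = re.compile(r"^([A-Za-z_][\w.-]*):(\s|$)")  # "key:" or "key: value"

def find_duplicate_keys(text: str) -> list[tuple[int, str]]:
    """Return (line_number, key) for each key repeated inside one mapping."""
    stack: list[tuple[int, set]] = []  # one frame per open mapping: (key column, keys seen)
    dups: list[tuple[int, str]] = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        stripped = raw.lstrip(" ")
        if not stripped or stripped.startswith("#") or stripped.startswith("---"):
            continue
        col = len(raw) - len(stripped)
        if stripped.startswith("- "):
            body = stripped[1:].lstrip(" ")  # a list item opens a fresh mapping after the dash
            col += len(stripped) - len(body)
            while stack and stack[-1][0] >= col:
                stack.pop()
            stack.append((col, set()))
        else:
            body = stripped
            while stack and stack[-1][0] > col:  # dedent closes nested mappings
                stack.pop()
            if not stack or stack[-1][0] != col:
                stack.append((col, set()))
        m = KEY_RE.match(body)
        if m:
            key, keys = m.group(1), stack[-1][1]
            if key in keys:
                dups.append((lineno, key))  # earlier value of this key will be discarded
            keys.add(key)
    return dups

for lineno, key in find_duplicate_keys(BUGGY_TASK):
    print(f"line {lineno}: duplicate key '{key}' in the same mapping")
```

The scanner only understands block-style indentation; flow mappings (`{a: 1, a: 2}`) and multi-line scalars are outside what it checks.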