update logic to handle security group association

redhat-cop · Nov 25, 2024 · e464689 · e464689
1 parent 5c272d9
commit e464689
Show file tree

Hide file tree

Showing 3 changed files with 19 additions and 30 deletions.
diff --git a/roles/ec2_instance_create/README.md b/roles/ec2_instance_create/README.md
@@ -37,10 +37,6 @@ The following variables can be set in the role to customize EC2 instance creatio
 * **ec2_instance_create_vpc_subnet_id**: (Required)
   The ID of the VPC subnet in which the instance will be launched.
 
-* **ec2_instance_create_external_sg_id**: (Optional)
-  The ID or name of the existing security group to be associated with EC2 instance.
-  Mutually exclusive with `ec2_instance_create_associate_external_sg`.
-
 * **ec2_instance_create_tags**: (Optional)
   A dictionary of tags to assign to the EC2 instance.
 
@@ -74,9 +70,8 @@ The following variables can be set in the role to customize EC2 instance creatio
 #### External Security Group
 
 * **ec2_instance_create_associate_external_sg**: (Optional)
-  Whether to create and associate a security group with the EC2 instance for external access. Default is `false`.
-  If set to `true`, a security group will be created or associated with the instance.
-  Mutually exclusive with `ec2_instance_create_external_sg_id`.
+  Whether to associate existing or a new security group with the EC2 instance for external access. Default is `false`.
+  If set to `true`, existing security group provided with `ec2_instance_create_external_sg_name` or a new security group created by role will be associated with the instance.
 
 * **ec2_instance_create_external_sg_name**: (Optional)
   The name of the security group to create. Default is `ec2_instance_create-default-external-sg`.

diff --git a/roles/ec2_instance_create/meta/argument_specs.yml b/roles/ec2_instance_create/meta/argument_specs.yml
@@ -63,7 +63,7 @@ argument_specs:
         type: bool
       ec2_instance_create_associate_external_sg:
         description:
-          - Whether to create and associate a security group for external access.
+          - Whether to associate an existing or a new security group for external access.
         required: false
         default: false
         type: bool
@@ -96,11 +96,6 @@ argument_specs:
           - This is required when `ec2_instance_create_associate_external_sg` or `ec2_instance_create_associate_igw` is `true`.
         required: false
         type: str
-      ec2_instance_create_external_sg_id:
-        description:
-          - The ID or name of the security group to be associated with EC2 instance.
-        required: false
-        type: str
       ec2_instance_create_eip_tags:
         description:
           - Tags to assign to the Elastic IP.

diff --git a/roles/ec2_instance_create/tasks/ec2_instance_create_operations.yml b/roles/ec2_instance_create/tasks/ec2_instance_create_operations.yml
@@ -1,12 +1,4 @@
 ---
-- name: Verify exclusive parameters
-  block:
-    - name: Check for security group ID
-      ansible.builtin.fail:
-        msg: "ec2_instance_create_external_sg_id and ec2_instance_create_associate_external_sg are mutually exlcusive.
-              Please provide only one to either associate existing or create new sg."
-      when: ec2_instance_create_external_sg_id is defined and ec2_instance_create_associate_external_sg is defined and ec2_instance_create_external_sg_id != None and ec2_instance_create_associate_external_sg is true
-
 - name: Verify that an instance with same name does not exist
   block:
     - name: Get instane info with provided name
@@ -46,31 +38,38 @@
     image_id: "{{ ec2_instance_create_ami_id }}"
     key_name: "{{ ec2_instance_create_key_name }}"
     vpc_subnet_id: "{{ ec2_instance_create_vpc_subnet_id }}"
-    security_group: "{{ ec2_instance_create_external_sg_id | default(omit) }}"
     tags: "{{ ec2_instance_create_tags | default(omit) }}"
     wait: "{{ ec2_instance_create_wait_for_boot }}"
   register: ec2_instance
 
 - name: Create security group if enabled
   when: ec2_instance_create_associate_external_sg is true
   block:
-    - name: Define security group
+    - name: Get SG info
+      amazon.aws.ec2_security_group_info:
+        region: "{{ ec2_instance_create_aws_region }}"
+        filters:
+          group-name: "{{ ec2_instance_create_sg_name }}"
+      register: sg_info_result
+
+    - name: Create a new SG if it does not exist
       amazon.aws.ec2_security_group:
-        name: "{{ ec2_instance_create_external_sg_name }}"
-        description: "{{ ec2_instance_create_external_sg_description }}"
+        name: "{{ ec2_instance_create_sg_name }}"
+        description: "{{ ec2_instance_create_sg_description }}"
         vpc_id: "{{ ec2_instance_create_vpc_id }}"
-        rules: "{{ ec2_instance_create_external_sg_rules }}"
+        rules: "{{ ec2_instance_create_sg_rules }}"
         tags: "{{ ec2_instance_create_sg_tags | default(omit) }}"
-      register: ec2_group_creation
+      when: sg_info_result.security_groups | length == 0
+      register: sg_creation
 
-    - name: Associate security group with EC2 instance
+    - name: Associate the SG to EC2 Instance(existing or newly created)
       amazon.aws.ec2_instance:
         instance_ids:
           - "{{ ec2_instance.instance_ids[0] }}"
         security_groups:
-          - "{{ ec2_instance_create_external_sg_name }}"
+          - "{{ ec2_instance_create_sg_name }}"
         vpc_subnet_id: "{{ ec2_instance_create_vpc_subnet_id }}"
-      register: ec2_instance_associate_external_sg
+      register: ec2_instance_associate_sg
 
 - name: Create and Attach Internet Gateway if enabled
   when: ec2_instance_create_associate_igw is true