change ec2_instance_create_external_sg_rules to list of dicts

roles/ec2_instance_create/README.md

@@ -42,8 +42,8 @@ The following variables can be set in the role to customize EC2 instance creatio
   Whether to create an Elastic IP (EIP) and associate it with the EC2 instance. Default is `false`.
 
 * **ec2_instance_create_associate_igw**: (Optional)
-  Whether to create and associate a internet gateway with the EC2 instance. Default is `false`.
-  If set to `true`, a internet gateway will be created or associated with the instance.
+  Whether to create and associate an internet gateway with the EC2 instance. Default is `false`.
+  If set to `true`, an internet gateway will be created or associated with the instance.
 
 * **ec2_instance_create_associate_external_sg**: (Optional)
   Whether to create and associate a security group with the EC2 instance for external access. Default is `false`.
@@ -58,6 +58,9 @@ The following variables can be set in the role to customize EC2 instance creatio
 * **ec2_instance_create_external_sg_port**: (Optional)
   The port to open in the security group. Default is `22`.
 
+* **ec2_instance_create_external_sg_rules**: (Optional)
+  A list of custom rules to add to the security group. Each rule is a dictionary with `proto`, `ports`, and `cidr_ip` keys. Default is to allow SSH (port 22) from `0.0.0.0/0`.
+
 * **ec2_instance_create_sg_tags**: (Optional)
   Tags to assign to the security group.
 
@@ -87,14 +90,19 @@ Here’s an example of how to use the role in a playbook.
           ec2_instance_create_external_sg_name: my-custom-sg
           ec2_instance_create_external_sg_description: Security group for my custom access
           ec2_instance_create_external_sg_port: 22
+          ec2_instance_create_external_sg_rules:
+            - proto: tcp
+              ports:
+                - 80
+              cidr_ip: "0.0.0.0/0"
           ec2_instance_create_sg_tags:
             Component: my-custom-sg
             Environment: Testing
           # Optionally, enable Elastic IP association
           ec2_instance_create_associate_eip: true
-              ec2_instance_create_eip_tags:
-                Component: my-test-eip
-                Environment: Testing
+          ec2_instance_create_eip_tags:
+            Component: my-test-eip
+            Environment: Testing
 
 License
 -------

roles/ec2_instance_create/defaults/main.yml

@@ -6,3 +6,7 @@ ec2_instance_create_external_sg_description: "Security group for external access
 ec2_instance_create_external_sg_name: "default-external-sg"
 ec2_instance_create_external_sg_port: 22
 ec2_instance_create_wait_for_boot: true
+ec2_instance_create_external_sg_rules:
+  - proto: tcp
+    ports: 22
+    cidr_ip: "0.0.0.0/0"

roles/ec2_instance_create/tasks/main.yml

@@ -19,17 +19,13 @@
     - name: Create security group if enabled
       when: ec2_instance_create_associate_external_sg is true
       block:
-        - name: Define security group with access rules
+        - name: Define security group with default SSH access rule
           amazon.aws.ec2_group:
             name: "{{ ec2_instance_create_external_sg_name | default('default-external-sg') }}"
             description: "{{ ec2_instance_create_external_sg_description | default('Security group for external access') }}"
             vpc_id: "{{ ec2_instance_create_vpc_id }}"
-            rules:
-              - proto: tcp
-                ports:
-                  - "{{ ec2_instance_create_external_sg_port | default(22) }}"
-                cidr_ip: "0.0.0.0/0"
-            tags: "{{ ec2_instance_create_sg_tags | default(omit) }}"
+            rules: "{{ ec2_instance_create_external_sg_rules }}"
+          register: ec2_group_creation
 
         - name: Associate security group with EC2 instance
           amazon.aws.ec2_instance: