I am trying to add rules to a security group. The task runs without errors, but after a successful run only the last CIDR has been added to the security group.

- name: Edit security group to accept connections from other sg groups in other availability zones
  amazon.aws.ec2_group:
    name: nodes-sg
    description: nodes security group
    vpc_id: "{{vpc_id}}"
    region: "{{aws_region}}"
    tags:
      Name: nodes-sg
    rules:
      - proto: udp
        ports:
          - 30303
        cidr_ip: "{{item.cidr}}"
        rule_desc: "{{item.desc}}"
      - proto: tcp
        ports:
          - 30303
          - 26656
        cidr_ip: "{{item.cidr}}"
        rule_desc: "{{item.desc}}"
      - proto: icmp
        from_port: 8 # icmp type, -1 = any type
        to_port: -1 # icmp subtype, -1 = any subtype
        cidr_ip: "{{item.cidr}}"
        rule_desc: "{{item.desc}}"
  when: vpc_cidr != item.cidr
  loop:
    - { cidr: '10.92.0.0/16', desc: 'peering ap-northeast-2 mainnet-v1-1' }
    - { cidr: '10.115.0.0/16', desc: 'peering sa-east-1 mainnet-v1-1' }
    - { cidr: '172.98.0.0/16', desc: 'peering eu-north-1 mainnet-v1-1' }
    - { cidr: '10.212.0.0/16', desc: 'peering ca-central-1 mainnet-v1-1' }
    - { cidr: '172.112.0.0/16', desc: 'peering ap-southeast-2 mainnet-v1-1' }
    - { cidr: '10.159.0.0/16', desc: 'peering eu-west-2 mainnet-v1-1' }

Posted on 2021-07-06 02:49:44
Yes, Ansible is effectively "last commit wins": unless you insert an ec2_group_info: before the ec2_group: and merge the results by hand, Ansible believes you have given it the whole story and will not merge anything on its own.

What you want is to do all of that filtering business in a vars: block or a separate set_fact:, and then, at the last moment, assign it to the rules: param of ec2_group:
tasks:
  - name: declare ec2_group rules for not my vpc_cidr
    set_fact:
      ec2_group_rules: '{{ ec2_group_rules_yaml | from_yaml }}'
    vars:
      cidrs:
        - { cidr: '10.92.0.0/16', desc: 'peering ap-northeast-2 mainnet-v1-1' }
        - { cidr: '10.115.0.0/16', desc: 'peering sa-east-1 mainnet-v1-1' }
        - { cidr: '172.98.0.0/16', desc: 'peering eu-north-1 mainnet-v1-1' }
        - { cidr: '10.212.0.0/16', desc: 'peering ca-central-1 mainnet-v1-1' }
        - { cidr: '172.112.0.0/16', desc: 'peering ap-southeast-2 mainnet-v1-1' }
        - { cidr: '10.159.0.0/16', desc: 'peering eu-west-2 mainnet-v1-1' }
      ec2_group_rules_yaml: |
        {% for item in cidrs | rejectattr("cidr", "eq", vpc_cidr) | list %}
        - proto: udp
          ports:
            - 30303
          cidr_ip: "{{item.cidr}}"
          rule_desc: "{{item.desc}}"
        - proto: tcp
          ports:
            - 30303
            - 26656
          cidr_ip: "{{item.cidr}}"
          rule_desc: "{{item.desc}}"
        - proto: icmp
          from_port: 8 # icmp type, -1 = any type
          to_port: -1 # icmp subtype, -1 = any subtype
          cidr_ip: "{{item.cidr}}"
          rule_desc: "{{item.desc}}"
        {% endfor %}

The ec2_group_rules_yaml: business is a concession to keeping the parameterized version readable, but one cannot (easily) use set_fact: together with loop: without some silliness.
As I mentioned, it is also entirely possible to skip the set_fact: and put those vars: on the ec2_group: task itself, like so:
amazon.aws.ec2_group:
  name: nodes-sg
  description: nodes security group
  vpc_id: "{{vpc_id}}"
  region: "{{aws_region}}"
  tags:
    Name: nodes-sg
  rules: '{{ ec2_group_rules_yaml | from_yaml }}'

but that form is harder for me to test locally :-D
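To make the "last commit wins" behaviour concrete, here is a constructed Python stand-in (added here; it is not code from the question, the answer, or the amazon.aws collection) that models one ec2_group call as "the rules: parameter becomes the group's entire ingress set", which is what the module does when purge_rules is left at its default of true. It assumes a vpc_cidr of 10.92.0.0/16 and uses the first three loop items from the question, and contrasts the per-item loop with the merged single call the answer recommends.

```python
# Constructed stand-in for the behaviour discussed above, not Ansible or amazon.aws code.
# Assumption: amazon.aws.ec2_group is left at its default purge_rules=true, so the
# `rules:` parameter is the complete desired ingress set and unlisted rules are removed.
VPC_CIDR = "10.92.0.0/16"  # assumed value for vpc_cidr; matches the first loop item

# The question's loop items (first three, for brevity).
PEERS = [
    {"cidr": "10.92.0.0/16", "desc": "peering ap-northeast-2 mainnet-v1-1"},
    {"cidr": "10.115.0.0/16", "desc": "peering sa-east-1 mainnet-v1-1"},
    {"cidr": "172.98.0.0/16", "desc": "peering eu-north-1 mainnet-v1-1"},
]


def rules_for(item):
    """The three rules the task declares for one CIDR (udp/tcp ports, icmp echo)."""
    c, d = item["cidr"], item["desc"]
    return [
        {"proto": "udp", "ports": [30303], "cidr_ip": c, "rule_desc": d},
        {"proto": "tcp", "ports": [30303, 26656], "cidr_ip": c, "rule_desc": d},
        {"proto": "icmp", "from_port": 8, "to_port": -1, "cidr_ip": c, "rule_desc": d},
    ]


def apply_ec2_group(desired_rules):
    """Model one module call: the group's ingress becomes exactly `desired_rules`.
    Nothing is merged with what the group held before the call."""
    return list(desired_rules)


def looped_task(peers, vpc_cidr):
    """Question's form: one module call per loop item, each passing only that item's
    rules, so every call replaces what the previous call added."""
    group = []
    for item in peers:
        if vpc_cidr != item["cidr"]:  # the task's when: clause
            group = apply_ec2_group(rules_for(item))
    return group


def merged_task(peers, vpc_cidr):
    """Answer's form: build the full list first (what the Jinja for-loop over
    cidrs | rejectattr("cidr", "eq", vpc_cidr) renders), then call the module once."""
    desired = [r for item in peers if item["cidr"] != vpc_cidr for r in rules_for(item)]
    return apply_ec2_group(desired)


def cidrs_in(group):
    """Distinct source CIDRs present in the group's rules, sorted."""
    return sorted({r["cidr_ip"] for r in group})
```

With the loop, only the last non-VPC CIDR (172.98.0.0/16) survives; with the merged list, both peer CIDRs get all three rules.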
https://stackoverflow.com/questions/68254495