I have a playbook that creates VPC security groups.
It runs fine, but many times updates to existing security groups (mainly adding or removing ports) are not applied (Ansible does not detect them).
Original code:
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
New code (port 4567 added):
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
The output of the Ansible run is:

TASK [vpc : create sg_riemann_server rules] ************************************
ok: [localhost -> localhost] => {"changed": false, "group_id": "sg-ce89bcaa"}

Any idea why it is not updated with the new port (4567)?
The task create sg_riemann_elb rules has two items with the key rules, and one overrides the other. The fix is to define a single rules key with a list of the security group rules, like this:
...
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
...
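Why the run reported "changed": false is visible in the post itself: a YAML loader keeps only the last of two identical keys in one mapping, and the second rules: block in the new code (tcp 5555-5556 to the base server group) is exactly the rule set the original task already had, so the ec2_group module saw no difference. The following scanner, added here as an illustration and not part of the original question or answer, walks block-style YAML and reports any key that repeats inside the same mapping, so a playbook with this mistake fails a pre-commit check instead of silently deploying the wrong security group rules. It is a deliberately small scanner (plain unquoted keys, block style only, no multi-line scalars); the two task snippets embedded in it are constructed copies of the broken and fixed tasks above, trimmed of the region, vpc_id and name lines. For real pipelines, yamllint's key-duplicates rule performs the same check.

```python
"""Report duplicate mapping keys in block-style YAML (e.g. Ansible tasks).

Simplified scanner: plain unquoted keys, block style only, no multi-line
scalars or flow mappings. Added example; not code from the original post.
"""

import re

# A plain mapping key at the start of a line: "key:" or "key: value".
_KEY_RE = re.compile(r"^([A-Za-z0-9_.\-]+)\s*:(\s|$)")


def find_duplicate_keys(text):
    """Return [(line_no, key, first_line_no), ...] for every key that occurs
    more than once in the same mapping. Line numbers are 1-based."""
    duplicates = []
    # Stack of open mappings, innermost last: [key_column, {key: line_no}]
    stack = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        body = raw.strip()
        if not body or body.startswith("#"):
            continue
        indent = len(raw) - len(raw.lstrip(" "))
        if body == "-" or body.startswith("- "):
            # A sequence item opens a fresh mapping whose keys sit at the
            # column of the first token after the dash.
            after_dash = body[1:]
            indent += 1 + (len(after_dash) - len(after_dash.lstrip(" ")))
            body = after_dash.lstrip(" ")
            while stack and stack[-1][0] >= indent:
                stack.pop()
            stack.append([indent, {}])
        else:
            # A dedent closes every mapping opened deeper than this line;
            # an indent opens a new nested mapping.
            while stack and stack[-1][0] > indent:
                stack.pop()
            if not stack or stack[-1][0] != indent:
                stack.append([indent, {}])
        match = _KEY_RE.match(body)
        if not match:
            continue
        key = match.group(1)
        seen = stack[-1][1]
        if key in seen:
            duplicates.append((line_no, key, seen[key]))
        else:
            seen[key] = line_no
    return duplicates


# Constructed sample: the broken task from the post (two "rules:" keys).
BROKEN_TASK = """\
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
"""

# Constructed sample: the corrected task (one "rules:" key, two list items).
FIXED_TASK = """\
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
"""

if __name__ == "__main__":
    for label, doc in (("broken", BROKEN_TASK), ("fixed", FIXED_TASK)):
        for line_no, key, first in find_duplicate_keys(doc):
            print(f"{label}: line {line_no}: duplicate key '{key}' "
                  f"(first defined on line {first}); only the last one wins")
```

Run against the broken task the scanner flags the second rules: on line 11 as a duplicate of the one on line 5; the fixed task produces no findings. Because the loader discards the first definition, a duplicate key in a security group task can drop an intended rule (or, if the order were reversed, leave an unintended port open), so this check belongs in CI next to ansible-lint rather than being left to a human diff review.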