Saltstack: (boto_secgroup) add an allow-all-TRAFFIC rule to a security group

Time: 2015-07-02 03:50:55

Tags: amazon-web-services boto salt-stack ec2-api-tools aws-ec2

[Using salt --version: 2015.5.0] I want to add a rule that allows all TRAFFIC from another security group.

I have this in my pillar:

securitygroups:
    groups:
       - name: NFS
         region: us-east-1
         vpc_id: vpc-1234
         description: desc
         rules:
           - ip_protocol: -1
             from_port: -1
             to_port: -1
             ec2_group: sg123456

The API suggests using -1 to specify all IpProtocol. But I get this error:

----------
          ID: secgroups_NFSecurityGroup
    Function: boto_secgroup.present
        Name: NFSecurityGroup
      Result: False
     Comment: An exception occurred in this state: Traceback (most recent call last):
                File "/usr/lib/python2.6/site-packages/salt/state.py", line 1563, in call
                  **cdata['kwargs'])
                File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 140, in present
                  _ret = _rules_present(name, rules, vpc_id, region, key, keyid, profile)
                File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 345, in _rules_present
                  to_delete, to_create = _get_rule_changes(rules, sg['rules'])
                File "/usr/lib/python2.6/site-packages/salt/states/boto_secgroup.py", line 265, in _get_rule_changes
                  raise SaltInvocationError(msg.format(ip_protocol))
              SaltInvocationError: Invalid ip_protocol traffic specified in security group rule.
     Started: 03:09:58.163808
    Duration: 235.323 ms

from_port: -1 and to_port: -1 work fine if ip_protocol is specified as one of: icmp | tcp | udp

1 answer:

Answer 0: (score: 0)

I think the -1 value for the protocol only applies to security groups that belong to a VPC. For EC2-Classic, I think you have to add three separate rules, one per protocol.
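The per-protocol workaround the answer describes, as an added example (not Salt's or boto's own code): a hypothetical helper that expands a pillar rule with `ip_protocol: -1` into three explicit tcp/udp/icmp rules and rejects protocol names the 2015.5 state would not accept. The port ranges used for "all ports" are an assumption matching the EC2 API convention.

```python
"""Expand an 'all traffic' security-group rule into per-protocol rules.

Hypothetical helper, not part of Salt or boto: mirrors the workaround in
the answer (one rule each for tcp, udp and icmp) for backends that reject
ip_protocol -1.
"""

# Port ranges meaning "every port" per protocol; -1/-1 for icmp means all
# ICMP types/codes (assumed convention matching the EC2 API).
ALL_PORTS = {
    "tcp": (0, 65535),
    "udp": (0, 65535),
    "icmp": (-1, -1),
}
SUPPORTED = set(ALL_PORTS)


def expand_rules(rules):
    """Return a new rule list where ip_protocol -1 / 'all' is replaced by
    three explicit rules. Other rules are copied unchanged. Raises
    ValueError for a protocol that is neither a supported name nor -1."""
    expanded = []
    for rule in rules:
        proto = str(rule.get("ip_protocol", "")).lower()
        if proto in ("-1", "all"):
            for name, (lo, hi) in ALL_PORTS.items():
                new = dict(rule)  # keep ec2_group / cidr_ip etc. intact
                new.update(ip_protocol=name, from_port=lo, to_port=hi)
                expanded.append(new)
        elif proto in SUPPORTED:
            expanded.append(dict(rule))
        else:
            raise ValueError(
                "Invalid ip_protocol {0} specified in security group rule."
                .format(proto))
    return expanded


# Constructed sample mirroring the pillar from the question.
PILLAR_RULES = [
    {"ip_protocol": -1, "from_port": -1, "to_port": -1, "ec2_group": "sg123456"},
]

if __name__ == "__main__":
    for r in expand_rules(PILLAR_RULES):
        print(r)
```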