I have a playbook that creates VPC security groups. It works well, but often updates to an existing security group (mainly adding or removing ports) are not applied (Ansible does not detect them).
Original code:
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
New code (adding port 4567):
- name: create sg_riemann_elb rules
  local_action:
    module: ec2_group
    region: "{{ region }}"
    vpc_id: "{{ vpc.vpc.id }}"
    name: "sg_riemann_elb"
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_riemann_server"
        group_desc: security group for Riemann servers
The output of the Ansible run is:
TASK [vpc : create sg_riemann_server rules] ************************************
ok: [localhost -> localhost] => {"changed": false, "group_id": "sg-ce89bcaa"}
Any idea why it is not updated with the new port (4567)?
Answer 0 (score: 3)
There are two `rules` keys in the task create sg_riemann_elb rules, and one overrides the other. The fix is to define only one `rules` key with the list of security group rules, like this:
...
    description: security group for Riemann elb
    rules:
      - proto: tcp
        from_port: 4567
        to_port: 4567
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
      - proto: tcp
        from_port: 5555
        to_port: 5556
        group_name: "{{ realm }}_sg_base_server"
        group_desc: security group for all servers
    rules_egress:
...
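An added check, not part of the question or the answer, assuming PyYAML (the parser Ansible builds on) is installed: a loader that reports repeated mapping keys, run against a constructed cut-down copy of the broken task and of the fixed one, alongside the rule list a plain load actually yields for each (the last duplicate key wins, so the 4567 rule never reaches ec2_group).

```python
import yaml


class DupKeyLoader(yaml.SafeLoader):
    """SafeLoader that records repeated keys instead of silently keeping the last one."""

    def __init__(self, stream):
        super().__init__(stream)
        self.duplicates = []  # (key, 1-based line of the repeated key)

    def construct_mapping(self, node, deep=False):
        seen = set()
        for key_node, _ in node.value:
            key = self.construct_object(key_node, deep=deep)
            if key in seen:
                self.duplicates.append((key, key_node.start_mark.line + 1))
            seen.add(key)
        return super().construct_mapping(node, deep=deep)


def find_duplicate_keys(text):
    """Return [(key, line), ...] for every repeated mapping key in a YAML document."""
    loader = DupKeyLoader(text)
    try:
        loader.get_single_data()
    finally:
        loader.dispose()
    return loader.duplicates


def loaded_ports(text):
    """(from_port, to_port) pairs that survive a plain load, i.e. what ec2_group would see."""
    task = yaml.safe_load(text)[0]["local_action"]
    return [(r["from_port"], r["to_port"]) for r in task["rules"]]


# Constructed, cut-down copies of the task from the question (hypothetical sample input).
HEAD = "- name: create sg_riemann_elb rules\n  local_action:\n    module: ec2_group\n"
RULE_4567 = "      - proto: tcp\n        from_port: 4567\n        to_port: 4567\n"
RULE_5555 = "      - proto: tcp\n        from_port: 5555\n        to_port: 5556\n"
BROKEN = HEAD + "    rules:\n" + RULE_4567 + "    rules:\n" + RULE_5555  # two `rules:` keys
FIXED = HEAD + "    rules:\n" + RULE_4567 + RULE_5555                     # one list, two rules

if __name__ == "__main__":
    print("duplicates in BROKEN:", find_duplicate_keys(BROKEN))  # [('rules', 8)]
    print("ports in BROKEN:", loaded_ports(BROKEN))              # [(5555, 5556)]
    print("duplicates in FIXED:", find_duplicate_keys(FIXED))    # []
    print("ports in FIXED:", loaded_ports(FIXED))                # [(4567, 4567), (5555, 5556)]
```

Running find_duplicate_keys over a playbook before ansible-playbook catches this class of silent rule loss, which the "changed": false output above gives no hint of.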