[aws] ec2_group multi-account and peered VPC bugfix (#45296)

* Add tests to replicate bug #44788 * Handle when userId is same account due to in-account peering * Module defaults for main.yml * Turn off VPC peering tests in CI
2025-07-22 21:00:22 -07:00 · 2018-09-06 15:06:03 -04:00 · 2018-09-06 15:06:03 -04:00 · 079299db4d
commit 079299db4d
parent 12e2d6d01f
3 changed files with 145 additions and 12 deletions
--- a/lib/ansible/modules/cloud/amazon/ec2_group.py
+++ b/lib/ansible/modules/cloud/amazon/ec2_group.py
@ -356,10 +356,10 @@ def to_permission(rule):
            pair = {}
            if rule.target[0]:
                pair['UserId'] = rule.target[0]
-            # groupid/groupname are mutually exclusive
-            if rule.target[1] and not rule.target[2]:
+            # group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
+            if rule.target[1]:
                pair['GroupId'] = rule.target[1]
-            if rule.target[2]:
+            elif rule.target[2]:
                pair['GroupName'] = rule.target[2]
            perm['UserIdGroupPairs'] = [pair]
        else:
@ -405,12 +405,6 @@ def rule_from_group_permission(perm):
    if 'UserIdGroupPairs' in perm and perm['UserIdGroupPairs']:
        for pair in perm['UserIdGroupPairs']:
            target = pair['GroupId']
-            if pair.get('UserId') and pair['UserId'] != current_account_id:
-                target = (
-                    pair.get('UserId', None),
-                    pair.get('GroupId', None),
-                    pair.get('GroupName', None),
-                )
            if pair.get('UserId', '').startswith('amazon-'):
                # amazon-elb and amazon-prefix rules don't need
                # group-id specified, so remove it when querying
@ -420,6 +414,12 @@ def rule_from_group_permission(perm):
                    None,
                    target[2],
                )
+            elif 'VpcPeeringConnectionId' in pair or pair['UserId'] != current_account_id:
+                target = (
+                    pair.get('UserId', None),
+                    pair.get('GroupId', None),
+                    pair.get('GroupName', None),
+                )

            yield Rule(
                ports_from_permission(perm),
@ -492,14 +492,15 @@ def get_target_from_rule(module, client, rule, name, group, groups, vpc_id):
    target_group_created = False

    validate_rule(module, rule)
-    if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']) and current_account_id not in rule['group_id']:
+    if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']):
        # this is a foreign Security Group. Since you can't fetch it you must create an instance of it
        owner_id, group_id, group_name = re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']).groups()
        group_instance = dict(UserId=owner_id, GroupId=group_id, GroupName=group_name)
        groups[group_id] = group_instance
        groups[group_name] = group_instance
+        # group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
        if group_id and group_name:
-            group_id = None
+            group_name = None
        return 'group', (owner_id, group_id, group_name), False
    elif 'group_id' in rule:
        return 'group', rule['group_id'], False