mirror of
https://github.com/ansible-collections/community.general.git
synced 2025-07-22 21:00:22 -07:00
[aws] ec2_group multi-account and peered VPC bugfix (#45296)
* Add tests to replicate bug #44788 * Handle when userId is same account due to in-account peering * Module defaults for main.yml * Turn off VPC peering tests in CI
This commit is contained in:
parent
12e2d6d01f
commit
079299db4d
3 changed files with 145 additions and 12 deletions
|
@ -356,10 +356,10 @@ def to_permission(rule):
|
|||
pair = {}
|
||||
if rule.target[0]:
|
||||
pair['UserId'] = rule.target[0]
|
||||
# groupid/groupname are mutually exclusive
|
||||
if rule.target[1] and not rule.target[2]:
|
||||
# group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
|
||||
if rule.target[1]:
|
||||
pair['GroupId'] = rule.target[1]
|
||||
if rule.target[2]:
|
||||
elif rule.target[2]:
|
||||
pair['GroupName'] = rule.target[2]
|
||||
perm['UserIdGroupPairs'] = [pair]
|
||||
else:
|
||||
|
@ -405,12 +405,6 @@ def rule_from_group_permission(perm):
|
|||
if 'UserIdGroupPairs' in perm and perm['UserIdGroupPairs']:
|
||||
for pair in perm['UserIdGroupPairs']:
|
||||
target = pair['GroupId']
|
||||
if pair.get('UserId') and pair['UserId'] != current_account_id:
|
||||
target = (
|
||||
pair.get('UserId', None),
|
||||
pair.get('GroupId', None),
|
||||
pair.get('GroupName', None),
|
||||
)
|
||||
if pair.get('UserId', '').startswith('amazon-'):
|
||||
# amazon-elb and amazon-prefix rules don't need
|
||||
# group-id specified, so remove it when querying
|
||||
|
@ -420,6 +414,12 @@ def rule_from_group_permission(perm):
|
|||
None,
|
||||
target[2],
|
||||
)
|
||||
elif 'VpcPeeringConnectionId' in pair or pair['UserId'] != current_account_id:
|
||||
target = (
|
||||
pair.get('UserId', None),
|
||||
pair.get('GroupId', None),
|
||||
pair.get('GroupName', None),
|
||||
)
|
||||
|
||||
yield Rule(
|
||||
ports_from_permission(perm),
|
||||
|
@ -492,14 +492,15 @@ def get_target_from_rule(module, client, rule, name, group, groups, vpc_id):
|
|||
target_group_created = False
|
||||
|
||||
validate_rule(module, rule)
|
||||
if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']) and current_account_id not in rule['group_id']:
|
||||
if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']):
|
||||
# this is a foreign Security Group. Since you can't fetch it you must create an instance of it
|
||||
owner_id, group_id, group_name = re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']).groups()
|
||||
group_instance = dict(UserId=owner_id, GroupId=group_id, GroupName=group_name)
|
||||
groups[group_id] = group_instance
|
||||
groups[group_name] = group_instance
|
||||
# group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
|
||||
if group_id and group_name:
|
||||
group_id = None
|
||||
group_name = None
|
||||
return 'group', (owner_id, group_id, group_name), False
|
||||
elif 'group_id' in rule:
|
||||
return 'group', rule['group_id'], False
|
||||
|
|
Loading…
Add table
Add a link
Reference in a new issue