[aws] ec2_group multi-account and peered VPC bugfix (#45296)

* Add tests to replicate bug #44788 

* Handle when userId is same account due to in-account peering

* Module defaults for main.yml

* Turn off VPC peering tests in CI
This commit is contained in:
Ryan Brown 2018-09-06 15:06:03 -04:00 committed by GitHub
commit 079299db4d
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
3 changed files with 145 additions and 12 deletions

View file

@ -356,10 +356,10 @@ def to_permission(rule):
pair = {}
if rule.target[0]:
pair['UserId'] = rule.target[0]
# groupid/groupname are mutually exclusive
if rule.target[1] and not rule.target[2]:
# group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
if rule.target[1]:
pair['GroupId'] = rule.target[1]
if rule.target[2]:
elif rule.target[2]:
pair['GroupName'] = rule.target[2]
perm['UserIdGroupPairs'] = [pair]
else:
@ -405,12 +405,6 @@ def rule_from_group_permission(perm):
if 'UserIdGroupPairs' in perm and perm['UserIdGroupPairs']:
for pair in perm['UserIdGroupPairs']:
target = pair['GroupId']
if pair.get('UserId') and pair['UserId'] != current_account_id:
target = (
pair.get('UserId', None),
pair.get('GroupId', None),
pair.get('GroupName', None),
)
if pair.get('UserId', '').startswith('amazon-'):
# amazon-elb and amazon-prefix rules don't need
# group-id specified, so remove it when querying
@ -420,6 +414,12 @@ def rule_from_group_permission(perm):
None,
target[2],
)
elif 'VpcPeeringConnectionId' in pair or pair['UserId'] != current_account_id:
target = (
pair.get('UserId', None),
pair.get('GroupId', None),
pair.get('GroupName', None),
)
yield Rule(
ports_from_permission(perm),
@ -492,14 +492,15 @@ def get_target_from_rule(module, client, rule, name, group, groups, vpc_id):
target_group_created = False
validate_rule(module, rule)
if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']) and current_account_id not in rule['group_id']:
if rule.get('group_id') and re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']):
# this is a foreign Security Group. Since you can't fetch it you must create an instance of it
owner_id, group_id, group_name = re.match(FOREIGN_SECURITY_GROUP_REGEX, rule['group_id']).groups()
group_instance = dict(UserId=owner_id, GroupId=group_id, GroupName=group_name)
groups[group_id] = group_instance
groups[group_name] = group_instance
# group_id/group_name are mutually exclusive - give group_id more precedence as it is more specific
if group_id and group_name:
group_id = None
group_name = None
return 'group', (owner_id, group_id, group_name), False
elif 'group_id' in rule:
return 'group', rule['group_id'], False