From f8a830b7819fe150d9653df28a65564a76ae0567 Mon Sep 17 00:00:00 2001 From: Mark Chappell Date: Mon, 25 Oct 2021 11:21:06 +0200 Subject: [PATCH] ec2_vpc_endpoint - Add vpc_endpint_subnets and vpc_endpoint_security_groups parameters. (#544) ec2_vpc_endpoint - Add vpc_endpint_subnets and vpc_endpoint_security_groups parameters. SUMMARY Add support for setting the subnet and security group used by the Endpoint ISSUE TYPE Feature Pull Request COMPONENT NAME ec2_vpc_endpoint ADDITIONAL INFORMATION Originally submitted as ansible-collections/community.aws#589 Reviewed-by: Alina Buzachis Reviewed-by: None
---
 ...544-vpc-endpoint-add-subnets-sg-option.yml | 3 ++
 plugins/modules/ec2_vpc_endpoint.py | 39 ++++++++++++++++
 .../targets/ec2_vpc_endpoint/tasks/main.yml | 45 +++++++++++++++++++
 3 files changed, 87 insertions(+)
 create mode 100644 changelogs/fragments/544-vpc-endpoint-add-subnets-sg-option.yml
diff --git a/changelogs/fragments/544-vpc-endpoint-add-subnets-sg-option.yml b/changelogs/fragments/544-vpc-endpoint-add-subnets-sg-option.yml
new file mode 100644
index 00000000000..4c68f502194
--- /dev/null
+++ b/changelogs/fragments/544-vpc-endpoint-add-subnets-sg-option.yml
@@ -0,0 +1,3 @@
+minor_changes:
+- ec2_vpc_endpoint - added ``vpc_endpoint_subnets`` parameter to support defining the subnet attached to an interface or gateway endpoint (https://github.com/ansible-collections/amazon.aws/pull/544).
+- ec2_vpc_endpoint - added ``vpc_endpoint_security_groups`` parameter to support defining the security group attached to an interface endpoint (https://github.com/ansible-collections/amazon.aws/pull/544).
diff --git a/plugins/modules/ec2_vpc_endpoint.py b/plugins/modules/ec2_vpc_endpoint.py
index 79faab053d7..44b72834839 100644
--- a/plugins/modules/ec2_vpc_endpoint.py
+++ b/plugins/modules/ec2_vpc_endpoint.py
@@ -28,6 +28,22 @@
 choices: [ "Interface", "Gateway", "GatewayLoadBalancer" ]
 type: str
 version_added: 1.5.0
+ vpc_endpoint_subnets:
+ description:
+ - The list of subnets to attach to the endpoint.
+ - Requires I(vpc_endpoint_type=GatewayLoadBalancer) or I(vpc_endpoint_type=Interface).
+ required: false
+ type: list
+ elements: str
+ version_added: 2.1.0
+ vpc_endpoint_security_groups:
+ description:
+ - The list of security groups to attach to the endpoint.
+ - Requires I(vpc_endpoint_type=GatewayLoadBalancer) or I(vpc_endpoint_type=Interface).
+ required: false
+ type: list
+ elements: str
+ version_added: 2.1.0
 service:
 description:
 - An AWS supported vpc endpoint service. Use the M(amazon.aws.ec2_vpc_endpoint_info)
@@ -301,6 +317,12 @@ def create_vpc_endpoint(client, module):
 if module.params.get('route_table_ids'):
 params['RouteTableIds'] = module.params.get('route_table_ids')
+ if module.params.get('vpc_endpoint_subnets'):
+ params['SubnetIds'] = module.params.get('vpc_endpoint_subnets')
+
+ if module.params.get('vpc_endpoint_security_groups'):
+ params['SecurityGroupIds'] = module.params.get('vpc_endpoint_security_groups')
+
 if module.params.get('client_token'):
 token_provided = True
 request_time = datetime.datetime.utcnow()
@@ -398,6 +420,8 @@ def main():
 argument_spec = dict(
 vpc_id=dict(),
 vpc_endpoint_type=dict(default='Gateway', choices=['Interface', 'Gateway', 'GatewayLoadBalancer']),
+ vpc_endpoint_security_groups=dict(type='list', elements='str'),
+ vpc_endpoint_subnets=dict(type='list', elements='str'),
 service=dict(),
 policy=dict(type='json'),
 policy_file=dict(type='path', aliases=['policy_path']),
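Review bot: The `vpc_endpoint_security_groups` description states the option is accepted with I(vpc_endpoint_type=GatewayLoadBalancer), but the validation this same patch adds to main() rejects security groups for that endpoint type, so the documentation and the code disagree. The second bullet under that option should read `- Requires I(vpc_endpoint_type=Interface).`, which also matches the changelog fragment, where the security-group option is described for interface endpoints only. The enclosing documentation string starts and ends outside the hunk.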
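Review bot: The new SubnetIds and SecurityGroupIds keys are only placed in the creation request, so as far as this hunk shows an endpoint that already exists with different subnets or security groups is presumably left untouched rather than reconciled; if that is the intended scope, the option documentation should state it, e.g. `- Changing the subnets or security groups of an existing endpoint is not supported.`. The truthiness tests also mean an explicitly empty list is treated the same as an omitted option, which is worth a one-line comment above the first new `if`: `# empty lists are treated as "not specified"`. create_vpc_endpoint starts and ends outside the hunk.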
@@ -428,6 +452,21 @@ def main():
 ' will be removed after 2022-12-01',
 date='2022-12-01', collection_name='amazon.aws')
+ if module.params.get('vpc_endpoint_type'):
+ if module.params.get('vpc_endpoint_type') == 'Gateway':
+ if module.params.get('vpc_endpoint_subnets') or module.params.get('vpc_endpoint_security_groups'):
+ module.fail_json(msg="Parameter vpc_endpoint_subnets and/or vpc_endpoint_security_groups can't be used with Gateway endpoint type")
+
+ if module.params.get('vpc_endpoint_type') == 'GatewayLoadBalancer':
+ if module.params.get('vpc_endpoint_security_groups'):
+ module.fail_json(msg="Parameter vpc_endpoint_security_groups can't be used with GatewayLoadBalancer endpoint type")
+
+ if module.params.get('vpc_endpoint_type') == 'Interface':
+ if module.params.get('vpc_endpoint_subnets') and not module.params.get('vpc_endpoint_security_groups'):
+ module.fail_json(msg="Parameter vpc_endpoint_security_groups must be set when endpoint type is Interface and vpc_endpoint_subnets is defined")
+ if not module.params.get('vpc_endpoint_subnets') and module.params.get('vpc_endpoint_security_groups'):
+ module.fail_json(msg="Parameter vpc_endpoint_subnets must be set when endpoint type is Interface and vpc_endpoint_security_groups is defined")
+
 try:
 ec2 = module.client('ec2', retry_decorator=AWSRetry.jittered_backoff())
 except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:
diff --git a/tests/integration/targets/ec2_vpc_endpoint/tasks/main.yml b/tests/integration/targets/ec2_vpc_endpoint/tasks/main.yml
index b3ef4e23315..514912d3ae7 100644
--- a/tests/integration/targets/ec2_vpc_endpoint/tasks/main.yml
+++ b/tests/integration/targets/ec2_vpc_endpoint/tasks/main.yml
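Review bot: The outer `if module.params.get('vpc_endpoint_type'):` can never be false, because the argument_spec added earlier in this patch gives vpc_endpoint_type the default 'Gateway', and each nested branch re-reads the same three parameters up to four times. Binding the three values once and chaining the endpoint-type checks with elif makes the mutually exclusive cases read as such and drops the dead guard. The Interface branch should also carry a comment saying why the two options are required together: AWS accepts subnets without a security group for an interface endpoint and then associates the VPC's default security group with the endpoint interface, so insisting on an explicit group keeps that fallback from being relied on unintentionally. main() starts and ends outside the hunk.
```python
    vpc_endpoint_type = module.params.get('vpc_endpoint_type')
    subnets = module.params.get('vpc_endpoint_subnets')
    security_groups = module.params.get('vpc_endpoint_security_groups')
    if vpc_endpoint_type == 'Gateway' and (subnets or security_groups):
        module.fail_json(msg="Parameter vpc_endpoint_subnets and/or vpc_endpoint_security_groups can't be used with Gateway endpoint type")
    elif vpc_endpoint_type == 'GatewayLoadBalancer' and security_groups:
        module.fail_json(msg="Parameter vpc_endpoint_security_groups can't be used with GatewayLoadBalancer endpoint type")
    elif vpc_endpoint_type == 'Interface':
        # Require subnets and security groups together: without an explicit group
        # AWS attaches the VPC default security group to the endpoint interface.
        if subnets and not security_groups:
            module.fail_json(msg="Parameter vpc_endpoint_security_groups must be set when endpoint type is Interface and vpc_endpoint_subnets is defined")
        if security_groups and not subnets:
            module.fail_json(msg="Parameter vpc_endpoint_subnets must be set when endpoint type is Interface and vpc_endpoint_security_groups is defined")
    # … unchanged: client creation and the rest of main() …
```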
@@ -754,6 +754,51 @@
 that:
 - interface_endpoint_delete_check is changed
+ - name: Create a subnet
+ ec2_vpc_subnet:
+ state: present
+ vpc_id: '{{ vpc_id }}'
+ az: "{{ aws_region}}a"
+ cidr: "{{ vpc_cidr }}"
+ register: interface_endpoint_create_subnet_check
+
+ - name: Create a security group
+ ec2_group:
+ name: securitygroup-prodext
+ description: "security group for Ansible interface endpoint"
+ state: present
+ vpc_id: "{{ vpc.vpc.id }}"
+ rules:
+ - proto: tcp
+ from_port: 1
+ to_port: 65535
+ cidr_ip: 0.0.0.0/0
+ register: interface_endpoint_create_sg_check
+
+ - name: Create interface endpoint attached to a subnet
+ ec2_vpc_endpoint:
+ state: present
+ vpc_id: '{{ vpc_id }}'
+ service: '{{ endpoint_service_a }}'
+ vpc_endpoint_type: Interface
+ vpc_endpoint_subnets: "{{ interface_endpoint_create_subnet_check.subnet.id') }}"
+ vpc_endpoint_security_groups: "{{ interface_endpoint_create_sg_check.group_id }}"
+ register: create_interface_endpoint_with_sg_subnets
+ - name: Check that the interface endpoint was created properly
+ assert:
+ that:
+ - create_interface_endpoint_with_sg_subnets is changed
+ - create_interface_endpoint_with_sg_subnets.result.vpc_endpoint_type == "Interface"
+
+ - name: Delete interface endpoint
+ ec2_vpc_endpoint:
+ state: absent
+ vpc_endpoint_id: "{{ create_interface_endpoint_with_sg_subnets.result.vpc_endpoint_id }}"
+ register: create_interface_endpoint_with_sg_subnets_delete_check
+ - assert:
+ that:
+ - create_interface_endpoint_with_sg_subnets_delete_check is changed
+
 # ============================================================
 # BEGIN POST-TEST CLEANUP
 always:
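Review bot: The `vpc_endpoint_subnets` value in the "Create interface endpoint attached to a subnet" task contains a stray `')` inside the Jinja expression (`interface_endpoint_create_subnet_check.subnet.id')`), which is a template syntax error that fails the task before the module runs; it should read `vpc_endpoint_subnets: "{{ interface_endpoint_create_subnet_check.subnet.id }}"`. The security-group task uses `vpc_id: "{{ vpc.vpc.id }}"` while the neighbouring tasks use `{{ vpc_id }}`; unless a `vpc` result is registered earlier in the file, that reference is undefined. The ingress rule on that group admits 0.0.0.0/0 on every TCP port, which is wider than an endpoint interface in a test VPC needs — `cidr_ip: "{{ vpc_cidr }}"` covers the test. The subnet and security group created here have no matching removal in this hunk; the `always:` cleanup block that follows continues outside the hunk, so their deletion should be confirmed there.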