[cloud]Ensure SGs in default VPCs get default egress rule (ansible#38018

) SGs created when a VPC ID was not specified would not necessarily get the default egress rule, even when no explicit egress rules were set. Add some checks for egress rules in results from existing tests
mgu · Mar 28, 2018 · 98b29f8 · 98b29f8
1 parent 9dfb665
commit 98b29f8
Show file tree

Hide file tree

Showing 2 changed files with 7 additions and 1 deletion.
diff --git a/lib/ansible/modules/cloud/amazon/ec2_group.py b/lib/ansible/modules/cloud/amazon/ec2_group.py
@@ -941,7 +941,7 @@ def main():
                     # If rule already exists, don't later delete it
                     changed, ip_permission = authorize_ip("out", changed, client, group, groupRules, ipv6,
                                                           ip_permission, module, rule, "ipv6")
-        elif vpc_id is not None:
+        elif 'VpcId' in group:
             # when no egress rules are specified and we're in a VPC,
             # we add in a default allow all out rule, which was the
             # default behavior before egress rules were added

diff --git a/test/integration/targets/ec2_group/tasks/main.yml b/test/integration/targets/ec2_group/tasks/main.yml
@@ -422,6 +422,8 @@
         that:
         - 'result.changed'
         - 'result.group_id.startswith("sg-")'
+        - 'result.ip_permissions|length == 1'
+        - 'result.ip_permissions_egress|length == 1'
 
     # ============================================================
     - name: add same rule to the existing group  (expected changed=false)
@@ -464,6 +466,7 @@
           - result.ip_permissions|length == 2
           - result.ip_permissions[0].user_id_group_pairs or
             result.ip_permissions[1].user_id_group_pairs
+          - 'result.ip_permissions_egress[0].ip_protocol == "-1"'
 
     # ============================================================
     - name: test ip rules convert port numbers from string to int (expected changed=true)
@@ -489,6 +492,9 @@
         that:
            - 'result.changed'
            - 'result.group_id.startswith("sg-")'
+           - 'result.ip_permissions|length == 1'
+           - 'result.ip_permissions_egress[0].ip_protocol == "tcp"'
+
 
     # ============================================================
     - name: test group rules convert port numbers from string to int (expected changed=true)