daniel-rhoades.aws-security-groups

aws-security-group-role

This is an Ansible role that makes it easier to create and remove EC2 Security Groups in an AWS account.

For more information on creating EC2 Security Groups using Ansible, check the official documentation here: Ansible EC2 Group Module.

Requirements

You need the latest Ansible EC2 modules and Boto installed. Also, you'll need to set up your Ansible environment to work with AWS. You can find more details here: Ansible Guide for AWS.

Role Variables

Defaults:

  • security_group_resource_tags: By default, this uses the security group's name.
  • ec2_inbound_group_state: Defaults to present for inbound security groups.
  • ec2_internal_inbound_group_state: Defaults to present for internal inbound security groups.
  • ec2_outbound_group_state: Defaults to present for outbound security groups.

Required Variables:

  • vpc_region: Specify the VPC region, e.g., eu-west-1.
  • vpc_id: Specify the VPC ID where you want to create security groups, e.g., vpc-xxxxxxxx.
  • ec2_group_inbound_sg: List of inbound security groups to create. See the example playbook below for more details.
  • ec2_group_internal_inbound_sg_file: Path to a file that defines ec2_group_internal_inbound_sg, the list of internal inbound security groups. It is included only after the inbound groups have been created, so its rules can reference their group IDs (see the example file below).
  • ec2_group_outbound_sg: List of outbound security groups to create. Refer to the example playbook for guidance.

Inbound security groups are for public-facing services, like a load balancer. Internal inbound security groups are for instances behind a load balancer or within the VPC. Outbound security groups allow services to communicate out from the network.

Outputs:

  • ec2_group_inbound_sg: The AWS EC2 Group created from the inbound variables.
  • ec2_group_internal_inbound_sg: The AWS EC2 Group created from the internal inbound variables.
  • ec2_group_outbound_sg: The AWS EC2 Group created from the outbound variables.

The role processes security groups in this order: inbound, internal inbound, and outbound. Because the inbound groups already exist when the internal inbound list is evaluated, an internal group can reference an inbound group's ID in its rules, for example to accept traffic only from the load balancer's security group rather than from a CIDR range.

Dependencies

No dependencies on other roles. However, a VPC must exist or be created before applying this role.

Example Playbook

Before using this role, install it with:

ansible-galaxy install daniel-rhoades.aws-security-group-role

The example playbook below provisions an EC2 Security Group in AWS. It checks if a matching one exists; if not, it creates a new one. It also creates a VPC for the security groups using the role: daniel-rhoades.aws-vpc.

- name: My System | Provision all required infrastructure
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    my_vpc_name: "my_example_vpc"
    my_vpc_region: "eu-west-1"
    my_vpc_cidr: "172.40.0.0/16"
    everywhere_cidr: "0.0.0.0/0"

    # Subnets within the VPC
    my_vpc_subnets:
      - cidr: "172.40.10.0/24"
        az: "{{ my_vpc_region }}a"
      - cidr: "172.40.20.0/24"
        az: "{{ my_vpc_region }}b"

    # Allow the subnets to connect to the outside world
    my_public_subnet_routes:
      - subnets:
          - "{{ my_vpc_subnets[0].cidr }}"
          - "{{ my_vpc_subnets[1].cidr }}"
        routes:
          - dest: "{{ everywhere_cidr }}"
            gw: igw

    # Inbound security groups for public services like a load balancer
    my_inbound_security_groups:
      - sg_name: inbound-web
        sg_description: allow http and https access (public)
        sg_rules:
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: "{{ everywhere_cidr }}"
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: "{{ everywhere_cidr }}"
      - sg_name: inbound-ssh
        sg_description: allow SSH access
        sg_rules:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ my_vpc_cidr }}"

    # Internal inbound security groups for services behind a load balancer
    my_internal_inbound_security_groups_file: "internal-securitygroups.yml"

    # Outbound rules for what services the web servers can access
    my_outbound_security_groups:
      - sg_name: outbound-all
        sg_description: allows outbound traffic to any IP
        sg_rules:
          - proto: all
            cidr_ip: "{{ everywhere_cidr }}"
        
  roles:
    # Create networking
    - {
        role: daniel-rhoades.aws-vpc,
        vpc_name: "{{ my_vpc_name }}",
        vpc_region: "{{ my_vpc_region }}",
        vpc_cidr_block: "{{ my_vpc_cidr }}",
        vpc_subnets: "{{ my_vpc_subnets }}",
        public_subnet_routes: "{{ my_public_subnet_routes }}"
      }

    # Create security groups
    - {
        role: daniel-rhoades.aws-security-groups,
        vpc_region: "{{ my_vpc_region }}",
        vpc_id: "{{ vpc.vpc_id }}",
        ec2_group_inbound_sg: "{{ my_inbound_security_groups }}",
        ec2_group_internal_inbound_sg_file: "{{ my_internal_inbound_security_groups_file }}",
        ec2_group_outbound_sg: "{{ my_outbound_security_groups }}"
      }

Example internal-securitygroups.yml:

ec2_group_internal_inbound_sg:
  - sg_name: inbound-web-internal
    sg_description: allow http and https access (from load balancer only)
    sg_rules:
      - proto: tcp
        from_port: 80
        to_port: 80
        group_id: "{{ ec2_group_inbound_sg.results[0].group_id }}"

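A pre-flight check for the variable format above, as an added example that is not part of the role: it lints an ec2_group_inbound_sg-style list for ports exposed to 0.0.0.0/0 beyond HTTP/HTTPS, and resolves an inbound group ID by sg_name from the registered results instead of the positional results[0] index used in the file above (the sample data and PUBLIC_OK_PORTS are assumptions).

```python
"""Pre-flight lint for the sg_name/sg_rules lists this role consumes (added example)."""
from ipaddress import ip_network

ANYWHERE = "0.0.0.0/0"
PUBLIC_OK_PORTS = {80, 443}  # assumption: only HTTP/HTTPS may face the internet

def rule_ports(rule):
    """(from, to) port range of a rule; proto 'all' or -1 spans every port."""
    if str(rule.get("proto", "")) in ("all", "-1"):
        return 0, 65535
    return int(rule["from_port"]), int(rule["to_port"])

def is_world_open(rule):
    """True when the rule's cidr_ip admits every IPv4 address."""
    cidr = rule.get("cidr_ip")
    return cidr is not None and ip_network(cidr, strict=False).prefixlen == 0

def lint_inbound(groups):
    """Return (sg_name, message) findings for an inbound (public-facing) list."""
    findings = []
    for sg in groups:
        for rule in sg.get("sg_rules", []):
            if "cidr_ip" not in rule and "group_id" not in rule:
                findings.append((sg["sg_name"], "rule has neither cidr_ip nor group_id"))
            elif is_world_open(rule):
                lo, hi = rule_ports(rule)
                if set(range(lo, hi + 1)) - PUBLIC_OK_PORTS:
                    findings.append((sg["sg_name"], f"{rule['proto']} {lo}-{hi} open to {ANYWHERE}"))
    return findings

def group_id_by_name(inbound_results, sg_name):
    """Resolve a group id from the registered ec2_group_inbound_sg.results by sg_name
    (Ansible echoes each loop item back as .item), instead of a brittle results[0] index."""
    for r in inbound_results:
        if r["item"]["sg_name"] == sg_name:
            return r["group_id"]
    raise KeyError(f"no inbound group named {sg_name}")

# Constructed sample: the README's inbound list plus one deliberately risky group.
INBOUND = [
    {"sg_name": "inbound-web", "sg_rules": [
        {"proto": "tcp", "from_port": 80, "to_port": 80, "cidr_ip": ANYWHERE},
        {"proto": "tcp", "from_port": 443, "to_port": 443, "cidr_ip": ANYWHERE}]},
    {"sg_name": "inbound-ssh", "sg_rules": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": "172.40.0.0/16"}]},
    {"sg_name": "inbound-admin", "sg_rules": [
        {"proto": "tcp", "from_port": 22, "to_port": 22, "cidr_ip": ANYWHERE}]},
]
# Constructed stand-in for the registered results; group ids are placeholders.
RESULTS = [{"item": sg, "group_id": f"sg-placeholder{i}"} for i, sg in enumerate(INBOUND)]
```

Running lint_inbound on the sample flags only inbound-admin, since SSH from 0.0.0.0/0 is outside the public allow-list while inbound-ssh stays restricted to the VPC CIDR.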
To Remove Groups:

- name: My System | Decommission all required infrastructure
  hosts: localhost
  connection: local
  gather_facts: no
  vars:
    my_vpc_name: "my_example_vpc"
    my_vpc_region: "eu-west-1"
    my_vpc_cidr: "172.40.0.0/16"
    everywhere_cidr: "0.0.0.0/0"

    # Subnets within the VPC
    my_vpc_subnets:
      - cidr: "172.40.10.0/24"
        az: "{{ my_vpc_region }}a"
      - cidr: "172.40.20.0/24"
        az: "{{ my_vpc_region }}b"

    # Allow subnets to access the outside world
    my_public_subnet_routes:
      - subnets:
          - "{{ my_vpc_subnets[0].cidr }}"
          - "{{ my_vpc_subnets[1].cidr }}"
        routes:
          - dest: "{{ everywhere_cidr }}"
            gw: igw

    # Inbound security groups for public services
    my_inbound_security_groups:
      - sg_name: inbound-web
        sg_description: allow http and https access (public)
        sg_rules:
          - proto: tcp
            from_port: 80
            to_port: 80
            cidr_ip: "{{ everywhere_cidr }}"
          - proto: tcp
            from_port: 443
            to_port: 443
            cidr_ip: "{{ everywhere_cidr }}"
      - sg_name: inbound-ssh
        sg_description: allow SSH access
        sg_rules:
          - proto: tcp
            from_port: 22
            to_port: 22
            cidr_ip: "{{ my_vpc_cidr }}"

    # Internal inbound security groups
    my_internal_inbound_security_groups_file: "internal-securitygroups.yml"

    # Outbound rules for web servers
    my_outbound_security_groups:
      - sg_name: outbound-all
        sg_description: allows outbound traffic to any IP
        sg_rules:
          - proto: all
            cidr_ip: "{{ everywhere_cidr }}"
    
  roles:
    # Create networking
    - {
        role: daniel-rhoades.aws-vpc,
        vpc_name: "{{ my_vpc_name }}",
        vpc_region: "{{ my_vpc_region }}",
        vpc_cidr_block: "{{ my_vpc_cidr }}",
        vpc_subnets: "{{ my_vpc_subnets }}",
        public_subnet_routes: "{{ my_public_subnet_routes }}"
      }

    # Remove security groups
    - {
        role: daniel-rhoades.aws-security-groups,
        vpc_region: "{{ my_vpc_region }}",
        vpc_id: "{{ vpc.vpc_id }}",
        ec2_group_inbound_sg: "{{ my_inbound_security_groups }}",
        ec2_group_internal_inbound_sg_file: "{{ my_internal_inbound_security_groups_file }}",
        ec2_group_outbound_sg: "{{ my_outbound_security_groups }}",
        
        ec2_inbound_group_state: "absent",
        ec2_internal_inbound_group_state: "absent",
        ec2_outbound_group_state: "absent"
      }

License

MIT

Author Information

Daniel Rhoades (GitHub)

About the project

Ansible role for simplifying the provisioning and decommissioning of EC2 Security Groups within an AWS account

Install
ansible-galaxy install daniel-rhoades.aws-security-groups
License
MIT
Downloads
146
Owner
Strategist, Technologist and Engineer