Add Security Group Rule

This task allows the user add an inbound TCP rule to an existing Security Group in AWS.

It requires an AWS API key that has permissions to read & update security groups in EC2.

Playbook Files

# The task was built to work with these plugin versions.
plugins:
  aws: ~3.4
  ppa: ~6
  ppa_tools: ~6
  hashicorp_vault: ~5


# Steps allow you to group actions together into named sub-tasks.
steps:
  - name: Introduction
    actions:
      - ppa.ui.output_markdown:
          doc: >
            {{ globals.icons.aws.full }}


            ### Add Security Group Inbound TCP Rule


            Use this task to add an inbound TCP rule to an existing Security Group in AWS.


            You will need to:

            - Select an EC2 region and Security Group

            - Select a destination port

            - Provide a valid CIDR address to allow

            - Provide a rule description

      - ppa.ui.input_accept:
          text: Start


  - name: Get AWS Secrets
    actions:
      - hashicorp_vault.key_value.read_secret_keys:
          secret: aws
          keys:
            - name: aws_access_key_id
            - name: aws_secret_access_key
              sensitive: true
          create_missing: true
        save: aws_secrets


  - name: Get region
    actions:

      - aws.ec2.regions.select:
          text: Select an EC2 Region
        save: region


  - name: Find security groups
    actions:

      - ppa.ui.output_progress:
          text: Finding all Security Groups...
          element_id: get_groups

      - aws.ec2.security_groups.get_all:
        load:
          region_name: region
          aws_client: aws_secrets
        save: groups

      - ppa_tools.dictionaries.filter_from_list:
          # Remove any "default" security groups
          filters:
            - key: name
              type: equal
              value: default
        load:
          dictionaries: groups
        save: groups

      - ppa.ui.output_progress:
          text: Found {{ groups | length }} Security Groups
          percent: 100
          element_id: get_groups


  - name: Exit If No Security Groups
    when: not groups
    actions:

      - ppa.ui.output_info:
          text: No non-default security groups were found in region {{ region }}.

      - exit:
          exit_code: 0


  - name: Configure New Rule
    actions:

      - aws.ec2.security_groups.input_table:
          text: Select a Security Group
          minimum: 1
          maximum: 1
        load:
          groups: groups
        save: chosen_group

      - aws.ec2.security_groups.output_inbound_rule_table:
          text: Current Inbound Rules
        load:
          group: chosen_group[0]

      - ppa.ui.input_confirm:
          text: Do you want to create a new rule or exit?
          confirm: Create
          cancel: Exit
        save: confirm_create


  - name: Exit
    when: not confirm_create
    actions:

      - exit:
          exit_code: 0


  - name: Create rule
    when: confirm_create
    until: rule_confirmed
    actions:
      - ppa.ui.input_choice:
          text: Select a Port
          options:
            HTTP (80):
              order: 1
              value: 80
            HTTPS (443):
              order: 2
              value: 443
            LDAP (389):
              order: 3
              value: 389
            LDAPS (636):
              order: 4
              value: 636
            RDP (3389):
              order: 5
              value: 3389
            SSH (22):
              order: 6
              value: 22
          element_id: input_port
        save: port

      - ppa.ui.input_ipv4_cidr:
          text: Supply an IPv4 CIDR
          element_id: input_address
        save: cidr

      - ppa.ui.input_text:
          text: Supply a Rule Description
          required: true
          element_id: input_description
        save: rule_description

      - ppa.ui.output_markdown:
          doc: >
            ### New Inbound Rule

            __Security Group:__ {{ chosen_group.0.name }}

            __Protocol:__ TCP

            __Port:__ {{ port }}

            __Allowed CIDR:__ {{ cidr }}

            __Rule Description:__ {{ rule_description }}
          element_id: rule_summary

      - ppa.ui.input_confirm:
          text: Create Inbound Rule or Start Over?
          confirm: Create Rule
          cancel: Start Over
          element_id: input_confirm
        save: rule_confirmed


  - name: Create Rule
    actions:

      - ppa.ui.output_progress:
          text: Creating new Security Group inbound rule...
          element_id: create_rule

      - aws.ec2.security_groups.create_inbound_rule:
          protocol: tcp
        load:
          region_name: region
          group_id: chosen_group.0.group_id
          from_port: port
          to_port: port
          rule_description: rule_description
          cidr: cidr
          aws_client: aws_secrets

      - ppa.ui.output_progress:
          text: Created new Security Group inbound rule
          percent: 100
          element_id: create_rule

      - ppa.ui.input_confirm:
          text: View Updated Rules?
        save: view_updated_rules


  - name: View Updated Rules
    when: view_updated_rules
    actions:

      - aws.ec2.security_groups.get_by_name:
        load:
          region_name: region
          name: chosen_group.0.name
          aws_client: aws_secrets
        save: updated_group

      - aws.ec2.security_groups.output_inbound_rule_table:
          text: Updated Inbound Rules
        load:
          group: updated_group

Running this Playbook

Click download playbook
Import the downloaded file via the Playbooks page on PPA
Build the playbook from the Edit & Build tab
Run the playbook from the Preview & Deploy tab

* Requires PPA v2.9.x or newer

Integrations

PPA User Interface & Events
Hashicorp Vault Key-Value engine
AWS EC2 Security Groups

Required Vault Details

AWS

Access key ID
Secret access key

The key must have permissions to read & update security groups in EC2.

Vault Configuration Wizard

The first time you run a task built from this playbook, PPA will check the required Vault details exist.

If they don't exist, PPA will ask you to supply the details at the start of the task.

Below you can see a user providing details the first time they run an Active Directory task.

vault-config-wizard

Once the details are added to Vault, the task won't ask for them again.

If you don't know the required details, ask an administrator to run the task or configure Vault manually.

What the Task Does

Once started this task will:

Ask user to provide AWS access credentials
Ask user to select an EC2 region and Security Group
Show details of the existing security rules
Ask user if they want to create a new rule or exit
Ask user to provide details for the new security rule
Create the new inbound TCP rule
Show details of the updated security rules

See our other playbooks

Get PPA for free!

Start automating your estate with a free 30 day trial today. No signup required!

Get PPA Express

Documentation

Installation Guide
See how easy it is to get started with our installation guide
Playbooks
View our task writing reference guide
Plugins
See how to integrate with different systems using our plugins reference guide.