Amazon Web Services: EC2 - Security Groups

Summary

This module contains actions for viewing & managing EC2 security groups.

Actions

aws.ec2.security_groups.create

Create a new security group.

Minimum Plugin Version: 2.0.0

Idempotent Action

This action will do nothing if a security group already exists with the same name.

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • name: the new security group name

  • description: a description for the new security group

  • vpc_id: the VPC ID to create the group in (defaults to the region's default VPC)

Output
  • true if the security group was created
  • false if a security group with the same name already exists
Example

- aws.ec2.security_groups.create:
    region_name: eu-west-2
    name: LDAPS
    description: LDAPS access over port 636 for Domain Controllers
  load:
    aws_client: aws_secrets

aws.ec2.security_groups.create_inbound_rule

Create an inbound rule in a security group.

Minimum Plugin Version: 2.0.0

Idempotent Action

This action will do nothing if a matching inbound rule already exists in the security group.

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • group_id: the ID of the security group

  • protocol: the inbound rule protocol (tcp, udp, or -1 for any)

  • from_port: the start of the rule port range

  • to_port: the end of the rule port range

  • cidr: the CIDR address for permitted traffic

  • rule_description: a description for the rule (defaults to empty)

Output
  • true if the inbound rule was created
  • false if a matching inbound rule already exists
Example

- aws.ec2.security_groups.create_inbound_rule:
    region_name: eu-west-2
    group_id: sg-04cd36d28fe84e079
    protocol: tcp
    from_port: 22
    to_port: 22
    cidr: 1.2.3.4/5
    rule_description: SSH Access from Corporate Office
  load:
    aws_client: aws_secrets
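An added example, not from the plugin's own documentation, chaining create, get_by_name and create_inbound_rule into one idempotent provisioning task for the LDAPS group shown above. The CIDR 10.0.0.0/16 and the rule description are constructed placeholders; group_id is filled from the saved group via load, as in the delete example on this page.

```yaml
# Added example: idempotently provision the LDAPS group end to end.
# 10.0.0.0/16 is a constructed placeholder for the domain controller network.
- aws.ec2.security_groups.create:
    region_name: eu-west-2
    name: LDAPS
    description: LDAPS access over port 636 for Domain Controllers
  load:
    aws_client: aws_secrets

# create returns false when the group already exists, so look the group up
# by name afterwards instead of relying on the create output.
- aws.ec2.security_groups.get_by_name:
    region_name: eu-west-2
    name: LDAPS
  load:
    aws_client: aws_secrets
  save: ldaps_group

# create_inbound_rule is idempotent too, so re-running the whole task is safe
# and the rule stays scoped to a single port and a single internal range.
- aws.ec2.security_groups.create_inbound_rule:
    region_name: eu-west-2
    group_id:
    protocol: tcp
    from_port: 636
    to_port: 636
    cidr: 10.0.0.0/16
    rule_description: LDAPS from the domain controller network
  load:
    group_id: ldaps_group.group_id
    aws_client: aws_secrets
```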

aws.ec2.security_groups.delete

Delete a security group.

Minimum Plugin Version: 2.0.0

Idempotent Action

This action will do nothing if the supplied group doesn't exist.

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • group_id: the ID of the group to delete

Output
  • true if the security group was deleted
  • false if it does not exist
Example

Finding a group with get_by_name, saving it as group, & deleting it:

- aws.ec2.security_groups.get_by_name:
    region_name: eu-west-2
    name: Redis Access (retired)
  load:
    aws_client: aws_secrets
  save: group

- aws.ec2.security_groups.delete:
    region_name: eu-west-2
    group_id:
  load:
    group_id: group.group_id
    aws_client: aws_secrets

aws.ec2.security_groups.get_all

Get all security groups.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_all:
    region_name: eu-west-2
  load:
    aws_client: aws_secrets
  save: all_security_groups

aws.ec2.security_groups.get_by_id

Get a security group with a specific group ID.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • group_id: the security group ID to search for

Output

A single SecurityGroup dictionary.

Example

- aws.ec2.security_groups.get_by_id:
    region_name: eu-west-2
    group_id: sg-04cd36d28fe84e079
  load:
    aws_client: aws_secrets
  save: security_group

aws.ec2.security_groups.get_by_inbound_cidr

Get all security groups that have inbound rules for the supplied CIDR address.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • cidr: the source CIDR address

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_by_inbound_cidr:
    region_name: eu-west-2
    cidr: 1.2.3.4/5
  load:
    aws_client: aws_secrets
  save: public_access_groups
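An added example, not from the plugin's own documentation, that uses get_by_inbound_cidr as an audit: it lists every group in one VPC whose inbound rules accept traffic from anywhere (0.0.0.0/0) and hands the result to output_table for review. The VPC ID is a constructed placeholder.

```yaml
# Added example: audit security groups open to the whole internet.
# vpc-0123456789abcdef0 is a constructed placeholder VPC ID.
- aws.ec2.security_groups.get_by_inbound_cidr:
    region_name: eu-west-2
    cidr: 0.0.0.0/0
    vpc_id: vpc-0123456789abcdef0
  load:
    aws_client: aws_secrets
  save: world_open_groups

# Show name, ID, rule counts and VPC for each match so the operator can
# decide which rules to tighten or remove.
- aws.ec2.security_groups.output_table:
    text: Security groups accepting inbound traffic from 0.0.0.0/0
  load:
    groups: world_open_groups
```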

aws.ec2.security_groups.get_by_inbound_port

Get all security groups that have inbound rules for the supplied port.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • port: the inbound port

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_by_inbound_port:
    region_name: eu-west-2
    port: 22
  load:
    aws_client: aws_secrets
  save: ssh_enabled_groups

aws.ec2.security_groups.get_by_inbound_protocol

Get all security groups that have inbound rules for the supplied protocol.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • protocol: the inbound rule protocol (tcp, udp, or -1 for any)

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_by_inbound_protocol:
    region_name: eu-west-2
    protocol: tcp
  load:
    aws_client: aws_secrets
  save: tcp_groups

aws.ec2.security_groups.get_by_name

Get a security group with a specific name.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • name: the security group name to search for

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A single SecurityGroup dictionary.

Example

- aws.ec2.security_groups.get_by_name:
    region_name: eu-west-2
    name: Ubuntu SSH Access
  load:
    aws_client: aws_secrets
  save: ubuntu_ssh_group

aws.ec2.security_groups.get_no_instance

Get all security groups that are not associated with an instance.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_no_instance:
    region_name: eu-west-2
  load:
    aws_client: aws_secrets
  save: groups_with_no_instance

aws.ec2.security_groups.get_no_network_interface

Get all security groups that are not associated with a network interface.

Minimum Plugin Version: 2.0.0

Input
  • aws_client: an AWSClient dictionary

  • region_name: the EC2 region name

  • vpc_id: the VPC ID to look in (defaults to all VPCs for the supplied region)

Output

A list of SecurityGroup dictionaries.

Example

- aws.ec2.security_groups.get_no_network_interface:
    region_name: eu-west-2
  load:
    aws_client: aws_secrets
  save: groups_with_no_interface

aws.ec2.security_groups.input_table

Display a list of security groups in a table, & allow the task operator to make a selection.

The table will have the following columns:

  • Name
  • ID
  • Description
  • Inbound Rule Count
  • Outbound Rule Count
  • VPC ID

Minimum Plugin Version: 2.0.0

Input
  • text: the title of the table

  • groups: a list of SecurityGroup dictionaries to display in the table

  • minimum: the minimum number of acceptable selections

  • maximum: the maximum number of acceptable selections

Output

A list of SecurityGroup dictionaries.

Tip
  • If neither a minimum nor a maximum is provided, the task operator will be able to submit 0 selections.

  • If a minimum or maximum is provided, the operation will repeat until a valid number of selections is made.

Example

Finding security groups with get_all, saving them as groups, & waiting for a single selection:

- aws.ec2.security_groups.get_all:
    region_name: eu-west-2
  load:
    aws_client: aws_secrets
  save: groups

- aws.ec2.security_groups.input_table:
    text: Choose a security group
    minimum: 1
    maximum: 1
  load:
    groups: groups
  save: selected_group

aws.ec2.security_groups.output_inbound_rule_table

Display the inbound rules for a security group in a table.

The table will have the following columns:

  • Protocol
  • From Port
  • To Port
  • Allowed IPv4 CIDR
  • Description

Minimum Plugin Version: 2.0.0

Input
  • text: the title of the table

  • group: a single SecurityGroup dictionary

Output

Nothing is output by this action.

Example

Finding a security group with get_by_name, saving it as group, & displaying the inbound rules:

- aws.ec2.security_groups.get_by_name:
    region_name: eu-west-2
    name: SSH
  load:
    aws_client: aws_secrets
  save: group

- aws.ec2.security_groups.output_inbound_rule_table:
    text: Inbound Rules for {{ group.name }}
  load:
    group: group

aws.ec2.security_groups.output_table

Display a list of security groups in a table.

The table will have the following columns:

  • Name
  • ID
  • Description
  • Inbound Rule Count
  • Outbound Rule Count
  • VPC ID

Minimum Plugin Version: 2.0.0

Input
  • text: the title of the table

  • groups: a single SecurityGroup dictionary, or a list of them

Output

Nothing is output by this action.

Single Group

Finding a security group with get_by_name, saving it as group, & displaying it:

- aws.ec2.security_groups.get_by_name:
    region_name: eu-west-2
    name: SSH Access
  load:
    aws_client: aws_secrets
  save: group

- aws.ec2.security_groups.output_table:
    text: {{ group.name }}
  load:
    groups: group

Multiple Groups

Finding all security groups with get_all, saving them as groups, & displaying them:

- aws.ec2.security_groups.get_all:
    region_name: eu-west-2
  load:
    aws_client: aws_secrets
  save: groups

- aws.ec2.security_groups.output_table:
    text: All Security Groups
  load:
    groups: groups