redhat-cop · hakbailey · Dec 5, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
diff --git a/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml b/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- ec2_networking_resources - Add optional networking resources and ability to delete resources created by role. (https://github.com/redhat-cop/cloud.aws_ops/pull/126)
diff --git a/roles/ec2_networking_resources/README.md b/roles/ec2_networking_resources/README.md
@@ -26,24 +26,34 @@ An AWS account with the following permissions:
 Role Variables
 --------------
 
-* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create.
-* **ec2_networking_resources_vpc_cidr_block**: (Required) The CIDR block to use for the VPC being created.
-* **ec2_networking_resources_subnet_cidr_block**: (Required) The CIDR block to use for subnet being created.
-* **ec2_networking_resources_sg_internal_name**: (Required) The name of the security group to create.
-* **ec2_networking_resources_sg_internal_description**: (Required) The description of the security group being created.
-* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys:
+* **ec2_networking_resources_operation**: (Optional) Target operation for the networking resources role. Choices are ["create", "delete"]. Defaults to "create".
+* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create or delete.
+* **ec2_networking_resources_vpc_cidr_block**: (Optional) The CIDR block to use for the VPC being created. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_subnet_cidr_block**: (Optional) The CIDR block to use for subnet being created. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_sg_internal_name**: (Optional) The name of the internal security group to create. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_sg_internal_description**: (Optional) The description of the internal security group being created. Defaults to "Security group for internal access".
+* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the internal security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys:
     * **proto** (str): The IP protocol name.
     * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010.
     * **cidr_ip** (str): The CIDR block traffic is coming from.
+* **ec2_networking_resources_sg_external_name**: (Optional) The name of the external security group to create.
+* **ec2_networking_resources_sg_external_description**: (Optional) The description of the external security group being created. Defaults to "Security group for external access". Ignored if ec2_networking_resources_sg_external_name is not provided.
+* **ec2_networking_resources_sg_external_rules**: (Optional) List of rules to apply to the external security group being created. By default, allows all inbound http and https traffic. Ignored if ec2_networking_resources_sg_external_name is not provided. A rule should contain the following keys:
+    * **proto** (str): The IP protocol name.
+    * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010.
+    * **cidr_ip** (str): The CIDR block traffic is coming from.
+* **ec2_networking_resources_create_igw**: (Optional) Whether to create an internet gateway and route traffic to it. Defaults to `false`.
 
 Dependencies
 ------------
 
 - role: [aws_setup_credentials](../aws_setup_credentials/README.md)
 
-Example Playbook
+Examples
 ----------------
 
+Create networking resources:
+
 ```yaml
 - hosts: localhost
   roles:
@@ -52,7 +62,7 @@ Example Playbook
         ec2_networking_resources_vpc_name: my-vpn
         ec2_networking_resources_vpc_cidr_block: 10.0.1.0/16
         ec2_networking_resources_subnet_cidr_block: 10.0.1.0/26
-        ec2_networking_resources_sg_internal_name: my-sg
+        ec2_networking_resources_sg_internal_name: my-internal-sg
         ec2_networking_resources_sg_internal_description: My internal security group
         ec2_networking_resources_sg_internal_rules:
           - proto: tcp
@@ -61,6 +71,27 @@ Example Playbook
           - ports: tcp
             ports: 8000-8010
             cidr_ip: 10.0.1.0/16
+        ec2_networking_resources_sg_external_name: my-external-sg
+        ec2_networking_resources_sg_external_description: My external security group
+        ec2_networking_resources_sg_external_rules:
+          - proto: tcp
+            ports: 80
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            ports: 443
+            cidr_ip: 0.0.0.0/0
+        ec2_networking_resources_create_igw: true
+```
+
+Delete networking resources:
+
+```yaml
+- hosts: localhost
+  roles:
+    - role: cloud.aws_ops.ec2_networking_resources
+      vars:
+        ec2_networking_resources_operation: delete
+        ec2_networking_resources_vpc_name: my-vpn
 ```
 
 License

diff --git a/roles/ec2_networking_resources/defaults/main.yml b/roles/ec2_networking_resources/defaults/main.yml
@@ -1,5 +1,17 @@
 ---
+ec2_networking_resources_operation: create
+ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}"
+ec2_networking_resources_sg_internal_description: Security group for internal access
 ec2_networking_resources_sg_internal_rules:
   - proto: tcp
     ports: 22
     cidr_ip: "{{ ec2_networking_resources_vpc_cidr_block }}"
+ec2_networking_resources_sg_external_description: Security group for external access
+ec2_networking_resources_sg_external_rules:
+  - proto: tcp
+    ports: 80
+    cidr_ip: 0.0.0.0/0
+  - proto: tcp
+    ports: 443
+    cidr_ip: 0.0.0.0/0
+ec2_networking_resources_create_igw: false
diff --git a/roles/ec2_networking_resources/meta/argument_specs.yml b/roles/ec2_networking_resources/meta/argument_specs.yml
@@ -4,28 +4,36 @@ argument_specs:
     short_description: A role to create a basic networking environment for an EC2 instance.
     description:
       - A role to create a basic networking environment for an EC2 instance.
-      - Creates a VPC, subnet, route table and security groups.
+      - Creates a VPC, subnet, route table, security groups.
+      - Can optionally create an external security group and/or internet gateway to allow external access.
+      - Can also delete networking resources created by this role using the "delete" operation.
     options:
+      ec2_networking_resources_operation:
+        description:
+          - Whether to create or delete the resources.
+        choices: [create, delete]
+        default: create
       ec2_networking_resources_vpc_name:
         description:
-          - The name of the VPC to create.
+          - The name of the VPC to create or delete.
         required: true
       ec2_networking_resources_vpc_cidr_block:
         description:
-          - The CIDR block for the VPC being created.
-        required: true
+          - The CIDR block for the VPC being created. Required when creating resources.
+        required: false
       ec2_networking_resources_subnet_cidr_block:
         description:
-          - The CIDR block for the subnet being created.
-        required: true
+          - The CIDR block for the subnet being created. Required when creating resources.
+        required: false
       ec2_networking_resources_sg_internal_name:
         description:
-          - The name of the security group to create for internal access to the EC2 instance.
-        required: true
+          - The name of the security group to create for internal access to the EC2 instance. Required when creating resources.
+        required: false
       ec2_networking_resources_sg_internal_description:
         description:
           - The description of the security group for internal access to the EC2 instance.
-        required: true
+        required: false
+        default: Security group for internal access
       ec2_networking_resources_sg_internal_rules:
         description:
           - A list of security group rules to apply to the security group for internal access.
@@ -49,3 +57,43 @@ argument_specs:
             elements: str
           cidr_ip:
             description: The CIDR range traffic is coming from.
+      ec2_networking_resources_sg_external_name:
+        description:
+          - The name of the security group to create for external access to the EC2 instance.
+        required: false
+      ec2_networking_resources_sg_external_description:
+        description:
+          - The description of the security group for external access to the EC2 instance.
+        required: false
+        default: Security group for external access
+      ec2_networking_resources_sg_external_rules:
+        description:
+          - A list of security group rules to apply to the security group for external access.
+          - By default, will add rules to allow all HTTP and HTTPS traffic.
+        required: false
+        type: list
+        elements: dict
+        default:
+          - proto: tcp
+            ports: 80
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            ports: 443
+            cidr_ip: 0.0.0.0/0
+        options:
+          proto:
+            description: The IP protocol name.
+          ports:
+            description:
+              - A list of ports the traffic is going to.
+              - Elements can be a single port, or a range of ports (for example, 8000-8100).
+            type: list
+            elements: str
+          cidr_ip:
+            description: The CIDR range traffic is coming from.
+      ec2_networking_resources_create_igw:
+        description:
+          - Whether to create an internet gateway and route traffic to internet.
+        required: false
+        type: bool
+        default: false
diff --git a/roles/ec2_networking_resources/tasks/create.yml b/roles/ec2_networking_resources/tasks/create.yml
@@ -0,0 +1,80 @@
+---
+- name: Validate options
+  ansible.builtin.fail:
+    msg: "When creating resources, all of the following options must be provided: ec2_networking_resources_vpc_cidr_block, ec2_networking_resources_subnet_cidr_block, ec2_networking_resources_sg_internal_name"
+  when: ec2_networking_resources_vpc_cidr_block | default("", true) == "" or
+    ec2_networking_resources_subnet_cidr_block | default("", true) == "" or
+    ec2_networking_resources_sg_internal_name | default("", true) == ""
+
+- name: Create VPC
+  amazon.aws.ec2_vpc_net:
+    name: "{{ ec2_networking_resources_vpc_name }}"
+    cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}"
+  register: ec2_networking_resources_vpc_result
+
+- name: Set VPC ID
+  ansible.builtin.set_fact:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+
+- name: Create VPC subnet
+  amazon.aws.ec2_vpc_subnet:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+    cidr: "{{ ec2_networking_resources_subnet_cidr_block }}"
+  register: ec2_networking_resources_subnet_result
+
+- name: Set subnet ID
+  ansible.builtin.set_fact:
+    subnet_id: "{{ ec2_networking_resources_subnet_result.subnet.id }}"
+
+- name: Create custom route table for subnet
+  amazon.aws.ec2_vpc_route_table:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+    subnets:
+      - "{{ ec2_networking_resources_subnet_result.subnet.id }}"
+  register: ec2_networking_resources_route_table_result
+
+- name: Create security group for internal access
+  amazon.aws.ec2_security_group:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+    name: "{{ ec2_networking_resources_sg_internal_name }}"
+    description: "{{ ec2_networking_resources_sg_internal_description }}"
+    rules: "{{ ec2_networking_resources_sg_internal_rules }}"
+  register: ec2_networking_resources_internal_sg_result
+
+- name: Set internal security group ID
+  ansible.builtin.set_fact:
+    internal_sg_id: "{{ ec2_networking_resources_internal_sg_result.group_id }}"
+
+- name: Create security group for external access if provided
+  when: ec2_networking_resources_sg_external_name | default("", true) != ""
+  block:
+    - name: Create security group for external access
+      amazon.aws.ec2_security_group:
+        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+        name: "{{ ec2_networking_resources_sg_external_name }}"
+        description: "{{ ec2_networking_resources_sg_external_description }}"
+        rules: "{{ ec2_networking_resources_sg_external_rules }}"
+      register: ec2_networking_resources_external_sg_result
+
+    - name: Set external security group ID
+      ansible.builtin.set_fact:
+        external_sg_id: "{{ ec2_networking_resources_external_sg_result.group_id }}"
+
+- name: Create internet gateway and route traffic to it
+  when: ec2_networking_resources_create_igw is true
+  block:
+    - name: Create internet gateway
+      amazon.aws.ec2_vpc_igw:
+        state: present
+        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+      register: ec2_networking_resources_internet_gateway_result
+
+    - name: Update route table
+      amazon.aws.ec2_vpc_route_table:
+        state: present
+        lookup: id
+        route_table_id: "{{ ec2_networking_resources_route_table_result.route_table.id }}"
+        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+        routes:
+          - dest: "0.0.0.0/0"
+            gateway_id: "{{ ec2_networking_resources_internet_gateway_result.gateway_id }}"
diff --git a/roles/ec2_networking_resources/tasks/delete.yml b/roles/ec2_networking_resources/tasks/delete.yml
@@ -0,0 +1,61 @@
+---
+- name: Get VPC info
+  amazon.aws.ec2_vpc_net_info:
+    filters:
+      "tag:Name": "{{ ec2_networking_resources_vpc_name }}"
+  register: vpc_info
+
+- name: Set VPC ID
+  ansible.builtin.set_fact:
+    vpc_id: "{{ vpc_info.vpcs[0].vpc_id }}"
+
+- name: Get VPC security groups
+  amazon.aws.ec2_security_group_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_security_groups
+
+- name: Delete VPC security groups
+  amazon.aws.ec2_security_group:
+    state: absent
+    group_id: "{{ item.group_id }}"
+  loop: "{{ vpc_security_groups.security_groups }}"
+  when: item.group_name != "default"
+
+- name: Get VPC subnets
+  amazon.aws.ec2_vpc_subnet_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_subnets
+
+- name: Delete VPC subnets
+  amazon.aws.ec2_vpc_subnet:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+    cidr: "{{ item.cidr_block }}"
+  loop: "{{ vpc_subnets.subnets }}"
+
+- name: Delete VPC internet gateways
+  amazon.aws.ec2_vpc_igw:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+
+- name: Get VPC route tables
+  amazon.aws.ec2_vpc_route_table_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_route_tables
+
+- name: Delete VPC route tables
+  amazon.aws.ec2_vpc_route_table:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+    lookup: id
+    route_table_id: "{{ item.id }}"
+  loop: "{{ vpc_route_tables.route_tables }}"
+  when: item.associations | length == 0 or true not in item.associations | map(attribute='main')
+
+- name: Delete VPC
+  amazon.aws.ec2_vpc_net:
+    vpc_id: "{{ vpc_id }}"
+    state: absent
diff --git a/roles/ec2_networking_resources/tasks/main.yml b/roles/ec2_networking_resources/tasks/main.yml
@@ -3,27 +3,10 @@
   module_defaults:
     group/aws: "{{ aws_setup_credentials__output }}"
   block:
-    - name: Create VPC
-      amazon.aws.ec2_vpc_net:
-        name: "{{ ec2_networking_resources_vpc_name }}"
-        cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}"
-      register: ec2_networking_resources_vpc_result
+    - name: Include create operations
+      ansible.builtin.include_tasks: create.yml
+      when: ec2_networking_resources_operation == 'create'
 
-    - name: Create VPC subnet
-      amazon.aws.ec2_vpc_subnet:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        cidr: "{{ ec2_networking_resources_subnet_cidr_block }}"
-      register: ec2_networking_resources_subnet_result
-
-    - name: Create route table
-      amazon.aws.ec2_vpc_route_table:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        subnets:
-          - "{{ ec2_networking_resources_subnet_result.subnet.id }}"
-
-    - name: Create security group for internal access
-      amazon.aws.ec2_security_group:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        name: "{{ ec2_networking_resources_sg_internal_name }}"
-        description: "{{ ec2_networking_resources_sg_internal_description }}"
-        rules: "{{ ec2_networking_resources_sg_internal_rules }}"
+    - name: Include delete operations
+      ansible.builtin.include_tasks: delete.yml
+      when: ec2_networking_resources_operation == 'delete'
diff --git a/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml b/tests/integration/targets/test_ec2_networking_resources/defaults/main.yml
@@ -4,4 +4,5 @@ aws_security_token: "{{ security_token | default(omit) }}"
 vpc_name: "{{ resource_prefix }}-vpc"
 vpc_cidr_block: "10.0.1.0/24"
 subnet_cidr_block: "10.0.1.0/26"
-sg_name: "{{ resource_prefix }}-sg"
+internal_sg_name: "{{ resource_prefix }}-internal-sg"
+external_sg_name: "{{ resource_prefix }}-external-sg"
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- ec2_networking_resources - Add optional networking resources and ability to delete resources created by role. (https://github.com/redhat-cop/cloud.aws_ops/pull/126)