summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
-rwxr-xr-x[-rw-r--r--]inventory/aws/ec2.py10
-rw-r--r--roles/os_firewall/tasks/firewall/firewalld.yml45
-rw-r--r--roles/os_firewall/tasks/firewall/iptables.yml33
3 files changed, 54 insertions, 34 deletions
diff --git a/inventory/aws/ec2.py b/inventory/aws/ec2.py
index f4e029553..1a863d8a8 100644..100755
--- a/inventory/aws/ec2.py
+++ b/inventory/aws/ec2.py
@@ -215,8 +215,14 @@ class Ec2Inventory(object):
# Destination addresses
self.destination_variable = config.get('ec2', 'destination_variable')
self.vpc_destination_variable = config.get('ec2', 'vpc_destination_variable')
- self.destination_format = config.get('ec2', 'destination_format')
- self.destination_format_tags = config.get('ec2', 'destination_format_tags', '').split(',')
+
+ if config.has_option('ec2', 'destination_format') and \
+ config.has_option('ec2', 'destination_format_tags'):
+ self.destination_format = config.get('ec2', 'destination_format')
+ self.destination_format_tags = config.get('ec2', 'destination_format_tags').split(',')
+ else:
+ self.destination_format = None
+ self.destination_format_tags = None
# Route53
self.route53_enabled = config.getboolean('ec2', 'route53')
diff --git a/roles/os_firewall/tasks/firewall/firewalld.yml b/roles/os_firewall/tasks/firewall/firewalld.yml
index f6d5fe2eb..469cfab6f 100644
--- a/roles/os_firewall/tasks/firewall/firewalld.yml
+++ b/roles/os_firewall/tasks/firewall/firewalld.yml
@@ -4,6 +4,22 @@
name: firewalld
state: present
+- name: Check if iptables-services is installed
+ command: rpm -q iptables-services
+ register: pkg_check
+ failed_when: pkg_check.rc > 1
+ changed_when: no
+
+- name: Ensure iptables services are not enabled
+ service:
+ name: "{{ item }}"
+ state: stopped
+ enabled: no
+ with_items:
+ - iptables
+ - ip6tables
+ when: pkg_check.rc == 0
+
- name: Start and enable firewalld service
service:
name: firewalld
@@ -15,23 +31,14 @@
pause: seconds=10
when: result | changed
-- name: Ensure iptables services are not enabled
- service:
- name: "{{ item }}"
- state: stopped
- enabled: no
- with_items:
- - iptables
- - ip6tables
-
- name: Mask iptables services
command: systemctl mask "{{ item }}"
register: result
- failed_when: result.rc != 0
- changed_when: False
+ changed_when: "'iptables' in result.stdout"
with_items:
- iptables
- ip6tables
+ when: pkg_check.rc == 0
# TODO: Ansible 1.9 will eliminate the need for separate firewalld tasks for
# enabling rules and making them permanent with the immediate flag
@@ -40,29 +47,29 @@
port: "{{ item.port }}"
permanent: false
state: enabled
- with_items: allow
- when: allow is defined
+ with_items: os_firewall_allow
+ when: os_firewall_allow is defined
- name: Persist firewalld allow rules
firewalld:
port: "{{ item.port }}"
permanent: true
state: enabled
- with_items: allow
- when: allow is defined
+ with_items: os_firewall_allow
+ when: os_firewall_allow is defined
- name: Remove firewalld allow rules
firewalld:
port: "{{ item.port }}"
permanent: false
state: disabled
- with_items: deny
- when: deny is defined
+ with_items: os_firewall_deny
+ when: os_firewall_deny is defined
- name: Persist removal of firewalld allow rules
firewalld:
port: "{{ item.port }}"
permanent: true
state: disabled
- with_items: deny
- when: deny is defined
+ with_items: os_firewall_deny
+ when: os_firewall_deny is defined
diff --git a/roles/os_firewall/tasks/firewall/iptables.yml b/roles/os_firewall/tasks/firewall/iptables.yml
index 24c87d5e3..87e77c083 100644
--- a/roles/os_firewall/tasks/firewall/iptables.yml
+++ b/roles/os_firewall/tasks/firewall/iptables.yml
@@ -7,6 +7,19 @@
- iptables
- iptables-services
+- name: Check if firewalld is installed
+ command: rpm -q firewalld
+ register: pkg_check
+ failed_when: pkg_check.rc > 1
+ changed_when: no
+
+- name: Ensure firewalld service is not enabled
+ service:
+ name: firewalld
+ state: stopped
+ enabled: no
+ when: pkg_check.rc == 0
+
- name: Start and enable iptables services
service:
name: "{{ item }}"
@@ -21,18 +34,12 @@
pause: seconds=10
when: result | changed
-- name: Ensure firewalld service is not enabled
- service:
- name: firewalld
- state: stopped
- enabled: no
-
+# TODO: submit PR upstream to add mask/unmask to service module
- name: Mask firewalld service
command: systemctl mask firewalld
register: result
- failed_when: result.rc != 0
- changed_when: False
- ignore_errors: yes
+ changed_when: "'firewalld' in result.stdout"
+ when: pkg_check.rc == 0
- name: Add iptables allow rules
os_firewall_manage_iptables:
@@ -40,8 +47,8 @@
action: add
protocol: "{{ item.port.split('/')[1] }}"
port: "{{ item.port.split('/')[0] }}"
- with_items: allow
- when: allow is defined
+ with_items: os_firewall_allow
+ when: os_firewall_allow is defined
- name: Remove iptables rules
os_firewall_manage_iptables:
@@ -49,5 +56,5 @@
action: remove
protocol: "{{ item.port.split('/')[1] }}"
port: "{{ item.port.split('/')[0] }}"
- with_items: deny
- when: deny is defined
+ with_items: os_firewall_deny
+ when: os_firewall_deny is defined