redhat-cop · hakbailey · Dec 5, 2024 · Dec 4, 2024 · Dec 4, 2024 · Dec 4, 2024
diff --git a/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml b/changelogs/fragments/2024-12-04_ec2_networking_role_add_options.yml
@@ -0,0 +1,2 @@
+minor_changes:
+- ec2_networking_resources - Add optional networking resources and ability to delete resources created by role. (https://github.com/redhat-cop/cloud.aws_ops/pull/126)
diff --git a/roles/ec2_networking_resources/README.md b/roles/ec2_networking_resources/README.md
@@ -26,24 +26,28 @@ An AWS account with the following permissions:
 Role Variables
 --------------
 
-* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create.
-* **ec2_networking_resources_vpc_cidr_block**: (Required) The CIDR block to use for the VPC being created.
-* **ec2_networking_resources_subnet_cidr_block**: (Required) The CIDR block to use for subnet being created.
-* **ec2_networking_resources_sg_internal_name**: (Required) The name of the security group to create.
-* **ec2_networking_resources_sg_internal_description**: (Required) The description of the security group being created.
-* **ec2_networking_resources_sg_internal_rules**: (Optional) List of rules to apply to the security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys:
-    * **proto** (str): The IP protocol name.
-    * **ports** (str): A list of ports traffic is going to. Can be a single port, or a range of ports, for example, 8000-8010.
-    * **cidr_ip** (str): The CIDR block traffic is coming from.
+* **ec2_networking_resources_operation**: (Optional) Target operation for the networking resources role. Choices are ["create", "delete"]. Defaults to "create".
+* **ec2_networking_resources_vpc_name**: (Required) The name of the VPC to create or delete.
+* **ec2_networking_resources_vpc_cidr_block**: (Optional) The CIDR block to use for the VPC being created. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_subnet_cidr_block**: (Optional) The CIDR block to use for subnet being created. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_sg_name**: (Optional) The name of the security group to create. Required if `ec2_networking_resources_operation` is "create".
+* **ec2_networking_resources_sg_description**: (Optional) The description of the security group being created. Defaults to "Security group for EC2 instance".
+* **ec2_networking_resources_sg_rules**: (Optional) List of rules to apply to the security group being created. By default, a rule allowing SSH access from within the VPC will be added. A rule should contain the following keys:
+  * **proto** (str): The IP protocol name.
+  * **ports** (list): A list of ports traffic is going to. Can be a single port or a range of ports, for example 8000-8010.
+  * **cidr_ip** (str): The CIDR block traffic is coming from.
+* **ec2_networking_resources_create_igw**: (Optional) Whether to create an internet gateway and route traffic to it. Defaults to `false`.
 
 Dependencies
 ------------
 
 - role: [aws_setup_credentials](../aws_setup_credentials/README.md)
 
-Example Playbook
+Examples
 ----------------
 
+Create networking resources with an internet gateway and allow HTTP/HTTPS traffic:
+
 ```yaml
 - hosts: localhost
   roles:
@@ -52,15 +56,30 @@ Example Playbook
         ec2_networking_resources_vpc_name: my-vpn
         ec2_networking_resources_vpc_cidr_block: 10.0.1.0/16
         ec2_networking_resources_subnet_cidr_block: 10.0.1.0/26
-        ec2_networking_resources_sg_internal_name: my-sg
-        ec2_networking_resources_sg_internal_description: My internal security group
-        ec2_networking_resources_sg_internal_rules:
+        ec2_networking_resources_sg_name: my-sg
+        ec2_networking_resources_sg_description: My security group
+        ec2_networking_resources_sg_rules:
           - proto: tcp
             ports: 22
             cidr_ip: 10.0.1.0/16
           - ports: tcp
-            ports: 8000-8010
-            cidr_ip: 10.0.1.0/16
+            ports: 80
+            cidr_ip: 0.0.0.0/0
+          - proto: tcp
+            ports: 443
+            cidr_ip: 0.0.0.0/0
+        ec2_networking_resources_create_igw: true
+```
+
+Delete networking resources:
+
+```yaml
+- hosts: localhost
+  roles:
+    - role: cloud.aws_ops.ec2_networking_resources
+      vars:
+        ec2_networking_resources_operation: delete
+        ec2_networking_resources_vpc_name: my-vpn
 ```
 
 License

diff --git a/roles/ec2_networking_resources/defaults/main.yml b/roles/ec2_networking_resources/defaults/main.yml
@@ -1,5 +1,9 @@
 ---
-ec2_networking_resources_sg_internal_rules:
+ec2_networking_resources_operation: create
+ec2_networking_resources_vpc_cidr_block: "{{ ec2_networking_resources_operation == 'delete' | ternary('', omit) }}"
+ec2_networking_resources_sg_description: Security group for EC2 instance
+ec2_networking_resources_sg_rules:
   - proto: tcp
     ports: 22
     cidr_ip: "{{ ec2_networking_resources_vpc_cidr_block }}"
+ec2_networking_resources_create_igw: false
diff --git a/roles/ec2_networking_resources/meta/argument_specs.yml b/roles/ec2_networking_resources/meta/argument_specs.yml
@@ -4,31 +4,39 @@ argument_specs:
     short_description: A role to create a basic networking environment for an EC2 instance.
     description:
       - A role to create a basic networking environment for an EC2 instance.
-      - Creates a VPC, subnet, route table and security groups.
+      - Creates a VPC, subnet, route table, and security group.
+      - Can optionally create an internet gateway.
+      - Can also delete networking resources created by this role using the "delete" operation.
     options:
+      ec2_networking_resources_operation:
+        description:
+          - Whether to create or delete the resources.
+        choices: [create, delete]
+        default: create
       ec2_networking_resources_vpc_name:
         description:
-          - The name of the VPC to create.
+          - The name of the VPC to create or delete.
         required: true
       ec2_networking_resources_vpc_cidr_block:
         description:
-          - The CIDR block for the VPC being created.
-        required: true
+          - The CIDR block for the VPC being created. Required when creating resources.
+        required: false
       ec2_networking_resources_subnet_cidr_block:
         description:
-          - The CIDR block for the subnet being created.
-        required: true
-      ec2_networking_resources_sg_internal_name:
+          - The CIDR block for the subnet being created. Required when creating resources.
+        required: false
+      ec2_networking_resources_sg_name:
         description:
-          - The name of the security group to create for internal access to the EC2 instance.
-        required: true
-      ec2_networking_resources_sg_internal_description:
+          - The name of the security group to create. Required when creating resources.
+        required: false
+      ec2_networking_resources_sg_description:
         description:
-          - The description of the security group for internal access to the EC2 instance.
-        required: true
-      ec2_networking_resources_sg_internal_rules:
+          - The description of the security group.
+        required: false
+        default: Security group for EC2 instance
+      ec2_networking_resources_sg_rules:
         description:
-          - A list of security group rules to apply to the security group for internal access.
+          - A list of security group rules to apply to the security group.
           - By default, will add a rule to allow SSH access from within the VPC created by the role.
         required: false
         type: list
@@ -49,3 +57,9 @@ argument_specs:
             elements: str
           cidr_ip:
             description: The CIDR range traffic is coming from.
+      ec2_networking_resources_create_igw:
+        description:
+          - Whether to create an internet gateway and route traffic to it.
+        required: false
+        type: bool
+        default: false
diff --git a/roles/ec2_networking_resources/tasks/create.yml b/roles/ec2_networking_resources/tasks/create.yml
@@ -0,0 +1,47 @@
+---
+- name: Validate options
+  ansible.builtin.fail:
+    msg: "When creating resources, all of the following options must be provided: ec2_networking_resources_vpc_cidr_block, ec2_networking_resources_subnet_cidr_block, ec2_networking_resources_sg_name"
+  when: ec2_networking_resources_vpc_cidr_block | default("", true) == "" or
+    ec2_networking_resources_subnet_cidr_block | default("", true) == "" or
+    ec2_networking_resources_sg_name | default("", true) == ""
+
+- name: Create VPC
+  amazon.aws.ec2_vpc_net:
+    name: "{{ ec2_networking_resources_vpc_name }}"
+    cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}"
+  register: ec2_networking_resources_vpc_result
+
+- name: Create VPC subnet
+  amazon.aws.ec2_vpc_subnet:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+    cidr: "{{ ec2_networking_resources_subnet_cidr_block }}"
+  register: ec2_networking_resources_subnet_result
+
+- name: Create security group
+  amazon.aws.ec2_security_group:
+    vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+    name: "{{ ec2_networking_resources_sg_name }}"
+    description: "{{ ec2_networking_resources_sg_description }}"
+    rules: "{{ ec2_networking_resources_sg_rules }}"
+  register: ec2_networking_resources_sg_result
+
+- name: Create internet gateway and route traffic to it
+  when: ec2_networking_resources_create_igw is true
+  block:
+    - name: Create internet gateway
+      amazon.aws.ec2_vpc_igw:
+        state: present
+        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+      register: ec2_networking_resources_internet_gateway_result
+
+    - name: Create route table
+      amazon.aws.ec2_vpc_route_table:
+        state: present
+        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
+        subnets:
+          - "{{ ec2_networking_resources_subnet_result.subnet.id }}"
+        routes:
+          - dest: "0.0.0.0/0"
+            gateway_id: "{{ ec2_networking_resources_internet_gateway_result.gateway_id }}"
+      register: ec2_networking_resources_route_table_result
diff --git a/roles/ec2_networking_resources/tasks/delete.yml b/roles/ec2_networking_resources/tasks/delete.yml
@@ -0,0 +1,61 @@
+---
+- name: Get VPC info
+  amazon.aws.ec2_vpc_net_info:
+    filters:
+      "tag:Name": "{{ ec2_networking_resources_vpc_name }}"
+  register: vpc_info
+
+- name: Set VPC ID
+  ansible.builtin.set_fact:
+    vpc_id: "{{ vpc_info.vpcs[0].vpc_id }}"
+
+- name: Get VPC security groups
+  amazon.aws.ec2_security_group_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_security_groups
+
+- name: Delete VPC security groups
+  amazon.aws.ec2_security_group:
+    state: absent
+    group_id: "{{ item.group_id }}"
+  loop: "{{ vpc_security_groups.security_groups }}"
+  when: item.group_name != "default"
+
+- name: Get VPC subnets
+  amazon.aws.ec2_vpc_subnet_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_subnets
+
+- name: Delete VPC subnets
+  amazon.aws.ec2_vpc_subnet:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+    cidr: "{{ item.cidr_block }}"
+  loop: "{{ vpc_subnets.subnets }}"
+
+- name: Delete VPC internet gateways
+  amazon.aws.ec2_vpc_igw:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+
+- name: Get VPC route tables
+  amazon.aws.ec2_vpc_route_table_info:
+    filters:
+      vpc-id: "{{ vpc_id }}"
+  register: vpc_route_tables
+
+- name: Delete VPC route tables
+  amazon.aws.ec2_vpc_route_table:
+    state: absent
+    vpc_id: "{{ vpc_id }}"
+    lookup: id
+    route_table_id: "{{ item.id }}"
+  loop: "{{ vpc_route_tables.route_tables }}"
+  when: item.associations | length == 0 or true not in item.associations | map(attribute='main')
+
+- name: Delete VPC
+  amazon.aws.ec2_vpc_net:
+    vpc_id: "{{ vpc_id }}"
+    state: absent
diff --git a/roles/ec2_networking_resources/tasks/main.yml b/roles/ec2_networking_resources/tasks/main.yml
@@ -3,27 +3,10 @@
   module_defaults:
     group/aws: "{{ aws_setup_credentials__output }}"
   block:
-    - name: Create VPC
-      amazon.aws.ec2_vpc_net:
-        name: "{{ ec2_networking_resources_vpc_name }}"
-        cidr_block: "{{ ec2_networking_resources_vpc_cidr_block }}"
-      register: ec2_networking_resources_vpc_result
+    - name: Include create operations
+      ansible.builtin.include_tasks: create.yml
+      when: ec2_networking_resources_operation == 'create'
 
-    - name: Create VPC subnet
-      amazon.aws.ec2_vpc_subnet:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        cidr: "{{ ec2_networking_resources_subnet_cidr_block }}"
-      register: ec2_networking_resources_subnet_result
-
-    - name: Create route table
-      amazon.aws.ec2_vpc_route_table:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        subnets:
-          - "{{ ec2_networking_resources_subnet_result.subnet.id }}"
-
-    - name: Create security group for internal access
-      amazon.aws.ec2_security_group:
-        vpc_id: "{{ ec2_networking_resources_vpc_result.vpc.id }}"
-        name: "{{ ec2_networking_resources_sg_internal_name }}"
-        description: "{{ ec2_networking_resources_sg_internal_description }}"
-        rules: "{{ ec2_networking_resources_sg_internal_rules }}"
+    - name: Include delete operations
+      ansible.builtin.include_tasks: delete.yml
+      when: ec2_networking_resources_operation == 'delete'
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		minor_changes:
		- ec2_networking_resources - Add optional networking resources and ability to delete resources created by role. (https://github.com/redhat-cop/cloud.aws_ops/pull/126)