glassresistor · May 17, 2017 22:10
diff --git a/vpc_nacl.yml b/vpc_nacl.yml
 ---
 - hosts: localhost
  connection: local
  gather_facts: no
  vars:
    region: us-west-2
    prefix: staging
    az: us-west-2c
  tasks:
    - name: create vpc
      ec2_vpc:
        region: "{{ region }}"
        cidr_block: 10.0.0.0/16
        resource_tags: '{"Name":"{{ prefix }}_vpc"}'
        subnets:
          - cidr: 10.0.0.0/24
            az: "{{ az }}"
            resource_tags: '{"Name":"{{ prefix }}_subnet_public"}'
          - cidr: 10.0.1.0/24
            az: "{{ az }}"
            resource_tags: '{"Name":"{{ prefix }}_subnet_private"}'
        internet_gateway: yes
        route_tables:
          - subnets:
              - 10.0.0.0/24
            routes:
              - dest: 0.0.0.0/0
                gw: igw
      register: vpc
    - name: write vpc id to {{ prefix }}_vpc_info file
      shell: echo "{{ prefix }}"_vpc":" "{{ vpc.vpc_id }}"
            > "{{ prefix }}"_vpc_info
    - name: write subnets id to {{ prefix }}_vpc_info file
      shell: echo "{{ item.resource_tags.Name }}"":" "{{ item.id }}"
            >> "{{ prefix }}"_vpc_info
      with_items: "{{ vpc.subnets }}"

    - name: "Create and associate production DMZ network ACL with DMZ subnets"
      ec2_vpc_nacl:
        vpc_id: "{{ vpc.vpc_id }}"
        name: "{{ prefix }}"-dmz-nacl
        region: "{{ region }}"
        subnets: ["{{ prefix }}_subnet_public", "{{ prefix }}_subnet_public"]
        tags:
          CostCode: CC1234
          Project: phoenix
          Description: production DMZ
        ingress: [
            # rule no, protocol, allow/deny, cidr, icmp_code, icmp_type,
            #                                             port from, port to
            [100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22],
            [200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80],
            [300, 'icmp', 'allow', '0.0.0.0/0', 0, 8],
        ]
        egress: [
            [100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
        ]
        state: 'present'
	---
	- hosts: localhost
	connection: local
	gather_facts: no
	vars:
	region: us-west-2
	prefix: staging
	az: us-west-2c
	tasks:
	- name: create vpc
	ec2_vpc:
	region: "{{ region }}"
	cidr_block: 10.0.0.0/16
	resource_tags: '{"Name":"{{ prefix }}_vpc"}'
	subnets:
	- cidr: 10.0.0.0/24
	az: "{{ az }}"
	resource_tags: '{"Name":"{{ prefix }}_subnet_public"}'
	- cidr: 10.0.1.0/24
	az: "{{ az }}"
	resource_tags: '{"Name":"{{ prefix }}_subnet_private"}'
	internet_gateway: yes
	route_tables:
	- subnets:
	- 10.0.0.0/24
	routes:
	- dest: 0.0.0.0/0
	gw: igw
	register: vpc
	- name: write vpc id to {{ prefix }}_vpc_info file
	shell: echo "{{ prefix }}"_vpc":" "{{ vpc.vpc_id }}"
	> "{{ prefix }}"_vpc_info
	- name: write subnets id to {{ prefix }}_vpc_info file
	shell: echo "{{ item.resource_tags.Name }}"":" "{{ item.id }}"
	>> "{{ prefix }}"_vpc_info
	with_items: "{{ vpc.subnets }}"

	- name: "Create and associate production DMZ network ACL with DMZ subnets"
	ec2_vpc_nacl:
	vpc_id: "{{ vpc.vpc_id }}"
	name: "{{ prefix }}"-dmz-nacl
	region: "{{ region }}"
	subnets: ["{{ prefix }}_subnet_public", "{{ prefix }}_subnet_public"]
	tags:
	CostCode: CC1234
	Project: phoenix
	Description: production DMZ
	ingress: [
	# rule no, protocol, allow/deny, cidr, icmp_code, icmp_type,
	# port from, port to
	[100, 'tcp', 'allow', '0.0.0.0/0', null, null, 22, 22],
	[200, 'tcp', 'allow', '0.0.0.0/0', null, null, 80, 80],
	[300, 'icmp', 'allow', '0.0.0.0/0', 0, 8],
	]
	egress: [
	[100, 'all', 'allow', '0.0.0.0/0', null, null, null, null]
	]
	state: 'present'