Merge pull request #44 from mandar242/vpc_peering

role: add manage_vpc_peering role
redhat-cop · Jul 11, 2023 · 419e0d3 · 419e0d3
2 parents 86c3135 + 27366c8
commit 419e0d3
Show file tree

Hide file tree

Showing 12 changed files with 330 additions and 0 deletions.
diff --git a/README.md b/README.md
@@ -23,6 +23,7 @@ Name | Description
 [cloud.aws_ops.customized_ami](https://github.com/ansible-collections/cloud.aws_ops/blob/main/roles/customized_ami/README.md)|A role to manage custom AMIs on AWS.
 [cloud.aws_ops.ec2_instance_terminate_by_tag](https://github.com/ansible-collections/cloud.aws_ops/blob/main/roles/ec2_instance_terminate_by_tag/README.md)|A role to terminate the EC2 instances based on a specific tag you specify.
 [cloud.aws_ops.enable_cloudtrail_encryption_with_kms](https://github.com/ansible-collections/cloud.aws_ops/blob/main/roles/enable_cloudtrail_encryption_with_kms/README.md)|A role to encrypt an AWS CloudTrail trail using the AWS Key Management Service (AWS KMS) customer managed key you specify.
+[cloud.aws_ops.manage_vpc_peering](https://github.com/ansible-collections/cloud.aws_ops/blob/main/roles/manage_vpc_peering/README.md)|A role to create, delete and accept existing VPC peering connections.
 
 
 ### Playbooks

diff --git a/roles/manage_vpc_peering/README.md b/roles/manage_vpc_peering/README.md
@@ -0,0 +1,111 @@
+# manage_vpc_peering
+
+A role to create, delete and accept existing VPC peering connections.
+
+## Specify following values in role vars
+
+- region - Region of the requester VPC.
+
+- requester_vpc - ID of the VPC requesting the peering connection.
+
+- accepter_vpc - ID of the VPC accepting the peering connection.
+
+- accepter_vpc_region - Region of the accepter VPC (Required if requester and accepter VPCs are in different regions or performing cross-account peering.)
+
+- accepter_vpc_account_id - The AWS account ID of accepter VPC account for cross-account peering.
+
+- accepter_account_profile - A Named AWS profile of accepter VPC account for cross-account peering.
+
+- vpc_peering_operation - Choices include 'create', 'delete', and 'accept'.
+
+- vpc_peering_conn_id - ID of the VPC peering connection request (only provide to delete a VPC peering connection).
+
+Return Value
+------------
+On successful creation of peering connection request, the peering connection ID can be accessed using the variable `manage_vpc_peering_req_id` set during the role execution.
+
+Dependencies
+------------
+
+- role: [aws_setup_credentials](../aws_setup_credentials/README.md)
+
+## Example:
+```
+---
+- name: Playbook for managing VPC peering connections using cloud.aws_ops.manage_vpc_peering role
+  hosts: localhost
+  gather_facts: false
+  tasks:
+    - name: Peer VPCs in same account and region (local)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        requester_vpc: vpc-12345
+        accepter_vpc: vpc-98765
+        vpc_peering_operation: create
+
+    - name: Set variable for peering connection ID for above task
+      ansible.builtin.set_fact:
+        peering_id_1: "{{ manage_vpc_peering_req_id }}"
+
+    - name: Peer VPCs in same account and different region (local cross-region)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        requester_vpc: vpc-12345
+        accepter_vpc: vpc-98765
+        accepter_vpc_region: ap-northeast-3
+        vpc_peering_operation: create
+
+    - name: Peer VPCs in different accounts and different region (cross-account)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        requester_vpc: vpc-12345
+        accepter_vpc: vpc-98765
+        accepter_vpc_region: ap-northeast-3
+        accepter_vpc_account_id: 1234567890
+        accepter_account_profile: my-account-profile
+        vpc_peering_operation: create
+
+    - name: Delete VPC peering request
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        vpc_peering_conn_id: pcx-1234567890
+        vpc_peering_operation: delete
+
+    - name: Accept existing VPC peering request (local account)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        vpc_peering_conn_id: pcx-1234567890
+        vpc_peering_operation: accept
+
+    - name: Accept existing VPC peering request (another account)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: us-west-1
+        vpc_peering_conn_id: pcx-1234567890
+        vpc_peering_operation: accept
+        accepter_vpc_account_id: 1234567890
+        accepter_account_profile: my-account-profile
+```
+
+License
+-------
+
+GNU General Public License v3.0 or later
+
+See [LICENCE](https://github.com/ansible-collections/cloud.aws_ops/blob/main/LICENSE) to see the full text.
+
+Author Information
+------------------
+
+- Ansible Cloud Content Team
diff --git a/roles/manage_vpc_peering/defaults/main.yaml b/roles/manage_vpc_peering/defaults/main.yaml
@@ -0,0 +1 @@
+---
diff --git a/roles/manage_vpc_peering/meta/main.yaml b/roles/manage_vpc_peering/meta/main.yaml
@@ -0,0 +1,3 @@
+---
+dependencies:
+  - role: cloud.aws_ops.aws_setup_credentials
diff --git a/roles/manage_vpc_peering/tasks/accept.yaml b/roles/manage_vpc_peering/tasks/accept.yaml
@@ -0,0 +1,27 @@
+---
+- name: Fail when required parameters are not provided
+  ansible.builtin.fail:
+    msg: Please provide required parameters to create VPC peering (refer documentation for more information)
+  when: region is not defined or vpc_peering_conn_id is not defined
+
+- name: Accept VPC peering connection request
+  block:
+    - name: Ensure VPC peering connection request exists before moving forward
+      community.aws.ec2_vpc_peering_info:
+        peer_connection_ids:
+          - "{{ vpc_peering_conn_id }}"
+        region: "{{ region }}"
+        profile: "{{ accepter_account_profile | default(omit) }}"
+      register: manage_vpc_peering_peering_info
+      retries: 3
+      delay: 5
+      until: manage_vpc_peering_peering_info.vpc_peering_connections[0].vpc_peering_connection_id is defined
+
+    - name: Accept VPC peering request
+      community.aws.ec2_vpc_peer:
+        region: "{{ region }}"
+        peering_id: "{{ vpc_peering_conn_id }}"
+        peer_owner_id: "{{ accepter_vpc_account_id | default(omit) }}"
+        profile: "{{ accepter_account_profile | default(omit) }}"
+        state: accept
+      register: manage_vpc_peering_accept_peering_request
diff --git a/roles/manage_vpc_peering/tasks/create.yaml b/roles/manage_vpc_peering/tasks/create.yaml
@@ -0,0 +1,50 @@
+---
+- name: Fail when required parameters are not provided
+  ansible.builtin.fail:
+    msg: Please provide required parameters to create VPC peering (refer documentation for more information)
+  when: region is not defined or requester_vpc is not defined or accepter_vpc is not defined
+
+- name: Create VPC peering
+  block:
+    - name: Create VPC peering request
+      community.aws.ec2_vpc_peer:
+        region: "{{ region }}"
+        peer_region: "{{ accepter_vpc_region | default(region, true) }}"
+        vpc_id: "{{ requester_vpc }}"
+        peer_vpc_id: "{{ accepter_vpc }}"
+        peer_owner_id: "{{ accepter_vpc_account_id | default(omit) }}"
+        state: present
+      register: manage_vpc_peering_vpc_peering_request
+
+    - name: Ensure VPC peering connection request exists before moving forward
+      community.aws.ec2_vpc_peering_info:
+        peer_connection_ids:
+          - "{{ manage_vpc_peering_vpc_peering_request.peering_id }}"
+        region: "{{ accepter_vpc_region | default(region, true) }}"
+        profile: "{{ accepter_account_profile | default(omit) }}"
+      register: manage_vpc_peering_peering_info
+      retries: 3
+      delay: 5
+      until: manage_vpc_peering_peering_info.vpc_peering_connections[0].vpc_peering_connection_id is defined
+
+    - name: Wait for peering request to be created
+      ansible.builtin.pause:
+        seconds: 5
+
+    - name: Accept VPC peering request
+      community.aws.ec2_vpc_peer:
+        region: "{{ accepter_vpc_region | default(region, true) }}"
+        peering_id: "{{ manage_vpc_peering_vpc_peering_request.peering_id }}"
+        peer_owner_id: "{{ accepter_vpc_account_id | default(omit) }}"
+        profile: "{{ accepter_account_profile | default(omit) }}"
+        state: accept
+      register: manage_vpc_peering_accept_peering_request
+
+    - name: Set fact for peering connection ID to use in playbook
+      ansible.builtin.set_fact:
+        manage_vpc_peering_req_id: "{{ manage_vpc_peering_vpc_peering_request.peering_id }}"
+
+    - name: Print peering connection request ID
+      ansible.builtin.debug:
+        msg:
+          - "Peering connection request ID: {{ manage_vpc_peering_req_id }}"
diff --git a/roles/manage_vpc_peering/tasks/delete.yaml b/roles/manage_vpc_peering/tasks/delete.yaml
@@ -0,0 +1,18 @@
+---
+- name: Fail when required parameters are not provided
+  ansible.builtin.fail:
+    msg: Please provide required parameters to delete VPC peering (refer documentation for more information)
+  when: region is not defined or vpc_peering_conn_id is not defined
+
+- name: Delete vpc peering connection request
+  block:
+    - name: Delete a local VPC peering connection
+      community.aws.ec2_vpc_peer:
+        region: "{{ region }}"
+        peering_id: "{{ vpc_peering_conn_id }}"
+        state: absent
+      register: manage_vpc_peering_vpc_peer
+
+    - name: Wait for VPC peering connection to be deleted
+      ansible.builtin.pause:
+        seconds: 5
diff --git a/roles/manage_vpc_peering/tasks/main.yaml b/roles/manage_vpc_peering/tasks/main.yaml
@@ -0,0 +1,8 @@
+---
+- name: Run 'manage_vpc_peering' role
+  module_defaults:
+    group/aws: "{{ aws_role_credentials }}"
+
+  block:
+    - name: Include file
+      ansible.builtin.include_tasks: "{{ vpc_peering_operation }}.yaml"
diff --git a/tests/integration/targets/test_manage_vpc_peering/defaults/main.yml b/tests/integration/targets/test_manage_vpc_peering/defaults/main.yml
@@ -0,0 +1,10 @@
+---
+# defaults file for manage_vpc_peering role
+
+test_vpc_name_1_1: role_test_vpc_1_1
+test_vpc_name_1_2: role_test_vpc_1_2
+test_vpc_name_2: role_test_vpc_2
+
+test_vpc_cidr_1_1: 172.10.0.0/16
+test_vpc_cidr_1_2: 192.168.0.0/28
+test_vpc_cidr_2_1: 192.168.64.0/26
diff --git a/tests/integration/targets/test_manage_vpc_peering/tasks/main.yml b/tests/integration/targets/test_manage_vpc_peering/tasks/main.yml
@@ -0,0 +1,53 @@
+---
+- name: Test 'manage_vpc_peering' role
+  module_defaults:
+    group/aws:
+      aws_access_key: "{{ aws_access_key }}"
+      aws_secret_key: "{{ aws_secret_key }}"
+      security_token: "{{ security_token | default(omit) }}"
+      region: "{{ aws_region }}"
+
+  block:
+    - name: Include 'setup.yml' file
+      ansible.builtin.include_tasks: setup.yml
+
+    # VPC Peering (same region)
+    - name: Create VPC peering (same region)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        requester_vpc: "{{ eu_central_1_vpc_1.vpc.id }}"
+        accepter_vpc: "{{ eu_central_1_vpc_2.vpc.id }}"
+        region: eu-central-1
+        vpc_peering_operation: create
+
+    - name: Delete VPC peering connection req
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: eu-central-1
+        vpc_peering_conn_id: "{{ manage_vpc_peering_req_id }}"
+        vpc_peering_operation: delete
+
+    #  VPC Peering (cross region)
+    - name: Create VPC peering (cross region)
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: eu-central-1
+        accepter_vpc_region: us-west-1
+        requester_vpc: "{{ eu_central_1_vpc_1.vpc.id }}"
+        accepter_vpc: "{{ us_west_1_vpc_1.vpc.id }}"
+        vpc_peering_operation: create
+
+    - name: Delete VPC peering connection req
+      ansible.builtin.include_role:
+        name: cloud.aws_ops.manage_vpc_peering
+      vars:
+        region: eu-central-1
+        vpc_peering_conn_id: "{{ manage_vpc_peering_req_id }}"
+        vpc_peering_operation: delete
+
+  always:
+    - name: Include 'teardown.yml' file
+      ansible.builtin.include_tasks: teardown.yml
diff --git a/tests/integration/targets/test_manage_vpc_peering/tasks/setup.yml b/tests/integration/targets/test_manage_vpc_peering/tasks/setup.yml
@@ -0,0 +1,21 @@
+---
+- name: Create first VPC in eu-central-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_1_1 }}"
+    name: "{{ test_vpc_name_1_1 }}"
+    region: eu-central-1
+  register: eu_central_1_vpc_1
+
+- name: Create second VPC in eu-central-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_1_2 }}"
+    name: "{{ test_vpc_name_1_2 }}"
+    region: eu-central-1
+  register: eu_central_1_vpc_2
+
+- name: Create VPC in us-west-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_2_1 }}"
+    name: "{{ test_vpc_name_2 }}"
+    region: us-west-1
+  register: us_west_1_vpc_1
diff --git a/tests/integration/targets/test_manage_vpc_peering/tasks/teardown.yml b/tests/integration/targets/test_manage_vpc_peering/tasks/teardown.yml
@@ -0,0 +1,27 @@
+---
+- name: Delete first VPC in eu-central-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_1_1 }}"
+    name: "{{ test_vpc_name_1_1 }}"
+    state: absent
+    region: eu-central-1
+  register: eu_central_1_vpc_1
+  ignore_errors: true
+
+- name: Delete second VPC in eu-central-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_1_2 }}"
+    name: "{{ test_vpc_name_1_2 }}"
+    state: absent
+    region: eu-central-1
+  register: eu_central_1_vpc_2
+  ignore_errors: true
+
+- name: Delete VPC in us-west-1
+  amazon.aws.ec2_vpc_net:
+    cidr_block: "{{ test_vpc_cidr_2_1 }}"
+    name: "{{ test_vpc_name_2 }}"
+    state: absent
+    region: us-west-1
+  register: us_west_1_vpc_1
+  ignore_errors: true