Closed TheToddLuci0 closed 9 months ago
Via Ansible
vs. with the CLI
Note that the CLI does it in one API call, while Ansible uses two. In this case, the second fails since ec2:CreateTag is restricted to resource creation for this user.
Thanks for taking the time to open this issue.
This is actually a side effect of the fact that when the module was originally written the AWS EC2 APIs didn't support setting tags on creation; it had to be done as a separate API call. (Support for tagging during creation was only added to botocore in mid 2020; general tagging support for this module was originally written in 2017.)
The main change that needs to be made is setting the "ResourceTags" parameter as part of the create_security_group call. You can see an example of this type of change from ec2_vpc_nacl (https://github.com/ansible-collections/community.aws/pull/1189/files). Would you be interested in creating a Pull Request to make this change? (I suspect most of the EC2 modules in this collection need the change too.)
Summary
When passed tags for a new resource, these are not passed with the CreateSecurityGroup API call. This causes a number of issues with tag-based IAM policies. This also introduces a potential race condition, where the resource exists in an untagged state, causing other tag-based automation to trigger (for example, to remove the policy-violating resource) before the tags can be applied.
Issue Type
Bug Report
Component Name
ec2_security_group
Ansible Version
Collection Versions
AWS SDK versions
Configuration
OS / Environment
Linux kali 6.4.0-kali3-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.4.11-1kali1 (2023-08-21) x86_64 GNU/Linux
Steps to Reproduce
Playbook:
Relevant IAM policy snippet
Expected Results
Security group should be created with valid tags
Actual Results
Code of Conduct
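The two behaviours contrasted in this thread (the maintainer's one-call fix in the comment above, and the untagged window plus tag-based IAM failure described in the Summary) can be reproduced without an AWS account. The following is an added example, not code from the ansible module, the linked PR or the issue author: it builds the request shape boto3's `create_security_group` accepts for tagging on creation (`TagSpecifications`, the real parameter name; the comment above calls it "ResourceTags"), and runs both call sequences through a small default-deny evaluator that models the kind of policy the reporter describes. The policy statements, the tag names and the `vpc-0example` id are constructed for the demonstration; `ec2:CreateAction` and `aws:RequestTag/<key>` are real IAM condition keys.

```python
"""Single-call vs. two-call tagging of an EC2 security group under a
tag-based IAM policy.  Added example (no AWS SDK needed); the policy
below is constructed to mirror the issue, not copied from anywhere."""


def build_create_sg_request(name, description, vpc_id, tags):
    """Parameters for one CreateSecurityGroup call that tags on creation.

    TagSpecifications is the documented boto3 parameter; the tags travel
    in the same request, so the resource never exists untagged."""
    return {
        "GroupName": name,
        "Description": description,
        "VpcId": vpc_id,
        "TagSpecifications": [
            {
                "ResourceType": "security-group",
                "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
            }
        ],
    }


def build_create_tags_request(group_id, tags):
    """The separate CreateTags call the older module flow makes."""
    return {
        "Resources": [group_id],
        "Tags": [{"Key": k, "Value": v} for k, v in tags.items()],
    }


# Constructed policy model: creating the group is allowed, but tagging is
# only allowed as part of a create action (ec2:CreateAction condition).
# A standalone CreateTags call carries no ec2:CreateAction key.
POLICY = [
    {"Action": "ec2:CreateSecurityGroup"},
    {
        "Action": "ec2:CreateTags",
        "Condition": {"StringEquals": {"ec2:CreateAction": "CreateSecurityGroup"}},
    },
]


def evaluate(statements, action, context):
    """Default-deny evaluation of an Allow-only policy with StringEquals
    conditions; a condition key missing from the request context fails."""
    for stmt in statements:
        if stmt["Action"] != action:
            continue
        conds = stmt.get("Condition", {}).get("StringEquals", {})
        if all(context.get(k) == v for k, v in conds.items()):
            return True
    return False


def request_context(tags, create_action=None):
    """Condition keys AWS would derive from the request."""
    ctx = {f"aws:RequestTag/{k}": v for k, v in tags.items()}
    if create_action:
        ctx["ec2:CreateAction"] = create_action
    return ctx


def simulate_two_call(statements, tags):
    """Old module flow: CreateSecurityGroup, then CreateTags on the id."""
    steps = []
    created = evaluate(statements, "ec2:CreateSecurityGroup", request_context({}))
    steps.append(("CreateSecurityGroup", created))
    if not created:
        return {"created": False, "tagged": False, "steps": steps}
    # Standalone CreateTags: no ec2:CreateAction in the context, so the
    # group now exists untagged and the second call is denied.
    tagged = evaluate(statements, "ec2:CreateTags", request_context(tags))
    steps.append(("CreateTags", tagged))
    return {"created": True, "tagged": tagged, "steps": steps}


def simulate_single_call(statements, tags):
    """Fixed flow: tags ride along in TagSpecifications; IAM evaluates the
    create action and the tagging action against the same request."""
    ctx = request_context(tags, create_action="CreateSecurityGroup")
    ok = evaluate(statements, "ec2:CreateSecurityGroup", ctx) and evaluate(
        statements, "ec2:CreateTags", ctx
    )
    return {"created": ok, "tagged": ok, "steps": [("CreateSecurityGroup", ok)]}


if __name__ == "__main__":
    tags = {"Owner": "platform-team"}
    print(build_create_sg_request("demo", "added example", "vpc-0example", tags))
    print("two-call:", simulate_two_call(POLICY, tags))
    print("one-call:", simulate_single_call(POLICY, tags))
```

The two-call result (`created` true, `tagged` false) is exactly the state the Summary warns about: the group exists, any tag-driven remediation sees an untagged resource, and the follow-up CreateTags is denied by the same policy that was meant to enforce tagging. The single-call result succeeds because `ec2:CreateAction` is present when tags are supplied in the create request, which is why tagging on creation is the fix rather than a policy relaxation.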