AWS: Allow the deployment of a subset of edges (#43)

ppiwowa-csco · web-flow · commit 76bc177f3e47 · 2025-05-09T12:04:44.000+02:00
diff --git a/roles/aws_edges/README.md b/roles/aws_edges/README.md
@@ -45,6 +45,7 @@ The `aws_edges` role is an essential component of the `cisco.sdwan_deployment` c
 - `results_dir`: Directory where deployment results will be stored.
 - `aws_deployed_edges_data`: File to store data of deployed edge devices.
 - `userdata_cedge_path`: Path to the user data configuration for cEdge devices.
+- `wan_edges`: Optional list of edge devices that will be deployed. By default all missing devices are deployed.
 
 ### Required variables
 
diff --git a/roles/aws_edges/tasks/aws_cedge_nsg.yml b/roles/aws_edges/tasks/aws_cedge_nsg.yml
@@ -0,0 +1,26 @@
+# Copyright 2024 Cisco Systems, Inc. and its affiliates
+# GNU General Public License v3.0+ (see LICENSE or https://www.gnu.org/licenses/gpl-3.0.txt)
+
+---
+
+- name: Allow traffic outside VPC for cEdge IP addresses
+  amazon.aws.ec2_security_group:
+    name: "{{ aws_discovered_security_group.group_name }}"
+    description: "Security Group for SD-WAN instances"
+    vpc_id: "{{ aws_vpc_config.id }}"
+    region: "{{ aws_region }}"
+    purge_rules: false
+    purge_tags: false
+    purge_rules_egress: false
+    rules:
+      - proto: all  # proto all means: `ports: all`
+        cidr_ip: "{{ instance_item['mgmt_public_ip'] }}/32"
+        rule_desc: "{{ instance_item['hostname'] }} - mgmt (VPN 512)"
+      - proto: all
+        cidr_ip: "{{ instance_item['transport_public_ip'] }}/32"
+        rule_desc: "{{ instance_item['hostname'] }} - transport (VPN 0)"
+    rules_egress: []
+  register: allow_traffic
+  retries: 3
+  delay: 3
+  until: allow_traffic is succeeded
diff --git a/roles/aws_edges/tasks/main.yml b/roles/aws_edges/tasks/main.yml
@@ -66,7 +66,22 @@
   loop: "{{ edge_instances }}"
   loop_control:
     loop_var: instance_item
-  when: edge_instances is defined and (instance_item.hostname not in instances_info or not instances_info[instance_item.hostname])
+  when:
+    - edge_instances is defined
+    - instance_item.hostname not in instances_info or not instances_info[instance_item.hostname]
+    - >
+      wan_edges is not defined
+      or wan_edges | json_query('[?uuid==`'~instance_item['uuid']~'`] | [?!contains(keys(@), `foreign`) || !foreign]')
+
+- name: Add NSG rules for foreign Edges
+  ansible.builtin.include_tasks: aws_cedge_nsg.yml
+  loop: "{{ wan_edges }}"
+  loop_control:
+    loop_var: instance_item
+  when:
+    - wan_edges is defined
+    - instance_item['mgmt_public_ip'] is defined
+    - instance_item['transport_public_ip'] is defined
 
 - name: Extract deployment facts
   ansible.builtin.include_role:
