salt.states.boto_vpc

Manage VPCs

New in version 2015.8.0.

depends

  • boto >= 2.8.0

  • boto3 >= 1.2.6

Create and destroy VPCs. Be aware that this interacts with Amazon's services, and so may incur charges.

This module accepts explicit vpc credentials but can also utilize IAM roles assigned to the instance through Instance Profiles. Dynamic credentials are then automatically obtained from AWS API and no further configuration is necessary. More information available here.

If IAM roles are not used you need to specify them either in a pillar file or in the minion's config file:

vpc.keyid: GKTADJGHEIQSXMKKRBJ08H
vpc.key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

It's also possible to specify key, keyid and region via a profile, either passed in as a dict, or as a string to pull from pillars or minion config:

myprofile:
  keyid: GKTADJGHEIQSXMKKRBJ08H
  key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
  region: us-east-1
aws:
  region:
    us-east-1:
      profile:
        keyid: GKTADJGHEIQSXMKKRBJ08H
        key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs
        region: us-east-1
Ensure VPC exists:
  boto_vpc.present:
    - name: myvpc
    - cidr_block: 10.10.11.0/24
    - dns_hostnames: True
    - region: us-east-1
    - keyid: GKTADJGHEIQSXMKKRBJ08H
    - key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

Ensure subnet exists:
  boto_vpc.subnet_present:
    - name: mysubnet
    - vpc_id: vpc-123456
    - cidr_block: 10.0.0.0/16
    - region: us-east-1
    - profile: myprofile

{% set profile = salt['pillar.get']('aws:region:us-east-1:profile' ) %}
Ensure internet gateway exists:
  boto_vpc.internet_gateway_present:
    - name: myigw
    - vpc_name: myvpc
    - profile: {{ profile }}

Ensure route table exists:
  boto_vpc.route_table_present:
    - name: my_route_table
    - vpc_id: vpc-123456
    - routes:
      - destination_cidr_block: 0.0.0.0/0
        instance_id: i-123456
      - subnet_names:
        - subnet1
        - subnet2
      - region: us-east-1
      - profile:
        keyid: GKTADJGHEIQSXMKKRBJ08H
        key: askdjghsdfjkghWupUjasdflkdfklgjsdfjajkghs

New in version 2016.11.0.

Request, accept and delete VPC peering connections. VPC peering connections can be named allowing the name to be used throughout the state file. Following example shows how to request and accept a VPC peering connection.

accept the vpc peering connection:
  boto_vpc.accept_vpc_peering_connection:
    - conn_name: salt_vpc_peering
    - region: us-west-2
    - require:
      - boto_vpc: request a vpc peering connection

request a vpc peering connection:
  boto_vpc.request_vpc_peering_connection:
    - requester_vpc_id: vpc-4a3d522e
    - peer_vpc_id: vpc-ae81e9ca
    - region: us-west-2
    - conn_name: salt_vpc_peering

VPC peering connections need not be named. In this case the VPC peering connection ID should be used in the state file.

accept the vpc peering connection:
  boto_vpc.accept_vpc_peering_connection:
    - conn_id: pcx-1873c371
    - region: us-west-2

VPC peering connections can be deleted, as shown below.

delete a named vpc peering connection:
  boto_vpc.delete_vpc_peering_connection:
    - conn_name: salt_vpc_peering

Delete also accepts a VPC peering connection id.

delete a vpc peering connection by id:
  boto_vpc.delete_vpc_peering_connection:
    - conn_id: pcx-1873c371
salt.states.boto_vpc.absent(name, tags=None, region=None, key=None, keyid=None, profile=None)

Ensure VPC with passed properties is absent.

name

Name of the VPC.

tags

A list of tags. All tags must match.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.accept_vpc_peering_connection(name=None, conn_id=None, conn_name=None, region=None, key=None, keyid=None, profile=None)

Accept a VPC pending requested peering connection between two VPCs.

name

Name of this state

conn_id

The connection ID to accept. Exclusive with conn_name. String type.

conn_name

The name of the VPC peering connection to accept. Exclusive with conn_id. String type.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.11.0.

Example:

boto_vpc.accept_vpc_peering_connection:
  - conn_name: salt_peering_connection

# usage with vpc peering connection id and region
boto_vpc.accept_vpc_peering_connection:
  - conn_id: pbx-1873d472
  - region: us-west-2
salt.states.boto_vpc.delete_vpc_peering_connection(name, conn_id=None, conn_name=None, region=None, key=None, keyid=None, profile=None)
name

Name of the state

conn_id

ID of the peering connection to delete. Exclusive with conn_name.

conn_name

The name of the peering connection to delete. Exclusive with conn_id.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.11.0.

Example:

delete a vpc peering connection:
  boto_vpc.delete_vpc_peering_connection:
    - region: us-west-2
    - conn_id: pcx-4613b12e

Connection name can be specified (instead of ID). Specifying both conn_name and conn_id will result in an error.

delete a vpc peering connection:
  boto_vpc.delete_vpc_peering_connection:
    - conn_name: salt_vpc_peering
salt.states.boto_vpc.dhcp_options_absent(name=None, dhcp_options_id=None, region=None, key=None, keyid=None, profile=None)

Ensure a set of DHCP options with the given settings exist.

name

(string) Name of the DHCP options set.

dhcp_options_id

(string) Id of the DHCP options set.

region

(string) Region to connect to.

key

(string) Secret key to be used.

keyid

(string) Access key to be used.

profile

(various) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.3.0.

salt.states.boto_vpc.dhcp_options_present(name, dhcp_options_id=None, vpc_name=None, vpc_id=None, domain_name=None, domain_name_servers=None, ntp_servers=None, netbios_name_servers=None, netbios_node_type=None, tags=None, region=None, key=None, keyid=None, profile=None)

Ensure a set of DHCP options with the given settings exist. Note that the current implementation only SETS values during option set creation. It is unable to update option sets in place, and thus merely verifies the set exists via the given name and/or dhcp_options_id param.

name

(string) Name of the DHCP options.

vpc_name

(string) Name of a VPC to which the options should be associated. Either vpc_name or vpc_id must be provided.

vpc_id

(string) Id of a VPC to which the options should be associated. Either vpc_name or vpc_id must be provided.

domain_name

(string) Domain name to be assiciated with this option set.

domain_name_servers

(list of strings) The IP address(es) of up to four domain name servers.

ntp_servers

(list of strings) The IP address(es) of up to four desired NTP servers.

netbios_name_servers

(list of strings) The IP address(es) of up to four NetBIOS name servers.

netbios_node_type

(string) The NetBIOS node type (1, 2, 4, or 8). For more information about the allowed values, see RFC 2132. The recommended is 2 at this time (broadcast and multicast are currently not supported).

tags

(dict of key:value pairs) A set of tags to be added.

region

(string) Region to connect to.

key

(string) Secret key to be used.

keyid

(string) Access key to be used.

profile

(various) A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.3.0.

salt.states.boto_vpc.internet_gateway_absent(name, detach=False, region=None, key=None, keyid=None, profile=None)

Ensure the named internet gateway is absent.

name

Name of the internet gateway.

detach

First detach the internet gateway from a VPC, if attached.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.internet_gateway_present(name, vpc_name=None, vpc_id=None, tags=None, region=None, key=None, keyid=None, profile=None)

Ensure an internet gateway exists.

name

Name of the internet gateway.

vpc_name

Name of the VPC to which the internet gateway should be attached.

vpc_id

Id of the VPC to which the internet_gateway should be attached. Only one of vpc_name or vpc_id may be provided.

tags

A list of tags.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.nat_gateway_absent(name=None, subnet_name=None, subnet_id=None, region=None, key=None, keyid=None, profile=None, wait_for_delete_retries=0)

Ensure the nat gateway in the named subnet is absent.

This function requires boto3.

New in version 2016.11.0.

name

Name of the state.

subnet_name

Name of the subnet within which the nat gateway should exist

subnet_id

Id of the subnet within which the nat gateway should exist. Either subnet_name or subnet_id must be provided.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

wait_for_delete_retries

NAT gateway may take some time to be go into deleted or failed state. During the deletion process, subsequent release of elastic IPs may fail; this state will automatically retry this number of times to ensure the NAT gateway is in deleted or failed state before proceeding. Default is set to 0 for backward compatibility.

salt.states.boto_vpc.nat_gateway_present(name, subnet_name=None, subnet_id=None, region=None, key=None, keyid=None, profile=None, allocation_id=None)

Ensure a nat gateway exists within the specified subnet

This function requires boto3.

New in version 2016.11.0.

Example:

boto_vpc.nat_gateway_present:
  - subnet_name: my-subnet
name

Name of the state

subnet_name

Name of the subnet within which the nat gateway should exist

subnet_id

Id of the subnet within which the nat gateway should exist. Either subnet_name or subnet_id must be provided.

allocation_id

If specified, the elastic IP address referenced by the ID is associated with the gateway. Otherwise, a new allocation_id is created and used.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.present(name, cidr_block, instance_tenancy=None, dns_support=None, dns_hostnames=None, tags=None, region=None, key=None, keyid=None, profile=None)

Ensure VPC exists.

name

Name of the VPC.

cidr_block

The range of IPs in CIDR format, for example: 10.0.0.0/24. Block size must be between /16 and /28 netmask.

instance_tenancy

Instances launched in this VPC will be ingle-tenant or dedicated hardware.

dns_support

Indicates whether the DNS resolution is supported for the VPC.

dns_hostnames

Indicates whether the instances launched in the VPC get DNS hostnames.

tags

A list of tags.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.request_vpc_peering_connection(name, requester_vpc_id=None, requester_vpc_name=None, peer_vpc_id=None, peer_vpc_name=None, conn_name=None, peer_owner_id=None, peer_region=None, region=None, key=None, keyid=None, profile=None)
name

Name of the state

requester_vpc_id

ID of the requesting VPC. Exclusive with requester_vpc_name. String type.

requester_vpc_name

Name tag of the requesting VPC. Exclusive with requester_vpc_id. String type.

peer_vpc_id

ID of the VPC tp crete VPC peering connection with. This can be a VPC in another account. Exclusive with peer_vpc_name. String type.

peer_vpc_name

Name tag of the VPC tp crete VPC peering connection with. This can only be a VPC the same account and region. Exclusive with peer_vpc_id. String type.

conn_name

The (optional) name to use for this VPC peering connection. String type.

peer_owner_id

ID of the owner of the peer VPC. String type. If this isn't supplied AWS uses your account ID. Required if peering to a different account.

peer_region

Region of peer VPC. For inter-region vpc peering connections. Not required for intra-region peering connections.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.11.0.

Example:

request a vpc peering connection:
  boto_vpc.request_vpc_peering_connection:
    - requester_vpc_id: vpc-4b3522e
    - peer_vpc_id: vpc-ae83f9ca
    - conn_name: salt_peering_connection
salt.states.boto_vpc.route_table_absent(name, region=None, key=None, keyid=None, profile=None)

Ensure the named route table is absent.

name

Name of the route table.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.route_table_present(name, vpc_name=None, vpc_id=None, routes=None, subnet_ids=None, subnet_names=None, tags=None, region=None, key=None, keyid=None, profile=None)

Ensure route table with routes exists and is associated to a VPC.

This function requires boto3 to be installed if nat gatewyas are specified.

Example:

boto_vpc.route_table_present:
  - name: my_route_table
  - vpc_id: vpc-123456
  - routes:
    - destination_cidr_block: 0.0.0.0/0
      internet_gateway_name: InternetGateway
    - destination_cidr_block: 10.10.11.0/24
      instance_id: i-123456
    - destination_cidr_block: 10.10.12.0/24
      interface_id: eni-123456
    - destination_cidr_block: 10.10.13.0/24
      instance_name: mygatewayserver
  - subnet_names:
    - subnet1
    - subnet2
name

Name of the route table.

vpc_name

Name of the VPC with which the route table should be associated.

vpc_id

Id of the VPC with which the route table should be associated. Either vpc_name or vpc_id must be provided.

routes

A list of routes. Each route has a cidr and a target.

subnet_ids

A list of subnet ids to associate

subnet_names

A list of subnet names to associate

tags

A list of tags.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.subnet_absent(name=None, subnet_id=None, region=None, key=None, keyid=None, profile=None)

Ensure subnet with passed properties is absent.

name

Name of the subnet.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.subnet_present(name, cidr_block, vpc_name=None, vpc_id=None, availability_zone=None, tags=None, region=None, key=None, keyid=None, profile=None, route_table_id=None, route_table_name=None, auto_assign_public_ipv4=False)

Ensure a subnet exists.

name

Name of the subnet.

cidr_block

The range if IPs for the subnet, in CIDR format. For example: 10.0.0.0/24. Block size must be between /16 and /28 netmask.

vpc_name

Name of the VPC in which the subnet should be placed. Either vpc_name or vpc_id must be provided.

vpc_id

Id of the VPC in which the subnet should be placed. Either vpc_name or vpc_id must be provided.

availability_zone

AZ in which the subnet should be placed.

tags

A list of tags.

route_table_id

A route table ID to explicitly associate the subnet with. If both route_table_id and route_table_name are specified, route_table_id will take precedence.

New in version 2016.11.0.

route_table_name

A route table name to explicitly associate the subnet with. If both route_table_id and route_table_name are specified, route_table_id will take precedence.

New in version 2016.11.0.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

salt.states.boto_vpc.vpc_peering_connection_absent(name, conn_id=None, conn_name=None, region=None, key=None, keyid=None, profile=None)
salt.states.boto_vpc.vpc_peering_connection_present(name, requester_vpc_id=None, requester_vpc_name=None, peer_vpc_id=None, peer_vpc_name=None, conn_name=None, peer_owner_id=None, peer_region=None, region=None, key=None, keyid=None, profile=None)
name

Name of the state

requester_vpc_id

ID of the requesting VPC. Exclusive with requester_vpc_name.

requester_vpc_name

Name tag of the requesting VPC. Exclusive with requester_vpc_id.

peer_vpc_id

ID of the VPC tp crete VPC peering connection with. This can be a VPC in another account. Exclusive with peer_vpc_name.

peer_vpc_name

Name tag of the VPC tp crete VPC peering connection with. This can only be a VPC in the same account, else resolving it into a vpc ID will fail. Exclusive with peer_vpc_id.

conn_name

The name to use for this VPC peering connection.

peer_owner_id

ID of the owner of the peer VPC. Defaults to your account ID, so a value is required if peering with a VPC in a different account.

peer_region

Region of peer VPC. For inter-region vpc peering connections. Not required for intra-region peering connections.

region

Region to connect to.

key

Secret key to be used.

keyid

Access key to be used.

profile

A dict with region, key and keyid, or a pillar key (string) that contains a dict with region, key and keyid.

New in version 2016.11.0.

Example:

ensure peering twixt local vpc and the other guys:
  boto_vpc.vpc_peering_connection_present:
    - requester_vpc_name: my_local_vpc
    - peer_vpc_name: some_other_guys_vpc
    - conn_name: peering_from_here_to_there
    - peer_owner_id: 012345654321