Use Boto3 for ec2_group Fixes #23507 (#25340)

* Use Boto3 for ec2_group

Currently boto doesn't support ipv6. To support ipv6 in ec2_group, we need boto3.
boto3 has significant API changes, which caused more re-factoring for ec2_group module.
Added additional integration test to test_ec2_group role.

* Follow the standard for boto3 ansible

Fixed imports. Use boto3 ansible exception with camel_dict_to_snake_dict.
Refactored the call to authorize/revoke  ingress and egress.

* Removed dependancy with module ipaddress

Added new parameter called cidr_ipv6 for specifying
ipv6 addresses inline with how boto3 handles ipv6 addresses.

* Updated integration test

* Added ipv6 integration test for ec2_group

* Set purge_rules to false for integration test

* Fixed import statements

Added example for ipv6.
Removed defining HAS_BOTO3 variable and import HAS_BOTO3 from ec2.
Cleaned up import statements.

* Fixed exception handling

* Add IAM permissions for ec2_group tests

Missing AuthorizeSecurityGroupEgress necessary for latest tests

* Wrapped botocore import in try/except block

Import just botocore to be more similar to other modules

test/integration/targets/ec2_group/tasks/main.yml

@@ -63,21 +63,6 @@
            - 'result.failed'
            - 'result.msg == "Must provide description when state is present."'
 
-    # ============================================================
-    - name: test invalid region parameter
-      ec2_group:
-        name='{{ec2_group_name}}'
-        description='{{ec2_group_description}}'
-        region='asdf querty 1234'
-      register: result
-      ignore_errors: true
-
-    - name: assert invalid region parameter
-      assert:
-        that:
-           - 'result.failed'
-           - 'result.msg.startswith("Region asdf querty 1234 does not seem to be available for aws module boto.ec2. If the region definitely exists, you may need to upgrade boto or extend with endpoints_path")'
-
     # ============================================================
     - name: test valid region parameter
       ec2_group:
@@ -91,7 +76,7 @@
       assert:
         that:
            - 'result.failed'
-           - 'result.msg.startswith("No handler was ready to authenticate.")'
+           - '"Unable to locate credentials" in result.msg'
 
     # ============================================================
     - name: test environment variable EC2_REGION
@@ -107,7 +92,7 @@
       assert:
         that:
            - 'result.failed'
-           - 'result.msg.startswith("No handler was ready to authenticate.")'
+           - '"Unable to locate credentials" in result.msg'
 
     # ============================================================
     - name: test invalid ec2_url parameter
@@ -123,7 +108,7 @@
       assert:
         that:
            - 'result.failed'
-           - 'result.msg.startswith("No handler was ready to authenticate.")'
+           - 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
 
     # ============================================================
     - name: test valid ec2_url parameter
@@ -139,7 +124,7 @@
       assert:
         that:
            - 'result.failed'
-           - 'result.msg.startswith("No handler was ready to authenticate.")'
+           - 'result.msg.startswith("The AWS region must be specified as an environment variable or in the AWS credentials profile")'
 
     # ============================================================
     - name: test credentials from environment
@@ -157,7 +142,7 @@
       assert:
         that:
            - 'result.failed'
-           - '"Error in get_all_security_groups: AWS was not able to validate the provided access credentials" in result.msg'
+           - '"validate the provided access credentials" in result.msg'
 
     # ============================================================
     - name: test credential parameters
@@ -174,7 +159,7 @@
       assert:
         that:
            - 'result.failed'
-           - '"Error in get_all_security_groups: AWS was not able to validate the provided access credentials" in result.msg'
+           - '"validate the provided access credentials" in result.msg'
 
     # ============================================================
     - name: test state=absent
@@ -243,6 +228,103 @@
            - 'not result.changed'
            - 'result.group_id.startswith("sg-")'
 
+    # ============================================================
+    - name: test state=present for ipv6 (expected changed=true)
+      ec2_group:
+        name: '{{ec2_group_name}}'
+        description: '{{ec2_group_description}}'
+        ec2_region: '{{ec2_region}}'
+        ec2_access_key: '{{ec2_access_key}}'
+        ec2_secret_key: '{{ec2_secret_key}}'
+        security_token: '{{security_token}}'
+        state: present
+        rules:
+        - proto: "tcp"
+          from_port: 8182
+          to_port: 8182
+          cidr_ipv6: "64:ff9b::/96"
+      register: result
+
+    - name: assert state=present (expected changed=true)
+      assert:
+        that:
+           - 'result.changed'
+           - 'result.group_id.startswith("sg-")'
+
+    # ============================================================
+    - name: test rules_egress state=present for ipv6 (expected changed=true)
+      ec2_group:
+        name: '{{ec2_group_name}}'
+        description: '{{ec2_group_description}}'
+        ec2_region: '{{ec2_region}}'
+        ec2_access_key: '{{ec2_access_key}}'
+        ec2_secret_key: '{{ec2_secret_key}}'
+        security_token: '{{security_token}}'
+        state: present
+        rules:
+        - proto: "tcp"
+          from_port: 8182
+          to_port: 8182
+          cidr_ipv6: "64:ff9b::/96"
+        rules_egress:
+        - proto: "tcp"
+          from_port: 8181
+          to_port: 8181
+          cidr_ipv6: "64:ff9b::/96"
+      register: result
+
+    - name: assert state=present (expected changed=true)
+      assert:
+        that:
+           - 'result.changed'
+           - 'result.group_id.startswith("sg-")'
+
+    # ============================================================
+    - name: test state=present for ipv4 (expected changed=true)
+      ec2_group:
+        name: '{{ec2_group_name}}'
+        description: '{{ec2_group_description}}'
+        ec2_region: '{{ec2_region}}'
+        ec2_access_key: '{{ec2_access_key}}'
+        ec2_secret_key: '{{ec2_secret_key}}'
+        security_token: '{{security_token}}'
+        state: present
+        rules:
+        - proto: "tcp"
+          from_port: 8182
+          to_port: 8182
+          cidr_ip: "1.1.1.1/32"
+      register: result
+
+    - name: assert state=present (expected changed=true)
+      assert:
+        that:
+        - 'result.changed'
+        - 'result.group_id.startswith("sg-")'
+
+    # ============================================================
+    - name: add same rule to the existing group  (expected changed=false)
+      ec2_group:
+        name: '{{ec2_group_name}}'
+        description: '{{ec2_group_description}}'
+        ec2_region: '{{ec2_region}}'
+        ec2_access_key: '{{ec2_access_key}}'
+        ec2_secret_key: '{{ec2_secret_key}}'
+        security_token: '{{security_token}}'
+        state: present
+        rules:
+        - proto: "tcp"
+          from_port: 8182
+          to_port: 8182
+          cidr_ip: "1.1.1.1/32"
+      register: result
+
+    - name: assert state=present (expected changed=false)
+      assert:
+        that:
+          - 'not result.changed'
+          - 'result.group_id.startswith("sg-")'
+
     # ============================================================
     - name: test state=absent (expected changed=true)
       ec2_group: