ec2_group (as of Ansible 2.4) doesn't support usage of pl-xxxxx (prefix lists) typically employed by VPC endpoints.
So I went down the rabbit hole of doing this via a command module. The command works on the prompt. How do I get this to work?

ERROR! Syntax Error while loading YAML.

The error appears to have been in '/Users/dgirard/Documents/kraken/git/Ansible-aws-security/EC2-Security-Groups/SG-uat.yml' : line 2384, column 150, but may be elsewhere in the file depending on the exact syntax problem.

The offending line appears to be:

# aws ec2 authorize-security-group-egress --group-id "{{ sg_id }}" --region "{{ region }}" --profile "{{ profile }}" --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListIds": [{"PrefixListId": "pl-63a5400a"}]}]'
command: aws ec2 authorize-security-group-egress --group-id "{{ sg_id }}" --region us-east-1 --profile utility --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListIds": [{"PrefixListId": "pl-63a5400a"}]}]'
^ here

We could be wrong, but this one looks like it might be an issue with missing quotes. Always quote template expression brackets when they start a value. For instance:

    with_items:
      - {{ foo }}

Should be written as:

    with_items:
      - "{{ foo }}"

exception type: <class 'yaml.scanner.ScannerError'>
exception: mapping values are not allowed in this context
  in "<unicode string>", line 2384, column 150
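An added example, not part of the original post: the ScannerError comes from the `: ` sequences inside the JSON argument, which the YAML scanner reads as mapping separators because the `command:` value is an unquoted plain scalar. Putting the command in a folded block scalar keeps the JSON literal. The task name, the `egress_result` variable and the duplicate-rule handling are assumptions added for illustration.

```yaml
# Added example (not the poster's playbook).
#
# Fails to parse: the value after "command:" is a plain scalar, so the first
# ': ' inside the JSON ('"IpProtocol": "tcp"') is taken as a nested mapping key.
#
#   command: aws ec2 authorize-security-group-egress ... --ip-permissions '[{"IpProtocol": "tcp", ...}]'
#
# Parses: '>-' starts a folded block scalar. Everything indented under it is
# literal text, line breaks fold to single spaces, and ': ' has no meaning.

- name: Allow HTTPS egress to the VPC endpoint prefix list   # hypothetical task name
  command: >-
    aws ec2 authorize-security-group-egress
    --group-id "{{ sg_id }}"
    --region us-east-1
    --profile utility
    --ip-permissions '[{"IpProtocol": "tcp", "FromPort": 443, "ToPort": 443, "PrefixListIds": [{"PrefixListId": "pl-63a5400a"}]}]'
  register: egress_result   # hypothetical variable name
  # The command module does not pass the line through a shell; it splits it
  # shlex-style, so the single-quoted JSON reaches the AWS CLI as one argument.
  #
  # The CLI call is not idempotent: a second run returns the EC2 error code
  # InvalidPermission.Duplicate on stderr. Treat that as "already present"
  # rather than a failure, so the play can be re-run safely.
  changed_when: egress_result.rc == 0
  failed_when: egress_result.rc != 0 and 'InvalidPermission.Duplicate' not in egress_result.stderr
```

Rules added this way are not tracked by `ec2_group`, so a later `ec2_group` task on the same group with egress purging enabled can remove them again.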