Describe the bug
When deploying to ec2-cloud with the ipsec_enabled parameter set to
false, a new EC2 external firewall Security Group is created with two
unnecessary ingress firewall rules for the inbound IPsec ports 500 and
4500. Since the ipsec strongswan role is excluded, no strongSwan VPN is
deployed on the new hosted instance, so there is no need for these open
ports.
To Reproduce
Steps to reproduce the behavior:
- Change the config.cfg ipsec_enabled parameter to false
- Run the Algo ansible script and choose EC2 as the cloud provider
- After Algo completes the deployment, note the public IPv4 shown in
  the final lines of "PLAY RECAP"
- If the AWS CLI is installed, run this describe-instances and
  describe-security-groups command using the public IP to see the
  ingress rules which were created:
  EC2IP=nn.nn.nn.nn && aws ec2 describe-security-groups --filters \
  Name=group-id,Values=$(aws ec2 describe-instances --filters \
  Name=network-interface.association.public-ip,Values=$EC2IP \
  --query 'Reservations[*].Instances[*].SecurityGroups[*].[GroupId]' \
  --output text) \
  --query 'SecurityGroups[*].[IpPermissions]'
- Another way to view the rules is in the AWS Dashboard->AWS Services
  ->CloudFormation->Stacks page. Examine the Stack Details->Resources
  to find the InstanceSecurityGroup which was created. Open the Physical
  ID of the SG to view the Inbound Rules

Expected behavior
When ipsec_enabled = false, there should be only two security group
rules: one for SSH and one for WireGuard.
Additional context
Perhaps consider the case when wireguard_enabled = false as well.
Do not open that port when not enabled.
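To check a deployed group against the intended rule set described above, here is an added Python example (not Algo's own code) that compares the IpPermissions list returned by describe-security-groups with the ports the enabled roles actually need. SSH on tcp/22 and WireGuard on udp/51820 are assumed Algo defaults, and the sample rules are constructed to match the state this report describes.

```python
"""Audit an Algo EC2 security group's ingress rules against the enabled
VPN roles. Added example, not Algo's code; port defaults are assumed."""
import json

ROLE_PORTS = {
    "ssh": {("tcp", 22)},                     # assumed default
    "ipsec": {("udp", 500), ("udp", 4500)},   # IPsec ports from the report
    "wireguard": {("udp", 51820)},            # assumed default wireguard_port
}

def expected_ports(ipsec_enabled, wireguard_enabled):
    """(proto, port) pairs the group should allow inbound for this config."""
    wanted = set(ROLE_PORTS["ssh"])
    if ipsec_enabled:
        wanted |= ROLE_PORTS["ipsec"]
    if wireguard_enabled:
        wanted |= ROLE_PORTS["wireguard"]
    return wanted

def actual_ports(ip_permissions):
    """Flatten IpPermissions (describe-security-groups shape) to (proto, port)."""
    found = set()
    for perm in ip_permissions:
        proto = perm["IpProtocol"]
        if proto == "-1":  # AWS 'all traffic' rule has no port range
            found.add(("any", -1))
            continue
        for port in range(perm["FromPort"], perm["ToPort"] + 1):
            found.add((proto, port))
    return found

def audit(ip_permissions, ipsec_enabled, wireguard_enabled):
    """Return (unexpected_open, expected_but_missing) port sets."""
    want = expected_ports(ipsec_enabled, wireguard_enabled)
    have = actual_ports(ip_permissions)
    return have - want, want - have

# Constructed sample: the group the report describes with ipsec_enabled=false.
SAMPLE_IP_PERMISSIONS = json.loads("""[
 {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "udp", "FromPort": 500, "ToPort": 500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "udp", "FromPort": 4500, "ToPort": 4500, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]},
 {"IpProtocol": "udp", "FromPort": 51820, "ToPort": 51820, "IpRanges": [{"CidrIp": "0.0.0.0/0"}]}
]""")

if __name__ == "__main__":
    extra, missing = audit(SAMPLE_IP_PERMISSIONS, ipsec_enabled=False, wireguard_enabled=True)
    print("unexpected open:", sorted(extra), "missing:", sorted(missing))
```

Feed it the JSON from the describe-security-groups command above (with `--output json`) instead of the constructed sample to audit a live deployment.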