From 64f00dddff2bbf0d49a803cefc7048f74ce7ca21 Mon Sep 17 00:00:00 2001
From: Gareth Rushgrove
Date: Thu, 19 Mar 2015 10:45:40 +0000
Subject: [PATCH] Allow setting ingress rules for default security groups in VPC

Due to default security groups all being named default we couldn't reference them previously due to unique resouce naming conflicts. This patch allows for a composite namevar only in the case of the default group. Note that the composite name populates the VPC field automatically, so you don't have to duplicate the information in a separate property.
---
 examples/vpc-example/init.pp | 13 +++++++++
 lib/puppet/provider/ec2_securitygroup/v2.rb | 5 +++-
 lib/puppet/type/ec2_securitygroup.rb | 32 +++++++++++++++++++--
 3 files changed, 47 insertions(+), 3 deletions(-)

diff --git a/examples/vpc-example/init.pp b/examples/vpc-example/init.pp
index dd3c2222..c00dbdff 100644
--- a/examples/vpc-example/init.pp
+++ b/examples/vpc-example/init.pp
@@ -14,6 +14,19 @@
   }],
 }
 
+ec2_securitygroup { 'sample-vpc::default':
+  ensure => present,
+  region => 'sa-east-1',
+  description => 'default VPC security group',
+  ingress => [{
+    protocol => 'tcp',
+    port => 22,
+    cidr => '0.0.0.0/0'
+  },{
+    security_group => 'default',
+  }],
+}
+
 ec2_vpc_subnet { 'sample-subnet':
   ensure => present,
   region => 'sa-east-1',
diff --git a/lib/puppet/provider/ec2_securitygroup/v2.rb b/lib/puppet/provider/ec2_securitygroup/v2.rb
index 414167e5..5874558d 100644
--- a/lib/puppet/provider/ec2_securitygroup/v2.rb
+++ b/lib/puppet/provider/ec2_securitygroup/v2.rb
@@ -69,9 +69,12 @@ def self.security_group_to_hash(region, group)
           vpc_name_tag ? vpc_name_tag.value : nil
         end
       end
+      name = group[:group_name]
+      name = "#{vpc_name}::#{name}" if vpc_name && name == 'default'
       {
         id: group.group_id,
-        name: group[:group_name],
+        name: name,
+        group_name: group[:group_name],
         id: group[:group_id],
         description: group[:description],
         ensure: :present,
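Review bot: The example opens port 22 from `0.0.0.0/0` on the VPC's default security group, and example manifests tend to be copied verbatim; a comment on the cidr line such as `# example only: scope cidr to your management range` would make the intent clear. The second ingress entry `security_group => 'default'` carries no protocol or port, so presumably it permits all traffic from the group to itself — stating that in a comment would help readers. The title `sample-vpc::default` relies on a VPC whose Name tag is exactly `sample-vpc`, declared outside this hunk.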
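Review bot: `vpc_name` is taken from the VPC's Name tag, which AWS requires to be neither unique nor present, so the composite built on the new `name = "#{vpc_name}::#{name}"` line can still collide (two VPCs tagged alike) or fall back to the bare `default` (untagged VPC), which is the duplicate-name situation the commit sets out to remove. A Name tag containing characters outside `[\w\-]` (spaces, dots) also yields a name that no pattern in the type's `title_patterns` accepts, leaving that group unaddressable from a manifest. I'd record this above the new lines: `# VPC Name tags are neither unique nor mandatory; default groups can still collide or stay unprefixed`. Unrelated to this change, the hash literal still carries `id:` twice (`group.group_id` and `group[:group_id]`), and the later key silently wins. The enclosing `security_group_to_hash` starts before the hunk.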
diff --git a/lib/puppet/type/ec2_securitygroup.rb b/lib/puppet/type/ec2_securitygroup.rb
index f89c311d..6e37f1db 100644
--- a/lib/puppet/type/ec2_securitygroup.rb
+++ b/lib/puppet/type/ec2_securitygroup.rb
@@ -5,13 +5,19 @@
 
   ensurable
 
-  newparam(:name, namevar: true) do
-    desc 'the name of the security group'
+  newparam(:name) do
+    desc 'the name of the security group resource'
+    isnamevar
     validate do |value|
       fail Puppet::Error, 'Security groups must have a name' if value == ''
     end
   end
 
+  newparam(:group_name) do
+    desc 'the name of the security group'
+    isnamevar
+  end
+
   newproperty(:region) do
     desc 'the region in which to launch the security group'
     validate do |value|
@@ -53,6 +59,7 @@ def stringify_values(rules)
 
   newproperty(:vpc) do
     desc 'A VPC to which the group should be associated'
+    isnamevar
   end
 
   def should_autorequire?(rule)
@@ -70,4 +77,25 @@ def should_autorequire?(rule)
   autorequire(:ec2_vpc) do
     self[:vpc]
   end
+
+  # When you create a VPC you automatically get a security group called default. You can't change the name.
+  # This lack of uniqueness makes managing these default security groups difficult. Enter a composite namevar.
+  # We support two name formats:
+  #
+  # 1. {some-security-group}
+  # 2. {some-vpc-name}::default
+  #
+  # Note that we only support prefixing a security group name with the vpc name for the default security group
+  # at this point. This avoids the issue of otherwise needing to store the resources in two places for non-default
+  # VPC secueity groups.
+  #
+  # In the case of a a default security group, we maintain the full name (including the VPC name) in the name property
+  # as otherwise it won't be unique and uniqueness and composite namevars are fun.
+  def self.title_patterns
+    [
+      [ /^(([\w\-]+)::(default))$/, [ [ :name, lambda {|x| x} ], [ :vpc, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ],
+      [ /^(([\w\-]+))$/, [ [ :name, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ]
+    ]
+  end
+
 end
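Review bot: The new `group_name` parameter is a namevar, but its `desc` does not say that it is normally filled from the resource title by `title_patterns` rather than set by the user, nor how it differs from `name`, which now holds the full (possibly `vpc::default`) title; `desc 'the name of the security group as known to AWS; populated from the title, see title_patterns'` would cover both. Unlike `name`, it has no `validate` block, so an explicit `group_name => ''` is accepted; if that matters the same empty-string check could be reused. The enclosing `Puppet::Type.newtype` block starts before the hunk.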
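Review bot: `isnamevar` is applied here to a property rather than a parameter; I believe Puppet derives a type's `key_attributes` from its parameters only, in which case `vpc` would not become part of the uniqueness key even though `title_patterns` still fills it from the title — worth confirming with a spec that `Puppet::Type.type(:ec2_securitygroup).key_attributes` includes `:vpc`. If it does not, a comment such as `# filled from the title by title_patterns; uniqueness rests on :name` would stop the next reader from expecting otherwise. The enclosing `newtype` block starts before the hunk.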
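Review bot: The fallback pattern `/^(([\w\-]+))$/` accepts only word characters and hyphens, yet AWS security-group names may contain spaces, dots and other punctuation, so a title such as `web servers` now fails with "No set of title patterns matched the title" where the previous plain namevar accepted it. The anchors should also be `\A`/`\z` rather than `^`/`$`, which match per line. I'd change the first pattern to `/\A(([\w\-]+)::(default))\z/` and the fallback to `[ /\A((.+))\z/, [ [ :name, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ]`; the ordering keeps the composite form matched first. The new comment also reads "secueity" and "a a default".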