From 9c4ff92daa53a6d24dac5762708e1359bc0be93d Mon Sep 17 00:00:00 2001
From: Colleen Murphy
Date: Tue, 17 Mar 2015 16:59:44 -0700
Subject: [PATCH 1/2] Filter on vpc-id for sec groups in EC2-VPC

When adding security_group ingress rules to a security group resource upon creation, a VPC-only account may have multiple groups with the same name, often 'default', to select from. Without this change, the ec2_securitygroup provider will simply select the first that it finds. If the one it selects is not in the VPC to which the security group puppet resource was added, it will raise an error and fail to add the ingress rule. This change ensures that the correct security group for the resource's ingress rule is selected by retrieving the VPC ID of the security group that was added and using it as part of the filter for selecting possible security groups to use for the ingress rule.

Paired-with:
---
 lib/puppet/provider/ec2_securitygroup/v2.rb | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/lib/puppet/provider/ec2_securitygroup/v2.rb b/lib/puppet/provider/ec2_securitygroup/v2.rb
index 4e3d8977..6c6943cf 100644
--- a/lib/puppet/provider/ec2_securitygroup/v2.rb
+++ b/lib/puppet/provider/ec2_securitygroup/v2.rb
@@ -131,9 +131,13 @@ def authorize_ingress(new_rules, existing_rules=[])
 to_create.reject(&:nil?).each do |rule|
 if rule.key? 'security_group'
 source_group_name = rule['security_group']
- group_response = ec2.describe_security_groups(filters: [
- {name: 'group-name', values: [source_group_name]},
- ])
+ filters = [ {name: 'group-name', values: [source_group_name]} ]
+ if vpc_only_account?
+ response = ec2.describe_security_groups(group_ids: [@property_hash[:id]])
+ vpc_id = response.data.security_groups.first.vpc_id
+ filters.push( {name: 'vpc-id', values: [vpc_id]} )
+ end
+ group_response = ec2.describe_security_groups(filters: filters)
 fail("No groups found called #{source_group_name}") if group_response.data.security_groups.count == 0
 source_group_id = group_response.data.security_groups.first.group_id
 Puppet.warning "Multiple groups found called #{source_group_name}, using #{source_group_id}" if group_response.data.security_groups.count > 1

From cc16d406d85d3fec7709f2e1b5a97465871e263e Mon Sep 17 00:00:00 2001
From: Iristyle
Date: Tue, 17 Mar 2015 19:12:01 -0700
Subject: [PATCH 2/2] (maint) Improve security_group create error msg

- Share count amongst multiple spots, emit the number of matching groups for a given name
---
 lib/puppet/provider/ec2_securitygroup/v2.rb | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/lib/puppet/provider/ec2_securitygroup/v2.rb b/lib/puppet/provider/ec2_securitygroup/v2.rb
index 6c6943cf..414167e5 100644
--- a/lib/puppet/provider/ec2_securitygroup/v2.rb
+++ b/lib/puppet/provider/ec2_securitygroup/v2.rb
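Review bot: The vpc-id filter is only applied when `vpc_only_account?` is true, so an account that has VPCs alongside EC2-Classic still gets the bare group-name lookup and can pick a same-named group from another VPC, which is exactly the ambiguity the commit sets out to remove; keying the filter on the created group's own `vpc_id` (non-nil means it lives in a VPC) would cover that case as well, assuming `vpc_only_account?` — not visible here — is a per-account rather than per-group check. The `describe_security_groups(group_ids: [@property_hash[:id]])` call also sits inside the `each do |rule|` loop although its result does not depend on `rule`, and `response.data.security_groups.first.vpc_id` raises a bare NoMethodError on nil if that lookup comes back empty rather than naming the group that could not be found. The version below hoists the lookup above the loop, fails with a clear message when the group is missing, and applies the filter whenever a vpc_id is present. `authorize_ingress` begins before this hunk.
```ruby
own_group = ec2.describe_security_groups(group_ids: [@property_hash[:id]]).data.security_groups.first
fail("Security group #{@property_hash[:id]} not found, cannot resolve ingress source groups") unless own_group
to_create.reject(&:nil?).each do |rule|
  # … unchanged: 'security_group' key check, source_group_name = rule['security_group'] …
    filters = [ {name: 'group-name', values: [source_group_name]} ]
    # group names are unique only within a VPC, so pin the lookup to this group's own VPC
    filters.push( {name: 'vpc-id', values: [own_group.vpc_id]} ) if own_group.vpc_id
    group_response = ec2.describe_security_groups(filters: filters)
    # … unchanged: match-count check and source_group_id selection …
```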
@@ -138,9 +138,10 @@ def authorize_ingress(new_rules, existing_rules=[])
 filters.push( {name: 'vpc-id', values: [vpc_id]} )
 end
 group_response = ec2.describe_security_groups(filters: filters)
- fail("No groups found called #{source_group_name}") if group_response.data.security_groups.count == 0
+ match_count = group_response.data.security_groups.count
+ fail("No groups found called #{source_group_name}") if match_count == 0
 source_group_id = group_response.data.security_groups.first.group_id
- Puppet.warning "Multiple groups found called #{source_group_name}, using #{source_group_id}" if group_response.data.security_groups.count > 1
+ Puppet.warning "#{match_count} groups found called #{source_group_name}, using #{source_group_id}" if match_count > 1
 permissions = ['tcp', 'udp', 'icmp'].collect do |protocol|
 {
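Review bot: When `match_count > 1` the new warning still leaves the ingress rule pointing at whichever group `.first` happened to return, so the permission may be granted to the wrong source group with only a log line to show for it; because AWS keeps group names unique within a VPC, a residual multi-match here most likely means the vpc-id filter did not apply, and the message gives the operator no way to see which groups were in play. Listing the candidate ids makes the choice auditable: `Puppet.warning "#{match_count} groups found called #{source_group_name} (#{group_response.data.security_groups.map(&:group_id).join(', ')}), using #{source_group_id}" if match_count > 1`. Failing instead of warning would be the stricter option if picking an arbitrary group is never acceptable for an ingress source. `authorize_ingress` begins before this hunk.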