This repository has been archived by the owner on Jun 5, 2020. It is now read-only.
Allow setting ingress rules for default security groups in VPC
Due to default security groups all being named default we couldn't
reference them previously due to unique resource naming conflicts. This
patch allows for a composite namevar only in the case of the default
group. Note that the composite name populates the VPC field
automatically, so you don't have to duplicate the information in a
separate property.
garethr committed Mar 23, 2015
1 parent 722ccfa commit ff56d68
Showing 3 changed files with 47 additions and 3 deletions.
13 changes: 13 additions & 0 deletions examples/vpc-example/init.pp
Expand Up @@ -14,6 +14,19 @@
}],
}

ec2_securitygroup { 'sample-vpc::default':
ensure => present,
region => 'sa-east-1',
description => 'default VPC security group',
ingress => [{
protocol => 'tcp',
port => 22,
cidr => '0.0.0.0/0'
},{
security_group => 'default',
}],
}

ec2_vpc_subnet { 'sample-subnet':
ensure => present,
region => 'sa-east-1',
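Review bot: the first ingress rule in this example (`protocol => 'tcp'`, `port => 22`, `cidr => '0.0.0.0/0'`) opens SSH to the whole internet on the VPC's default group, which is the group every instance launched without an explicit group inherits; for a sample that people copy into production manifests, narrow the CIDR to an administrative range or mark the rule as illustrative in a comment. Separately, the second rule references `security_group => 'default'` by bare name while the resource is now titled `sample-vpc::default`, so please confirm that `should_autorequire?` still matches that rule to this resource; otherwise the ordering the example implies is silently lost.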
5 changes: 4 additions & 1 deletion lib/puppet/provider/ec2_securitygroup/v2.rb
Expand Up @@ -69,9 +69,12 @@ def self.security_group_to_hash(region, group)
vpc_name_tag ? vpc_name_tag.value : nil
end
end
name = group[:group_name]
name = "#{vpc_name}::#{name}" if vpc_name && name == 'default'
{
id: group.group_id,
name: group[:group_name],
name: name,
group_name: group[:group_name],
id: group[:group_id],
description: group[:description],
ensure: :present,
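Review bot: `name = "#{vpc_name}::#{name}" if vpc_name && name == 'default'` falls back to the bare `default` whenever the VPC has no Name tag (`vpc_name_tag ? vpc_name_tag.value : nil` just above), so two VPCs without Name tags still yield colliding `default` resources, which is the conflict this commit sets out to fix; consider falling back to the VPC id in that case and documenting that the composite form depends on the Name tag. The prefix is also interpolated unchanged, so a Name tag containing `::` or characters outside the `[\w\-]` set that the type's title pattern accepts produces a name the type cannot split back into `vpc` and `group_name`.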
32 changes: 30 additions & 2 deletions lib/puppet/type/ec2_securitygroup.rb
Expand Up @@ -5,13 +5,19 @@

ensurable

newparam(:name, namevar: true) do
desc 'the name of the security group'
newparam(:name) do
desc 'the name of the security group resource'
isnamevar
validate do |value|
fail Puppet::Error, 'Security groups must have a name' if value == ''
end
end

newparam(:group_name) do
desc 'the name of the security group'
isnamevar
end

newproperty(:region) do
desc 'the region in which to launch the security group'
validate do |value|
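Review bot: `newparam(:group_name)` becomes a second namevar with no `validate` block, while `:name` rejects the empty string; since `title_patterns` fills `group_name` from the title, an explicitly supplied `group_name` that disagrees with the title is accepted without any complaint. Either validate that it is non-empty and matches the title-derived value, or say in the `desc` that it is derived from the title and should not be set directly.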
Expand Down Expand Up @@ -53,6 +59,7 @@ def stringify_values(rules)

newproperty(:vpc) do
desc 'A VPC to which the group should be associated'
isnamevar
end

def should_autorequire?(rule)
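Review bot: adding `isnamevar` to `vpc` makes resource identity depend on a value that is still a `newproperty` the provider manages, and nothing here checks that an explicitly set `vpc` agrees with the prefix the title pattern extracts; a resource titled `my-vpc::default` with `vpc => 'other-vpc'` passes through with no error. A resource-level validation that fails when the title prefix and an explicit `vpc` differ would surface that mismatch instead of leaving it silent.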
Expand All @@ -70,4 +77,25 @@ def should_autorequire?(rule)
autorequire(:ec2_vpc) do
self[:vpc]
end

# When you create a VPC you automatically get a security group called default. You can't change the name.
# This lack of uniqueness makes managing these default security groups difficult. Enter a composite namevar.
# We support two name formats:
#
# 1. {some-security-group}
# 2. {some-vpc-name}::default
#
# Note that we only support prefixing a security group name with the vpc name for the default security group
# at this point. This avoids the issue of otherwise needing to store the resources in two places for non-default
# VPC security groups.
#
# In the case of a a default security group, we maintain the full name (including the VPC name) in the name property
# as otherwise it won't be unique and uniqueness and composite namevars are fun.
def self.title_patterns
[
[ /^(([\w\-]+)::(default))$/, [ [ :name, lambda {|x| x} ], [ :vpc, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ],
[ /^((.*))$/, [ [ :name, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ]
]
end

end
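Review bot: the first pattern `/^(([\w\-]+)::(default))$/` only accepts VPC names made of word characters and hyphens, so a VPC whose Name tag contains a space or a dot falls through to `/^((.*))$/`, leaving `vpc` unset and `group_name` equal to the whole `my vpc::default` string, which will never match what the provider reports; either widen the character class to what the provider interpolates or reject such titles explicitly, and add a spec covering both forms. Minor: the comment reads `In the case of a a default security group` (doubled `a`), and the repeated `lambda {|x| x}` could be one shared identity lambda.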
