chef-provisioning-aws
Can't update a machine's security group after it's created
You specify a machine resource's security group through bootstrap options. For example:

```ruby
with_machine_options :bootstrap_options => {
  :security_group_ids => ['sg-12345678']
}
machine 'webserver-1'
```
That sets the initial SG, but you can't use Chef to reassign the SG later.
One use case is that you would use an initial one to enable the server to set itself up (e.g. download software, etc.) and later switch over to one that is more locked down.
One option might be to enable placement of the `security_group_ids` field on the `machine` resource itself, and then inject this value into the `bootstrap_options`. If you specify it in both places, I'm not sure what the best behavior should be (have `machine` overwrite, take union, intersection, etc.)
This issue could be generalized to other things that you may want to change later (none come to mind at the moment.)
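Added example (not part of chef-provisioning-aws or the poster's code) of the two questions the post raises: how to resolve `security_group_ids` when it is set both on the machine resource and in `bootstrap_options`, and how a converge could tell whether an instance's groups already match the desired set. The helper names, the `:overwrite`/`:union`/`:intersection` policy names, and the `sg-0abc0abc` id are assumptions.

```ruby
# Resolve the effective security group list under an explicit policy:
#   :overwrite    - the machine resource's list wins
#   :union        - groups from both places are applied
#   :intersection - only groups present in both places are applied
# (helper and policy names are assumptions, not chef-provisioning-aws API)
def effective_security_groups(machine_sg, bootstrap_options, policy: :overwrite)
  boot_sg = Array(bootstrap_options[:security_group_ids])
  machine_sg = Array(machine_sg)
  return boot_sg.uniq.sort if machine_sg.empty?
  return machine_sg.uniq.sort if boot_sg.empty?
  result = case policy
           when :overwrite    then machine_sg
           when :union        then machine_sg | boot_sg
           when :intersection then machine_sg & boot_sg
           else raise ArgumentError, "unknown policy #{policy.inspect}"
           end
  result.uniq.sort
end

# Idempotence check: compare the desired list with the groups the instance
# actually has (as reported by the AWS API) and return the delta, so a
# converge can be a no-op when nothing changed.
def security_group_drift(desired, actual)
  desired = Array(desired).uniq.sort
  actual  = Array(actual).uniq.sort
  { add: desired - actual, remove: actual - desired, in_sync: desired == actual }
end

# Constructed sample: permissive bootstrap group vs a locked-down group.
BOOTSTRAP_OPTIONS = { security_group_ids: ['sg-12345678'] }.freeze
LOCKED_DOWN_SG    = ['sg-0abc0abc'].freeze # placeholder id, not a real group

if __FILE__ == $0
  desired = effective_security_groups(LOCKED_DOWN_SG, BOOTSTRAP_OPTIONS, policy: :overwrite)
  puts "desired: #{desired.inspect}"
  puts "drift:   #{security_group_drift(desired, ['sg-12345678']).inspect}"
end
```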
I'm pretty sure Amazon does not allow you to change the security group of an instance once it's been provisioned.
@nathanharvey security groups can be modified for an instance in a VPC at any time. EC2 Classic instances outside of a VPC cannot be changed, though.
It does. You can change it whenever you want. You might be confusing security groups with subnets. Those are permanent.
I'd love to do a general review of the idempotence of each machine option and see if there is something we can do generically. This is very worth doing.
super bump :) it's been a while for this but hopefully with some activity soon we can get this one going. It's a bit of an annoying hair puller when you forget this doesn't update SGs.