
ec2_securitygroup ensure minimal

Open s4mur4i opened this issue 10 years ago • 3 comments

Hello,

I would have a possible enhancement for ec2 security groups. It is nice we can define ensure present or absent, but it would also be nice to define minimal, making sure only rules in puppet will be present in ec2.

thanks

s4mur4i avatar Mar 25 '15 08:03 s4mur4i

Hi @s4mur4i, could you explain in more detail? Maybe with an example of how you see the Puppet DSL looking and exactly what you're trying to achieve? Thanks

garethr avatar Mar 25 '15 08:03 garethr

Hello @garethr ,

First, one correction: "minimum" is not the correct term, but "inclusive" is (https://docs.puppetlabs.com/references/latest/type.html#group-attribute-attribute_membership).

In Puppet Hiera I would have a default landscape layout, which would describe the security groups and their rules. If any modification were needed then it would be done from Puppet, and if Puppet sees any changes that are not present in its config then it would drop them. This would make sure there are no local changes from admins that have not been documented or are not allowed.

For example:

```yaml
aws::security_groups:
  test:
    test-1:
      description: "test security group from puppet"
      region: us-east-1
      vpc: "x-test"
      ensure: present
      ingress:
        - security_group: test-1
        - protocol: tcp
          port: 22
          cidr: 0.0.0.0/0
    test-2:
      description: "test security group from puppet"
      region: us-east-1
      vpc: "x-test"
      ensure: present
      ingress:
        - security_group: test-2
        - protocol: tcp
          port: 2222
          cidr: 0.0.0.0/0
  prod:
    test-prod:
      description: "test security group from puppet"
      region: us-east-1
      vpc: "x-prod"
      ensure: present
      ingress:
        - security_group: test-prod
        - protocol: tcp
          port: 22
          cidr: 1.2.3.0/24
```

I would like to ensure that only these rules are present and configured. The values are just made up for testing. But it would be nice to have ensure => inclusive, or membership => inclusive.

s4mur4i avatar Mar 25 '15 09:03 s4mur4i
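To make the requested semantics concrete, here is an added Ruby example (not code from puppetlabs-aws or from the commenter) that diffs the ingress rules declared in Hiera against the rules actually present on an EC2 security group and reports what an `inclusive` membership mode would revoke that a `minimum` mode would leave in place. The rule hash shapes, the `membership` keyword and the sample rule sets are assumptions modelled on the Hiera snippet above.

```ruby
require 'set'

# Normalise one ingress rule hash into a comparable tuple:
#   [protocol, from_port, to_port, [source_kind, source_value]]
# A rule carrying only `security_group` (as in the Hiera snippet) is
# treated as "all traffic from that group": protocol -1, no port range.
def normalise_rule(rule)
  protocol = rule.fetch('protocol', '-1').to_s.downcase
  port = rule['port']
  from_port, to_port =
    if port.nil?
      [nil, nil]
    elsif (m = port.to_s.match(/\A(\d+)-(\d+)\z/)) # "1024-2048" style range
      [m[1].to_i, m[2].to_i]
    else
      [port.to_i, port.to_i]
    end
  source =
    if rule['cidr'] then ['cidr', rule['cidr']]
    elsif rule['security_group'] then ['sg', rule['security_group']]
    else raise ArgumentError, "rule needs cidr or security_group: #{rule.inspect}"
    end
  [protocol, from_port, to_port, source]
end

# Returns { add: [...], revoke: [...] } of normalised rules.
#   :minimum   - declared rules must exist; undeclared rules are left alone.
#   :inclusive - declared rules must exist; every rule EC2 has that Hiera
#                does not declare (an undocumented local change) is revoked.
def rule_drift(declared, actual, membership: :minimum)
  want = declared.map { |r| normalise_rule(r) }.to_set
  have = actual.map { |r| normalise_rule(r) }.to_set
  revoke = membership == :inclusive ? (have - want) : Set.new
  { add: (want - have).to_a, revoke: revoke.to_a }
end

# Constructed sample: the test-1 group from the snippet, plus one rule that
# an admin added by hand in the console and never put into Hiera.
DECLARED_RULES = [
  { 'security_group' => 'test-1' },
  { 'protocol' => 'tcp', 'port' => 22, 'cidr' => '0.0.0.0/0' }
].freeze
ACTUAL_RULES = (DECLARED_RULES + [
  { 'protocol' => 'TCP', 'port' => '3389', 'cidr' => '0.0.0.0/0' }
]).freeze

if $PROGRAM_NAME == __FILE__
  puts "minimum:   #{rule_drift(DECLARED_RULES, ACTUAL_RULES)}"
  puts "inclusive: #{rule_drift(DECLARED_RULES, ACTUAL_RULES, membership: :inclusive)}"
end
```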

@s4mur4i ah, good idea. So you could say "These groups must have these rules but they can have other ones too". Thanks for the suggestion.

garethr avatar Mar 25 '15 09:03 garethr