
Circularly dependent security groups

Open pjfoley opened this issue 9 years ago • 5 comments

I am not sure if this is solvable however I am interested in any views on how this could work or if the module can be extended to support this.

I would like to setup two security groups, one for my puppetmasters and one for puppet clients (example puppet manifest below).

Most guides seem to suggest creating empty security groups where you have circular dependencies and then updating them both with the rules in a second run. With the way the module is currently set up you cannot re-declare the security group with the rules you would like to apply.

One option (not ideal) is that when creating a security group it checks whether the dependent group already exists and, if it does not, creates an empty shell; later the empty shell will be updated with the in and out rules.

Thoughts?

# Agents talk to the master on 8140; 61613 is the MCollective/ActiveMQ STOMP port.
# Both groups reference each other by name, which is the circular dependency.
# bastion-host-sg is referenced here but declared elsewhere.
ec2_securitygroup { 'puppetmaster-sg':
  ensure      => present,
  region      => hiera('aws_region'),
  description => 'Testing security master',
  ingress     => [{
    protocol       => 'tcp',
    port           => 443,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 8140,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'bastion-host-sg',
  },{
    protocol       => 'tcp',
    port           => 22,
    security_group => 'bastion-host-sg',
  }],
}

ec2_securitygroup { 'puppetagent-sg':
  ensure      => present,
  region      => hiera('aws_region'),
  description => 'Testing security master',
  ingress     => [{
    protocol       => 'tcp',
    port           => 22,
    security_group => 'bastion-host-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'puppetmaster-sg',
  }],
}

pjfoley, Apr 14 '15 06:04

Apologies for taking an age to get to these issues, I've been busy with other work.

This is definitely an issue and I don't have a definite answer at the moment unfortunately. I will try and make some time to have a think.

garethr, Jul 05 '15 21:07

I think this can be solved by moving the ingress rules into their own resource, or by adding an extra resource just for this edge case. Something like:

ec2_securitygroup { 'puppetmaster-sg':
  ensure      => present,
  region      => hiera('aws_region'),
  description => 'Testing security master',
}

ec2_securitygroup { 'puppetagent-sg':
  ensure      => present,
  region      => hiera('aws_region'),
  description => 'Testing security master',
}

# Proposed resource type: the rules require both groups, so the groups are
# created first (as empty shells) and the rules are added afterwards.
ec2_securitygroup_ingress { 'puppetmaster-sg-rules':
  security_group => 'puppetmaster-sg',
  require        => [ Ec2_securitygroup['puppetmaster-sg'], Ec2_securitygroup['puppetagent-sg'] ],
  ingress        => [{
    protocol       => 'tcp',
    port           => 443,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 8140,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'puppetagent-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'bastion-host-sg',
  },{
    protocol       => 'tcp',
    port           => 22,
    security_group => 'bastion-host-sg',
  }],
}

ec2_securitygroup_ingress { 'puppetagent-sg-rules':
  security_group => 'puppetagent-sg',
  require        => [ Ec2_securitygroup['puppetmaster-sg'], Ec2_securitygroup['puppetagent-sg'] ],
  ingress        => [{
    protocol       => 'tcp',
    port           => 22,
    security_group => 'bastion-host-sg',
  },{
    protocol       => 'tcp',
    port           => 61613,
    security_group => 'puppetmaster-sg',
  }],
}

akozichev, Aug 11 '15 08:08
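The two-pass approach pjfoley describes (create every group as an empty shell, then apply the rules) and akozichev's split-resource proposal are the same ordering constraint stated two ways. The following is an added example, not code from puppetlabs-aws or from either commenter: it models the manifest from this thread as plain dicts, shows with a topological sort why the cross-references cannot be satisfied in one pass, and applies them in two phases against an in-memory stand-in for the EC2 API so it runs offline. `FakeEC2`, the function names, the simplified single-port rule model, and the `bastion-host-sg` declaration with its documentation-range CIDR are all assumptions; the other group names and ports come from the manifest above.

```python
"""Two-phase provisioning for mutually referencing EC2 security groups."""
from collections import deque

# Constructed input mirroring the manifest in this issue. The repeated
# 61613 rule from puppetagent-sg is kept deliberately to show deduplication;
# bastion-host-sg is only referenced in the manifest, so it is declared here.
GROUPS = {
    "puppetmaster-sg": {
        "description": "Testing security master",
        "ingress": [
            {"protocol": "tcp", "port": 443, "security_group": "puppetagent-sg"},
            {"protocol": "tcp", "port": 8140, "security_group": "puppetagent-sg"},
            {"protocol": "tcp", "port": 61613, "security_group": "puppetagent-sg"},
            {"protocol": "tcp", "port": 61613, "security_group": "bastion-host-sg"},
            {"protocol": "tcp", "port": 61613, "security_group": "puppetagent-sg"},
            {"protocol": "tcp", "port": 22, "security_group": "bastion-host-sg"},
        ],
    },
    "puppetagent-sg": {
        "description": "Testing security agent",
        "ingress": [
            {"protocol": "tcp", "port": 22, "security_group": "bastion-host-sg"},
            {"protocol": "tcp", "port": 61613, "security_group": "puppetmaster-sg"},
        ],
    },
    "bastion-host-sg": {  # assumed declaration, not in the original manifest
        "description": "Bastion",
        "ingress": [{"protocol": "tcp", "port": 22, "cidr": "203.0.113.0/24"}],
    },
}


class FakeEC2:
    """In-memory stand-in for the two EC2 calls the workaround needs.
    It enforces the two constraints that bite in practice: a rule may only
    reference a group that already exists, and a rule cannot be added twice."""

    def __init__(self):
        self.groups = {}   # name -> description
        self.rules = set()  # (group, protocol, port, source_group, cidr)

    def create_security_group(self, name, description):
        if name in self.groups:
            raise ValueError(f"group {name} already exists")
        self.groups[name] = description

    def authorize_ingress(self, group, protocol, port, source_group=None, cidr=None):
        if group not in self.groups:
            raise ValueError(f"unknown group {group}")
        if source_group is not None and source_group not in self.groups:
            raise ValueError(f"rule on {group} references unknown group {source_group}")
        key = (group, protocol, port, source_group, cidr)
        if key in self.rules:
            raise ValueError(f"duplicate rule {key}")
        self.rules.add(key)


def group_references(groups):
    """name -> set of group names its ingress rules refer to (CIDR rules ignored)."""
    return {name: {r["security_group"] for r in spec["ingress"] if "security_group" in r}
            for name, spec in groups.items()}


def undeclared_references(groups):
    """Referenced group names that the manifest never declares."""
    return set().union(*group_references(groups).values()) - set(groups)


def unorderable_groups(groups):
    """Kahn's algorithm over the reference graph. Whatever is left over sits
    on a cycle (or references an undeclared group) and has no single-pass order."""
    deps = group_references(groups)
    indegree = {n: len(d) for n, d in deps.items()}
    ready = deque(n for n, k in indegree.items() if k == 0)
    while ready:
        done = ready.popleft()
        for n, d in deps.items():
            if done in d:
                indegree[n] -= 1
                if indegree[n] == 0:
                    ready.append(n)
    return {n for n, k in indegree.items() if k > 0}


def single_pass_apply(groups, ec2):
    """Create each group and authorize its rules before moving to the next.
    Fails on the first rule that names a group that has not been created yet."""
    for name, spec in groups.items():
        ec2.create_security_group(name, spec["description"])
        for rule in spec["ingress"]:
            ec2.authorize_ingress(name, rule["protocol"], rule["port"],
                                  rule.get("security_group"), rule.get("cidr"))


def two_phase_apply(groups, ec2):
    """The workaround made explicit: phase 1 creates every group as an empty
    shell, phase 2 authorizes rules once all referenced groups exist.
    Duplicate rules are collapsed first; returns the number of rules applied."""
    missing = undeclared_references(groups)
    if missing:
        raise ValueError(f"manifest references undeclared groups: {sorted(missing)}")
    for name in sorted(groups):
        ec2.create_security_group(name, groups[name]["description"])
    seen = set()
    for name in sorted(groups):
        for rule in groups[name]["ingress"]:
            key = (name, rule["protocol"], rule["port"],
                   rule.get("security_group"), rule.get("cidr"))
            if key not in seen:
                seen.add(key)
                ec2.authorize_ingress(*key)
    return len(seen)
```

The `undeclared_references` check is the one to run before anything touches the account: a rule that names a group which exists in AWS but not in the manifest will apply fine and then silently depend on something Puppet does not manage.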

@garethr, I tried a few things with this module, however I also ran into the DAG issues. I'm trying to set up a daily audit with a manifest generated from "puppet apply ec2_securitygroups". However I have about 50 groups, and several interdependencies. I'll have to make it work by splitting the SGs into separate manifests and doing some shell routines. Any thoughts on how one could overcome this issue?

doyleyp, Feb 04 '16 04:02

I just ran into this issue as well.

daveseff, Feb 08 '16 01:02

Is this something that can be fixed within this module, or an issue that is inherent to Puppet? I'm having a rough time convincing my company to use Puppet to manage SGs because of this issue.

daveseff, Apr 11 '16 00:04