puppetlabs-aws
security_groups not updated on running ec2_instance, only during provisioning
I'm seeing a behavior that prevents me from using this module to update the security group membership of existing ec2 instances. Here's how I reproduce it:
- Provision an ec2 instance using the ec2_instance resource, with the `security_groups` parameter set to `['group1']`
- Apply the same puppet manifest from the first step, but with the `security_groups` parameter set to `['group2', 'group3']`
At this point, I would expect that the ec2 instance would be associated with security groups group2 and group3, and not group1. The behavior I'm seeing is that it's a member of group1.
However, if I destroy the ec2 instance and then re-run the manifest from step 2, the instance is created belonging to group2 and group3 as expected. Since this works, I don't think my manifest is in error.
Mm, so security_groups should be read-only: https://github.com/puppetlabs/puppetlabs-aws/blob/master/lib/puppet/provider/ec2_instance/v2.rb#L32
In EC2 Classic you can't change security groups of an instance after it boots.
I've just checked and you can now change security groups of a booted instance in VPC.
So the module is behaving as designed, but we should support modifying security groups for VPC instances.
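A drift check a practitioner could run alongside the module, added here as an example (it is not code from puppetlabs-aws or from anyone in this thread): it parses the JSON that `aws ec2 describe-instances` returns, compares each instance's attached security group names with the `security_groups` the manifest declares, and reports whether the instance is in a VPC (so the group set can be changed on a running instance) or EC2-Classic (so only a rebuild changes it). The instance ids, group names and the describe-instances payload below are constructed sample values, not real resources.

```ruby
require 'json'

# Constructed sample of `aws ec2 describe-instances` output (not real data):
# one VPC instance still attached to 'group1' after its manifest was changed
# to ['group2', 'group3'], and one EC2-Classic instance (no VpcId) that matches.
SAMPLE_DESCRIBE_INSTANCES = <<~JSON
{
  "Reservations": [
    { "Instances": [
      { "InstanceId": "i-0000000000000aaaa", "VpcId": "vpc-0000000000000aaaa",
        "SecurityGroups": [ { "GroupName": "group1", "GroupId": "sg-0000000000000001" } ] },
      { "InstanceId": "i-0000000000000bbbb",
        "SecurityGroups": [ { "GroupName": "group2", "GroupId": "sg-0000000000000002" } ] }
    ] }
  ]
}
JSON

# Desired security_groups per instance, as declared in the Puppet manifest
# (constructed to match the sample above).
DESIRED = {
  'i-0000000000000aaaa' => %w[group2 group3],
  'i-0000000000000bbbb' => %w[group2],
}

# Compare declared vs. attached group names for every instance in the
# describe-instances payload that we have a declaration for. Returns a hash
# keyed by instance id with :missing (declared but not attached), :extra
# (attached but not declared) and :in_place (true only for VPC instances,
# whose group set can be changed while running; EC2-Classic needs a rebuild).
def security_group_drift(describe_json, desired)
  data = JSON.parse(describe_json)
  report = {}
  data.fetch('Reservations', []).each do |reservation|
    reservation.fetch('Instances', []).each do |inst|
      id = inst['InstanceId']
      next unless desired.key?(id)
      actual = inst.fetch('SecurityGroups', []).map { |g| g['GroupName'] }.sort
      wanted = desired[id].sort
      report[id] = {
        missing: wanted - actual,
        extra: actual - wanted,
        in_place: !inst['VpcId'].nil?,
      }
    end
  end
  report
end

# True if any instance's attached groups differ from what the manifest declares.
def drifted?(report)
  report.any? { |_, r| !(r[:missing].empty? && r[:extra].empty?) }
end

if __FILE__ == $PROGRAM_NAME
  report = security_group_drift(SAMPLE_DESCRIBE_INSTANCES, DESIRED)
  report.each do |id, r|
    next if r[:missing].empty? && r[:extra].empty?
    fix = r[:in_place] ? 'modifiable in place (VPC)' : 'requires recreate (EC2-Classic)'
    puts "#{id}: missing=#{r[:missing]} extra=#{r[:extra]} -> #{fix}"
  end
  puts(drifted?(report) ? 'DRIFT DETECTED' : 'no drift')
end
```

Feeding it real `describe-instances` output and the manifest's declared groups turns the silent behaviour in this issue (the old group stays attached) into a visible finding, and the `:in_place` flag tells you whether a running-instance change is even possible for that instance type.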
Interesting. Thanks for clarifying. I'll work around it with manual changes for now, since our security group requirements don't change very frequently.
I would be very happy if VPC instance security groups were enabled. To me it represents a great first step to using the plugin to manage infrastructure.
+1
Since Amazon is deprecating EC2 Classic, can we assume now that all things will be done within VPCs?
Also, +1