
security_groups not updated on running ec2_instance, only during provisioning

Open danieldreier opened this issue 9 years ago • 5 comments

I'm seeing a behavior that prevents me from using this module to update the security group membership of existing ec2 instances. Here's how I reproduce it:

  1. Provision an ec2 instance using ec2_instance resource, with the security groups parameter set to ['group1']
  2. Apply the same puppet manifest from the first step, but with the security groups parameter set to ['group2', 'group3']

At this point, I would expect that the ec2 instance would be associated with security groups group2 and group3, and not group1. The behavior I'm seeing is that it's a member of group1.

However, if I destroy the ec2 instance and then re-run the manifest from step 2, the instance is created belonging to group2 and group3 as expected. Since this works, I don't think my manifest is in error.

danieldreier avatar Apr 15 '15 21:04 danieldreier

Mm, so security_groups should be read-only: https://github.com/puppetlabs/puppetlabs-aws/blob/master/lib/puppet/provider/ec2_instance/v2.rb#L32

In EC2 Classic you can't change security groups of an instance after it boots.

I've just checked and you can now change security groups of a booted instance in VPC.

So the module is behaving as designed, but we should support modifying security groups for VPC instances.

garethr avatar Apr 16 '15 16:04 garethr
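As an added example, and not code from the puppetlabs-aws module or from any commenter in this thread, the following Ruby snippet makes the drift from the original report visible and encodes the EC2 Classic versus VPC distinction garethr describes: because the provider treats `security_groups` as read-only, a changed manifest is applied without error and the instance silently keeps its launch-time groups. The function names (`check_security_groups`, `plan_remediation`) and the sample instance records are constructed for illustration; the record shape mirrors an EC2 DescribeInstances instance entry, and the mapping onto `Aws::EC2::Client#modify_instance_attribute(instance_id:, groups:)` is an assumption about which SDK call a VPC-aware implementation would use.

```ruby
# Added example (not part of puppetlabs-aws): detect security-group drift on a
# running instance, which the module's read-only `security_groups` property
# leaves uncorrected, and decide whether it can be fixed in place.
#
# Input shape mirrors the `reservations[].instances[]` entries returned by
# EC2 DescribeInstances; the records below are constructed sample data.

SecurityGroupDrift = Struct.new(:instance_id, :desired, :actual, :vpc) do
  def drifted?
    desired.sort != actual.sort
  end

  def to_add
    desired - actual
  end

  def to_remove
    actual - desired
  end

  # In EC2 Classic the group set is fixed at launch; only VPC instances
  # can have their groups replaced while running.
  def fixable_in_place?
    drifted? && vpc
  end
end

# `instance` is one DescribeInstances instance record (plain Hash).
# `desired` is the list of group names from the manifest.
def check_security_groups(instance, desired)
  actual = instance.fetch(:security_groups).map { |g| g.fetch(:group_name) }
  SecurityGroupDrift.new(instance.fetch(:instance_id), desired, actual, !instance[:vpc_id].nil?)
end

# Plan the remediation; returns nil when nothing needs to be done.
# A VPC instance needs the *full* replacement group set (by ID): the
# ModifyInstanceAttribute call replaces the list rather than merging into it,
# so passing only the additions would detach every group not listed.
def plan_remediation(drift, group_ids_by_name)
  return nil unless drift.drifted?
  return { action: :recreate, reason: 'EC2 Classic instance: groups fixed at launch' } unless drift.vpc

  missing = drift.desired.reject { |name| group_ids_by_name.key?(name) }
  return { action: :error, reason: "unknown security group(s): #{missing.join(', ')}" } unless missing.empty?

  # Assumption: this maps onto Aws::EC2::Client#modify_instance_attribute(instance_id:, groups:)
  { action: :modify_instance_attribute,
    instance_id: drift.instance_id,
    groups: drift.desired.map { |name| group_ids_by_name.fetch(name) } }
end

# Constructed sample data: the scenario from the issue after step 2, once for
# a VPC instance and once for an EC2 Classic instance (no vpc_id).
SAMPLE_VPC_INSTANCE = {
  instance_id: 'i-0123456789abcdef0',
  vpc_id: 'vpc-0abc',
  security_groups: [{ group_id: 'sg-0001', group_name: 'group1' }]
}.freeze

SAMPLE_CLASSIC_INSTANCE = {
  instance_id: 'i-0classic00000000',
  vpc_id: nil,
  security_groups: [{ group_id: 'sg-0001', group_name: 'group1' }]
}.freeze

# Constructed name-to-ID map, as DescribeSecurityGroups would supply it.
SAMPLE_GROUP_IDS = { 'group1' => 'sg-0001', 'group2' => 'sg-0002', 'group3' => 'sg-0003' }.freeze

if __FILE__ == $PROGRAM_NAME
  [SAMPLE_VPC_INSTANCE, SAMPLE_CLASSIC_INSTANCE].each do |inst|
    drift = check_security_groups(inst, %w[group2 group3])
    puts "#{drift.instance_id}: drifted=#{drift.drifted?} add=#{drift.to_add} remove=#{drift.to_remove}"
    p plan_remediation(drift, SAMPLE_GROUP_IDS)
  end
end
```

Running it against a real account would mean feeding `check_security_groups` the instance hash from `describe_instances` and only then issuing the planned `modify_instance_attribute` call; the point of separating the plan from the call is that a Classic instance gets a clear "must recreate" answer instead of a silent no-op, which is exactly the gap the original report hit.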

Interesting. Thanks for clarifying. I'll work around it with manual changes for now, since our security group requirements don't change very frequently.

danieldreier avatar Apr 16 '15 18:04 danieldreier

I would be very happy if VPC instance security groups were enabled. To me it represents a great first step to using the plugin to manage infrastructure.

cole-christensen avatar May 14 '15 03:05 cole-christensen

+1

earsdown avatar Aug 19 '15 04:08 earsdown

Since Amazon is deprecating EC2 Classic, can we assume now that all things will be done within VPCs?

Also, +1

daveseff avatar Apr 18 '16 00:04 daveseff