Circular dependant security groups #150
Description
I am not sure if this is solvable however I am interested in any views on how this could work or if the module can be extended to support this.
I would like to setup two security groups, one for my puppetmasters and one for puppet clients (example puppet manifest below).
Most guides seem to suggest creating empty security groups where you have circular dependencies and than update them both with the rules in a second run. With the way the module is currently setup you cannot re-declare the security group with the rules you would like to apply.
One option (not ideal) is when creating the security group it checks to see if the dependent group is already created and if it is not created create an empty shell, later the empty shell will will be updated with the in and out rules.
Thoughts?
ec2_securitygroup { 'puppetmaster-sg':
ensure => present,
region => hiera('aws_region'),
description => 'Testing security master',
ingress => [{
protocol => 'tcp',
port => 443,
security_group => 'puppetagent-sg',
},{
protocol => 'tcp',
port => 8140,
security_group => 'puppetagent-sg',
},{
protocol => 'tcp',
port => 61613,
security_group => 'puppetagent-sg',
},{
protocol => 'tcp',
port => 61613,
security_group => 'bastion-host-sg',
},{
protocol => 'tcp',
port => 61613,
security_group => 'puppetagent-sg',
},{
protocol => 'tcp',
port => 22,
security_group => 'bastion-host-sg',
}
}
ec2_securitygroup { 'puppetagent-sg':
ensure => present,
region => hiera('aws_region'),
description => 'Testing security master',
ingress => [{
protocol => 'tcp',
port => 22,
security_group => 'bastion-host-sg',
},{
protocol => 'tcp',
port => 61613,
security_group => 'puppetmaster-sg',
}