ec2_securitygroup handles 'Name' tag poorly #506
Description
EC2 Security Groups have a dedicated 'group name' attribute which is used for identifying a group and is unique (at least within a given VPC). They also allow tags, including the 'Name' tag.
The `ec2_securitygroup` resource matches the `name` parameter against the SG's `group_name` in AWS. It also fully supports setting arbitrary tags on security groups, including the 'Name' tag. However, when retrieving information from AWS, it unnecessarily filters the 'Name' tag out of the Tags list; thus, if you set the Name tag on an `ec2_securitygroup` resource, your puppet runs will never show as in sync. For example:
```puppet
ec2_securitygroup { 'example-sg':
  ensure      => present,
  description => "An example security group demonstrating this issue",
  region      => "us-east-2",
  vpc         => "some-vpc",
  ingress     => [{
    protocol  => -1,
    cidr      => '0.0.0.0/0',
    from_port => 0,
    to_port   => 0,
  }],
  # The 'Name' tag is set like any other tag, but the provider drops it
  # when reading the group back, so this property never reports in sync.
  tags        => {
    'Name' => 'Example Security Group',
  },
}
```
If you run this code, a security group will be created, and its Name tag will be set to "Example Security Group" as expected. However, on every subsequent puppet run, the message

```
Notice: /Stage[main]/Ec2_securitygroup[example-sg]/tags: tags changed {} to {"Name"=>"Example Security Group"}
```

will display, and if you're watching e.g. PuppetDB reports, it will appear as if this resource is constantly being changed externally and then reverted by puppet.
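The drift mechanism described above, reproduced as an added Ruby illustration (not the puppetlabs-aws module's own code). It assumes the provider turns the `{key, value}` tag list returned by AWS into a Hash and that Puppet reports the property as changed whenever that Hash differs from the manifest's `tags`; the AWS response is a constructed sample.

```ruby
# Constructed sample of the tag list AWS returns for the security group
# declared in the manifest above (plus one extra tag to show that only
# 'Name' is affected by the filter).
AWS_TAGS = [
  { key: 'Name',        value: 'Example Security Group' },
  { key: 'Environment', value: 'test' },
].freeze

# What the manifest's `tags` parameter declares.
DESIRED_TAGS = {
  'Name'        => 'Example Security Group',
  'Environment' => 'test',
}.freeze

# Assumed buggy read path: the 'Name' tag is rejected before the tag
# list is converted to a Hash, so it can never match the manifest.
def tags_dropping_name(aws_tags)
  aws_tags
    .reject { |t| t[:key] == 'Name' }
    .each_with_object({}) { |t, h| h[t[:key]] = t[:value] }
end

# Corrected read path: every tag, 'Name' included, is kept.
def tags_keeping_name(aws_tags)
  aws_tags.each_with_object({}) { |t, h| h[t[:key]] = t[:value] }
end

# Puppet considers the property in sync only when the current state
# read from AWS equals the desired state from the manifest.
def in_sync?(current, desired)
  current == desired
end

# Returns the change message Puppet would log, or nil when nothing
# would be reported (so a perpetual notice shows up as a non-nil value
# on every run even though AWS was never actually changed).
def change_notice(current, desired)
  return nil if in_sync?(current, desired)
  "tags changed #{current.inspect} to #{desired.inspect}"
end

if __FILE__ == $PROGRAM_NAME
  puts "buggy:  #{change_notice(tags_dropping_name(AWS_TAGS), DESIRED_TAGS).inspect}"
  puts "fixed:  #{change_notice(tags_keeping_name(AWS_TAGS), DESIRED_TAGS).inspect}"
end
```

With only the 'Name' tag declared, the buggy path yields an empty Hash, which is exactly the `{} to {"Name"=>...}` notice in the report above.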