[chef] Re: Re: Re: Re: Re: Re: Re: Managing an ec2 instance and security group together with chef?

[Peter Norton < >]

It seems that John Vincent / lusis sets a reply-to on his emails to
the chef list and the list honors it, so I'm forwarding this to the
list.  Is this setting on the list deliberate?

-Peter

On Mon, Sep 19, 2011 at 11:41 AM, Peter Norton 
<
 >
 wrote:
> Here are some thoughts:
>
> 1) We may want to move at some point, but I think that it may be
> off-topic.  To me, managing aws security groups with chef is
> orthogonal to managing firewall rules on another platform since it
> doesn't make sense to e.g. default to using a security group for
> everything that allows connections from everywhere to all ports.
> Someone else may disagree, but that just adds complexity to this
> environment.
>
> Someone else may want to do this differently, but either way, we want
> to centralize the configuration and apply it to groups of hosts.  I'm
> asking this question to be able to control policy, that's all.
>
> 2) Regarding boto vs. knife + fog, I'm trying to be agnostic and do
> this within knife so we only need one tool.  However, I don't see an
> example of how this is supposed to work.  This doesn't seem to create
> a group, for instance (it's based on the pieces I think I need from
> ec2_create_server.rb):
>
>      def run
>        $stdout.sync = true
>
>        secgroup_def = { :name => config[:name], :description =>
> config[:description], :ip_permissions => nil, :owner_id => nil }
>
>
>        conn = Fog::Compute.new(
>            :provider => 'AWS',
>            :aws_access_key_id => Chef::Config[:knife][:aws_access_key_id],
>            :aws_secret_access_key =>
> Chef::Config[:knife][:aws_secret_access_key],
>            :region => locate_config_value(:region)
>          )
>        # conn = connection.create()
>        secgroup = conn.security_groups.new(secgroup_def)
>
> Does anyone know of a place I can look for an example of how to do
> this?  I don't want to spend much more time on this now, and I'm
> pretty sure I can do this in python+boto in about an hour, but I'd
> prefer to not have to write yet another tool.
>
> Thanks,
>
> -Peter
>
> On Fri, Sep 16, 2011 at 9:51 PM, John E. Vincent (lusis)
> <
 >
>  wrote:
>> On Fri, Sep 16, 2011 at 8:20 PM, James 
>> <
 >
>>  wrote:
>>> Just want to point out that instead of working around all of these issues,
>>> you could simply use something other than security groups. This approach
>>> would be vendor agnostic, and allow you to transition off of EC2 if you 
>>> ever
>>> need to.
>>>
>>> James
>>>
>>
>> I was considering doing an EC2 security-group LWRP till I heard
>> rumblings of a firewall cookbook that managed not only iptables but
>> security groups and other forms of "firewall"ing.
>>
>> For what it's worth, all this talk of jclouds and boto and shelling
>> out is confusing. Amazon has a perfectly good ruby AWS SDK. Fog
>> exists. You'll get +9000x greater flexibility doing it in an LWRP or
>> as a knife plugin than trying to add yet another tool to the mix.
>>
>> Am I missing something here?
>>
>