[chef] Re: Re: Re: Re: Re: Re: Re: Managing an ec2 instance and security group together with chef?

[Peter Norton < >]

I'm going to try to get this thread back on-track.  Here are some
notes (not in a forwarded bit so people using gmail will see it by
default):

Here are some thoughts:

1) We may want to move [to another service than AWS] at some point, but I
think that it may be off-topic.  To me, managing aws security groups
with chef is
orthogonal to managing firewall rules on another platform since it
doesn't make sense to e.g. default to using a security group for
everything that allows connections from everywhere to all ports.
Someone else may disagree, but that just adds complexity to this
environment.

Someone else may want to do this differently, but either way, we want
to centralize the configuration and apply it to groups of hosts.  I'm
asking this question to be able to control policy, that's all.

2) Regarding boto vs. knife + fog, I'm trying to be agnostic and do
this within knife so we only need one tool.  However, I don't see an
example of how this is supposed to work.  This doesn't seem to create
a group, for instance (it's based on the pieces I think I need from
ec2_create_server.rb):

     def run
       $stdout.sync = true

       secgroup_def = { :name => config[:name], :description =>
config[:description], :ip_permissions => nil, :owner_id => nil }


       conn = Fog::Compute.new(
           :provider => 'AWS',
           :aws_access_key_id => Chef::Config[:knife][:aws_access_key_id],
           :aws_secret_access_key =>
Chef::Config[:knife][:aws_secret_access_key],
           :region => locate_config_value(:region)
         )
       # conn = connection.create()
       secgroup = conn.security_groups.new(secgroup_def)

Does anyone know of a place I can look for an example of how to do
this?  I don't want to spend much more time on this now, and I'm
pretty sure I can do this in python+boto in about an hour, but I'd
prefer to not have to write yet another tool.

-Peter


> On Fri, Sep 16, 2011 at 9:51 PM, John E. Vincent (lusis)
> <
 >
>  wrote:
>> On Fri, Sep 16, 2011 at 8:20 PM, James 
>> <
 >
>>  wrote:
>>> Just want to point out that instead of working around all of these issues,
>>> you could simply use something other than security groups. This approach
>>> would be vendor agnostic, and allow you to transition off of EC2 if you 
>>> ever
>>> need to.
>>>
>>> James
>>>
>>
>> I was considering doing an EC2 security-group LWRP till I heard
>> rumblings of a firewall cookbook that managed not only iptables but
>> security groups and other forms of "firewall"ing.
>>
>> For what it's worth, all this talk of jclouds and boto and shelling
>> out is confusing. Amazon has a perfectly good ruby AWS SDK. Fog
>> exists. You'll get +9000x greater flexibility doing it in an LWRP or
>> as a knife plugin than trying to add yet another tool to the mix.
>>
>> Am I missing something here?
>>
>