Add "IT" SG template #18
Oh, right, I wrote tests :(
eda690c to 25fed47
rebased with test refactors, too -- it passes tox now.
Ship it!
Thanks! I kinda want to hear from @davecurado first though :)
No pressure :)
I see what you mean about the IPs... since you have working code I think you should run with that. I don't know the whole picture/story here, but (stating the obvious) it would be good if the list of IPs could be aggregated into a subnet and/or the IPs managed by some external system. Not sure how often that list of IPs will change. If that will be infrequent, I think you can make the argument for leaving it just as it is. HTHs.
I think the list will be fairly static, but we'll have a very similar list for a half-dozen other security groups, too. So I can land this as-is, but once we introduce those additional security groups, we should have some way to avoid writing the same list multiple times. Is that something you could work on, with this patch in place?
I'm definitely interested, and would like to give it a shot.
On 1/23/15 10:54 AM, Dustin J. Mitchell wrote:
I just took this priority off of my Q1 list (because, why promise to do
Dustin
On Fri, Jan 23, 2015 at 11:09 AM, Dave Curado notifications@github.com
perfect! Thanks so much.
On 1/23/15 11:53 AM, Dustin J. Mitchell wrote:
The IT template really only has to create the security group -- the instance itself isn't cloudy enough to be managed by CloudFormation.
One important bit of security group creation is referencing the VPC to which the SG belongs. So I built out a bit of support for inter-stack references. From what I can tell, the best practice for this is to feed such external resource IDs to CloudFormation manually via template parameters. This is almost the same thing -- I've replaced "manually" with a handy-dandy lookup function, and replaced parameters with the much simpler pyplates feature, "options", which just substitutes the value directly into the template.
@davecurado, what do you think? The missing piece here is that the SG is configured with a list of raw IPs, much of which will need to be repeated for lots of other security groups, so we should find a way to not be so repetitive about it.
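The two ideas raised in this thread, defining the IP list once and aggregating it into subnets, shown as an added example that is not code from this pull request. It builds plain CloudFormation resource dicts rather than using pyplates; `ADMIN_HOSTS`, the resource names and the `vpc-EXAMPLE` placeholder are assumptions, and the addresses are constructed from documentation ranges.

```python
import ipaddress
import json

# Constructed sample addresses from documentation ranges, not the real list.
ADMIN_HOSTS = [
    "192.0.2.4", "192.0.2.5", "192.0.2.6", "192.0.2.7",  # aligned run of four
    "192.0.2.9",
    "198.51.100.16/29",
    "198.51.100.17",  # already inside the /29 above
]


def aggregate(hosts):
    """Collapse entries into the fewest CIDRs covering exactly the same addresses."""
    # strict=True rejects typos such as 192.0.2.5/30 (host bits set).
    nets = [ipaddress.ip_network(h, strict=True) for h in hosts]
    return [str(n) for n in ipaddress.collapse_addresses(nets)]


def covered_addresses(cidrs):
    """Count addresses admitted by a list of non-overlapping CIDRs."""
    return sum(ipaddress.ip_network(c).num_addresses for c in cidrs)


def security_group(description, vpc_id, hosts, ports, protocol="tcp"):
    """Build an AWS::EC2::SecurityGroup resource as a plain dict."""
    rules = [
        {"IpProtocol": protocol, "FromPort": p, "ToPort": p, "CidrIp": cidr}
        for cidr in aggregate(hosts)
        for p in ports
    ]
    return {
        "Type": "AWS::EC2::SecurityGroup",
        "Properties": {"GroupDescription": description, "VpcId": vpc_id,
                       "SecurityGroupIngress": rules},
    }


def template(vpc_id):
    """Two hypothetical groups that share the single ADMIN_HOSTS definition."""
    return {"Resources": {
        "ItSecurityGroup": security_group("IT hosts", vpc_id, ADMIN_HOSTS, [22]),
        "OtherSecurityGroup": security_group("other hosts", vpc_id, ADMIN_HOSTS, [22, 443]),
    }}


if __name__ == "__main__":
    # "vpc-EXAMPLE" is a placeholder for the VPC ID the lookup would supply.
    print(json.dumps(template("vpc-EXAMPLE"), indent=2))
```

`ipaddress.collapse_addresses` only merges entries that form an exact CIDR block, so the aggregated rules admit the same 13 addresses as the raw list and nothing wider, which a hand-written covering subnet would not guarantee.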