S3 endpoints are not accepted in security group rules

[PeterHiggins]

S3 endpoints cannot be added as a source/destination using the puppetlabs-aws module.

as an example running puppet resource against a security group with only a rule allowing egress to a s3 endpoint results in:

root@testymctesttest ~ # puppet resource ec2_securitygroup S3Test
ec2_securitygroup { 'S3Test':
ensure => 'present',
description => 'Test for S3 Endpoint',
egress => [{'from_port' => '443', 'protocol' => 'tcp', 'to_port' => '443'}],
id => 'sg-abc123',
region => 'ap-southeast-2',
vpc => 'TEST VPC',
}

note that the destination is entirely missing from the egress rule.

[prozach]

May we get a sanitized output of aws ec2 describe-security-groups for the securitygroup please? I've not seen this use case.

[gederian]

S3 endpoints? Hmm sockeye attached

…

On Jan 5, 2017 9:42 AM, "zleslie" ***@***.***> wrote: May we get a sanitized output of aws ec2 describe-security-groups for the securitygroup please? I've not seen this use case. — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#393 (comment)>, or mute the thread <https://github.com/notifications/unsubscribe-auth/AThRIHwYCjt65GvRnmq3FJOfyKPkOjGOks5rPSuNgaJpZM4LbQuy> .

[daveseff]

@PeterHiggins had explained this to me recently ( we work together ). Because our company insists on defining egress rules for our SGs, We have to account for S3 enpoints. I think what the module is missing is logic for PrefixListIds.