Allow setting ingress rules for default security groups in VPC

Due to default security groups all being named default we couldn't
reference them previously due to unique resouce naming conflicts. This
patch allows for a composite namevar only in the case of the default
group. Note that the composite name populates the VPC field
automatically, so you don't have to duplicate the information in a
separate property.

Author: garethr

examples/vpc-example/init.pp

@@ -14,6 +14,19 @@
   }],
 }
 
+ec2_securitygroup { 'sample-vpc::default':
+  ensure      => present,
+  region      => 'sa-east-1',
+  description => 'default VPC security group',
+  ingress     => [{
+    protocol => 'tcp',
+    port     => 22,
+    cidr     => '0.0.0.0/0'
+  },{
+    security_group => 'default',
+  }],
+}
+
 ec2_vpc_subnet { 'sample-subnet':
   ensure            => present,
   region            => 'sa-east-1',

lib/puppet/provider/ec2_securitygroup/v2.rb

@@ -69,9 +69,12 @@ def self.security_group_to_hash(region, group)
         vpc_name_tag ? vpc_name_tag.value : nil
       end
     end
+    name = group[:group_name]
+    name = "#{vpc_name}::#{name}" if vpc_name && name == 'default'
     {
       id: group.group_id,
-      name: group[:group_name],
+      name: name,
+      group_name: group[:group_name],
       id: group[:group_id],
       description: group[:description],
       ensure: :present,

lib/puppet/type/ec2_securitygroup.rb

@@ -5,13 +5,19 @@
 
   ensurable
 
-  newparam(:name, namevar: true) do
-    desc 'the name of the security group'
+  newparam(:name) do
+    desc 'the name of the security group resource'
+    isnamevar
     validate do |value|
       fail Puppet::Error, 'Security groups must have a name' if value == ''
     end
   end
 
+  newparam(:group_name) do
+    desc 'the name of the security group'
+    isnamevar
+  end
+
   newproperty(:region) do
     desc 'the region in which to launch the security group'
     validate do |value|
@@ -53,6 +59,7 @@ def stringify_values(rules)
 
   newproperty(:vpc) do
     desc 'A VPC to which the group should be associated'
+    isnamevar
   end
 
   def should_autorequire?(rule)
@@ -70,4 +77,25 @@ def should_autorequire?(rule)
   autorequire(:ec2_vpc) do
     self[:vpc]
   end
+
+  # When you create a VPC you automatically get a security group called default. You can't change the name.
+  # This lack of uniqueness makes managing these default security groups difficult. Enter a composite namevar.
+  # We support two name formats:
+  #
+  #   1. {some-security-group}
+  #   2. {some-vpc-name}::default
+  #
+  # Note that we only support prefixing a security group name with the vpc name for the default security group
+  # at this point. This avoids the issue of otherwise needing to store the resources in two places for non-default
+  # VPC secueity groups.
+  #
+  # In the case of a a default security group, we maintain the full name (including the VPC name) in the name property
+  # as otherwise it won't be unique and uniqueness and composite namevars are fun.
+  def self.title_patterns
+    [
+      [ /^(([\w\-]+)::(default))$/, [ [ :name, lambda {|x| x} ], [ :vpc, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ],
+      [ /^(([\w\-]+))$/, [ [ :name, lambda {|x| x} ], [ :group_name, lambda {|x| x} ] ] ]
+    ]
+  end
+
 end