NixOS / nixops-aws

GNU Lesser General Public License v3.0

Better documentation for EC2 securityGroups and securityGroupIds #44

Open nh2 opened 5 years ago

nh2 commented 5 years ago

Right now we have:

    deployment.ec2.securityGroups = mkOption {
      default = [ "default" ];
      example = [ "my-group" "my-other-group" ];
      type = types.listOf (types.either types.str (resource "ec2-security-group"));
      apply = map (x: if builtins.isString x then x else x.name);
      description = ''
        Security groups for the instance.  These determine the
        firewall rules applied to the instance.
      '';
    };

    deployment.ec2.securityGroupIds = mkOption {
      default = [ "default" ];
      type = types.listOf types.str;
      description = ''
        Security Group IDs for the instance. Necessary if starting
        an instance inside a VPC/subnet. In the non-default VPC, security
        groups needs to be specified by ID and not name.
      '';
    };

This is hard to understand. In which cases should I use securityGroups, and in which securityGroupIds?

RaitoBezarius commented 4 years ago

Hi, I agree, I had some problems with this, the key is:

If you don't attach a VPC, you won't see the issue. Once a VPC is attached, securityGroups will cease to work, you'll have to use securityGroupIds with a properly referenced resource or ID.

For example: deployment.ec2.securityGroupIds = [ resources.ec2SecurityGroups.some-group ] is the approach where you use the resource type, it'll automatically put the sg-stuff for you.

I think there are examples in the repo, but those are not put in the website docs enough, alas.
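As an added example (not from this issue or the nixops-aws repository), a deployment expression that applies the rule above: the instance placed in a custom VPC references the security group resource via securityGroupIds, while an instance outside a custom VPC keeps using plain names via securityGroups. Region, zone, CIDR ranges and all resource names are assumptions.

```nix
{
  # Constructed example: VPC, subnet, key pair and a security group created
  # as NixOps resources. Region, zone, CIDRs and names are assumptions.
  resources.vpc.demo-vpc = {
    region = "eu-west-1";
    cidrBlock = "10.0.0.0/16";
    enableDnsSupport = true;
    enableDnsHostnames = true;
  };

  resources.vpcSubnets.demo-subnet = { resources, ... }: {
    region = "eu-west-1";
    zone = "eu-west-1a";
    vpcId = resources.vpc.demo-vpc;
    cidrBlock = "10.0.1.0/24";
    mapPublicIpOnLaunch = true;
  };

  resources.ec2KeyPairs.demo-key = { region = "eu-west-1"; };

  # Group inside the VPC: it can only be attached by ID, not by name.
  # Least-privilege rules: SSH only, from one assumed admin CIDR only.
  resources.ec2SecurityGroups.ssh-only = { resources, ... }: {
    region = "eu-west-1";
    vpcId = resources.vpc.demo-vpc;
    description = "SSH from the admin network only";
    rules = [
      { protocol = "tcp"; fromPort = 22; toPort = 22; sourceIp = "203.0.113.0/24"; }
    ];
  };

  # VPC-attached instance: use securityGroupIds with the resource.
  # NixOps resolves the resource to its sg-... ID at deploy time.
  vpc-host = { resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2 = {
      region = "eu-west-1";
      instanceType = "t3.micro";
      keyPair = resources.ec2KeyPairs.demo-key;
      subnetId = resources.vpcSubnets.demo-subnet;
      associatePublicIpAddress = true;
      securityGroupIds = [ resources.ec2SecurityGroups.ssh-only ];
    };
  };

  # Instance without a custom VPC: names via securityGroups still work.
  classic-host = { resources, ... }: {
    deployment.targetEnv = "ec2";
    deployment.ec2 = {
      region = "eu-west-1";
      instanceType = "t3.micro";
      keyPair = resources.ec2KeyPairs.demo-key;
      securityGroups = [ "default" ];
    };
  };
}
```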