hamlet-io / engine

Framework for managing cloud infrastructure via templates. It is part of the broader Hamlet devops framework.
GNU General Public License v3.0

Use Prefix Lists to capture IPAddressGroups #1760

Open ml019 opened 4 years ago

ml019 commented 4 years ago

Expected Behavior

Support the management of IPAddressGroups through prefix lists - https://aws.amazon.com/about-aws/whats-new/2020/06/amazon-virtual-private-cloud-customers-use-prefix-lists-simplify-configuration-security-groups-route-tables/?sc_channel=em&sc_campaign=GLOBAL_CT_NL_global-snapshot-newsletter_20200708_&sc_medium=em_132692&sc_content=PA_nl_la&sc_geo=mult&sc_country=global&sc_outcome=pa&trk=em_132692_()_Velocity_WhatsNewForYou_Compute_2&mkt_tok=eyJpIjoiWlRSbFlUZG1NbVl4WldKbSIsInQiOiI3d2ZSN0Q5akJqdXgrU1NjNlBlOTRvK1FrRmhOSXZQNVpxaVJmY093c1cxT1JyakM1eXZYMGRmYmxmczBKcTgzSlgxU0YwV242c1NhbDNqeTdUeUw4VkpCWG13Y3g4cEpRSEU0Q2dXR0o5Y01yNnJXRE9zXC9vTlZSdE12VG1sVExNSDJVRlpGOWdcLzJYdEJCVXJPYUZwdz09In0%3D

Current Behavior

Currently IPAddressGroups are created each time they are used, meaning that updating them requires re-deployments of any unit that uses them.

Using prefix lists would permit more rapid deployment of change and reduce the overhead of IPAddressGroup CIDR changes.

Possible Solution

roleyfoley commented 3 years ago

This could be defined at the tenant level as well. Usage for broader policies could be questionable.
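
The difference the issue describes, as an added example that is not part of the thread or of hamlet's own code: a plain CloudFormation fragment with the CIDRs inlined in a security group next to the same rule referencing a managed prefix list. Resource names, the `VpcId` parameter and the documentation-range CIDRs are constructed for illustration, and both forms sit in one template only for brevity; in practice the prefix list would live in its own deployment unit.

```yaml
AWSTemplateFormatVersion: "2010-09-09"
Parameters:
  VpcId:                       # hypothetical parameter for this example
    Type: AWS::EC2::VPC::Id
Resources:
  # Deployed once. CIDR changes are made here only.
  OfficeAddressGroup:
    Type: AWS::EC2::PrefixList
    Properties:
      PrefixListName: ipaddressgroup-office
      AddressFamily: IPv4
      # MaxEntries, not the current entry count, is what counts against the
      # rules quota of every security group that references this list.
      MaxEntries: 5
      Entries:
        - Cidr: 203.0.113.0/24
          Description: constructed sample range
        - Cidr: 198.51.100.16/28
          Description: constructed sample range

  # Before: CIDRs copied into the consuming unit. Changing a range means
  # redeploying every unit that carries a copy.
  WebInlineSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from office ranges (inlined CIDRs)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 203.0.113.0/24
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          CidrIp: 198.51.100.16/28

  # After: one rule that follows the prefix list. Updating the list's
  # entries takes effect without touching this resource.
  WebPrefixListSecurityGroup:
    Type: AWS::EC2::SecurityGroup
    Properties:
      GroupDescription: HTTPS from office ranges (prefix list)
      VpcId: !Ref VpcId
      SecurityGroupIngress:
        - IpProtocol: tcp
          FromPort: 443
          ToPort: 443
          SourcePrefixListId: !GetAtt OfficeAddressGroup.PrefixListId
```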