chef-provisioning-aws 0.4.0 → 0.5.0

data/lib/chef/provider/aws_key_pair.rb

@@ -1,29 +1,24 @@
 require 'chef/provider/lwrp_base'
-require 'chef/provisioning/aws_driver'
-require 'chef/provider/aws_provider'
+require 'chef/provisioning/aws_driver/aws_provider'
 require 'aws-sdk-v1'
 
 
-class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
-
-  use_inline_resources
-
-  def whyrun_supported?
-    true
-  end
+class Chef::Provider::AwsKeyPair < Chef::Provisioning::AWSDriver::AWSProvider
 
   action :create do
     create_key(:create)
   end
 
-  action :delete do
+  action :destroy do
     if current_resource_exists?
-      new_driver.ec2.key_pairs[new_resource.name].delete
+      converge_by "delete AWS key pair #{new_resource.name} on region #{region}" do
+        driver.ec2.key_pairs[new_resource.name].delete
+      end
     end
   end
 
   def key_description
-    "#{new_resource.name} on #{new_driver.driver_url}"
+    "#{new_resource.name} on #{driver.driver_url}"
   end
 
   @@use_pkcs8 = nil # For Ruby 1.9 and below, PKCS can be run
@@ -79,8 +74,8 @@ class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
       if !new_fingerprints.any? { |f| compare_public_key f }
         if new_resource.allow_overwrite
           converge_by "update #{key_description} to match local key at #{new_resource.private_key_path}" do
-            new_driver.ec2.key_pairs[new_resource.name].delete
-            new_driver.ec2.key_pairs.import(new_resource.name, Cheffish::KeyFormatter.encode(desired_key, :format => :openssh))
+            driver.ec2.key_pairs[new_resource.name].delete
+            driver.ec2.key_pairs.import(new_resource.name, Cheffish::KeyFormatter.encode(desired_key, :format => :openssh))
           end
         else
           raise "#{key_description} with fingerprint #{@current_fingerprint} does not match local key fingerprint(s) #{new_fingerprints}, and allow_overwrite is false!"
@@ -92,12 +87,12 @@ class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
 
       # Create key
       converge_by "create #{key_description} from local key at #{new_resource.private_key_path}" do
-        new_driver.ec2.key_pairs.import(new_resource.name, Cheffish::KeyFormatter.encode(desired_key, :format => :openssh))
+        driver.ec2.key_pairs.import(new_resource.name, Cheffish::KeyFormatter.encode(desired_key, :format => :openssh))
       end
     end
   end
 
-  def new_driver
+  def driver
     run_context.chef_provisioning.driver_for(new_resource.driver)
   end
 
@@ -135,15 +130,11 @@ class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
   end
 
   def existing_keypair
-    @existing_keypair ||= begin
-      new_driver.ec2.key_pairs[fqn]
-    rescue
-      nil
-    end
+    @existing_keypair ||= new_resource.aws_object
   end
 
   def current_resource_exists?
-    @current_resource.action != [ :delete ]
+    @current_resource.action != [ :destroy ]
   end
 
   def compare_public_key(new)
@@ -160,9 +151,9 @@ class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
     private_key_path = new_resource.private_key_path || new_resource.name
     if private_key_path.is_a?(Symbol)
       private_key_path
-    elsif Pathname.new(private_key_path).relative? && new_driver.config[:private_key_write_path]
+    elsif Pathname.new(private_key_path).relative? && driver.config[:private_key_write_path]
       @should_create_directory = true
-      ::File.join(new_driver.config[:private_key_write_path], private_key_path)
+      ::File.join(driver.config[:private_key_write_path], private_key_path)
     else
       private_key_path
     end
@@ -175,11 +166,11 @@ class Chef::Provider::AwsKeyPair < Chef::Provider::AwsProvider
   def load_current_resource
     @current_resource = Chef::Resource::AwsKeyPair.new(new_resource.name, run_context)
 
-    current_key_pair = new_driver.ec2.key_pairs[new_resource.name]
-    if current_key_pair && current_key_pair.exists?
+    current_key_pair = new_resource.aws_object
+    if current_key_pair
       @current_fingerprint = current_key_pair ? current_key_pair.fingerprint : nil
     else
-      current_resource.action :delete
+      current_resource.action :destroy
     end
 
     if new_private_key_path && ::File.exist?(new_private_key_path)

data/lib/chef/provider/aws_launch_configuration.rb

@@ -0,0 +1,50 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+require 'chef/resource/aws_image'
+
+class Chef::Provider::AwsLaunchConfiguration < Chef::Provisioning::AWSDriver::AWSProvider
+  protected
+
+  def create_aws_object
+    image = Chef::Resource::AwsImage.get_aws_object_id(new_resource.image, resource: new_resource)
+    instance_type = new_resource.instance_type || new_resource.driver.default_instance_type
+    options = AWSResource.lookup_options(new_resource.options || options, resource: new_resource)
+
+    converge_by "Creating new Launch Configuration #{new_resource.name} in #{region}" do
+      new_resource.driver.auto_scaling.launch_configurations.create(
+        new_resource.name,
+        image,
+        instance_type,
+        options
+      )
+    end
+  end
+
+  def update_aws_object(launch_configuration)
+    if new_resource.image
+      image = Chef::Resource::AwsImage.get_aws_object_id(new_resource.image, resource: new_resource)
+      if image != launch_configuration.image_id
+        raise "#{new_resource.to_s}.image = #{new_resource.image} (#{image.id}), but actual launch configuration has image set to #{launch_configuration.image_id}.  Cannot be modified!"
+      end
+    end
+    if new_resource.instance_type
+      if new_resource.instance_type != launch_configuration.instance_type
+        raise "#{new_resource.to_s}.instance_type = #{new_resource.instance_type}, but actual launch configuration has instance_type set to #{launch_configuration.instance_type}.  Cannot be modified!"
+      end
+    end
+    # TODO compare options
+  end
+
+  def destroy_aws_object(launch_configuration)
+    converge_by "delete Launch Configuration #{new_resource.name} in #{region}" do
+      # TODO add a timeout here.
+      # TODO is InUse really a status guaranteed to go away??
+      begin
+        launch_configuration.delete
+      rescue AWS::AutoScaling::Errors::ResourceInUse
+        sleep 5
+        retry
+      end
+    end
+  end
+
+end

data/lib/chef/provider/aws_route_table.rb

@@ -0,0 +1,122 @@
+require 'chef/provisioning/aws_driver/aws_provider'
+
+class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
+
+  def action_create
+    route_table = super
+
+    if !new_resource.routes.nil?
+      update_routes(vpc, route_table)
+    end
+  end
+
+  protected
+
+  def create_aws_object
+    options = {}
+    options[:vpc] = new_resource.vpc
+    options = AWSResource.lookup_options(options, resource: new_resource)
+    self.vpc = Chef::Resource::AwsVpc.get_aws_object(options[:vpc], resource: new_resource)
+
+    converge_by "create new route table #{new_resource.name} in VPC #{new_resource.vpc} (#{vpc.id}) and region #{region}" do
+      route_table = new_resource.driver.ec2.route_tables.create(options)
+      route_table.tags['Name'] = new_resource.name
+      route_table
+    end
+  end
+
+  def update_aws_object(route_table)
+    self.vpc = route_table.vpc
+
+    if new_resource.vpc
+      desired_vpc = Chef::Resource::AwsVpc.get_aws_object(new_resource.vpc, resource: new_resource)
+      if vpc != desired_vpc
+        raise "VPC of route table #{new_resource.name} (#{route_table.id}) is #{route_table.vpc.id}, but desired vpc is #{new_resource.vpc}!  Moving (or rather, recreating) a route table is not yet supported."
+      end
+    end
+  end
+
+  def destroy_aws_object(route_table)
+    converge_by "delete route table #{new_resource.name} (#{route_table.id}) in #{region}" do
+      route_table.delete
+    end
+  end
+
+  private
+
+  attr_accessor :vpc
+
+  def update_routes(vpc, route_table)
+    # Collect current routes
+    current_routes = {}
+    route_table.routes.each do |route|
+      # Ignore the automatic local route
+      next if route.target.id == 'local'
+      current_routes[route.destination_cidr_block] = route
+    end
+
+    # Add or replace routes from `routes`
+    new_resource.routes.each do |destination_cidr_block, route_target|
+      options = get_route_target(vpc, route_target)
+      target = options.values.first
+      # If we already have a route to that CIDR block, replace it.
+      if current_routes[destination_cidr_block]
+        current_route = current_routes.delete(destination_cidr_block)
+        if current_route.target != target
+          action_handler.perform_action "reroute #{destination_cidr_block} to #{route_target} (#{target.id}) instead of #{current_route.target.id}" do
+            current_route.replace(options)
+          end
+        end
+      else
+        action_handler.perform_action "route #{destination_cidr_block} to #{route_target} (#{target.id})" do
+          route_table.create_route(destination_cidr_block, options)
+        end
+      end
+    end
+
+    # Delete anything that's left (that wasn't replaced)
+    current_routes.values.each do |current_route|
+      action_handler.perform_action "remove route sending #{current_route.destination_cidr_block} to #{current_route.target.id}" do
+        current_route.delete
+      end
+    end
+  end
+
+  def get_route_target(vpc, route_target)
+    case route_target
+    when :internet_gateway
+      route_target = { internet_gateway: vpc.internet_gateway }
+      if !route_target[:internet_gateway]
+        raise "VPC #{new_resource.vpc} (#{vpc.id}) does not have an internet gateway to route to!  Use `internet_gateway true` on the VPC itself to create one."
+      end
+    when /^igw-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsInternetGateway, AWS::EC2::InternetGateway
+      route_target = { internet_gateway: route_target }
+    when /^eni-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsNetworkInterface, AWS::EC2::NetworkInterface
+      route_target = { network_interface: route_target }
+    when String, Chef::Resource::AwsInstance
+      route_target = { instance: route_target }
+    when Chef::Resource::Machine
+      route_target = { instance: route_target.name }
+    when AWS::EC2::Instance
+      route_target = { instance: route_target.id }
+    when Hash
+      if route_target.size != 1
+        raise "Route target #{route_target} must have exactly one key, either :internet_gateway, :instance or :network_interface!"
+      end
+      route_target = route_target.dup
+    else
+      raise "Unrecognized route destination #{route_target.inspect}"
+    end
+    route_target.each do |name, value|
+      case name
+      when :instance
+        route_target[name] = Chef::Resource::AwsInstance.get_aws_object(value, resource: new_resource)
+      when :network_interface
+        route_target[name] = Chef::Resource::AwsNetworkInterface.get_aws_object(value, resource: new_resource)
+      when :internet_gateway
+        route_target[name] = Chef::Resource::AwsInternetGateway.get_aws_object(value, resource: new_resource)
+      end
+    end
+    route_target
+  end
+end

data/lib/chef/provider/aws_s3_bucket.rb

@@ -1,81 +1,74 @@
-require 'chef/provider/aws_provider'
+require 'chef/provisioning/aws_driver/aws_provider'
 require 'date'
 
-class Chef::Provider::AwsS3Bucket < Chef::Provider::AwsProvider
-  action :create do
-    if existing_bucket == nil
-      converge_by "Creating new S3 bucket #{fqn}" do
-        bucket = new_driver.s3.buckets.create(fqn)
-        bucket.tags['Name'] = new_resource.name
-      end
-    end
-    
-    if modifies_website_configuration?
-      if new_resource.enable_website_hosting
-        converge_by "Setting website configuration for bucket #{fqn}" do
-          existing_bucket.website_configuration = AWS::S3::WebsiteConfiguration.new(
+class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
+  def action_create
+    bucket = super
+
+    if new_resource.enable_website_hosting
+      if !bucket.website?
+        converge_by "Enabling website configuration for bucket #{new_resource.name}" do
+          bucket.website_configuration = AWS::S3::WebsiteConfiguration.new(
             new_resource.website_options)
         end
-      else
-        converge_by "Disabling website configuration for bucket #{fqn}" do
-          existing_bucket.website_configuration = nil
+      elsif modifies_website_configuration?(bucket)
+        converge_by "Reconfiguring website configuration for bucket #{new_resource.name} to #{new_resource.website_options}" do
+          bucket.website_configuration = AWS::S3::WebsiteConfiguration.new(
+            new_resource.website_options)
+        end
+      end
+    else
+      if bucket.website?
+        converge_by "Disabling website configuration for bucket #{new_resource.name}" do
+          bucket.website_configuration = nil
         end
       end
     end
-    new_resource.endpoint "#{fqn}.s3-website-#{s3_website_endpoint_region}.amazonaws.com"
-    new_resource.save
   end
 
-  action :delete do
-    if existing_bucket
-      converge_by "Deleting S3 bucket #{fqn}" do
-        existing_bucket.delete
-      end
+  protected
+
+  def create_aws_object
+    converge_by "create new S3 bucket #{new_resource.name}" do
+      bucket = new_resource.driver.s3.buckets.create(new_resource.name)
+      bucket.tags['Name'] = new_resource.name
+      bucket
     end
+  end
 
-    new_resource.delete
+  def update_aws_object(bucket)
   end
 
-  def existing_bucket
-    Chef::Log.debug("Checking for S3 bucket #{fqn}")
-    @existing_bucket ||= new_driver.s3.buckets[fqn] if new_driver.s3.buckets[fqn].exists?
+  def destroy_aws_object(bucket)
+    converge_by "delete S3 bucket #{new_resource.name}" do
+      bucket.delete
+    end
   end
 
-  def modifies_website_configuration?
+  private
+
+  def modifies_website_configuration?(aws_object)
     # This is incomplete, routing rules have many optional values, so its
     # possible aws will put in default values for those which won't be in
     # the requested config.
-    new_web_config = new_resource.website_options
-    current_web_config = current_website_configuration
+    new_web_config = new_resource.website_options || {}
 
-    !!existing_bucket.website_configuration != new_resource.enable_website_hosting || 
-      (current_web_config[:index_document] != new_web_config.fetch(:index_document, {}) ||
-      current_web_config[:error_document] != new_web_config.fetch(:error_document, {}) ||
-      current_web_config[:routing_rules] != new_web_config.fetch(:routing_rules, []))
-  end
+    current_web_config = (aws_object.website_configuration || {}).to_hash
 
-  def current_website_configuration
-    if existing_bucket.website_configuration
-      existing_bucket.website_configuration.to_hash
-    else
-      {}
-    end
+    (current_web_config[:index_document] != new_web_config.fetch(:index_document, {}) ||
+    current_web_config[:error_document] != new_web_config.fetch(:error_document, {}) ||
+    current_web_config[:routing_rules] != new_web_config.fetch(:routing_rules, []))
   end
 
   def s3_website_endpoint_region
     # ¯\_(ツ)_/¯
-    case existing_bucket.location_constraint
+    case aws_object.location_constraint
     when nil, 'US'
       'us-east-1'
     when 'EU'
       'eu-west-1'
     else
-      existing_bucket.location_constraint
+      aws_object.location_constraint
     end
   end
-
-  # Fully qualified bucket name (i.e resource_region unless otherwise specified)
-  def id
-    new_resource.bucket_name || new_resource.name
-  end
 end

data/lib/chef/provider/aws_security_group.rb

@@ -1,89 +1,282 @@
-require 'chef/provider/aws_provider'
+require 'chef/provisioning/aws_driver/aws_provider'
 require 'date'
+require 'ipaddr'
+require 'set'
 
-class Chef::Provider::AwsSecurityGroup < Chef::Provider::AwsProvider
-
-  action :create do
-    if existing_sg == nil
-      converge_by "Creating new SG #{new_resource.name} in #{new_driver.aws_config.region}" do
-        opts = {
-            :description => new_resource.description,
-            :vpc => nil
-        }
-        # Use VPC ID if provided, otherwise lookup VPC by name
-        if new_resource.vpc_id
-          opts[:vpc] = new_resource.vpc_id
-        elsif new_resource.vpc_name
-          existing_vpc = new_driver.ec2.vpcs.with_tag('Name', new_resource.vpc_name).first
-          Chef::Log.debug("Existing VPC: #{existing_vpc.inspect}")
-          if existing_vpc
-            opts[:vpc] = existing_vpc
-          end
-        end
+class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvider
+
+  def action_create
+    sg = super
+
+    apply_rules(sg)
+  end
+
+  protected
+
+  def create_aws_object
+    converge_by "Creating new SG #{new_resource.name} in #{region}" do
+      options = { description: new_resource.description }
+      options[:vpc] = new_resource.vpc if new_resource.vpc
+      options = AWSResource.lookup_options(options, resource: new_resource)
+      Chef::Log.debug("VPC: #{options[:vpc]}")
+
+      sg = new_resource.driver.ec2.security_groups.create(new_resource.name, options)
+    end
+  end
 
-        sg = new_driver.ec2.security_groups.create(new_resource.name, opts)
-        new_resource.security_group_id sg.group_id
-        new_resource.save
+  def update_aws_object(sg)
+    if !new_resource.description.nil? && new_resource.description != sg.description
+      raise "Security Group descriptions cannot be changed after being created!  Desired description for #{new_resource.name} (#{sg.id}) was \"#{new_resource.description}\" and actual description is \"#{sg.description}\""
+    end
+    if !new_resource.vpc.nil?
+      desired_vpc = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
+      if desired_vpc != sg.vpc_id
+        raise "Security Group VPC cannot be changed after being created!  Desired VPC for #{new_resource.name} (#{sg.id}) was #{new_resource.vpc} (#{desired_vpc}) and actual VPC is #{sg.vpc_id}"
       end
     end
+    apply_rules(sg)
+  end
 
-    # Update rules
-    apply_rules(existing_sg)
+  def destroy_aws_object(sg)
+    converge_by "Deleting SG #{new_resource.name} in #{region}" do
+      sg.delete
+    end
   end
 
-  action :delete do
-    if existing_sg
-      converge_by "Deleting SG #{new_resource.name} in #{new_driver.aws_config.region}" do
-        existing_sg.delete
-      end
+  private
+
+  def apply_rules(sg)
+    vpc = sg.vpc
+    if !new_resource.outbound_rules.nil?
+      update_outbound_rules(sg, vpc)
     end
 
-    new_resource.delete
+    if !new_resource.inbound_rules.nil?
+      update_inbound_rules(sg, vpc)
+    end
   end
 
-  # TODO check existing rules and compare / remove?
-  def apply_rules(security_group)
-    # Incoming
-    if new_resource.inbound_rules
+  def update_inbound_rules(sg, vpc)
+    #
+    # Get desired rules
+    #
+    desired_rules = {}
+
+    case new_resource.inbound_rules
+    when Hash
+      new_resource.inbound_rules.each do |sources_spec, port_spec|
+        add_rule(desired_rules, get_port_ranges(port_spec), get_actors(vpc, sources_spec))
+      end
+
+    when Array
+      # [ { port: X, protocol: Y, sources: [ ... ]}]
       new_resource.inbound_rules.each do |rule|
-        begin
-          converge_by "Updating SG #{new_resource.name} in #{new_driver.aws_config.region} to allow inbound #{rule[:protocol]}/#{rule[:ports]} from #{rule[:sources]}" do
-            security_group.authorize_ingress(rule[:protocol], rule[:ports], *rule[:sources])
-          end
-        rescue AWS::EC2::Errors::InvalidPermission::Duplicate
-          Chef::Log.debug 'Duplicate rule, ignoring.'
-        end
+        port_ranges = get_port_ranges(port_range: rule[:port], protocol: rule[:protocol])
+        add_rule(desired_rules, port_ranges, get_actors(vpc, rule[:sources]))
       end
+
+    else
+      raise ArgumentError, "inbound_rules must be a Hash or Array (was #{new_resource.inbound_rules.inspect})"
     end
 
-    # Outgoing
-    if new_resource.outbound_rules
+    #
+    # Actually update the rules (remove, add)
+    #
+    update_rules(desired_rules, sg.ip_permissions_list,
+
+      authorize: proc do |port_range, protocol, actors|
+        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+        converge_by "authorize #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range} with protocol #{protocol}" do
+          sg.authorize_ingress(protocol, port_range, *actors)
+        end
+      end,
+
+      revoke: proc do |port_range, protocol, actors|
+        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+        converge_by "revoke the ability of #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range} with protocol #{protocol}" do
+          sg.revoke_ingress(protocol, port_range, *actors)
+        end
+      end
+    )
+  end
+
+  def update_outbound_rules(sg, vpc)
+    #
+    # Get desired rules
+    #
+    desired_rules = {}
+
+    case new_resource.outbound_rules
+    when Hash
+      new_resource.outbound_rules.each do |port_spec, sources_spec|
+        add_rule(desired_rules, get_port_ranges(port_spec), get_actors(vpc, sources_spec))
+      end
+
+    when Array
+      # [ { port: X, protocol: Y, sources: [ ... ]}]
       new_resource.outbound_rules.each do |rule|
-        begin
-          converge_by "Updating SG #{new_resource.name} in #{new_driver.aws_config.region} to allow outbound #{rule[:protocol]}/#{rule[:ports]} to #{rule[:destinations]}" do
-            security_group.authorize_egress( *rule[:destinations], :protocol => rule[:protocol], :ports => rule[:ports])
-          end
-        rescue AWS::EC2::Errors::InvalidPermission::Duplicate
-          Chef::Log.debug 'Duplicate rule, ignoring.'
+        port_ranges = get_port_ranges(port_range: rule[:port], protocol: rule[:protocol])
+        add_rule(desired_rules, port_ranges, get_actors(vpc, rule[:destinations]))
+      end
+
+    else
+      raise ArgumentError, "outbound_rules must be a Hash or Array (was #{new_resource.outbound_rules.inspect})"
+    end
+
+    #
+    # Actually update the rules (remove, add)
+    #
+    update_rules(desired_rules, sg.ip_permissions_list_egress,
+
+      authorize: proc do |port_range, protocol, actors|
+        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+        converge_by "authorize group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range} with protocol #{protocol}" do
+          sg.authorize_egress(*actors, ports: port_range, protocol: protocol)
+        end
+      end,
+
+      revoke: proc do |port_range, protocol, actors|
+        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+        converge_by "revoke the ability of group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range} with protocol #{protocol}" do
+          sg.revoke_egress(*actors, ports: port_range, protocol: protocol)
         end
       end
+    )
+  end
+
+  def update_rules(desired_rules, actual_rules_list, authorize: nil, revoke: nil)
+    actual_rules = {}
+    actual_rules_list.each do |rule|
+      port_range = {
+        port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : nil,
+        protocol: rule[:ip_protocol].to_s.to_sym
+      }
+      add_rule(actual_rules, [ port_range ], rule[:groups]) if rule[:groups]
+      add_rule(actual_rules, [ port_range ], rule[:ip_ranges].map { |r| r[:cidr_ip] }) if rule[:ip_ranges]
+    end
+
+    #
+    # Get the list of permissions to add and remove
+    #
+    actual_rules.each do |port_range, actors|
+      if desired_rules[port_range]
+        intersection = actors & desired_rules[port_range]
+        # Anything unhandled in desired_rules will be added
+        desired_rules[port_range] -= intersection
+        # Anything unhandled in actual_rules will be removed
+        actual_rules[port_range] -= intersection
+      end
+    end
+
+    #
+    # Add any new rules
+    #
+    desired_rules.each do |port_range, actors|
+      unless actors.empty?
+        authorize.call(port_range[:port_range], port_range[:protocol], actors)
+      end
+    end
+
+    #
+    # Remove any rules no longer in effect
+    #
+    actual_rules.each do |port_range, actors|
+      unless actors.empty?
+        revoke.call(port_range[:port_range], port_range[:protocol], actors)
+      end
+    end
+  end
+
+  def add_rule(rules, port_ranges, actors)
+    unless actors.empty?
+      port_ranges.each do |port_range|
+        rules[port_range] ||= Set.new
+        rules[port_range] += actors
+      end
     end
   end
 
-  def existing_sg
-    @existing_sg ||= begin
-      if id != nil
-        new_driver.ec2.security_groups[id]
+  def get_port_ranges(port_spec)
+    case port_spec
+    when Integer
+      [ { port_range: port_spec..port_spec, protocol: :tcp } ]
+    when Range
+      [ { port_range: port_spec, protocol: :tcp } ]
+    when Array
+      port_spec.map { |p| get_port_ranges(p) }.flatten
+    when Hash
+      if port_spec[:protocol]
+        [ { port_range: port_spec[:port_range] || port_spec[:port], protocol: port_spec[:protocol].to_s.to_sym } ]
       else
-        nil
+        get_port_ranges(port_spec[:port_range] || port_spec[:port])
       end
-    rescue
-      nil
+      # The to_s.to_sym dance is because if you specify a protocol number, AWS symbolifies it,
+      # but 26.to_sym doesn't work (so we have to to_s it first).
+    when nil
+      [ { port_range: nil, protocol: :any } ]
     end
   end
 
-  def id
-    new_resource.security_group_id
+  #
+  # Turns an actor_spec into a uniform array, containing CIDRs, AWS::EC2::LoadBalancers and AWS::EC2::SecurityGroups.
+  #
+  def get_actors(vpc, actor_spec)
+    result = case actor_spec
+
+    # An array is always considered a list of actors.  Each one may follow any supported format.
+    when Array
+      actor_spec.map { |a| get_actors(vpc, a) }
+
+    # Hashes come in several forms:
+    when Hash
+      # The default AWS Ruby SDK form with :user_id, :group_id and :group_name forms
+      if actor_spec.keys.all? { |key| [ :user_id, :group_id, :group_name ].include?(key) }
+        if actor_spec.has_key?(:group_name)
+          actor_spec[:group_id] ||= vpc.security_groups.filter('group-name', actor_spec[:group_name]).first.id
+        end
+        actor_spec[:user_id] ||= new_resource.driver.account_id
+        { user_id: actor_spec[:user_id], group_id: actor_spec[:group_id] }
+
+      # load_balancer: <load balancer name>
+      elsif actor_spec.keys == [ :load_balancer ]
+        lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec.values.first, resource: new_resource)
+        get_actors(vpc, lb)
+
+      # security_group: <security group name>
+      elsif actor_spec.keys == [ :security_group ]
+        Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec[:security_group], resource: new_resource)
+
+      else
+        raise "Unable to reference security group with spec #{actor_spec}"
+      end
+
+    # If a load balancer is specified, grab it and then get its automatic security group
+    when /^elb-[a-fA-F0-9]{8}$/, AWS::ELB::LoadBalancer, Chef::Resource::AwsLoadBalancer
+      lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
+      get_actors(vpc, lb.source_security_group)
+
+    # If a security group is specified, grab it
+    when /^sg-[a-fA-F0-9]{8}$/, AWS::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
+      Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
+
+    # If an IP addresses / CIDR are passed, return it verbatim; otherwise, assume it's the
+    # name of a security group.
+    when String
+      begin
+        IPAddr.new(actor_spec)
+        # Add /32 to the end of raw IP addresses
+        actor_spec =~ /\// ? actor_spec : "#{actor_spec}/32"
+      rescue
+        Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
+      end
+
+    else
+      raise "Unexpected actor #{actor_spec} in rules list"
+    end
+
+    result = { user_id: result.owner_id, group_id: result.id } if result.is_a?(AWS::EC2::SecurityGroup)
+
+    [ result ].flatten
   end
 
 end