chef-provisioning-aws 2.2.2 → 3.0.0.pre.rc1

data/lib/chef/provider/aws_nat_gateway.rb

@@ -29,7 +29,7 @@ class Chef::Provider::AwsNatGateway < Chef::Provisioning::AWSDriver::AWSProvider
       }
 
       nat_gateway = new_resource.driver.ec2_resource.create_nat_gateway(options)
-      wait_for_state(nat_gateway, ['available'])
+      wait_for_state(nat_gateway, :available)
       nat_gateway
     end
   end
@@ -51,7 +51,7 @@ class Chef::Provider::AwsNatGateway < Chef::Provisioning::AWSDriver::AWSProvider
   def destroy_aws_object(nat_gateway)
     converge_by "delete nat gateway #{new_resource.name} in region #{region} for subnet #{nat_gateway.subnet_id}" do
       nat_gateway.delete
-      wait_for_state(nat_gateway, ['deleted'])
+      wait_for_state(nat_gateway, :deleted)
     end
   end
 end

data/lib/chef/provider/aws_network_acl.rb

@@ -18,14 +18,14 @@ class Chef::Provider::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSProvider
   def create_aws_object
     converge_by "create network ACL #{new_resource.name} in #{region}" do
       options = {}
-      options[:vpc] = new_resource.vpc if new_resource.vpc
+      options[:vpc_id] = new_resource.vpc if new_resource.vpc
       options = AWSResource.lookup_options(options, resource: new_resource)
 
-      Chef::Log.debug("VPC: #{options[:vpc]}")
+      Chef::Log.debug("VPC: #{options[:vpc_id]}")
 
-      network_acl = new_resource.driver.ec2.network_acls.create(options)
-      retry_with_backoff(AWS::EC2::Errors::InvalidNetworkAclID::NotFound) do
-        network_acl.tags['Name'] = new_resource.name
+      network_acl = new_resource.driver.ec2_resource.create_network_acl(options)
+      retry_with_backoff(::Aws::EC2::Errors::InvalidNetworkAclIDNotFound) do
+        network_acl.create_tags({tags: [{key: "Name", value: new_resource.name}]})
       end
       network_acl
     end
@@ -83,6 +83,9 @@ class Chef::Provider::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSProvider
         # Anything unhandled will be added
         desired_rules.delete(desired_rule)
 
+        # Converting matching_rule [:rule_action] and [:port_range] to symbol & hash to match correctly with desired_rule
+        matching_rule[:rule_action] = matching_rule[:rule_action].to_sym unless matching_rule[:rule_action].nil?
+        matching_rule[:port_range] = matching_rule[:port_range].to_hash unless matching_rule[:port_range].nil?
         if matching_rule.merge(desired_rule) != matching_rule
           # Replace anything with a matching rule number but different attributes
           replace_rules << desired_rule
@@ -115,7 +118,7 @@ class Chef::Provider::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSProvider
   def remove_rules(network_acl, rules)
     rules.each do |rule|
       action_handler.report_progress "  remove #{rule_direction(rule)} rule #{rule[:rule_number]}"
-      network_acl.delete_entry(rule_direction(rule).to_sym, rule[:rule_number])
+      network_acl.delete_entry(egress: rule[:egress], rule_number: rule[:rule_number])
     end
   end
 
@@ -125,8 +128,8 @@ class Chef::Provider::AwsNetworkAcl < Chef::Provisioning::AWSDriver::AWSProvider
 
   def entry_to_hash(entry)
     options = [
-      :rule_number, :action, :protocol, :cidr_block, :egress,
-      :port_range, :icmp_code, :icmp_type
+      :rule_number, :rule_action, :protocol, :cidr_block, :egress,
+      :port_range, :icmp_type_code
     ]
     entry_hash = {}
     options.each { |option| entry_hash.merge!(option => entry.send(option.to_sym)) }

data/lib/chef/provider/aws_network_interface.rb

@@ -33,9 +33,12 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   def create_aws_object
     eni = nil
     converge_by "create new #{new_resource} in #{region}" do
-      eni = new_resource.driver.ec2.network_interfaces.create(options)
-      retry_with_backoff(AWS::EC2::Errors::InvalidNetworkInterfaceID::NotFound) do
-        eni.tags['Name'] = new_resource.name
+      ec2_resource = ::Aws::EC2::Resource.new(new_resource.driver.ec2)
+      # we require all the parameter from options except :device_index so deleted & then passed.
+      option_without_device_index = options.dup.tap { |h| h.delete(:device_index) }
+      eni = ec2_resource.create_network_interface(option_without_device_index)
+      retry_with_backoff(::Aws::EC2::Errors::InvalidNetworkInterfaceIDNotFound) do
+        ec2_resource.create_tags(resources: [eni.id], tags: [{ key: "Name", value: new_resource.name }])
       end
       eni
     end
@@ -47,8 +50,8 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   end
 
   def update_aws_object(eni)
-    if options.has_key?(:subnet)
-      if Chef::Resource::AwsSubnet.get_aws_object(options[:subnet], resource: new_resource) != eni.subnet
+    if options.has_key?(:subnet_id)
+      if Chef::Resource::AwsSubnet.get_aws_object(options[:subnet_id], resource: new_resource).id != eni.subnet.id
         raise "#{new_resource} subnet is #{new_resource.subnet}, but actual network interface has subnet set to #{eni.subnet_id}.  Cannot be modified!"
       end
     end
@@ -65,20 +68,21 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
         converge_by "set #{new_resource} description to #{new_resource.description}" do
           eni.client.modify_network_interface_attribute(:network_interface_id => eni.network_interface_id,
                                                         :description => {
-                                                            :value => new_resource.description
-                                                        })
+                                                            :value => new_resource.description })
         end
       end
     end
 
-    if options.has_key?(:security_groups)
-      groups = new_resource.security_groups.map { |sg|
-        Chef::Resource::AwsSecurityGroup.get_aws_object(sg, resource: new_resource)
-      }
-      if groups.sort != eni.security_groups.sort
+    if options.has_key?(:groups)
+      groups = new_resource.security_groups
+      eni_security_groups = []
+      eni.groups.each do |group|
+        eni_security_groups.push(group.group_id)
+      end
+
+      if groups.sort != eni_security_groups.sort
         converge_by "set #{new_resource} security groups to #{groups}" do
-          eni.set_security_groups(groups)
-          eni
+          eni.client.modify_network_interface_attribute(:network_interface_id => eni.network_interface_id, :groups => groups)
         end
       end
     end
@@ -87,7 +91,7 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   end
 
   def destroy_aws_object(eni)
-    detach(eni) if eni.status == :in_use
+    detach(eni) if eni.status == "in-use"
     delete(eni)
   end
 
@@ -105,10 +109,10 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   def options
     @options ||= begin
       options = {}
-      options[:subnet] = new_resource.subnet if !new_resource.subnet.nil?
+      options[:subnet_id] = new_resource.subnet if !new_resource.subnet.nil?
       options[:private_ip_address] = new_resource.private_ip_address if !new_resource.private_ip_address.nil?
       options[:description] = new_resource.description if !new_resource.description.nil?
-      options[:security_groups] = new_resource.security_groups if !new_resource.security_groups.nil?
+      options[:groups] = new_resource.security_groups if !new_resource.security_groups.nil?
       options[:device_index] = new_resource.device_index if !new_resource.device_index.nil?
 
       AWSResource.lookup_options(options, resource: new_resource)
@@ -116,18 +120,18 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   end
 
   def update_eni(eni)
-    status = eni.status
+    status = new_resource.driver.ec2_resource.network_interface(eni.id).status
     #
     # If we were told to attach the network interface to a machine, do so
     #
-    if expected_instance.is_a?(AWS::EC2::Instance) || expected_instance.is_a?(::Aws::EC2::Instance)
+    if expected_instance.is_a?(::Aws::EC2::Instance) || expected_instance.is_a?(::Aws::EC2::Instance)
       case status
-      when :available
+      when "available"
         attach(eni)
-      when :in_use
+      when "in-use"
         # We don't want to attempt to reattach to the same instance or device index
         attachment = current_attachment(eni)
-        if attachment.instance.id != expected_instance.id || (options[:device_index] && attachment.device_index != new_resource.device_index)
+        if attachment.instance_id != expected_instance.id || (options[:device_index] && attachment.device_index != new_resource.device_index)
           detach(eni)
           attach(eni)
         end
@@ -144,7 +148,7 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
       case status
       when nil
         Chef::Log.warn NetworkInterfaceNotFoundError.new(new_resource)
-      when :in_use
+      when "in-use"
         detach(eni)
       end
     end
@@ -152,10 +156,9 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
   end
 
   def detach(eni)
-    attachment   = current_attachment(eni)
-    instance     = attachment.instance
+    attachment = current_attachment(eni)
 
-    converge_by "detach #{new_resource} from #{instance.id}" do
+    converge_by "detach #{new_resource} from #{attachment.instance_id}" do
       eni.detach
     end
 
@@ -167,7 +170,7 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
 
   def attach(eni)
     converge_by "attach #{new_resource} to #{new_resource.machine} (#{expected_instance.id})" do
-      eni.attach(expected_instance.id, options)
+      eni.attach(instance_id: expected_instance.id, device_index: options[:device_index])
     end
 
     converge_by "wait for #{new_resource} to attach" do
@@ -187,13 +190,15 @@ class Chef::Provider::AwsNetworkInterface < Chef::Provisioning::AWSDriver::AWSPr
 
     converge_by "wait for #{new_resource} in #{region} to delete" do
       log_callback = proc {
-        Chef::Log.info('waiting for network interface to delete...')
+        Chef::Log.info("waiting for network interface to delete...")
       }
 
       Retryable.retryable(:tries => 30, :sleep => 2, :on => NetworkInterfaceStatusTimeoutError, :ensure => log_callback) do
-        raise NetworkInterfaceStatusTimeoutError.new(new_resource, 'exists', 'deleted') if eni.exists?
+        result = new_resource.driver.ec2_resource.network_interface(eni.id) if eni.id
+		raise NetworkInterfaceStatusTimeoutError.new(new_resource, "exists", "deleted") if new_resource.exists?(result)
       end
       eni
     end
   end
+
 end

data/lib/chef/provider/aws_rds_parameter_group.rb

@@ -122,6 +122,6 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
   end
   
   def driver
-    new_resource.driver.rds.client
+    new_resource.driver.rds
   end
 end

data/lib/chef/provider/aws_rds_subnet_group.rb

@@ -84,6 +84,6 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
   end
 
   def driver
-    new_resource.driver.rds.client
+    new_resource.driver.rds
   end
 end

data/lib/chef/provider/aws_route_table.rb

@@ -135,15 +135,15 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
   def get_route_target(vpc, route_target)
     case route_target
     when :internet_gateway
-      route_target = { internet_gateway: vpc.internet_gateways.first.id }
-      if !route_target[:internet_gateway]
-        raise "VPC #{new_resource.vpc} (#{vpc.id}) does not have an internet gateway to route to!  Use `internet_gateway true` on the VPC itself to create one."
+      if vpc.internet_gateways.first.nil?
+        raise "VPC #{new_resource.vpc} (#{vpc.id}) does not have an internet gateway to route to! Use `internet_gateway true` on the VPC itself to create one."
       end
-    when /^igw-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsInternetGateway, AWS::EC2::InternetGateway
+      route_target = { internet_gateway: vpc.internet_gateways.first.id }
+    when /^igw-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsInternetGateway, ::Aws::EC2::InternetGateway
       route_target = { internet_gateway: route_target }
-    when /^nat-[A-Fa-f0-9]{17}$/, Chef::Resource::AwsNatGateway, Aws::EC2::NatGateway
+    when /^nat-[A-Fa-f0-9]{17}$/, Chef::Resource::AwsNatGateway, ::Aws::EC2::NatGateway
       route_target = { nat_gateway: route_target }
-    when /^eni-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsNetworkInterface, AWS::EC2::NetworkInterface
+    when /^eni-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsNetworkInterface, ::Aws::EC2::NetworkInterface
       route_target = { network_interface: route_target }
     when /^pcx-[A-Fa-f0-9]{8}$/, Chef::Resource::AwsVpcPeeringConnection, ::Aws::EC2::VpcPeeringConnection
       route_target = { vpc_peering_connection: route_target }
@@ -153,7 +153,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
       route_target = { instance: route_target }
     when Chef::Resource::Machine
       route_target = { instance: route_target.name }
-    when AWS::EC2::Instance, ::Aws::EC2::Instance
+    when ::Aws::EC2::Instance, ::Aws::EC2::Instance
       route_target = { instance: route_target.id }
     when Hash
       if route_target.size != 1

data/lib/chef/provider/aws_s3_bucket.rb

@@ -26,21 +26,19 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
     bucket = super
 
     if new_resource.enable_website_hosting
-      if !bucket.website?
+     if !website_exist?(new_resource,bucket)
         converge_by "enable website configuration for bucket #{new_resource.name}" do
-          bucket.website_configuration = AWS::S3::WebsiteConfiguration.new(
-            new_resource.website_options)
+          create_website(bucket,new_resource )
         end
       elsif modifies_website_configuration?(bucket)
         converge_by "reconfigure website configuration for bucket #{new_resource.name} to #{new_resource.website_options}" do
-          bucket.website_configuration = AWS::S3::WebsiteConfiguration.new(
-            new_resource.website_options)
+          create_website(bucket,new_resource )
         end
       end
     else
-      if bucket.website?
+      if website_exist?(new_resource,bucket)
         converge_by "disable website configuration for bucket #{new_resource.name}" do
-          bucket.website_configuration = nil
+          new_resource.driver.s3_client.delete_bucket_website(bucket: new_resource.name)
         end
       end
     end
@@ -50,7 +48,8 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
 
   def create_aws_object
     converge_by "create S3 bucket #{new_resource.name}" do
-      new_resource.driver.s3.buckets.create(new_resource.name, new_resource.options)
+      options = new_resource.options.merge({bucket: new_resource.name})
+      new_resource.driver.s3_client.create_bucket(options)
       # S3 buckets already have a top level name property so they don't need
       # a 'Name' tag
     end
@@ -74,17 +73,30 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
 
   private
 
+  def website_exist?(new_resource,bucket)
+    return true if new_resource.driver.s3_client.get_bucket_website(bucket: new_resource.name) 
+  rescue Aws::S3::Errors::NoSuchWebsiteConfiguration
+    return false
+  end
+
+  def create_website(bucket,new_resource )
+    website_configuration = Aws::S3::Types::WebsiteConfiguration.new(
+            new_resource.website_options)
+    s3_client = new_resource.driver.s3_client
+    s3_client.put_bucket_website( bucket: new_resource.name,  website_configuration:website_configuration)
+  end
+
   def modifies_website_configuration?(aws_object)
     # This is incomplete, routing rules have many optional values, so its
     # possible aws will put in default values for those which won't be in
     # the requested config.
     new_web_config = new_resource.website_options || {}
 
-    current_web_config = (aws_object.website_configuration || {}).to_hash
+    current_web_config = (aws_object.website.data || {}).to_hash
 
-    (current_web_config[:index_document] != new_web_config.fetch(:index_document, {}) ||
-    current_web_config[:error_document] != new_web_config.fetch(:error_document, {}) ||
-    current_web_config[:routing_rules] != new_web_config.fetch(:routing_rules, []))
+    (current_web_config[:index_document] != new_web_config.fetch(:index_document, nil) ||
+    current_web_config[:error_document] != new_web_config.fetch(:error_document, nil) ||
+    current_web_config[:routing_rules] != new_web_config.fetch(:routing_rules, nil))
   end
 
   def s3_website_endpoint_region

data/lib/chef/provider/aws_security_group.rb

@@ -18,14 +18,18 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
 
   def create_aws_object
     converge_by "create security group #{new_resource.name} in #{region}" do
-      options = { description: new_resource.description }
-      options[:vpc] = new_resource.vpc if new_resource.vpc
+      options = { description: new_resource.description.to_s }
+      options[:vpc_id] = new_resource.vpc if new_resource.vpc
+      options[:group_name] = new_resource.name
+      if options[:description].nil? or options[:description]==""
+        options[:description] = new_resource.name.to_s
+      end
       options = AWSResource.lookup_options(options, resource: new_resource)
-      Chef::Log.debug("VPC: #{options[:vpc]}")
+      Chef::Log.debug("VPC: #{options[:vpc_id]}")
 
-      sg = new_resource.driver.ec2.security_groups.create(new_resource.name, options)
-      retry_with_backoff(AWS::EC2::Errors::InvalidSecurityGroupsID::NotFound, AWS::EC2::Errors::InvalidGroup::NotFound) do
-        sg.tags['Name'] = new_resource.name
+      sg = new_resource.driver.ec2_resource.create_security_group(options)
+      retry_with_backoff(::Aws::EC2::Errors::InvalidSecurityGroupsIDNotFound, ::Aws::EC2::Errors::InvalidGroupNotFound) do
+        new_resource.driver.ec2_resource.create_tags(resources: [sg.id],tags: [{key: "Name", value: new_resource.name}]) 
       end
       sg
     end
@@ -46,14 +50,14 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
 
   def destroy_aws_object(sg)
     converge_by "delete security group #{new_resource.to_s} in #{region}" do
-      sg.delete
+      sg.delete({ dry_run: false })
     end
   end
 
   private
 
   def apply_rules(sg)
-    vpc = sg.vpc
+    vpc = sg.vpc_id
     if !new_resource.outbound_rules.nil?
       update_outbound_rules(sg, vpc)
     end
@@ -89,19 +93,98 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     #
     # Actually update the rules (remove, add)
     #
-    update_rules(desired_rules, sg.ip_permissions_list,
-
+    update_rules(desired_rules, sg.ip_permissions,
       authorize: proc do |port_range, protocol, actors|
         names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
         converge_by "authorize #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          sg.authorize_ingress(protocol, port_range, *actors)
+          names.each do |iprange|
+           begin
+            if iprange.include?('-')
+              # user_id_group_pairs allows to add inbound rules for source security group
+              sg.authorize_ingress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  user_id_group_pairs: actors
+                }]
+              })
+=begin
+              sg.authorize_ingress({
+                group
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  prefix_list_ids: [{
+                    prefix_list_id: iprange
+                  }]
+                }]
+              })
+=end
+            else
+              sg.authorize_ingress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  ip_ranges: [{
+                    cidr_ip: iprange
+                  }]
+                }]
+              })
+            end
+           rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
+             Chef::Log.debug("Ignoring duplicate permission")
+           end
+          end
         end
       end,
 
       revoke: proc do |port_range, protocol, actors|
         names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
         converge_by "revoke the ability of #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          sg.revoke_ingress(protocol, port_range, *actors)
+          names.each do |iprange|
+           begin
+            if iprange.include?('-')
+              # user_id_group_pairs allows to revoke inbound rules for source security group
+              sg.revoke_ingress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  user_id_group_pairs: actors
+                }]
+              })
+=begin
+              sg.revoke_ingress({
+                group
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  prefix_list_ids: [{
+                    prefix_list_id: iprange
+                  }]
+                }]
+              })
+=end
+            else
+              sg.revoke_ingress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  ip_ranges: [{
+                    cidr_ip: iprange
+                  }]
+                }]
+              })
+            end
+           rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
+             Chef::Log.debug("Ignoring missing permission")
+           end
+          end
         end
       end
     )
@@ -132,19 +215,100 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     #
     # Actually update the rules (remove, add)
     #
-    update_rules(desired_rules, sg.ip_permissions_list_egress,
+    Chef::Log.info("dr: #{desired_rules}")
+    update_rules(desired_rules, sg.ip_permissions_egress,
 
       authorize: proc do |port_range, protocol, actors|
+        Chef::Log.info("proto: #{protocol.inspect}")
+        Chef::Log.info("port_range: #{port_range.inspect}")
         names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
         converge_by "authorize group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          sg.authorize_egress(*actors, ports: port_range, protocol: protocol)
+          names.each do |iprange|
+           begin
+            if iprange.include?('-')
+              sg.authorize_egress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  user_id_group_pairs: actors
+                }]
+              })
+=begin
+              sg.authorize_egress({
+                group
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  prefix_list_ids: [{
+                    prefix_list_id: iprange
+                  }]
+                }]
+              })
+=end
+            else
+              sg.authorize_egress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  ip_ranges: [{
+                    cidr_ip: iprange
+                  }]
+                }]
+              })
+            end
+           rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
+             Chef::Log.debug("Ignoring duplicate permission")
+           end
+          end
         end
       end,
 
       revoke: proc do |port_range, protocol, actors|
         names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
         converge_by "revoke the ability of group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          sg.revoke_egress(*actors, ports: port_range, protocol: protocol)
+          names.each do |iprange|
+           begin
+            if iprange.include?('-')
+              sg.revoke_egress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  user_id_group_pairs: actors
+                }]
+              })
+=begin
+              sg.revoke_egress({
+                group
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  prefix_list_ids: [{
+                    prefix_list_id: iprange
+                  }]
+                }]
+              })
+=end
+            else
+              sg.revoke_egress({
+                ip_permissions: [{
+                  ip_protocol: protocol,
+                  from_port: port_range.first,
+                  to_port: port_range.last,
+                  ip_ranges: [{
+                    cidr_ip: iprange
+                  }]
+                }]
+              })
+            end
+           rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
+             Chef::Log.debug("Ignoring missing permission")
+           end
+          end
         end
       end
     )
@@ -153,12 +317,13 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
   def update_rules(desired_rules, actual_rules_list, authorize: nil, revoke: nil)
     actual_rules = {}
     actual_rules_list.each do |rule|
+      rule = rule.to_h
       port_range = {
         port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : -1..-1,
         protocol: rule[:ip_protocol].to_s.to_sym
       }
-      rule[:groups].map! { |h| h.select{|x| x != :group_name } } if rule[:groups]
-      add_rule(actual_rules, [ port_range ], rule[:groups]) if rule[:groups]
+      rule[:user_id_group_pairs].map! { |h| h.select { |x| x != :group_name} }
+      add_rule(actual_rules, [ port_range ], rule[:user_id_group_pairs]) if rule[:user_id_group_pairs]
       add_rule(actual_rules, [ port_range ], rule[:ip_ranges].map { |r| r[:cidr_ip] }) if rule[:ip_ranges]
     end
 
@@ -244,7 +409,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
   end
 
   #
-  # Turns an actor_spec into a uniform array, containing CIDRs, AWS::EC2::LoadBalancers and AWS::EC2::SecurityGroups.
+  # Turns an actor_spec into a uniform array, containing CIDRs, ::Aws::EC2::LoadBalancers and ::Aws::EC2::SecurityGroups.
   #
   def get_actors(vpc, actor_spec)
     result = case actor_spec
@@ -258,9 +423,11 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       # The default AWS Ruby SDK form with :user_id, :group_id and :group_name forms
       if actor_spec.keys.all? { |key| [ :user_id, :group_id, :group_name ].include?(key) }
         if actor_spec.has_key?(:group_name)
-          actor_spec[:group_id] ||= vpc.security_groups.filter('group-name', actor_spec[:group_name]).first.id
+          vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
+          actor_spec[:group_id] ||= vpc_object.security_groups({filters: [name: "group-name", values: [actor_spec[:group_name]]]}).first.id
         end
         actor_spec[:user_id] ||= new_resource.driver.account_id
+
         { user_id: actor_spec[:user_id], group_id: actor_spec[:group_id] }
 
       # load_balancer: <load balancer name>
@@ -277,12 +444,22 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       end
 
     # If a load balancer is specified, grab it and then get its automatic security group
-    when /^elb-[a-fA-F0-9]{8}$/, AWS::ELB::LoadBalancer, Chef::Resource::AwsLoadBalancer
-      lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
-      get_actors(vpc, lb.source_security_group)
+    when /^elb-[a-fA-F0-9]{8}$/, Aws::ElasticLoadBalancing::Types::LoadBalancerDescription, Chef::Resource::AwsLoadBalancer
+      lb=actor_spec
+      if lb.class != Aws::ElasticLoadBalancing::Types::LoadBalancerDescription
+        lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
+      end
+      # get secgroup via vpc_id
+      vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
+      results = vpc_object.security_groups.to_a.select { |s| s.group_name == lb.source_security_group.group_name }
+      if results.size == 1  
+        get_actors(vpc, results.first.id)
+      else
+        raise ::Chef::Provisioning::AWSDriver::Exceptions::MultipleSecurityGroupError.new(lb.source_security_group.group_name, results)
+      end
 
     # If a security group is specified, grab it
-    when /^sg-[a-fA-F0-9]{8}$/, AWS::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
+    when /^sg-[a-fA-F0-9]{8}$/, ::Aws::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
       Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
 
     # If an IP addresses / CIDR are passed, return it verbatim; otherwise, assume it's the
@@ -297,10 +474,10 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       end
 
     else
-      raise "Unexpected actor #{actor_spec} in rules list"
+      raise "Unexpected actor #{actor_spec} / #{actor_spec.class} in rules list"
     end
 
-    result = { user_id: result.owner_id, group_id: result.id } if result.is_a?(AWS::EC2::SecurityGroup)
+    result = { user_id: result.owner_id, group_id: result.id } if result.is_a?(::Aws::EC2::SecurityGroup)
 
     [ result ].flatten
   end