ec2_securitygroup handles 'Name' tag poorly

[philomory]

EC2 Security Groups have a dedicated 'group name' attribute which is used for identifying a group and is unique (at least within a given VPC). They also allow tags, including the 'Name' tag.

The ec2_securitygroup resource matches the name parameter against the SG's 'group_name' in AWS. It also fully supports setting arbitrary tags on security groups, including the 'Name' tag. However, when retrieving information from AWS, it unnecessarily filters the 'Name' tag out of the Tags list; thus, if you set the Name tag on an ec2_securitygroup resource, your puppet runs will never show as in sync. For example:

ec2_securitygroup { 'example-sg':
  ensure      => present,
  description => "An example security group demonstrating this issue",
  region      => "us-east-2",
  vpc         => "some-vpc",
  ingress     => [{
    protocol  => -1,
    cidr      => '0.0.0.0/0',
    from_port => 0,
    to_port   => 0,
  }],
  tags        => {
    'Name' => 'Example Security Group",
  }
}

If you run this code, a security group will be created, and it's Name tag will be set to "Example Security Group" as expected. However, on every subsequent puppet run, the message Notice: /Stage[main]/Ec2_securitygroup[example-sg]/tags: tags changed {} to {"Name"=>"Example Security Group"} will display, and if you're watching e.g. PuppetDB reports, it will appear as if this resource is constantly being changed externally and then reverted by puppet.