Open
Description
We need to ensure that we push updates to firewall rules whenever the rules or an affected instance is modified. Specifically, check that we compile and send to the relevant sled-agents updated rules when:
- A firewall is modified
- An instance is created (This is almost certainly done)
- An instance is deleted
- An instance is migrated (tracked by "Gather and send instance information on migration", #1783)
There are a few other events that technically require updating the rules as well, but I believe they're either not applicable because of the way we've currently structured things, or just lower priority in that things will continue to function even if they'll be less-than-perfect. These are:
- When an instance has a NIC added, deleted, or modified (say, moved to a different subnet). This is handled by instance creation, because we can currently only perform these operations when the instance is stopped, which means we'll resend the creation request to the sled agent anyway.
- When a VPC or VPC Subnet is added, modified, or deleted. For example, when we delete a VPC Subnet, any instances with a firewall rule that refers to that subnet should have that rule removed. Same for VPCs.
There are likely others I'm forgetting.
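The event list above, as an added example that is not part of this issue or of Omicron's own code: a hypothetical model in Rust of which sleds need a recompiled rule set after each of the listed events, including the VPC Subnet deletion case where rules referring to the deleted subnet have to be dropped before the remaining instances' rules are recompiled. Every type and function name here (Target, Rule, Instance, Event, sleds_to_update, prune_subnet, compile_for, apply_subnet_deleted), the host/target rule shape, and the sample fleet are assumptions for illustration, not Nexus or sled-agent APIs.

```rust
use std::collections::BTreeSet;

/// A rule target or host filter: a whole VPC, one VPC subnet, or one instance (hypothetical shape).
#[derive(Clone, Debug, PartialEq, Eq)]
pub enum Target { Vpc(String), Subnet(String), Instance(String) }

/// Hypothetical rule: applied to `targets`, matching peers in `hosts` (empty = any host).
#[derive(Clone, Debug, PartialEq, Eq)]
pub struct Rule { pub name: String, pub targets: Vec<Target>, pub hosts: Vec<Target> }

/// Hypothetical instance record; `sled` is where its compiled rules get pushed.
#[derive(Clone, Debug)]
pub struct Instance { pub name: String, pub vpc: String, pub subnet: String, pub sled: String }

/// The events from the issue that require recompiling and resending rules.
#[derive(Clone, Debug)]
pub enum Event {
    FirewallModified { vpc: String },
    InstanceCreated { instance: String },
    InstanceDeleted { instance: String },
    InstanceMigrated { instance: String, from_sled: String, to_sled: String },
    SubnetDeleted { vpc: String, subnet: String },
}

impl Target {
    fn matches(&self, i: &Instance) -> bool {
        match self { Target::Vpc(v) => &i.vpc == v, Target::Subnet(s) => &i.subnet == s, Target::Instance(n) => &i.name == n }
    }
}

/// Drop every rule naming the deleted subnet, as a target or as a host: it can no longer be resolved.
pub fn prune_subnet(rules: &[Rule], subnet: &str) -> Vec<Rule> {
    let gone = Target::Subnet(subnet.to_string());
    rules.iter().filter(|r| !r.targets.contains(&gone) && !r.hosts.contains(&gone)).cloned().collect()
}

/// The subset of `rules` whose targets cover `inst`; this is what its sled receives.
pub fn compile_for(rules: &[Rule], inst: &Instance) -> Vec<Rule> {
    rules.iter().filter(|r| r.targets.iter().any(|t| t.matches(inst))).cloned().collect()
}

/// Sleds that must receive recompiled rules after `event`. `instances` is the fleet with the
/// event's instance still present (inserted for a create, not yet removed for a delete).
pub fn sleds_to_update(event: &Event, instances: &[Instance]) -> BTreeSet<String> {
    let sleds_in_vpc = |vpc: &str| -> BTreeSet<String> {
        instances.iter().filter(|i| i.vpc == vpc).map(|i| i.sled.clone()).collect()
    };
    let vpc_of = |name: &str| instances.iter().find(|i| i.name == name).map(|i| i.vpc.clone());
    match event {
        // Every sled hosting an instance in that VPC sees the changed rule set.
        Event::FirewallModified { vpc } | Event::SubnetDeleted { vpc, .. } => sleds_in_vpc(vpc.as_str()),
        // The instance's own sled needs rules, and so do VPC peers whose rules may name it as a host.
        Event::InstanceCreated { instance } | Event::InstanceDeleted { instance } => {
            vpc_of(instance.as_str()).map(|v| sleds_in_vpc(v.as_str())).unwrap_or_default()
        }
        // Destination sled needs the rules; the source must learn the instance left (no stale rules).
        Event::InstanceMigrated { from_sled, to_sled, .. } => {
            vec![from_sled.clone(), to_sled.clone()].into_iter().collect()
        }
    }
}

/// Constructed sample fleet: two vpc-a instances on different sleds, one in vpc-b.
pub fn sample_fleet() -> Vec<Instance> {
    let mk = |n: &str, v: &str, s: &str, sled: &str| Instance {
        name: n.into(), vpc: v.into(), subnet: s.into(), sled: sled.into(),
    };
    vec![
        mk("web", "vpc-a", "subnet-front", "sled-1"),
        mk("db", "vpc-a", "subnet-back", "sled-2"),
        mk("other", "vpc-b", "subnet-b", "sled-3"),
    ]
}

/// Constructed sample rules for vpc-a: one subnet-to-subnet rule, one VPC-wide rule.
pub fn sample_rules() -> Vec<Rule> {
    let sub = |s: &str| Target::Subnet(s.into());
    vec![
        Rule { name: "allow-front-to-back".into(), targets: vec![sub("subnet-back")], hosts: vec![sub("subnet-front")] },
        Rule { name: "allow-all-vpc".into(), targets: vec![Target::Vpc("vpc-a".into())], hosts: vec![] },
    ]
}

/// One event end to end: deleting `subnet` prunes the rules that name it, then every sled in
/// `vpc` gets the recompiled set for each of its instances. Returns (sled, instance, rule names).
pub fn apply_subnet_deleted(fleet: &[Instance], rules: &[Rule], vpc: &str, subnet: &str) -> Vec<(String, String, Vec<String>)> {
    let ev = Event::SubnetDeleted { vpc: vpc.to_string(), subnet: subnet.to_string() };
    let pruned = prune_subnet(rules, subnet);
    let mut out = Vec::new();
    for sled in sleds_to_update(&ev, fleet) {
        for inst in fleet.iter().filter(|i| i.sled == sled) {
            let names: Vec<String> = compile_for(&pruned, inst).iter().map(|r| r.name.clone()).collect();
            out.push((sled.clone(), inst.name.clone(), names));
        }
    }
    out
}
```

Calling `apply_subnet_deleted(&sample_fleet(), &sample_rules(), "vpc-a", "subnet-front")` shows the point of the subnet case: before the deletion `db` would receive both rules, afterwards `allow-front-to-back` is gone and only `allow-all-vpc` is pushed to sled-1 and sled-2, while sled-3 (vpc-b) is not contacted at all. The migration arm returns both sleds on purpose: the destination needs the rules and the source needs to know the instance is gone.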