6

I am developing a simple python script to add rules to securitygroups, and I am wondering what is the difference between the two methods available within boto3: authorize_security_group_ingress(**kwargs) and authorize_ingress(**kwargs)?

The descriptions are the same: "Adds one or more ingress rules to a security group"

Tom
  • 616
  • 8
  • 13
  • if downvoting, could you please add a comment to specify why, so that I can adapt it or find another place to ask? – Tom Oct 16 '15 at 14:45

2 Answers2

11

The 2 different classes are about different levels of abstraction.

  • Client classes are low level wrappers around each API action. ie. AuthorizeSecurityGroupIngress
  • Resource classes are object oriented, you instantiate an object to represent the group and interact with it that way. It provides a higher level of abstraction that decouples you from the individual API calls and provides some persistence

to show the difference, lets create a security group and open port 80 to the internet.

with client

    ec2 = boto3.client('ec2')
    response = ec2.create_security_group(GroupName='testgroup2',Description='testme')
    ec2.authorize_security_group_ingress(GroupId=response['GroupId'],IpProtocol="tcp",CidrIp="0.0.0.0/0",FromPort=80,ToPort=80)

with resource:

    ec2 = boto3.resource('ec2')
    mysg = ec2.create_security_group(GroupName="testgroup",Description='testme')
    mysg.authorize_ingress(IpProtocol="tcp",CidrIp="0.0.0.0/0",FromPort=80,ToPort=80) 

The key difference here is that resource object eliminates the need for a "response" variable and takes care of remembering the Security group for later use. It doesn't seem like a big difference but it makes your code cleaner and more object oriented
see the boto docs: https://boto3.readthedocs.org/en/latest/guide/resources.html for more detail on them.

Nath
  • 1,282
  • 9
  • 10
1

The only difference that I can see between the two functions is that they belong to different classes. The function authorize_security_group_ingress resides in EC2.Client and authorize_ingress resides in EC2.SecurityGroup. They do the same thing.

Bazze
  • 1,511
  • 9
  • 10
  • yep i don't see any other difference either from my side... thanks for confirming this, I don't know why boto implemented those two different ways – Tom Oct 19 '15 at 09:21