Piculet
Security GroupsManage EC2 Security Groups as code with a Ruby DSL
- Manages
- Amazon EC2 Security Groups
- Language
- Ruby
- Package
- piculet
- CLI
- piculet
- Config file
- Groupfile
ec2 "vpc-XXXXXXXX" do
security_group "default" do
description "default VPC security group"
ingress do
permission :tcp, 22..22 do
ip_ranges(
"0.0.0.0/0"
)
end
end
end
end
Piculet is a command-line tool that manages Amazon EC2 Security Groups as code. You keep your firewall rules in a Ruby file called a Groupfile, then apply it to update AWS. It exports current rules, shows a dry-run diff, and applies changes idempotently.
What is Piculet?
Piculet manages Amazon EC2 Security Groups as code. You write your firewall rules in a Ruby file called a Groupfile. The piculet command then makes AWS match the file, adding and revoking rules idempotently.
Security group sprawl is a common mess. Rules pile up over the years. Nobody remembers why port 8443 is open to some CIDR, and console edits leave no trail. Piculet turns the whole firewall into a text file you can review. Every opened port now gets a diff and a dry-run first. This is the idea behind codenization.
A Groupfile can hold:
- Ingress rules by protocol, port range, and source
- Egress rules for VPC security groups
- Sources given as IP ranges or other groups
It suits teams that want focused, low-fuss firewall management. It often runs next to Kelbim, which manages the Classic load balancers those groups protect. Note the upstream repo is archived, so pin your versions.
- Manages EC2 Security Groups and their ingress and egress rules.
- All firewall rules live in one Groupfile kept in Git.
- A first export reveals forgotten rules and risky 0.0.0.0/0 access.
- Dry-run shows every rule to be granted or revoked before you apply.
- Re-running the dry-run works as drift detection for hand edits.
- The upstream repo is archived since 2020, so pin your gem versions.
Install and run Piculet
Install
Install the piculet gem (Ruby required).
$ gem install piculetExport current state
Pull the live Security Groups configuration into a Groupfile.
$ piculet -e -o GroupfileDry-run, then apply
Preview the diff, then apply the change for real.
$ piculet -a --dry-runPiculet follows an export, review, apply loop. Start with piculet -e to capture every security group in the region. On big accounts, --split writes one file per group so diffs stay short. Commit it to Git. That first export is often an eye-opener, surfacing forgotten rules and wide-open 0.0.0.0/0 access.
To change a rule, edit the Groupfile in a branch and open a pull request. Run piculet -a --dry-run to preview which permissions would be granted or revoked. Paste that output into the review. Then run piculet -a to apply. A second apply is a no-op, since Piculet is idempotent. Re-running the dry-run later catches console edits made outside the file.
Your very first export is a free security audit. Grep the Groupfile for 0.0.0.0/0 to spot ports open to the whole internet, then close them as a reviewed diff.
What Piculet can do
Export current rules
piculet -e writes your existing groups to a Groupfile. Use --split or --split-more for one file per VPC or per group, which keeps code review clean.
Dry-run before apply
piculet -a --dry-run shows which permissions would be granted or revoked, without touching AWS. Risky firewall changes are visible before they happen.
VPC and EC2-Classic support
The DSL models VPC security groups, including egress rules, and legacy EC2-Classic groups. Each is scoped per VPC with the ec2 block.
Templates for shared rules
Define a common block once, such as standard SSH or monitoring ingress. Then include it across many groups with context variables.
Targeted operations
Filter what Piculet manages with -n for named groups, -x to exclude, and --exclude-tags to skip by tag. This helps in shared accounts.
Ruby DSL or JSON format
The --format option exports and applies config as JSON instead of Ruby. That helps when other systems generate your rules.
| Option | Effect |
|---|---|
-n | Limit work to named groups only |
-x | Exclude specific groups |
--exclude-tags | Skip groups by tag |
--ec2s | Restrict to certain VPCs |
--split | Write one file per group for clean diffs |
When teams reach for Piculet
Firewall changes through pull requests
Opening a port becomes a one-line diff, not an unlogged console edit. Reviewers see the exact CIDR and port range in the pull request, next to the dry-run of what will be granted.
Auditing security group sprawl
One export gives a greppable list of every rule in the account. Teams hunt for 0.0.0.0/0 ingress, duplicate groups, and rules pointing at deleted resources, then remove them as a reviewed diff.
Keeping environments consistent
With templates and context variables, staging and production can share one rule set with different CIDRs. That stops environments from silently drifting apart.