AWS Bootstrap with predefined Security Group


Is there a workaround for telling Juju to use a predefined security group on an AWS bootstrap? Due to permissions constraints/etc., our automation needs to work with predefined security groups that are made manually.

Something like:

juju bootstrap --config vpc-id-force=true --config vpc-id=vpc-for-juju --to "subnet=subnet-for-juju" --constraints "security-group-ids=sgs-for-juju" aws

… would be ideal, but this is not the case.

Is there a workaround for this? Is there a manner to request the above? I believe this would be helpful for those working in constricted environments.


This is not possible at present.

Juju sets up:

  • A model-level security group, named juju-<model UUID>-global, for all Juju-related traffic.
  • A security group for each machine, named juju-<model UUID>-<machine ID>, which is recognised by Juju’s firewaller and used to expose applications.
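
An added example, not part of the original posts and not Juju's own code: using the naming scheme described in the answer, it groups the security groups in `aws ec2 describe-security-groups` JSON by model, so an operator in a permission-restricted account can tell the groups Juju created from those made manually. The UUID and integer machine-ID patterns, the sample data and the function names are assumptions.

```python
import json
import re
from collections import defaultdict

# Assumptions: the model UUID is a standard lowercase UUID, and machine IDs
# are plain integers (as for top-level machines).
UUID = r"[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}"
JUJU_SG = re.compile(rf"^juju-(?P<model>{UUID})-(?P<suffix>global|\d+)$")

MODEL_A = "3f2c1a9e-7b4d-4e6f-8a10-5c9d2e1b0f77"  # constructed
MODEL_B = "9d8e7f6a-1b2c-4d3e-9f40-a1b2c3d4e5f6"  # constructed

# Constructed sample in the shape of `aws ec2 describe-security-groups` output.
SAMPLE = json.dumps({"SecurityGroups": [
    {"GroupId": "sg-0001", "GroupName": f"juju-{MODEL_A}-global"},
    {"GroupId": "sg-0002", "GroupName": f"juju-{MODEL_A}-0"},
    {"GroupId": "sg-0003", "GroupName": f"juju-{MODEL_A}-1"},
    {"GroupId": "sg-0004", "GroupName": f"juju-{MODEL_B}-3"},
    {"GroupId": "sg-0005", "GroupName": "sgs-for-juju"},
    {"GroupId": "sg-0006", "GroupName": "default"},
]})


def inventory(describe_json):
    """Split groups into Juju-named ones (per model) and everything else."""
    models = defaultdict(lambda: {"global": None, "machines": {}})
    other = []
    for sg in json.loads(describe_json)["SecurityGroups"]:
        match = JUJU_SG.match(sg["GroupName"])
        if match is None:
            other.append(sg["GroupId"])
        elif match["suffix"] == "global":
            models[match["model"]]["global"] = sg["GroupId"]
        else:
            models[match["model"]]["machines"][int(match["suffix"])] = sg["GroupId"]
    return dict(models), other


def missing_global(models):
    """Models with per-machine groups but no model-level group: worth a manual look."""
    return sorted(m for m, e in models.items() if e["global"] is None and e["machines"])


if __name__ == "__main__":
    models, other = inventory(SAMPLE)
    for model, entry in models.items():
        print(model, "global:", entry["global"], "machines:", entry["machines"])
    print("not Juju-named:", other)
    print("no model-level group:", missing_global(models))
```
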