In a default-deny setup, where the operator doesn't want to open a foundation-wide security group at service installation time, it would be useful to create and bind a security group on the fly (one that allows communication to the service deployment) at service instance creation time.
1. Developer creates service
2. Broker checks if the ASG allowing communication exists
3. If not, broker binds the ASG to the app's space
4. Rest of flow works as normal
The developer would need to restart the app after service bind anyway, so the security group would get applied as part of that flow.
Has anyone built something like this as an open source library? I've run across some folks that are interested in this as a cross-cutting broker behavior, to keep their traffic rules as restrictive as possible.
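An added example of the broker-side flow in steps 1 to 4 above (this is an editor's illustration, not code from the post's author or from any existing broker). It is Python with the Cloud Controller calls behind a small interface: FakeCloudController keeps everything in memory so the logic runs offline, and HttpCloudController shows the same three calls against the CC v3 security_groups API. The v3 paths, the `names` query parameter and the JSON shapes in HttpCloudController are assumptions to check against your Cloud Controller's API docs, as are the `svc-<instance guid>` naming, the 10.20.30.0/24 sample network and the constructed sample request. The space GUID is read from the OSB `context` block that Cloud Controller includes in provision and bind requests, so the same handler works at either step.

```python
"""Added example (editor's illustration, not the post's or any project's code):
a broker step that ensures an ASG for the service deployment exists and is
bound to the requesting app's space. CC v3 details are assumptions."""
import ipaddress
import json
import urllib.request
from dataclasses import dataclass, field


@dataclass
class SecurityGroup:
    guid: str
    name: str
    rules: list
    running_spaces: set = field(default_factory=set)


class FakeCloudController:
    """In-memory stand-in for the Cloud Controller (constructed for this example)."""

    def __init__(self):
        self.groups = {}

    def find_security_group(self, name):
        return next((g for g in self.groups.values() if g.name == name), None)

    def create_security_group(self, name, rules):
        sg = SecurityGroup(guid="sg-%d" % (len(self.groups) + 1), name=name, rules=rules)
        self.groups[sg.guid] = sg
        return sg

    def bind_running(self, sg_guid, space_guid):
        # Binding is idempotent: binding a space that is already bound is a no-op.
        self.groups[sg_guid].running_spaces.add(space_guid)


class HttpCloudController:
    """Same operations over the CC v3 API. ASSUMPTION: paths, the `names` filter
    and the JSON shapes follow the v3 security_groups resource; verify locally."""

    def __init__(self, api_url, bearer_token):
        self.api_url, self.token = api_url.rstrip("/"), bearer_token

    def _call(self, method, path, body=None):
        data = json.dumps(body).encode() if body is not None else None
        req = urllib.request.Request(self.api_url + path, data=data, method=method,
                                     headers={"Authorization": "bearer " + self.token,
                                              "Content-Type": "application/json"})
        with urllib.request.urlopen(req) as resp:
            return json.load(resp)

    def find_security_group(self, name):
        found = self._call("GET", "/v3/security_groups?names=" + name)["resources"]
        if not found:
            return None
        g = found[0]
        spaces = {s["guid"] for s in g["relationships"]["running_spaces"]["data"]}
        return SecurityGroup(g["guid"], g["name"], g["rules"], spaces)

    def create_security_group(self, name, rules):
        g = self._call("POST", "/v3/security_groups", {"name": name, "rules": rules})
        return SecurityGroup(g["guid"], g["name"], g["rules"])

    def bind_running(self, sg_guid, space_guid):
        self._call("POST", "/v3/security_groups/%s/relationships/running_spaces" % sg_guid,
                   {"data": [{"guid": space_guid}]})


def asg_rules_for_deployment(cidr, ports, protocol="tcp"):
    """Least-privilege rule set: only the deployment's network and service ports.
    ip_network() rejects malformed input before it can become an egress rule."""
    net = ipaddress.ip_network(cidr, strict=False)
    return [{"protocol": protocol, "destination": str(net), "ports": ports}]


def ensure_asg_bound(cc, instance_guid, space_guid, cidr, ports):
    """Steps 2 and 3 of the post: find-or-create the per-instance ASG, then bind
    it to the app's space if it is not bound already."""
    name = "svc-" + instance_guid  # naming scheme is an assumption
    sg = cc.find_security_group(name)
    created = sg is None
    if created:
        sg = cc.create_security_group(name, asg_rules_for_deployment(cidr, ports))
    already_bound = space_guid in sg.running_spaces
    if not already_bound:
        cc.bind_running(sg.guid, space_guid)
    return {"asg": name, "created": created, "bound_now": not already_bound}


def handle_provision_or_bind(cc, instance_guid, request, deployment_cidr, deployment_ports):
    """OSB handler fragment: the space GUID comes from the CF `context` block
    that Cloud Controller sends with provision and bind requests."""
    ctx = request.get("context", {})
    if ctx.get("platform") != "cloudfoundry" or "space_guid" not in ctx:
        raise ValueError("request lacks a Cloud Foundry space context")
    return ensure_asg_bound(cc, instance_guid, ctx["space_guid"],
                            deployment_cidr, deployment_ports)


# Constructed sample request in the shape Cloud Controller sends to a broker.
SAMPLE_REQUEST = {
    "service_id": "mysql", "plan_id": "small",
    "bind_resource": {"app_guid": "app-1111"},
    "context": {"platform": "cloudfoundry", "organization_guid": "org-2222",
                "space_guid": "space-3333"},
}

if __name__ == "__main__":
    cc = FakeCloudController()
    print(handle_provision_or_bind(cc, "inst-4444", SAMPLE_REQUEST, "10.20.30.0/24", "3306"))
```

Two things worth keeping in mind with this pattern. An ASG bound to a space applies to every app in that space, not only the app that asked for the service, so the rule set should be the deployment's network and ports and nothing wider. And creating and binding ASGs is an admin operation in Cloud Foundry, so the broker ends up holding an admin-scoped Cloud Controller token that has to be protected like any other foundation-level credential. As the post says, the new rules only reach an app's containers when it is restarted or restaged.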