The provisioning agent is currently the only place within Ensemble
that can take global actions with respect to the provider. Consequently,
provisioning is responsible for the current, if simple, EC2
security group management (with the policy of opening all ports, seen in
the code `ensemble.providers.ec2.launch.EC2LaunchMachine`).

The provisioning agent will watch for the existence of
**/services/<internal service id>/exposed** and, if it exists, watch the
service unit's settings in **/units/<internal unit id>/ports** and make
changes in the firewall settings through the provider.

For the EC2 provider, this will be done through security groups (see
below). Later we will revisit this to let a machine agent do it in the
context of iptables, so as to get out from under the 500 security group
limit for EC2, enable multiple service units per machine, be generic
across other providers, and provide future support for internal firewall
config.
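
A sketch of the reconciliation step described above, added here as an illustration and not taken from Ensemble's code: given the exposed flag and each unit's ports, it computes which firewall rules to authorize and which to revoke. The function names, the dictionary shapes standing in for the ZooKeeper nodes, and the per-machine rule keying are all assumptions.

```python
# Added example: names and data shapes are assumptions, not Ensemble's API.
VALID_PROTOCOLS = ("tcp", "udp")


def desired_rules(services, units):
    """Return the set of (machine, port, protocol) rules that should be open.

    services: {service_id: {"exposed": bool}}; the flag stands in for the
              existence of /services/<internal service id>/exposed.
    units:    {unit_id: {"service": ..., "machine": ..., "ports": [(port, proto)]}};
              "ports" stands in for /units/<internal unit id>/ports.
    """
    rules = set()
    for unit_id, unit in units.items():
        if not services.get(unit["service"], {}).get("exposed", False):
            continue  # unexposed service: nothing is opened for its units
        for port, proto in unit["ports"]:
            if not (isinstance(port, int) and 0 < port < 65536) or proto not in VALID_PROTOCOLS:
                raise ValueError("bad port setting on %s: %r/%r" % (unit_id, port, proto))
            rules.add((unit["machine"], port, proto))
    return rules


def reconcile(current, desired):
    """Return (to_authorize, to_revoke) so the provider ends up with exactly `desired`."""
    return sorted(desired - current), sorted(current - desired)


# Constructed sample state: service-0 is exposed, service-1 was unexposed
# after its port had already been opened.
SERVICES = {"service-0": {"exposed": True}, "service-1": {"exposed": False}}
UNITS = {
    "unit-0": {"service": "service-0", "machine": "machine-0",
               "ports": [(80, "tcp"), (443, "tcp")]},
    "unit-1": {"service": "service-1", "machine": "machine-1",
               "ports": [(3306, "tcp")]},
}
CURRENT = {("machine-0", 80, "tcp"), ("machine-1", 3306, "tcp")}

if __name__ == "__main__":
    to_authorize, to_revoke = reconcile(CURRENT, desired_rules(SERVICES, UNITS))
    print("authorize:", to_authorize)
    print("revoke:   ", to_revoke)
```

Computing the revoke set from the difference, rather than only adding rules, is what lets an unexposed service lose ports that were opened earlier.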

This bug was subdivided into a number of bugs. Although expose-cleanup and future support for exposed and unexposed hooks are forthcoming, it doesn't make sense to keep this overarching bug just going on.