One of the consequences of removing a mandatory security group id in the case of a VPC is that when knife prints the security groups the machine is going to use and no id is specified, I don't yet know the security group id of the default VPC security group that's going to be used. I do know the name, 'default', but if I just print that instead, I'd get a minor inconsistency where it shows the default name if nothing is specified and an id if something is. If I wanted to remove that inconsistency, I'd need to do some sort of lookup through the Amazon API to get the name of the security group the id belongs to. If I'm doing that, I might as well do away with specifying the security group ids in knife altogether, and try to fix the issue on Fog's side. It seems to me that, theoretically, specifying a subnet id and security group name should be sufficient to uniquely identify the group. I don't know why that's not in Fog.
My current fix is sufficient for my needs, but perhaps leaving knife ec2 as is and attempting to fix this in Fog is better in general. Bryan, what do you think about this?