beaker-aws 0.5.0 → 0.6.0

checksums.yaml CHANGED
@@ -1,7 +1,7 @@
1
1
  ---
2
2
  SHA1:
3
- metadata.gz: 6b4745f452de2d148f3fec8898abd872aba8ee8c
4
- data.tar.gz: c6c1d60d17e1f2e0038646c2b6647aca8a95313c
3
+ metadata.gz: 57529b95c092329fae7b75595e5d037d1a911b7e
4
+ data.tar.gz: b0da2eb31f34a2577011d61ebba9c9ce6c1a90d3
5
5
  SHA512:
6
- metadata.gz: df37c8ff2640e9707a8d7cfc2f2c3d8e83aed44147ac404d9f5fdffeeb3e7ec22cbe1a642b0f39848de534a70d23d0732fa43b84974798e5f5c2b1aa38f89cfb
7
- data.tar.gz: 3584601c4b8f4b6fec30651816202628681a0d3616c480e68af91f16df1be68daca80ffe56cf29c1284098dcb94e44ad16fe5bdee7b7280eed5368480ee91003
6
+ metadata.gz: 74923a90c8fe25d456959961d7ae0f2f5672d6116e631fa9b8e514b14d6fad51320fc98d03ea42995629317a24ef8e3f51d028a220fc9876435427aeed37a5da
7
+ data.tar.gz: 9da09c3fc224398a918979348b0e9c1a454b0276dfd923dd1b97d7e526d03aea15d8f820b0fe6add671bda0ae5c9bab5a680332208c9ea2e380ef3dc84973113
data/CHANGELOG.md CHANGED
@@ -1,10 +1,20 @@
1
1
  # Change Log
2
2
 
3
+ ## [0.6.0](https://github.com/puppetlabs/beaker-aws/tree/0.6.0) (2018-07-16)
4
+ [Full Changelog](https://github.com/puppetlabs/beaker-aws/compare/0.5.0...0.6.0)
5
+
6
+ **Merged pull requests:**
7
+
8
+ - \(BKR-1481\) Rewrite beaker-aws to use shared .fog parsing [\#15](https://github.com/puppetlabs/beaker-aws/pull/15) ([Dakta](https://github.com/Dakta))
9
+ - Custom CIDRs for security group, none default VPC fixes [\#14](https://github.com/puppetlabs/beaker-aws/pull/14) ([ardeshireshghi](https://github.com/ardeshireshghi))
10
+ - \(MAINT\) Document Acceptance Test Setup [\#13](https://github.com/puppetlabs/beaker-aws/pull/13) ([Dakta](https://github.com/Dakta))
11
+
3
12
  ## [0.5.0](https://github.com/puppetlabs/beaker-aws/tree/0.5.0) (2018-06-13)
4
13
  [Full Changelog](https://github.com/puppetlabs/beaker-aws/compare/0.4.0...0.5.0)
5
14
 
6
15
  **Merged pull requests:**
7
16
 
17
+ - \(MAINT\) add changelog for 0.5.0 release [\#11](https://github.com/puppetlabs/beaker-aws/pull/11) ([kevpl](https://github.com/kevpl))
8
18
  - \(BKR-1464\) Rewrite to use AWS SDK v3 [\#10](https://github.com/puppetlabs/beaker-aws/pull/10) ([rodjek](https://github.com/rodjek))
9
19
  - \(MAINT\) Bump for new release [\#9](https://github.com/puppetlabs/beaker-aws/pull/9) ([cdenneen](https://github.com/cdenneen))
10
20
  - \(BKR-1199\) Updated documentation for use\_fog\_credentials [\#8](https://github.com/puppetlabs/beaker-aws/pull/8) ([cdenneen](https://github.com/cdenneen))
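Review bot: the entry for #14 should name the new host parameter (`sg_cidr_ips`) and say that the default is still `0.0.0.0/0`, so a reader of the changelog can tell that this release does not tighten existing security-group rules by itself; "Custom CIDRs for security group, none default VPC fixes" gives no hint of what to set or that the ICMP (ping) group is affected too. The #15 entry should likewise mention that `.fog` parsing now goes through a shared helper (`get_fog_credentials`), because that determines which beaker version 0.6.0 needs.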
@@ -0,0 +1,36 @@
1
+ Notes on testing `beaker-aws` if your AWS configuration requires MFA or IAM Roles.
2
+
3
+ # MAF and IAM Role
4
+
5
+ If the credentials you use to access EC2 require MFA (Milti-Factor Authentication), the current workflow is to manually fetch a session token then set it in `.fog` under `aws_session_token`:
6
+
7
+ 1. Install AWS CLI tools.
8
+ 2. Configure your shared credentials in `~/.aws`
9
+ 3. Get a temporary role session
10
+ ~~~console
11
+ $ aws sts assume-role --role-arn <ROLE_ARN_STRING> --role-session-name "<SESSION_NAME>" --serial-number <MFA_ARN_STRING> --token-code <MFA_TOKEN>
12
+ {
13
+ "Credentials": {
14
+ "AccessKeyId": "accesskeyid",
15
+ "SecretAccessKey": "secretaccesskey",
16
+ "SessionToken": "somesuperlongsessiontoken",
17
+ "Expiration": "2018-06-25T19:54:04Z"
18
+ },
19
+ "AssumedRoleUser": {
20
+ "AssumedRoleId": "<SESSION_ROLE_ID>",
21
+ "Arn": "<NAMED_ROLE_SESSION>"
22
+ }
23
+ }
24
+ ~~~
25
+ 4. Extract `AccessKeyId`, `SecretAccessKey`, and `SessionToken` and put them in your `.fog` file as `aws_access_key_id`, `aws_secret_access_key`, and `aws_session_token`. By default this session will be valid for one hour. See `aws sts assume-role help` to extend the session lifetime.
26
+ 5. You can now run beaker (or `beaker-aws` acceptance tests) on AWS:
27
+ ~~~console
28
+ $ bundle exec rake test:acceptance
29
+ ~~~
30
+ As always, be sure you have configured a passwordless SSH key. These tests look for `~/.ssh/id_rsa` as the default to provision SUTs with.
31
+
32
+ # Shared Credentials
33
+
34
+ In theory, there should eventually be support for roles from shared credentials in `~/.aws/` from the Ruby AWS SDK directly, but [that functionality is on the backlog](https://github.com/aws/aws-sdk-ruby/issues/1256). Regardless, that doesn't seem like it would necessarily work with MFA.
35
+
36
+ Support for IAM Roles and MFA are not formally planned for beaker-aws.
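Review bot: two typos in the new file: the heading "# MAF and IAM Role" should read "MFA", and "Milti-Factor Authentication" should read "Multi-Factor". On the security side, step 4 has the reader paste live temporary `AccessKeyId`, `SecretAccessKey` and `SessionToken` values into `.fog`; the doc should add that `.fog` then contains usable credentials and must be mode 0600 and kept out of version control, and that the pasted values stop working at the `Expiration` timestamp shown in the sample output, so a failing run after an hour is expected behaviour rather than a beaker-aws bug (`--duration-seconds` on `aws sts assume-role` extends it, up to the role's configured maximum). The closing sentence should also say that the passwordless `~/.ssh/id_rsa` ought to be a dedicated test key rather than a personal one, since its public half is imported into the account and the private half sits unencrypted on disk.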
data/aws.md CHANGED
@@ -45,7 +45,7 @@ examples of AMI IDs, check out their
45
45
  [Amazon Linux AMI page](https://aws.amazon.com/amazon-linux-ami/).
46
46
 
47
47
  The `region-id` variable represents the EC2 region ID from AWS. For reference,
48
- checkout EC2's
48
+ checkout EC2's
49
49
  [Regions and Availability Zones page]
50
50
  (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).
51
51
  An example of a region ID is `eu-west-1` for the Ireland data center.
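Review bot: this hunk and the two that follow in aws.md change only trailing whitespace (`checkout EC2's`, the `**Note:**` line, and the blank line before `### ec2 VM Hostnames`); they are harmless but add noise to a release diff, so either drop them or land them in the (MAINT) commit so the functional change stays easy to read.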
@@ -72,7 +72,7 @@ The `host-vmname-value` references the ID created in the Amazon Image Config fil
72
72
  above. If not provided, Beaker will try to name an AMI Config using the host's
73
73
  platform string.
74
74
 
75
- **Note:** If you are using `amazon-6-x86_64` as `vmname`, you have to specify `platform` as `el-6-x86_64`. Similarly for `amazon-6-i386` use `el-6-i386` as `platform`.
75
+ **Note:** If you are using `amazon-6-x86_64` as `vmname`, you have to specify `platform` as `el-6-x86_64`. Similarly for `amazon-6-i386` use `el-6-i386` as `platform`.
76
76
 
77
77
  The `type` references the type variable in the Amazon Image Config file as well,
78
78
  so this key picks out the particular AMI ID from the set available for this type
@@ -82,7 +82,7 @@ The `ami-size` variable refers to
82
82
  [instance types](https://aws.amazon.com/ec2/instance-types/) by their model name.
83
83
  Some examples of these values are "m3.large", "c4.xlarge", and "r3.8xlarge". The
84
84
  default value if this key is not provided used by Beaker is "m1.small".
85
-
85
+
86
86
  ### ec2 VM Hostnames
87
87
 
88
88
  By default, beaker will set the hostnames of the VMs to the 'Public DNS' hostname supplied by ec2 (and which is normally based on the Public IP address). If your test requires the hosts be named identically to the `<hostname>:` from your beaker hosts file, set `:use_beaker_hostnames: true` in the beaker hosts file.
@@ -147,3 +147,8 @@ like so:
147
147
  [AWS EC2 200 0.142666 0 retries] describe_key_pairs(:filters=>[{:name=>"key-name",:values=>["Beaker-johnsmith-Johns-Ubuntu-2-local"]}])
148
148
 
149
149
  The values string in that line is what you're looking for.
150
+
151
+ ### Add custom CIDRs to security groups inbound rules
152
+
153
+ Beaker creates 2 security groups to be able to access the EC2 instance. By default it defines inbound rules which allow access to everyone(0.0.0.0/0). In order to limit that access it is possible to configure the host param `sg_cidr_ips` which can be supplid with a list of CIDRs.
154
+
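Review bot: "supplid" should be "supplied", and "a list of CIDRs" conflicts with the implementation shipped in this same release, which does `host['sg_cidr_ips'].split(',')` and therefore expects one comma-separated string; a YAML sequence would raise `NoMethodError` on `split`. State the format here the way ec2.md does (`sg_cidr_ips: 172.28.40.0/24,172.20.112.0/20`), say that the default remains `0.0.0.0/0` so nobody assumes upgrading alone closes the groups, and add a space in "everyone(0.0.0.0/0)".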
data/ec2.md CHANGED
@@ -34,7 +34,7 @@ hypervisor: ec2
34
34
  nfs_server: none
35
35
  consoleport: 443
36
36
 
37
- ### Using role
37
+ ### Using role
38
38
  *(If you'd like to use instance role you can disable reading fog credentials)*
39
39
 
40
40
  #### No fog file needed ####
@@ -56,7 +56,7 @@ Beaker will automagically provision EC2 nodes, provided the 'platform:' section
56
56
  ### Supported EC2 Variables ###
57
57
  These variables can either be set per-host or globally.
58
58
 
59
- ####`additional_ports`####
59
+ #### `additional_ports` ####
60
60
  Ports to be opened on the instance, in addition to those opened by Beaker to support Puppet functionality. Can be a single value or an array. Example valid values: 1001, [1001], [1001, 1002].
61
61
 
62
62
  Ports opened by default:
@@ -66,17 +66,22 @@ Ports opened by default:
66
66
  * `database` will also have [5432, 8080, 8081] opened
67
67
  * If you have a split install, all the hosts with `master`, `dashboard` and `database` role will have port 8143 opened
68
68
 
69
- ####`amisize` ####
70
- The [instance type](https://aws.amazon.com/ec2/instance-types/) - defaults to `m1.small`.
71
- ####`snapshot`####
69
+ #### `amisize` ####
70
+ The [instance type](https://aws.amazon.com/ec2/instance-types/) - defaults to `m1.small`.
71
+
72
+ #### `snapshot` ####
72
73
  The snapshot to use for ec2 instance creation.
73
- ####`subnet_id`####
74
+
75
+ #### `subnet_id` ####
74
76
  If defined the instance will be created in this EC2 subnet. `vpc_id` must be defined. Cannot be defined at the same time as `subnet_ids`.
75
- ####`subnet_ids`####
77
+
78
+ #### `subnet_ids` ####
76
79
  If defined the instace will be crated in one of the provided array of EC2 subnets. `vpc_id` must be defined. Cannot be defined at the same time as `subnet_id`.
77
- ####`vmname`####
80
+
81
+ #### `vmname` ####
78
82
  Used to look up the pre-defined AMI information in `config/image_templates/ec2.yaml`. Will default to `platform` if not defined.
79
- #####Example ec2.yaml#####
83
+
84
+ ##### Example ec2.yaml #####
80
85
  In this example the `vmname` would be `puppetlabs-centos-5-x86-64-west`. Looking up the `vmname` in the `ec2.yaml` file provides an AMI ID by type (`pe` or `foss`) and the region.
81
86
 
82
87
  ```
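Review bot: while the headings in this hunk are being normalised, the context line for `subnet_ids` still reads "the instace will be crated in one of the provided array"; fix "instance" and "created" in the same pass so the next release does not need another doc-only hunk here.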
@@ -87,9 +92,22 @@ AMI:
87
92
  :region: us-west-2
88
93
  ```
89
94
 
90
- ####`volume_size`####
95
+ #### `volume_size` ####
91
96
  Size of the [EBS Volume](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) that will be attached to the EC2 instance.
92
- ####`vpc_id`####
97
+
98
+ #### `vpc_id` ####
93
99
  ID of the [VPC](https://aws.amazon.com/vpc/) to create the instances in. If not provided will either use the default VPC for the provided region (marked as `isDefault`), otherwise falls back to `nil`. If subnet information is provided (`subnet_id`/`subnet_ids`) this must be defined.
94
- ####`user`####
100
+
101
+ #### `sg_cidr_ips` ####
102
+ Comma seperated list of [CIDRs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html) which define the whitelisted IPs used by beaker. They will be added to the security groups which are created and associated with EC2 instance. Below is an example:
103
+
104
+ ```
105
+ HOSTS:
106
+ somehostname:
107
+ sg_cidr_ips: 172.28.40.0/24,172.20.112.0/20
108
+ ```
109
+
110
+ This is optional and by default is set to '0.0.0.0/0'.
111
+
112
+ #### `user` ####
95
113
  By default root login is not allowed with Amazon Linux. Setting it to ec2-user will trigger `sshd_config` and `authorized_keys` changes by beaker.
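Review bot: "Comma seperated" should be "Comma separated", and the doc should state that the value is split on the comma only, with no whitespace trimming, so `172.28.40.0/24, 172.20.112.0/20` produces a second element with a leading space that EC2 rejects as an invalid CIDR (see `sg_cidr_ips = host['sg_cidr_ips'].split(',')` in this release). It would also help to say which groups are affected: both the per-port group and the ping (ICMP) group get one inbound rule per CIDR, and the default `'0.0.0.0/0'` keeps behaviour identical to 0.5.0.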
@@ -265,6 +265,8 @@ module Beaker
265
265
  amitype = host['vmname'] || host['platform']
266
266
  amisize = host['amisize'] || 'm1.small'
267
267
  vpc_id = host['vpc_id'] || @options['vpc_id'] || nil
268
+ host['sg_cidr_ips'] = host['sg_cidr_ips'] || '0.0.0.0/0';
269
+ sg_cidr_ips = host['sg_cidr_ips'].split(',')
268
270
 
269
271
  if vpc_id && !subnet_id
270
272
  raise RuntimeError, "A subnet_id must be provided with a vpc_id"
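Review bot: the two added lines need input hardening. `host['sg_cidr_ips'] = host['sg_cidr_ips'] || '0.0.0.0/0';` has a stray trailing semicolon and writes the default back into the host object, and `split(',')` neither strips whitespace nor accepts a YAML array, so `sg_cidr_ips: [...]` raises `NoMethodError` and `a/24, b/20` sends `" b/20"` to EC2, which rejects it. Suggest `sg_cidr_ips = Array(host['sg_cidr_ips'] || '0.0.0.0/0').flat_map { |s| s.to_s.split(',') }.map(&:strip).reject(&:empty?)`, optionally followed by `IPAddr.new(cidr)` (stdlib `ipaddr`) on each element so a typo fails here with a clear message rather than inside `authorize_security_group_ingress`. Unlike `vpc_id` on the line above, there is no `@options['sg_cidr_ips']` fallback, so the restriction cannot be set once for the whole run.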
@@ -324,9 +326,9 @@ module Beaker
324
326
  end
325
327
  end
326
328
 
327
- security_group = ensure_group(vpc || region, Beaker::EC2Helper.amiports(host))
329
+ security_group = ensure_group(vpc || region, Beaker::EC2Helper.amiports(host), sg_cidr_ips)
328
330
  #check if ping is enabled
329
- ping_security_group = ensure_ping_group(vpc || region)
331
+ ping_security_group = ensure_ping_group(vpc || region, sg_cidr_ips)
330
332
 
331
333
  msg = "aws-sdk: launching %p on %p using %p/%p%s" %
332
334
  [host.name, amitype, amisize, image_type,
@@ -340,7 +342,7 @@ module Beaker
340
342
  :enabled => true,
341
343
  },
342
344
  :key_name => ensure_key_pair(region).key_pairs.first.key_name,
343
- :security_groups => [security_group.group_name, ping_security_group.group_name],
345
+ :security_group_ids => [security_group.group_id, ping_security_group.group_id],
344
346
  :instance_type => amisize,
345
347
  :disable_api_termination => false,
346
348
  :instance_initiated_shutdown_behavior => "terminate",
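Review bot: switching from `:security_groups` (names) to `:security_group_ids` is the right change for VPC launches, since group names only resolve in EC2-Classic or the default VPC; it does assume both groups were created in the same VPC as `subnet_id`. `create_group` now sets `params[:vpc_id]` for that, but the `params` construction in `create_ping_group` is outside the visible part of this diff, so confirm the ping group gets `vpc_id` as well or `run_instances` will fail for non-default VPCs.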
@@ -478,7 +480,7 @@ module Beaker
478
480
  # TODO: should probably be a in a shared method somewhere
479
481
  for tries in 1..10
480
482
  refreshed_instance = instance_by_id(instance.instance_id)
481
-
483
+
482
484
  if refreshed_instance.nil?
483
485
  @logger.debug("Instance #{name} not yet available (#{e})")
484
486
  else
@@ -715,7 +717,7 @@ module Beaker
715
717
  # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html
716
718
  # Also note that without an elastic ip set, while this will
717
719
  # preserve the hostname across a full shutdown/startup of the vm
718
- # (as opposed to a reboot) -- the ip address will have changed.
720
+ # (as opposed to a reboot) -- the ip address will have changed.
719
721
  host.exec(Command.new("sed -ie '/^HOSTNAME/ s/=.*/=#{host.name}/' /etc/sysconfig/network"))
720
722
  end
721
723
  end
@@ -908,9 +910,10 @@ module Beaker
908
910
  # Accepts a VPC as input for checking & creation.
909
911
  #
910
912
  # @param vpc [Aws::EC2::VPC] the AWS vpc control object
913
+ # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
911
914
  # @return [Aws::EC2::SecurityGroup] created security group
912
915
  # @api private
913
- def ensure_ping_group(vpc)
916
+ def ensure_ping_group(vpc, sg_cidr_ips = ['0.0.0.0/0'])
914
917
  @logger.notify("aws-sdk: Ensure security group exists that enables ping, create if not")
915
918
 
916
919
  group = client.describe_security_groups(
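Review bot: the yard tag `@param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule` is wrong: these CIDRs feed `authorize_security_group_ingress`, i.e. inbound rules (the same wording recurs on the new `@param` tags in `ensure_group`, `create_ping_group`, `create_group` and `add_ingress_rule`). More importantly, `ensure_ping_group` looks the group up by the fixed `PING_SECURITY_GROUP_NAME` and only hands `sg_cidr_ips` to `create_ping_group` when nothing is found, so an account that already has that group from an earlier run keeps its `0.0.0.0/0` ICMP rule and the caller's restriction is silently ignored. Either compare the existing group's `ip_permissions` with the requested CIDRs and revoke/authorize the difference, or fold the CIDR set into the group name so a different restriction yields a different group.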
@@ -921,7 +924,7 @@ module Beaker
921
924
  ).security_groups.first
922
925
 
923
926
  if group.nil?
924
- group = create_ping_group(vpc)
927
+ group = create_ping_group(vpc, sg_cidr_ips)
925
928
  end
926
929
 
927
930
  group
@@ -933,9 +936,10 @@ module Beaker
933
936
  #
934
937
  # @param vpc [Aws::EC2::VPC] the AWS vpc control object
935
938
  # @param ports [Array<Number>] an array of port numbers
939
+ # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
936
940
  # @return [Aws::EC2::SecurityGroup] created security group
937
941
  # @api private
938
- def ensure_group(vpc, ports)
942
+ def ensure_group(vpc, ports, sg_cidr_ips = ['0.0.0.0/0'])
939
943
  @logger.notify("aws-sdk: Ensure security group exists for ports #{ports.to_s}, create if not")
940
944
  name = group_id(ports)
941
945
 
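Review bot: same silent-reuse problem as in `ensure_ping_group`, and here it bites harder: `name = group_id(ports)` keys the lookup on the port set alone, so a `Beaker-...` group created by a previous run (or by another user in the same account) with `0.0.0.0/0` rules is returned as-is and `sg_cidr_ips` never reaches `create_group`. At minimum the `@logger.notify` message should include the CIDRs so an operator can see in the log that a restriction was requested but an existing group was reused; the real fix is to feed the CIDR list into `group_id`'s hash input or to reconcile the existing group's `ip_permissions` against the request.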
@@ -947,7 +951,7 @@ module Beaker
947
951
  ).security_groups.first
948
952
 
949
953
  if group.nil?
950
- group = create_group(vpc, ports)
954
+ group = create_group(vpc, ports, sg_cidr_ips)
951
955
  end
952
956
 
953
957
  group
@@ -957,10 +961,11 @@ module Beaker
957
961
  #
958
962
  # Accepts a region or VPC for group creation.
959
963
  #
960
- # @param rv [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
964
+ # @param region_or_vpc [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
965
+ # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
961
966
  # @return [Aws::EC2::SecurityGroup] created security group
962
967
  # @api private
963
- def create_ping_group(region_or_vpc)
968
+ def create_ping_group(region_or_vpc, sg_cidr_ips = ['0.0.0.0/0'])
964
969
  @logger.notify("aws-sdk: Creating group #{PING_SECURITY_GROUP_NAME}")
965
970
  cl = region_or_vpc.is_a?(String) ? client(region_or_vpc) : client
966
971
 
@@ -972,13 +977,16 @@ module Beaker
972
977
 
973
978
  group = cl.create_security_group(params)
974
979
 
975
- cl.authorize_security_group_ingress(
976
- :cidr_ip => '0.0.0.0/0',
977
- :ip_protocol => 'icmp',
978
- :from_port => '8', # 8 == ICMPv4 ECHO request
979
- :to_port => '-1', # -1 == All ICMP codes
980
- :group_id => group.group_id,
981
- )
980
+ sg_cidr_ips.each do |cidr_ip|
981
+ add_ingress_rule(
982
+ cl,
983
+ group,
984
+ cidr_ip,
985
+ '8', # 8 == ICMPv4 ECHO request
986
+ '-1', # -1 == All ICMP codes
987
+ 'icmp',
988
+ )
989
+ end
982
990
 
983
991
  group
984
992
  end
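Review bot: `'8'` and `'-1'` are passed as strings and only work because the SDK's parameter converter coerces numeric strings for integer shapes; `create_group` passes real Integers into the same `add_ingress_rule`, so use `8` and `-1` here and type the `from_port`/`to_port` yard tags on `add_ingress_rule` as Integer. With N CIDRs this loop also makes N API calls; a single `authorize_security_group_ingress(:group_id => group.group_id, :ip_permissions => [{ :ip_protocol => 'icmp', :from_port => 8, :to_port => -1, :ip_ranges => sg_cidr_ips.map { |c| { :cidr_ip => c } } }])` does the same in one request.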
@@ -987,37 +995,58 @@ module Beaker
987
995
  #
988
996
  # Accepts a region or VPC for group creation.
989
997
  #
990
- # @param rv [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
998
+ # @param region_or_vpc [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
991
999
  # @param ports [Array<Number>] an array of port numbers
1000
+ # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
992
1001
  # @return [Aws::EC2::SecurityGroup] created security group
993
1002
  # @api private
994
- def create_group(region_or_vpc, ports)
1003
+ def create_group(region_or_vpc, ports, sg_cidr_ips = ['0.0.0.0/0'])
995
1004
  name = group_id(ports)
996
1005
  @logger.notify("aws-sdk: Creating group #{name} for ports #{ports.to_s}")
1006
+ @logger.notify("aws-sdk: Creating group #{name} with CIDR IPs #{sg_cidr_ips.to_s}")
997
1007
  cl = region_or_vpc.is_a?(String) ? client(region_or_vpc) : client
998
1008
 
999
- group = cl.create_security_group(
1009
+ params = {
1010
+ :description => "Custom Beaker security group for #{ports.to_a}",
1000
1011
  :group_name => name,
1001
- :description => "Custom Beaker security group for #{ports.to_a}"
1002
- )
1012
+ }
1013
+
1014
+ params[:vpc_id] = region_or_vpc.vpc_id if region_or_vpc.is_a?(Aws::EC2::Types::Vpc)
1015
+
1016
+ group = cl.create_security_group(params)
1003
1017
 
1004
1018
  unless ports.is_a? Set
1005
1019
  ports = Set.new(ports)
1006
1020
  end
1007
1021
 
1008
- ports.each do |port|
1009
- cl.authorize_security_group_ingress(
1010
- :cidr_ip => '0.0.0.0/0',
1011
- :ip_protocol => 'tcp',
1012
- :from_port => port,
1013
- :to_port => port,
1014
- :group_id => group.group_id,
1015
- )
1022
+ sg_cidr_ips.each do |cidr_ip|
1023
+ ports.each do |port|
1024
+ add_ingress_rule(cl, group, cidr_ip, port, port)
1025
+ end
1016
1026
  end
1017
1027
 
1018
1028
  group
1019
1029
  end
1020
1030
 
1031
+ # Authorizes connections from certain CIDR to a range of ports
1032
+ #
1033
+ # @param cl [Aws::EC2::Client]
1034
+ # @param sg_group [Aws::EC2::SecurityGroup] the AWS security group
1035
+ # @param cidr_ip [String] CIDR used for outbound security group rule
1036
+ # @param from_port [String] Starting Port number in the range
1037
+ # @param to_port [String] Ending Port number in the range
1038
+ # @return [void]
1039
+ # @api private
1040
+ def add_ingress_rule(cl, sg_group, cidr_ip, from_port, to_port, protocol = 'tcp')
1041
+ cl.authorize_security_group_ingress(
1042
+ :cidr_ip => cidr_ip,
1043
+ :ip_protocol => protocol,
1044
+ :from_port => from_port,
1045
+ :to_port => to_port,
1046
+ :group_id => sg_group.group_id,
1047
+ )
1048
+ end
1049
+
1021
1050
  # Return a hash containing AWS credentials
1022
1051
  #
1023
1052
  # @return [Hash<Symbol, String>] AWS credentials
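Review bot: three points in this hunk. First, the added `@logger.notify("aws-sdk: Creating group #{name} with CIDR IPs ...")` duplicates the line right above it; merge them into one message. Second, the nested `sg_cidr_ips.each { ports.each { add_ingress_rule(...) } }` issues CIDRs times ports API calls, and if any rule already exists (a repeated CIDR in the list, or a group left half-built by an earlier failed run) EC2 returns `InvalidPermission.Duplicate` and provisioning aborts with a partially configured group; one `authorize_security_group_ingress` call with an `:ip_permissions` array (one entry per port, each carrying every CIDR in `:ip_ranges`) plus a rescue of `Aws::EC2::Errors::InvalidPermissionDuplicate` covers both. Third, `params[:vpc_id]` is only set when `region_or_vpc.is_a?(Aws::EC2::Types::Vpc)`; when a region String is passed the group is created without a VPC, which relies on a default VPC existing in that region, so raise a clear error there rather than letting `create_security_group` fail opaquely. The `@param cidr_ip ... outbound` tag on `add_ingress_rule` should say inbound.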
@@ -1046,8 +1075,7 @@ module Beaker
1046
1075
  # @return [Aws::Credentials] ec2 credentials
1047
1076
  # @api private
1048
1077
  def load_fog_credentials(dot_fog = '.fog')
1049
- fog = YAML.load_file( dot_fog )
1050
- default = fog[:default]
1078
+ default = get_fog_credentials(dot_fog)
1051
1079
 
1052
1080
  raise "You must specify an aws_access_key_id in your .fog file (#{dot_fog}) for ec2 instances!" unless default[:aws_access_key_id]
1053
1081
  raise "You must specify an aws_secret_access_key in your .fog file (#{dot_fog}) for ec2 instances!" unless default[:aws_secret_access_key]
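Review bot: `get_fog_credentials(dot_fog)` is not defined anywhere in this diff; if it comes from beaker core (BKR-1481 in the changelog) the gemspec needs a `beaker` dependency floor that actually ships it, otherwise 0.6.0 raises `NoMethodError` on the first credential load. The removed code called `YAML.load_file` with Psych's full loader on a config file; confirm the shared helper uses `YAML.safe_load` (permitting Symbol keys, since `:aws_access_key_id` is expected), because the full loader can instantiate arbitrary Ruby objects from a crafted file. The two `raise` messages still say "in your .fog file", which is only accurate as long as the helper reads `.fog` and not `~/.aws`.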
@@ -1,3 +1,3 @@
1
1
  module BeakerAws
2
- VERSION = '0.5.0'
2
+ VERSION = '0.6.0'
3
3
  end
@@ -992,6 +992,8 @@ module Beaker
992
992
  describe '#ensure_group' do
993
993
  let(:vpc) { instance_double(Aws::EC2::Types::Vpc, :vpc_id => 1) }
994
994
  let(:ports) { [22, 80, 8080] }
995
+ let(:default_sg_cidr_ips) { ['0.0.0.0/0'] }
996
+
995
997
  subject(:ensure_group) { aws.ensure_group(vpc, ports) }
996
998
 
997
999
  let(:mock_client) { instance_double(Aws::EC2::Client) }
@@ -1030,7 +1032,7 @@ module Beaker
1030
1032
  let(:group) { nil }
1031
1033
 
1032
1034
  it 'creates group if group.nil?' do
1033
- expect(aws).to receive(:create_group).with(vpc, ports).and_return(group)
1035
+ expect(aws).to receive(:create_group).with(vpc, ports, default_sg_cidr_ips).and_return(group)
1034
1036
  allow(mock_client).to receive(:describe_security_groups).with(any_args).and_return(security_group_result)
1035
1037
  expect(ensure_group).to eq(group)
1036
1038
  end
@@ -1038,7 +1040,8 @@ module Beaker
1038
1040
  end
1039
1041
 
1040
1042
  describe '#create_group' do
1041
- let(:rv) { double('rv') }
1043
+ let(:group_vpc_id) { 'vpc-someid' }
1044
+ let(:rv) { instance_double(Aws::EC2::Types::Vpc, :vpc_id => group_vpc_id) }
1042
1045
  let(:ports) { [22, 80, 8080] }
1043
1046
  subject(:create_group) { aws.create_group(rv, ports) }
1044
1047
 
@@ -1065,6 +1068,7 @@ module Beaker
1065
1068
  it 'creates group with expected arguments' do
1066
1069
  group_name = "Beaker-1521896090"
1067
1070
  group_desc = "Custom Beaker security group for #{ports.to_a}"
1071
+
1068
1072
  expect(mock_client).to receive(:create_security_group).with(
1069
1073
  :group_name => group_name,
1070
1074
  :description => group_desc,
@@ -1073,6 +1077,24 @@ module Beaker
1073
1077
  expect(create_group).to eq(group)
1074
1078
  end
1075
1079
 
1080
+ context 'it is called with VPC as first param' do
1081
+ it 'creates group with expected arguments including vpc id' do
1082
+ group_name = "Beaker-1521896090"
1083
+ group_desc = "Custom Beaker security group for #{ports.to_a}"
1084
+
1085
+ allow(rv).to receive(:is_a?).with(String).and_return(false)
1086
+ allow(rv).to receive(:is_a?).with(Aws::EC2::Types::Vpc).and_return(true)
1087
+
1088
+ expect(mock_client).to receive(:create_security_group).with(
1089
+ :group_name => group_name,
1090
+ :description => group_desc,
1091
+ :vpc_id => group_vpc_id,
1092
+ ).and_return(group)
1093
+ allow(mock_client).to receive(:authorize_security_group_ingress).with(include(:group_id => group.group_id)).at_least(:once)
1094
+ expect(create_group).to eq(group)
1095
+ end
1096
+ end
1097
+
1076
1098
  it 'authorizes requested ports for group' do
1077
1099
  allow(mock_client).to receive(:create_security_group).with(any_args).and_return(group)
1078
1100
 
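Review bot: `allow(rv).to receive(:is_a?).with(String)` and `.with(Aws::EC2::Types::Vpc)` stub `is_a?` on an `instance_double`, which ties the test to the exact set of `is_a?` calls inside `create_group` (any additional `is_a?` with another class raises a mock expectation error). `Aws::EC2::Types::Vpc` is a plain Struct, so `let(:rv) { Aws::EC2::Types::Vpc.new(:vpc_id => group_vpc_id) }` gives a real object for which both `is_a?` and `vpc_id` behave without stubs; the same applies to the `vpc` double in `describe '#ensure_group'`.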
@@ -1081,6 +1103,21 @@ module Beaker
1081
1103
  end
1082
1104
  expect(create_group).to eq(group)
1083
1105
  end
1106
+
1107
+ context 'security group CIDRs are passed' do
1108
+ let(:sg_cidr_ips) { ['172.28.40.0/24', '172.20.112.0/20'] }
1109
+ subject(:create_group_with_cidr) { aws.create_group(rv, ports, sg_cidr_ips) }
1110
+
1111
+ it 'authorizes requested CIDR for group' do
1112
+ allow(mock_client).to receive(:create_security_group).with(any_args).and_return(group)
1113
+
1114
+ sg_cidr_ips.each do |cidr_ip|
1115
+ expect(mock_client).to receive(:authorize_security_group_ingress).with(include(:cidr_ip => cidr_ip)).exactly(3).times
1116
+ end
1117
+
1118
+ expect(create_group_with_cidr).to eq(group)
1119
+ end
1120
+ end
1084
1121
  end
1085
1122
 
1086
1123
  describe '#load_fog_credentials' do
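Review bot: the new CIDR spec only exercises `create_group`; the paths most likely to give a wrong result are untested: `ensure_group` and `ensure_ping_group` returning an already-existing group (where `sg_cidr_ips` is dropped) and `create_ping_group` with a custom list. Add a case that stubs `describe_security_groups` to return an existing group and asserts on the outcome for `sg_cidr_ips`, plus one for the ICMP group. `exactly(3).times` per CIDR is correct for the current `let(:ports)` but should be written as `ports.length` so it does not silently break when the port list changes.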
@@ -1088,37 +1125,28 @@ module Beaker
1088
1125
  let(:dot_fog) { '.fog' }
1089
1126
  subject(:load_fog_credentials) { aws.load_fog_credentials(dot_fog) }
1090
1127
 
1091
- it 'returns loaded fog credentials' do
1092
- creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => nil}
1093
- fog_hash = {:default => {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass'}}
1094
- expect(aws).to receive(:load_fog_credentials).and_call_original
1095
- expect(YAML).to receive(:load_file).and_return(fog_hash)
1096
- expect(load_fog_credentials).to have_attributes(creds)
1097
- end
1098
-
1099
- it 'returns loaded fog credentials with session token' do
1100
- creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => 'sometoken'}
1101
- fog_hash = {:default => {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass', :aws_session_token => 'sometoken'}}
1128
+ it 'returns AWS::Credentials with loaded fog credentials and session token' do
1129
+ fog_creds = {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass', :aws_session_token => 'sometoken'}
1130
+ aws_creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => 'sometoken'}
1102
1131
  expect(aws).to receive(:load_fog_credentials).and_call_original
1103
- expect(YAML).to receive(:load_file).and_return(fog_hash)
1104
- expect(load_fog_credentials).to have_attributes(creds)
1132
+ expect(aws).to receive(:get_fog_credentials).and_return(fog_creds)
1133
+ expect(load_fog_credentials).to have_attributes(aws_creds)
1105
1134
  end
1106
1135
 
1107
1136
  context 'raises errors' do
1108
- it 'if missing access_key credential' do
1109
- fog_hash = {:default => {:aws_secret_access_key => 'awspass'}}
1137
+ it 'if missing aws_access_key_id credential' do
1138
+ creds = {:aws_secret_access_key => 'awspass'}
1110
1139
  err_text = "You must specify an aws_access_key_id in your .fog file (#{dot_fog}) for ec2 instances!"
1111
1140
  expect(aws).to receive(:load_fog_credentials).and_call_original
1112
- expect(YAML).to receive(:load_file).and_return(fog_hash)
1141
+ expect(aws).to receive(:get_fog_credentials).and_return(creds)
1113
1142
  expect { load_fog_credentials }.to raise_error(err_text)
1114
1143
  end
1115
1144
 
1116
- it 'if missing secret_key credential' do
1117
- dot_fog = '.fog'
1118
- fog_hash = {:default => {:aws_access_key_id => 'awskey'}}
1145
+ it 'if missing aws_secret_access_key credential' do
1146
+ creds = {:aws_access_key_id => 'awskey'}
1119
1147
  err_text = "You must specify an aws_secret_access_key in your .fog file (#{dot_fog}) for ec2 instances!"
1120
1148
  expect(aws).to receive(:load_fog_credentials).and_call_original
1121
- expect(YAML).to receive(:load_file).and_return(fog_hash)
1149
+ expect(aws).to receive(:get_fog_credentials).and_return(creds)
1122
1150
  expect { load_fog_credentials }.to raise_error(err_text)
1123
1151
  end
1124
1152
  end
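Review bot: the rewrite drops the example without `aws_session_token` (previously asserting `:session_token => nil`), so the most common `.fog` layout (static keys, no session token) is no longer covered through `load_fog_credentials`; keep both examples, one with and one without `:aws_session_token`, now stubbed through `get_fog_credentials`.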
metadata CHANGED
@@ -1,14 +1,14 @@
1
1
  --- !ruby/object:Gem::Specification
2
2
  name: beaker-aws
3
3
  version: !ruby/object:Gem::Version
4
- version: 0.5.0
4
+ version: 0.6.0
5
5
  platform: ruby
6
6
  authors:
7
7
  - Rishi Javia, Kevin Imber, Tony Vu
8
8
  autorequire:
9
9
  bindir: bin
10
10
  cert_chain: []
11
- date: 2018-06-13 00:00:00.000000000 Z
11
+ date: 2018-07-16 00:00:00.000000000 Z
12
12
  dependencies:
13
13
  - !ruby/object:Gem::Dependency
14
14
  name: rspec
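Review bot: `cert_chain: []` is unchanged, so 0.6.0 ships unsigned like 0.5.0; the SHA1 and SHA512 values in checksums.yaml are integrity digests computed by whoever published the gem, not an authenticity signal. Given that this gem reads cloud credentials from `.fog` and opens security-group ingress, consider signing releases (`gem cert` with `signing_key` and `cert_chain` in the gemspec).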
@@ -214,6 +214,7 @@ files:
214
214
  - README.md
215
215
  - Rakefile
216
216
  - acceptance/config/nodes/hosts.yml
217
+ - acceptance_test_setup.md
217
218
  - aws.md
218
219
  - beaker-aws.gemspec
219
220
  - bin/beaker-aws