beaker-aws 0.5.0 → 0.6.0

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 6b4745f452de2d148f3fec8898abd872aba8ee8c
-  data.tar.gz: c6c1d60d17e1f2e0038646c2b6647aca8a95313c
+  metadata.gz: 57529b95c092329fae7b75595e5d037d1a911b7e
+  data.tar.gz: b0da2eb31f34a2577011d61ebba9c9ce6c1a90d3
 SHA512:
-  metadata.gz: df37c8ff2640e9707a8d7cfc2f2c3d8e83aed44147ac404d9f5fdffeeb3e7ec22cbe1a642b0f39848de534a70d23d0732fa43b84974798e5f5c2b1aa38f89cfb
-  data.tar.gz: 3584601c4b8f4b6fec30651816202628681a0d3616c480e68af91f16df1be68daca80ffe56cf29c1284098dcb94e44ad16fe5bdee7b7280eed5368480ee91003
+  metadata.gz: 74923a90c8fe25d456959961d7ae0f2f5672d6116e631fa9b8e514b14d6fad51320fc98d03ea42995629317a24ef8e3f51d028a220fc9876435427aeed37a5da
+  data.tar.gz: 9da09c3fc224398a918979348b0e9c1a454b0276dfd923dd1b97d7e526d03aea15d8f820b0fe6add671bda0ae5c9bab5a680332208c9ea2e380ef3dc84973113

data/CHANGELOG.md

@@ -1,10 +1,20 @@
 # Change Log
 
+## [0.6.0](https://github.com/puppetlabs/beaker-aws/tree/0.6.0) (2018-07-16)
+[Full Changelog](https://github.com/puppetlabs/beaker-aws/compare/0.5.0...0.6.0)
+
+**Merged pull requests:**
+
+- \(BKR-1481\) Rewrite beaker-aws to use shared .fog parsing [\#15](https://github.com/puppetlabs/beaker-aws/pull/15) ([Dakta](https://github.com/Dakta))
+- Custom CIDRs for security group, none default VPC fixes [\#14](https://github.com/puppetlabs/beaker-aws/pull/14) ([ardeshireshghi](https://github.com/ardeshireshghi))
+- \(MAINT\) Document Acceptance Test Setup [\#13](https://github.com/puppetlabs/beaker-aws/pull/13) ([Dakta](https://github.com/Dakta))
+
 ## [0.5.0](https://github.com/puppetlabs/beaker-aws/tree/0.5.0) (2018-06-13)
 [Full Changelog](https://github.com/puppetlabs/beaker-aws/compare/0.4.0...0.5.0)
 
 **Merged pull requests:**
 
+- \(MAINT\) add changelog for 0.5.0 release [\#11](https://github.com/puppetlabs/beaker-aws/pull/11) ([kevpl](https://github.com/kevpl))
 - \(BKR-1464\) Rewrite to use AWS SDK v3 [\#10](https://github.com/puppetlabs/beaker-aws/pull/10) ([rodjek](https://github.com/rodjek))
 - \(MAINT\) Bump for new release [\#9](https://github.com/puppetlabs/beaker-aws/pull/9) ([cdenneen](https://github.com/cdenneen))
 - \(BKR-1199\) Updated documentation for use\_fog\_credentials [\#8](https://github.com/puppetlabs/beaker-aws/pull/8) ([cdenneen](https://github.com/cdenneen))

data/acceptance_test_setup.md

@@ -0,0 +1,36 @@
+Notes on testing `beaker-aws` if your AWS configuration requires MFA or IAM Roles.
+
+# MAF and IAM Role
+
+If the credentials you use to access EC2 require MFA (Milti-Factor Authentication), the current workflow is to manually fetch a session token then set it in `.fog` under `aws_session_token`:
+
+1. Install AWS CLI tools.
+2. Configure your shared credentials in `~/.aws`
+3. Get a temporary role session
+    ~~~console
+    $ aws sts assume-role --role-arn <ROLE_ARN_STRING> --role-session-name "<SESSION_NAME>" --serial-number <MFA_ARN_STRING> --token-code <MFA_TOKEN>
+    {
+        "Credentials": {
+            "AccessKeyId": "accesskeyid",
+            "SecretAccessKey": "secretaccesskey",
+            "SessionToken": "somesuperlongsessiontoken",
+            "Expiration": "2018-06-25T19:54:04Z"
+        },
+        "AssumedRoleUser": {
+            "AssumedRoleId": "<SESSION_ROLE_ID>",
+            "Arn": "<NAMED_ROLE_SESSION>"
+        }
+    }
+    ~~~
+4. Extract `AccessKeyId`, `SecretAccessKey`, and `SessionToken` and put them in your `.fog` file as `aws_access_key_id`, `aws_secret_access_key`, and `aws_session_token`. By default this session will be valid for one hour. See `aws sts assume-role help` to extend the session lifetime.
+5. You can now run beaker (or `beaker-aws` acceptance tests) on AWS:
+    ~~~console
+    $ bundle exec rake test:acceptance
+    ~~~
+    As always, be sure you have configured a passwordless SSH key. These tests look for `~/.ssh/id_rsa` as the default to provision SUTs with.
+
+# Shared Credentials
+
+In theory, there should eventually be support for roles from shared credentials in `~/.aws/` from the Ruby AWS SDK directly, but [that functionality is on the backlog](https://github.com/aws/aws-sdk-ruby/issues/1256). Regardless, that doesn't seem like it would necessarily work with MFA.
+
+Support for IAM Roles and MFA are not formally planned for beaker-aws.

data/aws.md

@@ -45,7 +45,7 @@ examples of AMI IDs, check out their
 [Amazon Linux AMI page](https://aws.amazon.com/amazon-linux-ami/).
 
 The `region-id` variable represents the EC2 region ID from AWS. For reference,
-checkout EC2's 
+checkout EC2's
 [Regions and Availability Zones page]
 (http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html).
 An example of a region ID is `eu-west-1` for the Ireland data center.
@@ -72,7 +72,7 @@ The `host-vmname-value` references the ID created in the Amazon Image Config fil
 above.  If not provided, Beaker will try to name an AMI Config using the host's
 platform string.
 
-**Note:** If you are using `amazon-6-x86_64` as `vmname`, you have to specify `platform` as `el-6-x86_64`. Similarly for `amazon-6-i386` use `el-6-i386` as `platform`. 
+**Note:** If you are using `amazon-6-x86_64` as `vmname`, you have to specify `platform` as `el-6-x86_64`. Similarly for `amazon-6-i386` use `el-6-i386` as `platform`.
 
 The `type` references the type variable in the Amazon Image Config file as well,
 so this key picks out the particular AMI ID from the set available for this type
@@ -82,7 +82,7 @@ The `ami-size` variable refers to
 [instance types](https://aws.amazon.com/ec2/instance-types/) by their model name.
 Some examples of these values are "m3.large", "c4.xlarge", and "r3.8xlarge". The
 default value if this key is not provided used by Beaker is "m1.small".
-      
+
 ### ec2 VM Hostnames
 
 By default, beaker will set the hostnames of the VMs to the 'Public DNS' hostname supplied by ec2 (and which is normally based on the Public IP address). If your test requires the hosts be named identically to the `<hostname>:` from your beaker hosts file, set `:use_beaker_hostnames: true` in the beaker hosts file.
@@ -147,3 +147,8 @@ like so:
     [AWS EC2 200 0.142666 0 retries] describe_key_pairs(:filters=>[{:name=>"key-name",:values=>["Beaker-johnsmith-Johns-Ubuntu-2-local"]}])
 
 The values string in that line is what you're looking for.
+
+### Add custom CIDRs to security groups inbound rules
+
+Beaker creates 2 security groups to be able to access the EC2 instance. By default it defines inbound rules which allow access to everyone(0.0.0.0/0). In order to limit that access it is possible to configure the host param `sg_cidr_ips` which can be supplid with a list of CIDRs.
+

data/ec2.md

@@ -34,7 +34,7 @@ hypervisor: ec2
       nfs_server: none
       consoleport: 443
 
-### Using role  
+### Using role
 *(If you'd like to use instance role you can disable reading fog credentials)*
 
 #### No fog file needed ####
@@ -56,7 +56,7 @@ Beaker will automagically provision EC2 nodes, provided the 'platform:' section
 ### Supported EC2 Variables ###
 These variables can either be set per-host or globally.
 
-####`additional_ports`####
+#### `additional_ports` ####
 Ports to be opened on the instance, in addition to those opened by Beaker to support Puppet functionality.  Can be a single value or an array.  Example valid values: 1001, [1001], [1001, 1002].
 
 Ports opened by default:
@@ -66,17 +66,22 @@ Ports opened by default:
 * `database` will also have [5432, 8080, 8081] opened
 * If you have a split install, all the hosts with `master`, `dashboard` and `database` role will have port 8143 opened
 
-####`amisize` ####
-The [instance type](https://aws.amazon.com/ec2/instance-types/) - defaults to `m1.small`.  
-####`snapshot`####
+#### `amisize` ####
+The [instance type](https://aws.amazon.com/ec2/instance-types/) - defaults to `m1.small`.
+
+#### `snapshot` ####
 The snapshot to use for ec2 instance creation.
-####`subnet_id`####
+
+#### `subnet_id` ####
 If defined the instance will be created in this EC2 subnet.  `vpc_id` must be defined.  Cannot be defined at the same time as `subnet_ids`.
-####`subnet_ids`####
+
+#### `subnet_ids` ####
 If defined the instace will be crated in one of the provided array of EC2 subnets.  `vpc_id` must be defined.  Cannot be defined at the same time as `subnet_id`.
-####`vmname`####
+
+#### `vmname` ####
 Used to look up the pre-defined AMI information in `config/image_templates/ec2.yaml`.  Will default to `platform` if not defined.
-#####Example ec2.yaml#####
+
+##### Example ec2.yaml #####
 In this example the `vmname` would be `puppetlabs-centos-5-x86-64-west`.  Looking up the `vmname` in the `ec2.yaml` file provides an AMI ID by type (`pe` or `foss`) and the region.
 
 ```
@@ -87,9 +92,22 @@ AMI:
     :region: us-west-2
 ```
 
-####`volume_size`####
+#### `volume_size` ####
 Size of the [EBS Volume](http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/EBSVolumes.html) that will be attached to the EC2 instance.
-####`vpc_id`####
+
+#### `vpc_id` ####
 ID of the [VPC](https://aws.amazon.com/vpc/) to create the instances in.  If not provided will either use the default VPC for the provided region (marked as `isDefault`), otherwise falls back to `nil`.  If subnet information is provided (`subnet_id`/`subnet_ids`) this must be defined.
-####`user`####
+
+#### `sg_cidr_ips` ####
+Comma seperated list of [CIDRs](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/authorizing-access-to-an-instance.html) which define the whitelisted IPs used by beaker. They will be added to the security groups which are created and associated with EC2 instance. Below is an example:
+
+```
+HOSTS:
+  somehostname:
+    sg_cidr_ips: 172.28.40.0/24,172.20.112.0/20
+```
+
+This is optional and by default is set to '0.0.0.0/0'.
+
+#### `user` ####
 By default root login is not allowed with Amazon Linux. Setting it to ec2-user will trigger `sshd_config` and `authorized_keys` changes by beaker.

data/lib/beaker/hypervisor/aws_sdk.rb

@@ -265,6 +265,8 @@ module Beaker
       amitype = host['vmname'] || host['platform']
       amisize = host['amisize'] || 'm1.small'
       vpc_id = host['vpc_id'] || @options['vpc_id'] || nil
+      host['sg_cidr_ips'] = host['sg_cidr_ips'] || '0.0.0.0/0';
+      sg_cidr_ips = host['sg_cidr_ips'].split(',')
 
       if vpc_id && !subnet_id
         raise RuntimeError, "A subnet_id must be provided with a vpc_id"
@@ -324,9 +326,9 @@ module Beaker
         end
       end
 
-      security_group = ensure_group(vpc || region, Beaker::EC2Helper.amiports(host))
+      security_group = ensure_group(vpc || region, Beaker::EC2Helper.amiports(host), sg_cidr_ips)
       #check if ping is enabled
-      ping_security_group = ensure_ping_group(vpc || region)
+      ping_security_group = ensure_ping_group(vpc || region, sg_cidr_ips)
 
       msg = "aws-sdk: launching %p on %p using %p/%p%s" %
             [host.name, amitype, amisize, image_type,
@@ -340,7 +342,7 @@ module Beaker
           :enabled => true,
         },
         :key_name => ensure_key_pair(region).key_pairs.first.key_name,
-        :security_groups => [security_group.group_name, ping_security_group.group_name],
+        :security_group_ids => [security_group.group_id, ping_security_group.group_id],
         :instance_type => amisize,
         :disable_api_termination => false,
         :instance_initiated_shutdown_behavior => "terminate",
@@ -478,7 +480,7 @@ module Beaker
         # TODO: should probably be a in a shared method somewhere
         for tries in 1..10
           refreshed_instance = instance_by_id(instance.instance_id)
-          
+
           if refreshed_instance.nil?
             @logger.debug("Instance #{name} not yet available (#{e})")
           else
@@ -715,7 +717,7 @@ module Beaker
               # http://docs.aws.amazon.com/AWSEC2/latest/UserGuide/set-hostname.html
               # Also note that without an elastic ip set, while this will
               # preserve the hostname across a full shutdown/startup of the vm
-              # (as opposed to a reboot) -- the ip address will have changed. 
+              # (as opposed to a reboot) -- the ip address will have changed.
               host.exec(Command.new("sed -ie '/^HOSTNAME/ s/=.*/=#{host.name}/' /etc/sysconfig/network"))
             end
           end
@@ -908,9 +910,10 @@ module Beaker
     # Accepts a VPC as input for checking & creation.
     #
     # @param vpc [Aws::EC2::VPC] the AWS vpc control object
+    # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
     # @return [Aws::EC2::SecurityGroup] created security group
     # @api private
-    def ensure_ping_group(vpc)
+    def ensure_ping_group(vpc, sg_cidr_ips = ['0.0.0.0/0'])
       @logger.notify("aws-sdk: Ensure security group exists that enables ping, create if not")
 
       group = client.describe_security_groups(
@@ -921,7 +924,7 @@ module Beaker
       ).security_groups.first
 
       if group.nil?
-        group = create_ping_group(vpc)
+        group = create_ping_group(vpc, sg_cidr_ips)
       end
 
       group
@@ -933,9 +936,10 @@ module Beaker
     #
     # @param vpc [Aws::EC2::VPC] the AWS vpc control object
     # @param ports [Array<Number>] an array of port numbers
+    # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
     # @return [Aws::EC2::SecurityGroup] created security group
     # @api private
-    def ensure_group(vpc, ports)
+    def ensure_group(vpc, ports, sg_cidr_ips = ['0.0.0.0/0'])
       @logger.notify("aws-sdk: Ensure security group exists for ports #{ports.to_s}, create if not")
       name = group_id(ports)
 
@@ -947,7 +951,7 @@ module Beaker
       ).security_groups.first
 
       if group.nil?
-        group = create_group(vpc, ports)
+        group = create_group(vpc, ports, sg_cidr_ips)
       end
 
       group
@@ -957,10 +961,11 @@ module Beaker
     #
     # Accepts a region or VPC for group creation.
     #
-    # @param rv [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
+    # @param region_or_vpc [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
+    # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
     # @return [Aws::EC2::SecurityGroup] created security group
     # @api private
-    def create_ping_group(region_or_vpc)
+    def create_ping_group(region_or_vpc, sg_cidr_ips = ['0.0.0.0/0'])
       @logger.notify("aws-sdk: Creating group #{PING_SECURITY_GROUP_NAME}")
       cl = region_or_vpc.is_a?(String) ? client(region_or_vpc) : client
 
@@ -972,13 +977,16 @@ module Beaker
 
       group = cl.create_security_group(params)
 
-      cl.authorize_security_group_ingress(
-        :cidr_ip     => '0.0.0.0/0',
-        :ip_protocol => 'icmp',
-        :from_port   => '8',  # 8 == ICMPv4 ECHO request
-        :to_port     => '-1', # -1 == All ICMP codes
-        :group_id    => group.group_id,
-      )
+      sg_cidr_ips.each do |cidr_ip|
+        add_ingress_rule(
+          cl,
+          group,
+          cidr_ip,
+          '8', # 8 == ICMPv4 ECHO request
+          '-1', # -1 == All ICMP codes
+          'icmp',
+        )
+      end
 
       group
     end
@@ -987,37 +995,58 @@ module Beaker
     #
     # Accepts a region or VPC for group creation.
     #
-    # @param rv [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
+    # @param region_or_vpc [Aws::EC2::Region, Aws::EC2::VPC] the AWS region or vpc control object
     # @param ports [Array<Number>] an array of port numbers
+    # @param sg_cidr_ips [Array<String>] CIDRs used for outbound security group rule
     # @return [Aws::EC2::SecurityGroup] created security group
     # @api private
-    def create_group(region_or_vpc, ports)
+    def create_group(region_or_vpc, ports, sg_cidr_ips = ['0.0.0.0/0'])
       name = group_id(ports)
       @logger.notify("aws-sdk: Creating group #{name} for ports #{ports.to_s}")
+      @logger.notify("aws-sdk: Creating group #{name} with CIDR IPs #{sg_cidr_ips.to_s}")
       cl = region_or_vpc.is_a?(String) ? client(region_or_vpc) : client
 
-      group = cl.create_security_group(
+      params = {
+        :description => "Custom Beaker security group for #{ports.to_a}",
         :group_name  => name,
-        :description => "Custom Beaker security group for #{ports.to_a}"
-      )
+      }
+
+      params[:vpc_id] = region_or_vpc.vpc_id if region_or_vpc.is_a?(Aws::EC2::Types::Vpc)
+
+      group = cl.create_security_group(params)
 
       unless ports.is_a? Set
         ports = Set.new(ports)
       end
 
-      ports.each do |port|
-        cl.authorize_security_group_ingress(
-          :cidr_ip     => '0.0.0.0/0',
-          :ip_protocol => 'tcp',
-          :from_port   => port,
-          :to_port     => port,
-          :group_id    => group.group_id,
-        )
+      sg_cidr_ips.each do |cidr_ip|
+        ports.each do |port|
+          add_ingress_rule(cl, group, cidr_ip, port, port)
+        end
       end
 
       group
     end
 
+    # Authorizes connections from certain CIDR to a range of ports
+    #
+    # @param cl [Aws::EC2::Client]
+    # @param sg_group [Aws::EC2::SecurityGroup] the AWS security group
+    # @param cidr_ip [String] CIDR used for outbound security group rule
+    # @param from_port [String] Starting Port number in the range
+    # @param to_port [String] Ending Port number in the range
+    # @return [void]
+    # @api private
+    def add_ingress_rule(cl, sg_group, cidr_ip, from_port, to_port, protocol = 'tcp')
+      cl.authorize_security_group_ingress(
+        :cidr_ip     => cidr_ip,
+        :ip_protocol => protocol,
+        :from_port   => from_port,
+        :to_port     => to_port,
+        :group_id    => sg_group.group_id,
+      )
+    end
+
     # Return a hash containing AWS credentials
     #
     # @return [Hash<Symbol, String>] AWS credentials
@@ -1046,8 +1075,7 @@ module Beaker
     # @return [Aws::Credentials] ec2 credentials
     # @api private
     def load_fog_credentials(dot_fog = '.fog')
-      fog = YAML.load_file( dot_fog )
-      default = fog[:default]
+      default = get_fog_credentials(dot_fog)
 
       raise "You must specify an aws_access_key_id in your .fog file (#{dot_fog}) for ec2 instances!" unless default[:aws_access_key_id]
       raise "You must specify an aws_secret_access_key in your .fog file (#{dot_fog}) for ec2 instances!" unless default[:aws_secret_access_key]

data/lib/beaker-aws/version.rb

@@ -1,3 +1,3 @@
 module BeakerAws
-  VERSION = '0.5.0'
+  VERSION = '0.6.0'
 end

data/spec/beaker/hypervisor/aws_sdk_spec.rb

@@ -992,6 +992,8 @@ module Beaker
     describe '#ensure_group' do
       let(:vpc) { instance_double(Aws::EC2::Types::Vpc, :vpc_id => 1) }
       let(:ports) { [22, 80, 8080] }
+      let(:default_sg_cidr_ips) { ['0.0.0.0/0'] }
+
       subject(:ensure_group) { aws.ensure_group(vpc, ports) }
 
       let(:mock_client) { instance_double(Aws::EC2::Client) }
@@ -1030,7 +1032,7 @@ module Beaker
         let(:group) { nil }
 
         it 'creates group if group.nil?' do
-          expect(aws).to receive(:create_group).with(vpc, ports).and_return(group)
+          expect(aws).to receive(:create_group).with(vpc, ports, default_sg_cidr_ips).and_return(group)
           allow(mock_client).to receive(:describe_security_groups).with(any_args).and_return(security_group_result)
           expect(ensure_group).to eq(group)
         end
@@ -1038,7 +1040,8 @@ module Beaker
     end
 
     describe '#create_group' do
-      let(:rv) { double('rv') }
+      let(:group_vpc_id) { 'vpc-someid' }
+      let(:rv) { instance_double(Aws::EC2::Types::Vpc, :vpc_id => group_vpc_id) }
       let(:ports) { [22, 80, 8080] }
       subject(:create_group) { aws.create_group(rv, ports) }
 
@@ -1065,6 +1068,7 @@ module Beaker
       it 'creates group with expected arguments' do
         group_name = "Beaker-1521896090"
         group_desc = "Custom Beaker security group for #{ports.to_a}"
+
         expect(mock_client).to receive(:create_security_group).with(
           :group_name => group_name,
           :description => group_desc,
@@ -1073,6 +1077,24 @@ module Beaker
         expect(create_group).to eq(group)
       end
 
+      context 'it is called with VPC as first param' do
+        it 'creates group with expected arguments including vpc id' do
+          group_name = "Beaker-1521896090"
+          group_desc = "Custom Beaker security group for #{ports.to_a}"
+
+          allow(rv).to receive(:is_a?).with(String).and_return(false)
+          allow(rv).to receive(:is_a?).with(Aws::EC2::Types::Vpc).and_return(true)
+
+          expect(mock_client).to receive(:create_security_group).with(
+            :group_name => group_name,
+            :description => group_desc,
+            :vpc_id => group_vpc_id,
+          ).and_return(group)
+          allow(mock_client).to receive(:authorize_security_group_ingress).with(include(:group_id => group.group_id)).at_least(:once)
+          expect(create_group).to eq(group)
+        end
+      end
+
       it 'authorizes requested ports for group' do
         allow(mock_client).to receive(:create_security_group).with(any_args).and_return(group)
 
@@ -1081,6 +1103,21 @@ module Beaker
         end
         expect(create_group).to eq(group)
       end
+
+      context 'security group CIDRs are passed' do
+        let(:sg_cidr_ips) { ['172.28.40.0/24', '172.20.112.0/20'] }
+        subject(:create_group_with_cidr) { aws.create_group(rv, ports, sg_cidr_ips) }
+
+        it 'authorizes requested CIDR for group' do
+          allow(mock_client).to receive(:create_security_group).with(any_args).and_return(group)
+
+          sg_cidr_ips.each do |cidr_ip|
+            expect(mock_client).to receive(:authorize_security_group_ingress).with(include(:cidr_ip => cidr_ip)).exactly(3).times
+          end
+
+          expect(create_group_with_cidr).to eq(group)
+        end
+      end
     end
 
     describe '#load_fog_credentials' do
@@ -1088,37 +1125,28 @@ module Beaker
       let(:dot_fog) { '.fog' }
       subject(:load_fog_credentials) { aws.load_fog_credentials(dot_fog) }
 
-      it 'returns loaded fog credentials' do
-        creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => nil}
-        fog_hash = {:default => {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass'}}
-        expect(aws).to receive(:load_fog_credentials).and_call_original
-        expect(YAML).to receive(:load_file).and_return(fog_hash)
-        expect(load_fog_credentials).to have_attributes(creds)
-      end
-
-      it 'returns loaded fog credentials with session token' do
-        creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => 'sometoken'}
-        fog_hash = {:default => {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass', :aws_session_token => 'sometoken'}}
+      it 'returns AWS::Credentials with loaded fog credentials and session token' do
+        fog_creds = {:aws_access_key_id => 'awskey', :aws_secret_access_key => 'awspass', :aws_session_token => 'sometoken'}
+        aws_creds = {:access_key_id => 'awskey', :secret_access_key => 'awspass', :session_token => 'sometoken'}
         expect(aws).to receive(:load_fog_credentials).and_call_original
-        expect(YAML).to receive(:load_file).and_return(fog_hash)
-        expect(load_fog_credentials).to have_attributes(creds)
+        expect(aws).to receive(:get_fog_credentials).and_return(fog_creds)
+        expect(load_fog_credentials).to have_attributes(aws_creds)
       end
 
       context 'raises errors' do
-        it 'if missing access_key credential' do
-          fog_hash = {:default => {:aws_secret_access_key => 'awspass'}}
+        it 'if missing aws_access_key_id credential' do
+          creds = {:aws_secret_access_key => 'awspass'}
           err_text = "You must specify an aws_access_key_id in your .fog file (#{dot_fog}) for ec2 instances!"
           expect(aws).to receive(:load_fog_credentials).and_call_original
-          expect(YAML).to receive(:load_file).and_return(fog_hash)
+          expect(aws).to receive(:get_fog_credentials).and_return(creds)
           expect { load_fog_credentials }.to raise_error(err_text)
         end
 
-        it 'if missing secret_key credential' do
-          dot_fog = '.fog'
-          fog_hash = {:default => {:aws_access_key_id => 'awskey'}}
+        it 'if missing aws_secret_access_key credential' do
+          creds = {:aws_access_key_id => 'awskey'}
           err_text = "You must specify an aws_secret_access_key in your .fog file (#{dot_fog}) for ec2 instances!"
           expect(aws).to receive(:load_fog_credentials).and_call_original
-          expect(YAML).to receive(:load_file).and_return(fog_hash)
+          expect(aws).to receive(:get_fog_credentials).and_return(creds)
           expect { load_fog_credentials }.to raise_error(err_text)
         end
       end

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: beaker-aws
 version: !ruby/object:Gem::Version
-  version: 0.5.0
+  version: 0.6.0
 platform: ruby
 authors:
 - Rishi Javia, Kevin Imber, Tony Vu
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2018-06-13 00:00:00.000000000 Z
+date: 2018-07-16 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: rspec
@@ -214,6 +214,7 @@ files:
 - README.md
 - Rakefile
 - acceptance/config/nodes/hosts.yml
+- acceptance_test_setup.md
 - aws.md
 - beaker-aws.gemspec
 - bin/beaker-aws