chef-provisioning-aws 3.0.4 → 3.0.6

data/lib/chef/provider/aws_rds_instance.rb

@@ -1,17 +1,17 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'chef/provisioning/aws_driver/tagging_strategy/rds'
+require "chef/provisioning/aws_driver/aws_provider"
+require "chef/provisioning/aws_driver/tagging_strategy/rds"
 
 class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvider
   include Chef::Provisioning::AWSDriver::TaggingStrategy::RDSConvergeTags
 
   provides :aws_rds_instance
 
-  REQUIRED_OPTIONS = %i(db_instance_identifier allocated_storage engine
-                        db_instance_class master_username master_user_password)
+  REQUIRED_OPTIONS = %i{db_instance_identifier allocated_storage engine
+                        db_instance_class master_username master_user_password}.freeze
 
-  OTHER_OPTIONS = %i(db_snapshot_identifier engine_version multi_az iops publicly_accessible db_name port db_subnet_group_name db_parameter_group_name)
+  OTHER_OPTIONS = %i{db_snapshot_identifier engine_version multi_az iops publicly_accessible db_name port db_subnet_group_name db_parameter_group_name}.freeze
 
-  def update_aws_object(instance)
+  def update_aws_object(_instance)
     Chef::Log.warn("aws_rds_instance does not support modifying a started instance")
     # There are required optiosn (like `allocated_storage`) that the use may not
     # specify on a resource to perform an update.  For example, they may want to
@@ -27,7 +27,7 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
   def create_aws_object
     converge_by "create RDS instance #{new_resource.db_instance_identifier} in #{region}" do
       if new_resource.db_snapshot_identifier
-        snap_options_hash = [:allocated_storage, :master_username, :master_user_password, :engine_version].each { |k| options_hash.delete(k) }
+        snap_options_hash = %i{allocated_storage master_username master_user_password engine_version}.each { |k| options_hash.delete(k) }
         new_resource.driver.rds_client.restore_db_instance_from_db_snapshot(options_hash).db_instance
       else
         new_resource.driver.rds_resource.create_db_instance(options_hash)
@@ -46,11 +46,11 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
         # http://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/Overview.DBInstance.Status.html
         # It cannot _actually_ return a deleted status, we're just looking for the error
         query_method: :db_instance_status,
-        expected_responses: ['deleted'],
+        expected_responses: ["deleted"],
         acceptable_errors: [::Aws::RDS::Errors::DBInstanceNotFound],
         tries: 60,
-        sleep: 10
-      ) { |instance| instance.reload }
+        sleep: 10, &:reload
+      )
     end
   end
 
@@ -58,16 +58,15 @@ class Chef::Provider::AwsRdsInstance < Chef::Provisioning::AWSDriver::AWSProvide
   # the resource as well as optional options
   def options_hash
     @options_hash ||= begin
-      opts = Hash[new_resource.additional_options.map{|(k,v)| [k.to_sym,v]}]
+      opts = Hash[new_resource.additional_options.map { |(k, v)| [k.to_sym, v] }]
       REQUIRED_OPTIONS.each do |opt|
         opts[opt] = new_resource.send(opt)
       end
       OTHER_OPTIONS.each do |opt|
-        opts[opt] = new_resource.send(opt) if ! new_resource.send(opt).nil?
+        opts[opt] = new_resource.send(opt) unless new_resource.send(opt).nil?
       end
       AWSResource.lookup_options(opts, resource: new_resource)
       opts
     end
   end
-
 end

data/lib/chef/provider/aws_rds_parameter_group.rb

@@ -1,5 +1,5 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'chef/provisioning/aws_driver/tagging_strategy/rds'
+require "chef/provisioning/aws_driver/aws_provider"
+require "chef/provisioning/aws_driver/tagging_strategy/rds"
 
 # inspiration taken from providers/aws_rds_subnet_group.rb
 # but different enough that I'm not sure there is easy abstraction
@@ -33,7 +33,7 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
 
   def update_aws_object(_parameter_group)
     updates = required_updates
-    if ! updates.empty?
+    unless updates.empty?
       converge_by updates do
         driver.modify_db_parameter_group(desired_update_options)
       end
@@ -82,21 +82,21 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
       ret << "  set group parameters to #{desired_options[:parameters]}"
     end
 
-    if ! desired_options[:db_parameter_group_family].nil?
+    unless desired_options[:db_parameter_group_family].nil?
       # modify_db_parameter_group doesn't support updating the db_parameter_group_family  according to
       # http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
       # which is frustrating because it is required for create
       Chef::Log.warn "Updating description for RDS parameter groups is not supported by RDS client."
     end
 
-    if ! desired_options[:description].nil?
+    unless desired_options[:description].nil?
       # modify_db_parameter_group doesn't support updating the description according to
       # http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
       # which is frustrating because it is required for create
       Chef::Log.warn "Updating description for RDS parameter groups is not supported by RDS client."
     end
 
-    if ! (desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?)
+    unless desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?
       # modify_db_parameter_group doesn't support the tags key according to
       # http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_parameter_group-instance_method
       Chef::Log.warn "Updating tags for RDS parameter groups is not supported by RDS client."
@@ -118,9 +118,9 @@ class Chef::Provider::AwsRdsParameterGroup < Chef::Provisioning::AWSDriver::AWSP
     # value for apply_method for that parameter later in a recipe, or not be itempotent.
     #
     # Breaking the user is never the right option, so we have elected to not be itempotent.
-    ! (desired_options[:parameters].nil? || desired_options[:parameters].empty?)
+    !(desired_options[:parameters].nil? || desired_options[:parameters].empty?)
   end
-  
+
   def driver
     new_resource.driver.rds
   end

data/lib/chef/provider/aws_rds_subnet_group.rb

@@ -1,5 +1,5 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'chef/provisioning/aws_driver/tagging_strategy/rds'
+require "chef/provisioning/aws_driver/aws_provider"
+require "chef/provisioning/aws_driver/tagging_strategy/rds"
 
 class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProvider
   include Chef::Provisioning::AWSDriver::TaggingStrategy::RDSConvergeTags
@@ -12,7 +12,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
     end
   end
 
-  def destroy_aws_object(subnet_group)
+  def destroy_aws_object(_subnet_group)
     converge_by "delete RDS subnet group #{new_resource.name} in #{region}" do
       driver.delete_db_subnet_group(db_subnet_group_name: new_resource.name)
     end
@@ -20,7 +20,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
 
   def update_aws_object(subnet_group)
     updates = required_updates(subnet_group)
-    if ! updates.empty?
+    unless updates.empty?
       converge_by updates do
         driver.modify_db_subnet_group(desired_options)
       end
@@ -48,11 +48,11 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
       ret << "  set group description to #{desired_options[:db_subnet_group_description]}"
     end
 
-    if ! xor_array(desired_options[:subnet_ids], subnet_ids(subnet_group[:subnets])).empty?
+    unless xor_array(desired_options[:subnet_ids], subnet_ids(subnet_group[:subnets])).empty?
       ret << "  set subnets to #{desired_options[:subnet_ids]}"
     end
 
-    if ! (desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?)
+    unless desired_options[:aws_tags].nil? || desired_options[:aws_tags].empty?
       # modify_db_subnet_group doesn't support the tags key according to
       # http://docs.aws.amazon.com/AWSRubySDK/latest/AWS/RDS/Client.html#modify_db_subnet_group-instance_method
       Chef::Log.warn "Updating tags for RDS subnet groups is not supported."
@@ -62,11 +62,10 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
     ret
   end
 
-
   private
 
   def subnet_ids(subnets)
-    subnets.map {|i| i[:subnet_identifier] }
+    subnets.map { |i| i[:subnet_identifier] }
   end
 
   def xor_array(a, b)
@@ -78,7 +77,7 @@ class Chef::Provider::AwsRdsSubnetGroup < Chef::Provisioning::AWSDriver::AWSProv
   def tag_hash_to_array(tag_hash)
     ret = []
     tag_hash.each do |key, value|
-      ret << {:key => key, :value => value}
+      ret << { key: key, value: value }
     end
     ret
   end

data/lib/chef/provider/aws_route_table.rb

@@ -1,5 +1,5 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'retryable'
+require "chef/provisioning/aws_driver/aws_provider"
+require "retryable"
 
 class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
   include Chef::Provisioning::AWSDriver::TaggingStrategy::EC2ConvergeTags
@@ -9,7 +9,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
   def action_create
     route_table = super
 
-    if !new_resource.routes.nil?
+    unless new_resource.routes.nil?
       update_routes(vpc, route_table, new_resource.ignore_route_targets)
     end
 
@@ -29,14 +29,14 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
     converge_by "create route table #{new_resource.name} in VPC #{new_resource.vpc} (#{vpc.id}) and region #{region}" do
       route_table = vpc.create_route_table
       retry_with_backoff(::Aws::EC2::Errors::ServiceError) do
-        route_table.create_tags({
-             :tags => [
-                 {
-                     :key => "Name",
-                     :value => new_resource.name
-                 }
-             ]
-         })
+        route_table.create_tags(
+          tags: [
+            {
+              key: "Name",
+              value: new_resource.name
+            }
+          ]
+        )
       end
       route_table
     end
@@ -48,17 +48,17 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
     if new_resource.vpc
       desired_vpc_id = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
       if vpc.id != desired_vpc_id
-        raise "VPC of route table #{new_resource.to_s} is #{vpc.id}, but desired VPC is #{desired_vpc_id}!  The AWS SDK does not support updating the main route table except by creating a new route table."
+        raise "VPC of route table #{new_resource} is #{vpc.id}, but desired VPC is #{desired_vpc_id}!  The AWS SDK does not support updating the main route table except by creating a new route table."
       end
     end
   end
 
   def destroy_aws_object(route_table)
-    converge_by "delete #{new_resource.to_s} in #{region}" do
+    converge_by "delete #{new_resource} in #{region}" do
       begin
         route_table.delete
       rescue ::Aws::EC2::Errors::DependencyViolation
-        raise "#{new_resource.to_s} could not be deleted because it is the main route table for #{route_table.vpc.id} or it is being used by a subnet"
+        raise "#{new_resource} could not be deleted because it is the main route table for #{route_table.vpc.id} or it is being used by a subnet"
       end
     end
   end
@@ -74,7 +74,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
       # Ignore the automatic local route
       next if route.nil?
       route_target = route.gateway_id || route.nat_gateway_id || route.instance_id || route.network_interface_id || route.vpc_peering_connection_id
-      next if route_target == 'local'
+      next if route_target == "local"
       next if ignore_route_targets.find { |target| route_target.match(/#{target}/) }
       current_routes[route.destination_cidr_block] = route
     end
@@ -94,7 +94,7 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
         end
       else
         action_handler.perform_action "route #{destination_cidr_block} to #{route_target} (#{target})" do
-          route_table.create_route({ :destination_cidr_block => destination_cidr_block }.merge(options))
+          route_table.create_route({ destination_cidr_block: destination_cidr_block }.merge(options))
         end
       end
     end
@@ -114,10 +114,9 @@ class Chef::Provider::AwsRouteTable < Chef::Provisioning::AWSDriver::AWSProvider
     # Add propagated routes
     if gateway_ids
       gateway_ids.each do |gateway_id|
-        if !current_propagating_vgw_set.reject! { |vgw_set| vgw_set[:gateway_id] == gateway_id }
-          action_handler.perform_action "enable route propagation for route table #{route_table.id} to virtual private gateway #{gateway_id}" do
-            route_table.client.enable_vgw_route_propagation(route_table_id: route_table.id, gateway_id: gateway_id)
-          end
+        next if current_propagating_vgw_set.reject! { |vgw_set| vgw_set[:gateway_id] == gateway_id }
+        action_handler.perform_action "enable route propagation for route table #{route_table.id} to virtual private gateway #{gateway_id}" do
+          route_table.client.enable_vgw_route_propagation(route_table_id: route_table.id, gateway_id: gateway_id)
         end
       end
     end

data/lib/chef/provider/aws_s3_bucket.rb

@@ -1,9 +1,8 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'chef/provisioning/aws_driver/tagging_strategy/s3'
-require 'date'
+require "chef/provisioning/aws_driver/aws_provider"
+require "chef/provisioning/aws_driver/tagging_strategy/s3"
+require "date"
 
 class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
-
   def aws_tagger
     @aws_tagger ||= begin
       s3_strategy = Chef::Provisioning::AWSDriver::TaggingStrategy::S3.new(
@@ -26,17 +25,17 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
     bucket = super
 
     if new_resource.enable_website_hosting
-     if !website_exist?(new_resource,bucket)
+      if !website_exist?(new_resource, bucket)
         converge_by "enable website configuration for bucket #{new_resource.name}" do
-          create_website(bucket,new_resource )
+          create_website(bucket, new_resource)
         end
       elsif modifies_website_configuration?(bucket)
         converge_by "reconfigure website configuration for bucket #{new_resource.name} to #{new_resource.website_options}" do
-          create_website(bucket,new_resource )
+          create_website(bucket, new_resource)
         end
-      end
+       end
     else
-      if website_exist?(new_resource,bucket)
+      if website_exist?(new_resource, bucket)
         converge_by "disable website configuration for bucket #{new_resource.name}" do
           new_resource.driver.s3_client.delete_bucket_website(bucket: new_resource.name)
         end
@@ -48,20 +47,17 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
 
   def create_aws_object
     converge_by "create S3 bucket #{new_resource.name}" do
-      options = new_resource.options.merge({bucket: new_resource.name})
+      options = new_resource.options.merge(bucket: new_resource.name)
       new_resource.driver.s3_client.create_bucket(options)
       # S3 buckets already have a top level name property so they don't need
       # a 'Name' tag
     end
   end
 
-  def update_aws_object(bucket)
-  end
+  def update_aws_object(bucket); end
 
   def destroy_aws_object(bucket)
-    if purging
-      new_resource.recursive_delete(true)
-    end
+    new_resource.recursive_delete(true) if purging
     converge_by "delete S3 bucket #{new_resource.name}" do
       if new_resource.recursive_delete
         bucket.delete!
@@ -73,17 +69,18 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
 
   private
 
-  def website_exist?(new_resource,bucket)
-    return true if new_resource.driver.s3_client.get_bucket_website(bucket: new_resource.name) 
+  def website_exist?(new_resource, _bucket)
+    return true if new_resource.driver.s3_client.get_bucket_website(bucket: new_resource.name)
   rescue Aws::S3::Errors::NoSuchWebsiteConfiguration
-    return false
+    false
   end
 
-  def create_website(bucket,new_resource )
+  def create_website(_bucket, new_resource)
     website_configuration = Aws::S3::Types::WebsiteConfiguration.new(
-            new_resource.website_options)
+      new_resource.website_options
+    )
     s3_client = new_resource.driver.s3_client
-    s3_client.put_bucket_website( bucket: new_resource.name,  website_configuration:website_configuration)
+    s3_client.put_bucket_website(bucket: new_resource.name, website_configuration: website_configuration)
   end
 
   def modifies_website_configuration?(aws_object)
@@ -102,10 +99,10 @@ class Chef::Provider::AwsS3Bucket < Chef::Provisioning::AWSDriver::AWSProvider
   def s3_website_endpoint_region
     # ¯\_(ツ)_/¯
     case aws_object.location_constraint
-    when nil, 'US'
-      'us-east-1'
-    when 'EU'
-      'eu-west-1'
+    when nil, "US"
+      "us-east-1"
+    when "EU"
+      "eu-west-1"
     else
       aws_object.location_constraint
     end

data/lib/chef/provider/aws_security_group.rb

@@ -1,7 +1,7 @@
-require 'chef/provisioning/aws_driver/aws_provider'
-require 'date'
-require 'ipaddr'
-require 'set'
+require "chef/provisioning/aws_driver/aws_provider"
+require "date"
+require "ipaddr"
+require "set"
 
 class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvider
   include Chef::Provisioning::AWSDriver::TaggingStrategy::EC2ConvergeTags
@@ -21,7 +21,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       options = { description: new_resource.description.to_s }
       options[:vpc_id] = new_resource.vpc if new_resource.vpc
       options[:group_name] = new_resource.name
-      if options[:description].nil? or options[:description]==""
+      if options[:description].nil? || (options[:description] == "")
         options[:description] = new_resource.name.to_s
       end
       options = AWSResource.lookup_options(options, resource: new_resource)
@@ -29,7 +29,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
 
       sg = new_resource.driver.ec2_resource.create_security_group(options)
       retry_with_backoff(::Aws::EC2::Errors::InvalidSecurityGroupsIDNotFound, ::Aws::EC2::Errors::InvalidGroupNotFound) do
-        new_resource.driver.ec2_resource.create_tags(resources: [sg.id],tags: [{key: "Name", value: new_resource.name}]) 
+        new_resource.driver.ec2_resource.create_tags(resources: [sg.id], tags: [{ key: "Name", value: new_resource.name }])
       end
       sg
     end
@@ -39,7 +39,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     if !new_resource.description.nil? && new_resource.description != sg.description
       raise "Security group descriptions cannot be changed after being created!  Desired description for #{new_resource.name} (#{sg.id}) was \"#{new_resource.description}\" and actual description is \"#{sg.description}\""
     end
-    if !new_resource.vpc.nil?
+    unless new_resource.vpc.nil?
       desired_vpc = Chef::Resource::AwsVpc.get_aws_object_id(new_resource.vpc, resource: new_resource)
       if desired_vpc != sg.vpc_id
         raise "Security group VPC cannot be changed after being created!  Desired VPC for #{new_resource.name} (#{sg.id}) was #{new_resource.vpc} (#{desired_vpc}) and actual VPC is #{sg.vpc_id}"
@@ -49,8 +49,8 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
   end
 
   def destroy_aws_object(sg)
-    converge_by "delete security group #{new_resource.to_s} in #{region}" do
-      sg.delete({ dry_run: false })
+    converge_by "delete security group #{new_resource} in #{region}" do
+      sg.delete(dry_run: false)
     end
   end
 
@@ -58,13 +58,9 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
 
   def apply_rules(sg)
     vpc = sg.vpc_id
-    if !new_resource.outbound_rules.nil?
-      update_outbound_rules(sg, vpc)
-    end
+    update_outbound_rules(sg, vpc) unless new_resource.outbound_rules.nil?
 
-    if !new_resource.inbound_rules.nil?
-      update_inbound_rules(sg, vpc)
-    end
+    update_inbound_rules(sg, vpc) unless new_resource.inbound_rules.nil?
   end
 
   def update_inbound_rules(sg, vpc)
@@ -94,100 +90,95 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     # Actually update the rules (remove, add)
     #
     update_rules(desired_rules, sg.ip_permissions,
-      authorize: proc do |port_range, protocol, actors|
-        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
-        converge_by "authorize #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          names.each do |iprange|
-           begin
-            if iprange.include?('-')
-              # user_id_group_pairs allows to add inbound rules for source security group
-              sg.authorize_ingress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  user_id_group_pairs: actors
-                }]
-              })
-=begin
-              sg.authorize_ingress({
-                group
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  prefix_list_ids: [{
-                    prefix_list_id: iprange
-                  }]
-                }]
-              })
-=end
-            else
-              sg.authorize_ingress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  ip_ranges: [{
-                    cidr_ip: iprange
-                  }]
-                }]
-              })
-            end
-           rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
-             Chef::Log.debug("Ignoring duplicate permission")
-           end
-          end
-        end
-      end,
-
-      revoke: proc do |port_range, protocol, actors|
-        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
-        converge_by "revoke the ability of #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          names.each do |iprange|
-           begin
-            if iprange.include?('-')
-              # user_id_group_pairs allows to revoke inbound rules for source security group
-              sg.revoke_ingress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  user_id_group_pairs: actors
-                }]
-              })
-=begin
-              sg.revoke_ingress({
-                group
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  prefix_list_ids: [{
-                    prefix_list_id: iprange
-                  }]
-                }]
-              })
-=end
-            else
-              sg.revoke_ingress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  ip_ranges: [{
-                    cidr_ip: iprange
-                  }]
-                }]
-              })
-            end
-           rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
-             Chef::Log.debug("Ignoring missing permission")
-           end
-          end
-        end
-      end
-    )
+                 authorize: proc do |port_range, protocol, actors|
+                   names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+                   converge_by "authorize #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
+                     names.each do |iprange|
+                       begin
+                         if iprange.include?("-")
+                           # user_id_group_pairs allows to add inbound rules for source security group
+                           sg.authorize_ingress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               user_id_group_pairs: actors
+                             }]
+                           )
+                         #               sg.authorize_ingress({
+                         #                 group
+                         #                 ip_permissions: [{
+                         #                   ip_protocol: protocol,
+                         #                   from_port: port_range.first,
+                         #                   to_port: port_range.last,
+                         #                   prefix_list_ids: [{
+                         #                     prefix_list_id: iprange
+                         #                   }]
+                         #                 }]
+                         #               })
+                         else
+                           sg.authorize_ingress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               ip_ranges: [{
+                                 cidr_ip: iprange
+                               }]
+                             }]
+                           )
+                         end
+                       rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
+                         Chef::Log.debug("Ignoring duplicate permission")
+                       end
+                     end
+                   end
+                 end,
+
+                 revoke: proc do |port_range, protocol, actors|
+                   names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+                   converge_by "revoke the ability of #{names.join(', ')} to send traffic to group #{new_resource.name} (#{sg.id}) on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
+                     names.each do |iprange|
+                       begin
+                         if iprange.include?("-")
+                           # user_id_group_pairs allows to revoke inbound rules for source security group
+                           sg.revoke_ingress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               user_id_group_pairs: actors
+                             }]
+                           )
+                         #               sg.revoke_ingress({
+                         #                 group
+                         #                 ip_permissions: [{
+                         #                   ip_protocol: protocol,
+                         #                   from_port: port_range.first,
+                         #                   to_port: port_range.last,
+                         #                   prefix_list_ids: [{
+                         #                     prefix_list_id: iprange
+                         #                   }]
+                         #                 }]
+                         #               })
+                         else
+                           sg.revoke_ingress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               ip_ranges: [{
+                                 cidr_ip: iprange
+                               }]
+                             }]
+                           )
+                         end
+                       rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
+                         Chef::Log.debug("Ignoring missing permission")
+                       end
+                     end
+                   end
+                 end)
   end
 
   def update_outbound_rules(sg, vpc)
@@ -217,101 +208,95 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     #
     Chef::Log.info("dr: #{desired_rules}")
     update_rules(desired_rules, sg.ip_permissions_egress,
-
-      authorize: proc do |port_range, protocol, actors|
-        Chef::Log.info("proto: #{protocol.inspect}")
-        Chef::Log.info("port_range: #{port_range.inspect}")
-        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
-        converge_by "authorize group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          names.each do |iprange|
-           begin
-            if iprange.include?('-')
-              sg.authorize_egress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  user_id_group_pairs: actors
-                }]
-              })
-=begin
-              sg.authorize_egress({
-                group
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  prefix_list_ids: [{
-                    prefix_list_id: iprange
-                  }]
-                }]
-              })
-=end
-            else
-              sg.authorize_egress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  ip_ranges: [{
-                    cidr_ip: iprange
-                  }]
-                }]
-              })
-            end
-           rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
-             Chef::Log.debug("Ignoring duplicate permission")
-           end
-          end
-        end
-      end,
-
-      revoke: proc do |port_range, protocol, actors|
-        names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
-        converge_by "revoke the ability of group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
-          names.each do |iprange|
-           begin
-            if iprange.include?('-')
-              sg.revoke_egress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  user_id_group_pairs: actors
-                }]
-              })
-=begin
-              sg.revoke_egress({
-                group
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  prefix_list_ids: [{
-                    prefix_list_id: iprange
-                  }]
-                }]
-              })
-=end
-            else
-              sg.revoke_egress({
-                ip_permissions: [{
-                  ip_protocol: protocol,
-                  from_port: port_range.first,
-                  to_port: port_range.last,
-                  ip_ranges: [{
-                    cidr_ip: iprange
-                  }]
-                }]
-              })
-            end
-           rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
-             Chef::Log.debug("Ignoring missing permission")
-           end
-          end
-        end
-      end
-    )
+                 authorize: proc do |port_range, protocol, actors|
+                   Chef::Log.info("proto: #{protocol.inspect}")
+                   Chef::Log.info("port_range: #{port_range.inspect}")
+                   names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+                   converge_by "authorize group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
+                     names.each do |iprange|
+                       begin
+                         if iprange.include?("-")
+                           sg.authorize_egress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               user_id_group_pairs: actors
+                             }]
+                           )
+                         #               sg.authorize_egress({
+                         #                 group
+                         #                 ip_permissions: [{
+                         #                   ip_protocol: protocol,
+                         #                   from_port: port_range.first,
+                         #                   to_port: port_range.last,
+                         #                   prefix_list_ids: [{
+                         #                     prefix_list_id: iprange
+                         #                   }]
+                         #                 }]
+                         #               })
+                         else
+                           sg.authorize_egress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               ip_ranges: [{
+                                 cidr_ip: iprange
+                               }]
+                             }]
+                           )
+                         end
+                       rescue ::Aws::EC2::Errors::InvalidPermissionDuplicate => e
+                         Chef::Log.debug("Ignoring duplicate permission")
+                       end
+                     end
+                   end
+                 end,
+
+                 revoke: proc do |port_range, protocol, actors|
+                   names = actors.map { |a| a.is_a?(Hash) ? a[:group_id] : a }
+                   converge_by "revoke the ability of group #{new_resource.name} (#{sg.id}) to send traffic to #{names.join(', ')} on port_range #{port_range.inspect} with protocol #{protocol || 'nil'}" do
+                     names.each do |iprange|
+                       begin
+                         if iprange.include?("-")
+                           sg.revoke_egress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               user_id_group_pairs: actors
+                             }]
+                           )
+                         #               sg.revoke_egress({
+                         #                 group
+                         #                 ip_permissions: [{
+                         #                   ip_protocol: protocol,
+                         #                   from_port: port_range.first,
+                         #                   to_port: port_range.last,
+                         #                   prefix_list_ids: [{
+                         #                     prefix_list_id: iprange
+                         #                   }]
+                         #                 }]
+                         #               })
+                         else
+                           sg.revoke_egress(
+                             ip_permissions: [{
+                               ip_protocol: protocol,
+                               from_port: port_range.first,
+                               to_port: port_range.last,
+                               ip_ranges: [{
+                                 cidr_ip: iprange
+                               }]
+                             }]
+                           )
+                         end
+                       rescue ::Aws::EC2::Errors::InvalidPermissionNotFound => e
+                         Chef::Log.debug("Ignoring missing permission")
+                       end
+                     end
+                   end
+                 end)
   end
 
   def update_rules(desired_rules, actual_rules_list, authorize: nil, revoke: nil)
@@ -322,22 +307,21 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
         port_range: rule[:from_port] ? rule[:from_port]..rule[:to_port] : -1..-1,
         protocol: rule[:ip_protocol].to_s.to_sym
       }
-      rule[:user_id_group_pairs].map! { |h| h.select { |x| x != :group_name} }
-      add_rule(actual_rules, [ port_range ], rule[:user_id_group_pairs]) if rule[:user_id_group_pairs]
-      add_rule(actual_rules, [ port_range ], rule[:ip_ranges].map { |r| r[:cidr_ip] }) if rule[:ip_ranges]
+      rule[:user_id_group_pairs].map! { |h| h.reject { |x| x == :group_name } }
+      add_rule(actual_rules, [port_range], rule[:user_id_group_pairs]) if rule[:user_id_group_pairs]
+      add_rule(actual_rules, [port_range], rule[:ip_ranges].map { |r| r[:cidr_ip] }) if rule[:ip_ranges]
     end
 
     #
     # Get the list of permissions to add and remove
     #
     actual_rules.each do |port_range, actors|
-      if desired_rules[port_range]
-        intersection = actors & desired_rules[port_range]
-        # Anything unhandled in desired_rules will be added
-        desired_rules[port_range] -= intersection
-        # Anything unhandled in actual_rules will be removed
-        actual_rules[port_range] -= intersection
-      end
+      next unless desired_rules[port_range]
+      intersection = actors & desired_rules[port_range]
+      # Anything unhandled in desired_rules will be added
+      desired_rules[port_range] -= intersection
+      # Anything unhandled in actual_rules will be removed
+      actual_rules[port_range] -= intersection
     end
 
     #
@@ -375,18 +359,18 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
     case port_spec
     when Integer
       port_spec = 0 if port_spec == -1
-      [ { port_range: port_spec..port_spec, protocol: :tcp } ]
+      [{ port_range: port_spec..port_spec, protocol: :tcp }]
     when Range
       port_spec = 0..0 if port_spec == (-1..-1)
-      [ { port_range: port_spec, protocol: :tcp } ]
+      [{ port_range: port_spec, protocol: :tcp }]
     when Array
       port_spec.map { |p| get_port_ranges(p) }.flatten
     when String, Symbol
       protocol = port_spec.to_s.downcase.to_sym
       if protocol.to_s =~ /(any|all|-1)/i
-        [ { port_range: -1..-1, protocol: :"-1" } ]
+        [{ port_range: -1..-1, protocol: :"-1" }]
       else
-        [ { port_range: 0..0, protocol: protocol } ]
+        [{ port_range: 0..0, protocol: protocol }]
       end
     when Hash
       port_range = port_spec[:port_range] || port_spec[:ports] || port_spec[:port] || 0
@@ -394,9 +378,9 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       if port_spec[:protocol]
         protocol = port_spec[:protocol].to_s.downcase.to_sym
         if protocol.to_s =~ /(any|all|-1)/i
-          [ { port_range: -1..-1, protocol: :"-1" } ]
+          [{ port_range: -1..-1, protocol: :"-1" }]
         else
-          [ { port_range: port_range, protocol: protocol } ]
+          [{ port_range: port_range, protocol: protocol }]
         end
       else
         get_port_ranges(port_range)
@@ -404,7 +388,7 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
       # The to_s.to_sym dance is because if you specify a protocol number, AWS symbolifies it,
       # but 26.to_sym doesn't work (so we have to to_s it first).
     when nil
-      [ { port_range: -1..-1, protocol: :"-1" } ]
+      [{ port_range: -1..-1, protocol: :"-1" }]
     end
   end
 
@@ -414,72 +398,71 @@ class Chef::Provider::AwsSecurityGroup < Chef::Provisioning::AWSDriver::AWSProvi
   def get_actors(vpc, actor_spec)
     result = case actor_spec
 
-    # An array is always considered a list of actors.  Each one may follow any supported format.
-    when Array
-      actor_spec.map { |a| get_actors(vpc, a) }
-
-    # Hashes come in several forms:
-    when Hash
-      # The default AWS Ruby SDK form with :user_id, :group_id and :group_name forms
-      if actor_spec.keys.all? { |key| [ :user_id, :group_id, :group_name ].include?(key) }
-        if actor_spec.has_key?(:group_name)
-          vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
-          actor_spec[:group_id] ||= vpc_object.security_groups({filters: [name: "group-name", values: [actor_spec[:group_name]]]}).first.id
-        end
-        actor_spec[:user_id] ||= new_resource.driver.account_id
-
-        { user_id: actor_spec[:user_id], group_id: actor_spec[:group_id] }
-
-      # load_balancer: <load balancer name>
-      elsif actor_spec.keys == [ :load_balancer ]
-        lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec[:load_balancer], resource: new_resource)
-        get_actors(vpc, lb)
-
-      # security_group: <security group name>
-      elsif actor_spec.keys == [ :security_group ]
-        Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec[:security_group], resource: new_resource)
-
-      else
-        raise "Unable to reference security group with spec #{actor_spec}"
-      end
-
-    # If a load balancer is specified, grab it and then get its automatic security group
-    when /^elb-[a-fA-F0-9]+$/, Aws::ElasticLoadBalancing::Types::LoadBalancerDescription, Chef::Resource::AwsLoadBalancer
-      lb=actor_spec
-      if lb.class != Aws::ElasticLoadBalancing::Types::LoadBalancerDescription
-        lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
-      end
-      # get secgroup via vpc_id
-      vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
-      results = vpc_object.security_groups.to_a.select { |s| s.group_name == lb.source_security_group.group_name }
-      if results.size == 1  
-        get_actors(vpc, results.first.id)
-      else
-        raise ::Chef::Provisioning::AWSDriver::Exceptions::MultipleSecurityGroupError.new(lb.source_security_group.group_name, results)
-      end
-
-    # If a security group is specified, grab it
-    when /^sg-[a-fA-F0-9]+$/, ::Aws::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
-      Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
-
-    # If an IP addresses / CIDR are passed, return it verbatim; otherwise, assume it's the
-    # name of a security group.
-    when String
-      begin
-        IPAddr.new(actor_spec)
-        # Add /32 to the end of raw IP addresses
-        actor_spec =~ /\// ? actor_spec : "#{actor_spec}/32"
-      rescue IPAddr::InvalidAddressError
-        Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
-      end
-
-    else
-      raise "Unexpected actor #{actor_spec} / #{actor_spec.class} in rules list"
-    end
+             # An array is always considered a list of actors.  Each one may follow any supported format.
+             when Array
+               actor_spec.map { |a| get_actors(vpc, a) }
+
+             # Hashes come in several forms:
+             when Hash
+               # The default AWS Ruby SDK form with :user_id, :group_id and :group_name forms
+               if actor_spec.keys.all? { |key| %i{user_id group_id group_name}.include?(key) }
+                 if actor_spec.key?(:group_name)
+                   vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
+                   actor_spec[:group_id] ||= vpc_object.security_groups(filters: [name: "group-name", values: [actor_spec[:group_name]]]).first.id
+                 end
+                 actor_spec[:user_id] ||= new_resource.driver.account_id
+
+                 { user_id: actor_spec[:user_id], group_id: actor_spec[:group_id] }
+
+               # load_balancer: <load balancer name>
+               elsif actor_spec.keys == [:load_balancer]
+                 lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec[:load_balancer], resource: new_resource)
+                 get_actors(vpc, lb)
+
+               # security_group: <security group name>
+               elsif actor_spec.keys == [:security_group]
+                 Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec[:security_group], resource: new_resource)
+
+               else
+                 raise "Unable to reference security group with spec #{actor_spec}"
+               end
+
+             # If a load balancer is specified, grab it and then get its automatic security group
+             when /^elb-[a-fA-F0-9]+$/, Aws::ElasticLoadBalancing::Types::LoadBalancerDescription, Chef::Resource::AwsLoadBalancer
+               lb = actor_spec
+               if lb.class != Aws::ElasticLoadBalancing::Types::LoadBalancerDescription
+                 lb = Chef::Resource::AwsLoadBalancer.get_aws_object(actor_spec, resource: new_resource)
+               end
+               # get secgroup via vpc_id
+               vpc_object = Chef::Resource::AwsVpc.get_aws_object(vpc, resource: new_resource)
+               results = vpc_object.security_groups.to_a.select { |s| s.group_name == lb.source_security_group.group_name }
+               if results.size == 1
+                 get_actors(vpc, results.first.id)
+               else
+                 raise ::Chef::Provisioning::AWSDriver::Exceptions::MultipleSecurityGroupError.new(lb.source_security_group.group_name, results)
+               end
+
+             # If a security group is specified, grab it
+             when /^sg-[a-fA-F0-9]+$/, ::Aws::EC2::SecurityGroup, Chef::Resource::AwsSecurityGroup
+               Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
+
+             # If an IP addresses / CIDR are passed, return it verbatim; otherwise, assume it's the
+             # name of a security group.
+             when String
+               begin
+                 IPAddr.new(actor_spec)
+                 # Add /32 to the end of raw IP addresses
+                 actor_spec =~ /\// ? actor_spec : "#{actor_spec}/32"
+               rescue IPAddr::InvalidAddressError
+                 Chef::Resource::AwsSecurityGroup.get_aws_object(actor_spec, resource: new_resource)
+               end
+
+             else
+               raise "Unexpected actor #{actor_spec} / #{actor_spec.class} in rules list"
+              end
 
     result = { user_id: result.owner_id, group_id: result.id } if result.is_a?(::Aws::EC2::SecurityGroup)
 
-    [ result ].flatten
+    [result].flatten
   end
-
 end