furnish-aws 0.0.1

data/test/test_ec2.rb

@@ -0,0 +1,225 @@
+require 'helper'
+require 'furnish/provisioners/ec2'
+require 'furnish/provisioners/security_group'
+
+class TestEC2 < Furnish::SchedulerTestCase
+  AMI           = "ami-e2861d8b" # ubuntu 12.04 LTS from vendor, us-east-1 instance store
+  KEY_PAIR_NAME = "furnish-test-key"
+  DUMMY_KEY     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZ2lpDmXAxAo8XKThAgkF+iPcXPs6S72RPTcb191Krq43Offay8VdnLecRYLZslvbaQKLfvsfjwZP95yJt2GHnMhSOY4gXkowmjLFjth6BQK42vsuMVVDpwQn9kIPvgCh2UA3b1ti1dV9VznSgBaxDoCsZpzIlF6LHGMIU6qkX938ZQ2IPahu144FTemEwWWvPX6Eyow8narSRGTPFWqbY+Q8jti/pLroNxMiq4nMpIYlCH5fW37C7bSyQOgdAtCq3YfxzM45j2cRVOQKjNLDH8Al6OH7wOsDJUxu0MbfnHSIMcDH3jDyDWqkrAle6B0d+52/7SeqTLMrH8aMPDLIwXW9MwLW7kdMt2XCLZWCo3bf+JOvC2BxZSjLnaOaruM/ckjnzhZYX/qLm49T0feh1+3JZhYD40+aYRT+r1Se+0+AP1YeY9pRSfo0KD0nd1VbKbgIYUY0d/n5fmbsejAmGB4IhVEXgKBhSLHEJiNrB5ahqxHziObr3Y64J6uQ088egs7uxtK/NOm5WqsW+QSPu4xvtFawzkQjALw3pGw9C3DJuCJ2hoO3OdVo8SGlIGvtEYZnEOU5sWSP3gfd4TWRVgc6pOwrlXWHG1/6151Ufpm2blRZFv0j10WaDPYw/W+JEUwczrAg6hacZa0SPpybPzwNBLFQXRz1BeB/dKUykCQ=="
+
+  def setup
+    @klass = Furnish::Provisioner::EC2
+    super
+  end
+
+  def teardown
+    sched.teardown
+    super
+  end
+
+  def make_key(obj)
+    delete_key(obj)
+    obj.ec2.key_pairs.import("furnish-test-key", DUMMY_KEY)
+  end
+
+  def delete_key(obj)
+    obj.ec2.key_pairs["furnish-test-key"].delete rescue nil
+  end
+
+  def security_group_provisioner
+    Furnish::Provisioner::SecurityGroup.new(base_args)
+  end
+
+  def build_provisioner(ec2_args=args)
+    [
+      security_group_provisioner,
+      @klass.new(ec2_args)
+    ]
+  end
+
+  def base_args
+    {
+      :access_key     => ENV["AWS_ACCESS_KEY_ID"],
+      :secret_key     => ENV["AWS_SECRET_ACCESS_KEY"],
+      :region         => "us-east-1"
+    }
+  end
+
+  def args
+    base_args.merge({
+      :instance_type  => ENV["FURNISH_EC2_TEST_INSTANCE_SIZE"] || "c1.medium",
+      :key_name   => KEY_PAIR_NAME,
+      :image_id   => AMI
+    })
+  end
+
+  def make_basic_obj
+    opts = {
+      :access_key => "qwe123",
+      :secret_key => "password1",
+      :key_name   => "foo",
+      :image_id   => "ami-1234",
+      :region     => "us-east-1"
+    }
+
+    obj = @klass.new(opts)
+
+    # the object constructed, and the options used to build it, for later reflection.
+    return obj, opts
+  end
+
+  def make_launch_options_obj
+    obj, opts = make_basic_obj
+
+    # add defaults
+    opts.merge!(:count => 1, :instance_type => "c1.medium", :security_group_ids => [])
+
+    # deal with things launch_options doesn't need to care about
+    [:access_key, :secret_key, :region].each { |x| opts.delete(x) }
+
+    return obj, opts
+  end
+
+  def test_constructor
+    base_args = { :access_key => "qwe123", :secret_key => "password1" }
+    assert_raises(ArgumentError, "AWS region must be provided to the provisioner.") { @klass.new(base_args) }
+    assert_raises(ArgumentError, "key_name is required for instance provision") { @klass.new(base_args.merge(:availability_zone => "us-east-1b")) }
+
+    base_args.merge!(:key_name => "foo")
+
+    assert_raises(ArgumentError, "an AMI image_id must be provided") { @klass.new(base_args) }
+
+    base_args.merge!(:image_id => "ami-1234")
+
+    obj = @klass.new(base_args.merge(:availability_zone => "us-east-1b"))
+    assert_equal("us-east-1", obj.region, "AZ was mapped to region name when region isn't supplied")
+    assert_equal(1, obj.count, "default instance count is 1")
+    assert_equal("c1.medium", obj.instance_type, "default instance type is c1.medium")
+    assert_kind_of(Array, obj.security_group_ids, "security group is array by default")
+    assert_empty(obj.security_group_ids, "default array of security groups is empty")
+
+    base_args.merge!(:region => "us-east-1")
+
+    {
+      :count => 2,
+      :instance_type => "m1.small",
+      :security_group_ids => %w[quux]
+    }.each do |key, value|
+      obj = @klass.new(base_args.merge(key => value))
+      assert_equal(value, obj.send(key), "#{key.to_s} accepts default overrides in the constructor")
+    end
+
+    assert_raises(ArgumentError) { @klass.new(base_args.merge(:region => "us-east-1", :availability_zone => "us-east-2a")) }
+    assert_kind_of(Furnish::Provisioner::AWS, @klass.new(base_args.merge(:region => "us-east-1")))
+  end
+
+  def test_launch_options
+    obj, opts = make_launch_options_obj
+    assert_equal(opts, obj.launch_options, "launch_options generates sane defaults")
+
+    @klass::PASSTHROUGH_ATTRS.each do |test_key|
+      obj, opts = make_launch_options_obj
+      obj.send("#{test_key}=", "something")
+      assert_equal(opts.merge(test_key.to_sym => "something"), obj.launch_options, "changes to #{test_key} are reflected")
+    end
+  end
+
+  def test_startup_shutdown
+    secgroup = security_group_provisioner
+    assert(secgroup.startup, "security group was provisioned")
+    obj = @klass.new(args.merge(:security_group_ids => [secgroup.group_id]))
+    make_key(obj)
+
+    assert_empty(obj.instance_ids, "no instance_ids are stored")
+    result = obj.startup
+    assert(result, "machine was provisioned")
+    refute_empty(result[:ips], "result has ip addresses")
+    refute_empty(result[:ec2_instance_ids], "result has instance ids")
+    assert(result[:ips].all? { |str| str.kind_of?(String) && str.split(/\./).count == 4 && str !~ /^10\./ }, "all items are strings and look like IP addresses and are not private IPs")
+    assert(result[:ec2_instance_ids].all? { |str| str.kind_of?(String) && str =~ /^i-/ }, "all items are strings and look like EC2 instance ids")
+    refute_empty(obj.instance_ids, "we now have instance_ids")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].status == :running }, "all machines are running")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].security_groups.map(&:id) == [secgroup.group_id] }, "machines are in the appropriate security group")
+    assert_equal([secgroup.group_id], obj.security_group_ids, "group ids reflect all groups the machines are in")
+    instance_ids = obj.instance_ids
+    assert(obj.shutdown, "shutdown was successsful")
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines are terminated")
+
+    obj = @klass.new(args)
+    assert_empty(obj.instance_ids, "no instance_ids are stored")
+    result = obj.startup(:security_group_ids => [secgroup.group_id])
+    assert(result, "machine was provisioned")
+    refute_empty(result[:ips], "result has ip addresses")
+    refute_empty(result[:ec2_instance_ids], "result has instance ids")
+    assert(result[:ips].all? { |str| str.kind_of?(String) && str.split(/\./).count == 4 && str !~ /^10\./ }, "all items are strings and look like IP addresses and are not private IPs")
+    assert(result[:ec2_instance_ids].all? { |str| str.kind_of?(String) && str =~ /^i-/ }, "all items are strings and look like EC2 instance ids")
+    refute_empty(obj.instance_ids, "we now have instance_ids")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].status == :running }, "all machines are running")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].security_groups.map(&:id) == [secgroup.group_id] }, "machines are in the appropriate security group")
+    assert_equal([secgroup.group_id], obj.security_group_ids, "group ids reflect all groups the machines are in")
+    instance_ids = obj.instance_ids
+    assert(obj.shutdown, "shutdown was successsful")
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines are terminated")
+
+    secgroup2 = security_group_provisioner
+    assert(secgroup2.startup, "security group was provisioned")
+    obj = @klass.new(args.merge(:security_group_ids => [secgroup.group_id]))
+
+    assert_empty(obj.instance_ids, "no instance_ids are stored")
+    result = obj.startup(:security_group_ids => [secgroup2.group_id])
+    assert(result, "machine was provisioned")
+    refute_empty(result[:ips], "result has ip addresses")
+    refute_empty(result[:ec2_instance_ids], "result has instance ids")
+    assert(result[:ips].all? { |str| str.kind_of?(String) && str.split(/\./).count == 4 && str !~ /^10\./ }, "all items are strings and look like IP addresses and are not private IPs")
+    assert(result[:ec2_instance_ids].all? { |str| str.kind_of?(String) && str =~ /^i-/ }, "all items are strings and look like EC2 instance ids")
+    refute_empty(obj.instance_ids, "we now have instance_ids")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].status == :running }, "all machines are running")
+    assert(obj.instance_ids.all? { |id| obj.ec2.instances[id].security_groups.map(&:id).sort == [secgroup.group_id, secgroup2.group_id].sort }, "machines are in the appropriate security groups")
+    assert_equal([secgroup.group_id, secgroup2.group_id].sort, obj.security_group_ids.sort, "group ids reflect all groups the machines are in")
+    instance_ids = obj.instance_ids
+    assert(obj.shutdown, "shutdown was successsful")
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines are terminated")
+  ensure
+    delete_key(obj) rescue nil
+    obj.shutdown rescue nil
+    secgroup.shutdown rescue nil
+    secgroup2.shutdown rescue nil
+  end
+
+  def test_provisioner
+    secgroup = security_group_provisioner
+    obj = @klass.new(args)
+    make_key(obj)
+
+    sched.serial = true
+    sched.schedule_provision('test1', [secgroup, obj])
+    sched.run
+    assert_solved('test1')
+    prov = sched.vm.groups['test1']
+    instance_ids = prov[1].instance_ids
+    assert_equal(1, instance_ids.count, "instance_ids are getting tracked inside the provisioner")
+    assert_equal([prov[0].group_id], prov[1].security_group_ids, "security groups were propogated correctly")
+    assert_equal(["ami #{prov[1].image_id}; #{prov[1].count} servers; instance_ids: #{instance_ids.inspect}"], prov[1].report, "reporting is accurate")
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :running }, "all instances are running")
+    sched.teardown_group('test1')
+    refute_solved('test1')
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines are terminated after shutdown")
+
+    # try with a larger count
+    obj = @klass.new(args.merge(:count => 5))
+    sched.schedule_provision('test2', [secgroup, obj])
+    sched.run
+    assert_solved('test2')
+    prov = sched.vm.groups['test2']
+    instance_ids = prov[1].instance_ids
+    assert_equal(5, instance_ids.count, "instance_ids are getting tracked inside the provisioner")
+    assert_equal([prov[0].group_id], prov[1].security_group_ids, "security groups were propogated correctly")
+    assert_equal(["ami #{prov[1].image_id}; #{prov[1].count} servers; instance_ids: #{instance_ids.inspect}"], prov[1].report, "reporting is accurate")
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :running }, "all instances are running")
+    sched.teardown_group('test2')
+    refute_solved('test2')
+    assert(instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines are terminated after shutdown")
+  ensure
+    delete_key(obj) rescue nil
+  end
+end

data/test/test_security_group.rb

@@ -0,0 +1,322 @@
+require 'helper'
+require 'furnish/provisioners/security_group'
+
+#--
+# FIXME logging tests
+#++
+class TestSecurityGroup < Furnish::SchedulerTestCase
+  AMI           = "ami-e2861d8b" # ubuntu 12.04 LTS from vendor, us-east-1 instance store
+  KEY_PAIR_NAME = "furnish-test-key"
+  DUMMY_KEY     = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDZ2lpDmXAxAo8XKThAgkF+iPcXPs6S72RPTcb191Krq43Offay8VdnLecRYLZslvbaQKLfvsfjwZP95yJt2GHnMhSOY4gXkowmjLFjth6BQK42vsuMVVDpwQn9kIPvgCh2UA3b1ti1dV9VznSgBaxDoCsZpzIlF6LHGMIU6qkX938ZQ2IPahu144FTemEwWWvPX6Eyow8narSRGTPFWqbY+Q8jti/pLroNxMiq4nMpIYlCH5fW37C7bSyQOgdAtCq3YfxzM45j2cRVOQKjNLDH8Al6OH7wOsDJUxu0MbfnHSIMcDH3jDyDWqkrAle6B0d+52/7SeqTLMrH8aMPDLIwXW9MwLW7kdMt2XCLZWCo3bf+JOvC2BxZSjLnaOaruM/ckjnzhZYX/qLm49T0feh1+3JZhYD40+aYRT+r1Se+0+AP1YeY9pRSfo0KD0nd1VbKbgIYUY0d/n5fmbsejAmGB4IhVEXgKBhSLHEJiNrB5ahqxHziObr3Y64J6uQ088egs7uxtK/NOm5WqsW+QSPu4xvtFawzkQjALw3pGw9C3DJuCJ2hoO3OdVo8SGlIGvtEYZnEOU5sWSP3gfd4TWRVgc6pOwrlXWHG1/6151Ufpm2blRZFv0j10WaDPYw/W+JEUwczrAg6hacZa0SPpybPzwNBLFQXRz1BeB/dKUykCQ=="
+
+  def setup
+    @klass = Furnish::Provisioner::SecurityGroup
+    super
+  end
+
+  def teardown
+    sched.teardown
+    super
+  end
+
+  def make_key(obj)
+    delete_key(obj)
+    obj.ec2.key_pairs.import("furnish-test-key", DUMMY_KEY)
+  end
+
+  def delete_key(obj)
+    obj.ec2.key_pairs["furnish-test-key"].delete rescue nil
+  end
+
+  def args
+    {
+      :access_key => ENV["AWS_ACCESS_KEY_ID"],
+      :secret_key => ENV["AWS_SECRET_ACCESS_KEY"],
+      :region => "us-east-1"
+    }
+  end
+
+  def create_test_group
+    obj = @klass.new(args)
+    group = obj.ec2.security_groups.create(obj.generate_group_name)
+
+    return obj, group
+  end
+
+  def validate_perms(obj, group_id, type=:ingress, &block)
+    obj.ec2.security_groups[group_id].send("#{type}_ip_permissions").any?(&block)
+  end
+
+  def can_ping(obj, group_id, cidr)
+    validate_perms(obj, group_id) { |o| o.protocol == :icmp && o.ip_ranges.include?(cidr) }
+  end
+
+  def has_rule(obj, group_id, proto, port_range, addrs=["0.0.0.0/0"])
+    unless port_range.kind_of?(Range)
+      port_range = (port_range..port_range)
+    end
+
+    validate_perms(obj, group_id) do |o|
+      o.protocol == proto && o.port_range == port_range && addrs.all? { |a| o.ip_ranges.include?(a) }
+    end
+  end
+
+  def test_constructor
+    assert_raises(
+      ArgumentError,
+      "AWS region must be provided to the provisioner."
+    ) do
+      @klass.new(:access_key => "quux", :secret_key => "frobnik")
+    end # I hereby declare syntax bankruptcy
+
+    obj = @klass.new(args)
+
+    {
+      :ingress        => { :authorize => [], :revoke => [] },
+      :egress         => { :authorize => [], :revoke => [] },
+      :allow_ping     => [],
+      :disallow_ping  => [],
+      :group_name     => :auto,
+      :group_prefix   => "furnish-auto-",
+      :kill_instances => true,
+      :group_id       => nil
+    }.each do |key, value|
+      assert_equal(value, obj.send(key), "default for #{key} is correct")
+    end
+  end
+
+  def test_generate_group_name
+    obj = @klass.new(args)
+    obj.group_prefix = nil
+
+    assert_raises(
+      ArgumentError,
+        "group_prefix must be set when auto-generating security group names"
+    ) do
+      obj.generate_group_name
+    end
+
+    obj = @klass.new(args)
+    name = obj.generate_group_name
+    assert(name.start_with?(obj.group_prefix), 'generated name starts with the group prefix')
+    refute_includes(obj.ec2.security_groups.filter('group-name', [name]).map(&:name), name, 'generated name does NOT exist')
+  end
+
+  def test_allow_disallow_ping
+    obj, test_group = create_test_group
+
+    obj.allow_ping = true
+    obj.disallow_ping = false
+    obj.apply_group_rules(test_group)
+
+    assert(
+      can_ping(obj, test_group.id, '0.0.0.0/0'),
+      'allow_ping is true when set so on the provisioner'
+    )
+
+    test_group.delete
+
+    obj, test_group = create_test_group
+
+    obj.allow_ping = false
+    obj.disallow_ping = true
+    obj.apply_group_rules(test_group)
+
+    refute(
+      can_ping(obj, test_group.id, '0.0.0.0/0'),
+      'disallow_ping is true when set so on the provisioner'
+    )
+
+    test_group.delete
+
+    cidrs = [ "1.1.1.1/32", "1.2.3.4/24" ]
+
+    obj, test_group = create_test_group
+    obj.allow_ping = cidrs
+    obj.disallow_ping = false
+    obj.apply_group_rules(test_group)
+
+    cidrs.each do |addr|
+      assert(
+        can_ping(obj, test_group.id, addr),
+        "#{addr} is whitelisted for pings when set with #allow_ping="
+      )
+    end
+
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.allow_ping = false
+    obj.disallow_ping = cidrs
+    obj.apply_group_rules(test_group)
+
+    cidrs.each do |addr|
+      refute(
+        can_ping(obj, test_group.id, addr),
+        "#{addr} is blacklisted for pings when set with #disallow_ping="
+      )
+    end
+
+    test_group.delete
+  ensure
+    test_group.delete rescue nil
+  end
+
+  def test_apply_group_rules
+    #--
+    # this does not cover allow/disallow ping, that's in test_allow_disallow_ping.
+    # FIXME still need to cover tests that only work with VPC
+    #++
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22]] }
+
+    obj.apply_group_rules(test_group)
+    assert(has_rule(obj, test_group.id, :tcp, 22), "tcp/22 rule was configured for security group")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22]], :revoke => [[:tcp, 22]] }
+    obj.apply_group_rules(test_group)
+    refute(has_rule(obj, test_group.id, :tcp, 22), "authorizing and revoking the same rule ends up in no rule")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22, '1.2.3.4/32', '2.3.4.5/8']] }
+    obj.apply_group_rules(test_group)
+    assert(has_rule(obj, test_group.id, :tcp, 22, ['1.2.3.4/32', '2.3.4.5/8']), "inlined CIDR gets propogated correctly")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22, ['1.2.3.4/32', '2.3.4.5/8']]] }
+    obj.apply_group_rules(test_group)
+    assert(has_rule(obj, test_group.id, :tcp, 22, ['1.2.3.4/32', '2.3.4.5/8']), "nested CIDR gets propogated correctly")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22..23]] }
+    obj.apply_group_rules(test_group)
+    assert(has_rule(obj, test_group.id, :tcp, 22..23), "ranges work")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.ingress = { :authorize => [[:tcp, 22..23], [:udp, 22..23]] }
+    obj.apply_group_rules(test_group)
+    assert(has_rule(obj, test_group.id, :tcp, 22..23), "mixed tcp/udp works, multiple rules work")
+    assert(has_rule(obj, test_group.id, :udp, 22..23), "mixed tcp/udp works, multiple rules work")
+    test_group.delete
+
+    obj, test_group = create_test_group
+    obj.egress = { :authorize => [['10.10.10.10/32']] }
+    assert_raises(
+      ArgumentError,
+      "egress filtering was configured for #{test_group.id}/#{test_group.name} and it is not a VPC security group"
+    ) { obj.apply_group_rules(test_group) }
+
+    test_group.delete
+  ensure
+    test_group.delete rescue nil
+  end
+
+  def test_startup
+    obj = @klass.new(args)
+
+    assert_equal(:auto, obj.group_name, "group name is :auto by default")
+    assert(obj.startup, "startup completes with defaults")
+    refute_nil(obj.group_id, "group id is set after startup")
+    refute_equal(:auto, obj.group_name, ":auto group_name was changed after startup to actual name")
+    obj.ec2.security_groups[obj.group_id].delete
+
+    group_name = "furnish-test-frobnik"
+    obj = @klass.new(args.merge(:group_name => group_name))
+    assert(obj.startup, "startup completed with fixed group name")
+    refute_nil(obj.group_id, "group id is set after startup")
+    assert_equal(group_name, obj.group_name, "group name does not change after startup when name not initially set to :auto")
+
+    obj = @klass.new(args.merge(:group_name => group_name))
+    assert(obj.startup, "startup completed on a second run of same fixed group name")
+    refute_nil(obj.group_id, "group id is set after startup on an existing group")
+    assert_equal(group_name, obj.group_name, "group name does not change after startup when name not initially set to :auto")
+    obj.ec2.security_groups[obj.group_id].delete
+
+    obj = @klass.new(args.merge(:allow_ping => ['1.1.1.1/8'], :ingress => { :authorize => [[:tcp, 22]] }))
+    assert(obj.startup, "startup completes with defaults")
+    refute_nil(obj.group_id, "group id is set after startup on an existing group")
+    assert(has_rule(obj, obj.group_id, :tcp, 22), "tcp/22 rule was configured for security group")
+    assert(can_ping(obj, obj.group_id, '1.1.1.1/8'), "ping allow was configured properly")
+    obj.ec2.security_groups[obj.group_id].delete
+  ensure
+    obj.ec2.security_groups[obj.group_id].delete rescue nil
+  end
+
+  def test_shutdown
+    #
+    # FIXME instance reap tests -- need EC2 bits done first
+    #
+
+    group_name = "furnish-test-frobnik"
+    obj = @klass.new(args.merge(:group_name => group_name))
+    refute(obj.find_group_by_name(group_name), 'group name does not exist beforehand')
+    assert(obj.shutdown, 'shutdown still works if group does not exist beforehand')
+    assert(obj.startup, 'security group was created successfully')
+    assert(obj.find_group_by_name(group_name), 'group name does exist after startup')
+    assert(obj.shutdown, 'shutdown succeeded after group creation')
+    refute(obj.find_group_by_name(group_name), 'group name does not exist after shutdown')
+
+    obj = @klass.new(args)
+    assert(obj.startup, "group was created")
+
+    make_key(obj)
+
+    ec2_obj = Furnish::Provisioner::EC2.new(
+      :access_key     => ENV["AWS_ACCESS_KEY_ID"],
+      :secret_key     => ENV["AWS_SECRET_ACCESS_KEY"],
+      :region         => "us-east-1",
+      :instance_type  => ENV["FURNISH_EC2_TEST_INSTANCE_SIZE"] || "c1.medium",
+      :key_name       => KEY_PAIR_NAME,
+      :image_id       => AMI
+    )
+
+    assert(ec2_obj.startup(:security_group_ids => [obj.group_id]), "machine was started attached to the group")
+    assert(obj.shutdown, "shutdown of security group succeeded")
+    assert(ec2_obj.instance_ids.all? { |id| obj.ec2.instances[id].status == :terminated }, "all machines have been terminated as a result of the security group termination")
+
+    obj = @klass.new(args.merge(:kill_instances => false))
+    assert(obj.startup, "group was created")
+
+    ec2_obj = Furnish::Provisioner::EC2.new(
+      :access_key     => ENV["AWS_ACCESS_KEY_ID"],
+      :secret_key     => ENV["AWS_SECRET_ACCESS_KEY"],
+      :region         => "us-east-1",
+      :instance_type  => ENV["FURNISH_EC2_TEST_INSTANCE_SIZE"] || "c1.medium",
+      :key_name       => KEY_PAIR_NAME,
+      :image_id       => AMI
+    )
+
+    assert(ec2_obj.startup(:security_group_ids => [obj.group_id]), "machine was started attached to the group")
+    assert_raises(RuntimeError) { obj.shutdown }
+    assert(ec2_obj.shutdown, "machines shutdown directly")
+    assert(obj.shutdown, "security group destroyed successfully")
+  ensure
+    delete_key(obj) rescue nil
+    obj.ec2.security_groups[obj.group_id].delete rescue nil
+  end
+
+  def test_with_scheduler
+    obj = @klass.new(args)
+    sched.serial = true
+    sched.schedule_provision('test1', [obj])
+    sched.run
+    assert_solved('test1')
+    solved_obj = sched.vm.groups['test1'].first
+    refute_equal(:auto, solved_obj.group_name, 'group_name is no longer :auto after provision')
+    assert(obj.find_group_by_name(solved_obj.group_name), 'group exists after provision')
+    refute_nil(solved_obj.group_id, 'group_id is set after provision')
+    assert_equal(["name: #{solved_obj.group_name}, id: #{solved_obj.group_id}"], solved_obj.report, "report is returning expected data")
+    sched.teardown
+    refute(obj.find_group_by_name(solved_obj.group_name), 'group does not exist after teardown')
+  ensure
+    obj.find_group_by_name(obj.group_name).delete rescue nil
+    obj.ec2.security_groups[obj.group_id].delete rescue nil
+  end
+end