Class: Awspec::Generator::Spec::SecurityGroup

Inherits:
Object
  • Object
show all
Includes:
Helper::Finder
Defined in:
lib/awspec/generator/spec/security_group.rb

Constant Summary

Constants included from Helper::Finder

Helper::Finder::CLIENTS, Helper::Finder::CLIENT_OPTIONS

Instance Method Summary collapse

Methods included from Helper::Finder

#select_subnet_by_vpc_id

Methods included from Helper::Finder::Transfer

#find_transfer_server

Methods included from Helper::Finder::CognitoIdentityPool

#find_identitypool_by_name

Methods included from Helper::Finder::Msk

#find_msk_cluster_by_name

Methods included from Helper::Finder::CognitoUserPool

#find_userpool_by_name

Methods included from Helper::Finder::Secretsmanager

#find_secret

Methods included from Helper::Finder::Mq

#find_broker

Methods included from Helper::Finder::Codedeploy

#find_codedeploy_app, #find_codedeploy_deployment_group

Methods included from Helper::Finder::Redshift

#find_redshift_cluster_identifier, #select_all_redshift_cluster_parameters, #select_redshift_by_vpc_id

Methods included from Helper::Finder::Emr

#find_emr_cluster

Methods included from Helper::Finder::SNSTopic

#find_sns_topic, #find_sns_topic_subs

Methods included from Helper::Finder::Eks

#find_eks_cluster, #find_eks_nodegroup

Methods included from Helper::Finder::Batch

#find_batch_compute_environment, #find_batch_job_definition, #find_batch_job_queue

Methods included from Helper::Finder::Kinesis

#find_kinesis_by_stream_name

Methods included from Helper::Finder::Apigateway

#find_api_resources_by_id, #find_apigateway_by_id, #find_apigateway_by_name

Methods included from Helper::Finder::Codebuild

#find_codebuild_project, #select_all_codebuild_projects

Methods included from Helper::Finder::Cloudformation

#find_cloudformation_stack

Methods included from Helper::Finder::SsmParameter

#find_parameter_tag, #find_ssm_parameter

Methods included from Helper::Finder::Sqs

#find_queue, #find_tags_for_queue

Methods included from Helper::Finder::Dynamodb

#find_dynamodb_table

Methods included from Helper::Finder::CloudwatchLogs

#find_cloudwatch_logs_group, #find_cloudwatch_logs_metric_fileter_by_log_group_name, #find_cloudwatch_logs_stream_by_log_group_name, #find_cloudwatch_logs_subscription_fileter_by_log_group_name, #find_tags_by_log_group_name, #last_cloudwatch_logs_stream_by_log_group_name, #select_all_cloudwatch_logs_log_groups

Methods included from Helper::Finder::AccountAttributes

#find_ec2_account_attributes, #find_lambda_account_settings, #find_rds_account_attributes, #find_ses_send_quota

Methods included from Helper::Finder::Acm

#find_certificate, #select_all_certificates

Methods included from Helper::Finder::WafRegional

#find_wafregional_ip_set, #find_wafregional_rule, #find_wafregional_web_acl

Methods included from Helper::Finder::Waf

#find_waf_ip_set, #find_waf_rule, #find_waf_web_acl

Methods included from Helper::Finder::Cloudtrail

#find_trail, #get_trail_status, #get_trail_tags, #is_logging?, #select_all_trails

Methods included from Helper::Finder::Elastictranscoder

#find_pipeline

Methods included from Helper::Finder::Cloudfront

#find_cloudfront_distribution

Methods included from Helper::Finder::Ami

#find_ami

Methods included from Helper::Finder::Directconnect

#find_virtual_interface, #select_virtual_interfaces

Methods included from Helper::Finder::Ses

#find_ses_identity

Methods included from Helper::Finder::CloudwatchEvent

#find_cloudwatch_event, #select_all_cloudwatch_events

Methods included from Helper::Finder::Cloudwatch

#find_cloudwatch_alarm, #select_all_cloudwatch_alarms

Methods included from Helper::Finder::Elasticsearch

#find_elasticsearch_domain, #select_all_elasticsearch_domains

Methods included from Helper::Finder::Elasticache

#find_cache_cluster, #find_cache_subnet_group

Methods included from Helper::Finder::Kms

#find_kms_key, #find_kms_key_by_alias, #select_all_kms_aliases

Methods included from Helper::Finder::Iam

#select_all_attached_policies, #select_all_iam_groups, #select_all_iam_roles, #select_all_iam_users, #select_attached_entities, #select_attached_groups, #select_attached_roles, #select_attached_users, #select_iam_group_by_user_name, #select_policy_evaluation_results

Methods included from Helper::Finder::Lambda

#find_lambda, #select_all_lambda_functions, #select_event_source_by_function_arn

Methods included from Helper::Finder::Elb

#find_elb, #find_elb_attribute, #select_all_elb_tags, #select_elb_by_vpc_id

Methods included from Helper::Finder::Ebs

#find_ebs, #select_all_attached_ebs, #select_ebs_by_instance_id

Methods included from Helper::Finder::Autoscaling

#find_autoscaling_group, #find_block_device_mapping, #find_launch_configuration, #select_alb_target_group_by_autoscaling_group_name, #select_autoscaling_group_by_vpc_id, #select_lb_target_group_by_autoscaling_group_name

Methods included from Helper::Finder::S3

#find_bucket, #find_bucket_acl, #find_bucket_cors, #find_bucket_lifecycle_configuration, #find_bucket_location, #find_bucket_logging, #find_bucket_policy, #find_bucket_server_side_encryption, #find_bucket_tag, #find_bucket_versioning, #head_object, #select_all_buckets

Methods included from Helper::Finder::Route53

#find_hosted_zone, #select_record_sets_by_hosted_zone_id

Methods included from Helper::Finder::Rds

#find_db_cluster, #find_db_subnet_group, #find_global_cluster, #find_rds, #find_rds_proxy, #select_all_rds_db_cluster_parameters, #select_all_rds_db_parameters, #select_rds_by_vpc_id, #select_rds_proxy_by_vpc_id

Methods included from Helper::Finder::SecurityGroup

#describe_security_groups, #find_security_group, #select_security_group_by_group_id, #select_security_group_by_group_name, #select_security_group_by_tag_name, #select_security_group_by_vpc_id

Methods included from Helper::Finder::Firehose

#find_delivery_stream

Methods included from Helper::Finder::Eip

#select_eip, #select_eip_by_instance_id

Methods included from Helper::Finder::Efs

#find_efs, #find_efs_tags, #get_id_by_name_tag, #get_name_by_id, #select_all_file_systems

Methods included from Helper::Finder::Ecs

#find_ecs_cluster, #find_ecs_container_instance, #find_ecs_container_instances, #find_ecs_service, #find_ecs_task_definition, #select_ecs_container_instance_arn_by_cluster_name

Methods included from Helper::Finder::Ecr

#find_ecr_repository, #get_policy_text

Methods included from Helper::Finder::Ec2

#dup_ec2_instance, #find_ec2, #find_ec2_attribute, #find_ec2_credit_specifications, #find_ec2_status, #find_launch_template, #find_launch_template_versions, #find_nat_gateway, #find_network_interface, #find_tgw_attachments_by_tgw_id, #find_vpn_connection, #select_ec2_by_vpc_id, #select_internet_gateway_by_vpc_id, #select_nat_gateway_by_vpc_id, #select_network_interface_by_instance_id, #select_network_interface_by_vpc_id

Methods included from Helper::Finder::Subnet

#find_subnet

Methods included from Helper::Finder::VpcEndpoints

#find_vpc_endpoint

Methods included from Helper::Finder::Vpc

#find_network_acl, #find_route_table, #find_vpc, #find_vpc_attribute, #find_vpc_peering_connection, #select_network_acl_by_vpc_id, #select_route_table_by_vpc_id, #select_vpc_attribute, #select_vpc_peering_connection_by_vpc_id

Methods included from Helper::Finder::Alb

#find_alb, #find_alb_listener, #find_alb_target_group, #select_alb_by_vpc_id, #select_alb_listener_by_alb_arn, #select_all_alb_tags, #select_rule_by_alb_listener_id

Methods included from Helper::Finder::Nlb

#find_nlb, #find_nlb_listener, #find_nlb_target_group, #select_nlb_by_vpc_id, #select_nlb_listener_by_nlb_arn, #select_rule_by_nlb_listener_id

Instance Method Details

#generate_by_vpc_id(vpc_id) ⇒ Object



7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
# File 'lib/awspec/generator/spec/security_group.rb', line 7

def generate_by_vpc_id(vpc_id)
  describes = %w[
    group_id group_name
  ]
  vpc = find_vpc(vpc_id)
  raise 'Not Found VPC' unless vpc

  @vpc_id = vpc[:vpc_id]
  @vpc_tag_name = vpc.tag_name
  sgs = select_security_group_by_vpc_id(@vpc_id)

  specs = sgs.map do |sg|
    linespecs = generate_linespecs(sg)
    inbound_rule_count = sg[:ip_permissions].reduce(0) do |sum, permission|
      sum += permission.ip_ranges.count + permission.user_id_group_pairs.count
    end
    outbound_rule_count = sg[:ip_permissions_egress].reduce(0) do |sum, permission|
      sum += permission.ip_ranges.count + permission.user_id_group_pairs.count
    end
    content = ERB.new(security_group_spec_template, nil, '-').result(binding).gsub(/^\n/, '')
  end
  specs.join("\n")
end

#generate_linespecs(sg) ⇒ Object



31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
# File 'lib/awspec/generator/spec/security_group.rb', line 31

def generate_linespecs(sg)
  linespecs = []
  permissions = { 'inbound' => sg.ip_permissions, 'outbound' => sg.ip_permissions_egress }
  %w[inbound outbound].each do |inout|
    permissions[inout].each do |permission|
      port = if permission.from_port.nil?
               nil
             elsif permission.from_port == permission.to_port
               permission.from_port
             else
               "'#{permission.from_port}-#{permission.to_port}'"
             end

      protocol = if permission.ip_protocol.to_i < 0
                   'all'
                 else
                   permission.ip_protocol
                 end

      permission.ip_ranges.each do |ip_range|
        target = ip_range.cidr_ip
        linespecs.push(ERB.new(security_group_spec_linetemplate, nil, '-').result(binding))
      end
      permission.user_id_group_pairs.each do |group|
        target = group.group_name
        target = group.group_id unless group.group_name
        linespecs.push(ERB.new(security_group_spec_linetemplate, nil, '-').result(binding))
      end
    end
  end
  linespecs
end

#security_group_spec_linetemplateObject



64
65
66
67
68
# File 'lib/awspec/generator/spec/security_group.rb', line 64

def security_group_spec_linetemplate
  <<-'EOF'
its(:<%= inout %>) { should be_opened<%- unless port.nil? -%>(<%= port %>)<%- end -%>.protocol('<%= protocol %>').for('<%= target %>') }
EOF
end

#security_group_spec_templateObject



70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
# File 'lib/awspec/generator/spec/security_group.rb', line 70

def security_group_spec_template
  <<-'EOF'
describe security_group('<%= sg.group_name %>') do
  it { should exist }
<% describes.each do |describe| %>
<%- if sg.key?(describe) -%>
  its(:<%= describe %>) { should eq '<%= sg[describe] %>' }
<%- end -%>
<% end %>
<% linespecs.each do |line| %>
  <%= line %>
<% end %>
  its(:inbound_rule_count) { should eq <%= inbound_rule_count %> }
  its(:outbound_rule_count) { should eq <%= outbound_rule_count %> }
  its(:inbound_permissions_count) { should eq <%= sg.ip_permissions.count %> }
  its(:outbound_permissions_count) { should eq <%= sg.ip_permissions_egress.count %> }
<%- if @vpc_tag_name -%>
  it { should belong_to_vpc('<%= @vpc_tag_name %>') }
<%- else -%>
  it { should belong_to_vpc('<%= @vpc_id %>') }
<%- end -%>
end
EOF
end