creates security groups if they don't already exist

lib/ec2-security-czar/base.rb

@@ -20,6 +20,7 @@ def initialize(environment=nil, args={})
       else
         @ec2 = AWS.ec2
       end
+      create_missing_security_groups
     end
 
     def update_rules
@@ -33,6 +34,11 @@ def security_groups
       SecurityGroup.from_api(ec2)
     end
 
+    def create_missing_security_groups
+      security_groups
+      SecurityGroup.missing_security_groups.each{|msg| ec2.security_groups.create(msg)}
+    end
+
     def load_config
       return @config if @config
       @config = AwsConfig[YAML.load_file(config_filename)]

lib/ec2-security-czar/security_group.rb

@@ -42,7 +42,7 @@ def update_rules
     end
 
     def self.from_api(ec2)
-      @security_groups ||= ec2.security_groups
+      @security_groups = ec2.security_groups
     end
 
     def self.name_lookup(name)
@@ -53,6 +53,16 @@ def self.name_lookup(name)
       @security_group_hash[name]
     end
 
+    def self.config_security_groups
+      Dir["config/*.yml"].reject!{|file| file == "config/aws_keys.yml"}.map do |file|
+        File.basename(file,File.extname(file))
+      end
+    end
+
+    def self.missing_security_groups
+      config_security_groups - security_groups.map(&:name)
+    end
+
     private
 
     def self.security_groups

spec/lib/ec2-security-czar/base_spec.rb

@@ -16,6 +16,8 @@ module Ec2SecurityCzar
       stub_const("SecurityGroup", double("Security Group"))
       allow(AWS).to receive(:ec2).and_return(ec2)
       allow(AWS).to receive(:config)
+      allow(SecurityGroup).to receive(:missing_security_groups) {[]}
+      allow(SecurityGroup).to receive(:from_api) {[]}
     end
 
     context ".new" do
@@ -44,7 +46,6 @@ module Ec2SecurityCzar
           subject.new
         end
         it "runs mfa auth" do
-          allow(AWS).to receive(:config)
           expect_any_instance_of(Base).to receive(:mfa_auth).with(mfa_token)
           subject.new(nil, token: mfa_token)
         end
@@ -85,6 +86,18 @@ module Ec2SecurityCzar
       end
     end
 
+    context "#create_missing_security_rules" do
+      let(:aws_security_groups) { double }
+
+      it "calls AWS.security_group.create" do
+        allow(SecurityGroup).to receive(:missing_security_groups).and_return([], ["foo_group"])
+        allow(ec2).to receive(:security_groups) {aws_security_groups}
+        expect(aws_security_groups).to receive(:create).with("foo_group")
+        allow_any_instance_of(Base).to receive(:security_groups)
+        subject.create_missing_security_groups
+      end
+    end
+
     context "#security_groups" do
       it "delegates to the SecurityGroup class" do
         expect(SecurityGroup).to receive(:from_api).with(ec2)

spec/lib/ec2-security-czar/security_group_spec.rb

@@ -87,6 +87,44 @@ module Ec2SecurityCzar
       end
     end
 
+    context "#config_security_groups" do
+      let(:environment) { 'parsed' }
+      let(:erb_file) { "--- \nenvironment: <%= environment %> \n" }
+
+      before do
+        allow(File).to receive(:read).with(filename).and_return(erb_file)
+      end
+
+      it "returns an array of file names with out the extension" do
+        allow(Dir).to receive(:[]).and_return(["config/aws_keys.yml", "config/foo.yml", "config/bar.yml"])
+        expect(SecurityGroup.send(:config_security_groups)).to eq(["foo","bar"])
+      end
+    end
+
+    context "#missing_security_groups" do
+      let(:environment) { 'parsed' }
+      let(:erb_file) { "--- \nenvironment: <%= environment %> \n" }
+      let(:security_group_1) { double }
+      let(:security_group_2) { double }
+
+      before do
+        allow(File).to receive(:read).with(filename).and_return(erb_file)
+        allow(SecurityGroup).to receive(:config_security_groups).and_return(["foo","bar"])
+        allow(security_group_1).to receive(:name).and_return("foo")
+        allow(security_group_2).to receive(:name).and_return("bar")
+      end
+
+      it "returns nil if config_security_groups is the same as security_groups" do
+        allow(SecurityGroup).to receive(:security_groups).and_return([security_group_1, security_group_2])
+        expect(SecurityGroup.send(:missing_security_groups)).to eq([])
+      end
+
+      it "returns groups in config_security_groups not in security_groups" do
+        allow(SecurityGroup).to receive(:security_groups).and_return([security_group_2])
+        expect(SecurityGroup.send(:missing_security_groups)).to eq(["foo"])
+      end
+    end
+
     context ".name_lookup" do
       let(:security_group_name) { 'sec-group-name' }
       let(:security_group_id) { 'sec-group' }
@@ -99,6 +137,9 @@ module Ec2SecurityCzar
 
     context ".from_api" do
       let(:ec2) { double }
+      before do
+        SecurityGroup.instance_variable_set(:@security_groups, nil)
+      end
       it "delegates to the ec2 object" do
         expect(ec2).to receive(:security_groups)
         SecurityGroup.from_api(ec2)