Updating SecurityGroup / Ingress Spec (#27)

* Updating SecurityGroup / Ingress Spec to allow From/To to be conditional per AWS CFT Specs

* Update cfn_parser_security_group_spec.rb

* Fixing Merge format.

* Update security_group.rb

lib/cfn-model/schema/AWS_EC2_SecurityGroupEgress.yml

@@ -11,7 +11,7 @@ mapping:
     mapping:
       FromPort:
         type:   any
-        required: yes
+        required: no
       GroupId:
         type: any
         required: yes
@@ -20,7 +20,7 @@ mapping:
         required: yes
       ToPort:
         type:   any
-        required: yes
+        required: no
       =:
         type: any
   =:

lib/cfn-model/schema/AWS_EC2_SecurityGroupIngress.yml

@@ -11,7 +11,7 @@ mapping:
     mapping:
       FromPort:
         type:   any
-        required: yes
+        required: no
       GroupId:
         type: any
         required: yes
@@ -20,7 +20,7 @@ mapping:
         required: yes
       ToPort:
         type:   any
-        required: yes
+        required: no
       =:
         type: any
   =:

spec/factories/security_group.rb

@@ -26,6 +26,35 @@ def security_group_with_one_ingress_rule(cfn_model: CfnModel.new, security_group
   expected_security_group
 end
 
+def security_group_with_one_ingress_rule_ipprotocol(cfn_model: CfnModel.new, security_group_id: 'sg3', ingress_group_id: nil)
+  ingress_rule = AWS::EC2::SecurityGroupIngress.new cfn_model
+  ingress_rule.cidrIp = '10.1.2.3/32'
+  ingress_rule.ipProtocol = '-1'
+  ingress_rule.groupId = ingress_group_id
+
+  expected_security_group = AWS::EC2::SecurityGroup.new cfn_model
+  expected_security_group.vpcId = { 'Ref' => 'VpcId' }
+  expected_security_group.groupDescription = 'some_group_desc'
+  expected_security_group.logical_resource_id = security_group_id
+  expected_security_group.ingresses << ingress_rule
+  expected_security_group.securityGroupIngress << {
+      'CidrIp' => '10.1.2.3/32',
+      'IpProtocol' => '-1'
+  }
+
+  yield expected_security_group, ingress_rule if block_given?
+  expected_security_group
+end
+
+def standalone_ingress_rule_ip_protocol(cfn_model: CfnModel.new)
+  expected_ingress_rule = AWS::EC2::SecurityGroupIngress.new cfn_model
+  expected_ingress_rule.cidrIp = '10.1.2.3/32'
+  expected_ingress_rule.ipProtocol = '-1'
+  expected_ingress_rule.groupId = 'group1'
+
+  expected_ingress_rule
+end
+
 def security_group_with_no_rules(cfn_model: CfnModel.new, id: 'sg')
   expected_security_group = AWS::EC2::SecurityGroup.new cfn_model
   expected_security_group.vpcId = { 'Ref' => 'VpcId' }
@@ -146,3 +175,32 @@ def security_group_with_one_ingress_and_one_egress_rule(cfn_model: CfnModel.new,
   yield expected_security_group, ingress_rule, egress_rule if block_given?
   expected_security_group
 end
+
+def security_group_with_one_egress_rule_ipprotocol(cfn_model: CfnModel.new, security_group_id: 'sg3', ingress_group_id: nil)
+  egress_rule = AWS::EC2::SecurityGroupEgress.new cfn_model
+  egress_rule.cidrIp = '10.1.2.3/32'
+  egress_rule.ipProtocol = '-1'
+  egress_rule.groupId = ingress_group_id
+
+  expected_security_group = AWS::EC2::SecurityGroup.new cfn_model
+  expected_security_group.vpcId = { 'Ref' => 'VpcId' }
+  expected_security_group.groupDescription = 'some_group_desc'
+  expected_security_group.logical_resource_id = security_group_id
+  expected_security_group.egresses << egress_rule
+  expected_security_group.securityGroupEgress << {
+      'CidrIp' => '10.1.2.3/32',
+      'IpProtocol' => '-1'
+  }
+
+  yield expected_security_group, egress_rule if block_given?
+  expected_security_group
+end
+
+def standalone_egress_rule_ip_protocol(cfn_model: CfnModel.new)
+  expected_egress_rule = AWS::EC2::SecurityGroupEgress.new cfn_model
+  expected_egress_rule.cidrIp = '10.1.2.3/32'
+  expected_egress_rule.ipProtocol = '-1'
+  expected_egress_rule.groupId = 'group1'
+
+  expected_egress_rule
+end

spec/parser/cfn_parser_security_group_spec.rb

@@ -72,6 +72,35 @@
     end
   end
 
+  context 'a security group with one ingress with -1 IP protocol' do
+    it 'returns a size-1 collection of SecurityGroup object with size-1 collection of ingress rules' do
+      expected_security_groups = [
+          security_group_with_one_ingress_rule_ipprotocol
+      ]
+
+      test_templates('security_group/valid_security_group_with_single_ingress_ip_protocol').each do |test_template|
+        cfn_model = @cfn_parser.parse IO.read(test_template)
+
+        expect(cfn_model.security_groups).to eq expected_security_groups
+      end
+    end
+  end
+
+
+  context 'a stand alone ingress with -1 IP Protocol' do
+    it 'returns a size-1 collection of SecurityGroupIngress rules' do
+      expected_security_groups = [
+          standalone_ingress_rule_ip_protocol
+      ]
+
+      test_templates('security_group/valid_standalone_ingress_ipprotocol').each do |test_template|
+        cfn_model = @cfn_parser.parse IO.read(test_template)
+
+        expect(cfn_model.standalone_ingress).to eq expected_security_groups
+      end
+    end
+  end
+
   context 'a security group with two externalized ingress' do
     it 'returns a size-1 collection of SecurityGroup object with size-1 collection of ingress rules' do
       expected_security_groups = [
@@ -226,6 +255,34 @@
     end
   end
 
+  context 'a security group with one egress with -1 IP protocol' do
+    it 'returns a size-1 collection of SecurityGroup object with size-1 collection of egress rules' do
+      expected_security_groups = [
+          security_group_with_one_egress_rule_ipprotocol
+      ]
+
+      yaml_test_templates('security_group/valid_security_group_with_single_egress_ip_protocol').each do |test_template|
+        cfn_model = @cfn_parser.parse IO.read(test_template)
+
+        expect(cfn_model.security_groups).to eq expected_security_groups
+      end
+    end
+  end
+
+
+  context 'a stand alone egress with -1 IP Protocol' do
+    it 'returns a size-1 collection of SecurityGroupEgress rules' do
+      expected_security_groups = [
+          standalone_egress_rule_ip_protocol
+      ]
+
+      yaml_test_templates('security_group/valid_standalone_egress_ipprotocol').each do |test_template|
+        cfn_model = @cfn_parser.parse IO.read(test_template)
+
+        expect(cfn_model.standalone_egress).to eq expected_security_groups
+      end
+    end
+  end
 
   context 'egresses are parameterized', :synth do
     it 'maps the Fn::If to a hash and skips objectification of it' do
@@ -239,5 +296,5 @@
         expect(cfn_model.resources['sg1'].egresses.first.cidrIp).to eq '0.0.0.0/0'
       end
     end
-  end#
-end
+  end 
+end#

spec/test_templates/json/security_group/valid_security_group_with_single_egress_ip_protocol.json

@@ -0,0 +1,21 @@
+{
+  "Parameters": {
+    "VpcId": {
+      "Type": "AWS::EC2::VPC::Id"
+    }
+  },
+
+  "Resources": {
+    "sg3": {
+      "Type" : "AWS::EC2::SecurityGroup",
+      "Properties" : {
+        "GroupDescription" : "some_group_desc",
+        "SecurityGroupEgress" : {
+          "CidrIp": "10.1.2.3/32",
+          "IpProtocol": "-1"
+        },
+        "VpcId" : { "Ref": "VpcId" }
+      }
+    }
+  }
+}

spec/test_templates/json/security_group/valid_security_group_with_single_ingress_ip_protocol.json

@@ -0,0 +1,21 @@
+{
+  "Parameters": {
+    "VpcId": {
+      "Type": "AWS::EC2::VPC::Id"
+    }
+  },
+
+  "Resources": {
+    "sg3": {
+      "Type" : "AWS::EC2::SecurityGroup",
+      "Properties" : {
+        "GroupDescription" : "some_group_desc",
+        "SecurityGroupIngress" : {
+          "CidrIp": "10.1.2.3/32",
+          "IpProtocol": "-1"
+        },
+        "VpcId" : { "Ref": "VpcId" }
+      }
+    }
+  }
+}

spec/test_templates/json/security_group/valid_standalone_egress_ipprotocol.json

@@ -0,0 +1,18 @@
+{
+  "Parameters": {
+    "VpcId": {
+      "Type": "AWS::EC2::VPC::Id"
+    }
+  },
+
+  "Resources": {
+    "sgi3": {
+      "Type": "AWS::EC2::SecurityGroupEgress",
+      "Properties": {
+        "GroupId": "group1",
+        "CidrIp": "10.1.2.3/32",
+        "IpProtocol": "-1"
+      }
+    }
+  }
+}

spec/test_templates/json/security_group/valid_standalone_ingress_ipprotocol.json

@@ -0,0 +1,18 @@
+{
+  "Parameters": {
+    "VpcId": {
+      "Type": "AWS::EC2::VPC::Id"
+    }
+  },
+
+  "Resources": {
+    "sgi3": {
+      "Type": "AWS::EC2::SecurityGroupIngress",
+      "Properties": {
+        "GroupId": "group1",
+        "CidrIp": "10.1.2.3/32",
+        "IpProtocol": "-1"
+      }
+    }
+  }
+}

spec/test_templates/yaml/security_group/valid_security_group_with_single_egress_ip_protocol.yml

@@ -0,0 +1,15 @@
+---
+Parameters:
+  VpcId:
+    Type: "AWS::EC2::VPC::Id"
+
+Resources:
+  sg3:
+    Type: "AWS::EC2::SecurityGroup"
+    Properties:
+      GroupDescription: "some_group_desc"
+      SecurityGroupEgress:
+        CidrIp: "10.1.2.3/32"
+        IpProtocol: '-1'
+      VpcId:
+        Ref: VpcId

spec/test_templates/yaml/security_group/valid_security_group_with_single_ingress_ip_protocol.yml

@@ -0,0 +1,15 @@
+---
+Parameters:
+  VpcId:
+    Type: "AWS::EC2::VPC::Id"
+
+Resources:
+  sg3:
+    Type: "AWS::EC2::SecurityGroup"
+    Properties:
+      GroupDescription: "some_group_desc"
+      SecurityGroupIngress:
+        CidrIp: "10.1.2.3/32"
+        IpProtocol: '-1'
+      VpcId:
+        Ref: VpcId

spec/test_templates/yaml/security_group/valid_standalone_egress_ipprotocol.yml

@@ -0,0 +1,8 @@
+---
+Resources:
+  sgi3:
+    Type: "AWS::EC2::SecurityGroupEgress"
+    Properties:
+        GroupId: 'group1'
+        CidrIp: "10.1.2.3/32"
+        IpProtocol: '-1'

spec/test_templates/yaml/security_group/valid_standalone_ingress_ipprotocol.yml

@@ -0,0 +1,8 @@
+---
+Resources:
+  sgi3:
+    Type: "AWS::EC2::SecurityGroupIngress"
+    Properties:
+        GroupId: 'group1'
+        CidrIp: "10.1.2.3/32"
+        IpProtocol: '-1'