#409 Update relationship between NACL and its entries

lib/cfn-model/model/ec2_network_acl.rb

@@ -3,13 +3,11 @@
 require_relative 'model_element'
 
 class AWS::EC2::NetworkAcl < ModelElement
-  attr_accessor :network_acl_egress_entries
-  attr_accessor :network_acl_ingress_entries
+  attr_accessor :network_acl_entries
 
   def initialize(cfn_model)
     super
-    @network_acl_egress_entries = []
-    @network_acl_ingress_entries = []
+    @network_acl_entries = []
     @resource_type = 'AWS::EC2::NetworkAcl'
   end
-end
+end

lib/cfn-model/model/ec2_network_acl_entry.rb

@@ -0,0 +1,10 @@
+# frozen_string_literal: true
+
+require_relative 'model_element'
+
+class AWS::EC2::NetworkAclEntry < ModelElement
+  def initialize(cfn_model)
+    super
+    @resource_type = 'AWS::EC2::NetworkAclEntry'
+  end
+end

lib/cfn-model/parser/ec2_network_acl_parser.rb

@@ -8,45 +8,23 @@
 class Ec2NetworkAclParser
   def parse(cfn_model:, resource:)
     network_acl = resource
-
     attach_nacl_entries_to_nacl(cfn_model: cfn_model, network_acl: network_acl)
     network_acl
   end
 
   private
 
-  def egress_network_acl_entries(cfn_model)
-    network_acl_entries = cfn_model.resources_by_type 'AWS::EC2::NetworkAclEntry'
-    network_acl_entries.select(&:egress)
-  end
-
-  def ingress_network_acl_entries(cfn_model)
-    network_acl_entries = cfn_model.resources_by_type 'AWS::EC2::NetworkAclEntry'
-    network_acl_entries.select do |network_acl_entry|
-      not_truthy?(network_acl_entry.egress)
-    end
-  end
-
-  def egress_nacl_entries_for_nacl(cfn_model, logical_resource_id)
-    egress_nacl_entries = egress_network_acl_entries(cfn_model)
-    egress_nacl_entries.select do |egress_nacl_entry|
-      References.resolve_resource_id(egress_nacl_entry.networkAclId) == logical_resource_id
-    end
-  end
-
-  def ingress_nacl_entries_for_nacl(cfn_model, logical_resource_id)
-    ingress_nacl_entries = ingress_network_acl_entries(cfn_model)
-    ingress_nacl_entries.select do |ingress_nacl_entry|
-      References.resolve_resource_id(ingress_nacl_entry.networkAclId) == logical_resource_id
+  def nacl_entries_for_nacl(cfn_model, logical_resource_id)
+    network_acl_entries = cfn_model.resources_by_type('AWS::EC2::NetworkAclEntry')
+                                   .select do |network_acl_entry|
+      References.resolve_resource_id(network_acl_entry.networkAclId) == logical_resource_id
     end
+    network_acl_entries
   end
 
   def attach_nacl_entries_for_nacl(cfn_model, network_acl)
-    egress_nacl_entries_for_nacl(cfn_model, network_acl.logical_resource_id).each do |egress_entry|
-      network_acl.network_acl_egress_entries << egress_entry.logical_resource_id
-    end
-    ingress_nacl_entries_for_nacl(cfn_model, network_acl.logical_resource_id).each do |ingress_entry|
-      network_acl.network_acl_ingress_entries << ingress_entry.logical_resource_id
+    nacl_entries_for_nacl(cfn_model, network_acl.logical_resource_id).each do |network_acl_entry|
+      network_acl.network_acl_entries << network_acl_entry
     end
   end
 

lib/cfn-model/schema/AWS_EC2_NetworkAcl.yml

@@ -0,0 +1,15 @@
+---
+type: map
+mapping:
+  Type:
+    type: str
+    required: yes
+    pattern: /AWS::EC2::NetworkAcl/
+  Properties:
+    type: map
+    required: yes
+    mapping:
+      =:
+        type: any
+  =:
+    type: any

lib/cfn-model/schema/AWS_EC2_NetworkAclEntry.yml

@@ -0,0 +1,21 @@
+---
+type: map
+mapping:
+  Type:
+    type: str
+    required: yes
+    pattern: /AWS::EC2::NetworkAclEntry/
+  Properties:
+    type: map
+    required: yes
+    mapping:
+      Icmp:
+        type: any
+        required: no
+      PortRange:
+        type: any
+        required: no
+      =:
+        type: any
+  =:
+    type: any

spec/factories/ec2_network_acl.rb

@@ -1,42 +1,38 @@
 require 'cfn-model/model/ec2_network_acl'
+require 'cfn-model/model/ec2_network_acl_entry'
 require 'cfn-model/model/cfn_model'
 
-def network_acl_with_one_egress_entry(cfn_model: CfnModel.new)
-  network_acl = AWS::EC2::NetworkAcl.new cfn_model
-  network_acl.vpcId = 'testvpc1'
-  network_acl.network_acl_egress_entries << 'EgressEntry1'
-  network_acl
+def network_acl_with_one_entry(cfn_model: CfnModel.new, network_acl_id: 'myNetworkAcl',
+                               network_acl_entry_id: 'EgressEntry1')
+  network_acl_entry = AWS::EC2::NetworkAclEntry.new cfn_model
+  network_acl_entry.portRange = { 'From' => '443', 'To' => '443' }
+  network_acl_entry.logical_resource_id = network_acl_entry_id
+  network_acl_entry.protocol = '6'
+  network_acl_entry.ruleAction = 'allow'
+  network_acl_entry.ruleNumber = '100'
+  network_acl_entry.cidrBlock = '10.0.0.0/16'
+  network_acl_entry.egress = true
+  network_acl_entry.networkAclId = { 'Ref' => network_acl_id }
+  network_acl_entry
 end
 
-def network_acl_with_two_egress_entries(cfn_model: CfnModel.new)
-  network_acl = AWS::EC2::NetworkAcl.new cfn_model
-  network_acl.vpcId = 'testvpc1'
-  %w[EgressEntry1 EgressEntry2].each do |egress_entry|
-    network_acl.network_acl_egress_entries << egress_entry
-  end
-  network_acl
-end
-
-def network_acl_with_one_ingress_entry(cfn_model: CfnModel.new)
-  network_acl = AWS::EC2::NetworkAcl.new cfn_model
-  network_acl.vpcId = 'testvpc1'
-  network_acl.network_acl_ingress_entries << 'IngressEntry1'
-  network_acl
-end
-
-def network_acl_with_two_ingress_entries(cfn_model: CfnModel.new)
-  network_acl = AWS::EC2::NetworkAcl.new cfn_model
-  network_acl.vpcId = 'testvpc1'
-  %w[IngressEntry1 IngressEntry2].each do |ingress_entry|
-    network_acl.network_acl_ingress_entries << ingress_entry
-  end
-  network_acl
-end
-
-def network_acl_with_egress_and_ingress_entries(cfn_model: CfnModel.new)
-  network_acl = AWS::EC2::NetworkAcl.new cfn_model
-  network_acl.vpcId = 'testvpc1'
-  network_acl.network_acl_egress_entries << 'EgressEntry1'
-  network_acl.network_acl_ingress_entries << 'IngressEntry1'
-  network_acl
+def network_acl_with_two_entries(cfn_model: CfnModel.new, network_acl_id: 'myNetworkAcl',
+                                 network_acl_entry_id1: 'EgressEntry1',
+                                 network_acl_entry_id2: 'EgressEntry2')
+  network_acl_entries = []
+  network_acl_entry1 = AWS::EC2::NetworkAclEntry.new cfn_model
+  network_acl_entry2 = AWS::EC2::NetworkAclEntry.new cfn_model
+  network_acl_entry1.protocol = network_acl_entry2.protocol = '6'
+  network_acl_entry1.ruleAction = network_acl_entry2.ruleAction = 'allow'
+  network_acl_entry1.cidrBlock = network_acl_entry2.cidrBlock = '10.0.0.0/16'
+  network_acl_entry1.egress = network_acl_entry2.egress = true
+  network_acl_entry1.networkAclId = network_acl_entry2.networkAclId = { 'Ref' => network_acl_id }
+  network_acl_entry1.portRange = { 'From' => '443', 'To' => '443' }
+  network_acl_entry2.portRange = { 'From' => '80', 'To' => '80' }
+  network_acl_entry1.logical_resource_id = network_acl_entry_id1
+  network_acl_entry2.logical_resource_id = network_acl_entry_id2
+  network_acl_entry1.ruleNumber = '100'
+  network_acl_entry2.ruleNumber = '200'
+  network_acl_entries << network_acl_entry1 << network_acl_entry2
+  network_acl_entries
 end

spec/parser/cfn_parser_ec2_network_acl_spec.rb

@@ -7,77 +7,31 @@
   end
 
   context 'Network ACL that has one egress entry' do
-    it 'returns a Network ACL with one egress entry' do
-      expected_nacls = network_acl_with_one_egress_entry(cfn_model: CfnModel.new)
-      yaml_test_templates('ec2_network_acl/nacl_with_one_egress_entry').each do |test_template|
+    it 'returns a Network ACL with one entry' do
+      yaml_test_templates('ec2_network_acl/nacl_with_one_entry').each do |test_template|
         cfn_model = @cfn_parser.parse IO.read(test_template)
         nacls = cfn_model.resources_by_type 'AWS::EC2::NetworkAcl'
-
         expect(nacls.size).to eq 1
-        expect(nacls[0]).to eq expected_nacls
-        expect(nacls[0].network_acl_egress_entries).to eq expected_nacls.network_acl_egress_entries
-        expect(nacls[0].network_acl_egress_entries).not_to be_empty
+        nacl = nacls.first
+        expected_nacl_entries = network_acl_with_one_entry
+        actual_network_acl_entries = nacl.network_acl_entries.first
+        expect(actual_network_acl_entries).to eq expected_nacl_entries
       end
     end
   end
 
-  context 'Network ACL that has one ingress entry' do
-    it 'returns a Network ACL with one ingress entry' do
-      expected_nacls = network_acl_with_one_ingress_entry(cfn_model: CfnModel.new)
-      yaml_test_templates('ec2_network_acl/nacl_with_one_ingress_entry').each do |test_template|
+  context 'Network ACL that has two entries' do
+    it 'returns a Network ACL with two entries' do
+      yaml_test_templates('ec2_network_acl/nacl_with_two_entries').each do |test_template|
         cfn_model = @cfn_parser.parse IO.read(test_template)
         nacls = cfn_model.resources_by_type 'AWS::EC2::NetworkAcl'
-
-        expect(nacls.size).to eq 1
-        expect(nacls[0]).to eq expected_nacls
-        expect(nacls[0].network_acl_ingress_entries).to eq expected_nacls.network_acl_ingress_entries
-        expect(nacls[0].network_acl_ingress_entries).not_to be_empty
-      end
-    end
-  end
-
-  context 'Network ACL that has two egress entries' do
-    it 'returns a Network ACL with two egress entries' do
-      expected_nacls = network_acl_with_two_egress_entries(cfn_model: CfnModel.new)
-      yaml_test_templates('ec2_network_acl/nacl_with_two_egress_entries').each do |test_template|
-        cfn_model = @cfn_parser.parse IO.read(test_template)
-        nacls = cfn_model.resources_by_type 'AWS::EC2::NetworkAcl'
-
-        expect(nacls.size).to eq 1
-        expect(nacls[0]).to eq expected_nacls
-        expect(nacls[0].network_acl_egress_entries).to eq expected_nacls.network_acl_egress_entries
-        expect(nacls[0].network_acl_egress_entries).not_to be_empty
-      end
-    end
-  end
-
-  context 'Network ACL that has two ingress entries' do
-    it 'returns a Network ACL with two ingress entries' do
-      expected_nacls = network_acl_with_two_ingress_entries(cfn_model: CfnModel.new)
-      yaml_test_templates('ec2_network_acl/nacl_with_two_ingress_entries').each do |test_template|
-        cfn_model = @cfn_parser.parse IO.read(test_template)
-        nacls = cfn_model.resources_by_type 'AWS::EC2::NetworkAcl'
-
-        expect(nacls.size).to eq 1
-        expect(nacls[0]).to eq expected_nacls
-        expect(nacls[0].network_acl_ingress_entries).to eq expected_nacls.network_acl_ingress_entries
-        expect(nacls[0].network_acl_ingress_entries).not_to be_empty
-      end
-    end
-  end
-  context 'Network ACL that has one egress and ingress entry' do
-    it 'returns a Network ACL with one egress and ingress entry' do
-      expected_nacls = network_acl_with_egress_and_ingress_entries(cfn_model: CfnModel.new)
-      yaml_test_templates('ec2_network_acl/nacl_with_one_egress_and_ingress_entry').each do |test_template|
-        cfn_model = @cfn_parser.parse IO.read(test_template)
-        nacls = cfn_model.resources_by_type 'AWS::EC2::NetworkAcl'
-
         expect(nacls.size).to eq 1
-        expect(nacls[0]).to eq expected_nacls
-        expect(nacls[0].network_acl_egress_entries).to eq expected_nacls.network_acl_egress_entries
-        expect(nacls[0].network_acl_ingress_entries).to eq expected_nacls.network_acl_ingress_entries
-        expect(nacls[0].network_acl_egress_entries).not_to be_empty
-        expect(nacls[0].network_acl_ingress_entries).not_to be_empty
+        nacl = nacls.first
+        expected_nacl_entries = network_acl_with_two_entries
+        actual_network_acl_entries = nacl.network_acl_entries
+        expected_nacl_entries.zip(actual_network_acl_entries).each do |expected, actual|
+          expect(actual).to eq expected
+        end
       end
     end
   end