refactor mappings, subnets, tags and add tests

.travis.yml

@@ -1,6 +1,10 @@
 language: ruby
 rvm:
-  - 2.3
+  - 2.5
+install:
+  - gem install cfhighlander cfn-nag
+before_script:
+  - cfndsl -u
 script:
-  - gem install cfhighlander --prerelease
-  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then cfhighlander cfcompile ; else cfhighlander cfcompile --validate; fi
+  - if [ "${TRAVIS_PULL_REQUEST}" != "false" ]; then cfhighlander cftest --no-validate; else cfhighlander cftest; fi
+  - cfn_nag_scan -i out/tests

aurora-postgres.cfhighlander.rb

@@ -1,32 +1,18 @@
 CfhighlanderTemplate do
 
   Name 'aurora-postgres'
-  Description "Highlander Aurora Postgres component #{component_version}"
-  DependsOn 'vpc@1.2.0'
 
   Parameters do
     ComponentParam 'EnvironmentName', 'dev', isGlobal: true
     ComponentParam 'EnvironmentType', 'development', isGlobal: true, allowedValues: ['development', 'production']
-    ComponentParam 'StackOctet', isGlobal: true
-
-    MappingParam('WriterInstanceType') do
-      map 'EnvironmentType'
-      attribute 'WriterInstanceType'
-    end
-    MappingParam('ReaderInstanceType') do
-      map 'EnvironmentType'
-      attribute 'ReaderInstanceType'
-    end
-    MappingParam('DnsDomain') do
-      map 'AccountId'
-      attribute 'DnsDomain'
-    end
-    maximum_availability_zones.times do |az|
-      ComponentParam "SubnetPersistence#{az}"
-    end
-
+    ComponentParam 'WriterInstanceType'
+    ComponentParam 'ReaderInstanceType'
+    ComponentParam 'DnsDomain'
     ComponentParam 'SnapshotID'
-    ComponentParam 'EnableReader', 'false'
+    ComponentParam 'EnableReader', 'false', allowedValues: ['true', 'false']
     ComponentParam 'VPCId', type: 'AWS::EC2::VPC::Id'
+    ComponentParam 'SubnetIds', type: 'CommaDelimitedList'
+    ComponentParam 'KmsKeyId' if (defined? kms) && (kms)
   end
+
 end

aurora-postgres.cfndsl.rb

@@ -1,67 +1,92 @@
 CloudFormation do
 
-  Description "#{component_name} - #{component_version}"
-
   Condition("EnableReader", FnEquals(Ref("EnableReader"), 'true'))
   Condition("UseUsernameAndPassword", FnEquals(Ref(:SnapshotID), ''))
   Condition("UseSnapshotID", FnNot(FnEquals(Ref(:SnapshotID), '')))
 
-  az_conditions_resources('SubnetPersistence', maximum_availability_zones)
-
-  tags = []
-  tags << { Key: 'Environment', Value: Ref(:EnvironmentName) }
-  tags << { Key: 'EnvironmentType', Value: Ref(:EnvironmentType) }
+  aurora_tags = []
+  aurora_tags << { Key: 'Name', Value: FnSub("${EnvironmentName}-#{component_name}") }
+  aurora_tags << { Key: 'Environment', Value: Ref(:EnvironmentName) }
+  aurora_tags << { Key: 'EnvironmentType', Value: Ref(:EnvironmentType) }
+  aurora_tags.push(*tags.map {|k,v| {Key: k, Value: FnSub(v)}}).uniq { |h| h[:Key] } if defined? tags
 
-  extra_tags.each { |key,value| tags << { Key: key, Value: value } } if defined? extra_tags
+  ingress = []
+  security_group_rules.each do |rule|
+    sg_rule = {
+      FromPort: cluster_port,
+      IpProtocol: 'TCP',
+      ToPort: cluster_port,
+    }
+    if rule['security_group_id']
+      sg_rule['SourceSecurityGroupId'] = FnSub(rule['security_group_id'])
+    else 
+      sg_rule['CidrIp'] = FnSub(rule['ip']) 
+    end
+    if rule['desc']
+      sg_rule['Description'] = FnSub(rule['desc'])
+    end
+    ingress << sg_rule
+  end if defined?(security_group_rules)
 
   EC2_SecurityGroup(:SecurityGroup) do
     VpcId Ref('VPCId')
-    GroupDescription FnJoin(' ', [ Ref(:EnvironmentName), component_name, 'security group' ])
-    SecurityGroupIngress sg_create_rules(security_group, ip_blocks)
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'security-group' ])}]
+    GroupDescription FnSub("Aurora postgres #{component_name} access for the ${EnvironmentName} environment")
+    SecurityGroupIngress ingress if ingress.any?
+    SecurityGroupEgress ([
+      {
+        CidrIp: "0.0.0.0/0",
+        Description: "outbound all for ports",
+        IpProtocol: -1,
+      }
+    ]) 
+    Tags aurora_tags
   end
 
   RDS_DBSubnetGroup(:DBClusterSubnetGroup) {
-    SubnetIds az_conditional_resources('SubnetPersistence', maximum_availability_zones)
-    DBSubnetGroupDescription FnJoin(' ', [ Ref(:EnvironmentName), component_name, 'subnet group' ])
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'subnet-group' ])}]
+    SubnetIds Ref('SubnetIds')
+    DBSubnetGroupDescription FnSub("Aurora postgres #{component_name} subnets for the ${EnvironmentName} environment")
+    Tags aurora_tags
   }
 
   RDS_DBClusterParameterGroup(:DBClusterParameterGroup) {
-    Description FnJoin(' ', [ Ref(:EnvironmentName), component_name, 'cluster parameter group' ])
-    Family 'aurora-postgresql9.6'
+    Description FnSub("Aurora postgres #{component_name} cluster parameters for the ${EnvironmentName} environment")
+    Family family
     Parameters cluster_parameters if defined? cluster_parameters
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'cluster-parameter-group' ])}]
+    Tags aurora_tags
   }
 
   RDS_DBCluster(:DBCluster) {
     Engine 'aurora-postgresql'
+    EngineVersion engine_version if defined? engine_version
     DBClusterParameterGroupName Ref(:DBClusterParameterGroup)
     SnapshotIdentifier Ref(:SnapshotID)
     SnapshotIdentifier FnIf('UseSnapshotID',Ref(:SnapshotID), Ref('AWS::NoValue'))
     MasterUsername  FnIf('UseUsernameAndPassword', FnJoin('', [ '{{resolve:ssm:', FnSub(master_login['username_ssm_param']), ':1}}' ]), Ref('AWS::NoValue'))
     MasterUserPassword FnIf('UseUsernameAndPassword', FnJoin('', [ '{{resolve:ssm-secure:', FnSub(master_login['password_ssm_param']), ':1}}' ]), Ref('AWS::NoValue'))
     DBSubnetGroupName Ref(:DBClusterSubnetGroup)
     VpcSecurityGroupIds [ Ref(:SecurityGroup) ]
+    StorageEncrypted storage_encrypted if defined? storage_encrypted
+    KmsKeyId Ref('KmsKeyId') if (defined? kms) && (kms)
     Port cluster_port
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'cluster' ])}]
+    Tags aurora_tags
   }
 
   RDS_DBParameterGroup(:DBInstanceParameterGroup) {
-    Description FnJoin(' ', [ Ref(:EnvironmentName), component_name, 'instance parameter group' ])
-    Family 'aurora-postgresql9.6'
+    Description FnSub("Aurora postgres #{component_name} instance parameters for the ${EnvironmentName} environment")
+    Family family
     Parameters instance_parameters if defined? instance_parameters
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'instance-parameter-group' ])}]
+    Tags aurora_tags
   }
 
   RDS_DBInstance(:DBClusterInstanceWriter) {
     DBSubnetGroupName Ref(:DBClusterSubnetGroup)
     DBParameterGroupName Ref(:DBInstanceParameterGroup)
     DBClusterIdentifier Ref(:DBCluster)
     Engine 'aurora-postgresql'
+    EngineVersion engine_version if defined? engine_version
     PubliclyAccessible 'false'
     DBInstanceClass Ref(:WriterInstanceType)
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'writer-instance' ])}]
+    Tags aurora_tags
   }
 
   RDS_DBInstance(:DBClusterInstanceReader) {
@@ -70,9 +95,19 @@
     DBParameterGroupName Ref(:DBInstanceParameterGroup)
     DBClusterIdentifier Ref(:DBCluster)
     Engine 'aurora-postgresql'
+    EngineVersion engine_version if defined? engine_version
     PubliclyAccessible 'false'
     DBInstanceClass Ref(:ReaderInstanceType)
-    Tags tags + [{ Key: 'Name', Value: FnJoin('-', [ Ref(:EnvironmentName), component_name, 'reader-instance' ])}]
+    Tags aurora_tags
+  }
+
+  Route53_RecordSet(:DBClusterReaderRecord) {
+    Condition(:EnableReader)
+    HostedZoneName FnJoin('', [ Ref('EnvironmentName'), '.', Ref('DnsDomain'), '.'])
+    Name FnJoin('', [ hostname_read_endpoint, '.', Ref('EnvironmentName'), '.', Ref('DnsDomain'), '.' ])
+    Type 'CNAME'
+    TTL '60'
+    ResourceRecords [ FnGetAtt('DBCluster','ReadEndpoint.Address') ]
   }
 
   Route53_RecordSet(:DBHostRecord) {

aurora-postgres.config.yaml

@@ -1,5 +1,5 @@
-maximum_availability_zones: 5
 hostname: aurora2pg
+hostname_read_endpoint: aurora2pg-read
 
 cluster_port: 5432
 
@@ -10,19 +10,3 @@ master_login:
 cluster_parameters:
   timezone: "UTC"
 # instance_parameters:
-
-# Set `ip_blocks` here or export from vpc component
-ip_blocks:
-  local:
-    - 127.0.0.1/32
-
-
-security_group:
-  -
-    rules:
-      -
-        IpProtocol: tcp
-        FromPort: 5432
-        ToPort: 5432
-    ips:
-      - stack

tests/default.test.yaml

@@ -0,0 +1,8 @@
+test_metadata:
+  type: config
+  name: default
+  description: set the description for your test
+
+family: aurora-postgresql9.6
+engine: 9.6.12
+storage_encrypted: true

tests/kms.test.yaml

@@ -0,0 +1,8 @@
+test_metadata:
+  type: config
+  name: kms
+  description: set the description for your test
+
+family: aurora-postgresql9.6
+storage_encrypted: true
+kms: true

tests/security_group.test.yaml

@@ -0,0 +1,15 @@
+test_metadata:
+  type: config
+  name: security_group
+  description: set the description for your test
+
+family: aurora-postgresql9.6
+storage_encrypted: true
+
+security_group_rules:
+  -
+    security_group_id: sg-328h4242u3h
+    desc: access from my app
+  -
+    ip: 10.0.0.0/16
+    desc: access from peered vpc

tests/tags.test.yaml

@@ -0,0 +1,11 @@
+test_metadata:
+  type: config
+  name: tags
+  description: set the description for your test
+
+family: aurora-postgresql9.6
+storage_encrypted: true
+
+tags:
+  Name: ${EnvironmentName}-tag-test
+  CostCenter: test