def test_create_sg_different_vpc_same_rules(iam_client_stub, ec2_client_stub):
# use default stubs to skip ahead to security group configuration
stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)
# given head and worker nodes with custom subnets defined...
# expect to first describe the worker subnet ID
stubs.describe_subnets_echo(ec2_client_stub, AUX_SUBNET)
# expect to second describe the head subnet ID
stubs.describe_subnets_echo(ec2_client_stub, DEFAULT_SUBNET)
# given no existing security groups within the VPC...
stubs.describe_no_security_groups(ec2_client_stub)
# expect to first create a security group on the worker node VPC
stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_AUX_SUBNET)
# expect new worker security group details to be retrieved after creation
stubs.describe_sgs_on_vpc(
ec2_client_stub,
[AUX_SUBNET["VpcId"]],
[DEFAULT_SG_AUX_SUBNET],
)
# expect to second create a security group on the head node VPC
stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG)
# expect new head security group details to be retrieved after creation
stubs.describe_sgs_on_vpc(
ec2_client_stub,
[DEFAULT_SUBNET["VpcId"]],
[DEFAULT_SG],
)
# given no existing default head security group inbound rules...
# expect to authorize all default head inbound rules
stubs.authorize_sg_ingress(
ec2_client_stub,
DEFAULT_SG_DUAL_GROUP_RULES,
)
# given no existing default worker security group inbound rules...
# expect to authorize all default worker inbound rules
stubs.authorize_sg_ingress(
ec2_client_stub,
DEFAULT_SG_WITH_RULES_AUX_SUBNET,
)
# given our mocks and an example config file as input...
# expect the config to be loaded, validated, and bootstrapped successfully
config = helpers.bootstrap_aws_example_config_file("example-subnets.yaml")
# expect the bootstrapped config to show different head and worker security
# groups residing on different subnets
assert config["head_node"]["SecurityGroupIds"] == [DEFAULT_SG["GroupId"]]
assert config["head_node"]["SubnetIds"] == [DEFAULT_SUBNET["SubnetId"]]
assert config["worker_nodes"]["SecurityGroupIds"] == [AUX_SG["GroupId"]]
assert config["worker_nodes"]["SubnetIds"] == [AUX_SUBNET["SubnetId"]]
# expect no pending responses left in IAM or EC2 client stub queues
iam_client_stub.assert_no_pending_responses()
ec2_client_stub.assert_no_pending_responses()
def test_create_sg_with_custom_inbound_rules_and_name(iam_client_stub,
ec2_client_stub):
# use default stubs to skip ahead to security group configuration
stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)
# expect to describe the head subnet ID
stubs.describe_subnets_echo(ec2_client_stub, DEFAULT_SUBNET)
# given no existing security groups within the VPC...
stubs.describe_no_security_groups(ec2_client_stub)
# expect to create a security group on the head node VPC
stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_WITH_NAME)
# expect new head security group details to be retrieved after creation
stubs.describe_sgs_on_vpc(
ec2_client_stub,
[DEFAULT_SUBNET["VpcId"]],
[DEFAULT_SG_WITH_NAME],
)
# given custom existing default head security group inbound rules...
# expect to authorize both default and custom inbound rules
stubs.authorize_sg_ingress(
ec2_client_stub,
DEFAULT_SG_WITH_NAME_AND_RULES,
)
# given the prior modification to the head security group...
# expect the next read of a head security group property to reload it
stubs.describe_sg_echo(ec2_client_stub, DEFAULT_SG_WITH_NAME_AND_RULES)
_get_vpc_id_or_die.cache_clear()
# given our mocks and an example config file as input...
# expect the config to be loaded, validated, and bootstrapped successfully
config = helpers.bootstrap_aws_example_config_file(
"example-security-group.yaml")
# expect the bootstrapped config to have the custom security group...
# name and in bound rules
assert config["provider"]["security_group"][
"GroupName"] == DEFAULT_SG_WITH_NAME_AND_RULES["GroupName"]
assert config["provider"]["security_group"][
"IpPermissions"] == CUSTOM_IN_BOUND_RULES
# expect no pending responses left in IAM or EC2 client stub queues
iam_client_stub.assert_no_pending_responses()
ec2_client_stub.assert_no_pending_responses()
def test_create_sg_different_vpc_same_rules(iam_client_stub, ec2_client_stub,
correct_az: bool):
# use default stubs to skip ahead to security group configuration
stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)
default_subnet = copy.deepcopy(DEFAULT_SUBNET)
if not correct_az:
default_subnet["AvailabilityZone"] = "us-west-2b"
# given head and worker nodes with custom subnets defined...
# expect to second describe the head subnet ID
stubs.describe_subnets_echo(ec2_client_stub, [default_subnet])
# expect to first describe the worker subnet ID
stubs.describe_subnets_echo(ec2_client_stub, [AUX_SUBNET])
# given no existing security groups within the VPC...
stubs.describe_no_security_groups(ec2_client_stub)
# expect to first create a security group on the worker node VPC
stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_AUX_SUBNET)
# expect new worker security group details to be retrieved after creation
stubs.describe_sgs_on_vpc(
ec2_client_stub,
[AUX_SUBNET["VpcId"]],
[DEFAULT_SG_AUX_SUBNET],
)
# expect to second create a security group on the head node VPC
stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG)
# expect new head security group details to be retrieved after creation
stubs.describe_sgs_on_vpc(
ec2_client_stub,
[DEFAULT_SUBNET["VpcId"]],
[DEFAULT_SG],
)
# given no existing default head security group inbound rules...
# expect to authorize all default head inbound rules
stubs.authorize_sg_ingress(
ec2_client_stub,
DEFAULT_SG_DUAL_GROUP_RULES,
)
# given no existing default worker security group inbound rules...
# expect to authorize all default worker inbound rules
stubs.authorize_sg_ingress(
ec2_client_stub,
DEFAULT_SG_WITH_RULES_AUX_SUBNET,
)
# given our mocks and an example config file as input...
# expect the config to be loaded, validated, and bootstrapped successfully
error = None
try:
config = helpers.bootstrap_aws_example_config_file(
"example-subnets.yaml")
except ClickException as e:
error = e
_get_subnets_or_die.cache_clear()
if not correct_az:
assert isinstance(error,
ClickException), "Did not get a ClickException!"
iam_client_stub._queue.clear()
ec2_client_stub._queue.clear()
return
# expect the bootstrapped config to show different head and worker security
# groups residing on different subnets
for node_type_key, node_type in config["available_node_types"].items():
node_config = node_type["node_config"]
security_group_ids = node_config["SecurityGroupIds"]
subnet_ids = node_config["SubnetIds"]
if node_type_key == config["head_node_type"]:
assert security_group_ids == [DEFAULT_SG["GroupId"]]
assert subnet_ids == [DEFAULT_SUBNET["SubnetId"]]
else:
assert security_group_ids == [AUX_SG["GroupId"]]
assert subnet_ids == [AUX_SUBNET["SubnetId"]]
# expect no pending responses left in IAM or EC2 client stub queues
iam_client_stub.assert_no_pending_responses()
ec2_client_stub.assert_no_pending_responses()
