def test_create_sg_different_vpc_same_rules(iam_client_stub, ec2_client_stub):
    """Bootstrap a config whose head and worker nodes use different subnets.

    Queues the stubbed EC2 responses for creating one security group per VPC
    and authorizing the default inbound rules on each, then checks that the
    bootstrapped config pairs the head and worker nodes with the expected
    security group and subnet IDs.
    """
    # Stubbed responses are queued in the order the bootstrap is expected to
    # request them, so the sequence of stub calls below is significant.
    stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)

    # Subnet lookups: the worker subnet is queued first, the head subnet second.
    stubs.describe_subnets_echo(ec2_client_stub, AUX_SUBNET)
    stubs.describe_subnets_echo(ec2_client_stub, DEFAULT_SUBNET)

    # No security group exists yet in either VPC.
    stubs.describe_no_security_groups(ec2_client_stub)

    # Worker VPC: create the group, then read its details back.
    stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_AUX_SUBNET)
    worker_vpc_ids = [AUX_SUBNET["VpcId"]]
    stubs.describe_sgs_on_vpc(
        ec2_client_stub, worker_vpc_ids, [DEFAULT_SG_AUX_SUBNET])

    # Head VPC: same two steps.
    stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG)
    head_vpc_ids = [DEFAULT_SUBNET["VpcId"]]
    stubs.describe_sgs_on_vpc(ec2_client_stub, head_vpc_ids, [DEFAULT_SG])

    # Both groups start without inbound rules, so the default rules are
    # authorized on the head group first and on the worker group second.
    stubs.authorize_sg_ingress(ec2_client_stub, DEFAULT_SG_DUAL_GROUP_RULES)
    stubs.authorize_sg_ingress(
        ec2_client_stub, DEFAULT_SG_WITH_RULES_AUX_SUBNET)

    # Load, validate and bootstrap the example config against the stubs.
    bootstrapped = helpers.bootstrap_aws_example_config_file(
        "example-subnets.yaml")

    # Head and worker nodes must end up with different security groups that
    # live on different subnets.
    head_node = bootstrapped["head_node"]
    assert head_node["SecurityGroupIds"] == [DEFAULT_SG["GroupId"]]
    assert head_node["SubnetIds"] == [DEFAULT_SUBNET["SubnetId"]]
    worker_nodes = bootstrapped["worker_nodes"]
    assert worker_nodes["SecurityGroupIds"] == [AUX_SG["GroupId"]]
    assert worker_nodes["SubnetIds"] == [AUX_SUBNET["SubnetId"]]

    # Every queued IAM and EC2 response must have been consumed; a leftover
    # means an expected AWS call was never made.
    iam_client_stub.assert_no_pending_responses()
    ec2_client_stub.assert_no_pending_responses()
def test_create_sg_with_custom_inbound_rules_and_name(iam_client_stub,
                                                      ec2_client_stub):
    """Bootstrap a config with a custom security group name and inbound rules.

    Queues the stubbed EC2 responses for creating a named security group on
    the head node VPC and authorizing default plus custom inbound rules, then
    checks that the bootstrapped config carries the custom group name and the
    custom inbound rules.
    """
    # Stubbed responses are queued in the order the bootstrap is expected to
    # request them, so the sequence of stub calls below is significant.
    stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)

    # Head subnet lookup, followed by an empty security group listing.
    stubs.describe_subnets_echo(ec2_client_stub, DEFAULT_SUBNET)
    stubs.describe_no_security_groups(ec2_client_stub)

    # Create the named group on the head node VPC and read it back.
    stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_WITH_NAME)
    head_vpc_ids = [DEFAULT_SUBNET["VpcId"]]
    stubs.describe_sgs_on_vpc(
        ec2_client_stub, head_vpc_ids, [DEFAULT_SG_WITH_NAME])

    # Default and custom inbound rules are authorized together.
    # NOTE(review): the rules actually sent to EC2 are only as strict as what
    # this stub expects; confirm it validates the request parameters.
    stubs.authorize_sg_ingress(ec2_client_stub, DEFAULT_SG_WITH_NAME_AND_RULES)

    # The group was just modified, so the next read of one of its properties
    # is expected to reload it.
    stubs.describe_sg_echo(ec2_client_stub, DEFAULT_SG_WITH_NAME_AND_RULES)

    # _get_vpc_id_or_die is cached; reset it before bootstrapping
    # (presumably so a VPC ID cached by another test is not reused).
    _get_vpc_id_or_die.cache_clear()

    # Load, validate and bootstrap the example config against the stubs.
    bootstrapped = helpers.bootstrap_aws_example_config_file(
        "example-security-group.yaml")

    # The provider section must carry the custom name and inbound rules.
    sg_settings = bootstrapped["provider"]["security_group"]
    expected_name = DEFAULT_SG_WITH_NAME_AND_RULES["GroupName"]
    assert sg_settings["GroupName"] == expected_name
    assert sg_settings["IpPermissions"] == CUSTOM_IN_BOUND_RULES

    # Every queued IAM and EC2 response must have been consumed; a leftover
    # means an expected AWS call was never made.
    iam_client_stub.assert_no_pending_responses()
    ec2_client_stub.assert_no_pending_responses()
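def test_create_sg_different_vpc_same_rules(iam_client_stub, ec2_client_stub,
                                            correct_az: bool):
    """Bootstrap head and worker nodes on different subnets, per AZ validity.

    With ``correct_az`` true the bootstrap is expected to succeed and to pair
    each node type with the security group and subnet of its own VPC. With
    ``correct_az`` false the head subnet is reported in "us-west-2b" and the
    bootstrap is expected to fail with a ClickException.

    Args:
        iam_client_stub: stubbed IAM client whose response queue is checked.
        ec2_client_stub: stubbed EC2 client the responses are queued on.
        correct_az: whether the head subnet keeps its original availability
            zone. Presumably supplied by a parametrize decorator or fixture
            that is not visible here.
    """
    # use default stubs to skip ahead to security group configuration
    stubs.skip_to_configure_sg(ec2_client_stub, iam_client_stub)

    # Work on a copy so the shared DEFAULT_SUBNET constant is never mutated.
    default_subnet = copy.deepcopy(DEFAULT_SUBNET)
    if not correct_az:
        default_subnet["AvailabilityZone"] = "us-west-2b"

    # given head and worker nodes with custom subnets defined...
    # first queued response: the head subnet description
    stubs.describe_subnets_echo(ec2_client_stub, [default_subnet])
    # second queued response: the worker subnet description
    stubs.describe_subnets_echo(ec2_client_stub, [AUX_SUBNET])

    # given no existing security groups within the VPC...
    stubs.describe_no_security_groups(ec2_client_stub)

    # expect to first create a security group on the worker node VPC
    stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG_AUX_SUBNET)
    # expect new worker security group details to be retrieved after creation
    stubs.describe_sgs_on_vpc(
        ec2_client_stub,
        [AUX_SUBNET["VpcId"]],
        [DEFAULT_SG_AUX_SUBNET],
    )

    # expect to second create a security group on the head node VPC
    stubs.create_sg_echo(ec2_client_stub, DEFAULT_SG)
    # expect new head security group details to be retrieved after creation
    stubs.describe_sgs_on_vpc(
        ec2_client_stub,
        [DEFAULT_SUBNET["VpcId"]],
        [DEFAULT_SG],
    )

    # given no existing default head security group inbound rules...
    # expect to authorize all default head inbound rules
    stubs.authorize_sg_ingress(
        ec2_client_stub,
        DEFAULT_SG_DUAL_GROUP_RULES,
    )

    # given no existing default worker security group inbound rules...
    # expect to authorize all default worker inbound rules
    stubs.authorize_sg_ingress(
        ec2_client_stub,
        DEFAULT_SG_WITH_RULES_AUX_SUBNET,
    )

    # given our mocks and an example config file as input...
    # expect the config to be loaded, validated, and bootstrapped successfully
    # (or rejected with a ClickException when the AZ is wrong)
    error = None
    config = None
    try:
        config = helpers.bootstrap_aws_example_config_file(
            "example-subnets.yaml")
    except ClickException as e:
        error = e
    finally:
        # Reset the cache even when an unexpected exception propagates, so
        # subnets cached during this run cannot leak into later tests.
        _get_subnets_or_die.cache_clear()

    if not correct_az:
        assert isinstance(error,
                          ClickException), "Did not get a ClickException!"
        # The failed bootstrap leaves queued responses unconsumed; drop them
        # through the stubs' private queues.
        # NOTE(review): draining the queues means this path does not check
        # which EC2 calls ran before the failure, e.g. whether a security
        # group was already created when the config was rejected.
        iam_client_stub._queue.clear()
        ec2_client_stub._queue.clear()
        return

    # A ClickException on the valid-AZ path is a genuine failure; surface it
    # instead of failing later on a config that was never assigned.
    if error is not None:
        raise error

    # expect the bootstrapped config to show different head and worker security
    # groups residing on different subnets
    for node_type_key, node_type in config["available_node_types"].items():
        node_config = node_type["node_config"]
        security_group_ids = node_config["SecurityGroupIds"]
        subnet_ids = node_config["SubnetIds"]
        if node_type_key == config["head_node_type"]:
            assert security_group_ids == [DEFAULT_SG["GroupId"]]
            assert subnet_ids == [DEFAULT_SUBNET["SubnetId"]]
        else:
            assert security_group_ids == [AUX_SG["GroupId"]]
            assert subnet_ids == [AUX_SUBNET["SubnetId"]]

    # expect no pending responses left in IAM or EC2 client stub queues
    iam_client_stub.assert_no_pending_responses()
    ec2_client_stub.assert_no_pending_responses()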