I'd like to document a real-world example, in the hopes that it's directly useful and that it also serves as a template for other use-cases around AWS. My particular use-case is pretty simple:
I have some EC2 instances behind an ELB. Those instances have a Security Group that allows web traffic from the ELB. I'd like to test this, in line with 'best practice', the style guide and in such a way that no IDs are hard-coded.
Here's an attempt in code to test my use-case. I realise it's not ideal - what can we do to refine it?
# This bit seems fine to me :-)
describe aws_elb(load_balancer_name: 'webserver-elb') do
it { should exist }
its('availability_zones.count') { should be > 1 }
its('external_ports.count') { should cmp 1 }
its('external_ports') { should include 80 }
end
# Things go wrong here though :-(
elb_sg_ids = aws_elb(load_balancer_name: 'webserver-elb').security_group_ids
ec2_sg_ids = aws_ec2_instance(name: 'webserver-asg').security_group_ids
ec2_sg_ids.each { |ec2_sg_id|
sg_group_rules = aws_security_group(ec2_sg_id).inbound_rules.select{|x| x[:user_id_group_pairs].length > 0}
sg_group_rules.each { |sg_group_rule|
sg_group_rule[:user_id_group_pairs].each { |user_id_group_pair|
describe user_id_group_pair[:group_id] do
it { should be_in elb_sg_ids}
end
}
}
}
How can this be improved?