From d1a64ebd070496e8e8de2e86ac6a873878144d43 Mon Sep 17 00:00:00 2001
From: Tarun Menon
Date: Thu, 6 Nov 2025 10:16:09 +1100
Subject: [PATCH 1/3] fix security group rule type from Egress to Ingress in CloudFormation template

---
 rds-proxy.cfndsl.rb | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/rds-proxy.cfndsl.rb b/rds-proxy.cfndsl.rb
index 82d4e93..c53736d 100644
--- a/rds-proxy.cfndsl.rb
+++ b/rds-proxy.cfndsl.rb
@@ -17,7 +17,7 @@
 GroupDescription FnJoin(' ', [ Ref(:EnvironmentName), external_parameters[:component_name], 'security group' ])
 if security_group_rules.has_key?('ingress')
- SecurityGroupEgress generate_security_group_rules(security_group_rules['ingress'], ip_blocks, true)
+ SecurityGroupIngress generate_security_group_rules(security_group_rules['ingress'], ip_blocks, true)
 end
 if security_group_rules.has_key?('egress')

From a74a075bb2df019984b87675eb2aefc3d17c62ae Mon Sep 17 00:00:00 2001
From: Tarun Menon
Date: Thu, 6 Nov 2025 10:17:20 +1100
Subject: [PATCH 2/3] use shared test workflow

---
 .github/workflows/rspec.yaml | 23 +++--------------------
 1 file changed, 3 insertions(+), 20 deletions(-)

diff --git a/.github/workflows/rspec.yaml b/.github/workflows/rspec.yaml
index b1ee9a7..d0a2ef8 100644
--- a/.github/workflows/rspec.yaml
+++ b/.github/workflows/rspec.yaml
@@ -3,23 +3,6 @@ name: cftest
 on: [push, pull_request]
 jobs:
- test:
- name: test
- runs-on: ubuntu-latest
-
- steps:
- - uses: actions/checkout@v2
- - name: set up ruby 2.7
- uses: actions/setup-ruby@v1
- with:
- ruby-version: 2.7.x
- - name: install gems
- run: gem install cfhighlander rspec
- - name: set cfndsl spec
- run: cfndsl -u
- - name: cftest
- run: rspec
- env:
- AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
- AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
- AWS_REGION: ap-southeast-2
\ No newline at end of file
+ rspec:
+ uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@main
+ secrets: inherit
\ No newline at end of file
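Review bot: `security_group_rules.has_key?('ingress')` on the context line above the fix, and the matching `has_key?('egress')` on the hunk's last line, use the legacy alias; `key?` is the form RuboCop and the style guide prefer, e.g. `if security_group_rules.key?('ingress')`. The fix itself is right: with the old `SecurityGroupEgress` call the rules declared under `ingress` were emitted as egress entries, so the proxy's own security group never admitted the callers listed there, and the old expectation in spec/security_group_rules_spec.rb shows those egress entries carried `SourceSecurityGroupId`, which as far as I recall the egress rule schema does not accept. Because applying this changes the rule set of already-deployed stacks (the ingress entries appear for the first time), that is worth a sentence in the commit body. The `if … 'egress'` block continues outside the hunk.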
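Review bot: `uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@main` together with `secrets: inherit` hands every repository secret, including the AWS credentials the removed job consumed, to whatever `main` of the shared-workflows repository contains at run time, on every push and pull request. Pin the reusable workflow to a full commit SHA (a release tag at minimum) and pass only the secrets it declares, e.g. `uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@<pinned-commit-sha>` with an explicit `secrets:` map in place of `inherit`, assuming the shared workflow exposes `AWS_ACCESS_KEY` and `AWS_SECRET_ACCESS_KEY` as secret inputs (its interface is not visible here). The removed job also set `AWS_REGION: ap-southeast-2`; confirm the shared workflow supplies a region or that the specs no longer need one.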
From 96f9c610ba9934df648251172c1dd69c9fcac0c4 Mon Sep 17 00:00:00 2001
From: Tarun Menon
Date: Thu, 6 Nov 2025 10:26:35 +1100
Subject: [PATCH 3/3] update tests

---
 spec/default_spec.rb | 29 +++++++++++++++++++++++++
 spec/disable_iam_auth_spec.rb | 29 +++++++++++++++++++++++++
 spec/mysql_spec.rb | 29 +++++++++++++++++++++++++
 spec/postgres_spec.rb | 29 +++++++++++++++++++++++++
 spec/security_group_rules_spec.rb | 35 ++++++++++++++++++++++++++++++-
 spec/service_discovery_spec.rb | 29 +++++++++++++++++++++++++
 6 files changed, 179 insertions(+), 1 deletion(-)

diff --git a/spec/default_spec.rb b/spec/default_spec.rb
index ff1d353..4219b39 100644
--- a/spec/default_spec.rb
+++ b/spec/default_spec.rb
@@ -34,6 +34,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }
diff --git a/spec/disable_iam_auth_spec.rb b/spec/disable_iam_auth_spec.rb
index 20cc91c..2ad7083 100644
--- a/spec/disable_iam_auth_spec.rb
+++ b/spec/disable_iam_auth_spec.rb
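Review bot: The `context "ProxyPortAccessToDBCluster"` block added here is repeated byte-for-byte in spec/disable_iam_auth_spec.rb, spec/mysql_spec.rb, spec/postgres_spec.rb, spec/security_group_rules_spec.rb and spec/service_discovery_spec.rb; extracting it into one `shared_examples` group in a spec support file and pulling it in with `it_behaves_like` would keep the six copies from drifting the next time the resource changes. The example names read awkwardly after RSpec's implicit subject: `it "has property IpProtocol"` (and likewise for the other five) matches the `it "is of type …"` example above them. The enclosing `describe` block opens and closes outside the hunk.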
@@ -34,6 +34,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }
diff --git a/spec/mysql_spec.rb b/spec/mysql_spec.rb
index 54211eb..a75f041 100644
--- a/spec/mysql_spec.rb
+++ b/spec/mysql_spec.rb
@@ -34,6 +34,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }
diff --git a/spec/postgres_spec.rb b/spec/postgres_spec.rb
index c2086c7..547b725 100644
--- a/spec/postgres_spec.rb
+++ b/spec/postgres_spec.rb
@@ -34,6 +34,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }
diff --git a/spec/security_group_rules_spec.rb b/spec/security_group_rules_spec.rb
index c228483..faa93c8 100644
--- a/spec/security_group_rules_spec.rb
+++ b/spec/security_group_rules_spec.rb
@@ -28,8 +28,12 @@
 expect(resource["Properties"]["GroupDescription"]).to eq({"Fn::Join"=>[" ", [{"Ref"=>"EnvironmentName"}, "rds-proxy", "security group"]]})
 end
+ it "to have property SecurityGroupIngress" do
+ expect(resource["Properties"]["SecurityGroupIngress"]).to eq([{"FromPort"=>5432, "IpProtocol"=>"tcp", "ToPort"=>5432, "Description"=>{"Fn::Sub"=>"access to the postgres port from another security group"}, "SourceSecurityGroupId"=>{"Fn::Sub"=>"${MyAppSecurityGroupId}"}}])
+ end
+
 it "to have property SecurityGroupEgress" do
- expect(resource["Properties"]["SecurityGroupEgress"]).to eq([{"FromPort"=>5432, "IpProtocol"=>"tcp", "ToPort"=>5432, "Description"=>{"Fn::Sub"=>"access to the postgres port from another security group"}, "SourceSecurityGroupId"=>{"Fn::Sub"=>"${MyAppSecurityGroupId}"}}, {"FromPort"=>"-1", "IpProtocol"=>"-1", "ToPort"=>"-1", "Description"=>{"Fn::Sub"=>"allow all egress traffic"}, "CidrIp"=>{"Fn::Sub"=>"0.0.0.0/0"}}])
+ expect(resource["Properties"]["SecurityGroupEgress"]).to eq([{"FromPort"=>"-1", "IpProtocol"=>"-1", "ToPort"=>"-1", "Description"=>{"Fn::Sub"=>"allow all egress traffic"}, "CidrIp"=>{"Fn::Sub"=>"0.0.0.0/0"}}])
 end
 it "to have property Tags" do
@@ -38,6 +42,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }
diff --git a/spec/service_discovery_spec.rb b/spec/service_discovery_spec.rb
index b0422c3..65d7853 100644
--- a/spec/service_discovery_spec.rb
+++ b/spec/service_discovery_spec.rb
@@ -34,6 +34,35 @@
 end
+ context "ProxyPortAccessToDBCluster" do
+ let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+ it "is of type AWS::EC2::SecurityGroupIngress" do
+ expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+ end
+
+ it "to have property IpProtocol" do
+ expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+ end
+
+ it "to have property FromPort" do
+ expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property ToPort" do
+ expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+ end
+
+ it "to have property SourceSecurityGroupId" do
+ expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+ end
+
+ it "to have property GroupId" do
+ expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+ end
+
+ end
+
 context "RdsProxy" do
 let(:resource) { template["Resources"]["RdsProxy"] }