Feature/fix ingress

.github/workflows/rspec.yaml

@@ -3,23 +3,6 @@ name: cftest
 on: [push, pull_request]
 
 jobs:
-  test:
-    name: test
-    runs-on: ubuntu-latest
-
-    steps:
-    - uses: actions/checkout@v2
-    - name: set up ruby 2.7
-      uses: actions/setup-ruby@v1
-      with:
-        ruby-version: 2.7.x
-    - name: install gems
-      run: gem install cfhighlander rspec 
-    - name: set cfndsl spec
-      run: cfndsl -u
-    - name: cftest
-      run: rspec
-      env:
-        AWS_ACCESS_KEY: ${{ secrets.AWS_ACCESS_KEY }}
-        AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
-        AWS_REGION: ap-southeast-2
+  rspec:
+    uses: theonestack/shared-workflows/.github/workflows/rspec.yaml@main
+    secrets: inherit

rds-proxy.cfndsl.rb

@@ -17,7 +17,7 @@
     GroupDescription FnJoin(' ', [ Ref(:EnvironmentName), external_parameters[:component_name], 'security group' ])
 
     if security_group_rules.has_key?('ingress')
-      SecurityGroupEgress generate_security_group_rules(security_group_rules['ingress'], ip_blocks, true)
+      SecurityGroupIngress generate_security_group_rules(security_group_rules['ingress'], ip_blocks, true)
     end
 
     if security_group_rules.has_key?('egress')

spec/default_spec.rb

@@ -34,6 +34,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }
 

spec/disable_iam_auth_spec.rb

@@ -34,6 +34,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }
 

spec/mysql_spec.rb

@@ -34,6 +34,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }
 

spec/postgres_spec.rb

@@ -34,6 +34,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }
 

spec/security_group_rules_spec.rb

@@ -28,8 +28,12 @@
           expect(resource["Properties"]["GroupDescription"]).to eq({"Fn::Join"=>[" ", [{"Ref"=>"EnvironmentName"}, "rds-proxy", "security group"]]})
       end
 
+      it "to have property SecurityGroupIngress" do
+          expect(resource["Properties"]["SecurityGroupIngress"]).to eq([{"FromPort"=>5432, "IpProtocol"=>"tcp", "ToPort"=>5432, "Description"=>{"Fn::Sub"=>"access to the postgres port from another security group"}, "SourceSecurityGroupId"=>{"Fn::Sub"=>"${MyAppSecurityGroupId}"}}])
+      end
+
       it "to have property SecurityGroupEgress" do
-          expect(resource["Properties"]["SecurityGroupEgress"]).to eq([{"FromPort"=>5432, "IpProtocol"=>"tcp", "ToPort"=>5432, "Description"=>{"Fn::Sub"=>"access to the postgres port from another security group"}, "SourceSecurityGroupId"=>{"Fn::Sub"=>"${MyAppSecurityGroupId}"}}, {"FromPort"=>"-1", "IpProtocol"=>"-1", "ToPort"=>"-1", "Description"=>{"Fn::Sub"=>"allow all egress traffic"}, "CidrIp"=>{"Fn::Sub"=>"0.0.0.0/0"}}])
+          expect(resource["Properties"]["SecurityGroupEgress"]).to eq([{"FromPort"=>"-1", "IpProtocol"=>"-1", "ToPort"=>"-1", "Description"=>{"Fn::Sub"=>"allow all egress traffic"}, "CidrIp"=>{"Fn::Sub"=>"0.0.0.0/0"}}])
       end
 
       it "to have property Tags" do
@@ -38,6 +42,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }
 

spec/service_discovery_spec.rb

@@ -34,6 +34,35 @@
 
     end
 
+    context "ProxyPortAccessToDBCluster" do
+      let(:resource) { template["Resources"]["ProxyPortAccessToDBCluster"] }
+
+      it "is of type AWS::EC2::SecurityGroupIngress" do
+          expect(resource["Type"]).to eq("AWS::EC2::SecurityGroupIngress")
+      end
+
+      it "to have property IpProtocol" do
+          expect(resource["Properties"]["IpProtocol"]).to eq("tcp")
+      end
+
+      it "to have property FromPort" do
+          expect(resource["Properties"]["FromPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property ToPort" do
+          expect(resource["Properties"]["ToPort"]).to eq({"Ref"=>"TargetDBClusterPort"})
+      end
+
+      it "to have property SourceSecurityGroupId" do
+          expect(resource["Properties"]["SourceSecurityGroupId"]).to eq({"Fn::GetAtt"=>["SecurityGroup", "GroupId"]})
+      end
+
+      it "to have property GroupId" do
+          expect(resource["Properties"]["GroupId"]).to eq({"Ref"=>"DBClusterSecurityGroup"})
+      end
+
+    end
+
     context "RdsProxy" do
       let(:resource) { template["Resources"]["RdsProxy"] }