Merge pull request #53 from engineyard/delete-rds-ec2-security-group

raise when destroying an ec2 firewall authorized to an rds firewall

lib/fog/aws/rds.rb

@@ -126,11 +126,13 @@ module Fog
 
         def initialize(options={})
           @use_iam_profile = options[:use_iam_profile]
-          @region = options[:region] || 'us-east-1'
+          @region          = options[:region] || 'us-east-1'
 
           unless ['ap-northeast-1', 'ap-southeast-1', 'ap-southeast-2', 'eu-central-1', 'eu-west-1', 'us-east-1', 'us-west-1', 'us-west-2', 'sa-east-1'].include?(@region)
             raise ArgumentError, "Unknown region: #{@region.inspect}"
           end
+
+          setup_credentials(options)
         end
 
         def data

lib/fog/aws/requests/compute/delete_security_group.rb

@@ -46,53 +46,67 @@ module Fog
           if name && id
             raise Fog::Compute::AWS::Error.new("May not specify both group_name and group_id")
           end
+
           if id
             name = self.data[:security_groups].reject { |k,v| v['groupId'] != id } .keys.first
           end
 
+          unless self.data[:security_groups][name]
+            raise Fog::Compute::AWS::NotFound.new("The security group '#{name}' does not exist")
+          end
+
           response = Excon::Response.new
-          if self.data[:security_groups][name]
 
-            used_by_groups = []
-            self.region_data.each do |access_key, key_data|
-              key_data[:security_groups].each do |group_name, group|
-                next if group == self.data[:security_groups][name]
+          used_by_groups = []
 
-                group['ipPermissions'].each do |group_ip_permission|
-                  group_ip_permission['groups'].each do |group_group_permission|
-                    if group_group_permission['groupName'] == name &&
-                        group_group_permission['userId'] == self.data[:owner_id]
-                      used_by_groups << "#{key_data[:owner_id]}:#{group_name}"
-                    end
+          # ec2 authorizations
+          self.region_data.each do |_, key_data|
+            key_data[:security_groups].each do |group_name, group|
+              next if group == self.data[:security_groups][name]
+
+              group['ipPermissions'].each do |group_ip_permission|
+                group_ip_permission['groups'].each do |group_group_permission|
+                  if group_group_permission['groupName'] == name &&
+                      group_group_permission['userId'] == self.data[:owner_id]
+                    used_by_groups << "#{key_data[:owner_id]}:#{group_name}"
                   end
                 end
               end
             end
+          end
 
-            active_instances = self.data[:instances].values.select do |instance|
-              if instance['groupSet'].include?(name) && instance['instanceState'] != "terminated"
-                instance
+          # rds authorizations
+          Fog::AWS::RDS::Mock.data[self.region].each do |_, data|
+            (data[:security_groups] || []).each do |group_name, group|
+              (group["EC2SecurityGroups"] || []).each do |ec2_group|
+                if ec2_group["EC2SecurityGroupName"] == name && ec2_group["Status"] != "revoking"
+                  used_by_groups << "#{group["OwnerId"]}:#{group_name}"
+                end
               end
             end
-
-            unless used_by_groups.empty?
-              raise Fog::Compute::AWS::Error.new("InvalidGroup.InUse => Group #{self.data[:owner_id]}:#{name} is used by groups: #{used_by_groups.uniq.join(" ")}")
-            end
-
-            if active_instances.any?
-              raise Fog::Compute::AWS::Error.new("InUse => There are active instances using security group '#{name}'")
-            end
-
-            self.data[:security_groups].delete(name)
-            response.status = 200
-            response.body = {
-              'requestId' => Fog::AWS::Mock.request_id,
-              'return'    => true
-            }
-            response
-          else
-            raise Fog::Compute::AWS::NotFound.new("The security group '#{name}' does not exist")
           end
+
+          active_instances = self.data[:instances].values.select do |instance|
+            if instance['groupSet'].include?(name) && instance['instanceState'] != "terminated"
+              instance
+            end
+          end
+
+          unless used_by_groups.empty?
+            raise Fog::Compute::AWS::Error.new("InvalidGroup.InUse => Group #{self.data[:owner_id]}:#{name} is used by groups: #{used_by_groups.uniq.join(" ")}")
+          end
+
+          if active_instances.any?
+            raise Fog::Compute::AWS::Error.new("InUse => There are active instances using security group '#{name}'")
+          end
+
+          self.data[:security_groups].delete(name)
+          response.status = 200
+          response.body = {
+            'requestId' => Fog::AWS::Mock.request_id,
+            'return'    => true
+          }
+          response
         end
       end
     end

tests/requests/compute/security_group_tests.rb

@@ -408,6 +408,15 @@ Shindo.tests('Fog::Compute[:aws] | security group requests', ['aws']) do
       Fog::Compute[:aws].delete_security_group('not_a_group_name')
     end
 
+    @rds_security_group = Fog::AWS[:rds].security_groups.create(:id => "rdsgroup", :description => 'fog rds test')
+
+    tests("#delete_security_group('when authorized to an rds firewall')").raises(Fog::Compute::AWS::Error) do
+      @rds_security_group.authorize_ec2_security_group(@security_group.name)
+      Fog::Compute[:aws].delete_security_group(@security_group.name)
+    end
+
+    @rds_security_group.destroy
+
     @security_group.destroy
     @other_security_group.destroy