feat: ec2 sec-groups to describe security groups (#492)

tekumara · web-flow · commit 66e7f91ccc28 · 2025-04-01T20:50:46.000+11:00
```
aec ec2 sec-groups
                                                                                         
  GroupId                GroupName   Description                  VpcId                  
 ─────────────────────────────────────────────────────────────────────────────────────── 
  sg-25d2fabfa34eaa065   default     default VPC security group   vpc-b1f00f09091896c57  
  default                default     default                      vpc-b1f00f09091896c57
```
diff --git a/Makefile b/Makefile
@@ -1,6 +1,7 @@
 include *.mk
 
 ## generate docs
+.PHONY: docs
 docs: $(venv)
 	$(venv)/bin/cog -r docs/*.md
 # trim trailing whitespace so hooks are happy
diff --git a/docs/ami.md b/docs/ami.md
@@ -36,11 +36,11 @@ cog.out(f"```\n{docs('aec ami describe', ami.describe(config, owner='09972010947
 ]]] -->
 ```
 aec ami describe
-
+                                                                                                                                     
   Name                                                              ImageId        CreationDate               RootDeviceName   Size  
- ───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-  ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20170727   ami-1e749f67   2024-01-24T10:50:11.000Z   /dev/sda1        15  
-  ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170721   ami-785db401   2024-01-24T10:50:11.000Z   /dev/sda1        15
+ ─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
+  ubuntu/images/hvm-ssd/ubuntu-trusty-14.04-amd64-server-20170727   ami-1e749f67   2025-04-01T09:46:15.000Z   /dev/sda1        15    
+  ubuntu/images/hvm-ssd/ubuntu-xenial-16.04-amd64-server-20170721   ami-785db401   2025-04-01T09:46:15.000Z   /dev/sda1        15
 ```
 <!-- [[[end]]] -->
 
diff --git a/docs/ec2.md b/docs/ec2.md
@@ -15,20 +15,22 @@ from aec.main import build_parser
 cog.out(f"```\n{build_parser()._subparsers._actions[1].choices['ec2'].format_help()}```")
 ]]] -->
 ```
-usage: aec ec2 [-h] {create-key-pair,describe,launch,logs,modify,start,stop,subnets,rename,tag,tags,status,templates,terminate,user-data} ...
+usage: aec ec2 [-h]
+               {create-key-pair,describe,launch,logs,modify,start,stop,sec-groups,subnets,rename,tag,tags,status,templates,terminate,user-data} ...
 
 optional arguments:
   -h, --help            show this help message and exit
 
 subcommands:
-  {create-key-pair,describe,launch,logs,modify,start,stop,subnets,rename,tag,tags,status,templates,terminate,user-data}
+  {create-key-pair,describe,launch,logs,modify,start,stop,sec-groups,subnets,rename,tag,tags,status,templates,terminate,user-data}
     create-key-pair     Create a key pair.
     describe            List EC2 instances in the region.
     launch              Launch a tagged EC2 instance with an EBS volume.
     logs                Show the system logs.
     modify              Change an instance's type.
     start               Start EC2 instance.
     stop                Stop EC2 instance.
+    sec-groups          Describe security groups in the region, optionally filtered by VPC ID.
     subnets             Describe subnets.
     rename              Rename EC2 instance(s).
     tag                 Tag EC2 instance(s).
@@ -77,11 +79,11 @@ cog.out(f"```\n{docs('aec ec2 describe', ec2.describe(config))}\n```")
 ]]] -->
 ```
 aec ec2 describe
-
-  InstanceId            State     Name    Type       DnsName                                      LaunchTime                  ImageId  
- ──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
-  i-b39b1ea60119e503e   running   alice   t3.small   ec2-54-214-187-100.compute-1.amazonaws.com   2024-01-24 10:50:11+00:00   ami-03cf127a  
-  i-52d4b17a9a8586a31   running   sam     t3.small   ec2-54-214-105-52.compute-1.amazonaws.com    2024-01-24 10:50:11+00:00   ami-03cf127a
+                                                                                                                                            
+  InstanceId            State     Name    Type       DnsName                                      LaunchTime                  ImageId       
+ ────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── 
+  i-d11c784672f583196   running   alice   t3.small   ec2-54-214-8-190.compute-1.amazonaws.com     2025-04-01 09:46:15+00:00   ami-03cf127a  
+  i-919d8e2adf1445b8d   running   sam     t3.small   ec2-54-214-106-199.compute-1.amazonaws.com   2025-04-01 09:46:16+00:00   ami-03cf127a
 ```
 <!-- [[[end]]] -->
 
@@ -116,11 +118,11 @@ cog.out(f"```\n{docs('aec ec2 describe -c Name,SubnetId,Volumes,Image.CreationDa
 ]]] -->
 ```
 aec ec2 describe -c Name,SubnetId,Volumes,Image.CreationDate
-
-  Name    SubnetId          Volumes           Image.CreationDate  
- ──────────────────────────────────────────────────────────────────────
-  alice   subnet-8ffb733b   ['Size=15 GiB']   2024-01-24T10:50:11.000Z  
-  sam     subnet-8ffb733b   ['Size=15 GiB']   2024-01-24T10:50:11.000Z
+                                                                                 
+  Name    SubnetId                   Volumes           Image.CreationDate        
+ ─────────────────────────────────────────────────────────────────────────────── 
+  alice   subnet-3c34502dfd1bc971e   ['Size=15 GiB']   2025-04-01T09:46:15.000Z  
+  sam     subnet-3c34502dfd1bc971e   ['Size=15 GiB']   2025-04-01T09:46:15.000Z
 ```
 <!-- [[[end]]] -->
 
@@ -212,15 +214,30 @@ cog.out(f"```\n{docs('aec ec2 subnets', ec2.subnets(config))}\n```")
 ]]] -->
 ```
 aec ec2 subnets
+                                                                                               
+  SubnetId                   VpcId                   AvailabilityZone   CidrBlock        Name  
+ ───────────────────────────────────────────────────────────────────────────────────────────── 
+  subnet-3c34502dfd1bc971e   vpc-b1f00f09091896c57   us-east-1a         172.31.0.0/20          
+  subnet-569837d96526af096   vpc-b1f00f09091896c57   us-east-1b         172.31.16.0/20         
+  subnet-8a3b095072e46bf09   vpc-b1f00f09091896c57   us-east-1c         172.31.32.0/20         
+  subnet-c3e0557e8334ec7b5   vpc-b1f00f09091896c57   us-east-1d         172.31.48.0/20         
+  subnet-67ffe1d070fd23148   vpc-b1f00f09091896c57   us-east-1e         172.31.64.0/20         
+  subnet-fbfe5e577853e5221   vpc-b1f00f09091896c57   us-east-1f         172.31.80.0/20
+```
+<!-- [[[end]]] -->
 
-  SubnetId          VpcId          AvailabilityZone   CidrBlock        Name  
- ───────────────────────────────────────────────────────────────────────────
-  subnet-8ffb733b   vpc-df045ae9   us-east-1a         172.31.0.0/20  
-  subnet-50f11bb4   vpc-df045ae9   us-east-1b         172.31.16.0/20  
-  subnet-93811557   vpc-df045ae9   us-east-1c         172.31.32.0/20  
-  subnet-f17e6261   vpc-df045ae9   us-east-1d         172.31.48.0/20  
-  subnet-1a5d6685   vpc-df045ae9   us-east-1e         172.31.64.0/20  
-  subnet-b12557cf   vpc-df045ae9   us-east-1f         172.31.80.0/20
+Describe security groups:
+
+<!-- [[[cog
+cog.out(f"```\n{docs('aec ec2 sec-groups', ec2.sec_groups(config))}\n```")
+]]] -->
+```
+aec ec2 sec-groups
+                                                                                         
+  GroupId                GroupName   Description                  VpcId                  
+ ─────────────────────────────────────────────────────────────────────────────────────── 
+  sg-25d2fabfa34eaa065   default     default VPC security group   vpc-b1f00f09091896c57  
+  default                default     default                      vpc-b1f00f09091896c57
 ```
 <!-- [[[end]]] -->
 
diff --git a/src/aec/command/ec2.py b/src/aec/command/ec2.py
@@ -617,6 +617,38 @@ def status_text(summary: InstanceStatusSummaryTypeDef, key: str = "reachability"
     )
 
 
+def sec_groups(config: Config, vpc_id: str | None = None) -> list[dict[str, str | None]]:
+    """
+    Describe security groups in the region, optionally filtered by VPC ID.
+    """
+
+    ec2_client = boto3.client("ec2", region_name=config.get("region", None))
+
+    # Prepare filters
+    filters: list[FilterTypeDef] = []
+    if vpc_id:
+        filters.append({"Name": "vpc-id", "Values": [vpc_id]})
+
+    paginator = ec2_client.get_paginator("describe_security_groups")
+    pages = paginator.paginate(Filters=filters)
+
+    groups_info: list[dict[str, str | None]] = []
+
+    for page in pages:
+        groups_info.extend(
+            {
+                "GroupId": sg["GroupId"],
+                "GroupName": sg.get("GroupName"),
+                "Description": sg.get("Description"),
+                "VpcId": sg.get("VpcId"),
+            }
+            for sg in page["SecurityGroups"]
+        )
+
+    # Sort the results, e.g., by VpcId then GroupName
+    return sorted(groups_info, key=lambda g: (g["VpcId"], g["GroupName"]))
+
+
 def subnets(config: Config, vpc_id: str | None = None) -> list[dict[str, Any]]:
     """Describe subnets."""
 
diff --git a/src/aec/main.py b/src/aec/main.py
@@ -86,6 +86,10 @@ def tag_arg_checker(tag: str) -> str:
         config_arg,
         Arg("ident", type=str, help="Name tag of instance or instance id")
     ]),
+    Cmd(ec2.sec_groups, [
+        config_arg,
+        Arg("-v", "--vpc-id", help="Filter to these VPCs"),
+    ]),
     Cmd(ec2.subnets, [
         config_arg,
         Arg("-v", "--vpc-id", help="Filter to these VPCs"),
diff --git a/tests/test_ec2.py b/tests/test_ec2.py
@@ -20,6 +20,7 @@
     logs,
     modify,
     rename,
+    sec_groups,
     start,
     status,
     stop,
@@ -467,3 +468,43 @@ def test_user_data_missing(mock_aws_config: Config):
 
     data = user_data(config=mock_aws_config, ident="no_userdata")
     assert not data
+
+
+def test_sec_groups_no_filter(mock_aws_config: Config):
+    """Test retrieving security groups without filters."""
+    # Default VPC should have a default security group
+    groups = sec_groups(mock_aws_config)
+
+    assert len(groups) >= 1
+
+    group = groups[0]
+    assert "GroupId" in group
+    assert "GroupName" in group
+    assert "Description" in group
+    assert "VpcId" in group
+
+
+def test_sec_groups_with_vpc_filter(mock_aws_config: Config):
+    """Test retrieving security groups with VPC filter."""
+    ec2_client = boto3.client("ec2", region_name=mock_aws_config["region"])
+
+    # Create a new VPC in addition to the default VPC
+    # Will come with a default security group
+    vpc_response = ec2_client.create_vpc(CidrBlock="10.0.0.0/16")
+    vpc_id = vpc_response["Vpc"]["VpcId"]
+
+    try:
+        # Get all security groups
+        all_groups = sec_groups(mock_aws_config)
+
+        # Get security groups for the specific VPC
+        vpc_groups = sec_groups(mock_aws_config, vpc_id=vpc_id)
+
+        # Verify filtering works
+        assert len(vpc_groups) >= 1
+        assert all(group["VpcId"] == vpc_id for group in vpc_groups)
+
+        # Verify total count is higher (includes the default VPC's groups)
+        assert len(all_groups) > len(vpc_groups)
+    finally:
+        ec2_client.delete_vpc(VpcId=vpc_id)
