Allow multiple ip addresses in security group

README.md

@@ -237,9 +237,9 @@ security_group_filter:
     value: 'MyOtherSG'
 ```
 
-### `security_group_cidr_ip`
+#### `security_group_cidr_ip`
 
-The EC2 [security group][group_docs] ip, in CIDR block format, to use when creating the security group.
+The EC2 [security group][group_docs] ip address, in CIDR block format, to use when creating the security group. Optionally, you can provide an array of ip addresses instead when having multiple ip addresses for the security group is desirable.
 
 The default is "0.0.0.0/0".
 

lib/kitchen/driver/ec2.rb

@@ -785,7 +785,9 @@ def create_security_group(state)
               ip_protocol: "tcp",
               from_port: port,
               to_port: port,
-              ip_ranges: [{ cidr_ip: config[:security_group_cidr_ip] }],
+              ip_ranges: Array(config[:security_group_cidr_ip]).map do |cidr_ip|
+                { cidr_ip: cidr_ip }
+              end,
             }
           end
         )

spec/kitchen/driver/ec2_spec.rb

@@ -546,7 +546,7 @@
         include_examples "common create"
       end
 
-      context "with a ip address configured" do
+      context "with an ip address configured as a string" do
         before do
           config[:security_group_cidr_ip] = "1.2.3.4/32"
           expect(actual_client).to receive(:describe_subnets).with(filters: [{ name: "subnet-id", values: ["subnet-1234"] }]).and_return(double(subnets: [double(vpc_id: "vpc-1")]))
@@ -562,6 +562,38 @@
         include_examples "common create"
       end
 
+      context "with an ip address configured as an array" do
+        before do
+          config[:security_group_cidr_ip] = ["10.0.0.0/22"]
+          expect(actual_client).to receive(:describe_subnets).with(filters: [{ name: "subnet-id", values: ["subnet-1234"] }]).and_return(double(subnets: [double(vpc_id: "vpc-1")]))
+          expect(actual_client).to receive(:create_security_group).with(group_name: /kitchen-/, description: /Test Kitchen for/, vpc_id: "vpc-1").and_return(double(group_id: "sg-9876"))
+          expect(actual_client).to receive(:authorize_security_group_ingress).with(group_id: "sg-9876", ip_permissions: [
+            { ip_protocol: "tcp", from_port: 22, to_port: 22, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }] },
+            { ip_protocol: "tcp", from_port: 3389, to_port: 3389, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }] },
+            { ip_protocol: "tcp", from_port: 5985, to_port: 5985, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }] },
+            { ip_protocol: "tcp", from_port: 5986, to_port: 5986, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }] },
+          ])
+        end
+
+        include_examples "common create"
+      end
+
+      context "with multiple ip addresses configured as an array" do
+        before do
+          config[:security_group_cidr_ip] = ["10.0.0.0/22", "172.16.0.0/24"]
+          expect(actual_client).to receive(:describe_subnets).with(filters: [{ name: "subnet-id", values: ["subnet-1234"] }]).and_return(double(subnets: [double(vpc_id: "vpc-1")]))
+          expect(actual_client).to receive(:create_security_group).with(group_name: /kitchen-/, description: /Test Kitchen for/, vpc_id: "vpc-1").and_return(double(group_id: "sg-9876"))
+          expect(actual_client).to receive(:authorize_security_group_ingress).with(group_id: "sg-9876", ip_permissions: [
+            { ip_protocol: "tcp", from_port: 22, to_port: 22, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }, { cidr_ip: "172.16.0.0/24" }] },
+            { ip_protocol: "tcp", from_port: 3389, to_port: 3389, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }, { cidr_ip: "172.16.0.0/24" }] },
+            { ip_protocol: "tcp", from_port: 5985, to_port: 5985, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }, { cidr_ip: "172.16.0.0/24" }] },
+            { ip_protocol: "tcp", from_port: 5986, to_port: 5986, ip_ranges: [{ cidr_ip: "10.0.0.0/22" }, { cidr_ip: "172.16.0.0/24" }] },
+          ])
+        end
+
+        include_examples "common create"
+      end
+
       context "with a default VPC" do
         before do
           config.delete(:subnet_id)