I did a slight refactoring of the AWS WebServer example at <https://github.com/pulumi/examples/tree/master/aws-py-webserver>, and wrote a little test below that checks to ensure we don't have unrestricted CIDR blocks on security groups. A few things to note: (1) the project structure needs to change a little rather than declaring everything in __main__.py to facilitate importing, (2) we call a few pulumi.runtime.settings._set_x(..) helpers in our test before allocating anything, and (3) slightly awkwardly, I had to do the import inside of the test case itself, to avoid promises being allocated on a separate event loop than the test is running on.

test.py
import asyncio
import unittest

# Import the Pulumi SDK and turn on test mode *before* allocating anything.
import pulumi
pulumi.runtime.settings._set_test_mode_enabled(True)
pulumi.runtime.settings._set_project('webserver')
pulumi.runtime.settings._set_stack('test')

## Tests come next:

def async_test(coro):
    def wrapper(*args, **kwargs):
        loop = asyncio.new_event_loop()
        loop.run_until_complete(coro(*args, **kwargs))
        loop.close()
    return wrapper

class InstanceTests(unittest.TestCase):
    @async_test
    async def test_no_internet_access(self):
        # Now import the infrastructure module which will allocate our resource objects.
        from infra import group, server

        # Rendezvous with the resource's resulting ingress rules.
        ingress_fut = asyncio.Future()
        group.ingress.apply(lambda ig: ingress_fut.set_result(ig))
        ingress = await ingress_fut
        # Now loop through them and reject any that are open to the Internet (0.0.0.0/0).
        for rule in ingress:
            for cidr in rule['cidr_blocks']:
                self.assertNotEqual('0.0.0.0/0', cidr)