kumogata-template 0.0.26 → 0.0.27

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: be4c7caa3556239afc3151427c364e99c744aff3
-  data.tar.gz: 1de25309a11916e14ed6f428bdc2aeb4bb6b9e17
+  metadata.gz: 2383c2d571276248b35f727736cd4aea37204b62
+  data.tar.gz: e33971d8091ebf93f0bb9b64928e9466e074225c
 SHA512:
-  metadata.gz: 220f97ebfde87403b34dbd4f9d82a913e1d2b65e2897006defae79ddb5546f84e07eba8a2da49a06459080e940ebf9f206babe179dc42722b0b8eda8d06d237d
-  data.tar.gz: 919dcf05d5dd0e5405d952c9f577570576e80da40f1efe17e4684a460d6b769a85d94b59c4ed2ee820bd974c4ae7e559cbd75058d09cf7e50b9fd21151f022a3
+  metadata.gz: 16d1afa6529932af0d96e5319637110cd09ea507838d3b207e685d7ec4f405bd99ec16e80291772531cb11d6a7ef705517dabbc55df0131cea9ea39674e95edf
+  data.tar.gz: '01658b9dc49640b269209d5f9aaee2abcbf8f664c2f258c3dc6c6674c20f0fcad114161f33dce88701b0bca049ce5c3e0905d6d32d1bc6b74afabf770fd616b8'

data/.travis.yml

@@ -2,7 +2,7 @@ sudo: false
 language: ruby
 cache: bundler
 rvm:
-  - 2.3.1
+  - 2.3.4
 gemfile: n0ts/kumogata-template/Gemfile
 script:
   - bundle install --path vendor/bundle

data/Gemfile

@@ -1,4 +1,6 @@
 source 'https://rubygems.org'
 
+ENV['NOKOGIRI_USE_SYSTEM_LIBRARIES'] = 'YES'
+
 # Specify your gem's dependencies in kumogata.gemspec
 gemspec

data/Gemfile.lock

@@ -1,20 +1,20 @@
 PATH
   remote: .
   specs:
-    kumogata-template (0.0.24)
+    kumogata-template (0.0.27)
       aws-sdk (~> 2.3)
       kumogata (= 0.5.12)
 
 GEM
   remote: https://rubygems.org/
   specs:
-    aws-sdk (2.9.15)
-      aws-sdk-resources (= 2.9.15)
-    aws-sdk-core (2.9.15)
+    aws-sdk (2.9.25)
+      aws-sdk-resources (= 2.9.25)
+    aws-sdk-core (2.9.25)
       aws-sigv4 (~> 1.0)
       jmespath (~> 1.0)
-    aws-sdk-resources (2.9.15)
-      aws-sdk-core (= 2.9.15)
+    aws-sdk-resources (2.9.25)
+      aws-sdk-core (= 2.9.25)
     aws-sdk-v1 (1.67.0)
       json (~> 1.4)
       nokogiri (~> 1)
@@ -50,7 +50,7 @@ GEM
       uuidtools
     libv8 (3.16.14.19)
     mini_portile2 (2.0.0)
-    minitest (5.10.1)
+    minitest (5.10.2)
     net-ssh (4.1.0)
     nokogiri (1.6.7.2)
       mini_portile2 (~> 2.0.0.rc2)
@@ -62,7 +62,7 @@ GEM
     therubyracer (0.12.2)
       libv8 (~> 3.16.14.0)
       ref
-    tins (1.13.2)
+    tins (1.14.0)
     uuidtools (2.1.5)
 
 PLATFORMS
@@ -75,4 +75,4 @@ DEPENDENCIES
   rake (~> 11.1)
 
 BUNDLED WITH
-   1.13.7
+   1.14.6

data/lib/kumogata/template.rb

@@ -20,6 +20,7 @@ require 'kumogata/template/helper'
 require 'kumogata/template/iam'
 require 'kumogata/template/lambda'
 require 'kumogata/template/logs'
+require 'kumogata/template/redshift'
 require 'kumogata/template/s3'
 require 'kumogata/template/sns'
 require 'kumogata/template/version'

data/lib/kumogata/template/ecr.rb

@@ -4,17 +4,11 @@
 require 'kumogata/template/helper'
 require 'kumogata/template/iam'
 
-
 def _ecr_policy(name, args)
   action = args[name.to_sym][:action] || []
   user = args[name.to_sym][:user] || []
-  users = []
-  user.each do |v|
-    users << _iam_arn("iam", { account_id: v[:id], type: "user", user: v[:name] })
-  end
-  principal = _{
-    AWS users
-  }
+  account = args[name.to_sym][:account]
+  principal = { account: account }
   policy = {
     service: "ecr",
     action: action,

data/lib/kumogata/template/helper.rb

@@ -245,3 +245,35 @@ def _window_time(service, start_time)
   end
   "#{start_time.strftime(format)}-#{end_time.strftime(format)}"
 end
+
+def _ref_arn(service, name)
+  # FIXME
+  _{
+    Fn__Join [
+              ",",
+              [
+               "arn:aws:#{service}:::",
+               _{ Ref _resource_name(name) },
+              ]
+             ]
+  }
+end
+
+def _ref_pseudo(type)
+  pseudo =
+    case type
+    when "account"
+      "AccountId"
+    when "notification arns"
+      "NotificationARNs"
+    when "no value"
+      "NoValue"
+    when "region"
+      "Region"
+    when "stack id"
+      "StackId"
+    when "stack name"
+      "StackName"
+    end
+  _{ Ref "AWS::#{pseudo}" }
+end

data/lib/kumogata/template/iam.rb

@@ -63,6 +63,54 @@ def _iam_policies(name, args)
   array
 end
 
+def _iam_policy_principal(args, key = "principal")
+  principal = args[key.to_sym] || {}
+  return "" if principal.empty?
+  return principal if principal.is_a? String
+
+  if principal.key? :account
+    account = principal[:account]
+    if account.is_a? Hash
+      _{
+        AWS _iam_arn("iam", { type: "user", account_id: account[:id], user: account[:name] })
+      }
+    else
+      _{
+        AWS account
+      }
+    end
+  elsif principal.key? :accounts
+    accounts = []
+    principal[:accounts].each do |v|
+      accounts << _iam_arn("iam", { type: "user", account_id: v[:id], user: v[:name] })
+    end
+    _{
+      AWS accounts
+    }
+  elsif principal.key? :federated
+    _{
+      Federated principal[:federated]
+    }
+  elsif principal.key? :assumed_role
+    assumed_role = principal[:assumed_role]
+    _{
+      AWS _iam_arn("iam",
+                   { sts: true, type: "assumed-role",
+                     account_id: assumed_role[:id], user: assumed_role[:name] })
+    }
+  elsif principal.key? :services or principal.key? :service
+    _{
+      Service principal[:services] || principal[:service]
+    }
+  elsif principal.key? :canonical
+    _{
+      CanonicalUser principal[:canonical]
+    }
+  else
+    ""
+  end
+end
+
 def _iam_policy_document(name, args)
   array = []
   documents = args[name.to_sym] || []
@@ -74,14 +122,12 @@ def _iam_policy_document(name, args)
 
     actions = action.collect{|vv| "#{service}:#{vv}" }
     if v.key? :resource
-      if v[:resource].is_a? String
-        resource = _iam_arn(service, v[:resource])
-      else
-        resource = v[:resource].collect{|vv| _iam_arn(service, vv) }
-      end
+      resource = _iam_arn(service, v[:resource])
     else
       resource = [ "*" ]
     end
+    principal = _iam_policy_principal(v)
+    not_principal = _iam_policy_principal(v, "not_principal")
 
     array << _{
       Sid v[:sid] if v.key? :sid
@@ -89,8 +135,8 @@ def _iam_policy_document(name, args)
       NotAction no_action v[:no_action] if v.key? :no_action
       Action actions
       Resource resource unless v.key? :no_resource
-      Principal v[:principal] if v.key? :principal
-      NotPrincipal v[:not_principal] if v.key? :not_principal
+      Principal principal unless principal.empty?
+      NotPrincipal not_principal unless not_principal.empty?
       Condition _iam_to_policy_condition(v[:condition]) if v.key? :condition
     }
   end
@@ -133,29 +179,62 @@ end
 # Amazon Resource Names (ARNs) and AWS Service Namespaces
 # https://docs.aws.amazon.com/general/latest/gr/aws-arns-and-namespaces.html
 def _iam_arn(service, resource)
-  arn_prefix = "arn:aws:#{service}"
+  def _convert(args)
+    return "" if args.empty?
+    return args if args.is_a? String
+    array = []
+    args.each_pair do |k, v|
+      array <<
+        case k.to_s
+        when "ref"
+          _{ Ref _resource_name(v) }
+        when /ref_(.*)/
+          _ref_pseudo($1)
+        else
+          v
+        end
+    end
+    (args.size == 1) ? array.first : array
+  end
 
+  arn_prefix = "arn:aws:#{service}"
   case service
   when "s3"
+    arn_prefix_s3 = "#{arn_prefix}:::"
     if resource.is_a? String
-      "#{arn_prefix}:::#{resource}"
+      "#{arn_prefix_s3}#{resource}"
+
+    elsif resource.is_a? Hash
+      _{ Fn__Join "", [ arn_prefix_s3, _convert(resource) ] }
+
     else
-      resources = [ "#{arn_prefix}:::" ]
-      resource.each do |v|
-        if v =~ /^Ref_(.*)/
-          resources << _{ Ref _resource_name($1) }
+      array, array_map = [], []
+      resource.each_with_index do |v, i|
+        if v.is_a? String
+          array << v
+        elsif v.is_a? Hash
+          array << _convert(v)
         else
-          resources << v
+          tmp = [ arn_prefix_s3 ]
+          tmp += v.collect{|vv| _convert(vv) }
+          array_map << _{ Fn__Join "", tmp }
         end
       end
-      _{ Fn__Join "", resources }
+      return array_map unless array_map.empty?
+
+      if array.select{|v| v.is_a? Hash }.empty?
+        array.collect{|v| "#{arn_prefix_s3}#{v}" }
+      else
+        _{ Fn__Join "", array.insert(0, arn_prefix_s3) }
+      end
     end
 
   when "cloudformation"
     if resource == "*"
       resource
     else
-      "#{arn_prefix}:#{resource[:region]}:#{resource[:account_id]}:stack/#{resource[:stack]}"
+      resource = [ { region: resource[:region], account_id: resource[:account_id], stack: resource[:stack] } ] if resource.is_a? String
+      resource.collect{|v| "#{arn_prefix}:#{v[:region]}:#{v[:account_id]}:stack/#{v[:stack]}" }
     end
 
   when "iam"
@@ -170,7 +249,7 @@ def _iam_arn(service, resource)
     end
 
   when "elasticloadbalancing"
-    "#{arn_prefix}:*:*:loadbalancer/#{resource}"
+    resource.collect{|v| "#{arn_prefix}:*:*:loadbalancer/#{v}" }
 
   when "logs"
     "#{arn_prefix}:*:*:*"
@@ -180,22 +259,6 @@ def _iam_arn(service, resource)
   end
 end
 
-def _iam_s3_bucket_policy(region, bucket, prefix, aws_account_id)
-  account_id = ELB_ACCESS_LOG_ACCOUNT_ID[region.to_sym]
-  prefix = [ prefix ] if prefix.is_a? String
-  resource = prefix.collect{|v| "#{bucket}/#{v}/AWSLogs/#{aws_account_id}/*" }
-  [
-   {
-     service: "s3",
-     action: [ "PutObject" ],
-     principal: {
-       AWS: [ account_id ],
-     },
-     resource: resource,
-   },
-  ]
-end
-
 def _iam_login_profile(args)
   password = args[:password] || ""
   reset_required = _bool("reset_required", args, true)

data/lib/kumogata/template/redshift.rb

@@ -0,0 +1,26 @@
+#
+# Helper - Redshift
+#
+require 'kumogata/template/helper'
+
+def _redshift_parameters(args)
+  parameters = args[:parameters] || []
+
+  array = []
+  parameters.collect do |v|
+    name = v[:name] || ""
+    value =
+      if name == "wlm_json_configuration"
+        v[:value].to_json
+      else
+        v[:value] || ""
+      end
+    next if name.empty? or value.empty?
+
+    array << _{
+      ParameterName name
+      ParameterValue value
+    }
+  end
+  array
+end

data/lib/kumogata/template/version.rb

@@ -1 +1 @@
-KUMOGATA_TEMPLATE_VERSION = '0.0.26'
+KUMOGATA_TEMPLATE_VERSION = '0.0.27'

data/template/redshift-cluster-parameter-group.rb

@@ -3,11 +3,12 @@
 # http://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-resource-redshift-clusterparametergroup.html
 #
 require 'kumogata/template/helper'
+require 'kumogata/template/redshift'
 
 name = _resource_name(args[:name], "redshift cluster parameter group")
 description = args[:description] || "#{args[:name]} redshift cluster parameter group description"
 family = args[:family] || "redshift-1.0"
-parameters = args[:parameters] || []
+parameters = _redshift_parameters(args)
 
 _(name) do
   Type "AWS::Redshift::ClusterParameterGroup"

data/test/iam_test.rb

@@ -81,6 +81,88 @@ Policies _iam_policies "test", test: [ { document: [ { service: "s3" } ] } ]
     assert_equal exp_template.chomp, act_template
   end
 
+  def test_iam_policy_principal
+    template = <<-EOS
+Test _iam_policy_principal principal: { account: 1 }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "AWS": "1"
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+Test _iam_policy_principal principal: { account: { id: 1, name: "test" } }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "AWS": "arn:aws:iam::1:user/test"
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+Test _iam_policy_principal principal: { accounts: [ { id: 1, name: "test" } ] }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "AWS": [
+      "arn:aws:iam::1:user/test"
+    ]
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+Test _iam_policy_principal principal: { federated: "test" }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "Federated": "test"
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+Test _iam_policy_principal principal: { assumed_role: { id: 1, name: "test/test" } }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "AWS": "arn:aws:sts::1:assumed-role/test/test"
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+
+     template = <<-EOS
+Test _iam_policy_principal principal: { service: "test" }
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": {
+    "Service": "test"
+  }
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+  end
+
   def test_iam_policy_document
     template = <<-EOS
 PolicyDocument _iam_policy_document "test", test: [ { service: "s3" } ]
@@ -190,28 +272,104 @@ arn _iam_arn("s3", "test")
 }
   EOS
     assert_equal exp_template.chomp, act_template
-  end
 
-  def test_iam_s3_bucket_policy
     template = <<-EOS
-arn _iam_s3_bucket_policy("us_east1", "test", "test", 1234)
+arn _iam_arn("s3", { ref: "test" })
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "arn": {
+    "Fn::Join": [
+      "",
+      [
+        "arn:aws:s3:::",
+        {
+          "Ref": "Test"
+        }
+      ]
+    ]
+  }
+}
+  EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+arn _iam_arn("s3", [ "test1", "test2" ])
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "arn": [
+    "arn:aws:s3:::test1",
+    "arn:aws:s3:::test2"
+  ]
+}
+  EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+arn _iam_arn("s3", [ { ref: "test" }, { ref_account: true }, "/*" ])
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "arn": {
+    "Fn::Join": [
+      "",
+      [
+        "arn:aws:s3:::",
+        {
+          "Ref": "Test"
+        },
+        {
+          "Ref": "AWS::AccountId"
+        },
+        "/*"
+      ]
+    ]
+  }
+}
+  EOS
+    assert_equal exp_template.chomp, act_template
+
+    template = <<-EOS
+test1 = [ { ref: "test1" }, { ref_account: true }, "/*" ]
+test2 = [ { ref: "test2" }, { ref_account: true }, "/*" ]
+arn _iam_arn("s3", [ test1, test2 ])
     EOS
     act_template = run_client_as_json(template)
     exp_template = <<-EOS
 {
   "arn": [
     {
-      "service": "s3",
-      "action": [
-        "PutObject"
-      ],
-      "principal": {
-        "AWS": [
-          null
+      "Fn::Join": [
+        "",
+        [
+          "arn:aws:s3:::",
+          {
+            "Ref": "Test1"
+          },
+          {
+            "Ref": "AWS::AccountId"
+          },
+          "/*"
+        ]
+      ]
+    },
+    {
+      "Fn::Join": [
+        "",
+        [
+          "arn:aws:s3:::",
+          {
+            "Ref": "Test2"
+          },
+          {
+            "Ref": "AWS::AccountId"
+          },
+          "/*"
         ]
-      },
-      "resource": [
-        "test/test/AWSLogs/1234/*"
       ]
     }
   ]

data/test/redshift_test.rb

@@ -0,0 +1,23 @@
+require 'abstract_unit'
+require 'kumogata/template/redshift'
+
+class RedshiftTest < Minitest::Test
+  def test_redshift_parameters
+    template = <<-EOS
+parameters = { name: "wlm_json_configuration", value: [ { test: "test" } ] }
+Test _redshift_parameters(parameters: [ parameters ])
+    EOS
+    act_template = run_client_as_json(template)
+    exp_template = <<-EOS
+{
+  "Test": [
+    {
+      "ParameterName": "wlm_json_configuration",
+      "ParameterValue": "[{\\"test\\":\\"test\\"}]"
+    }
+  ]
+}
+    EOS
+    assert_equal exp_template.chomp, act_template
+  end
+end

data/test/template/ecr-repository_test.rb

@@ -12,10 +12,8 @@ action = %w(
   UploadLayerPart
   CompleteLayerUpload
 )
-user = [
-  { id: 1, name: "test" }
-]
-_ecr_repository "test", { policy: { action: action, user: user } }
+account = { id: 1, name: "test" }
+_ecr_repository "test", { policy: { action: action, account: account } }
     EOS
     act_template = run_client_as_json(template)
     exp_template = <<-EOS
@@ -39,9 +37,7 @@ _ecr_repository "test", { policy: { action: action, user: user } }
               "ecr:CompleteLayerUpload"
             ],
             "Principal": {
-              "AWS": [
-                "arn:aws:iam::1:user/test"
-              ]
+              "AWS": "arn:aws:iam::1:user/test"
             }
           }
         ]

data/test/template/redshift-cluster-parameter-group_test.rb

@@ -3,7 +3,8 @@ require 'abstract_unit'
 class RedshiftClusterParameterGroupTest < Minitest::Test
   def test_normal
     template = <<-EOS
-_redshift_cluster_parameter_group "test", parameters: [ ParameterName: "enable_user_activity_logging", ParameterValue: "true"]
+parameters = [ { name: "enable_user_activity_logging", value: "true" } ]
+_redshift_cluster_parameter_group "test", parameters: parameters
     EOS
     act_template = run_client_as_json(template)
     exp_template = <<-EOS

metadata

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: kumogata-template
 version: !ruby/object:Gem::Version
-  version: 0.0.26
+  version: 0.0.27
 platform: ruby
 authors:
 - Naoya Nakazawa
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2017-05-15 00:00:00.000000000 Z
+date: 2017-05-26 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk
@@ -125,6 +125,7 @@ files:
 - lib/kumogata/template/iam.rb
 - lib/kumogata/template/lambda.rb
 - lib/kumogata/template/logs.rb
+- lib/kumogata/template/redshift.rb
 - lib/kumogata/template/s3.rb
 - lib/kumogata/template/sns.rb
 - lib/kumogata/template/version.rb
@@ -271,6 +272,7 @@ files:
 - test/iam_test.rb
 - test/lambda_test.rb
 - test/logs_test.rb
+- test/redshift_test.rb
 - test/s3_test.rb
 - test/sns_test.rb
 - test/template/alb-listener-rule_test.rb
@@ -413,7 +415,7 @@ required_rubygems_version: !ruby/object:Gem::Requirement
       version: '0'
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.6.11
+rubygems_version: 2.5.2
 signing_key: 
 specification_version: 4
 summary: Template for Kumogata.
@@ -440,6 +442,7 @@ test_files:
 - test/iam_test.rb
 - test/lambda_test.rb
 - test/logs_test.rb
+- test/redshift_test.rb
 - test/s3_test.rb
 - test/sns_test.rb
 - test/template/alb-listener-rule_test.rb