miam 0.1.0 → 0.1.1

data/lib/miam/dsl/context/user.rb

@@ -1,6 +1,6 @@
 class Miam::DSL::Context::User
   def initialize(name, &block)
-    @name = name
+    @user_name = name
     @result = {:groups => [], :policies => {}}
     instance_eval(&block)
   end
@@ -21,13 +21,13 @@ class Miam::DSL::Context::User
     name = name.to_s
 
     if @result[:policies][name]
-      raise "User `#{name}` > Policy `#{name}`: already defined"
+      raise "User `#{@user_name}` > Policy `#{name}`: already defined"
     end
 
     policy_document = yield
 
     unless policy_document.kind_of?(Hash)
-      raise "User `#{name}` > Policy `#{name}`: wrong argument type #{policy_document.class} (expected Hash)"
+      raise "User `#{@user_name}` > Policy `#{name}`: wrong argument type #{policy_document.class} (expected Hash)"
     end
 
     @result[:policies][name] = policy_document

data/lib/miam/dsl/converter.rb

@@ -12,6 +12,8 @@ class Miam::DSL::Converter
     [
       output_users(@exported[:users]),
       output_groups(@exported[:groups]),
+      output_roles(@exported[:roles]),
+      output_instance_profiles(@exported[:instance_profiles]),
     ].join("\n")
   end
 
@@ -72,6 +74,62 @@ end
     EOS
   end
 
+  def output_roles(roles)
+    roles.each.sort_by {|k, v| k }.map {|role_name, attrs|
+      output_role(role_name, attrs)
+    }.join("\n")
+  end
+
+  def output_role(role_name, attrs)
+    role_options = {:path => attrs[:path]}
+
+    <<-EOS
+role #{role_name.inspect}, #{Miam::Utils.unbrace(role_options.inspect)} do
+  #{output_role_instance_profiles(attrs[:instance_profiles])}
+
+  #{output_assume_role_policy_document(attrs[:assume_role_policy_document])}
+
+  #{output_policies(attrs[:policies])}
+end
+    EOS
+  end
+
+  def output_role_instance_profiles(instance_profiles)
+    if instance_profiles.empty?
+      instance_profiles = ['# no instance_profile']
+    else
+      instance_profiles = instance_profiles.map {|i| i.inspect }
+    end
+
+    instance_profiles = "\n    " + instance_profiles.join(",\n    ") + "\n  "
+    "instance_profiles(#{instance_profiles})"
+  end
+
+  def output_instance_profiles(instance_profiles)
+    instance_profiles.each.sort_by {|k, v| k }.map {|instance_profile_name, attrs|
+      output_instance_profile(instance_profile_name, attrs)
+    }.join("\n")
+  end
+
+  def output_assume_role_policy_document(assume_role_policy_document)
+    assume_role_policy_document = assume_role_policy_document.pretty_inspect
+    assume_role_policy_document.gsub!("\n", "\n    ").strip!
+
+    <<-EOS.strip
+  assume_role_policy_document do
+    #{assume_role_policy_document}
+  end
+    EOS
+  end
+
+  def output_instance_profile(instance_profile_name, attrs)
+    instance_profile_options = {:path => attrs[:path]}
+
+    <<-EOS
+instance_profile #{instance_profile_name.inspect}, #{Miam::Utils.unbrace(instance_profile_options.inspect)}
+    EOS
+  end
+
   def output_policies(policies)
     policies.map {|policy_name, policy_document|
       output_policy(policy_name, policy_document)

data/lib/miam/exporter.rb

@@ -11,19 +11,24 @@ class Miam::Exporter
   def export(&block)
     users = list_users
     groups = list_groups
+    roles = list_roles
+    instance_profiles = list_instance_profiles
     group_users = {}
+    instance_profile_roles = {}
 
     export_options = {
-      :progress_total => (users.length + groups.length),
+      :progress_total => (users.length + groups.length + roles.length + instance_profiles.length),
       :progress => 0,
     }
 
     expected = {
       :users => export_users(users, group_users, export_options, &block),
       :groups => export_groups(groups, export_options, &block),
+      :roles => export_roles(roles, instance_profile_roles, export_options, &block),
+      :instance_profiles => export_instance_profiles(instance_profiles, export_options, &block),
     }
 
-    [expected, group_users]
+    [expected, group_users, instance_profile_roles]
   end
 
   private
@@ -123,6 +128,82 @@ class Miam::Exporter
     result
   end
 
+  def export_roles(roles, instance_profile_roles, export_options = {})
+    result = {}
+
+    roles.each do |role|
+      role_name = role.role_name
+
+      instance_profiles = export_role_instance_profiles(role_name)
+
+      instance_profiles.each do |instance_profile_name|
+        instance_profile_roles[instance_profile_name] ||= []
+        instance_profile_roles[instance_profile_name] << role_name
+      end
+
+      document = CGI.unescape(role.assume_role_policy_document)
+
+      result[role_name] = {
+        :path => role.path,
+        :assume_role_policy_document => JSON.parse(document),
+        :instance_profiles => instance_profiles,
+        :policies => export_role_policies(role_name),
+      }
+
+      export_options[:progress] += 1
+      yield(export_options) if block_given?
+    end
+
+    result
+  end
+
+  def export_role_instance_profiles(role_name)
+    @iam.list_instance_profiles_for_role(:role_name => role_name).map {|resp|
+      resp.instance_profiles.map do |instance_profile|
+        instance_profile.instance_profile_name
+      end
+    }.flatten
+  end
+
+  def export_role_policies(role_name)
+    result = {}
+
+    @iam.list_role_policies(:role_name => role_name).each do |resp|
+      resp.policy_names.map do |policy_name|
+        policy = @iam.get_role_policy(:role_name => role_name, :policy_name => policy_name)
+        document = CGI.unescape(policy.policy_document)
+        result[policy_name] = JSON.parse(document)
+      end
+    end
+
+    result
+  end
+
+  def export_instance_profiles(instance_profiles, export_options = {})
+    result = {}
+
+    instance_profiles.each do |instance_profile|
+      instance_profile_name = instance_profile.instance_profile_name
+
+      result[instance_profile_name] = {
+        :path => instance_profile.path,
+      }
+
+      export_options[:progress] += 1
+      yield(export_options) if block_given?
+    end
+
+    result
+  end
+
+  def export_role_instance_profiles(role_name)
+    @iam.list_instance_profiles_for_role(:role_name => role_name).map {|resp|
+      resp.instance_profiles.map do |instance_profile|
+        instance_profile.instance_profile_name
+      end
+    }.flatten
+  end
+
   def list_users
     @iam.list_users.map {|resp|
       resp.users.to_a
@@ -134,4 +215,16 @@ class Miam::Exporter
       resp.groups.to_a
     }.flatten
   end
+
+  def list_roles
+    @iam.list_roles.map {|resp|
+      resp.roles.to_a
+    }.flatten
+  end
+
+  def list_instance_profiles
+    @iam.list_instance_profiles.map {|resp|
+      resp.instance_profiles.to_a
+    }.flatten
+  end
 end

data/lib/miam/logger.rb

@@ -16,12 +16,11 @@ class Miam::Logger < ::Logger
   end
 
   module Helper
-    def log(level, message, options = {})
-      options = (@options || {}).merge(options)
+    def log(level, message, log_options = {})
       message = "[#{level.to_s.upcase}] #{message}" unless level == :info
-      message << ' (dry-run)' if options[:dry_run]
-      message = message.send(options[:color]) if options[:color]
-      logger = options[:logger] || Miam::Logger.instance
+      message << ' (dry-run)' if @options[:dry_run]
+      message = message.send(log_options[:color]) if log_options[:color]
+      logger = @options[:logger] || Miam::Logger.instance
       logger.send(level, message)
     end
   end

data/lib/miam/password_manager.rb

@@ -1,4 +1,6 @@
 class Miam::PasswordManager
+  include Miam::Logger::Helper
+
   def initialize(output, options = {})
     @output = output
     @options = options
@@ -11,6 +13,8 @@ class Miam::PasswordManager
   end
 
   def puts_password(user, type, password)
+    log(:info, "User `#{user}` > `#{type}`: put password to `#{@output}`")
+
     open_output do |f|
       f.puts("#{user},#{type},#{password}")
     end

data/lib/miam/version.rb

@@ -1,3 +1,3 @@
 module Miam
-  VERSION = '0.1.0'
+  VERSION = '0.1.1'
 end

data/spec/miam/create_spec.rb

@@ -5,7 +5,7 @@ describe 'create' do
     it do
       updated = apply(subject) { '' }
       expect(updated).to be_falsey
-      expect(export).to eq({:users=>{}, :groups=>{}})
+      expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
     end
   end
 
@@ -53,6 +53,32 @@ describe 'create' do
               [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
           end
         end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
       RUBY
     end
 
@@ -96,7 +122,25 @@ describe 'create' do
                   {"Statement"=>
                     [{"Effect"=>"Allow",
                       "Action"=>"ses:SendRawEmail",
-                      "Resource"=>"*"}]}}}}}
+                      "Resource"=>"*"}]}}}},
+           :roles=>
+            {"my-role"=>
+              {:path=>"/any/",
+               :assume_role_policy_document=>
+                {"Version"=>"2012-10-17",
+                 "Statement"=>
+                  [{"Sid"=>"",
+                    "Effect"=>"Allow",
+                    "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                    "Action"=>"sts:AssumeRole"}]},
+               :instance_profiles=>["my-instance-profile"],
+               :policies=>
+                {"role-policy"=>
+                  {"Statement"=>
+                    [{"Action"=>["s3:Get*", "s3:List*"],
+                      "Effect"=>"Allow",
+                      "Resource"=>"*"}]}}}},
+           :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
         )
       end
     end
@@ -107,7 +151,7 @@ describe 'create' do
       it do
         updated = apply(subject) { dsl }
         expect(updated).to be_falsey
-        expect(export).to eq({:users=>{}, :groups=>{}})
+        expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
       end
     end
   end

data/spec/miam/delete_spec.rb

@@ -42,6 +42,32 @@ describe 'delete' do
             [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
         end
       end
+
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+
+      instance_profile "my-instance-profile", :path=>"/profile/"
     RUBY
   end
 
@@ -79,7 +105,25 @@ describe 'delete' do
             {"Statement"=>
               [{"Effect"=>"Allow",
                 "Action"=>"ses:SendRawEmail",
-                "Resource"=>"*"}]}}}}}
+                "Resource"=>"*"}]}}}},
+     :roles=>
+      {"my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["my-instance-profile"],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
   end
 
   before(:each) do
@@ -122,6 +166,32 @@ describe 'delete' do
             {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
           end
         end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
       RUBY
     end
 
@@ -162,6 +232,32 @@ describe 'delete' do
               [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
           end
         end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
       RUBY
     end
 
@@ -194,6 +290,32 @@ describe 'delete' do
             {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
           end
         end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
       RUBY
     end
 
@@ -219,4 +341,202 @@ describe 'delete' do
       end
     end
   end
+
+  context 'when delete instance_profile' do
+    let(:delete_instance_profiles_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_instance_profiles_dsl }
+      expect(updated).to be_truthy
+      expected[:roles]["my-role"][:instance_profiles] = []
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete role' do
+    let(:delete_role_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_role_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete role and instance_profile' do
+    let(:delete_role_and_instance_profile_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_role_and_instance_profile_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
 end