miam 0.1.0 → 0.1.1

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 1c277e2932203a2740972ef45fb3588f25e08ced
-  data.tar.gz: 560435cc28118cc841397919249697a68a2e6851
+  metadata.gz: dac584f8c0f3829974bbf66a703a0514b0bba56b
+  data.tar.gz: 4c1554986b97d252d2e6fea8c17dbdee4e7c0072
 SHA512:
-  metadata.gz: f631ea1267d5c62723f85129e26508dc712b5189ea53e47ada4aacbcbc4b75f22bf56971364dc7490734343d2e62d885a6bbf68636d622550495a35bda2585b5
-  data.tar.gz: fa71e40019ca1342ec1472c07c1ae376b4233e1bda0129ed3715e9c151c751b43d1339e08f11018752ab080ed6cec1debcc79bc9a7104891f13f6eb99c4b3490
+  metadata.gz: a197de1545bb2bfdaa906a215d23e61eb4ff63759875929a6f01605a38c6a3c4d5bd3dfa753a6e77af7c4521e0ef5f22ac36a70c1d049c8ada9e4a211f969601
+  data.tar.gz: cad4724a8a76be2bfc6c92ebc5ef97bf95a5e2b08f97469ce2f1213b95cc8ac42c89d694d71cf2805b3ce7e93258a3212354e076455a1852351c81e1a1bb9c59

data/README.md

@@ -63,7 +63,7 @@ Usage: miam [options]
 require 'other/iamfile'
 
 user "bob", :path => "/developer/" do
-  login_profile password_reset_required: true
+  login_profile :password_reset_required=>true
 
   groups(
     "Admin"
@@ -81,7 +81,7 @@ user "bob", :path => "/developer/" do
 end
 
 user "mary", :path => "/staff/" do
-  # login_profile password_reset_required: true
+  # login_profile :password_reset_required=>true
 
   groups(
     # no group
@@ -113,6 +113,28 @@ group "Admin", :path => "/admin/" do
     {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
   end
 end
+
+role "S3", :path => "/" do
+  instance_profiles(
+    "S3"
+  )
+
+  assume_role_policy_document do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Sid"=>"",
+        "Effect"=>"Allow",
+        "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+        "Action"=>"sts:AssumeRole"}]}
+  end
+
+  policy "S3-role-policy" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+  end
+end
+
+instance_profile "S3", :path => "/"
 ```
 
 ## Rename

data/bin/miam

@@ -94,8 +94,9 @@ begin
       output_file = DEFAULT_FILENAME if output_file == '-'
       requires = []
 
-      client.export do |users_or_groups, dsl|
-        iam_file = File.join(File.dirname(output_file), "#{users_or_groups}.iam")
+      client.export do |type, dsl|
+        next if dsl.strip.empty?
+        iam_file = File.join(File.dirname(output_file), "#{type}.iam")
         requires << iam_file
         logger.info("  write `#{iam_file}`")
 
@@ -114,10 +115,10 @@ begin
     else
       if output_file == '-'
         logger.info('# Export IAM')
-        puts client.export
+        puts client.export.strip
       else
         logger.info("Export IAM to `#{output_file}`")
-        open(output_file, 'wb') {|f| f.puts client.export }
+        open(output_file, 'wb') {|f| f.puts client.export.strip }
       end
     end
   when :apply

data/lib/miam.rb

@@ -15,6 +15,7 @@ require 'miam/driver'
 require 'miam/dsl'
 require 'miam/dsl/context'
 require 'miam/dsl/context/group'
+require 'miam/dsl/context/role'
 require 'miam/dsl/context/user'
 require 'miam/dsl/converter'
 require 'miam/exporter'

data/lib/miam/client.rb

@@ -1,4 +1,6 @@
 class Miam::Client
+  include Miam::Logger::Helper
+
   def initialize(options = {})
     @options = options
     aws_config = options.delete(:aws_config) || {}
@@ -8,15 +10,15 @@ class Miam::Client
   end
 
   def export
-    exported, group_users = Miam::Exporter.export(@iam, @options) do |export_options|
+    exported, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options) do |export_options|
       progress(*export_options.values_at(:progress_total, :progress))
     end
 
     if block_given?
-      [:users, :groups].each do |users_or_groups|
-        splitted = {:users => {}, :groups => {}}
-        splitted[users_or_groups] = exported[users_or_groups]
-        yield(users_or_groups, Miam::DSL.convert(splitted, @options).strip)
+      [:users, :groups, :roles, :instance_profiles].each do |type|
+        splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
+        splitted[type] = exported[type]
+        yield(type, Miam::DSL.convert(splitted, @options).strip)
       end
     else
       Miam::DSL.convert(exported, @options)
@@ -32,12 +34,14 @@ class Miam::Client
   def walk(file)
     expected = load_file(file)
 
-    actual, group_users = Miam::Exporter.export(@iam, @options) do |export_options|
+    actual, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options) do |export_options|
       progress(*export_options.values_at(:progress_total, :progress))
     end
 
     updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users)
     updated = walk_users(expected[:users], actual[:users], group_users) || updated
+    updated = walk_instance_profiles(expected[:instance_profiles], actual[:instance_profiles], actual[:roles], instance_profile_roles) || updated
+    updated = walk_roles(expected[:roles], actual[:roles], instance_profile_roles) || updated
 
     if @options[:dry_run]
       false
@@ -168,6 +172,125 @@ class Miam::Client
     walk_policies(:group, group_name, expected_attrs[:policies], actual_attrs[:policies])
   end
 
+  def walk_roles(expected, actual, instance_profile_roles)
+    updated = false
+
+    expected.each do |role_name, expected_attrs|
+      actual_attrs = actual.delete(role_name)
+
+      if actual_attrs
+        updated = walk_role(role_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_role(role_name, expected_attrs)
+        walk_role(role_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+
+    actual.each do |role_name, attrs|
+      instance_profile_names = []
+
+      instance_profile_roles.each do |instance_profile_name, roles|
+        if roles.include?(role_name)
+          instance_profile_names << instance_profile_name
+        end
+      end
+
+      @driver.delete_role(role_name, instance_profile_names, attrs)
+
+      instance_profile_roles.each do |instance_profile_name, roles|
+        roles.delete(role_name)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_role(role_name, expected_attrs, actual_attrs)
+    if expected_attrs.values_at(:path) != actual_attrs.values_at(:path)
+      log(:warn, "Role `#{role_name}`: 'path' cannot be updated", :color => :yellow)
+    end
+
+    updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document])
+    updated = walk_role_instance_profiles(role_name, expected_attrs[:instance_profiles], actual_attrs[:instance_profiles]) || updated
+    walk_policies(:role, role_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
+  end
+
+  def walk_assume_role_policy(role_name, expected_assume_role_policy, actual_assume_role_policy)
+    updated = false
+
+    if expected_assume_role_policy != actual_assume_role_policy
+      @driver.update_assume_role_policy(role_name, expected_assume_role_policy)
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_role_instance_profiles(role_name, expected_instance_profiles, actual_instance_profiles)
+    expected_instance_profiles = expected_instance_profiles.sort
+    actual_instance_profiles = actual_instance_profiles.sort
+    updated = false
+
+    if expected_instance_profiles != actual_instance_profiles
+      add_instance_profiles = expected_instance_profiles - actual_instance_profiles
+      remove_instance_profiles = actual_instance_profiles - expected_instance_profiles
+
+      unless add_instance_profiles.empty?
+        @driver.add_role_to_instance_profiles(role_name, add_instance_profiles)
+      end
+
+      unless remove_instance_profiles.empty?
+        @driver.remove_role_from_instance_profiles(role_name, remove_instance_profiles)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_instance_profiles(expected, actual, actual_roles, instance_profile_roles)
+    updated = false
+
+    expected.each do |instance_profile_name, expected_attrs|
+      actual_attrs = actual.delete(instance_profile_name)
+
+      if actual_attrs
+        updated = walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs) || updated
+      else
+        actual_attrs = @driver.create_instance_profile(instance_profile_name, expected_attrs)
+        walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs)
+        updated = true
+      end
+    end
+
+    actual.each do |instance_profile_name, attrs|
+      roles_in_instance_profile = instance_profile_roles.delete(instance_profile_name) || []
+      @driver.delete_instance_profile(instance_profile_name, attrs, roles_in_instance_profile)
+
+      actual_roles.each do |role_name, role_attrs|
+        role_attrs[:instance_profiles].delete(instance_profile_name)
+      end
+
+      updated = true
+    end
+
+    updated
+  end
+
+  def walk_instance_profile(instance_profile_name, expected_attrs, actual_attrs)
+    updated = false
+
+    if expected_attrs != actual_attrs
+      log(:warn, "InstanceProfile `#{instance_profile_name}`: 'path' cannot be updated", :color => :yellow)
+    end
+
+    updated
+  end
+
   def scan_rename(type, expected, actual, group_users)
     updated = false
 

data/lib/miam/driver.rb

@@ -151,6 +151,106 @@ class Miam::Driver
     end
   end
 
+  def create_role(role_name, attrs)
+    log(:info, "Create Role `#{role_name}`", :color => :cyan)
+    assume_role_policy_document = attrs.fetch(:assume_role_policy_document)
+
+    unless_dry_run do
+      params = {
+        :role_name => role_name,
+        :assume_role_policy_document => encode_document(assume_role_policy_document),
+      }
+
+      params[:path] = attrs[:path] if attrs[:path]
+      @iam.create_role(params)
+    end
+
+    new_role_attrs = {
+      :instance_profiles => [],
+      :assume_role_policy_document => assume_role_policy_document,
+      :policies => {}
+    }
+
+    new_role_attrs[:path] = attrs[:path] if attrs[:path]
+    new_role_attrs
+  end
+
+  def delete_role(role_name, instance_profile_names, attrs)
+    log(:info, "Delete Role `#{role_name}`", :color => :red)
+
+    unless_dry_run do
+      attrs[:policies].keys.each do |policy_name|
+        @iam.delete_role_policy(:role_name => role_name, :policy_name => policy_name)
+      end
+
+      instance_profile_names.each do |instance_profile_name|
+        @iam.remove_role_from_instance_profile(:instance_profile_name => instance_profile_name, :role_name => role_name)
+      end
+
+      @iam.delete_role(:role_name => role_name)
+    end
+  end
+
+  def add_role_to_instance_profiles(role_name, instance_profile_names)
+    log(:info, "Update Role `#{role_name}`", :color => :green)
+    log(:info, "  add instance_profiles=#{instance_profile_names.join(',')}", :color => :green)
+
+    unless_dry_run do
+      instance_profile_names.each do |instance_profile_name|
+        @iam.add_role_to_instance_profile(:instance_profile_name => instance_profile_name, :role_name => role_name)
+      end
+    end
+  end
+
+  def remove_role_from_instance_profiles(role_name, instance_profile_names)
+    log(:info, "Update Role `#{role_name}`", :color => :green)
+    log(:info, "  remove instance_profiles=#{instance_profile_names.join(',')}", :color => :green)
+
+    unless_dry_run do
+      instance_profile_names.each do |instance_profile_name|
+        @iam.remove_role_from_instance_profile(:instance_profile_name => instance_profile_name, :role_name => role_name)
+      end
+    end
+  end
+
+  def update_assume_role_policy(role_name, policy_document)
+    log(:info, "Update Role `#{role_name}` > AssumeRolePolicy", :color => :green)
+    log(:info, "  #{policy_document.pretty_inspect.gsub("\n", "\n  ").strip}", :color => :green)
+
+    unless_dry_run do
+      @iam.update_assume_role_policy(
+        :role_name => role_name,
+        :policy_document => encode_document(policy_document),
+      )
+    end
+  end
+
+  def create_instance_profile(instance_profile_name, attrs)
+    log(:info, "Create InstanceIrofile `#{instance_profile_name}`", :color => :cyan)
+
+    unless_dry_run do
+      params = {:instance_profile_name => instance_profile_name}
+      params[:path] = attrs[:path] if attrs[:path]
+      @iam.create_instance_profile(params)
+    end
+
+    new_instance_profile_attrs = {}
+    new_instance_profile_attrs[:path] = attrs[:path] if attrs[:path]
+    new_instance_profile_attrs
+  end
+
+  def delete_instance_profile(instance_profile_name, attrs, roles_in_instance_profile)
+    log(:info, "Delete InstanceProfile `#{instance_profile_name}`", :color => :red)
+
+    unless_dry_run do
+      roles_in_instance_profile.each do |role_name|
+        @iam.remove_role_from_instance_profile(:instance_profile_name => instance_profile_name, :role_name => role_name)
+      end
+
+      @iam.delete_instance_profile(:instance_profile_name => instance_profile_name)
+    end
+  end
+
   def update_name(type, user_or_group_name, new_name)
     log(:info, "Update #{Miam::Utils.camelize(type.to_s)} `#{user_or_group_name}`", :color => :green)
     log(:info, "  set name=#{new_name}", :color => :green)

data/lib/miam/dsl/context.rb

@@ -10,7 +10,7 @@ class Miam::DSL::Context
   def initialize(path, options = {}, &block)
     @path = path
     @options = options
-    @result = {:users => {}, :groups => {}}
+    @result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
     instance_eval(&block)
   end
 
@@ -49,4 +49,25 @@ class Miam::DSL::Context
     attrs = Miam::DSL::Context::Group.new(name, &block).result
     @result[:groups][name] = group_options.merge(attrs)
   end
+
+  def role(name, role_options = {}, &block)
+    name = name.to_s
+
+    if @result[:roles][name]
+      raise "Role `#{name}` is already defined"
+    end
+
+    attrs = Miam::DSL::Context::Role.new(name, &block).result
+    @result[:roles][name] = role_options.merge(attrs)
+  end
+
+  def instance_profile(name, instance_profile_options = {}, &block)
+    name = name.to_s
+
+    if @result[:instance_profiles][name]
+      raise "instance_profile `#{name}` is already defined"
+    end
+
+    @result[:instance_profiles][name] = instance_profile_options
+  end
 end

data/lib/miam/dsl/context/group.rb

@@ -1,6 +1,6 @@
 class Miam::DSL::Context::Group
   def initialize(name, &block)
-    @name = name
+    @group_name = name
     @result = {:policies => {}}
     instance_eval(&block)
   end
@@ -13,13 +13,13 @@ class Miam::DSL::Context::Group
     name = name.to_s
 
     if @result[:policies][name]
-      raise "Group `#{name}` > Policy `#{name}`: already defined"
+      raise "Group `#{@group_name}` > Policy `#{name}`: already defined"
     end
 
     policy_document = yield
 
     unless policy_document.kind_of?(Hash)
-      raise "Group `#{name}` > Policy `#{name}`: wrong argument type #{policy_document.class} (expected Hash)"
+      raise "Group `#{@group_name}` > Policy `#{name}`: wrong argument type #{policy_document.class} (expected Hash)"
     end
 
     @result[:policies][name] = policy_document

data/lib/miam/dsl/context/role.rb

@@ -0,0 +1,51 @@
+class Miam::DSL::Context::Role
+  def initialize(name, &block)
+    @role_name = name
+    @result = {:instance_profiles => [], :policies => {}}
+    instance_eval(&block)
+  end
+
+  def result
+    unless @result[:assume_role_policy_document]
+      raise "Role `#{@role_name}`: AssumeRolePolicyDocument is not defined"
+    end
+
+    @result
+  end
+
+  private
+
+  def instance_profiles(*profiles)
+    @result[:instance_profiles].concat(profiles.map {|i| i.to_s })
+  end
+
+  def assume_role_policy_document
+    if @result[:assume_role_policy_document]
+      raise "Role `#{@role_name}` > AssumeRolePolicyDocument: already defined"
+    end
+
+    assume_role_policy_document = yield
+
+    unless assume_role_policy_document.kind_of?(Hash)
+      raise "Role `#{@role_name}` > AssumeRolePolicyDocument: wrong argument type #{policy_document.class} (expected Hash)"
+    end
+
+    @result[:assume_role_policy_document] = assume_role_policy_document
+  end
+
+  def policy(name)
+    name = name.to_s
+
+    if @result[:policies][name]
+      raise "Role `#{@role_name}` > Policy `#{name}`: already defined"
+    end
+
+    policy_document = yield
+
+    unless policy_document.kind_of?(Hash)
+      raise "Role `#{@role_name}` > Policy `#{name}`: wrong argument type #{policy_document.class} (expected Hash)"
+    end
+
+    @result[:policies][name] = policy_document
+  end
+end