RubyGems - miam - Versions diffs - 0.2.1.beta → 0.2.1.beta2 - Mend

miam 0.2.1.beta → 0.2.1.beta2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

checksums.yaml +4 -4
data/.gitignore +1 -0
data/README.md +9 -0
data/bin/miam +33 -8
data/lib/miam/client.rb +88 -7
data/lib/miam/driver.rb +44 -3
data/lib/miam/dsl/context/group.rb +5 -1
data/lib/miam/dsl/context/role.rb +6 -2
data/lib/miam/dsl/context/user.rb +6 -2
data/lib/miam/dsl/converter.rb +17 -0
data/lib/miam/exporter.rb +6 -0
data/lib/miam/version.rb +1 -1
data/miam.gemspec +3 -3
data/spec/miam/attach_detach_policy_spec.rb +382 -0
data/spec/miam/create_spec.rb +5 -0
data/spec/miam/delete_spec.rb +5 -0
data/spec/miam/rename_spec.rb +5 -0
data/spec/miam/update_spec.rb +5 -0
metadata +14 -12

checksums.yaml CHANGED

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 36c61dfa27b8707f131eb351e67812370c895f13
-  data.tar.gz: 032983200bcecaea10c62a3248c421b500a11f1a
+  metadata.gz: 4ae6239d6d5f9f0eef078614f4b493e041027e8c
+  data.tar.gz: 76dbd8857e2d4705823d7f09ca5fc9e611602ddf
 SHA512:
-  metadata.gz: 1ad638d2a6d62919f5f747348201d013489ae232edc156d2b0669b69be526295315759843f573bdcbb49acc9f7eed54d8c8728cbb26b6c8135e96e0c960c95c2
-  data.tar.gz: e735a72122942c6592517a09bb573aa69699f186afb209055257914c6a574ff21258be4b5a7e9f1707764d419b9f5ec0a14d72b013d576a6201ee0324a2f97a8
+  metadata.gz: 55489685bbd41ab9d6945a4e4f088f1af12af92a708ee910a812665c77ac0df7dfdb6ac4ccfa214de39eba8d129e45a82dc9714b40d179da364780d77756cc6b
+  data.tar.gz: ef9a4b34c0e49d1e15f3af8c9dd8b69eae4be274049a9f9d175c343079b2b34a47823ea905d3f706190cf3b7e0bec5a0daceee884be4fcd00cbc841c4b7bb35b

data/.gitignore CHANGED

@@ -16,3 +16,4 @@ test.rb
 IAMfile
 *.iam
 account.csv
+*.json

data/README.md CHANGED

@@ -86,6 +86,10 @@ user "bob", :path => "/developer/" do
         "Effect"=>"Allow",
         "Resource"=>"*"}]}
   end
+  attached_managed_policies(
+    # attached_managed_policy
+  )
 end
 user "mary", :path => "/staff/" do
@@ -114,6 +118,11 @@ user "mary", :path => "/staff/" do
         "Effect"=>"Allow",
         "Resource"=>"*"}]}
   end
+  attached_managed_policies(
+    "arn:aws:iam::aws:policy/AdministratorAccess",
+    "arn:aws:iam::123456789012:policy/my_policy"
+  )
 end
 group "Admin", :path => "/admin/" do

data/bin/miam CHANGED

@@ -13,9 +13,14 @@ file = DEFAULT_FILENAME
 output_file = '-'
 account_output = 'account.csv'
 split = false
+MAGIC_COMMENT = <<-EOS
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+EOS
 options = {
   :dry_run => false,
+  :format  => :ruby,
   :color   => true,
   :debug   => false,
 }
@@ -29,6 +34,7 @@ ARGV.options do |opt|
     region = nil
     profile_name = nil
     credentials_path = nil
+    format_passed = false
     opt.on('-p', '--profile PROFILE_NAME')          {|v| profile_name                 = v                                     }
     opt.on(''  , '--credentials-path PATH')         {|v| credentials_path             = v                                     }
@@ -43,6 +49,7 @@ ARGV.options do |opt|
     opt.on('-o', '--output FILE')                   {|v| output_file                  = v                                     }
     opt.on(''  , '--split')                         {    split                        = true                                  }
     opt.on(''  , '--split-more')                    {    split                        = :more                                 }
+    opt.on('',   '--format=FORMAT', [:ruby, :json]) {|v| format_passed = true; options[:format] = v                           }
     opt.on(''  , '--export-concurrency N', Integer) {|v| options[:export_concurrency] = v                                     }
     opt.on(''  , '--target REGEXP')                 {|v| options[:target]             = Regexp.new(v)                         }
     opt.on(''  , '--no-color')                      {    options[:color]              = false                                 }
@@ -70,6 +77,10 @@ ARGV.options do |opt|
     aws_opts[:region] = region if region
     Aws.config.update(aws_opts)
+    if not format_passed and [file, output_file].any? {|i| i =~ /\.json\z/ }
+      options[:format] = :json
+    end
   rescue => e
     $stderr.puts("[ERROR] #{e.message}")
     exit 1
@@ -97,9 +108,9 @@ begin
       output_file = DEFAULT_FILENAME if output_file == '-'
       requires = []
-      client.export(:split_more => (split == :more)) do |args|
+      client.export(:split_more => (split == :more), :convert => (options[:format] == :ruby)) do |args|
         type, dsl = args.values_at(:type, :dsl)
-        next if dsl.strip.empty?
+        next if dsl.empty?
         type = type.to_s
         dir = File.dirname(output_file)
@@ -117,27 +128,41 @@ begin
           requires << iam_filename
         end
+        if options[:format] == :json
+          iam_file << '.json'
+        end
         logger.info("  write `#{iam_file}`")
         open(iam_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT if options[:format] == :ruby
           f.puts dsl
         end
       end
-      logger.info("  write `#{output_file}`")
+      if options[:format] == :ruby
+        logger.info("  write `#{output_file}`")
-      open(output_file, 'wb') do |f|
-        requires.each do |iam_file|
-          f.puts "require '#{iam_file}'"
+        open(output_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT
+          requires.each do |iam_file|
+            f.puts "require '#{iam_file}'"
+          end
         end
       end
     else
+      exported = client.export(:convert => (options[:format] == :ruby))
       if output_file == '-'
         logger.info('# Export IAM')
-        puts client.export.strip
+        puts exported
       else
         logger.info("Export IAM to `#{output_file}`")
-        open(output_file, 'wb') {|f| f.puts client.export.strip }
+        open(output_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT if options[:format] == :ruby
+          f.puts exported
+        end
       end
     end
   when :apply

data/lib/miam/client.rb CHANGED

@@ -2,7 +2,7 @@ class Miam::Client
   include Miam::Logger::Helper
   def initialize(options = {})
-    @options = options
+    @options = {:format => :ruby}.merge(options)
     aws_config = options.delete(:aws_config) || {}
     @iam = Aws::IAM::Client.new(aws_config)
     @driver = Miam::Driver.new(@iam, options)
@@ -21,15 +21,30 @@ class Miam::Client
             more_splitted = splitted.dup
             more_splitted[type] = {}
             more_splitted[type][name] = attrs
-            yield(:type => type, :name => name, :dsl => Miam::DSL.convert(more_splitted, @options).strip)
+            dsl = exec_by_format(
+              :ruby => proc { Miam::DSL.convert(more_splitted, @options).strip },
+              :json => proc { JSON.pretty_generate(more_splitted) }
+            )
+            yield(:type => type, :name => name, :dsl => dsl)
           end
         else
           splitted[type] = exported[type]
-          yield(:type => type, :dsl => Miam::DSL.convert(splitted, @options).strip)
+          dsl = exec_by_format(
+            :ruby => proc { Miam::DSL.convert(splitted, @options).strip },
+            :json => proc { JSON.pretty_generate(splitted) }
+          )
+          yield(:type => type, :dsl => dsl)
         end
       end
     else
-      Miam::DSL.convert(exported, @options)
+      dsl = exec_by_format(
+        :ruby => proc { Miam::DSL.convert(exported, @options).strip },
+        :json => proc { JSON.pretty_generate(exported) }
+      )
     end
   end
@@ -97,6 +112,7 @@ class Miam::Client
   def walk_user(user_name, expected_attrs, actual_attrs)
     updated = walk_login_profile(user_name, expected_attrs[:login_profile], actual_attrs[:login_profile])
     updated = walk_user_groups(user_name, expected_attrs[:groups], actual_attrs[:groups]) || updated
+    updated = walk_attached_managed_policies(:user, user_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
     walk_policies(:user, user_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
   end
@@ -182,7 +198,8 @@ class Miam::Client
   end
   def walk_group(group_name, expected_attrs, actual_attrs)
-    walk_policies(:group, group_name, expected_attrs[:policies], actual_attrs[:policies])
+    updated = walk_policies(:group, group_name, expected_attrs[:policies], actual_attrs[:policies])
+    walk_attached_managed_policies(:group, group_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
   end
   def walk_roles(expected, actual, instance_profile_roles)
@@ -232,6 +249,7 @@ class Miam::Client
     updated = walk_assume_role_policy(role_name, expected_attrs[:assume_role_policy_document], actual_attrs[:assume_role_policy_document])
     updated = walk_role_instance_profiles(role_name, expected_attrs[:instance_profiles], actual_attrs[:instance_profiles]) || updated
+    updated = walk_attached_managed_policies(:role, role_name, expected_attrs[:attached_managed_policies], actual_attrs[:attached_managed_policies]) || updated
     walk_policies(:role, role_name, expected_attrs[:policies], actual_attrs[:policies]) || updated
   end
@@ -389,13 +407,43 @@ class Miam::Client
     updated
   end
+  def walk_attached_managed_policies(type, name, expected_attached_managed_policies, actual_attached_managed_policies)
+    expected_attached_managed_policies = expected_attached_managed_policies.sort
+    actual_attached_managed_policies = actual_attached_managed_policies.sort
+    updated = false
+    if expected_attached_managed_policies != actual_attached_managed_policies
+      add_attached_managed_policies = expected_attached_managed_policies - actual_attached_managed_policies
+      remove_attached_managed_policies = actual_attached_managed_policies - expected_attached_managed_policies
+      unless add_attached_managed_policies.empty?
+        @driver.attach_policies(type, name, add_attached_managed_policies)
+      end
+      unless remove_attached_managed_policies.empty?
+        @driver.detach_policies(type, name, remove_attached_managed_policies)
+      end
+      updated = true
+    end
+    updated
+  end
   def load_file(file)
     if file.kind_of?(String)
       open(file) do |f|
-        Miam::DSL.parse(f.read, file)
+        exec_by_format(
+          :ruby => proc { Miam::DSL.parse(f.read, file) },
+          :json => proc { load_json(f) }
+        )
       end
     elsif file.respond_to?(:read)
-      Miam::DSL.parse(file.read, file.path)
+      exec_by_format(
+        :ruby => proc { Miam::DSL.parse(file.read, file.path) },
+        :json => proc { load_json(f) }
+      )
     else
       raise TypeError, "can't convert #{file} into File"
     end
@@ -408,4 +456,37 @@ class Miam::Client
       true
     end
   end
+  def exec_by_format(proc_by_format)
+    format_proc = proc_by_format[@options[:format]]
+    raise "Invalid format: #{@options[:format]}" unless format_proc
+    format_proc.call
+  end
+  def load_json(json)
+    json = JSON.load(json)
+    normalized = {}
+    json.each do |top_key, top_value|
+      normalized[top_key.to_sym] = top_attrs = {}
+      top_value.each do |second_key, second_value|
+        top_attrs[second_key] = second_attrs = {}
+        second_value.each do |third_key, third_value|
+          third_key = third_key.to_sym
+          if third_key == :login_profile
+            new_third_value = {}
+            third_value.each {|k, v| new_third_value[k.to_sym] = v }
+            third_value = new_third_value
+          end
+          second_attrs[third_key] = third_value
+        end
+      end
+    end
+    normalized
+  end
 end

data/lib/miam/driver.rb CHANGED

@@ -17,7 +17,7 @@ class Miam::Driver
       @iam.create_user(params)
     end
-    new_user_attrs = {:groups => [], :policies => {}}
+    new_user_attrs = {:groups => [], :policies => {}, :attached_managed_policies => []}
     new_user_attrs[:path] = attrs[:path] if attrs[:path]
     new_user_attrs
   end
@@ -54,6 +54,10 @@ class Miam::Driver
         @iam.remove_user_from_group(:group_name => group_name, :user_name => user_name)
       end
+      attrs[:attached_managed_policies].each do |policy_arn|
+        @iam.detach_user_policy(:user_name => user_name, :policy_arn => policy_arn)
+      end
       list_access_key_ids(user_name).each do |access_key_id|
         @iam.delete_access_key(:user_name => user_name, :access_key_id => access_key_id)
       end
@@ -130,7 +134,7 @@ class Miam::Driver
       @iam.create_group(params)
     end
-    new_group_attrs = {:policies => {}}
+    new_group_attrs = {:policies => {}, :attached_managed_policies => []}
     new_group_attrs[:path] = attrs[:path] if attrs[:path]
     new_group_attrs
   end
@@ -147,6 +151,10 @@ class Miam::Driver
         @iam.remove_user_from_group(:group_name => group_name, :user_name => user_name)
       end
+      attrs[:attached_managed_policies].each do |policy_arn|
+        @iam.detach_group_policy(:group_name => group_name, :policy_arn => policy_arn)
+      end
       @iam.delete_group(:group_name => group_name)
     end
   end
@@ -168,7 +176,8 @@ class Miam::Driver
     new_role_attrs = {
       :instance_profiles => [],
       :assume_role_policy_document => assume_role_policy_document,
-      :policies => {}
+      :policies => {},
+      :attached_managed_policies => [],
     }
     new_role_attrs[:path] = attrs[:path] if attrs[:path]
@@ -187,6 +196,10 @@ class Miam::Driver
         @iam.remove_role_from_instance_profile(:instance_profile_name => instance_profile_name, :role_name => role_name)
       end
+      attrs[:attached_managed_policies].each do |policy_arn|
+        @iam.detach_role_policy(:role_name => role_name, :policy_arn => policy_arn)
+      end
       @iam.delete_role(:role_name => role_name)
     end
   end
@@ -305,6 +318,34 @@ class Miam::Driver
     end
   end
+  def attach_policies(type, name, policies)
+    type = type.to_s
+    type_s = type.slice(0, 1).upcase + type.slice(1..-1)
+    log(:info, "Update #{type_s} `#{name}`", :color => :green)
+    log(:info, "  attach policies=#{policies.join(',')}", :color => :green)
+    unless_dry_run do
+      policies.each do |arn|
+        @iam.send("attach_#{type}_policy", :"#{type}_name" => name, :policy_arn => arn)
+      end
+    end
+  end
+  def detach_policies(type, name, policies)
+    type = type.to_s
+    type_s = type.slice(0, 1).upcase + type.slice(1..-1)
+    log(:info, "Update #{type_s} `#{name}`", :color => :green)
+    log(:info, "  detach policies=#{policies.join(',')}", :color => :green)
+    unless_dry_run do
+      policies.each do |arn|
+        @iam.send("detach_#{type}_policy", :"#{type}_name" => name, :policy_arn => arn)
+      end
+    end
+  end
   def list_access_key_ids(user_name)
     @iam.list_access_keys(:user_name => user_name).map {|resp|
       resp.access_key_metadata.map do |metadata|

data/lib/miam/dsl/context/group.rb CHANGED

@@ -1,7 +1,7 @@
 class Miam::DSL::Context::Group
   def initialize(name, &block)
     @group_name = name
-    @result = {:policies => {}}
+    @result = {:policies => {}, :attached_managed_policies => []}
     instance_eval(&block)
   end
@@ -24,4 +24,8 @@ class Miam::DSL::Context::Group
     @result[:policies][name] = policy_document
   end
+  def attached_managed_policies(*policies)
+    @result[:attached_managed_policies].concat(policies.map(&:to_s))
+  end
 end

data/lib/miam/dsl/context/role.rb CHANGED

@@ -1,7 +1,7 @@
 class Miam::DSL::Context::Role
   def initialize(name, &block)
     @role_name = name
-    @result = {:instance_profiles => [], :policies => {}}
+    @result = {:instance_profiles => [], :policies => {}, :attached_managed_policies => []}
     instance_eval(&block)
   end
@@ -16,7 +16,7 @@ class Miam::DSL::Context::Role
   private
   def instance_profiles(*profiles)
-    @result[:instance_profiles].concat(profiles.map {|i| i.to_s })
+    @result[:instance_profiles].concat(profiles.map(&:to_s))
   end
   def assume_role_policy_document
@@ -48,4 +48,8 @@ class Miam::DSL::Context::Role
     @result[:policies][name] = policy_document
   end
+  def attached_managed_policies(*policies)
+    @result[:attached_managed_policies].concat(policies.map(&:to_s))
+  end
 end

data/lib/miam/dsl/context/user.rb CHANGED

@@ -1,7 +1,7 @@
 class Miam::DSL::Context::User
   def initialize(name, &block)
     @user_name = name
-    @result = {:groups => [], :policies => {}}
+    @result = {:groups => [], :policies => {}, :attached_managed_policies => []}
     instance_eval(&block)
   end
@@ -14,7 +14,7 @@ class Miam::DSL::Context::User
   end
   def groups(*grps)
-    @result[:groups].concat(grps.map {|i| i.to_s })
+    @result[:groups].concat(grps.map(&:to_s))
   end
   def policy(name)
@@ -32,4 +32,8 @@ class Miam::DSL::Context::User
     @result[:policies][name] = policy_document
   end
+  def attached_managed_policies(*policies)
+    @result[:attached_managed_policies].concat(policies.map(&:to_s))
+  end
 end

data/lib/miam/dsl/converter.rb CHANGED

@@ -36,6 +36,8 @@ user #{user_name.inspect}, #{Miam::Utils.unbrace(user_options.inspect)} do
   #{output_user_groups(attrs[:groups])}
   #{output_policies(attrs[:policies])}
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
 end
     EOS
   end
@@ -72,6 +74,8 @@ end
     <<-EOS
 group #{group_name.inspect}, #{Miam::Utils.unbrace(group_options.inspect)} do
   #{output_policies(attrs[:policies])}
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
 end
     EOS
   end
@@ -93,6 +97,8 @@ role #{role_name.inspect}, #{Miam::Utils.unbrace(role_options.inspect)} do
   #{output_assume_role_policy_document(attrs[:assume_role_policy_document])}
   #{output_policies(attrs[:policies])}
+  #{output_attached_managed_policies(attrs[:attached_managed_policies])}
 end
     EOS
   end
@@ -155,6 +161,17 @@ instance_profile #{instance_profile_name.inspect}, #{Miam::Utils.unbrace(instanc
     EOS
   end
+  def output_attached_managed_policies(attached_managed_policies)
+    if attached_managed_policies.empty?
+      attached_managed_policies = ['# attached_managed_policy']
+    else
+      attached_managed_policies = attached_managed_policies.map {|i| i.inspect }
+    end
+    attached_managed_policies = "\n    " + attached_managed_policies.join(",\n    ") + "\n  "
+    "attached_managed_policies(#{attached_managed_policies})"
+  end
   def target_matched?(name)
     if @options[:target]
       name =~ @options[:target]

data/lib/miam/exporter.rb CHANGED

@@ -52,6 +52,7 @@ class Miam::Exporter
       groups = user.group_list
       policies = export_user_policies(user)
       login_profile = export_login_profile(user_name)
+      attached_managed_policies = user.attached_managed_policies.map(&:policy_arn)
       @mutex.synchronize do
         groups.each do |group_name|
@@ -63,6 +64,7 @@ class Miam::Exporter
           :path => user.path,
           :groups => groups,
           :policies => policies,
+          :attached_managed_policies => attached_managed_policies
         }
         if login_profile
@@ -102,11 +104,13 @@ class Miam::Exporter
     Parallel.each(groups, :in_threads => @concurrency) do |group|
       group_name = group.group_name
       policies = export_group_policies(group)
+      attached_managed_policies = group.attached_managed_policies.map(&:policy_arn)
       @mutex.synchronize do
         result[group_name] = {
           :path => group.path,
           :policies => policies,
+          :attached_managed_policies => attached_managed_policies,
         }
         progress
@@ -134,6 +138,7 @@ class Miam::Exporter
       role_name = role.role_name
       instance_profiles = role.instance_profile_list.map {|i| i.instance_profile_name }
       policies = export_role_policies(role)
+      attached_managed_policies = role.attached_managed_policies.map(&:policy_arn)
       @mutex.synchronize do
         instance_profiles.each do |instance_profile_name|
@@ -148,6 +153,7 @@ class Miam::Exporter
           :assume_role_policy_document => JSON.parse(document),
           :instance_profiles => instance_profiles,
           :policies => policies,
+          :attached_managed_policies => attached_managed_policies,
         }
         progress

data/lib/miam/version.rb CHANGED

@@ -1,3 +1,3 @@
 module Miam
-  VERSION = '0.2.1.beta'
+  VERSION = '0.2.1.beta2'
 end

data/miam.gemspec CHANGED

@@ -20,12 +20,12 @@ Gem::Specification.new do |spec|
   spec.test_files    = spec.files.grep(%r{^(test|spec|features)/})
   spec.require_paths = ['lib']
-  spec.add_dependency 'aws-sdk-core', '~> 2.0.22'
+  spec.add_dependency 'aws-sdk-core', '~> 2.0.42'
   spec.add_dependency 'ruby-progressbar'
   spec.add_dependency 'parallel'
   spec.add_dependency 'term-ansicolor'
-  spec.add_development_dependency 'bundler', '~> 1.7'
-  spec.add_development_dependency 'rake', '~> 10.0'
+  spec.add_development_dependency 'bundler'
+  spec.add_development_dependency 'rake'
   spec.add_development_dependency 'rspec', '>= 3.0.0'
   spec.add_development_dependency 'rspec-instafail'
   spec.add_development_dependency 'coveralls'

data/spec/miam/attach_detach_policy_spec.rb ADDED

@@ -0,0 +1,382 @@
+describe 'attach/detach policy' do
+  let(:dsl) do
+    <<-RUBY
+      user "bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+        groups(
+          "Admin",
+          "SES"
+        )
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      group "Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+        attached_managed_policies(
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+        )
+      end
+      instance_profile "my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+  let(:expected) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :login_profile=>{:password_reset_required=>true}},
+       "mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>
+      {"Admin"=>
+        {:path=>"/admin/",
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"Admin"=>
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+       "SES"=>
+        {:path=>"/ses/",
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"ses-policy"=>
+            {"Statement"=>
+              [{"Effect"=>"Allow",
+                "Action"=>"ses:SendRawEmail",
+                "Resource"=>"*"}]}}}},
+     :roles=>
+      {"my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
+  end
+  before(:each) do
+    apply { dsl }
+  end
+  context 'when no change' do
+    subject { client }
+    it do
+      updated = apply(subject) { dsl }
+      expect(updated).to be_falsey
+      expect(export).to eq expected
+    end
+  end
+  context 'when attach policy' do
+    let(:update_policy_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin",
+            "SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+            "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+          )
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["mary"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expected[:groups]["SES"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expected[:roles]["my-role"][:attached_managed_policies] << "arn:aws:iam::aws:policy/AmazonRDSReadOnlyAccess"
+      expect(export).to eq expected
+    end
+  end
+  context 'when detach policy' do
+    let(:update_policy_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "Admin",
+            "SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+          )
+        end
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+            "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+          )
+        end
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+          )
+        end
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+          attached_managed_policies(
+          )
+        end
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["mary"][:attached_managed_policies].clear
+      expected[:groups]["SES"][:attached_managed_policies].clear
+      expected[:roles]["my-role"][:attached_managed_policies].clear
+      expect(export).to eq expected
+    end
+  end
+end

data/spec/miam/create_spec.rb CHANGED

@@ -93,6 +93,7 @@ describe 'create' do
             {"bob"=>
               {:path=>"/devloper/",
                :groups=>["Admin", "SES"],
+               :attached_managed_policies=>[],
                :policies=>
                 {"S3"=>
                   {"Statement"=>
@@ -103,6 +104,7 @@ describe 'create' do
              "mary"=>
               {:path=>"/staff/",
                :groups=>[],
+               :attached_managed_policies=>[],
                :policies=>
                 {"S3"=>
                   {"Statement"=>
@@ -112,11 +114,13 @@ describe 'create' do
            :groups=>
             {"Admin"=>
               {:path=>"/admin/",
+               :attached_managed_policies=>[],
                :policies=>
                 {"Admin"=>
                   {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
              "SES"=>
               {:path=>"/ses/",
+               :attached_managed_policies=>[],
                :policies=>
                 {"ses-policy"=>
                   {"Statement"=>
@@ -134,6 +138,7 @@ describe 'create' do
                     "Principal"=>{"Service"=>"ec2.amazonaws.com"},
                     "Action"=>"sts:AssumeRole"}]},
                :instance_profiles=>["my-instance-profile"],
+               :attached_managed_policies=>[],
                :policies=>
                 {"role-policy"=>
                   {"Statement"=>

data/spec/miam/delete_spec.rb CHANGED

@@ -76,6 +76,7 @@ describe 'delete' do
       {"bob"=>
         {:path=>"/devloper/",
          :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -86,6 +87,7 @@ describe 'delete' do
        "mary"=>
         {:path=>"/staff/",
          :groups=>[],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -95,11 +97,13 @@ describe 'delete' do
      :groups=>
       {"Admin"=>
         {:path=>"/admin/",
+         :attached_managed_policies=>[],
          :policies=>
           {"Admin"=>
             {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
        "SES"=>
         {:path=>"/ses/",
+         :attached_managed_policies=>[],
          :policies=>
           {"ses-policy"=>
             {"Statement"=>
@@ -117,6 +121,7 @@ describe 'delete' do
               "Principal"=>{"Service"=>"ec2.amazonaws.com"},
               "Action"=>"sts:AssumeRole"}]},
          :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[],
          :policies=>
           {"role-policy"=>
             {"Statement"=>

data/spec/miam/rename_spec.rb CHANGED

@@ -76,6 +76,7 @@ describe 'update' do
       {"bob"=>
         {:path=>"/devloper/",
          :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -86,6 +87,7 @@ describe 'update' do
        "mary"=>
         {:path=>"/staff/",
          :groups=>[],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -95,11 +97,13 @@ describe 'update' do
      :groups=>
       {"Admin"=>
         {:path=>"/admin/",
+          :attached_managed_policies=>[],
          :policies=>
           {"Admin"=>
             {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
        "SES"=>
         {:path=>"/ses/",
+          :attached_managed_policies=>[],
          :policies=>
           {"ses-policy"=>
             {"Statement"=>
@@ -117,6 +121,7 @@ describe 'update' do
               "Principal"=>{"Service"=>"ec2.amazonaws.com"},
               "Action"=>"sts:AssumeRole"}]},
          :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[],
          :policies=>
           {"role-policy"=>
             {"Statement"=>

data/spec/miam/update_spec.rb CHANGED

@@ -76,6 +76,7 @@ describe 'update' do
       {"bob"=>
         {:path=>"/devloper/",
          :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -86,6 +87,7 @@ describe 'update' do
        "mary"=>
         {:path=>"/staff/",
          :groups=>[],
+         :attached_managed_policies=>[],
          :policies=>
           {"S3"=>
             {"Statement"=>
@@ -95,11 +97,13 @@ describe 'update' do
      :groups=>
       {"Admin"=>
         {:path=>"/admin/",
+          :attached_managed_policies=>[],
          :policies=>
           {"Admin"=>
             {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
        "SES"=>
         {:path=>"/ses/",
+          :attached_managed_policies=>[],
          :policies=>
           {"ses-policy"=>
             {"Statement"=>
@@ -117,6 +121,7 @@ describe 'update' do
               "Principal"=>{"Service"=>"ec2.amazonaws.com"},
               "Action"=>"sts:AssumeRole"}]},
          :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[],
          :policies=>
           {"role-policy"=>
             {"Statement"=>

metadata CHANGED

@@ -1,14 +1,14 @@
 --- !ruby/object:Gem::Specification
 name: miam
 version: !ruby/object:Gem::Version
-  version: 0.2.1.beta
+  version: 0.2.1.beta2
 platform: ruby
 authors:
 - Genki Sugawara
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2015-03-16 00:00:00.000000000 Z
+date: 2015-05-10 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
@@ -16,14 +16,14 @@ dependencies:
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.22
+        version: 2.0.42
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
     - - ~>
       - !ruby/object:Gem::Version
-        version: 2.0.22
+        version: 2.0.42
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
@@ -70,30 +70,30 @@ dependencies:
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '1.7'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - ~>
+    - - '>='
       - !ruby/object:Gem::Version
-        version: '10.0'
+        version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
@@ -169,6 +169,7 @@ files:
 - lib/miam/utils.rb
 - lib/miam/version.rb
 - miam.gemspec
+- spec/miam/attach_detach_policy_spec.rb
 - spec/miam/create_spec.rb
 - spec/miam/delete_spec.rb
 - spec/miam/rename_spec.rb
@@ -199,6 +200,7 @@ signing_key:
 specification_version: 4
 summary: Miam is a tool to manage IAM.
 test_files:
+- spec/miam/attach_detach_policy_spec.rb
 - spec/miam/create_spec.rb
 - spec/miam/delete_spec.rb
 - spec/miam/rename_spec.rb