miam 0.2.2 → 0.2.3.beta

checksums.yaml

@@ -1,7 +1,7 @@
 ---
 SHA1:
-  metadata.gz: 4e6e4cd6557f662ae0a5a816cbb3a5ef02fcaa3b
-  data.tar.gz: 9a388df856d85cad7be0d8f64755cc9bfedbc1f9
+  metadata.gz: 041db7d696b371ba9e100126f05d5855c1d06156
+  data.tar.gz: 17757d1a0efd25ea076d4a76fd331db0dad5a74e
 SHA512:
-  metadata.gz: f76fb2d4fb69bfef858ad518ae5c55ac09ad2e63d171a51914bc98f72c2299273107f23838aafaf73b6b407e31c22b39c6354ca6bb7f60bc027fcd4a93c8700b
-  data.tar.gz: 6d3036df28b30f7537f824c7748b52e395b526ae7ba534aa388ed030411cb5932b50d21c993b70289dfc904b948fa05ec093b86d16d2a33d753ac3c75e3a71fe
+  metadata.gz: 61aed42e0653a7fb07a4cb1989bd23e077cf1df962110ad1d359b8bce09b9ede67cb1e5fc138e88eb6ba172a00d33cc2c2d598c2cbdf303db4aa455e2fd91d2c
+  data.tar.gz: c1e196039250f21678f48be94c704cd896b259c20449a1753a715fde5418ffbb62b25c05fa3e4a2c85c199dbe2013d236b763b8ffb1fe7f6f98cbbf8dbeddde3

data/lib/miam.rb

@@ -22,6 +22,7 @@ require 'miam/driver'
 require 'miam/dsl'
 require 'miam/dsl/context'
 require 'miam/dsl/context/group'
+require 'miam/dsl/context/managed_policy'
 require 'miam/dsl/context/role'
 require 'miam/dsl/context/user'
 require 'miam/dsl/converter'

data/lib/miam/client.rb

@@ -13,8 +13,8 @@ class Miam::Client
     exported, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options)
 
     if block_given?
-      [:users, :groups, :roles, :instance_profiles].each do |type|
-        splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
+      [:users, :groups, :roles, :instance_profiles, :policies].each do |type|
+        splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}}
 
         if export_options[:split_more]
           exported[type].sort_by {|k, v| k }.each do |name, attrs|
@@ -58,10 +58,12 @@ class Miam::Client
     expected = load_file(file)
 
     actual, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options)
-    updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users)
+    updated = pre_walk_managed_policies(expected[:policies], actual[:policies])
+    updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users) || updated
     updated = walk_users(expected[:users], actual[:users], group_users) || updated
     updated = walk_instance_profiles(expected[:instance_profiles], actual[:instance_profiles], actual[:roles], instance_profile_roles) || updated
     updated = walk_roles(expected[:roles], actual[:roles], instance_profile_roles) || updated
+    updated = post_walk_managed_policies(actual[:policies]) || updated
 
     if @options[:dry_run]
       false
@@ -438,6 +440,50 @@ class Miam::Client
     updated
   end
 
+  def pre_walk_managed_policies(expected, actual)
+    updated = false
+
+    expected.each do |policy_name, expected_attrs|
+      actual_attrs = actual.delete(policy_name)
+
+      if actual_attrs
+        if expected_attrs[:path] != actual_attrs[:path]
+          log(:warn, "ManagedPolicy `#{policy_name}`: 'path' cannot be updated", :color => :yellow)
+        end
+
+        updated = walk_managed_policy(policy_name, expected_attrs[:document], actual_attrs[:document]) || updated
+      else
+        @driver.create_managed_policy(policy_name, expected_attrs)
+        updated = true
+      end
+    end
+
+    updated
+  end
+
+  def walk_managed_policy(policy_name, expected_document, actual_document)
+    updated = false
+    expected_document.sort_array!
+    actual_document.sort_array!
+
+    if expected_document != actual_document
+      @driver.update_managed_policy(policy_name, expected_document, actual_document)
+      updated = true
+    end
+
+    updated
+  end
+
+  def post_walk_managed_policies(actual)
+    updated = false
+
+    actual.each do |policy_name, actual_attrs|
+      @driver.delete_managed_policy(policy_name)
+      updated = true
+    end
+
+    updated
+  end
 
   def load_file(file)
     if file.kind_of?(String)
@@ -495,7 +541,6 @@ class Miam::Client
       end
     end
 
-
     normalized
   end
 end

data/lib/miam/driver.rb

@@ -2,6 +2,7 @@ class Miam::Driver
   include Miam::Logger::Helper
 
   MAX_POLICY_SIZE = 2048
+  MAX_POLICY_VERSIONS = 5
 
   def initialize(iam, options = {})
     @iam = iam
@@ -362,6 +363,73 @@ class Miam::Driver
     }.flatten
   end
 
+  def create_managed_policy(policy_name, attrs)
+    log(:info, "Create ManagedPolicy `#{policy_name}`", :color => :cyan)
+
+    unless_dry_run do
+      params = {
+        :policy_name => policy_name,
+        :path => attrs[:path],
+        :policy_document => encode_document(attrs[:document]),
+      }
+
+      @iam.create_policy(params)
+    end
+  end
+
+  def delete_managed_policy(policy_name)
+    log(:info, "Delete ManagedPolicy `#{policy_name}`", :color => :red)
+
+    unless_dry_run do
+      policy_versions = @iam.list_policy_versions(
+        :policy_arn => policy_arn(policy_name),
+        :max_items => MAX_POLICY_VERSIONS
+      )
+
+      policy_versions.versions.reject {|pv|
+        pv.is_default_version
+      }.each {|pv|
+        @iam.delete_policy_version(
+          :policy_arn => policy_arn(policy_name),
+          :version_id => pv.version_id
+        )
+      }
+
+      @iam.delete_policy(
+        :policy_arn => policy_arn(policy_name)
+      )
+    end
+  end
+
+  def update_managed_policy(policy_name, policy_document, old_policy_document)
+    log(:info, "Update ManagedPolicy `#{policy_name}`", :color => :green)
+    log(:info, Miam::Utils.diff(old_policy_document, policy_document, :color => @options[:color]), :color => false)
+
+    unless_dry_run do
+      policy_versions = @iam.list_policy_versions(
+        :policy_arn => policy_arn(policy_name),
+        :max_items => MAX_POLICY_VERSIONS
+      )
+
+      if policy_versions.versions.length >= MAX_POLICY_VERSIONS
+        delete_policy_version = policy_versions.versions.reject {|pv|
+          pv.is_default_version
+        }.sort_by {|pv| pv.version_id[1..-1].to_i }.first
+
+        @iam.delete_policy_version(
+          :policy_arn => policy_arn(policy_name),
+          :version_id => delete_policy_version.version_id
+        )
+      end
+
+      @iam.create_policy_version(
+        :policy_arn => policy_arn(policy_name),
+        :policy_document => encode_document(policy_document),
+        set_as_default: true
+      )
+    end
+  end
+
   private
 
   def encode_document(policy_document)
@@ -386,4 +454,12 @@ class Miam::Driver
   def unless_dry_run
     yield unless @options[:dry_run]
   end
+
+  def user_id
+    @user_id ||= @iam.get_user.user.user_id
+  end
+
+  def policy_arn(policy_name)
+    "arn:aws:iam::#{user_id}:policy/#{policy_name}"
+  end
 end

data/lib/miam/dsl/context.rb

@@ -12,7 +12,7 @@ class Miam::DSL::Context
   def initialize(path, options = {}, &block)
     @path = path
     @options = options
-    @result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
+    @result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}}
 
     @context = Hashie::Mash.new(
       :path => path,
@@ -83,4 +83,15 @@ class Miam::DSL::Context
 
     @result[:instance_profiles][name] = instance_profile_options
   end
+
+  def managed_policy(name, policy_options = {}, &block)
+    name = name.to_s
+
+    if @result[:policies][name]
+      raise "ManagedPolicy `#{name}` is already defined"
+    end
+
+    attrs = Miam::DSL::Context::ManagedPolicy.new(@context, name, &block).result
+    @result[:policies][name] = policy_options.merge(attrs)
+  end
 end

data/lib/miam/dsl/context/managed_policy.rb

@@ -0,0 +1,23 @@
+class Miam::DSL::Context::ManagedPolicy
+  include Miam::TemplateHelper
+
+  def initialize(context, name, &block)
+    @policy_name = name
+    @context = context.merge(:policy_name => name)
+    @result = {:document => get_document(block)}
+  end
+
+  attr_reader :result
+
+  private
+
+  def get_document(block)
+    document = instance_eval(&block)
+
+    unless document.kind_of?(Hash)
+      raise "ManagedPolicy `#{@policy_name}`: wrong argument type #{document.class} (expected Hash)"
+    end
+
+    document
+  end
+end

data/lib/miam/dsl/converter.rb

@@ -14,6 +14,7 @@ class Miam::DSL::Converter
       output_groups(@exported[:groups]),
       output_roles(@exported[:roles]),
       output_instance_profiles(@exported[:instance_profiles]),
+      output_managed_policies(@exported[:policies]),
     ].join("\n")
   end
 
@@ -172,6 +173,25 @@ instance_profile #{instance_profile_name.inspect}, #{Miam::Utils.unbrace(instanc
     "attached_managed_policies(#{attached_managed_policies})"
   end
 
+  def output_managed_policies(policies)
+    policies.each.sort_by {|k, v| k }.map {|policy_name, attrs|
+      next unless target_matched?(policy_name)
+      output_managed_policy(policy_name, attrs)
+    }.select {|i| i }.join("\n")
+  end
+
+  def output_managed_policy(policy_name, attrs)
+    policy_options = {:path => attrs[:path]}
+    policy_document = attrs[:document].pretty_inspect
+    policy_document.gsub!("\n", "\n    ").strip!
+
+    <<-EOS
+managed_policy #{policy_name.inspect}, #{Miam::Utils.unbrace(policy_options.inspect)} do
+  #{policy_document}
+end
+    EOS
+  end
+
   def target_matched?(name)
     if @options[:target]
       name =~ @options[:target]

data/lib/miam/exporter.rb

@@ -1,5 +1,7 @@
 # coding: utf-8
 class Miam::Exporter
+  AWS_MANAGED_POLICY_PREFIX = 'arn:aws:iam::aws:'
+
   def self.export(iam, options = {})
     self.new(iam, options).export
   end
@@ -17,6 +19,7 @@ class Miam::Exporter
     users = account_authorization_details[:user_detail_list]
     groups = account_authorization_details[:group_detail_list]
     roles = account_authorization_details[:role_detail_list]
+    policies = account_authorization_details[:policies]
     instance_profiles = list_instance_profiles
     group_users = {}
     instance_profile_roles = {}
@@ -37,6 +40,7 @@ class Miam::Exporter
       :groups => export_groups(groups),
       :roles => export_roles(roles, instance_profile_roles),
       :instance_profiles => export_instance_profiles(instance_profiles),
+      :policies => export_policies(policies),
     }
 
     [expected, group_users, instance_profile_roles]
@@ -192,6 +196,45 @@ class Miam::Exporter
     result
   end
 
+  def export_policies(policies)
+    result = {}
+
+    Parallel.each(policies, :in_threads => @concurrency) do |policy|
+      if policy.arn.start_with?(AWS_MANAGED_POLICY_PREFIX)
+        next
+      end
+
+      policy_name = policy.policy_name
+      document = export_policy_document(policy)
+
+      result[policy_name] = {
+        :path => policy.path,
+        :document => document,
+      }
+    end
+
+    result
+  end
+
+  def export_policy_document(policy)
+    policy_version = nil
+
+    policy_version_list = policy.policy_version_list.sort_by do |pv|
+      pv.version_id[1..-1].to_i
+    end
+
+    policy_version_list.each do |pv|
+      policy_version = pv
+
+      if pv.is_default_version
+        break
+      end
+    end
+
+    document = CGI.unescape(policy_version.document)
+    JSON.parse(document)
+  end
+
   def list_instance_profiles
     @iam.list_instance_profiles.map {|resp|
       resp.instance_profiles.to_a
@@ -209,6 +252,7 @@ class Miam::Exporter
       :user_detail_list,
       :group_detail_list,
       :role_detail_list,
+      :policies,
     ]
 
     keys.each do |key|

data/lib/miam/version.rb

@@ -1,3 +1,3 @@
 module Miam
-  VERSION = '0.2.2'
+  VERSION = '0.2.3.beta'
 end

data/spec/miam/attach_detach_policy_spec.rb

@@ -134,6 +134,7 @@ describe 'attach/detach policy' do
               [{"Effect"=>"Allow",
                 "Action"=>"ses:SendRawEmail",
                 "Resource"=>"*"}]}}}},
+     :policies=>{},
      :roles=>
       {"my-role"=>
         {:path=>"/any/",

data/spec/miam/create_spec.rb

@@ -5,7 +5,7 @@ describe 'create' do
     it do
       updated = apply(subject) { '' }
       expect(updated).to be_falsey
-      expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
+      expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
     end
   end
 
@@ -124,6 +124,7 @@ describe 'create' do
                   [{"Effect"=>"Allow",
                     "Action"=>"ses:SendRawEmail",
                     "Resource"=>"*"}]}}}},
+         :policies => {},
          :roles=>
           {"my-role"=>
             {:path=>"/any/",
@@ -259,7 +260,7 @@ describe 'create' do
       it do
         updated = apply(subject) { dsl }
         expect(updated).to be_falsey
-        expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
+        expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
       end
     end
   end

data/spec/miam/custom_managed_policy_spec.rb

@@ -0,0 +1,222 @@
+describe 'custom managed policy' do
+  let(:dsl) do
+    <<-RUBY
+      managed_policy "my-policy", :path=>"/" do
+        {"Version"=>"2012-10-17",
+         "Statement"=>
+          [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
+      end
+
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+
+        attached_managed_policies(
+          "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
+        )
+      end
+    RUBY
+  end
+
+  let(:expected) do
+    {:users=>
+      {"mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[
+          "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>{},
+     :instance_profiles=>{},
+     :policies=>
+      {"my-policy"=>
+        {:path=>"/",
+         :document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Effect"=>"Allow",
+              "Action"=>"directconnect:Describe*",
+              "Resource"=>"*"}]}}},
+     :roles=>{}}
+  end
+
+  before(:each) do
+    apply { dsl }
+  end
+
+  context 'when no change' do
+    subject { client }
+
+    it do
+      updated = apply(subject) { dsl }
+      expect(updated).to be_falsey
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when create and attach' do
+    subject { client }
+
+    it do
+      updated = apply(subject) {
+        <<-RUBY
+          managed_policy "my-policy", :path=>"/" do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
+          end
+
+          managed_policy "my-policy2", :path=>"/" do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
+          end
+
+          user "mary", :path=>"/staff/" do
+            policy "S3" do
+              {"Statement"=>
+                [{"Action"=>
+                   ["s3:Get*",
+                    "s3:List*"],
+                  "Effect"=>"Allow",
+                  "Resource"=>"*"}]}
+            end
+
+            attached_managed_policies(
+              "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy",
+              "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
+            )
+          end
+        RUBY
+      }
+
+      expect(updated).to be_truthy
+      expected[:policies]["my-policy2"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}
+      expected[:users]["mary"][:attached_managed_policies] << "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
+      expected[:users]["mary"][:attached_managed_policies].sort!
+      actual = export
+      actual[:users]["mary"][:attached_managed_policies].sort!
+      expect(actual).to eq expected
+    end
+  end
+
+  context 'when create and delete' do
+    subject { client }
+
+    it do
+      updated = apply(subject) {
+        <<-RUBY
+          managed_policy "my-policy2", :path=>"/" do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
+          end
+
+          user "mary", :path=>"/staff/" do
+            policy "S3" do
+              {"Statement"=>
+                [{"Action"=>
+                   ["s3:Get*",
+                    "s3:List*"],
+                  "Effect"=>"Allow",
+                  "Resource"=>"*"}]}
+            end
+
+            attached_managed_policies(
+              "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
+            )
+          end
+        RUBY
+      }
+
+      expect(updated).to be_truthy
+      expected[:policies] = {"my-policy2" => {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}}
+      expected[:users]["mary"][:attached_managed_policies] = ["arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"]
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when update' do
+    subject { client }
+
+    it do
+      updated = apply(subject) {
+        <<-RUBY
+          managed_policy "my-policy", :path=>"/" do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
+          end
+
+          user "mary", :path=>"/staff/" do
+            policy "S3" do
+              {"Statement"=>
+                [{"Action"=>
+                   ["s3:Get*",
+                    "s3:List*"],
+                  "Effect"=>"Allow",
+                  "Resource"=>"*"}]}
+            end
+
+            attached_managed_policies(
+              "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
+            )
+          end
+        RUBY
+      }
+
+      expect(updated).to be_truthy
+      expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when update 7 times' do
+    subject { client }
+
+    it do
+      4.times do
+        apply(subject) { dsl }
+
+        apply(subject) {
+          <<-RUBY
+            managed_policy "my-policy", :path=>"/" do
+              {"Version"=>"2012-10-17",
+               "Statement"=>
+                [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
+            end
+
+            user "mary", :path=>"/staff/" do
+              policy "S3" do
+                {"Statement"=>
+                  [{"Action"=>
+                     ["s3:Get*",
+                      "s3:List*"],
+                    "Effect"=>"Allow",
+                    "Resource"=>"*"}]}
+              end
+
+              attached_managed_policies(
+                "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
+              )
+            end
+          RUBY
+        }
+      end
+
+      expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
+      expect(export).to eq expected
+    end
+  end
+end

data/spec/miam/delete_spec.rb

@@ -110,6 +110,7 @@ describe 'delete' do
               [{"Effect"=>"Allow",
                 "Action"=>"ses:SendRawEmail",
                 "Resource"=>"*"}]}}}},
+     :policies => {},
      :roles=>
       {"my-role"=>
         {:path=>"/any/",

data/spec/miam/ignore_login_profile_spec.rb

@@ -48,6 +48,7 @@ describe 'ignore login profile' do
          :attached_managed_policies=>[],
          :login_profile=>{:password_reset_required=>true}}},
      :groups=>{},
+     :policies=>{},
      :roles=>{},
      :instance_profiles=>{}}
   end

data/spec/miam/rename_spec.rb

@@ -110,6 +110,7 @@ describe 'update' do
               [{"Effect"=>"Allow",
                 "Action"=>"ses:SendRawEmail",
                 "Resource"=>"*"}]}}}},
+     :policies => {},
      :roles=>
       {"my-role"=>
         {:path=>"/any/",

data/spec/miam/update_spec.rb

@@ -110,6 +110,7 @@ describe 'update' do
               [{"Effect"=>"Allow",
                 "Action"=>"ses:SendRawEmail",
                 "Resource"=>"*"}]}}}},
+     :policies=>{},
      :roles=>
       {"my-role"=>
         {:path=>"/any/",

data/spec/spec_helper.rb

@@ -16,6 +16,8 @@ Aws.config.update(
   secret_access_key: ENV['MIAM_TEST_SECRET_ACCESS_KEY'] || 'tiger'
 )
 
+MIAM_TEST_ACCOUNT_ID = Aws::IAM::Client.new.get_user.user.user_id
+
 RSpec.configure do |config|
   config.before(:each) do
     apply { '' }

metadata

@@ -1,167 +1,167 @@
 --- !ruby/object:Gem::Specification
 name: miam
 version: !ruby/object:Gem::Version
-  version: 0.2.2
+  version: 0.2.3.beta
 platform: ruby
 authors:
 - Genki Sugawara
 autorequire: 
 bindir: bin
 cert_chain: []
-date: 2015-11-30 00:00:00.000000000 Z
+date: 2016-01-23 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
   name: aws-sdk-core
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.42
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 2.0.42
 - !ruby/object:Gem::Dependency
   name: ruby-progressbar
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: parallel
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: term-ansicolor
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: diffy
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: hashie
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :runtime
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: bundler
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rake
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: rspec
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: 3.0.0
 - !ruby/object:Gem::Dependency
   name: rspec-instafail
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 - !ruby/object:Gem::Dependency
   name: coveralls
   requirement: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
   type: :development
   prerelease: false
   version_requirements: !ruby/object:Gem::Requirement
     requirements:
-    - - '>='
+    - - ">="
       - !ruby/object:Gem::Version
         version: '0'
 description: Miam is a tool to manage IAM. It defines the state of IAM using DSL,
@@ -173,9 +173,9 @@ executables:
 extensions: []
 extra_rdoc_files: []
 files:
-- .gitignore
-- .rspec
-- .travis.yml
+- ".gitignore"
+- ".rspec"
+- ".travis.yml"
 - Gemfile
 - LICENSE.txt
 - README.md
@@ -187,6 +187,7 @@ files:
 - lib/miam/dsl.rb
 - lib/miam/dsl/context.rb
 - lib/miam/dsl/context/group.rb
+- lib/miam/dsl/context/managed_policy.rb
 - lib/miam/dsl/context/role.rb
 - lib/miam/dsl/context/user.rb
 - lib/miam/dsl/converter.rb
@@ -201,6 +202,7 @@ files:
 - miam.gemspec
 - spec/miam/attach_detach_policy_spec.rb
 - spec/miam/create_spec.rb
+- spec/miam/custom_managed_policy_spec.rb
 - spec/miam/delete_spec.rb
 - spec/miam/hash_ext_spec.rb
 - spec/miam/ignore_login_profile_spec.rb
@@ -217,23 +219,24 @@ require_paths:
 - lib
 required_ruby_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">="
     - !ruby/object:Gem::Version
       version: '0'
 required_rubygems_version: !ruby/object:Gem::Requirement
   requirements:
-  - - '>='
+  - - ">"
     - !ruby/object:Gem::Version
-      version: '0'
+      version: 1.3.1
 requirements: []
 rubyforge_project: 
-rubygems_version: 2.4.8
+rubygems_version: 2.4.5.1
 signing_key: 
 specification_version: 4
 summary: Miam is a tool to manage IAM.
 test_files:
 - spec/miam/attach_detach_policy_spec.rb
 - spec/miam/create_spec.rb
+- spec/miam/custom_managed_policy_spec.rb
 - spec/miam/delete_spec.rb
 - spec/miam/hash_ext_spec.rb
 - spec/miam/ignore_login_profile_spec.rb