miam 0.2.2 → 0.2.3.beta
- checksums.yaml +4 -4
- data/lib/miam.rb +1 -0
- data/lib/miam/client.rb +49 -4
- data/lib/miam/driver.rb +76 -0
- data/lib/miam/dsl/context.rb +12 -1
- data/lib/miam/dsl/context/managed_policy.rb +23 -0
- data/lib/miam/dsl/converter.rb +20 -0
- data/lib/miam/exporter.rb +44 -0
- data/lib/miam/version.rb +1 -1
- data/spec/miam/attach_detach_policy_spec.rb +1 -0
- data/spec/miam/create_spec.rb +3 -2
- data/spec/miam/custom_managed_policy_spec.rb +222 -0
- data/spec/miam/delete_spec.rb +1 -0
- data/spec/miam/ignore_login_profile_spec.rb +1 -0
- data/spec/miam/rename_spec.rb +1 -0
- data/spec/miam/update_spec.rb +1 -0
- data/spec/spec_helper.rb +2 -0
- metadata +34 -31
checksums.yaml
CHANGED
@@ -1,7 +1,7 @@
|
|
1
1
|
---
|
2
2
|
SHA1:
|
3
|
-
metadata.gz:
|
4
|
-
data.tar.gz:
|
3
|
+
metadata.gz: 041db7d696b371ba9e100126f05d5855c1d06156
|
4
|
+
data.tar.gz: 17757d1a0efd25ea076d4a76fd331db0dad5a74e
|
5
5
|
SHA512:
|
6
|
-
metadata.gz:
|
7
|
-
data.tar.gz:
|
6
|
+
metadata.gz: 61aed42e0653a7fb07a4cb1989bd23e077cf1df962110ad1d359b8bce09b9ede67cb1e5fc138e88eb6ba172a00d33cc2c2d598c2cbdf303db4aa455e2fd91d2c
|
7
|
+
data.tar.gz: c1e196039250f21678f48be94c704cd896b259c20449a1753a715fde5418ffbb62b25c05fa3e4a2c85c199dbe2013d236b763b8ffb1fe7f6f98cbbf8dbeddde3
|
data/lib/miam.rb
CHANGED
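--- a/data/lib/miam/client.rb
+++ b/data/lib/miam/client.rb
@@ -13,8 +13,8 @@ class Miam::Client
 exported, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options)
 
 if block_given?
-[:users, :groups, :roles, :instance_profiles].each do |type|
-splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
+[:users, :groups, :roles, :instance_profiles, :policies].each do |type|
+splitted = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}}
 
 if export_options[:split_more]
 exported[type].sort_by {|k, v| k }.each do |name, attrs|
@@ -58,10 +58,12 @@ class Miam::Client
 expected = load_file(file)
 
 actual, group_users, instance_profile_roles = Miam::Exporter.export(@iam, @options)
-updated =
+updated = pre_walk_managed_policies(expected[:policies], actual[:policies])
+updated = walk_groups(expected[:groups], actual[:groups], actual[:users], group_users) || updated
 updated = walk_users(expected[:users], actual[:users], group_users) || updated
 updated = walk_instance_profiles(expected[:instance_profiles], actual[:instance_profiles], actual[:roles], instance_profile_roles) || updated
 updated = walk_roles(expected[:roles], actual[:roles], instance_profile_roles) || updated
+updated = post_walk_managed_policies(actual[:policies]) || updated
 
 if @options[:dry_run]
 false
@@ -438,6 +440,50 @@ class Miam::Client
 updated
 end
 
+def pre_walk_managed_policies(expected, actual)
+updated = false
+
+expected.each do |policy_name, expected_attrs|
+actual_attrs = actual.delete(policy_name)
+
+if actual_attrs
+if expected_attrs[:path] != actual_attrs[:path]
+log(:warn, "ManagedPolicy `#{policy_name}`: 'path' cannot be updated", :color => :yellow)
+end
+
+updated = walk_managed_policy(policy_name, expected_attrs[:document], actual_attrs[:document]) || updated
+else
+@driver.create_managed_policy(policy_name, expected_attrs)
+updated = true
+end
+end
+
+updated
+end
+
+def walk_managed_policy(policy_name, expected_document, actual_document)
+updated = false
+expected_document.sort_array!
+actual_document.sort_array!
+
+if expected_document != actual_document
+@driver.update_managed_policy(policy_name, expected_document, actual_document)
+updated = true
+end
+
+updated
+end
+
+def post_walk_managed_policies(actual)
+updated = false
+
+actual.each do |policy_name, actual_attrs|
+@driver.delete_managed_policy(policy_name)
+updated = true
+end
+
+updated
+end
 
 def load_file(file)
 if file.kind_of?(String)
@@ -495,7 +541,6 @@ class Miam::Client
 end
 end
 
-
 normalized
 end
 end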
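Review bot: `post_walk_managed_policies` (new lines 477–486) deletes every customer-managed policy the DSL does not declare, and the driver's `delete_managed_policy` issues `delete_policy` without detaching anything first, so a policy still attached to a principal outside the file — an unmanaged role, or the IAM user running miam — aborts apply with IAM's DeleteConflict after the group/user/role walks have already changed state. Either consult `list_entities_for_policy` before deleting and detach (or warn and skip while attachments remain), or at least document on the method that deletion assumes every attachment is managed by the same file. The ordering itself looks right: `pre_walk_managed_policies` runs before the entity walks so new policies exist before `attached_managed_policies` references them, and the post-walk runs after detachment. Note that the `:path` mismatch on new line 450 is only warned, not skipped, so the policy is still compared and updated under an ARN the driver builds from the name alone; `load_file` and the `walk_*` methods called by the apply hunk are outside this diff.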
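--- a/data/lib/miam/driver.rb
+++ b/data/lib/miam/driver.rb
@@ -2,6 +2,7 @@ class Miam::Driver
 include Miam::Logger::Helper
 
 MAX_POLICY_SIZE = 2048
+MAX_POLICY_VERSIONS = 5
 
 def initialize(iam, options = {})
 @iam = iam
@@ -362,6 +363,73 @@ class Miam::Driver
 }.flatten
 end
 
+def create_managed_policy(policy_name, attrs)
+log(:info, "Create ManagedPolicy `#{policy_name}`", :color => :cyan)
+
+unless_dry_run do
+params = {
+:policy_name => policy_name,
+:path => attrs[:path],
+:policy_document => encode_document(attrs[:document]),
+}
+
+@iam.create_policy(params)
+end
+end
+
+def delete_managed_policy(policy_name)
+log(:info, "Delete ManagedPolicy `#{policy_name}`", :color => :red)
+
+unless_dry_run do
+policy_versions = @iam.list_policy_versions(
+:policy_arn => policy_arn(policy_name),
+:max_items => MAX_POLICY_VERSIONS
+)
+
+policy_versions.versions.reject {|pv|
+pv.is_default_version
+}.each {|pv|
+@iam.delete_policy_version(
+:policy_arn => policy_arn(policy_name),
+:version_id => pv.version_id
+)
+}
+
+@iam.delete_policy(
+:policy_arn => policy_arn(policy_name)
+)
+end
+end
+
+def update_managed_policy(policy_name, policy_document, old_policy_document)
+log(:info, "Update ManagedPolicy `#{policy_name}`", :color => :green)
+log(:info, Miam::Utils.diff(old_policy_document, policy_document, :color => @options[:color]), :color => false)
+
+unless_dry_run do
+policy_versions = @iam.list_policy_versions(
+:policy_arn => policy_arn(policy_name),
+:max_items => MAX_POLICY_VERSIONS
+)
+
+if policy_versions.versions.length >= MAX_POLICY_VERSIONS
+delete_policy_version = policy_versions.versions.reject {|pv|
+pv.is_default_version
+}.sort_by {|pv| pv.version_id[1..-1].to_i }.first
+
+@iam.delete_policy_version(
+:policy_arn => policy_arn(policy_name),
+:version_id => delete_policy_version.version_id
+)
+end
+
+@iam.create_policy_version(
+:policy_arn => policy_arn(policy_name),
+:policy_document => encode_document(policy_document),
+set_as_default: true
+)
+end
+end
+
 private
 
 def encode_document(policy_document)
@@ -386,4 +454,12 @@ class Miam::Driver
 def unless_dry_run
 yield unless @options[:dry_run]
 end
+
+def user_id
+@user_id ||= @iam.get_user.user.user_id
+end
+
+def policy_arn(policy_name)
+"arn:aws:iam::#{user_id}:policy/#{policy_name}"
+end
 end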
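Review bot: `policy_arn` (new lines 462–464) is built from `get_user.user.user_id`, which for an IAM user is the unique `AIDA…` identifier rather than the account number (the two coincide only for root credentials, which may be why the specs pass), `get_user` itself raises for assumed-role credentials, and the ARN omits the policy's path — so `update_managed_policy` and `delete_managed_policy` address an ARN that does not exist for any policy created with a non-root `:path`. Take the account id from the ARN `get_user` returns and thread the path through (or carry `policy.arn` from the exporter, which already has it, and stop rebuilding it); the client would then pass `actual_attrs[:path]` to delete/update and the three `policy_arn(policy_name)` call sites become `policy_arn(policy_name, path)`. The partition is also hard-coded to `arn:aws`, which is wrong in the China and GovCloud partitions. `encode_document` and the rest of the private section are only partly visible here.
```ruby
# … unchanged: public create/delete/update methods, with path threaded into policy_arn …
def account_id
  # GetUser's UserId equals the account id only for root credentials; the
  # ARN ("arn:aws:iam::123456789012:user/...") carries it for any IAM user.
  @account_id ||= @iam.get_user.user.arn.split(':')[4]
end

def policy_arn(policy_name, path = '/')
  # Customer-managed policy ARNs include the path: ...:policy/<path>/<name>
  "arn:aws:iam::#{account_id}:policy#{path}#{policy_name}"
end
```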
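--- a/data/lib/miam/dsl/context.rb
+++ b/data/lib/miam/dsl/context.rb
@@ -12,7 +12,7 @@ class Miam::DSL::Context
 def initialize(path, options = {}, &block)
 @path = path
 @options = options
-@result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}}
+@result = {:users => {}, :groups => {}, :roles => {}, :instance_profiles => {}, :policies => {}}
 
 @context = Hashie::Mash.new(
 :path => path,
@@ -83,4 +83,15 @@ class Miam::DSL::Context
 
 @result[:instance_profiles][name] = instance_profile_options
 end
+
+def managed_policy(name, policy_options = {}, &block)
+name = name.to_s
+
+if @result[:policies][name]
+raise "ManagedPolicy `#{name}` is already defined"
+end
+
+attrs = Miam::DSL::Context::ManagedPolicy.new(@context, name, &block).result
+@result[:policies][name] = policy_options.merge(attrs)
+end
 end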
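Review bot: `managed_policy` (new lines 87–96) does not default `:path`, so an entry written without it yields `expected_attrs[:path] == nil`; `create_managed_policy` then sends no path (IAM stores "/"), and every later apply logs "'path' cannot be updated" for that policy because `pre_walk_managed_policies` compares `nil` with "/". Defaulting it here, `@result[:policies][name] = {:path => '/'}.merge(policy_options).merge(attrs)`, keeps the round trip silent; if `user`/`group` (outside this hunk) already default `:path` some other way, mirror that instead. A call without a block reaches `instance_eval(&nil)` and fails with an unrelated ArgumentError, so `raise ArgumentError, "ManagedPolicy #{name}: block required" unless block` before line 94 gives the DSL author a usable message.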
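--- /dev/null
+++ b/data/lib/miam/dsl/context/managed_policy.rb
@@ -0,0 +1,23 @@
+class Miam::DSL::Context::ManagedPolicy
+include Miam::TemplateHelper
+
+def initialize(context, name, &block)
+@policy_name = name
+@context = context.merge(:policy_name => name)
+@result = {:document => get_document(block)}
+end
+
+attr_reader :result
+
+private
+
+def get_document(block)
+document = instance_eval(&block)
+
+unless document.kind_of?(Hash)
+raise "ManagedPolicy `#{@policy_name}`: wrong argument type #{document.class} (expected Hash)"
+end
+
+document
+end
+end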
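Review bot: `get_document` (lines 14–22) only checks that the block returned a Hash, so `{}` or a document with no Statement passes the DSL and fails later inside `create_policy` with MalformedPolicyDocument, after `pre_walk_managed_policies` may already have created or updated other policies. A cheap guard at parse time, `raise "ManagedPolicy #{@policy_name}: empty document" if document.empty?`, catches the obvious case; checking for a "Statement" key would be stricter, but I cannot tell from this diff whether documents are always string-keyed as in the specs. A one-line class header would help too, e.g. `# Evaluates a managed_policy block with instance_eval (TemplateHelper methods in scope) and exposes {:document => Hash} as #result`, since `Miam::TemplateHelper` is not visible here.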
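--- a/data/lib/miam/dsl/converter.rb
+++ b/data/lib/miam/dsl/converter.rb
@@ -14,6 +14,7 @@ class Miam::DSL::Converter
 output_groups(@exported[:groups]),
 output_roles(@exported[:roles]),
 output_instance_profiles(@exported[:instance_profiles]),
+output_managed_policies(@exported[:policies]),
 ].join("\n")
 end
 
@@ -172,6 +173,25 @@ instance_profile #{instance_profile_name.inspect}, #{Miam::Utils.unbrace(instanc
 "attached_managed_policies(#{attached_managed_policies})"
 end
 
+def output_managed_policies(policies)
+policies.each.sort_by {|k, v| k }.map {|policy_name, attrs|
+next unless target_matched?(policy_name)
+output_managed_policy(policy_name, attrs)
+}.select {|i| i }.join("\n")
+end
+
+def output_managed_policy(policy_name, attrs)
+policy_options = {:path => attrs[:path]}
+policy_document = attrs[:document].pretty_inspect
+policy_document.gsub!("\n", "\n ").strip!
+
+<<-EOS
+managed_policy #{policy_name.inspect}, #{Miam::Utils.unbrace(policy_options.inspect)} do
+#{policy_document}
+end
+EOS
+end
+
 def target_matched?(name)
 if @options[:target]
 name =~ @options[:target]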
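Review bot: `output_managed_policy` (new line 186) chains two bang methods, `gsub!(...).strip!`; this only works because `pretty_inspect` always ends with a newline so `gsub!` never returns nil, which is an easy trap for whoever later changes the formatting. `policy_document = attrs[:document].pretty_inspect.gsub("\n", "\n  ").strip` says the same without relying on that, and `.select {|i| i }` on line 180 is `.compact`. The generated text is Ruby that the next apply will instance_eval, so the `inspect`-based quoting on line 189 is what keeps policy names and options from being read as code — that deserves a comment on the line, since `Miam::Utils.unbrace` is not visible here.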
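--- a/data/lib/miam/exporter.rb
+++ b/data/lib/miam/exporter.rb
@@ -1,5 +1,7 @@
 # coding: utf-8
 class Miam::Exporter
+AWS_MANAGED_POLICY_PREFIX = 'arn:aws:iam::aws:'
+
 def self.export(iam, options = {})
 self.new(iam, options).export
 end
@@ -17,6 +19,7 @@ class Miam::Exporter
 users = account_authorization_details[:user_detail_list]
 groups = account_authorization_details[:group_detail_list]
 roles = account_authorization_details[:role_detail_list]
+policies = account_authorization_details[:policies]
 instance_profiles = list_instance_profiles
 group_users = {}
 instance_profile_roles = {}
@@ -37,6 +40,7 @@ class Miam::Exporter
 :groups => export_groups(groups),
 :roles => export_roles(roles, instance_profile_roles),
 :instance_profiles => export_instance_profiles(instance_profiles),
+:policies => export_policies(policies),
 }
 
 [expected, group_users, instance_profile_roles]
@@ -192,6 +196,45 @@ class Miam::Exporter
 result
 end
 
+def export_policies(policies)
+result = {}
+
+Parallel.each(policies, :in_threads => @concurrency) do |policy|
+if policy.arn.start_with?(AWS_MANAGED_POLICY_PREFIX)
+next
+end
+
+policy_name = policy.policy_name
+document = export_policy_document(policy)
+
+result[policy_name] = {
+:path => policy.path,
+:document => document,
+}
+end
+
+result
+end
+
+def export_policy_document(policy)
+policy_version = nil
+
+policy_version_list = policy.policy_version_list.sort_by do |pv|
+pv.version_id[1..-1].to_i
+end
+
+policy_version_list.each do |pv|
+policy_version = pv
+
+if pv.is_default_version
+break
+end
+end
+
+document = CGI.unescape(policy_version.document)
+JSON.parse(document)
+end
+
 def list_instance_profiles
 @iam.list_instance_profiles.map {|resp|
 resp.instance_profiles.to_a
@@ -209,6 +252,7 @@ class Miam::Exporter
 :user_detail_list,
 :group_detail_list,
 :role_detail_list,
+:policies,
 ]
 
 keys.each do |key|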
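Review bot: `AWS_MANAGED_POLICY_PREFIX = 'arn:aws:iam::aws:'` (new line 3) only recognises the standard partition; in aws-cn and aws-us-gov accounts AWS-managed policies carry `arn:aws-cn:iam::aws:policy/…` and `arn:aws-us-gov:iam::aws:policy/…`, so `export_policies` would treat them as customer policies and a subsequent apply would try to update or delete them. Testing the account field instead, `next if policy.arn.split(':')[4] == 'aws'`, is partition-independent. `export_policies` writes into the shared `result` Hash from `Parallel` threads (lines 202–214), which presumably mirrors the sibling `export_*` methods outside this hunk; and `export_policy_document` exports only the default version, which is fine but worth a comment since the driver later purges the non-default versions.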
data/lib/miam/version.rb
CHANGED
data/spec/miam/create_spec.rb
CHANGED
@@ -5,7 +5,7 @@ describe 'create' do
|
|
5
5
|
it do
|
6
6
|
updated = apply(subject) { '' }
|
7
7
|
expect(updated).to be_falsey
|
8
|
-
expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
|
8
|
+
expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
|
9
9
|
end
|
10
10
|
end
|
11
11
|
|
@@ -124,6 +124,7 @@ describe 'create' do
|
|
124
124
|
[{"Effect"=>"Allow",
|
125
125
|
"Action"=>"ses:SendRawEmail",
|
126
126
|
"Resource"=>"*"}]}}}},
|
127
|
+
:policies => {},
|
127
128
|
:roles=>
|
128
129
|
{"my-role"=>
|
129
130
|
{:path=>"/any/",
|
@@ -259,7 +260,7 @@ describe 'create' do
|
|
259
260
|
it do
|
260
261
|
updated = apply(subject) { dsl }
|
261
262
|
expect(updated).to be_falsey
|
262
|
-
expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}})
|
263
|
+
expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
|
263
264
|
end
|
264
265
|
end
|
265
266
|
end
|
@@ -0,0 +1,222 @@
|
|
1
|
+
describe 'custom managed policy' do
|
2
|
+
let(:dsl) do
|
3
|
+
<<-RUBY
|
4
|
+
managed_policy "my-policy", :path=>"/" do
|
5
|
+
{"Version"=>"2012-10-17",
|
6
|
+
"Statement"=>
|
7
|
+
[{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
|
8
|
+
end
|
9
|
+
|
10
|
+
user "mary", :path=>"/staff/" do
|
11
|
+
policy "S3" do
|
12
|
+
{"Statement"=>
|
13
|
+
[{"Action"=>
|
14
|
+
["s3:Get*",
|
15
|
+
"s3:List*"],
|
16
|
+
"Effect"=>"Allow",
|
17
|
+
"Resource"=>"*"}]}
|
18
|
+
end
|
19
|
+
|
20
|
+
attached_managed_policies(
|
21
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
|
22
|
+
)
|
23
|
+
end
|
24
|
+
RUBY
|
25
|
+
end
|
26
|
+
|
27
|
+
let(:expected) do
|
28
|
+
{:users=>
|
29
|
+
{"mary"=>
|
30
|
+
{:path=>"/staff/",
|
31
|
+
:groups=>[],
|
32
|
+
:attached_managed_policies=>[
|
33
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"],
|
34
|
+
:policies=>
|
35
|
+
{"S3"=>
|
36
|
+
{"Statement"=>
|
37
|
+
[{"Action"=>["s3:Get*", "s3:List*"],
|
38
|
+
"Effect"=>"Allow",
|
39
|
+
"Resource"=>"*"}]}}}},
|
40
|
+
:groups=>{},
|
41
|
+
:instance_profiles=>{},
|
42
|
+
:policies=>
|
43
|
+
{"my-policy"=>
|
44
|
+
{:path=>"/",
|
45
|
+
:document=>
|
46
|
+
{"Version"=>"2012-10-17",
|
47
|
+
"Statement"=>
|
48
|
+
[{"Effect"=>"Allow",
|
49
|
+
"Action"=>"directconnect:Describe*",
|
50
|
+
"Resource"=>"*"}]}}},
|
51
|
+
:roles=>{}}
|
52
|
+
end
|
53
|
+
|
54
|
+
before(:each) do
|
55
|
+
apply { dsl }
|
56
|
+
end
|
57
|
+
|
58
|
+
context 'when no change' do
|
59
|
+
subject { client }
|
60
|
+
|
61
|
+
it do
|
62
|
+
updated = apply(subject) { dsl }
|
63
|
+
expect(updated).to be_falsey
|
64
|
+
expect(export).to eq expected
|
65
|
+
end
|
66
|
+
end
|
67
|
+
|
68
|
+
context 'when create and attach' do
|
69
|
+
subject { client }
|
70
|
+
|
71
|
+
it do
|
72
|
+
updated = apply(subject) {
|
73
|
+
<<-RUBY
|
74
|
+
managed_policy "my-policy", :path=>"/" do
|
75
|
+
{"Version"=>"2012-10-17",
|
76
|
+
"Statement"=>
|
77
|
+
[{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
|
78
|
+
end
|
79
|
+
|
80
|
+
managed_policy "my-policy2", :path=>"/" do
|
81
|
+
{"Version"=>"2012-10-17",
|
82
|
+
"Statement"=>
|
83
|
+
[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
|
84
|
+
end
|
85
|
+
|
86
|
+
user "mary", :path=>"/staff/" do
|
87
|
+
policy "S3" do
|
88
|
+
{"Statement"=>
|
89
|
+
[{"Action"=>
|
90
|
+
["s3:Get*",
|
91
|
+
"s3:List*"],
|
92
|
+
"Effect"=>"Allow",
|
93
|
+
"Resource"=>"*"}]}
|
94
|
+
end
|
95
|
+
|
96
|
+
attached_managed_policies(
|
97
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy",
|
98
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
|
99
|
+
)
|
100
|
+
end
|
101
|
+
RUBY
|
102
|
+
}
|
103
|
+
|
104
|
+
expect(updated).to be_truthy
|
105
|
+
expected[:policies]["my-policy2"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}
|
106
|
+
expected[:users]["mary"][:attached_managed_policies] << "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
|
107
|
+
expected[:users]["mary"][:attached_managed_policies].sort!
|
108
|
+
actual = export
|
109
|
+
actual[:users]["mary"][:attached_managed_policies].sort!
|
110
|
+
expect(actual).to eq expected
|
111
|
+
end
|
112
|
+
end
|
113
|
+
|
114
|
+
context 'when create and delete' do
|
115
|
+
subject { client }
|
116
|
+
|
117
|
+
it do
|
118
|
+
updated = apply(subject) {
|
119
|
+
<<-RUBY
|
120
|
+
managed_policy "my-policy2", :path=>"/" do
|
121
|
+
{"Version"=>"2012-10-17",
|
122
|
+
"Statement"=>
|
123
|
+
[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
|
124
|
+
end
|
125
|
+
|
126
|
+
user "mary", :path=>"/staff/" do
|
127
|
+
policy "S3" do
|
128
|
+
{"Statement"=>
|
129
|
+
[{"Action"=>
|
130
|
+
["s3:Get*",
|
131
|
+
"s3:List*"],
|
132
|
+
"Effect"=>"Allow",
|
133
|
+
"Resource"=>"*"}]}
|
134
|
+
end
|
135
|
+
|
136
|
+
attached_managed_policies(
|
137
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
|
138
|
+
)
|
139
|
+
end
|
140
|
+
RUBY
|
141
|
+
}
|
142
|
+
|
143
|
+
expect(updated).to be_truthy
|
144
|
+
expected[:policies] = {"my-policy2" => {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}}
|
145
|
+
expected[:users]["mary"][:attached_managed_policies] = ["arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"]
|
146
|
+
expect(export).to eq expected
|
147
|
+
end
|
148
|
+
end
|
149
|
+
|
150
|
+
context 'when update' do
|
151
|
+
subject { client }
|
152
|
+
|
153
|
+
it do
|
154
|
+
updated = apply(subject) {
|
155
|
+
<<-RUBY
|
156
|
+
managed_policy "my-policy", :path=>"/" do
|
157
|
+
{"Version"=>"2012-10-17",
|
158
|
+
"Statement"=>
|
159
|
+
[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
|
160
|
+
end
|
161
|
+
|
162
|
+
user "mary", :path=>"/staff/" do
|
163
|
+
policy "S3" do
|
164
|
+
{"Statement"=>
|
165
|
+
[{"Action"=>
|
166
|
+
["s3:Get*",
|
167
|
+
"s3:List*"],
|
168
|
+
"Effect"=>"Allow",
|
169
|
+
"Resource"=>"*"}]}
|
170
|
+
end
|
171
|
+
|
172
|
+
attached_managed_policies(
|
173
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
|
174
|
+
)
|
175
|
+
end
|
176
|
+
RUBY
|
177
|
+
}
|
178
|
+
|
179
|
+
expect(updated).to be_truthy
|
180
|
+
expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
|
181
|
+
expect(export).to eq expected
|
182
|
+
end
|
183
|
+
end
|
184
|
+
|
185
|
+
context 'when update 7 times' do
|
186
|
+
subject { client }
|
187
|
+
|
188
|
+
it do
|
189
|
+
4.times do
|
190
|
+
apply(subject) { dsl }
|
191
|
+
|
192
|
+
apply(subject) {
|
193
|
+
<<-RUBY
|
194
|
+
managed_policy "my-policy", :path=>"/" do
|
195
|
+
{"Version"=>"2012-10-17",
|
196
|
+
"Statement"=>
|
197
|
+
[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
|
198
|
+
end
|
199
|
+
|
200
|
+
user "mary", :path=>"/staff/" do
|
201
|
+
policy "S3" do
|
202
|
+
{"Statement"=>
|
203
|
+
[{"Action"=>
|
204
|
+
["s3:Get*",
|
205
|
+
"s3:List*"],
|
206
|
+
"Effect"=>"Allow",
|
207
|
+
"Resource"=>"*"}]}
|
208
|
+
end
|
209
|
+
|
210
|
+
attached_managed_policies(
|
211
|
+
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
|
212
|
+
)
|
213
|
+
end
|
214
|
+
RUBY
|
215
|
+
}
|
216
|
+
end
|
217
|
+
|
218
|
+
expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
|
219
|
+
expect(export).to eq expected
|
220
|
+
end
|
221
|
+
end
|
222
|
+
end
|
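Review bot: the `'when update 7 times'` context (lines 185–221) runs `4.times` with two applies each, i.e. eight updates on top of the initial create, and never checks the return of `apply` inside the loop, so a failure to rotate versions past `MAX_POLICY_VERSIONS` would surface only through the final export. Asserting `expect(apply(subject) { dsl }).to be_truthy` (and the same for the second apply) per iteration, and naming the context after the real count, makes the intent checkable. No example uses a non-root `:path`, which is exactly the case where the driver builds a policy ARN from the name alone and diverges from the ARN IAM assigns.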
data/spec/miam/delete_spec.rb
CHANGED
data/spec/miam/rename_spec.rb
CHANGED
data/spec/miam/update_spec.rb
CHANGED
data/spec/spec_helper.rb
CHANGED
metadata
CHANGED
@@ -1,167 +1,167 @@
|
|
1
1
|
--- !ruby/object:Gem::Specification
|
2
2
|
name: miam
|
3
3
|
version: !ruby/object:Gem::Version
|
4
|
-
version: 0.2.
|
4
|
+
version: 0.2.3.beta
|
5
5
|
platform: ruby
|
6
6
|
authors:
|
7
7
|
- Genki Sugawara
|
8
8
|
autorequire:
|
9
9
|
bindir: bin
|
10
10
|
cert_chain: []
|
11
|
-
date:
|
11
|
+
date: 2016-01-23 00:00:00.000000000 Z
|
12
12
|
dependencies:
|
13
13
|
- !ruby/object:Gem::Dependency
|
14
14
|
name: aws-sdk-core
|
15
15
|
requirement: !ruby/object:Gem::Requirement
|
16
16
|
requirements:
|
17
|
-
- -
|
17
|
+
- - ">="
|
18
18
|
- !ruby/object:Gem::Version
|
19
19
|
version: 2.0.42
|
20
20
|
type: :runtime
|
21
21
|
prerelease: false
|
22
22
|
version_requirements: !ruby/object:Gem::Requirement
|
23
23
|
requirements:
|
24
|
-
- -
|
24
|
+
- - ">="
|
25
25
|
- !ruby/object:Gem::Version
|
26
26
|
version: 2.0.42
|
27
27
|
- !ruby/object:Gem::Dependency
|
28
28
|
name: ruby-progressbar
|
29
29
|
requirement: !ruby/object:Gem::Requirement
|
30
30
|
requirements:
|
31
|
-
- -
|
31
|
+
- - ">="
|
32
32
|
- !ruby/object:Gem::Version
|
33
33
|
version: '0'
|
34
34
|
type: :runtime
|
35
35
|
prerelease: false
|
36
36
|
version_requirements: !ruby/object:Gem::Requirement
|
37
37
|
requirements:
|
38
|
-
- -
|
38
|
+
- - ">="
|
39
39
|
- !ruby/object:Gem::Version
|
40
40
|
version: '0'
|
41
41
|
- !ruby/object:Gem::Dependency
|
42
42
|
name: parallel
|
43
43
|
requirement: !ruby/object:Gem::Requirement
|
44
44
|
requirements:
|
45
|
-
- -
|
45
|
+
- - ">="
|
46
46
|
- !ruby/object:Gem::Version
|
47
47
|
version: '0'
|
48
48
|
type: :runtime
|
49
49
|
prerelease: false
|
50
50
|
version_requirements: !ruby/object:Gem::Requirement
|
51
51
|
requirements:
|
52
|
-
- -
|
52
|
+
- - ">="
|
53
53
|
- !ruby/object:Gem::Version
|
54
54
|
version: '0'
|
55
55
|
- !ruby/object:Gem::Dependency
|
56
56
|
name: term-ansicolor
|
57
57
|
requirement: !ruby/object:Gem::Requirement
|
58
58
|
requirements:
|
59
|
-
- -
|
59
|
+
- - ">="
|
60
60
|
- !ruby/object:Gem::Version
|
61
61
|
version: '0'
|
62
62
|
type: :runtime
|
63
63
|
prerelease: false
|
64
64
|
version_requirements: !ruby/object:Gem::Requirement
|
65
65
|
requirements:
|
66
|
-
- -
|
66
|
+
- - ">="
|
67
67
|
- !ruby/object:Gem::Version
|
68
68
|
version: '0'
|
69
69
|
- !ruby/object:Gem::Dependency
|
70
70
|
name: diffy
|
71
71
|
requirement: !ruby/object:Gem::Requirement
|
72
72
|
requirements:
|
73
|
-
- -
|
73
|
+
- - ">="
|
74
74
|
- !ruby/object:Gem::Version
|
75
75
|
version: '0'
|
76
76
|
type: :runtime
|
77
77
|
prerelease: false
|
78
78
|
version_requirements: !ruby/object:Gem::Requirement
|
79
79
|
requirements:
|
80
|
-
- -
|
80
|
+
- - ">="
|
81
81
|
- !ruby/object:Gem::Version
|
82
82
|
version: '0'
|
83
83
|
- !ruby/object:Gem::Dependency
|
84
84
|
name: hashie
|
85
85
|
requirement: !ruby/object:Gem::Requirement
|
86
86
|
requirements:
|
87
|
-
- -
|
87
|
+
- - ">="
|
88
88
|
- !ruby/object:Gem::Version
|
89
89
|
version: '0'
|
90
90
|
type: :runtime
|
91
91
|
prerelease: false
|
92
92
|
version_requirements: !ruby/object:Gem::Requirement
|
93
93
|
requirements:
|
94
|
-
- -
|
94
|
+
- - ">="
|
95
95
|
- !ruby/object:Gem::Version
|
96
96
|
version: '0'
|
97
97
|
- !ruby/object:Gem::Dependency
|
98
98
|
name: bundler
|
99
99
|
requirement: !ruby/object:Gem::Requirement
|
100
100
|
requirements:
|
101
|
-
- -
|
101
|
+
- - ">="
|
102
102
|
- !ruby/object:Gem::Version
|
103
103
|
version: '0'
|
104
104
|
type: :development
|
105
105
|
prerelease: false
|
106
106
|
version_requirements: !ruby/object:Gem::Requirement
|
107
107
|
requirements:
|
108
|
-
- -
|
108
|
+
- - ">="
|
109
109
|
- !ruby/object:Gem::Version
|
110
110
|
version: '0'
|
111
111
|
- !ruby/object:Gem::Dependency
|
112
112
|
name: rake
|
113
113
|
requirement: !ruby/object:Gem::Requirement
|
114
114
|
requirements:
|
115
|
-
- -
|
115
|
+
- - ">="
|
116
116
|
- !ruby/object:Gem::Version
|
117
117
|
version: '0'
|
118
118
|
type: :development
|
119
119
|
prerelease: false
|
120
120
|
version_requirements: !ruby/object:Gem::Requirement
|
121
121
|
requirements:
|
122
|
-
- -
|
122
|
+
- - ">="
|
123
123
|
- !ruby/object:Gem::Version
|
124
124
|
version: '0'
|
125
125
|
- !ruby/object:Gem::Dependency
|
126
126
|
name: rspec
|
127
127
|
requirement: !ruby/object:Gem::Requirement
|
128
128
|
requirements:
|
129
|
-
- -
|
129
|
+
- - ">="
|
130
130
|
- !ruby/object:Gem::Version
|
131
131
|
version: 3.0.0
|
132
132
|
type: :development
|
133
133
|
prerelease: false
|
134
134
|
version_requirements: !ruby/object:Gem::Requirement
|
135
135
|
requirements:
|
136
|
-
- -
|
136
|
+
- - ">="
|
137
137
|
- !ruby/object:Gem::Version
|
138
138
|
version: 3.0.0
|
139
139
|
- !ruby/object:Gem::Dependency
|
140
140
|
name: rspec-instafail
|
141
141
|
requirement: !ruby/object:Gem::Requirement
|
142
142
|
requirements:
|
143
|
-
- -
|
143
|
+
- - ">="
|
144
144
|
- !ruby/object:Gem::Version
|
145
145
|
version: '0'
|
146
146
|
type: :development
|
147
147
|
prerelease: false
|
148
148
|
version_requirements: !ruby/object:Gem::Requirement
|
149
149
|
requirements:
|
150
|
-
- -
|
150
|
+
- - ">="
|
151
151
|
- !ruby/object:Gem::Version
|
152
152
|
version: '0'
|
153
153
|
- !ruby/object:Gem::Dependency
|
154
154
|
name: coveralls
|
155
155
|
requirement: !ruby/object:Gem::Requirement
|
156
156
|
requirements:
|
157
|
-
- -
|
157
|
+
- - ">="
|
158
158
|
- !ruby/object:Gem::Version
|
159
159
|
version: '0'
|
160
160
|
type: :development
|
161
161
|
prerelease: false
|
162
162
|
version_requirements: !ruby/object:Gem::Requirement
|
163
163
|
requirements:
|
164
|
-
- -
|
164
|
+
- - ">="
|
165
165
|
- !ruby/object:Gem::Version
|
166
166
|
version: '0'
|
167
167
|
description: Miam is a tool to manage IAM. It defines the state of IAM using DSL,
|
@@ -173,9 +173,9 @@ executables:
|
|
173
173
|
extensions: []
|
174
174
|
extra_rdoc_files: []
|
175
175
|
files:
|
176
|
-
- .gitignore
|
177
|
-
- .rspec
|
178
|
-
- .travis.yml
|
176
|
+
- ".gitignore"
|
177
|
+
- ".rspec"
|
178
|
+
- ".travis.yml"
|
179
179
|
- Gemfile
|
180
180
|
- LICENSE.txt
|
181
181
|
- README.md
|
@@ -187,6 +187,7 @@ files:
|
|
187
187
|
- lib/miam/dsl.rb
|
188
188
|
- lib/miam/dsl/context.rb
|
189
189
|
- lib/miam/dsl/context/group.rb
|
190
|
+
- lib/miam/dsl/context/managed_policy.rb
|
190
191
|
- lib/miam/dsl/context/role.rb
|
191
192
|
- lib/miam/dsl/context/user.rb
|
192
193
|
- lib/miam/dsl/converter.rb
|
@@ -201,6 +202,7 @@ files:
|
|
201
202
|
- miam.gemspec
|
202
203
|
- spec/miam/attach_detach_policy_spec.rb
|
203
204
|
- spec/miam/create_spec.rb
|
205
|
+
- spec/miam/custom_managed_policy_spec.rb
|
204
206
|
- spec/miam/delete_spec.rb
|
205
207
|
- spec/miam/hash_ext_spec.rb
|
206
208
|
- spec/miam/ignore_login_profile_spec.rb
|
@@ -217,23 +219,24 @@ require_paths:
|
|
217
219
|
- lib
|
218
220
|
required_ruby_version: !ruby/object:Gem::Requirement
|
219
221
|
requirements:
|
220
|
-
- -
|
222
|
+
- - ">="
|
221
223
|
- !ruby/object:Gem::Version
|
222
224
|
version: '0'
|
223
225
|
required_rubygems_version: !ruby/object:Gem::Requirement
|
224
226
|
requirements:
|
225
|
-
- -
|
227
|
+
- - ">"
|
226
228
|
- !ruby/object:Gem::Version
|
227
|
-
version:
|
229
|
+
version: 1.3.1
|
228
230
|
requirements: []
|
229
231
|
rubyforge_project:
|
230
|
-
rubygems_version: 2.4.
|
232
|
+
rubygems_version: 2.4.5.1
|
231
233
|
signing_key:
|
232
234
|
specification_version: 4
|
233
235
|
summary: Miam is a tool to manage IAM.
|
234
236
|
test_files:
|
235
237
|
- spec/miam/attach_detach_policy_spec.rb
|
236
238
|
- spec/miam/create_spec.rb
|
239
|
+
- spec/miam/custom_managed_policy_spec.rb
|
237
240
|
- spec/miam/delete_spec.rb
|
238
241
|
- spec/miam/hash_ext_spec.rb
|
239
242
|
- spec/miam/ignore_login_profile_spec.rb
|