subiam 1.2.1 → 1.3.0

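--- a/checksums.yaml
+++ b/checksums.yaml
@@ -1,7 +1,7 @@
 ---
 SHA1:
-metadata.gz: 5f32814fa2db9f3e157767104fe4da0752b40120
-data.tar.gz: 677bf6d1e8fdbf6b0a9e13e7527add9ad8f8b69d
+metadata.gz: 9e9c53dfa71f2d449b85caa531f6d97915c6413b
+data.tar.gz: c73ef382a5339c7d728ebf2c28a4cfdfe96ef4da
 SHA512:
-metadata.gz: e3cc7e53244ab488c971c4f7ff583db303889cb76e951e2254174642e3a16d9663f7a009569e595101b397293fa4e9e3835236b2c055f2d4880f9f17c6ddd5f9
-data.tar.gz: 6c74f7af2951620201979b7f16551724c95c8df036b47f76f8896ad0845310c7beb257b6c8ca1ad214c5f8da9017efab3989486bec2208800d9d51b8e20f3f00
+metadata.gz: 2e9b69459246c5e88d7980df906f8424069eb6cc40481115d88585e5d771ed988bca742722721c1b6c1caeb0e7708e605788ec469e1407f379ad34fc3f4d2373
+data.tar.gz: bbfcdf2e17ca809dcb682e24074c152c1dc1d9a0d1885ba3cce57f89c3784fe42f80b3acfddf0230b71de2c288e95b5846185625b8764189606f4f39f569e655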
data/README.md CHANGED
@@ -7,6 +7,9 @@ It defines the state of IAM using DSL, and updates IAM according to DSL.
7
7
  It's forked from Miam. Miam is designed to manage all IAM entities in the AWS account. Subiam is not so. Subiam is designed to manage sub part of IAM entities in the AWS account. For example around MySQL instances / around web servers / around lambda functions / around monitoring systems.
8
8
 
9
9
  **Notice**
10
+ * `>= 1.3.0`
11
+ * Specify default region: `ap-northeast-1`. User does't have to specify region unless using isolated AWS region like GovCloud.
12
+
10
13
  * `>= 1.2.0`
11
14
  * Add helper methods: `arn_policy_by_aws`, `arn_policy_by_current_account`
12
15
 
@@ -41,7 +44,6 @@ Or install it yourself as:
41
44
  ```sh
42
45
  export AWS_ACCESS_KEY_ID='...'
43
46
  export AWS_SECRET_ACCESS_KEY='...'
44
- export AWS_REGION='us-east-1'
45
47
  vi subiam-xxx.rb
46
48
  subiam -a --dry-run subiam-xxx.rb
47
49
  subiam -a subiam-xxx.rb
@@ -55,22 +57,24 @@ Usage: subiam [options]
55
57
  --credentials-path PATH
56
58
  -k, --access-key ACCESS_KEY
57
59
  -s, --secret-key SECRET_KEY
58
- -r, --region REGION
60
+ -r, --region REGION default: ap-northeast-1
59
61
  -a, --apply
60
- -f, --file FILE
62
+ -f, --file FILE Specify the file path to apply.
61
63
  --dry-run
62
64
  --account-output FILE
63
65
  -e, --export
64
- -o, --output FILE
66
+ -o, --output FILE Specify the file path to export current IAM settings.
65
67
  --split
66
68
  --split-more
67
- --format=FORMAT
69
+ --format FORMAT
70
+ ruby or json. (default: ruby)
68
71
  --export-concurrency N
69
72
  --ignore-login-profile
70
73
  --no-color
71
74
  --no-progress
72
75
  --debug
73
76
  --enable-delete
77
+ Enable to delete top level elements. (default: false)
74
78
  ```
75
79
 
76
80
  ## IAM definition files example
@@ -144,47 +148,28 @@ template "ec2-assume-role-attrs" do
144
148
  end
145
149
  ```
146
150
 
147
-
148
- ## Use management policy
149
-
150
- ```ruby
151
- user "foo", path: '/' do
152
- attached_managed_policies(
153
- 'arn:aws:iam::0123456789:policy/MyPolicy',
154
-
155
- arn_policy_by_current_account("MyPolicy2"),
156
- # == "arn:aws:iam::0123456789:policy/MyPolicy2'
157
-
158
- arn_policy_by_aws("AdministratorAccess")
159
- # == 'arn:aws:iam::aws:policy/AdministratorAccess'
160
- )
161
- end
162
- ```
163
-
164
-
165
- ---
166
- old examples (but works if add `target`)
151
+ ## General example (User / Group / Role)
167
152
 
168
153
  ```ruby
169
154
  import 'other/iamfile'
170
155
 
171
- target /^monitoring-/
156
+ target /.*/ # managing IAMs whole account
172
157
 
173
- user "monitoring-bob", :path => "/monitoring-user/" do
174
- login_profile :password_reset_required=>true
158
+ user "monitoring-bob", path: "/monitoring-user/" do
159
+ login_profile password_reset_required: true
175
160
 
176
161
  groups(
177
162
  "Admin"
178
163
  )
179
164
 
180
165
  policy "bob-policy" do
181
- {"Version"=>"2012-10-17",
182
- "Statement"=>
183
- [{"Action"=>
166
+ {Version: "2012-10-17",
167
+ Statement:
168
+ [{Action:
184
169
  ["s3:Get*",
185
170
  "s3:List*"],
186
- "Effect"=>"Allow",
187
- "Resource"=>"*"}]}
171
+ Effect: "Allow",
172
+ Resource: "*"}]}
188
173
  end
189
174
 
190
175
  attached_managed_policies(
@@ -192,31 +177,31 @@ user "monitoring-bob", :path => "/monitoring-user/" do
192
177
  )
193
178
  end
194
179
 
195
- user "mary", :path => "/staff/" do
196
- # login_profile :password_reset_required=>true
180
+ user "mary", path: "/staff/" do
181
+ # login_profile password_reset_required: true
197
182
 
198
183
  groups(
199
184
  # no group
200
185
  )
201
186
 
202
187
  policy "s3-readonly" do
203
- {"Version"=>"2012-10-17",
204
- "Statement"=>
205
- [{"Action"=>
188
+ {Version: "2012-10-17",
189
+ Statement:
190
+ [{Action:
206
191
  ["s3:Get*",
207
192
  "s3:List*"],
208
- "Effect"=>"Allow",
209
- "Resource"=>"*"}]}
193
+ Effect: "Allow",
194
+ Resource: "*"}]}
210
195
  end
211
196
 
212
197
  policy "route53-readonly" do
213
- {"Version"=>"2012-10-17",
214
- "Statement"=>
215
- [{"Action"=>
198
+ {Version: "2012-10-17",
199
+ Statement:
200
+ [{Action:
216
201
  ["route53:Get*",
217
202
  "route53:List*"],
218
- "Effect"=>"Allow",
219
- "Resource"=>"*"}]}
203
+ Effect: "Allow",
204
+ Resource: "*"}]}
220
205
  end
221
206
 
222
207
  attached_managed_policies(
@@ -225,45 +210,43 @@ user "mary", :path => "/staff/" do
225
210
  )
226
211
  end
227
212
 
228
- group "Admin", :path => "/admin/" do
213
+ group "Admin", path: "/admin/" do
229
214
  policy "Admin" do
230
- {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
215
+ {Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
231
216
  end
232
217
  end
233
218
 
234
- role "S3", :path => "/" do
219
+ role "S3", path: "/" do
235
220
  instance_profiles(
236
221
  "S3"
237
222
  )
238
223
 
239
224
  assume_role_policy_document do
240
- {"Version"=>"2012-10-17",
241
- "Statement"=>
242
- [{"Sid"=>"",
243
- "Effect"=>"Allow",
244
- "Principal"=>{"Service"=>"ec2.amazonaws.com"},
245
- "Action"=>"sts:AssumeRole"}]}
225
+ {Version: "2012-10-17",
226
+ Statement:
227
+ [{Sid: "",
228
+ Effect: "Allow",
229
+ Principal: {Service: "ec2.amazonaws.com"},
230
+ Action: "sts:AssumeRole"}]}
246
231
  end
247
232
 
248
233
  policy "S3-role-policy" do
249
- {"Version"=>"2012-10-17",
250
- "Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
234
+ {Version: "2012-10-17",
235
+ Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
251
236
  end
252
237
  end
253
238
 
254
- instance_profile "S3", :path => "/"
239
+ instance_profile "S3", path: "/"
255
240
  ```
256
241
 
257
242
  ## Rename
258
243
 
259
244
  ```ruby
260
- import 'other/iamfile'
261
-
262
- user "bob2", :path => "/developer/", :renamed_from => "bob" do
245
+ user "bob2", path: "/developer/", renamed_from: "bob" do
263
246
  # ...
264
247
  end
265
248
 
266
- group "Admin2", :path => "/admin/". :renamed_from => "Admin" do
249
+ group "Admin2", path: "/admin/", renamed_from: "Admin" do
267
250
  # ...
268
251
  end
269
252
  ```
@@ -271,8 +254,8 @@ end
271
254
  ## Managed Policy attach/detach
272
255
 
273
256
  ```ruby
274
- user "bob", :path => "/developer/" do
275
- login_profile :password_reset_required=>true
257
+ user "bob", path: "/developer/" do
258
+ login_profile password_reset_required: true
276
259
 
277
260
  groups(
278
261
  "Admin"
@@ -291,14 +274,14 @@ end
291
274
  ## Custom Managed Policy
292
275
 
293
276
  ```ruby
294
- managed_policy "my-policy", :path=>"/" do
295
- {"Version"=>"2012-10-17",
296
- "Statement"=>
297
- [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
277
+ managed_policy "my-policy", path: "/" do
278
+ {Version: "2012-10-17",
279
+ Statement:
280
+ [{Effect: "Allow", Action: "directconnect:Describe*", Resource: "*"}]}
298
281
  end
299
282
 
300
- user "bob", :path => "/developer/" do
301
- login_profile :password_reset_required=>true
283
+ user "bob", path: "/developer/" do
284
+ login_profile password_reset_required: true
302
285
 
303
286
  groups(
304
287
  "Admin"
@@ -332,6 +315,7 @@ $ cat iam.json
332
315
  "policies": {
333
316
  ...
334
317
 
318
+ $ vi iam.json # add target
335
319
  $ subiam -a -f iam.json --dry-run
336
320
  Apply `iam.json` to IAM (dry-run)
337
321
  ᗧ 100%
@@ -343,29 +327,29 @@ No change
343
327
  ```ruby
344
328
  template "common-policy" do
345
329
  policy "my-policy" do
346
- {"Version"=>context.version,
347
- "Statement"=>
348
- [{"Action"=>
330
+ {Version: context.version,
331
+ Statement:
332
+ [{Action:
349
333
  ["s3:Get*",
350
334
  "s3:List*"],
351
- "Effect"=>"Allow",
352
- "Resource"=>"*"}]}
335
+ Effect: "Allow",
336
+ Resource: "*"}]}
353
337
  end
354
338
  end
355
339
 
356
340
  template "common-role-attrs" do
357
341
  assume_role_policy_document do
358
- {"Version"=>context.version,
359
- "Statement"=>
360
- [{"Sid"=>"",
361
- "Effect"=>"Allow",
362
- "Principal"=>{"Service"=>"ec2.amazonaws.com"},
363
- "Action"=>"sts:AssumeRole"}]}
342
+ {Version: context.version,
343
+ Statement:
344
+ [{Sid: "",
345
+ Effect: "Allow",
346
+ Principal: {Service: "ec2.amazonaws.com"},
347
+ Action: "sts:AssumeRole"}]}
364
348
  end
365
349
  end
366
350
 
367
- user "bob", :path => "/developer/" do
368
- login_profile :password_reset_required=>true
351
+ user "bob", path: "/developer/" do
352
+ login_profile password_reset_required: true
369
353
 
370
354
  groups(
371
355
  "Admin"
@@ -374,8 +358,8 @@ user "bob", :path => "/developer/" do
374
358
  include_template "common-policy", version: "2012-10-17"
375
359
  end
376
360
 
377
- user "mary", :path => "/staff/" do
378
- # login_profile :password_reset_required=>true
361
+ user "mary", path: "/staff/" do
362
+ # login_profile password_reset_required: true
379
363
 
380
364
  groups(
381
365
  # no group
@@ -390,7 +374,7 @@ user "mary", :path => "/staff/" do
390
374
  )
391
375
  end
392
376
 
393
- role "S3", :path => "/" do
377
+ role "S3", path: "/" do
394
378
  instance_profiles(
395
379
  "S3"
396
380
  )
@@ -398,11 +382,27 @@ role "S3", :path => "/" do
398
382
  include_template "common-role-attrs"
399
383
 
400
384
  policy "S3-role-policy" do
401
- {"Version"=>"2012-10-17",
402
- "Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
385
+ {Version: "2012-10-17",
386
+ Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
403
387
  end
404
388
  end
405
389
  ```
406
390
 
391
+ ## Use management policy
392
+
393
+ ```ruby
394
+ user "foo", path: '/' do
395
+ attached_managed_policies(
396
+ 'arn:aws:iam::0123456789:policy/MyPolicy',
397
+
398
+ arn_policy_by_current_account("MyPolicy2"),
399
+ # == "arn:aws:iam::0123456789:policy/MyPolicy2'
400
+
401
+ arn_policy_by_aws("AdministratorAccess")
402
+ # == 'arn:aws:iam::aws:policy/AdministratorAccess'
403
+ )
404
+ end
405
+ ```
406
+
407
407
  ## Similar tools
408
408
  * [Codenize.tools](http://codenize.tools/)
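--- a/data/bin/subiam
+++ b/data/bin/subiam
@@ -36,26 +36,26 @@ ARGV.options do |opt|
 credentials_path = nil
 format_passed = false
 
-opt.on('-p', '--profile PROFILE_NAME') {|v| profile_name = v }
-opt.on('' , '--credentials-path PATH') {|v| credentials_path = v }
-opt.on('-k', '--access-key ACCESS_KEY') {|v| access_key = v }
-opt.on('-s', '--secret-key SECRET_KEY') {|v| secret_key = v }
-opt.on('-r', '--region REGION') {|v| region = v }
-opt.on('-a', '--apply') { mode = :apply }
-opt.on('-f', '--file FILE') {|v| file = v }
-opt.on('' , '--dry-run') { options[:dry_run] = true }
-opt.on('' , '--account-output FILE') {|v| options[:password_manager] = Subiam::PasswordManager.new(v, options) }
-opt.on('-e', '--export') { mode = :export }
-opt.on('-o', '--output FILE') {|v| output_file = v }
-opt.on('' , '--split') { split = true }
-opt.on('' , '--split-more') { split = :more }
-opt.on('', '--format=FORMAT', [:ruby, :json]) {|v| format_passed = true; options[:format] = v }
-opt.on('' , '--export-concurrency N', Integer) {|v| options[:export_concurrency] = v }
-opt.on('' , '--ignore-login-profile') { options[:ignore_login_profile] = true }
-opt.on('' , '--no-color') { options[:color] = false }
-opt.on('' , '--no-progress') { options[:no_progress] = true }
-opt.on('' , '--debug') { options[:debug] = true }
-opt.on('' , '--enable-delete') { options[:enable_delete] = true }
+opt.on('-p', '--profile PROFILE_NAME') { |v| profile_name = v }
+opt.on('', '--credentials-path PATH') { |v| credentials_path = v }
+opt.on('-k', '--access-key ACCESS_KEY') { |v| access_key = v }
+opt.on('-s', '--secret-key SECRET_KEY') { |v| secret_key = v }
+opt.on('-r', '--region REGION', 'default: ap-northeast-1') { |v| region = v }
+opt.on('-a', '--apply') { mode = :apply }
+opt.on('-f', '--file FILE', 'Specify the file path to apply.') { |v| file = v }
+opt.on('', '--dry-run') { options[:dry_run] = true }
+opt.on('', '--account-output FILE') { |v| options[:password_manager] = Subiam::PasswordManager.new(v, options) }
+opt.on('-e', '--export') { mode = :export }
+opt.on('-o', '--output FILE', 'Specify the file path to export current IAM settings.') { |v| output_file = v }
+opt.on('', '--split') { split = true }
+opt.on('', '--split-more') { split = :more }
+opt.on('', '--format FORMAT', [:ruby, :json], 'ruby or json. (default: ruby)') { |v| format_passed = true; options[:format] = v }
+opt.on('', '--export-concurrency N', Integer) { |v| options[:export_concurrency] = v }
+opt.on('', '--ignore-login-profile') { options[:ignore_login_profile] = true }
+opt.on('', '--no-color') { options[:color] = false }
+opt.on('', '--no-progress') { options[:no_progress] = true }
+opt.on('', '--debug') { options[:debug] = true }
+opt.on('', '--enable-delete', 'Enable to delete top level elements. (default: false)') { options[:enable_delete] = true }
 opt.parse!
 
 aws_opts = {}
@@ -76,7 +76,12 @@ ARGV.options do |opt|
 exit 1
 end
 
-aws_opts[:region] = region if region
+if region
+aws_opts[:region] = region
+elsif !ENV['AWS_REGION']
+aws_opts[:region] = 'ap-northeast-1' # default region
+end
+
 Aws.config.update(aws_opts)
 
 if not format_passed and [file, output_file].any? {|i| i =~ /\.json\z/ }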
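Review bot: The fallback added in the second hunk, `elsif !ENV['AWS_REGION']`, only looks at `AWS_REGION`, so it forces `ap-northeast-1` into `Aws.config` even when the user has configured a region another way — as far as I recall the Ruby SDK also resolves `AWS_DEFAULT_REGION` and the `region` entry of the selected `--profile` in the shared config, and this assignment would take precedence over both. IAM endpoints are partition-scoped, so a GovCloud or China-partition profile would then be sent to the commercial partition and fail. Narrowing the guard to `elsif !ENV['AWS_REGION'] && !ENV['AWS_DEFAULT_REGION']`, or only defaulting when the SDK's own resolution yields nothing, avoids that override. The `-r` help string `'default: ap-northeast-1'` in the first hunk also reads as unconditional; `'default: ap-northeast-1 (unless AWS_REGION is set)'` would match what the code does. The enclosing `ARGV.options` block begins before the first hunk and continues past the second.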
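--- a/data/lib/subiam/client.rb
+++ b/data/lib/subiam/client.rb
@@ -60,7 +60,7 @@ class Subiam::Client
 expected = load_file(file)
 
 unless expected[:target]
-raise "Required setting on DSL `target` not found"
+raise "Target not found."
 end
 @target = expected[:target]
 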
@@ -1,3 +1,3 @@
1
1
  module Subiam
2
- VERSION = '1.2.1'
2
+ VERSION = '1.3.0'
3
3
  end
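--- a/metadata
+++ b/metadata
@@ -1,7 +1,7 @@
 --- !ruby/object:Gem::Specification
 name: subiam
 version: !ruby/object:Gem::Version
-version: 1.2.1
+version: 1.3.0
 platform: ruby
 authors:
 - Genki Sugawara
@@ -9,7 +9,7 @@ authors:
 autorequire:
 bindir: bin
 cert_chain: []
-date: 2016-05-26 00:00:00.000000000 Z
+date: 2016-05-27 00:00:00.000000000 Z
 dependencies:
 - !ruby/object:Gem::Dependency
 name: aws-sdk-core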