RubyGems - subiam - Versions diffs - 1.2.1 - Mend

subiam 1.2.1

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (41) hide show

checksums.yaml +7 -0
data/.gitignore +19 -0
data/.rspec +4 -0
data/Gemfile +4 -0
data/LICENSE.txt +48 -0
data/README.md +408 -0
data/Rakefile +5 -0
data/bin/subiam +189 -0
data/lib/subiam/client.rb +565 -0
data/lib/subiam/driver.rb +466 -0
data/lib/subiam/dsl/context/group.rb +35 -0
data/lib/subiam/dsl/context/managed_policy.rb +23 -0
data/lib/subiam/dsl/context/role.rb +59 -0
data/lib/subiam/dsl/context/user.rb +43 -0
data/lib/subiam/dsl/context.rb +101 -0
data/lib/subiam/dsl/converter.rb +202 -0
data/lib/subiam/dsl/helper/arn.rb +22 -0
data/lib/subiam/dsl.rb +9 -0
data/lib/subiam/exporter.rb +278 -0
data/lib/subiam/ext/array_ext.rb +13 -0
data/lib/subiam/ext/hash_ext.rb +41 -0
data/lib/subiam/ext/string_ext.rb +25 -0
data/lib/subiam/logger.rb +27 -0
data/lib/subiam/password_manager.rb +41 -0
data/lib/subiam/template_helper.rb +20 -0
data/lib/subiam/utils.rb +31 -0
data/lib/subiam/version.rb +3 -0
data/lib/subiam.rb +36 -0
data/spec/spec_helper.rb +95 -0
data/spec/subiam/attach_detach_policy_spec.rb +389 -0
data/spec/subiam/create_spec.rb +271 -0
data/spec/subiam/custom_managed_policy_spec.rb +232 -0
data/spec/subiam/delete_spec.rb +549 -0
data/spec/subiam/hash_ext_spec.rb +61 -0
data/spec/subiam/ignore_login_profile_spec.rb +73 -0
data/spec/subiam/rename_spec.rb +476 -0
data/spec/subiam/style_spec.rb +189 -0
data/spec/subiam/target_spec.rb +150 -0
data/spec/subiam/update_spec.rb +911 -0
data/subiam.gemspec +32 -0
metadata +251 -0

data/spec/subiam/update_spec.rb ADDED Viewed

@@ -0,0 +1,911 @@
+describe 'update' do
+  let(:dsl) do
+    <<-RUBY
+      target /^iam-test-/
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+        groups(
+          "iam-test-Admin",
+          "iam-test-SES"
+        )
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      user "iam-test-mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      group "iam-test-Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+      end
+      group "iam-test-SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+      end
+      role "iam-test-my-role", :path=>"/any/" do
+        instance_profiles(
+          "iam-test-my-instance-profile"
+        )
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+      instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+  let(:expected) do
+    {:users=>
+      {"iam-test-bob"=>
+        {:path=>"/devloper/",
+         :groups=>["iam-test-Admin", "iam-test-SES"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :login_profile=>{:password_reset_required=>true}},
+       "iam-test-mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>
+      {"iam-test-Admin"=>
+        {:path=>"/admin/",
+          :attached_managed_policies=>[],
+         :policies=>
+          {"Admin"=>
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+       "iam-test-SES"=>
+        {:path=>"/ses/",
+          :attached_managed_policies=>[],
+         :policies=>
+          {"ses-policy"=>
+            {"Statement"=>
+              [{"Effect"=>"Allow",
+                "Action"=>"ses:SendRawEmail",
+                "Resource"=>"*"}]}}}},
+     :policies=>{},
+     :roles=>
+      {"iam-test-my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["iam-test-my-instance-profile"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
+  end
+  before(:each) do
+    apply { dsl }
+  end
+  context 'when no change' do
+    subject { client }
+    it do
+      updated = apply(subject) { dsl }
+      expect(updated).to be_falsey
+      expect(export).to eq expected
+    end
+  end
+  context 'when update policy' do
+    let(:update_policy_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:Put*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:Put*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-mary"][:policies]["S3"]["Statement"][0]["Action"] = ["s3:Get*", "s3:List*", "s3:Put*"]
+      expected[:groups]["iam-test-SES"][:policies]["ses-policy"]["Statement"][0]["Action"] = "*"
+      expected[:roles]["iam-test-my-role"][:policies]["role-policy"]["Statement"][0]["Action"] = ["s3:Get*", "s3:List*", "s3:Put*"]
+      expect(export).to eq expected
+    end
+  end
+  context 'when update path' do
+    let(:update_path_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/xstaff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_path_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-mary"][:path] = "/xstaff/"
+      expected[:groups]["iam-test-SES"][:path] = "/ses/ses/"
+      expect(export).to eq expected
+    end
+  end
+  context 'when update path (role, instance_profile)' do
+    let(:cannot_update_path_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/xxx/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/xxx/"
+      RUBY
+    end
+    let(:logger) do
+      logger = Logger.new('/dev/null')
+      expect(logger).to receive(:warn).with("[WARN] Role `iam-test-my-role`: 'path' cannot be updated")
+      expect(logger).to receive(:warn).with("[WARN] InstanceProfile `iam-test-my-instance-profile`: 'path' cannot be updated")
+      logger
+    end
+    subject { client(logger: logger) }
+    it do
+      updated = apply(subject) { cannot_update_path_dsl }
+      expect(updated).to be_falsey
+      expect(export).to eq expected
+    end
+  end
+  context 'when update assume_role_policy' do
+    let(:update_assume_role_policy_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"SID",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_assume_role_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:roles]["iam-test-my-role"][:assume_role_policy_document]["Statement"][0]["Sid"] = "SID"
+      expect(export).to eq expected
+    end
+  end
+  context 'when update groups' do
+    let(:update_groups_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_groups_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin"]
+      expected[:users]["iam-test-mary"][:groups] = ["iam-test-Admin", "iam-test-SES"]
+      expect(export).to eq expected
+    end
+  end
+  context 'when update login_profile' do
+    let(:update_login_profile_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>false
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_login_profile_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-bob"][:login_profile][:password_reset_required] = false
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete login_profile' do
+    let(:delete_login_profile_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_login_profile_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-bob"].delete(:login_profile)
+      expect(export).to eq expected
+    end
+  end
+  context 'when delete policy' do
+    let(:delete_policy_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { delete_policy_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["iam-test-bob"][:policies].delete("S3")
+      expected[:groups]["iam-test-SES"][:policies].delete("ses-policy")
+      expected[:roles]["iam-test-my-role"][:policies].delete("role-policy")
+      expect(export).to eq expected
+    end
+  end
+  context 'when update instance_profiles' do
+    let(:update_instance_profiles_dsl) do
+      <<-RUBY
+        target /^iam-test-/
+        user "iam-test-bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+          groups(
+            "iam-test-Admin",
+            "iam-test-SES"
+          )
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        user "iam-test-mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+        group "iam-test-SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+        role "iam-test-my-role", :path=>"/any/" do
+          instance_profiles(
+            "iam-test-my-instance-profile2"
+          )
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+        instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+        instance_profile "iam-test-my-instance-profile2", :path=>"/profile2/"
+      RUBY
+    end
+    subject { client }
+    it do
+      updated = apply(subject) { update_instance_profiles_dsl }
+      expect(updated).to be_truthy
+      expected[:roles]["iam-test-my-role"][:instance_profiles] = ["iam-test-my-instance-profile2"]
+      expected[:instance_profiles]["iam-test-my-instance-profile2"] = {:path=>"/profile2/"}
+      expect(export).to eq expected
+    end
+  end
+end