subiam 1.2.1

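--- /dev/null
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -0,0 +1,911 @@
+describe 'update' do
+let(:dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+let(:expected) do
+{:users=>
+{"iam-test-bob"=>
+{:path=>"/devloper/",
+:groups=>["iam-test-Admin", "iam-test-SES"],
+:attached_managed_policies=>[],
+:policies=>
+{"S3"=>
+{"Statement"=>
+[{"Action"=>["s3:Get*", "s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}},
+:login_profile=>{:password_reset_required=>true}},
+"iam-test-mary"=>
+{:path=>"/staff/",
+:groups=>[],
+:attached_managed_policies=>[],
+:policies=>
+{"S3"=>
+{"Statement"=>
+[{"Action"=>["s3:Get*", "s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}}}},
+:groups=>
+{"iam-test-Admin"=>
+{:path=>"/admin/",
+:attached_managed_policies=>[],
+:policies=>
+{"Admin"=>
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+"iam-test-SES"=>
+{:path=>"/ses/",
+:attached_managed_policies=>[],
+:policies=>
+{"ses-policy"=>
+{"Statement"=>
+[{"Effect"=>"Allow",
+"Action"=>"ses:SendRawEmail",
+"Resource"=>"*"}]}}}},
+:policies=>{},
+:roles=>
+{"iam-test-my-role"=>
+{:path=>"/any/",
+:assume_role_policy_document=>
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]},
+:instance_profiles=>["iam-test-my-instance-profile"],
+:attached_managed_policies=>[],
+:policies=>
+{"role-policy"=>
+{"Statement"=>
+[{"Action"=>["s3:Get*", "s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}}}},
+:instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
+end
+
+before(:each) do
+apply { dsl }
+end
+
+context 'when no change' do
+subject { client }
+
+it do
+updated = apply(subject) { dsl }
+expect(updated).to be_falsey
+expect(export).to eq expected
+end
+end
+
+context 'when update policy' do
+let(:update_policy_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:Put*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:Put*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_policy_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-mary"][:policies]["S3"]["Statement"][0]["Action"] = ["s3:Get*", "s3:List*", "s3:Put*"]
+expected[:groups]["iam-test-SES"][:policies]["ses-policy"]["Statement"][0]["Action"] = "*"
+expected[:roles]["iam-test-my-role"][:policies]["role-policy"]["Statement"][0]["Action"] = ["s3:Get*", "s3:List*", "s3:Put*"]
+expect(export).to eq expected
+end
+end
+
+context 'when update path' do
+let(:update_path_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/xstaff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_path_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-mary"][:path] = "/xstaff/"
+expected[:groups]["iam-test-SES"][:path] = "/ses/ses/"
+expect(export).to eq expected
+end
+end
+
+context 'when update path (role, instance_profile)' do
+let(:cannot_update_path_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/xxx/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/xxx/"
+RUBY
+end
+
+let(:logger) do
+logger = Logger.new('/dev/null')
+expect(logger).to receive(:warn).with("[WARN] Role `iam-test-my-role`: 'path' cannot be updated")
+expect(logger).to receive(:warn).with("[WARN] InstanceProfile `iam-test-my-instance-profile`: 'path' cannot be updated")
+logger
+end
+
+subject { client(logger: logger) }
+
+it do
+updated = apply(subject) { cannot_update_path_dsl }
+expect(updated).to be_falsey
+expect(export).to eq expected
+end
+end
+
+context 'when update assume_role_policy' do
+let(:update_assume_role_policy_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"SID",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_assume_role_policy_dsl }
+expect(updated).to be_truthy
+expected[:roles]["iam-test-my-role"][:assume_role_policy_document]["Statement"][0]["Sid"] = "SID"
+expect(export).to eq expected
+end
+end
+
+context 'when update groups' do
+let(:update_groups_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_groups_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin"]
+expected[:users]["iam-test-mary"][:groups] = ["iam-test-Admin", "iam-test-SES"]
+expect(export).to eq expected
+end
+end
+
+context 'when update login_profile' do
+let(:update_login_profile_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>false
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_login_profile_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-bob"][:login_profile][:password_reset_required] = false
+expect(export).to eq expected
+end
+end
+
+context 'when delete login_profile' do
+let(:delete_login_profile_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { delete_login_profile_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-bob"].delete(:login_profile)
+expect(export).to eq expected
+end
+end
+
+context 'when delete policy' do
+let(:delete_policy_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { delete_policy_dsl }
+expect(updated).to be_truthy
+expected[:users]["iam-test-bob"][:policies].delete("S3")
+expected[:groups]["iam-test-SES"][:policies].delete("ses-policy")
+expected[:roles]["iam-test-my-role"][:policies].delete("role-policy")
+expect(export).to eq expected
+end
+end
+
+context 'when update instance_profiles' do
+let(:update_instance_profiles_dsl) do
+<<-RUBY
+target /^iam-test-/
+
+user "iam-test-bob", :path=>"/devloper/" do
+login_profile :password_reset_required=>true
+
+groups(
+"iam-test-Admin",
+"iam-test-SES"
+)
+
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+user "iam-test-mary", :path=>"/staff/" do
+policy "S3" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+group "iam-test-Admin", :path=>"/admin/" do
+policy "Admin" do
+{"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+end
+end
+
+group "iam-test-SES", :path=>"/ses/" do
+policy "ses-policy" do
+{"Statement"=>
+[{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+end
+end
+
+role "iam-test-my-role", :path=>"/any/" do
+instance_profiles(
+"iam-test-my-instance-profile2"
+)
+
+assume_role_policy_document do
+{"Version"=>"2012-10-17",
+"Statement"=>
+[{"Sid"=>"",
+"Effect"=>"Allow",
+"Principal"=>{"Service"=>"ec2.amazonaws.com"},
+"Action"=>"sts:AssumeRole"}]}
+end
+
+policy "role-policy" do
+{"Statement"=>
+[{"Action"=>
+["s3:Get*",
+"s3:List*"],
+"Effect"=>"Allow",
+"Resource"=>"*"}]}
+end
+end
+
+instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
+instance_profile "iam-test-my-instance-profile2", :path=>"/profile2/"
+RUBY
+end
+
+subject { client }
+
+it do
+updated = apply(subject) { update_instance_profiles_dsl }
+expect(updated).to be_truthy
+expected[:roles]["iam-test-my-role"][:instance_profiles] = ["iam-test-my-instance-profile2"]
+expected[:instance_profiles]["iam-test-my-instance-profile2"] = {:path=>"/profile2/"}
+expect(export).to eq expected
+end
+end
+end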
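Review bot: The two `expect(logger).to receive(:warn)` message expectations (gutter 403–404) live inside the lazily evaluated `let(:logger)`, so they are only installed once `subject` is first touched in the example; if a future example in that context never evaluates `subject`, the expectations are never set and the example passes without checking the warnings, so they belong in the `it` block or a `before` where their presence is explicit. In the 'when update policy' example (gutter 233 and 235) `expected` is patched to `["s3:Get*", "s3:List*", "s3:Put*"]` while the DSL lists `"s3:Put*"` second, which presumably relies on the export sorting Action arrays — a one-line comment such as `# export sorts Action arrays, so the order differs from the DSL` would save the next reader from suspecting a typo. Each context also repeats the ~70-line base DSL with a one- or two-line variation, which hides what the case actually changes; deriving each variant from `dsl` with a targeted `sub` on the changed line, or a small builder helper, would make the delta reviewable. The `describe` block is complete within the hunk.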