subiam 1.2.1

@@ -0,0 +1,271 @@
1
+ describe 'create' do
2
+ context 'when empty' do
3
+ subject { client }
4
+
5
+ it do
6
+ updated = apply(subject) { 'target /.*/' }
7
+ expect(updated).to be_falsey
8
+ expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
9
+ end
10
+ end
11
+
12
+ context 'when create user and group' do
13
+ let(:dsl) do
14
+ <<-RUBY
15
+ target /^iam-test-/
16
+
17
+ user "iam-test-bob", :path=>"/devloper/" do
18
+ login_profile :password_reset_required=>true
19
+
20
+ groups(
21
+ "iam-test-Admin",
22
+ "iam-test-SES"
23
+ )
24
+
25
+ policy "S3" do
26
+ {"Statement"=>
27
+ [{"Action"=>
28
+ ["s3:Get*",
29
+ "s3:List*"],
30
+ "Effect"=>"Allow",
31
+ "Resource"=>"*"}]}
32
+ end
33
+ end
34
+
35
+ user "iam-test-mary", :path=>"/staff/" do
36
+ policy "S3" do
37
+ {"Statement"=>
38
+ [{"Action"=>
39
+ ["s3:Get*",
40
+ "s3:List*"],
41
+ "Effect"=>"Allow",
42
+ "Resource"=>"*"}]}
43
+ end
44
+ end
45
+
46
+ group "iam-test-Admin", :path=>"/admin/" do
47
+ policy "Admin" do
48
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
49
+ end
50
+ end
51
+
52
+ group "iam-test-SES", :path=>"/ses/" do
53
+ policy "ses-policy" do
54
+ {"Statement"=>
55
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
56
+ end
57
+ end
58
+
59
+ role "iam-test-my-role", :path=>"/any/" do
60
+ instance_profiles(
61
+ "iam-test-my-instance-profile"
62
+ )
63
+
64
+ assume_role_policy_document do
65
+ {"Version"=>"2012-10-17",
66
+ "Statement"=>
67
+ [{"Sid"=>"",
68
+ "Effect"=>"Allow",
69
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
70
+ "Action"=>"sts:AssumeRole"}]}
71
+ end
72
+
73
+ policy "role-policy" do
74
+ {"Statement"=>
75
+ [{"Action"=>
76
+ ["s3:Get*",
77
+ "s3:List*"],
78
+ "Effect"=>"Allow",
79
+ "Resource"=>"*"}]}
80
+ end
81
+ end
82
+
83
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
84
+ RUBY
85
+ end
86
+
87
+ context 'when apply' do
88
+ subject { client }
89
+
90
+ let(:expected) do
91
+ {:users=>
92
+ {"iam-test-bob"=>
93
+ {:path=>"/devloper/",
94
+ :groups=>["iam-test-Admin", "iam-test-SES"],
95
+ :attached_managed_policies=>[],
96
+ :policies=>
97
+ {"S3"=>
98
+ {"Statement"=>
99
+ [{"Action"=>["s3:Get*", "s3:List*"],
100
+ "Effect"=>"Allow",
101
+ "Resource"=>"*"}]}},
102
+ :login_profile=>{:password_reset_required=>true}},
103
+ "iam-test-mary"=>
104
+ {:path=>"/staff/",
105
+ :groups=>[],
106
+ :attached_managed_policies=>[],
107
+ :policies=>
108
+ {"S3"=>
109
+ {"Statement"=>
110
+ [{"Action"=>["s3:Get*", "s3:List*"],
111
+ "Effect"=>"Allow",
112
+ "Resource"=>"*"}]}}}},
113
+ :groups=>
114
+ {"iam-test-Admin"=>
115
+ {:path=>"/admin/",
116
+ :attached_managed_policies=>[],
117
+ :policies=>
118
+ {"Admin"=>
119
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
120
+ "iam-test-SES"=>
121
+ {:path=>"/ses/",
122
+ :attached_managed_policies=>[],
123
+ :policies=>
124
+ {"ses-policy"=>
125
+ {"Statement"=>
126
+ [{"Effect"=>"Allow",
127
+ "Action"=>"ses:SendRawEmail",
128
+ "Resource"=>"*"}]}}}},
129
+ :policies => {},
130
+ :roles=>
131
+ {"iam-test-my-role"=>
132
+ {:path=>"/any/",
133
+ :assume_role_policy_document=>
134
+ {"Version"=>"2012-10-17",
135
+ "Statement"=>
136
+ [{"Sid"=>"",
137
+ "Effect"=>"Allow",
138
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
139
+ "Action"=>"sts:AssumeRole"}]},
140
+ :instance_profiles=>["iam-test-my-instance-profile"],
141
+ :attached_managed_policies=>[],
142
+ :policies=>
143
+ {"role-policy"=>
144
+ {"Statement"=>
145
+ [{"Action"=>["s3:Get*", "s3:List*"],
146
+ "Effect"=>"Allow",
147
+ "Resource"=>"*"}]}}}},
148
+ :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
149
+ end
150
+
151
+ it do
152
+ updated = apply(subject) { dsl }
153
+ expect(updated).to be_truthy
154
+ expect(export).to eq expected
155
+ end
156
+
157
+ context 'when using template' do
158
+ let(:dsl) do
159
+ <<-RUBY
160
+ target /^iam-test-/
161
+
162
+ template "iam-test-bob" do
163
+ login_profile :password_reset_required=>true
164
+
165
+ groups(
166
+ "iam-test-Admin",
167
+ "iam-test-SES"
168
+ )
169
+
170
+ policy "S3" do
171
+ {"Statement"=>
172
+ [{"Action"=>
173
+ ["s3:Get*",
174
+ "s3:List*"],
175
+ "Effect"=>"Allow",
176
+ "Resource"=>"*"}]}
177
+ end
178
+ end
179
+
180
+ template "iam-test-mary" do
181
+ policy "S3" do
182
+ {"Statement"=>
183
+ [{"Action"=>
184
+ ["s3:Get*",
185
+ "s3:List*"],
186
+ "Effect"=>"Allow",
187
+ "Resource"=>"*"}]}
188
+ end
189
+ end
190
+
191
+ user "iam-test-bob", :path=>"/devloper/" do
192
+ include_template context.user_name
193
+ end
194
+
195
+ user "iam-test-mary", :path=>"/staff/" do
196
+ include_template context.user_name
197
+ end
198
+
199
+ template "iam-test-Admin" do
200
+ policy context.policy_name do
201
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
202
+ end
203
+ end
204
+
205
+ template "iam-test-SES" do
206
+ policy context.policy_name do
207
+ {"Statement"=>
208
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
209
+ end
210
+ end
211
+
212
+ group "iam-test-Admin", :path=>"/admin/" do
213
+ include_template context.group_name, policy_name: "Admin"
214
+ end
215
+
216
+ group "iam-test-SES", :path=>"/ses/" do
217
+ context.policy_name = "ses-policy"
218
+ include_template context.group_name
219
+ end
220
+
221
+ template "iam-test-my-role" do
222
+ instance_profiles(
223
+ "iam-test-my-instance-profile"
224
+ )
225
+
226
+ assume_role_policy_document do
227
+ {"Version"=>"2012-10-17",
228
+ "Statement"=>
229
+ [{"Sid"=>"",
230
+ "Effect"=>"Allow",
231
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
232
+ "Action"=>"sts:AssumeRole"}]}
233
+ end
234
+
235
+ policy "role-policy" do
236
+ {"Statement"=>
237
+ [{"Action"=>
238
+ ["s3:Get*",
239
+ "s3:List*"],
240
+ "Effect"=>"Allow",
241
+ "Resource"=>"*"}]}
242
+ end
243
+ end
244
+
245
+ role "iam-test-my-role", :path=>"/any/" do
246
+ include_template context.role_name
247
+ end
248
+
249
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
250
+ RUBY
251
+ end
252
+
253
+ it do
254
+ updated = apply(subject) { dsl }
255
+ expect(updated).to be_truthy
256
+ expect(export).to eq expected
257
+ end
258
+ end
259
+ end
260
+
261
+ context 'when dry-run' do
262
+ subject { client(dry_run: true) }
263
+
264
+ it do
265
+ updated = apply(subject) { dsl }
266
+ expect(updated).to be_falsey
267
+ expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
268
+ end
269
+ end
270
+ end
271
+ end
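Review bot: The 'when empty' example at the top of this hunk applies an empty definition under `target /.*/`, which scopes the run to every IAM entity in the account instead of the `iam-test-` prefix every other example uses; if apply converges the account to the DSL (the create-and-delete example in the second file removes an undeclared managed policy, which suggests it does), this example is destructive against anything else living in a shared test account. Narrowing it to `target /^iam-test-/` still exercises the empty-definition path without that blast radius. Separately, the inline documents for "S3", "Admin", "ses-policy" and "role-policy" omit "Version"=>"2012-10-17" while the assume_role_policy_document includes it; AWS treats a version-less document as 2008-10-17 (no policy variables), and the expected export deliberately mirrors the omission, so a fixture comment such as `# no "Version" on purpose: IAM stores it as written and the export below must round-trip it` would stop a later "fix" from breaking the expectation.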
@@ -0,0 +1,232 @@
1
+ describe 'custom managed policy' do
2
+ let(:dsl) do
3
+ <<-RUBY
4
+ target /^iam-test-/
5
+
6
+ managed_policy "iam-test-my-policy", :path=>"/" do
7
+ {"Version"=>"2012-10-17",
8
+ "Statement"=>
9
+ [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
10
+ end
11
+
12
+ user "iam-test-mary", :path=>"/staff/" do
13
+ policy "S3" do
14
+ {"Statement"=>
15
+ [{"Action"=>
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ "Effect"=>"Allow",
19
+ "Resource"=>"*"}]}
20
+ end
21
+
22
+ attached_managed_policies(
23
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
24
+ )
25
+ end
26
+ RUBY
27
+ end
28
+
29
+ let(:expected) do
30
+ {:users=>
31
+ {"iam-test-mary"=>
32
+ {:path=>"/staff/",
33
+ :groups=>[],
34
+ :attached_managed_policies=>[
35
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"],
36
+ :policies=>
37
+ {"S3"=>
38
+ {"Statement"=>
39
+ [{"Action"=>["s3:Get*", "s3:List*"],
40
+ "Effect"=>"Allow",
41
+ "Resource"=>"*"}]}}}},
42
+ :groups=>{},
43
+ :instance_profiles=>{},
44
+ :policies=>
45
+ {"iam-test-my-policy"=>
46
+ {:path=>"/",
47
+ :document=>
48
+ {"Version"=>"2012-10-17",
49
+ "Statement"=>
50
+ [{"Effect"=>"Allow",
51
+ "Action"=>"directconnect:Describe*",
52
+ "Resource"=>"*"}]}}},
53
+ :roles=>{}}
54
+ end
55
+
56
+ before(:each) do
57
+ apply { dsl }
58
+ end
59
+
60
+ context 'when no change' do
61
+ subject { client }
62
+
63
+ it do
64
+ updated = apply(subject) { dsl }
65
+ expect(updated).to be_falsey
66
+ expect(export).to eq expected
67
+ end
68
+ end
69
+
70
+ context 'when create and attach' do
71
+ subject { client }
72
+
73
+ it do
74
+ updated = apply(subject) {
75
+ <<-RUBY
76
+ target /^iam-test-/
77
+
78
+ managed_policy "iam-test-my-policy", :path=>"/" do
79
+ {"Version"=>"2012-10-17",
80
+ "Statement"=>
81
+ [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
82
+ end
83
+
84
+ managed_policy "iam-test-my-policy2", :path=>"/" do
85
+ {"Version"=>"2012-10-17",
86
+ "Statement"=>
87
+ [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
88
+ end
89
+
90
+ user "iam-test-mary", :path=>"/staff/" do
91
+ policy "S3" do
92
+ {"Statement"=>
93
+ [{"Action"=>
94
+ ["s3:Get*",
95
+ "s3:List*"],
96
+ "Effect"=>"Allow",
97
+ "Resource"=>"*"}]}
98
+ end
99
+
100
+ attached_managed_policies(
101
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy",
102
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
103
+ )
104
+ end
105
+ RUBY
106
+ }
107
+
108
+ expect(updated).to be_truthy
109
+ expected[:policies]["iam-test-my-policy2"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}
110
+ expected[:users]["iam-test-mary"][:attached_managed_policies] << "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
111
+ expected[:users]["iam-test-mary"][:attached_managed_policies].sort!
112
+ actual = export
113
+ actual[:users]["iam-test-mary"][:attached_managed_policies].sort!
114
+ expect(actual).to eq expected
115
+ end
116
+ end
117
+
118
+ context 'when create and delete' do
119
+ subject { client }
120
+
121
+ it do
122
+ updated = apply(subject) {
123
+ <<-RUBY
124
+ target /^iam-test-/
125
+
126
+ managed_policy "iam-test-my-policy2", :path=>"/" do
127
+ {"Version"=>"2012-10-17",
128
+ "Statement"=>
129
+ [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
130
+ end
131
+
132
+ user "iam-test-mary", :path=>"/staff/" do
133
+ policy "S3" do
134
+ {"Statement"=>
135
+ [{"Action"=>
136
+ ["s3:Get*",
137
+ "s3:List*"],
138
+ "Effect"=>"Allow",
139
+ "Resource"=>"*"}]}
140
+ end
141
+
142
+ attached_managed_policies(
143
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
144
+ )
145
+ end
146
+ RUBY
147
+ }
148
+
149
+ expect(updated).to be_truthy
150
+ expected[:policies] = {"iam-test-my-policy2" => {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}}
151
+ expected[:users]["iam-test-mary"][:attached_managed_policies] = ["arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"]
152
+ expect(export).to eq expected
153
+ end
154
+ end
155
+
156
+ context 'when update' do
157
+ subject { client }
158
+
159
+ it do
160
+ updated = apply(subject) {
161
+ <<-RUBY
162
+ target /^iam-test-/
163
+
164
+ managed_policy "iam-test-my-policy", :path=>"/" do
165
+ {"Version"=>"2012-10-17",
166
+ "Statement"=>
167
+ [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
168
+ end
169
+
170
+ user "iam-test-mary", :path=>"/staff/" do
171
+ policy "S3" do
172
+ {"Statement"=>
173
+ [{"Action"=>
174
+ ["s3:Get*",
175
+ "s3:List*"],
176
+ "Effect"=>"Allow",
177
+ "Resource"=>"*"}]}
178
+ end
179
+
180
+ attached_managed_policies(
181
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
182
+ )
183
+ end
184
+ RUBY
185
+ }
186
+
187
+ expect(updated).to be_truthy
188
+ expected[:policies]["iam-test-my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
189
+ expect(export).to eq expected
190
+ end
191
+ end
192
+
193
+ context 'when update 7 times' do
194
+ subject { client }
195
+
196
+ it do
197
+ 4.times do
198
+ apply(subject) { dsl }
199
+
200
+ apply(subject) {
201
+ <<-RUBY
202
+ target /^iam-test-/
203
+
204
+ managed_policy "iam-test-my-policy", :path=>"/" do
205
+ {"Version"=>"2012-10-17",
206
+ "Statement"=>
207
+ [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
208
+ end
209
+
210
+ user "iam-test-mary", :path=>"/staff/" do
211
+ policy "S3" do
212
+ {"Statement"=>
213
+ [{"Action"=>
214
+ ["s3:Get*",
215
+ "s3:List*"],
216
+ "Effect"=>"Allow",
217
+ "Resource"=>"*"}]}
218
+ end
219
+
220
+ attached_managed_policies(
221
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
222
+ )
223
+ end
224
+ RUBY
225
+ }
226
+ end
227
+
228
+ expected[:policies]["iam-test-my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
229
+ expect(export).to eq expected
230
+ end
231
+ end
232
+ end
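Review bot: The 'when update 7 times' example gives no hint why the count matters, and the loop literally runs `4.times` with two applies each; the first apply after before(:each) is a no-op, so seven real document changes result, which exceeds IAM's five stored versions per customer managed policy and is presumably the version-pruning path under test. A comment on the `4.times do` line, `# 7 effective updates (first apply is a no-op): forces pruning past IAM's 5 stored policy versions`, would let the intent survive a refactor of the loop. The example also asserts only the final export, which would still match if a middle iteration silently did nothing; adding `expect(apply(subject) { ... }).to be_truthy` for the second apply inside the loop pins that every update actually went through.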