subiam 1.2.1

@@ -0,0 +1,271 @@
1
+ describe 'create' do
2
+ context 'when empty' do
3
+ subject { client }
4
+
5
+ it do
6
+ updated = apply(subject) { 'target /.*/' }
7
+ expect(updated).to be_falsey
8
+ expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
9
+ end
10
+ end
11
+
12
+ context 'when create user and group' do
13
+ let(:dsl) do
14
+ <<-RUBY
15
+ target /^iam-test-/
16
+
17
+ user "iam-test-bob", :path=>"/devloper/" do
18
+ login_profile :password_reset_required=>true
19
+
20
+ groups(
21
+ "iam-test-Admin",
22
+ "iam-test-SES"
23
+ )
24
+
25
+ policy "S3" do
26
+ {"Statement"=>
27
+ [{"Action"=>
28
+ ["s3:Get*",
29
+ "s3:List*"],
30
+ "Effect"=>"Allow",
31
+ "Resource"=>"*"}]}
32
+ end
33
+ end
34
+
35
+ user "iam-test-mary", :path=>"/staff/" do
36
+ policy "S3" do
37
+ {"Statement"=>
38
+ [{"Action"=>
39
+ ["s3:Get*",
40
+ "s3:List*"],
41
+ "Effect"=>"Allow",
42
+ "Resource"=>"*"}]}
43
+ end
44
+ end
45
+
46
+ group "iam-test-Admin", :path=>"/admin/" do
47
+ policy "Admin" do
48
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
49
+ end
50
+ end
51
+
52
+ group "iam-test-SES", :path=>"/ses/" do
53
+ policy "ses-policy" do
54
+ {"Statement"=>
55
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
56
+ end
57
+ end
58
+
59
+ role "iam-test-my-role", :path=>"/any/" do
60
+ instance_profiles(
61
+ "iam-test-my-instance-profile"
62
+ )
63
+
64
+ assume_role_policy_document do
65
+ {"Version"=>"2012-10-17",
66
+ "Statement"=>
67
+ [{"Sid"=>"",
68
+ "Effect"=>"Allow",
69
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
70
+ "Action"=>"sts:AssumeRole"}]}
71
+ end
72
+
73
+ policy "role-policy" do
74
+ {"Statement"=>
75
+ [{"Action"=>
76
+ ["s3:Get*",
77
+ "s3:List*"],
78
+ "Effect"=>"Allow",
79
+ "Resource"=>"*"}]}
80
+ end
81
+ end
82
+
83
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
84
+ RUBY
85
+ end
86
+
87
+ context 'when apply' do
88
+ subject { client }
89
+
90
+ let(:expected) do
91
+ {:users=>
92
+ {"iam-test-bob"=>
93
+ {:path=>"/devloper/",
94
+ :groups=>["iam-test-Admin", "iam-test-SES"],
95
+ :attached_managed_policies=>[],
96
+ :policies=>
97
+ {"S3"=>
98
+ {"Statement"=>
99
+ [{"Action"=>["s3:Get*", "s3:List*"],
100
+ "Effect"=>"Allow",
101
+ "Resource"=>"*"}]}},
102
+ :login_profile=>{:password_reset_required=>true}},
103
+ "iam-test-mary"=>
104
+ {:path=>"/staff/",
105
+ :groups=>[],
106
+ :attached_managed_policies=>[],
107
+ :policies=>
108
+ {"S3"=>
109
+ {"Statement"=>
110
+ [{"Action"=>["s3:Get*", "s3:List*"],
111
+ "Effect"=>"Allow",
112
+ "Resource"=>"*"}]}}}},
113
+ :groups=>
114
+ {"iam-test-Admin"=>
115
+ {:path=>"/admin/",
116
+ :attached_managed_policies=>[],
117
+ :policies=>
118
+ {"Admin"=>
119
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
120
+ "iam-test-SES"=>
121
+ {:path=>"/ses/",
122
+ :attached_managed_policies=>[],
123
+ :policies=>
124
+ {"ses-policy"=>
125
+ {"Statement"=>
126
+ [{"Effect"=>"Allow",
127
+ "Action"=>"ses:SendRawEmail",
128
+ "Resource"=>"*"}]}}}},
129
+ :policies => {},
130
+ :roles=>
131
+ {"iam-test-my-role"=>
132
+ {:path=>"/any/",
133
+ :assume_role_policy_document=>
134
+ {"Version"=>"2012-10-17",
135
+ "Statement"=>
136
+ [{"Sid"=>"",
137
+ "Effect"=>"Allow",
138
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
139
+ "Action"=>"sts:AssumeRole"}]},
140
+ :instance_profiles=>["iam-test-my-instance-profile"],
141
+ :attached_managed_policies=>[],
142
+ :policies=>
143
+ {"role-policy"=>
144
+ {"Statement"=>
145
+ [{"Action"=>["s3:Get*", "s3:List*"],
146
+ "Effect"=>"Allow",
147
+ "Resource"=>"*"}]}}}},
148
+ :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
149
+ end
150
+
151
+ it do
152
+ updated = apply(subject) { dsl }
153
+ expect(updated).to be_truthy
154
+ expect(export).to eq expected
155
+ end
156
+
157
+ context 'when using template' do
158
+ let(:dsl) do
159
+ <<-RUBY
160
+ target /^iam-test-/
161
+
162
+ template "iam-test-bob" do
163
+ login_profile :password_reset_required=>true
164
+
165
+ groups(
166
+ "iam-test-Admin",
167
+ "iam-test-SES"
168
+ )
169
+
170
+ policy "S3" do
171
+ {"Statement"=>
172
+ [{"Action"=>
173
+ ["s3:Get*",
174
+ "s3:List*"],
175
+ "Effect"=>"Allow",
176
+ "Resource"=>"*"}]}
177
+ end
178
+ end
179
+
180
+ template "iam-test-mary" do
181
+ policy "S3" do
182
+ {"Statement"=>
183
+ [{"Action"=>
184
+ ["s3:Get*",
185
+ "s3:List*"],
186
+ "Effect"=>"Allow",
187
+ "Resource"=>"*"}]}
188
+ end
189
+ end
190
+
191
+ user "iam-test-bob", :path=>"/devloper/" do
192
+ include_template context.user_name
193
+ end
194
+
195
+ user "iam-test-mary", :path=>"/staff/" do
196
+ include_template context.user_name
197
+ end
198
+
199
+ template "iam-test-Admin" do
200
+ policy context.policy_name do
201
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
202
+ end
203
+ end
204
+
205
+ template "iam-test-SES" do
206
+ policy context.policy_name do
207
+ {"Statement"=>
208
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
209
+ end
210
+ end
211
+
212
+ group "iam-test-Admin", :path=>"/admin/" do
213
+ include_template context.group_name, policy_name: "Admin"
214
+ end
215
+
216
+ group "iam-test-SES", :path=>"/ses/" do
217
+ context.policy_name = "ses-policy"
218
+ include_template context.group_name
219
+ end
220
+
221
+ template "iam-test-my-role" do
222
+ instance_profiles(
223
+ "iam-test-my-instance-profile"
224
+ )
225
+
226
+ assume_role_policy_document do
227
+ {"Version"=>"2012-10-17",
228
+ "Statement"=>
229
+ [{"Sid"=>"",
230
+ "Effect"=>"Allow",
231
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
232
+ "Action"=>"sts:AssumeRole"}]}
233
+ end
234
+
235
+ policy "role-policy" do
236
+ {"Statement"=>
237
+ [{"Action"=>
238
+ ["s3:Get*",
239
+ "s3:List*"],
240
+ "Effect"=>"Allow",
241
+ "Resource"=>"*"}]}
242
+ end
243
+ end
244
+
245
+ role "iam-test-my-role", :path=>"/any/" do
246
+ include_template context.role_name
247
+ end
248
+
249
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
250
+ RUBY
251
+ end
252
+
253
+ it do
254
+ updated = apply(subject) { dsl }
255
+ expect(updated).to be_truthy
256
+ expect(export).to eq expected
257
+ end
258
+ end
259
+ end
260
+
261
+ context 'when dry-run' do
262
+ subject { client(dry_run: true) }
263
+
264
+ it do
265
+ updated = apply(subject) { dsl }
266
+ expect(updated).to be_falsey
267
+ expect(export).to eq({:users=>{}, :groups=>{}, :roles=>{}, :instance_profiles=>{}, :policies => {}})
268
+ end
269
+ end
270
+ end
271
+ end
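Review bot: The 'when empty' case at the top of the hunk applies an empty DSL with `target /.*/`, while every other case in both spec files scopes the run to `target /^iam-test-/`; the 'create and delete' case in the second file shows that a managed policy dropped from the DSL is removed from the account, so an empty DSL under a catch-all target would, against any account that is not already empty, presumably delete every matching IAM entity the credentials can reach. Unless the `apply` helper in the spec support code (not visible here) already neutralises this, I would change the line to `updated = apply(subject) { 'target /^iam-test-/' }` so a mis-pointed credential file cannot be catastrophic, and keep the empty-export assertion as it is. The fixture also grants `"Action"=>"*", "Resource"=>"*"` to group `iam-test-Admin` and gives `iam-test-bob` a console login profile, which is acceptable for a disposable test account but deserves a comment above the DSL, e.g. `# NOTE: creates a full-admin group and a console login profile; run only against an isolated test account`.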
@@ -0,0 +1,232 @@
1
+ describe 'custom managed policy' do
2
+ let(:dsl) do
3
+ <<-RUBY
4
+ target /^iam-test-/
5
+
6
+ managed_policy "iam-test-my-policy", :path=>"/" do
7
+ {"Version"=>"2012-10-17",
8
+ "Statement"=>
9
+ [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
10
+ end
11
+
12
+ user "iam-test-mary", :path=>"/staff/" do
13
+ policy "S3" do
14
+ {"Statement"=>
15
+ [{"Action"=>
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ "Effect"=>"Allow",
19
+ "Resource"=>"*"}]}
20
+ end
21
+
22
+ attached_managed_policies(
23
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
24
+ )
25
+ end
26
+ RUBY
27
+ end
28
+
29
+ let(:expected) do
30
+ {:users=>
31
+ {"iam-test-mary"=>
32
+ {:path=>"/staff/",
33
+ :groups=>[],
34
+ :attached_managed_policies=>[
35
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"],
36
+ :policies=>
37
+ {"S3"=>
38
+ {"Statement"=>
39
+ [{"Action"=>["s3:Get*", "s3:List*"],
40
+ "Effect"=>"Allow",
41
+ "Resource"=>"*"}]}}}},
42
+ :groups=>{},
43
+ :instance_profiles=>{},
44
+ :policies=>
45
+ {"iam-test-my-policy"=>
46
+ {:path=>"/",
47
+ :document=>
48
+ {"Version"=>"2012-10-17",
49
+ "Statement"=>
50
+ [{"Effect"=>"Allow",
51
+ "Action"=>"directconnect:Describe*",
52
+ "Resource"=>"*"}]}}},
53
+ :roles=>{}}
54
+ end
55
+
56
+ before(:each) do
57
+ apply { dsl }
58
+ end
59
+
60
+ context 'when no change' do
61
+ subject { client }
62
+
63
+ it do
64
+ updated = apply(subject) { dsl }
65
+ expect(updated).to be_falsey
66
+ expect(export).to eq expected
67
+ end
68
+ end
69
+
70
+ context 'when create and attach' do
71
+ subject { client }
72
+
73
+ it do
74
+ updated = apply(subject) {
75
+ <<-RUBY
76
+ target /^iam-test-/
77
+
78
+ managed_policy "iam-test-my-policy", :path=>"/" do
79
+ {"Version"=>"2012-10-17",
80
+ "Statement"=>
81
+ [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
82
+ end
83
+
84
+ managed_policy "iam-test-my-policy2", :path=>"/" do
85
+ {"Version"=>"2012-10-17",
86
+ "Statement"=>
87
+ [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
88
+ end
89
+
90
+ user "iam-test-mary", :path=>"/staff/" do
91
+ policy "S3" do
92
+ {"Statement"=>
93
+ [{"Action"=>
94
+ ["s3:Get*",
95
+ "s3:List*"],
96
+ "Effect"=>"Allow",
97
+ "Resource"=>"*"}]}
98
+ end
99
+
100
+ attached_managed_policies(
101
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy",
102
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
103
+ )
104
+ end
105
+ RUBY
106
+ }
107
+
108
+ expect(updated).to be_truthy
109
+ expected[:policies]["iam-test-my-policy2"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}
110
+ expected[:users]["iam-test-mary"][:attached_managed_policies] << "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
111
+ expected[:users]["iam-test-mary"][:attached_managed_policies].sort!
112
+ actual = export
113
+ actual[:users]["iam-test-mary"][:attached_managed_policies].sort!
114
+ expect(actual).to eq expected
115
+ end
116
+ end
117
+
118
+ context 'when create and delete' do
119
+ subject { client }
120
+
121
+ it do
122
+ updated = apply(subject) {
123
+ <<-RUBY
124
+ target /^iam-test-/
125
+
126
+ managed_policy "iam-test-my-policy2", :path=>"/" do
127
+ {"Version"=>"2012-10-17",
128
+ "Statement"=>
129
+ [{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
130
+ end
131
+
132
+ user "iam-test-mary", :path=>"/staff/" do
133
+ policy "S3" do
134
+ {"Statement"=>
135
+ [{"Action"=>
136
+ ["s3:Get*",
137
+ "s3:List*"],
138
+ "Effect"=>"Allow",
139
+ "Resource"=>"*"}]}
140
+ end
141
+
142
+ attached_managed_policies(
143
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"
144
+ )
145
+ end
146
+ RUBY
147
+ }
148
+
149
+ expect(updated).to be_truthy
150
+ expected[:policies] = {"iam-test-my-policy2" => {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}}
151
+ expected[:users]["iam-test-mary"][:attached_managed_policies] = ["arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy2"]
152
+ expect(export).to eq expected
153
+ end
154
+ end
155
+
156
+ context 'when update' do
157
+ subject { client }
158
+
159
+ it do
160
+ updated = apply(subject) {
161
+ <<-RUBY
162
+ target /^iam-test-/
163
+
164
+ managed_policy "iam-test-my-policy", :path=>"/" do
165
+ {"Version"=>"2012-10-17",
166
+ "Statement"=>
167
+ [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
168
+ end
169
+
170
+ user "iam-test-mary", :path=>"/staff/" do
171
+ policy "S3" do
172
+ {"Statement"=>
173
+ [{"Action"=>
174
+ ["s3:Get*",
175
+ "s3:List*"],
176
+ "Effect"=>"Allow",
177
+ "Resource"=>"*"}]}
178
+ end
179
+
180
+ attached_managed_policies(
181
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
182
+ )
183
+ end
184
+ RUBY
185
+ }
186
+
187
+ expect(updated).to be_truthy
188
+ expected[:policies]["iam-test-my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
189
+ expect(export).to eq expected
190
+ end
191
+ end
192
+
193
+ context 'when update 7 times' do
194
+ subject { client }
195
+
196
+ it do
197
+ 4.times do
198
+ apply(subject) { dsl }
199
+
200
+ apply(subject) {
201
+ <<-RUBY
202
+ target /^iam-test-/
203
+
204
+ managed_policy "iam-test-my-policy", :path=>"/" do
205
+ {"Version"=>"2012-10-17",
206
+ "Statement"=>
207
+ [{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
208
+ end
209
+
210
+ user "iam-test-mary", :path=>"/staff/" do
211
+ policy "S3" do
212
+ {"Statement"=>
213
+ [{"Action"=>
214
+ ["s3:Get*",
215
+ "s3:List*"],
216
+ "Effect"=>"Allow",
217
+ "Resource"=>"*"}]}
218
+ end
219
+
220
+ attached_managed_policies(
221
+ "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/iam-test-my-policy"
222
+ )
223
+ end
224
+ RUBY
225
+ }
226
+ end
227
+
228
+ expected[:policies]["iam-test-my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
229
+ expect(export).to eq expected
230
+ end
231
+ end
232
+ end
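Review bot: The 'when update 7 times' case near the end of the hunk discards the return value of all eight `apply` calls inside the loop and asserts only the final exported document, so a run in which one of the intermediate updates was skipped would still pass as long as the last one lands. I would keep the flag on the second apply of each iteration, `updated = apply(subject) {` and `expect(updated).to be_truthy` after the closing `}` (the first apply of each iteration is a no-change re-apply of `dsl`, so it must stay unasserted), and if the intent is to exercise the managed-policy version cap — the name suggests it, but nothing here asserts it — also assert the number of remaining policy versions after the loop. A one-line comment stating what the seven updates are meant to prove would make the case self-explanatory. Separately, the `sort!` on the exported `attached_managed_policies` in the 'create and attach' case implies the export order is not stable; a comment such as `# export does not guarantee the order of attached policies` would explain why only that case sorts.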