subiam 1.2.1

@@ -0,0 +1,549 @@
1
+ # subiam which forked from subiam doesn't use delete
2
+ xdescribe 'delete' do
3
+ let(:dsl) do
4
+ <<-RUBY
5
+ user "bob", :path=>"/devloper/" do
6
+ login_profile :password_reset_required=>true
7
+
8
+ groups(
9
+ "Admin",
10
+ "SES"
11
+ )
12
+
13
+ policy "S3" do
14
+ {"Statement"=>
15
+ [{"Action"=>
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ "Effect"=>"Allow",
19
+ "Resource"=>"*"}]}
20
+ end
21
+ end
22
+
23
+ user "mary", :path=>"/staff/" do
24
+ policy "S3" do
25
+ {"Statement"=>
26
+ [{"Action"=>
27
+ ["s3:Get*",
28
+ "s3:List*"],
29
+ "Effect"=>"Allow",
30
+ "Resource"=>"*"}]}
31
+ end
32
+ end
33
+
34
+ group "Admin", :path=>"/admin/" do
35
+ policy "Admin" do
36
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
37
+ end
38
+ end
39
+
40
+ group "SES", :path=>"/ses/" do
41
+ policy "ses-policy" do
42
+ {"Statement"=>
43
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
44
+ end
45
+ end
46
+
47
+ role "my-role", :path=>"/any/" do
48
+ instance_profiles(
49
+ "my-instance-profile"
50
+ )
51
+
52
+ assume_role_policy_document do
53
+ {"Version"=>"2012-10-17",
54
+ "Statement"=>
55
+ [{"Sid"=>"",
56
+ "Effect"=>"Allow",
57
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
58
+ "Action"=>"sts:AssumeRole"}]}
59
+ end
60
+
61
+ policy "role-policy" do
62
+ {"Statement"=>
63
+ [{"Action"=>
64
+ ["s3:Get*",
65
+ "s3:List*"],
66
+ "Effect"=>"Allow",
67
+ "Resource"=>"*"}]}
68
+ end
69
+ end
70
+
71
+ instance_profile "my-instance-profile", :path=>"/profile/"
72
+ RUBY
73
+ end
74
+
75
+ let(:expected) do
76
+ {:users=>
77
+ {"bob"=>
78
+ {:path=>"/devloper/",
79
+ :groups=>["Admin", "SES"],
80
+ :attached_managed_policies=>[],
81
+ :policies=>
82
+ {"S3"=>
83
+ {"Statement"=>
84
+ [{"Action"=>["s3:Get*", "s3:List*"],
85
+ "Effect"=>"Allow",
86
+ "Resource"=>"*"}]}},
87
+ :login_profile=>{:password_reset_required=>true}},
88
+ "mary"=>
89
+ {:path=>"/staff/",
90
+ :groups=>[],
91
+ :attached_managed_policies=>[],
92
+ :policies=>
93
+ {"S3"=>
94
+ {"Statement"=>
95
+ [{"Action"=>["s3:Get*", "s3:List*"],
96
+ "Effect"=>"Allow",
97
+ "Resource"=>"*"}]}}}},
98
+ :groups=>
99
+ {"Admin"=>
100
+ {:path=>"/admin/",
101
+ :attached_managed_policies=>[],
102
+ :policies=>
103
+ {"Admin"=>
104
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
105
+ "SES"=>
106
+ {:path=>"/ses/",
107
+ :attached_managed_policies=>[],
108
+ :policies=>
109
+ {"ses-policy"=>
110
+ {"Statement"=>
111
+ [{"Effect"=>"Allow",
112
+ "Action"=>"ses:SendRawEmail",
113
+ "Resource"=>"*"}]}}}},
114
+ :policies => {},
115
+ :roles=>
116
+ {"my-role"=>
117
+ {:path=>"/any/",
118
+ :assume_role_policy_document=>
119
+ {"Version"=>"2012-10-17",
120
+ "Statement"=>
121
+ [{"Sid"=>"",
122
+ "Effect"=>"Allow",
123
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
124
+ "Action"=>"sts:AssumeRole"}]},
125
+ :instance_profiles=>["my-instance-profile"],
126
+ :attached_managed_policies=>[],
127
+ :policies=>
128
+ {"role-policy"=>
129
+ {"Statement"=>
130
+ [{"Action"=>["s3:Get*", "s3:List*"],
131
+ "Effect"=>"Allow",
132
+ "Resource"=>"*"}]}}}},
133
+ :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
134
+ end
135
+
136
+ before(:each) do
137
+ apply { dsl }
138
+ end
139
+
140
+ context 'when delete group' do
141
+ let(:delete_group_dsl) do
142
+ <<-RUBY
143
+ user "bob", :path=>"/devloper/" do
144
+ login_profile :password_reset_required=>true
145
+
146
+ groups(
147
+ "Admin"
148
+ )
149
+
150
+ policy "S3" do
151
+ {"Statement"=>
152
+ [{"Action"=>
153
+ ["s3:Get*",
154
+ "s3:List*"],
155
+ "Effect"=>"Allow",
156
+ "Resource"=>"*"}]}
157
+ end
158
+ end
159
+
160
+ user "mary", :path=>"/staff/" do
161
+ policy "S3" do
162
+ {"Statement"=>
163
+ [{"Action"=>
164
+ ["s3:Get*",
165
+ "s3:List*"],
166
+ "Effect"=>"Allow",
167
+ "Resource"=>"*"}]}
168
+ end
169
+ end
170
+
171
+ group "Admin", :path=>"/admin/" do
172
+ policy "Admin" do
173
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
174
+ end
175
+ end
176
+
177
+ role "my-role", :path=>"/any/" do
178
+ instance_profiles(
179
+ "my-instance-profile"
180
+ )
181
+
182
+ assume_role_policy_document do
183
+ {"Version"=>"2012-10-17",
184
+ "Statement"=>
185
+ [{"Sid"=>"",
186
+ "Effect"=>"Allow",
187
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
188
+ "Action"=>"sts:AssumeRole"}]}
189
+ end
190
+
191
+ policy "role-policy" do
192
+ {"Statement"=>
193
+ [{"Action"=>
194
+ ["s3:Get*",
195
+ "s3:List*"],
196
+ "Effect"=>"Allow",
197
+ "Resource"=>"*"}]}
198
+ end
199
+ end
200
+
201
+ instance_profile "my-instance-profile", :path=>"/profile/"
202
+ RUBY
203
+ end
204
+
205
+ subject { client }
206
+
207
+ it do
208
+ updated = apply(subject) { delete_group_dsl }
209
+ expect(updated).to be_truthy
210
+ expected[:users]["bob"][:groups] = ["Admin"]
211
+ expected[:groups].delete("SES")
212
+ expect(export).to eq expected
213
+ end
214
+ end
215
+
216
+ context 'when delete user' do
217
+ let(:delete_user_dsl) do
218
+ <<-RUBY
219
+ user "mary", :path=>"/staff/" do
220
+ policy "S3" do
221
+ {"Statement"=>
222
+ [{"Action"=>
223
+ ["s3:Get*",
224
+ "s3:List*"],
225
+ "Effect"=>"Allow",
226
+ "Resource"=>"*"}]}
227
+ end
228
+ end
229
+
230
+ group "Admin", :path=>"/admin/" do
231
+ policy "Admin" do
232
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
233
+ end
234
+ end
235
+
236
+ group "SES", :path=>"/ses/" do
237
+ policy "ses-policy" do
238
+ {"Statement"=>
239
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
240
+ end
241
+ end
242
+
243
+ role "my-role", :path=>"/any/" do
244
+ instance_profiles(
245
+ "my-instance-profile"
246
+ )
247
+
248
+ assume_role_policy_document do
249
+ {"Version"=>"2012-10-17",
250
+ "Statement"=>
251
+ [{"Sid"=>"",
252
+ "Effect"=>"Allow",
253
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
254
+ "Action"=>"sts:AssumeRole"}]}
255
+ end
256
+
257
+ policy "role-policy" do
258
+ {"Statement"=>
259
+ [{"Action"=>
260
+ ["s3:Get*",
261
+ "s3:List*"],
262
+ "Effect"=>"Allow",
263
+ "Resource"=>"*"}]}
264
+ end
265
+ end
266
+
267
+ instance_profile "my-instance-profile", :path=>"/profile/"
268
+ RUBY
269
+ end
270
+
271
+ subject { client }
272
+
273
+ it do
274
+ updated = apply(subject) { delete_user_dsl }
275
+ expect(updated).to be_truthy
276
+ expected[:users].delete("bob")
277
+ expect(export).to eq expected
278
+ end
279
+ end
280
+
281
+ context 'when delete user_and_group' do
282
+ let(:delete_user_and_group_dsl) do
283
+ <<-RUBY
284
+ user "mary", :path=>"/staff/" do
285
+ policy "S3" do
286
+ {"Statement"=>
287
+ [{"Action"=>
288
+ ["s3:Get*",
289
+ "s3:List*"],
290
+ "Effect"=>"Allow",
291
+ "Resource"=>"*"}]}
292
+ end
293
+ end
294
+
295
+ group "Admin", :path=>"/admin/" do
296
+ policy "Admin" do
297
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
298
+ end
299
+ end
300
+
301
+ role "my-role", :path=>"/any/" do
302
+ instance_profiles(
303
+ "my-instance-profile"
304
+ )
305
+
306
+ assume_role_policy_document do
307
+ {"Version"=>"2012-10-17",
308
+ "Statement"=>
309
+ [{"Sid"=>"",
310
+ "Effect"=>"Allow",
311
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
312
+ "Action"=>"sts:AssumeRole"}]}
313
+ end
314
+
315
+ policy "role-policy" do
316
+ {"Statement"=>
317
+ [{"Action"=>
318
+ ["s3:Get*",
319
+ "s3:List*"],
320
+ "Effect"=>"Allow",
321
+ "Resource"=>"*"}]}
322
+ end
323
+ end
324
+
325
+ instance_profile "my-instance-profile", :path=>"/profile/"
326
+ RUBY
327
+ end
328
+
329
+ context 'when apply' do
330
+ subject { client }
331
+
332
+ it do
333
+ updated = apply(subject) { delete_user_and_group_dsl }
334
+ expect(updated).to be_truthy
335
+ expected[:users].delete("bob")
336
+ expected[:groups].delete("SES")
337
+ expect(export).to eq expected
338
+ end
339
+ end
340
+
341
+ context 'when dry-run' do
342
+ subject { client(dry_run: true) }
343
+
344
+ it do
345
+ updated = apply(subject) { delete_user_and_group_dsl }
346
+ expect(updated).to be_falsey
347
+ expect(export).to eq expected
348
+ end
349
+ end
350
+ end
351
+
352
+ context 'when delete instance_profile' do
353
+ let(:delete_instance_profiles_dsl) do
354
+ <<-RUBY
355
+ user "bob", :path=>"/devloper/" do
356
+ login_profile :password_reset_required=>true
357
+
358
+ groups(
359
+ "Admin",
360
+ "SES"
361
+ )
362
+
363
+ policy "S3" do
364
+ {"Statement"=>
365
+ [{"Action"=>
366
+ ["s3:Get*",
367
+ "s3:List*"],
368
+ "Effect"=>"Allow",
369
+ "Resource"=>"*"}]}
370
+ end
371
+ end
372
+
373
+ user "mary", :path=>"/staff/" do
374
+ policy "S3" do
375
+ {"Statement"=>
376
+ [{"Action"=>
377
+ ["s3:Get*",
378
+ "s3:List*"],
379
+ "Effect"=>"Allow",
380
+ "Resource"=>"*"}]}
381
+ end
382
+ end
383
+
384
+ group "Admin", :path=>"/admin/" do
385
+ policy "Admin" do
386
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
387
+ end
388
+ end
389
+
390
+ group "SES", :path=>"/ses/" do
391
+ policy "ses-policy" do
392
+ {"Statement"=>
393
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
394
+ end
395
+ end
396
+
397
+ role "my-role", :path=>"/any/" do
398
+ instance_profiles(
399
+ )
400
+
401
+ assume_role_policy_document do
402
+ {"Version"=>"2012-10-17",
403
+ "Statement"=>
404
+ [{"Sid"=>"",
405
+ "Effect"=>"Allow",
406
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
407
+ "Action"=>"sts:AssumeRole"}]}
408
+ end
409
+
410
+ policy "role-policy" do
411
+ {"Statement"=>
412
+ [{"Action"=>
413
+ ["s3:Get*",
414
+ "s3:List*"],
415
+ "Effect"=>"Allow",
416
+ "Resource"=>"*"}]}
417
+ end
418
+ end
419
+ RUBY
420
+ end
421
+
422
+ subject { client }
423
+
424
+ it do
425
+ updated = apply(subject) { delete_instance_profiles_dsl }
426
+ expect(updated).to be_truthy
427
+ expected[:roles]["my-role"][:instance_profiles] = []
428
+ expected[:instance_profiles].delete("my-instance-profile")
429
+ expect(export).to eq expected
430
+ end
431
+ end
432
+
433
+ context 'when delete role' do
434
+ let(:delete_role_dsl) do
435
+ <<-RUBY
436
+ user "bob", :path=>"/devloper/" do
437
+ login_profile :password_reset_required=>true
438
+
439
+ groups(
440
+ "Admin",
441
+ "SES"
442
+ )
443
+
444
+ policy "S3" do
445
+ {"Statement"=>
446
+ [{"Action"=>
447
+ ["s3:Get*",
448
+ "s3:List*"],
449
+ "Effect"=>"Allow",
450
+ "Resource"=>"*"}]}
451
+ end
452
+ end
453
+
454
+ user "mary", :path=>"/staff/" do
455
+ policy "S3" do
456
+ {"Statement"=>
457
+ [{"Action"=>
458
+ ["s3:Get*",
459
+ "s3:List*"],
460
+ "Effect"=>"Allow",
461
+ "Resource"=>"*"}]}
462
+ end
463
+ end
464
+
465
+ group "Admin", :path=>"/admin/" do
466
+ policy "Admin" do
467
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
468
+ end
469
+ end
470
+
471
+ group "SES", :path=>"/ses/" do
472
+ policy "ses-policy" do
473
+ {"Statement"=>
474
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
475
+ end
476
+ end
477
+
478
+ instance_profile "my-instance-profile", :path=>"/profile/"
479
+ RUBY
480
+ end
481
+
482
+ subject { client }
483
+
484
+ it do
485
+ updated = apply(subject) { delete_role_dsl }
486
+ expect(updated).to be_truthy
487
+ expected[:roles].delete("my-role")
488
+ expect(export).to eq expected
489
+ end
490
+ end
491
+
492
+ context 'when delete role and instance_profile' do
493
+ let(:delete_role_and_instance_profile_dsl) do
494
+ <<-RUBY
495
+ user "bob", :path=>"/devloper/" do
496
+ login_profile :password_reset_required=>true
497
+
498
+ groups(
499
+ "Admin",
500
+ "SES"
501
+ )
502
+
503
+ policy "S3" do
504
+ {"Statement"=>
505
+ [{"Action"=>
506
+ ["s3:Get*",
507
+ "s3:List*"],
508
+ "Effect"=>"Allow",
509
+ "Resource"=>"*"}]}
510
+ end
511
+ end
512
+
513
+ user "mary", :path=>"/staff/" do
514
+ policy "S3" do
515
+ {"Statement"=>
516
+ [{"Action"=>
517
+ ["s3:Get*",
518
+ "s3:List*"],
519
+ "Effect"=>"Allow",
520
+ "Resource"=>"*"}]}
521
+ end
522
+ end
523
+
524
+ group "Admin", :path=>"/admin/" do
525
+ policy "Admin" do
526
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
527
+ end
528
+ end
529
+
530
+ group "SES", :path=>"/ses/" do
531
+ policy "ses-policy" do
532
+ {"Statement"=>
533
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
534
+ end
535
+ end
536
+ RUBY
537
+ end
538
+
539
+ subject { client }
540
+
541
+ it do
542
+ updated = apply(subject) { delete_role_and_instance_profile_dsl }
543
+ expect(updated).to be_truthy
544
+ expected[:roles].delete("my-role")
545
+ expected[:instance_profiles].delete("my-instance-profile")
546
+ expect(export).to eq expected
547
+ end
548
+ end
549
+ end
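Review bot: The whole `delete` suite is switched off by `xdescribe` at the top of the hunk, so the fork's stated behaviour — resources missing from the DSL are not deleted — has no test pinning it, and a regression that re-enabled destructive removal of IAM users, groups, roles or instance profiles would pass unnoticed. Rather than skipping the examples, keep the fixtures and invert the assertions: each example should apply the narrowed DSL and then assert `expect(export).to eq expected` without the preceding `expected[...].delete(...)` mutations, so the export still holds everything created by `apply { dsl }` in `before(:each)`. The leading comment also names subiam twice (`subiam which forked from subiam`), which hides which upstream the deletion semantics come from; something like `# subiam (forked from <upstream project>) intentionally does not delete resources absent from the DSL; these specs document the upstream behaviour` would say that.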
@@ -0,0 +1,61 @@
1
+ describe 'Hash#sort_array!' do
2
+ let(:hash) do
3
+ {:users=>
4
+ {"bob"=>
5
+ {:path=>"/devloper/",
6
+ :groups=>[],
7
+ :policies=>
8
+ {"S3"=>
9
+ {"Statement"=>
10
+ [{"Action"=>["s3:Put*", "s3:List*", "s3:Get*"],
11
+ "Effect"=>"Allow",
12
+ "Resource"=>"*"}]}},
13
+ :attached_managed_policies=>[
14
+ "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
15
+ "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"],
16
+ :login_profile=>{:password_reset_required=>true}}}}
17
+ end
18
+
19
+ let(:expected_hash) do
20
+ {:users=>
21
+ {"bob"=>
22
+ {:path=>"/devloper/",
23
+ :groups=>[],
24
+ :policies=>
25
+ {"S3"=>
26
+ {"Statement"=>
27
+ [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
28
+ "Effect"=>"Allow",
29
+ "Resource"=>"*"}]}},
30
+ :attached_managed_policies=>[
31
+ "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
32
+ "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
33
+ :login_profile=>{:password_reset_required=>true}}}}
34
+ end
35
+
36
+ subject { hash.sort_array! }
37
+
38
+ it { is_expected.to eq expected_hash }
39
+ end
40
+
41
+ describe 'Hash#keys_to_s_recursive' do
42
+ let(:hash) do
43
+ {S3:
44
+ {Statement:
45
+ [{Action: ["s3:Put*", "s3:List*", "s3:Get*"],
46
+ Effect: "Allow",
47
+ Resource: "*"}]}}
48
+ end
49
+
50
+ let(:expected_hash) do
51
+ {"S3" =>
52
+ {"Statement" =>
53
+ [{"Action" => ["s3:Put*", "s3:List*", "s3:Get*"],
54
+ "Effect" => "Allow",
55
+ "Resource" => "*"}]}}
56
+ end
57
+
58
+ subject { hash.keys_to_s_recursive }
59
+
60
+ it { is_expected.to eq expected_hash }
61
+ end
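Review bot: The `Hash#sort_array!` example only checks the return value of `subject { hash.sort_array! }`, so an implementation that returned a sorted copy while leaving the receiver untouched — or `nil` when nothing changed, as several core bang methods do — would not be caught; add an in-place assertion next to it, `it { subject; expect(hash).to eq expected_hash }`. The fixture's `"Statement"` array holds a single hash, so how `sort_array!` orders arrays of hashes — the case that matters when comparing IAM policy documents with several statements — is not exercised; a fixture with two statements in reversed order would cover it if the method is meant to sort them. Both methods are reopened on core `Hash` and their definitions are outside this diff, so their actual return and mutation behaviour cannot be confirmed from here.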
@@ -0,0 +1,73 @@
1
+ describe 'ignore login profile' do
2
+ let(:dsl) do
3
+ <<-RUBY
4
+ target /^iam-test-/
5
+
6
+ user "iam-test-bob", :path=>"/devloper/" do
7
+ login_profile :password_reset_required=>true
8
+
9
+ policy "S3" do
10
+ {"Statement"=>
11
+ [{"Action"=>
12
+ ["s3:Get*",
13
+ "s3:List*"],
14
+ "Effect"=>"Allow",
15
+ "Resource"=>"*"}]}
16
+ end
17
+ end
18
+ RUBY
19
+ end
20
+
21
+ let(:update_dsl) do
22
+ <<-RUBY
23
+ target /^iam-test-/
24
+
25
+ user "iam-test-bob", :path=>"/devloper/" do
26
+ login_profile :password_reset_required=>false
27
+
28
+ policy "S3" do
29
+ {"Statement"=>
30
+ [{"Action"=>
31
+ ["s3:Get*",
32
+ "s3:List*",
33
+ "s3:Put*"],
34
+ "Effect"=>"Allow",
35
+ "Resource"=>"*"}]}
36
+ end
37
+ end
38
+ RUBY
39
+ end
40
+
41
+ let(:expected) do
42
+ {:users=>
43
+ {"iam-test-bob"=>
44
+ {:path=>"/devloper/",
45
+ :groups=>[],
46
+ :policies=>
47
+ {"S3"=>
48
+ {"Statement"=>
49
+ [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
50
+ "Effect"=>"Allow",
51
+ "Resource"=>"*"}]}},
52
+ :attached_managed_policies=>[],
53
+ :login_profile=>{:password_reset_required=>true}}},
54
+ :groups=>{},
55
+ :policies=>{},
56
+ :roles=>{},
57
+ :instance_profiles=>{}}
58
+ end
59
+
60
+ before(:each) do
61
+ apply { dsl }
62
+ end
63
+
64
+ context 'when no change' do
65
+ subject { client(ignore_login_profile: true) }
66
+
67
+ it do
68
+ updated = apply(subject) { update_dsl }
69
+ expect(updated).to be_truthy
70
+ expect(export).to eq expected
71
+ end
72
+ end
73
+ end
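Review bot: The `'when no change'` context at the bottom of the hunk does not test a no-change case: `update_dsl` flips `:password_reset_required` to `false` but also adds `"s3:Put*"` to the S3 policy, so `expect(updated).to be_truthy` is satisfied by the policy edit and says nothing about whether the login-profile change was ignored; only the final `export` comparison carries that evidence. Rename the context (for example `context 'when login profile differs but is ignored'`) and add a second example whose DSL changes only the login profile, asserting that `apply` reports nothing applied and that the export is identical to the state before the call — that is the invariant `ignore_login_profile: true` exists for, and it guards against the option silently resetting users' password-reset flags. This assumes `apply` returns a falsey value when nothing is applied; confirm against the client before relying on it. The `login_profile_only_dsl` below is the existing `dsl` with `:password_reset_required=>false` and no other change.
```ruby
context 'when only the login profile changes' do
  subject { client(ignore_login_profile: true) }

  it do
    # login_profile_only_dsl: dsl with :password_reset_required=>false and nothing else changed
    state_before = export
    updated = apply(subject) { login_profile_only_dsl }
    expect(updated).to be_falsey
    expect(export).to eq state_before
  end
end
```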