subiam 1.2.1

data/spec/subiam/delete_spec.rb

@@ -0,0 +1,549 @@
+# subiam which forked from subiam doesn't use delete
+xdescribe 'delete' do
+  let(:dsl) do
+    <<-RUBY
+      user "bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+
+        groups(
+          "Admin",
+          "SES"
+        )
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+
+      user "mary", :path=>"/staff/" do
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+
+      group "Admin", :path=>"/admin/" do
+        policy "Admin" do
+          {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+        end
+      end
+
+      group "SES", :path=>"/ses/" do
+        policy "ses-policy" do
+          {"Statement"=>
+            [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+        end
+      end
+
+      role "my-role", :path=>"/any/" do
+        instance_profiles(
+          "my-instance-profile"
+        )
+
+        assume_role_policy_document do
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]}
+        end
+
+        policy "role-policy" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+
+      instance_profile "my-instance-profile", :path=>"/profile/"
+    RUBY
+  end
+
+  let(:expected) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>["Admin", "SES"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :login_profile=>{:password_reset_required=>true}},
+       "mary"=>
+        {:path=>"/staff/",
+         :groups=>[],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :groups=>
+      {"Admin"=>
+        {:path=>"/admin/",
+         :attached_managed_policies=>[],
+         :policies=>
+          {"Admin"=>
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
+       "SES"=>
+        {:path=>"/ses/",
+         :attached_managed_policies=>[],
+         :policies=>
+          {"ses-policy"=>
+            {"Statement"=>
+              [{"Effect"=>"Allow",
+                "Action"=>"ses:SendRawEmail",
+                "Resource"=>"*"}]}}}},
+     :policies => {},
+     :roles=>
+      {"my-role"=>
+        {:path=>"/any/",
+         :assume_role_policy_document=>
+          {"Version"=>"2012-10-17",
+           "Statement"=>
+            [{"Sid"=>"",
+              "Effect"=>"Allow",
+              "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+              "Action"=>"sts:AssumeRole"}]},
+         :instance_profiles=>["my-instance-profile"],
+         :attached_managed_policies=>[],
+         :policies=>
+          {"role-policy"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}}}},
+     :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}}
+  end
+
+  before(:each) do
+    apply { dsl }
+  end
+
+  context 'when delete group' do
+    let(:delete_group_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_group_dsl }
+      expect(updated).to be_truthy
+      expected[:users]["bob"][:groups] = ["Admin"]
+      expected[:groups].delete("SES")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete user' do
+    let(:delete_user_dsl) do
+      <<-RUBY
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_user_dsl }
+      expect(updated).to be_truthy
+      expected[:users].delete("bob")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete user_and_group' do
+    let(:delete_user_and_group_dsl) do
+      <<-RUBY
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+            "my-instance-profile"
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    context 'when apply' do
+      subject { client }
+
+      it do
+        updated = apply(subject) { delete_user_and_group_dsl }
+        expect(updated).to be_truthy
+        expected[:users].delete("bob")
+        expected[:groups].delete("SES")
+        expect(export).to eq expected
+      end
+    end
+
+    context 'when dry-run' do
+      subject { client(dry_run: true) }
+
+      it do
+        updated = apply(subject) { delete_user_and_group_dsl }
+        expect(updated).to be_falsey
+        expect(export).to eq expected
+      end
+    end
+  end
+
+  context 'when delete instance_profile' do
+    let(:delete_instance_profiles_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+
+        role "my-role", :path=>"/any/" do
+          instance_profiles(
+          )
+
+          assume_role_policy_document do
+            {"Version"=>"2012-10-17",
+             "Statement"=>
+              [{"Sid"=>"",
+                "Effect"=>"Allow",
+                "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+                "Action"=>"sts:AssumeRole"}]}
+          end
+
+          policy "role-policy" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_instance_profiles_dsl }
+      expect(updated).to be_truthy
+      expected[:roles]["my-role"][:instance_profiles] = []
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete role' do
+    let(:delete_role_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+
+        instance_profile "my-instance-profile", :path=>"/profile/"
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_role_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expect(export).to eq expected
+    end
+  end
+
+  context 'when delete role and instance_profile' do
+    let(:delete_role_and_instance_profile_dsl) do
+      <<-RUBY
+        user "bob", :path=>"/devloper/" do
+          login_profile :password_reset_required=>true
+
+          groups(
+            "Admin",
+            "SES"
+          )
+
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        user "mary", :path=>"/staff/" do
+          policy "S3" do
+            {"Statement"=>
+              [{"Action"=>
+                 ["s3:Get*",
+                  "s3:List*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}
+          end
+        end
+
+        group "Admin", :path=>"/admin/" do
+          policy "Admin" do
+            {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+          end
+        end
+
+        group "SES", :path=>"/ses/" do
+          policy "ses-policy" do
+            {"Statement"=>
+              [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
+          end
+        end
+      RUBY
+    end
+
+    subject { client }
+
+    it do
+      updated = apply(subject) { delete_role_and_instance_profile_dsl }
+      expect(updated).to be_truthy
+      expected[:roles].delete("my-role")
+      expected[:instance_profiles].delete("my-instance-profile")
+      expect(export).to eq expected
+    end
+  end
+end

data/spec/subiam/hash_ext_spec.rb

@@ -0,0 +1,61 @@
+describe 'Hash#sort_array!' do
+  let(:hash) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Put*", "s3:List*", "s3:Get*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess",
+          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess"],
+         :login_profile=>{:password_reset_required=>true}}}}
+  end
+
+  let(:expected_hash) do
+    {:users=>
+      {"bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[
+          "arn:aws:iam::aws:policy/AmazonEC2ReadOnlyAccess",
+          "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"],
+         :login_profile=>{:password_reset_required=>true}}}}
+  end
+
+  subject { hash.sort_array! }
+
+  it { is_expected.to eq expected_hash }
+end
+
+describe 'Hash#keys_to_s_recursive' do
+  let(:hash) do
+    {S3:
+         {Statement:
+              [{Action: ["s3:Put*", "s3:List*", "s3:Get*"],
+                Effect: "Allow",
+                Resource: "*"}]}}
+  end
+
+  let(:expected_hash) do
+    {"S3" =>
+         {"Statement" =>
+              [{"Action" => ["s3:Put*", "s3:List*", "s3:Get*"],
+                "Effect" => "Allow",
+                "Resource" => "*"}]}}
+  end
+
+  subject { hash.keys_to_s_recursive }
+
+  it { is_expected.to eq expected_hash }
+end

data/spec/subiam/ignore_login_profile_spec.rb

@@ -0,0 +1,73 @@
+describe 'ignore login profile' do
+  let(:dsl) do
+    <<-RUBY
+      target /^iam-test-/
+
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>true
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+    RUBY
+  end
+
+  let(:update_dsl) do
+    <<-RUBY
+      target /^iam-test-/
+
+      user "iam-test-bob", :path=>"/devloper/" do
+        login_profile :password_reset_required=>false
+
+        policy "S3" do
+          {"Statement"=>
+            [{"Action"=>
+               ["s3:Get*",
+                "s3:List*",
+                "s3:Put*"],
+              "Effect"=>"Allow",
+              "Resource"=>"*"}]}
+        end
+      end
+    RUBY
+  end
+
+  let(:expected) do
+    {:users=>
+      {"iam-test-bob"=>
+        {:path=>"/devloper/",
+         :groups=>[],
+         :policies=>
+          {"S3"=>
+            {"Statement"=>
+              [{"Action"=>["s3:Get*", "s3:List*", "s3:Put*"],
+                "Effect"=>"Allow",
+                "Resource"=>"*"}]}},
+         :attached_managed_policies=>[],
+         :login_profile=>{:password_reset_required=>true}}},
+     :groups=>{},
+     :policies=>{},
+     :roles=>{},
+     :instance_profiles=>{}}
+  end
+
+  before(:each) do
+    apply { dsl }
+  end
+
+  context 'when no change' do
+    subject { client(ignore_login_profile: true) }
+
+    it do
+      updated = apply(subject) { update_dsl }
+      expect(updated).to be_truthy
+      expect(export).to eq expected
+    end
+  end
+end