subiam 1.2.1

@@ -0,0 +1,476 @@
1
+ # subiam which forked from subiam doesn't use top level entity rename
2
+ xdescribe 'update' do
3
+ let(:dsl) do
4
+ <<-RUBY
5
+ user "iam-test-bob", :path=>"/devloper/" do
6
+ login_profile :password_reset_required=>true
7
+
8
+ groups(
9
+ "iam-test-Admin",
10
+ "iam-test-SES"
11
+ )
12
+
13
+ policy "S3" do
14
+ {"Statement"=>
15
+ [{"Action"=>
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ "Effect"=>"Allow",
19
+ "Resource"=>"*"}]}
20
+ end
21
+ end
22
+
23
+ user "iam-test-mary", :path=>"/staff/" do
24
+ policy "S3" do
25
+ {"Statement"=>
26
+ [{"Action"=>
27
+ ["s3:Get*",
28
+ "s3:List*"],
29
+ "Effect"=>"Allow",
30
+ "Resource"=>"*"}]}
31
+ end
32
+ end
33
+
34
+ group "iam-test-Admin", :path=>"/admin/" do
35
+ policy "Admin" do
36
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
37
+ end
38
+ end
39
+
40
+ group "iam-test-SES", :path=>"/ses/" do
41
+ policy "ses-policy" do
42
+ {"Statement"=>
43
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
44
+ end
45
+ end
46
+
47
+ role "iam-test-my-role", :path=>"/any/" do
48
+ instance_profiles(
49
+ "iam-test-my-instance-profile"
50
+ )
51
+
52
+ assume_role_policy_document do
53
+ {"Version"=>"2012-10-17",
54
+ "Statement"=>
55
+ [{"Sid"=>"",
56
+ "Effect"=>"Allow",
57
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
58
+ "Action"=>"sts:AssumeRole"}]}
59
+ end
60
+
61
+ policy "role-policy" do
62
+ {"Statement"=>
63
+ [{"Action"=>
64
+ ["s3:Get*",
65
+ "s3:List*"],
66
+ "Effect"=>"Allow",
67
+ "Resource"=>"*"}]}
68
+ end
69
+ end
70
+
71
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
72
+ RUBY
73
+ end
74
+
75
+ let(:expected) do
76
+ {:users=>
77
+ {"iam-test-bob"=>
78
+ {:path=>"/devloper/",
79
+ :groups=>["iam-test-Admin", "iam-test-SES"],
80
+ :attached_managed_policies=>[],
81
+ :policies=>
82
+ {"S3"=>
83
+ {"Statement"=>
84
+ [{"Action"=>["s3:Get*", "s3:List*"],
85
+ "Effect"=>"Allow",
86
+ "Resource"=>"*"}]}},
87
+ :login_profile=>{:password_reset_required=>true}},
88
+ "iam-test-mary"=>
89
+ {:path=>"/staff/",
90
+ :groups=>[],
91
+ :attached_managed_policies=>[],
92
+ :policies=>
93
+ {"S3"=>
94
+ {"Statement"=>
95
+ [{"Action"=>["s3:Get*", "s3:List*"],
96
+ "Effect"=>"Allow",
97
+ "Resource"=>"*"}]}}}},
98
+ :groups=>
99
+ {"iam-test-Admin"=>
100
+ {:path=>"/admin/",
101
+ :attached_managed_policies=>[],
102
+ :policies=>
103
+ {"Admin"=>
104
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
105
+ "iam-test-SES"=>
106
+ {:path=>"/ses/",
107
+ :attached_managed_policies=>[],
108
+ :policies=>
109
+ {"ses-policy"=>
110
+ {"Statement"=>
111
+ [{"Effect"=>"Allow",
112
+ "Action"=>"ses:SendRawEmail",
113
+ "Resource"=>"*"}]}}}},
114
+ :policies => {},
115
+ :roles=>
116
+ {"iam-test-my-role"=>
117
+ {:path=>"/any/",
118
+ :assume_role_policy_document=>
119
+ {"Version"=>"2012-10-17",
120
+ "Statement"=>
121
+ [{"Sid"=>"",
122
+ "Effect"=>"Allow",
123
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
124
+ "Action"=>"sts:AssumeRole"}]},
125
+ :instance_profiles=>["iam-test-my-instance-profile"],
126
+ :attached_managed_policies=>[],
127
+ :policies=>
128
+ {"role-policy"=>
129
+ {"Statement"=>
130
+ [{"Action"=>["s3:Get*", "s3:List*"],
131
+ "Effect"=>"Allow",
132
+ "Resource"=>"*"}]}}}},
133
+ :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
134
+ end
135
+
136
+ before(:each) do
137
+ apply { dsl }
138
+ end
139
+
140
+ context 'when rename user' do
141
+ let(:rename_user_dsl) do
142
+ <<-RUBY
143
+ user "iam-test-bob2", :path=>"/devloper/", :renamed_from=>"iam-test-bob" do
144
+ login_profile :password_reset_required=>true
145
+
146
+ groups(
147
+ "iam-test-Admin",
148
+ "iam-test-SES"
149
+ )
150
+
151
+ policy "S3" do
152
+ {"Statement"=>
153
+ [{"Action"=>
154
+ ["s3:Get*",
155
+ "s3:List*"],
156
+ "Effect"=>"Allow",
157
+ "Resource"=>"*"}]}
158
+ end
159
+ end
160
+
161
+ user "iam-test-mary", :path=>"/staff/" do
162
+ policy "S3" do
163
+ {"Statement"=>
164
+ [{"Action"=>
165
+ ["s3:Get*",
166
+ "s3:List*"],
167
+ "Effect"=>"Allow",
168
+ "Resource"=>"*"}]}
169
+ end
170
+ end
171
+
172
+ group "iam-test-Admin", :path=>"/admin/" do
173
+ policy "Admin" do
174
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
175
+ end
176
+ end
177
+
178
+ group "iam-test-SES", :path=>"/ses/" do
179
+ policy "ses-policy" do
180
+ {"Statement"=>
181
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
182
+ end
183
+ end
184
+
185
+ role "iam-test-my-role", :path=>"/any/" do
186
+ instance_profiles(
187
+ "iam-test-my-instance-profile"
188
+ )
189
+
190
+ assume_role_policy_document do
191
+ {"Version"=>"2012-10-17",
192
+ "Statement"=>
193
+ [{"Sid"=>"",
194
+ "Effect"=>"Allow",
195
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
196
+ "Action"=>"sts:AssumeRole"}]}
197
+ end
198
+
199
+ policy "role-policy" do
200
+ {"Statement"=>
201
+ [{"Action"=>
202
+ ["s3:Get*",
203
+ "s3:List*"],
204
+ "Effect"=>"Allow",
205
+ "Resource"=>"*"}]}
206
+ end
207
+ end
208
+
209
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
210
+ RUBY
211
+ end
212
+
213
+ subject { client }
214
+
215
+ it do
216
+ updated = apply(subject) { rename_user_dsl }
217
+ expect(updated).to be_truthy
218
+ expected[:users]["iam-test-bob2"] = expected[:users].delete("iam-test-bob")
219
+ expect(export).to eq expected
220
+ end
221
+ end
222
+
223
+ context 'when rename group' do
224
+ let(:rename_group_dsl) do
225
+ <<-RUBY
226
+ user "iam-test-bob", :path=>"/devloper/" do
227
+ login_profile :password_reset_required=>true
228
+
229
+ groups(
230
+ "iam-test-Admin",
231
+ "iam-test-SES2"
232
+ )
233
+
234
+ policy "S3" do
235
+ {"Statement"=>
236
+ [{"Action"=>
237
+ ["s3:Get*",
238
+ "s3:List*"],
239
+ "Effect"=>"Allow",
240
+ "Resource"=>"*"}]}
241
+ end
242
+ end
243
+
244
+ user "iam-test-mary", :path=>"/staff/" do
245
+ policy "S3" do
246
+ {"Statement"=>
247
+ [{"Action"=>
248
+ ["s3:Get*",
249
+ "s3:List*"],
250
+ "Effect"=>"Allow",
251
+ "Resource"=>"*"}]}
252
+ end
253
+ end
254
+
255
+ group "iam-test-Admin", :path=>"/admin/" do
256
+ policy "Admin" do
257
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
258
+ end
259
+ end
260
+
261
+ group "iam-test-SES2", :path=>"/ses/", :renamed_from=>"iam-test-SES2" do
262
+ policy "ses-policy" do
263
+ {"Statement"=>
264
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
265
+ end
266
+ end
267
+
268
+ role "iam-test-my-role", :path=>"/any/" do
269
+ instance_profiles(
270
+ "iam-test-my-instance-profile"
271
+ )
272
+
273
+ assume_role_policy_document do
274
+ {"Version"=>"2012-10-17",
275
+ "Statement"=>
276
+ [{"Sid"=>"",
277
+ "Effect"=>"Allow",
278
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
279
+ "Action"=>"sts:AssumeRole"}]}
280
+ end
281
+
282
+ policy "role-policy" do
283
+ {"Statement"=>
284
+ [{"Action"=>
285
+ ["s3:Get*",
286
+ "s3:List*"],
287
+ "Effect"=>"Allow",
288
+ "Resource"=>"*"}]}
289
+ end
290
+ end
291
+
292
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
293
+ RUBY
294
+ end
295
+
296
+ subject { client }
297
+
298
+ it do
299
+ updated = apply(subject) { rename_group_dsl }
300
+ expect(updated).to be_truthy
301
+ expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin", "iam-test-SES2"]
302
+ expected[:groups]["iam-test-SES2"] = expected[:groups].delete("iam-test-SES")
303
+ expect(export).to eq expected
304
+ end
305
+ end
306
+
307
+ context 'when rename without renamed_from' do
308
+ let(:rename_without_renamed_from_dsl) do
309
+ <<-RUBY
310
+ user "iam-test-bob2", :path=>"/devloper/" do
311
+ login_profile :password_reset_required=>true
312
+
313
+ groups(
314
+ "iam-test-Admin",
315
+ "iam-test-SES2"
316
+ )
317
+
318
+ policy "S3" do
319
+ {"Statement"=>
320
+ [{"Action"=>
321
+ ["s3:Get*",
322
+ "s3:List*"],
323
+ "Effect"=>"Allow",
324
+ "Resource"=>"*"}]}
325
+ end
326
+ end
327
+
328
+ user "iam-test-mary", :path=>"/staff/" do
329
+ policy "S3" do
330
+ {"Statement"=>
331
+ [{"Action"=>
332
+ ["s3:Get*",
333
+ "s3:List*"],
334
+ "Effect"=>"Allow",
335
+ "Resource"=>"*"}]}
336
+ end
337
+ end
338
+
339
+ group "iam-test-Admin", :path=>"/admin/" do
340
+ policy "Admin" do
341
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
342
+ end
343
+ end
344
+
345
+ group "iam-test-SES2", :path=>"/ses/" do
346
+ policy "ses-policy" do
347
+ {"Statement"=>
348
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
349
+ end
350
+ end
351
+
352
+ role "iam-test-my-role", :path=>"/any/" do
353
+ instance_profiles(
354
+ "iam-test-my-instance-profile"
355
+ )
356
+
357
+ assume_role_policy_document do
358
+ {"Version"=>"2012-10-17",
359
+ "Statement"=>
360
+ [{"Sid"=>"",
361
+ "Effect"=>"Allow",
362
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
363
+ "Action"=>"sts:AssumeRole"}]}
364
+ end
365
+
366
+ policy "role-policy" do
367
+ {"Statement"=>
368
+ [{"Action"=>
369
+ ["s3:Get*",
370
+ "s3:List*"],
371
+ "Effect"=>"Allow",
372
+ "Resource"=>"*"}]}
373
+ end
374
+ end
375
+
376
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
377
+ RUBY
378
+ end
379
+
380
+ subject { client }
381
+
382
+ it do
383
+ updated = apply(subject) { rename_without_renamed_from_dsl }
384
+ expect(updated).to be_truthy
385
+ expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin", "iam-test-SES2"]
386
+ expected[:users]["iam-test-bob2"] = expected[:users].delete("iam-test-bob")
387
+ expected[:groups]["iam-test-SES2"] = expected[:groups].delete("iam-test-SES")
388
+ expect(export).to eq expected
389
+ end
390
+ end
391
+
392
+ context 'when rename role and instance_profile' do
393
+ let(:rename_role_and_instance_profile_dsl) do
394
+ <<-RUBY
395
+ user "iam-test-bob", :path=>"/devloper/" do
396
+ login_profile :password_reset_required=>true
397
+
398
+ groups(
399
+ "iam-test-Admin",
400
+ "iam-test-SES"
401
+ )
402
+
403
+ policy "S3" do
404
+ {"Statement"=>
405
+ [{"Action"=>
406
+ ["s3:Get*",
407
+ "s3:List*"],
408
+ "Effect"=>"Allow",
409
+ "Resource"=>"*"}]}
410
+ end
411
+ end
412
+
413
+ user "iam-test-mary", :path=>"/staff/" do
414
+ policy "S3" do
415
+ {"Statement"=>
416
+ [{"Action"=>
417
+ ["s3:Get*",
418
+ "s3:List*"],
419
+ "Effect"=>"Allow",
420
+ "Resource"=>"*"}]}
421
+ end
422
+ end
423
+
424
+ group "iam-test-Admin", :path=>"/admin/" do
425
+ policy "Admin" do
426
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
427
+ end
428
+ end
429
+
430
+ group "iam-test-SES", :path=>"/ses/" do
431
+ policy "ses-policy" do
432
+ {"Statement"=>
433
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
434
+ end
435
+ end
436
+
437
+ role "iam-test-my-role2", :path=>"/any/" do
438
+ instance_profiles(
439
+ "iam-test-my-instance-profile2"
440
+ )
441
+
442
+ assume_role_policy_document do
443
+ {"Version"=>"2012-10-17",
444
+ "Statement"=>
445
+ [{"Sid"=>"",
446
+ "Effect"=>"Allow",
447
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
448
+ "Action"=>"sts:AssumeRole"}]}
449
+ end
450
+
451
+ policy "role-policy" do
452
+ {"Statement"=>
453
+ [{"Action"=>
454
+ ["s3:Get*",
455
+ "s3:List*"],
456
+ "Effect"=>"Allow",
457
+ "Resource"=>"*"}]}
458
+ end
459
+ end
460
+
461
+ instance_profile "iam-test-my-instance-profile2", :path=>"/profile/"
462
+ RUBY
463
+ end
464
+
465
+ subject { client }
466
+
467
+ it do
468
+ updated = apply(subject) { rename_role_and_instance_profile_dsl }
469
+ expect(updated).to be_truthy
470
+ expected[:roles]["iam-test-my-role"][:instance_profiles] = ["iam-test-my-instance-profile2"]
471
+ expected[:roles]["iam-test-my-role2"] = expected[:roles].delete("iam-test-my-role")
472
+ expected[:instance_profiles]["iam-test-my-instance-profile2"] = expected[:instance_profiles].delete("iam-test-my-instance-profile")
473
+ expect(export).to eq expected
474
+ end
475
+ end
476
+ end
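Review bot: In the 'when rename group' context the group declaration `group "iam-test-SES2", :path=>"/ses/", :renamed_from=>"iam-test-SES2"` names the group's own new name as the rename source, so it would not describe a rename of the existing `iam-test-SES` created by the `before(:each)` apply; it should read `:renamed_from=>"iam-test-SES"`, matching the user case above it (`:renamed_from=>"iam-test-bob"`). The whole block is `xdescribe`'d so nothing runs today, but the defect will surface as soon as it is re-enabled. The 'when rename without renamed_from' case expects the same exported structure as a true rename, which only holds if the tool implements that path as delete-old-plus-create-new; `export` cannot distinguish the two, and for an IAM user that distinction matters (a recreated user loses its access keys, MFA devices and login profile) — presumably intended, but worth a one-line comment such as `# without renamed_from the old user/group is deleted and recreated; export cannot tell the difference`. The leading comment `# subiam which forked from subiam doesn't use top level entity rename` looks like it meant to name the upstream project rather than `subiam` twice — confirm.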
@@ -0,0 +1,189 @@
1
+ describe 'style' do
2
+ context 'Symbol keys in policies' do
3
+ let(:dsl) do
4
+ <<-RUBY
5
+ user "iam-test-bob", :path=>"/devloper/" do
6
+ login_profile :password_reset_required=>true
7
+
8
+ groups(
9
+ "iam-test-Admin",
10
+ "iam-test-SES"
11
+ )
12
+
13
+ policy "S3" do
14
+ {Statement:
15
+ [{Action:
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ Effect: "Allow",
19
+ Resource: "*"}]}
20
+ end
21
+ end
22
+
23
+ user "iam-test-mary", :path=>"/staff/" do
24
+ policy "S3" do
25
+ {Statement:
26
+ [{Action:
27
+ ["s3:Get*",
28
+ "s3:List*"],
29
+ Effect: "Allow",
30
+ Resource: "*"}]}
31
+ end
32
+ end
33
+
34
+ group "iam-test-Admin", :path=>"/admin/" do
35
+ policy "Admin" do
36
+ {Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
37
+ end
38
+ end
39
+
40
+ group "iam-test-SES", :path=>"/ses/" do
41
+ policy "ses-policy" do
42
+ {Statement:
43
+ [{Effect: "Allow", Action: "ses:SendRawEmail", Resource: "*"}]}
44
+ end
45
+ end
46
+
47
+ role "iam-test-my-role", :path=>"/any/" do
48
+ instance_profiles(
49
+ "iam-test-my-instance-profile"
50
+ )
51
+
52
+ assume_role_policy_document do
53
+ {Version: "2012-10-17",
54
+ Statement:
55
+ [{Sid: "",
56
+ Effect: "Allow",
57
+ Principal: {"Service"=>"ec2.amazonaws.com"},
58
+ Action: "sts:AssumeRole"}]}
59
+ end
60
+
61
+ policy "role-policy" do
62
+ {Statement:
63
+ [{Action:
64
+ ["s3:Get*",
65
+ "s3:List*"],
66
+ Effect: "Allow",
67
+ Resource: "*"}]}
68
+ end
69
+ end
70
+
71
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
72
+ RUBY
73
+ end
74
+
75
+ let(:expected) do
76
+ {:users =>
77
+ {"iam-test-bob" =>
78
+ {:path => "/devloper/",
79
+ :groups => ["iam-test-Admin", "iam-test-SES"],
80
+ :attached_managed_policies => [],
81
+ :policies =>
82
+ {"S3" =>
83
+ {"Statement" =>
84
+ [{"Action" => ["s3:Get*", "s3:List*"],
85
+ "Effect" => "Allow",
86
+ "Resource" => "*"}]}},
87
+ :login_profile => {:password_reset_required => true}},
88
+ "iam-test-mary" =>
89
+ {:path => "/staff/",
90
+ :groups => [],
91
+ :attached_managed_policies => [],
92
+ :policies =>
93
+ {"S3" =>
94
+ {"Statement" =>
95
+ [{"Action" => ["s3:Get*", "s3:List*"],
96
+ "Effect" => "Allow",
97
+ "Resource" => "*"}]}}}},
98
+ :groups =>
99
+ {"iam-test-Admin" =>
100
+ {:path => "/admin/",
101
+ :attached_managed_policies => [],
102
+ :policies =>
103
+ {"Admin" =>
104
+ {"Statement" => [{"Effect" => "Allow", "Action" => "*", "Resource" => "*"}]}}},
105
+ "iam-test-SES" =>
106
+ {:path => "/ses/",
107
+ :attached_managed_policies => [],
108
+ :policies =>
109
+ {"ses-policy" =>
110
+ {"Statement" =>
111
+ [{"Effect" => "Allow",
112
+ "Action" => "ses:SendRawEmail",
113
+ "Resource" => "*"}]}}}},
114
+ :policies => {},
115
+ :roles =>
116
+ {"iam-test-my-role" =>
117
+ {:path => "/any/",
118
+ :assume_role_policy_document =>
119
+ {"Version" => "2012-10-17",
120
+ "Statement" =>
121
+ [{"Sid" => "",
122
+ "Effect" => "Allow",
123
+ "Principal" => {"Service" => "ec2.amazonaws.com"},
124
+ "Action" => "sts:AssumeRole"}]},
125
+ :instance_profiles => ["iam-test-my-instance-profile"],
126
+ :attached_managed_policies => [],
127
+ :policies =>
128
+ {"role-policy" =>
129
+ {"Statement" =>
130
+ [{"Action" => ["s3:Get*", "s3:List*"],
131
+ "Effect" => "Allow",
132
+ "Resource" => "*"}]}}}},
133
+ :instance_profiles => {"iam-test-my-instance-profile" => {:path => "/profile/"}}}
134
+ end
135
+
136
+ it "should coverted to String keys" do
137
+ parsed = parse { dsl }
138
+ parsed.delete(:target)
139
+ expect(parsed).to eq expected
140
+ end
141
+ end
142
+
143
+ context 'ARN helpers' do
144
+ let(:dsl) do
145
+ <<-RUBY
146
+ user "iam-test-bob", :path=>"/devloper/" do
147
+ attached_managed_policies(
148
+ arn_policy_by_aws("AdministratorAccess"),
149
+ arn_policy_by_current_account("MyPolicy")
150
+ )
151
+ end
152
+
153
+ group "iam-test-Admin", :path=>"/admin/" do
154
+ attached_managed_policies(
155
+ arn_policy_by_aws("AdministratorAccess"),
156
+ arn_policy_by_current_account("MyPolicy")
157
+ )
158
+ end
159
+
160
+ role "iam-test-my-role", :path=>"/any/" do
161
+ attached_managed_policies(
162
+ arn_policy_by_aws("AdministratorAccess"),
163
+ arn_policy_by_current_account("MyPolicy")
164
+ )
165
+
166
+ assume_role_policy_document do
167
+ {Version: "2012-10-17",
168
+ Statement:
169
+ [{Sid: "",
170
+ Effect: "Allow",
171
+ Principal: {"Service"=>"ec2.amazonaws.com"},
172
+ Action: "sts:AssumeRole"}]}
173
+ end
174
+ end
175
+ RUBY
176
+ end
177
+
178
+ it "should convert policy names to arn" do
179
+ parsed = parse { dsl }
180
+ expect(parsed[:users]["iam-test-bob"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
181
+ expect(parsed[:groups]["iam-test-Admin"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
182
+ expect(parsed[:roles]["iam-test-my-role"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
183
+
184
+ expect(parsed[:users]["iam-test-bob"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
185
+ expect(parsed[:groups]["iam-test-Admin"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
186
+ expect(parsed[:roles]["iam-test-my-role"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
187
+ end
188
+ end
189
+ end
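Review bot: The three `match %r(arn:aws:iam::\d+:policy/MyPolicy)` expectations at the end of the 'ARN helpers' example are unanchored, so a helper that returned a value with stray surrounding text (for example a suffix after `MyPolicy`, or a prefix before `arn:`) would still pass; anchor them and pin the account-id width, e.g. `%r{\Aarn:aws:iam::\d{12}:policy/MyPolicy\z}`, since AWS account IDs are always 12 digits. The `eq "arn:aws:iam::aws:policy/AdministratorAccess"` assertions pin the `aws` partition; if the helpers are meant to work in other partitions (`aws-cn`, `aws-us-gov`) that is not covered here — cannot tell from this hunk. The example name `"should coverted to String keys"` should read `"should be converted to String keys"`.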