subiam 1.2.1

@@ -0,0 +1,476 @@
1
+ # subiam which forked from subiam doesn't use top level entity rename
2
+ xdescribe 'update' do
3
+ let(:dsl) do
4
+ <<-RUBY
5
+ user "iam-test-bob", :path=>"/devloper/" do
6
+ login_profile :password_reset_required=>true
7
+
8
+ groups(
9
+ "iam-test-Admin",
10
+ "iam-test-SES"
11
+ )
12
+
13
+ policy "S3" do
14
+ {"Statement"=>
15
+ [{"Action"=>
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ "Effect"=>"Allow",
19
+ "Resource"=>"*"}]}
20
+ end
21
+ end
22
+
23
+ user "iam-test-mary", :path=>"/staff/" do
24
+ policy "S3" do
25
+ {"Statement"=>
26
+ [{"Action"=>
27
+ ["s3:Get*",
28
+ "s3:List*"],
29
+ "Effect"=>"Allow",
30
+ "Resource"=>"*"}]}
31
+ end
32
+ end
33
+
34
+ group "iam-test-Admin", :path=>"/admin/" do
35
+ policy "Admin" do
36
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
37
+ end
38
+ end
39
+
40
+ group "iam-test-SES", :path=>"/ses/" do
41
+ policy "ses-policy" do
42
+ {"Statement"=>
43
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
44
+ end
45
+ end
46
+
47
+ role "iam-test-my-role", :path=>"/any/" do
48
+ instance_profiles(
49
+ "iam-test-my-instance-profile"
50
+ )
51
+
52
+ assume_role_policy_document do
53
+ {"Version"=>"2012-10-17",
54
+ "Statement"=>
55
+ [{"Sid"=>"",
56
+ "Effect"=>"Allow",
57
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
58
+ "Action"=>"sts:AssumeRole"}]}
59
+ end
60
+
61
+ policy "role-policy" do
62
+ {"Statement"=>
63
+ [{"Action"=>
64
+ ["s3:Get*",
65
+ "s3:List*"],
66
+ "Effect"=>"Allow",
67
+ "Resource"=>"*"}]}
68
+ end
69
+ end
70
+
71
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
72
+ RUBY
73
+ end
74
+
75
+ let(:expected) do
76
+ {:users=>
77
+ {"iam-test-bob"=>
78
+ {:path=>"/devloper/",
79
+ :groups=>["iam-test-Admin", "iam-test-SES"],
80
+ :attached_managed_policies=>[],
81
+ :policies=>
82
+ {"S3"=>
83
+ {"Statement"=>
84
+ [{"Action"=>["s3:Get*", "s3:List*"],
85
+ "Effect"=>"Allow",
86
+ "Resource"=>"*"}]}},
87
+ :login_profile=>{:password_reset_required=>true}},
88
+ "iam-test-mary"=>
89
+ {:path=>"/staff/",
90
+ :groups=>[],
91
+ :attached_managed_policies=>[],
92
+ :policies=>
93
+ {"S3"=>
94
+ {"Statement"=>
95
+ [{"Action"=>["s3:Get*", "s3:List*"],
96
+ "Effect"=>"Allow",
97
+ "Resource"=>"*"}]}}}},
98
+ :groups=>
99
+ {"iam-test-Admin"=>
100
+ {:path=>"/admin/",
101
+ :attached_managed_policies=>[],
102
+ :policies=>
103
+ {"Admin"=>
104
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}},
105
+ "iam-test-SES"=>
106
+ {:path=>"/ses/",
107
+ :attached_managed_policies=>[],
108
+ :policies=>
109
+ {"ses-policy"=>
110
+ {"Statement"=>
111
+ [{"Effect"=>"Allow",
112
+ "Action"=>"ses:SendRawEmail",
113
+ "Resource"=>"*"}]}}}},
114
+ :policies => {},
115
+ :roles=>
116
+ {"iam-test-my-role"=>
117
+ {:path=>"/any/",
118
+ :assume_role_policy_document=>
119
+ {"Version"=>"2012-10-17",
120
+ "Statement"=>
121
+ [{"Sid"=>"",
122
+ "Effect"=>"Allow",
123
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
124
+ "Action"=>"sts:AssumeRole"}]},
125
+ :instance_profiles=>["iam-test-my-instance-profile"],
126
+ :attached_managed_policies=>[],
127
+ :policies=>
128
+ {"role-policy"=>
129
+ {"Statement"=>
130
+ [{"Action"=>["s3:Get*", "s3:List*"],
131
+ "Effect"=>"Allow",
132
+ "Resource"=>"*"}]}}}},
133
+ :instance_profiles=>{"iam-test-my-instance-profile"=>{:path=>"/profile/"}}}
134
+ end
135
+
136
+ before(:each) do
137
+ apply { dsl }
138
+ end
139
+
140
+ context 'when rename user' do
141
+ let(:rename_user_dsl) do
142
+ <<-RUBY
143
+ user "iam-test-bob2", :path=>"/devloper/", :renamed_from=>"iam-test-bob" do
144
+ login_profile :password_reset_required=>true
145
+
146
+ groups(
147
+ "iam-test-Admin",
148
+ "iam-test-SES"
149
+ )
150
+
151
+ policy "S3" do
152
+ {"Statement"=>
153
+ [{"Action"=>
154
+ ["s3:Get*",
155
+ "s3:List*"],
156
+ "Effect"=>"Allow",
157
+ "Resource"=>"*"}]}
158
+ end
159
+ end
160
+
161
+ user "iam-test-mary", :path=>"/staff/" do
162
+ policy "S3" do
163
+ {"Statement"=>
164
+ [{"Action"=>
165
+ ["s3:Get*",
166
+ "s3:List*"],
167
+ "Effect"=>"Allow",
168
+ "Resource"=>"*"}]}
169
+ end
170
+ end
171
+
172
+ group "iam-test-Admin", :path=>"/admin/" do
173
+ policy "Admin" do
174
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
175
+ end
176
+ end
177
+
178
+ group "iam-test-SES", :path=>"/ses/" do
179
+ policy "ses-policy" do
180
+ {"Statement"=>
181
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
182
+ end
183
+ end
184
+
185
+ role "iam-test-my-role", :path=>"/any/" do
186
+ instance_profiles(
187
+ "iam-test-my-instance-profile"
188
+ )
189
+
190
+ assume_role_policy_document do
191
+ {"Version"=>"2012-10-17",
192
+ "Statement"=>
193
+ [{"Sid"=>"",
194
+ "Effect"=>"Allow",
195
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
196
+ "Action"=>"sts:AssumeRole"}]}
197
+ end
198
+
199
+ policy "role-policy" do
200
+ {"Statement"=>
201
+ [{"Action"=>
202
+ ["s3:Get*",
203
+ "s3:List*"],
204
+ "Effect"=>"Allow",
205
+ "Resource"=>"*"}]}
206
+ end
207
+ end
208
+
209
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
210
+ RUBY
211
+ end
212
+
213
+ subject { client }
214
+
215
+ it do
216
+ updated = apply(subject) { rename_user_dsl }
217
+ expect(updated).to be_truthy
218
+ expected[:users]["iam-test-bob2"] = expected[:users].delete("iam-test-bob")
219
+ expect(export).to eq expected
220
+ end
221
+ end
222
+
223
+ context 'when rename group' do
224
+ let(:rename_group_dsl) do
225
+ <<-RUBY
226
+ user "iam-test-bob", :path=>"/devloper/" do
227
+ login_profile :password_reset_required=>true
228
+
229
+ groups(
230
+ "iam-test-Admin",
231
+ "iam-test-SES2"
232
+ )
233
+
234
+ policy "S3" do
235
+ {"Statement"=>
236
+ [{"Action"=>
237
+ ["s3:Get*",
238
+ "s3:List*"],
239
+ "Effect"=>"Allow",
240
+ "Resource"=>"*"}]}
241
+ end
242
+ end
243
+
244
+ user "iam-test-mary", :path=>"/staff/" do
245
+ policy "S3" do
246
+ {"Statement"=>
247
+ [{"Action"=>
248
+ ["s3:Get*",
249
+ "s3:List*"],
250
+ "Effect"=>"Allow",
251
+ "Resource"=>"*"}]}
252
+ end
253
+ end
254
+
255
+ group "iam-test-Admin", :path=>"/admin/" do
256
+ policy "Admin" do
257
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
258
+ end
259
+ end
260
+
261
+ group "iam-test-SES2", :path=>"/ses/", :renamed_from=>"iam-test-SES2" do
262
+ policy "ses-policy" do
263
+ {"Statement"=>
264
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
265
+ end
266
+ end
267
+
268
+ role "iam-test-my-role", :path=>"/any/" do
269
+ instance_profiles(
270
+ "iam-test-my-instance-profile"
271
+ )
272
+
273
+ assume_role_policy_document do
274
+ {"Version"=>"2012-10-17",
275
+ "Statement"=>
276
+ [{"Sid"=>"",
277
+ "Effect"=>"Allow",
278
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
279
+ "Action"=>"sts:AssumeRole"}]}
280
+ end
281
+
282
+ policy "role-policy" do
283
+ {"Statement"=>
284
+ [{"Action"=>
285
+ ["s3:Get*",
286
+ "s3:List*"],
287
+ "Effect"=>"Allow",
288
+ "Resource"=>"*"}]}
289
+ end
290
+ end
291
+
292
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
293
+ RUBY
294
+ end
295
+
296
+ subject { client }
297
+
298
+ it do
299
+ updated = apply(subject) { rename_group_dsl }
300
+ expect(updated).to be_truthy
301
+ expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin", "iam-test-SES2"]
302
+ expected[:groups]["iam-test-SES2"] = expected[:groups].delete("iam-test-SES")
303
+ expect(export).to eq expected
304
+ end
305
+ end
306
+
307
+ context 'when rename without renamed_from' do
308
+ let(:rename_without_renamed_from_dsl) do
309
+ <<-RUBY
310
+ user "iam-test-bob2", :path=>"/devloper/" do
311
+ login_profile :password_reset_required=>true
312
+
313
+ groups(
314
+ "iam-test-Admin",
315
+ "iam-test-SES2"
316
+ )
317
+
318
+ policy "S3" do
319
+ {"Statement"=>
320
+ [{"Action"=>
321
+ ["s3:Get*",
322
+ "s3:List*"],
323
+ "Effect"=>"Allow",
324
+ "Resource"=>"*"}]}
325
+ end
326
+ end
327
+
328
+ user "iam-test-mary", :path=>"/staff/" do
329
+ policy "S3" do
330
+ {"Statement"=>
331
+ [{"Action"=>
332
+ ["s3:Get*",
333
+ "s3:List*"],
334
+ "Effect"=>"Allow",
335
+ "Resource"=>"*"}]}
336
+ end
337
+ end
338
+
339
+ group "iam-test-Admin", :path=>"/admin/" do
340
+ policy "Admin" do
341
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
342
+ end
343
+ end
344
+
345
+ group "iam-test-SES2", :path=>"/ses/" do
346
+ policy "ses-policy" do
347
+ {"Statement"=>
348
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
349
+ end
350
+ end
351
+
352
+ role "iam-test-my-role", :path=>"/any/" do
353
+ instance_profiles(
354
+ "iam-test-my-instance-profile"
355
+ )
356
+
357
+ assume_role_policy_document do
358
+ {"Version"=>"2012-10-17",
359
+ "Statement"=>
360
+ [{"Sid"=>"",
361
+ "Effect"=>"Allow",
362
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
363
+ "Action"=>"sts:AssumeRole"}]}
364
+ end
365
+
366
+ policy "role-policy" do
367
+ {"Statement"=>
368
+ [{"Action"=>
369
+ ["s3:Get*",
370
+ "s3:List*"],
371
+ "Effect"=>"Allow",
372
+ "Resource"=>"*"}]}
373
+ end
374
+ end
375
+
376
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
377
+ RUBY
378
+ end
379
+
380
+ subject { client }
381
+
382
+ it do
383
+ updated = apply(subject) { rename_without_renamed_from_dsl }
384
+ expect(updated).to be_truthy
385
+ expected[:users]["iam-test-bob"][:groups] = ["iam-test-Admin", "iam-test-SES2"]
386
+ expected[:users]["iam-test-bob2"] = expected[:users].delete("iam-test-bob")
387
+ expected[:groups]["iam-test-SES2"] = expected[:groups].delete("iam-test-SES")
388
+ expect(export).to eq expected
389
+ end
390
+ end
391
+
392
+ context 'when rename role and instance_profile' do
393
+ let(:rename_role_and_instance_profile_dsl) do
394
+ <<-RUBY
395
+ user "iam-test-bob", :path=>"/devloper/" do
396
+ login_profile :password_reset_required=>true
397
+
398
+ groups(
399
+ "iam-test-Admin",
400
+ "iam-test-SES"
401
+ )
402
+
403
+ policy "S3" do
404
+ {"Statement"=>
405
+ [{"Action"=>
406
+ ["s3:Get*",
407
+ "s3:List*"],
408
+ "Effect"=>"Allow",
409
+ "Resource"=>"*"}]}
410
+ end
411
+ end
412
+
413
+ user "iam-test-mary", :path=>"/staff/" do
414
+ policy "S3" do
415
+ {"Statement"=>
416
+ [{"Action"=>
417
+ ["s3:Get*",
418
+ "s3:List*"],
419
+ "Effect"=>"Allow",
420
+ "Resource"=>"*"}]}
421
+ end
422
+ end
423
+
424
+ group "iam-test-Admin", :path=>"/admin/" do
425
+ policy "Admin" do
426
+ {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
427
+ end
428
+ end
429
+
430
+ group "iam-test-SES", :path=>"/ses/" do
431
+ policy "ses-policy" do
432
+ {"Statement"=>
433
+ [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}
434
+ end
435
+ end
436
+
437
+ role "iam-test-my-role2", :path=>"/any/" do
438
+ instance_profiles(
439
+ "iam-test-my-instance-profile2"
440
+ )
441
+
442
+ assume_role_policy_document do
443
+ {"Version"=>"2012-10-17",
444
+ "Statement"=>
445
+ [{"Sid"=>"",
446
+ "Effect"=>"Allow",
447
+ "Principal"=>{"Service"=>"ec2.amazonaws.com"},
448
+ "Action"=>"sts:AssumeRole"}]}
449
+ end
450
+
451
+ policy "role-policy" do
452
+ {"Statement"=>
453
+ [{"Action"=>
454
+ ["s3:Get*",
455
+ "s3:List*"],
456
+ "Effect"=>"Allow",
457
+ "Resource"=>"*"}]}
458
+ end
459
+ end
460
+
461
+ instance_profile "iam-test-my-instance-profile2", :path=>"/profile/"
462
+ RUBY
463
+ end
464
+
465
+ subject { client }
466
+
467
+ it do
468
+ updated = apply(subject) { rename_role_and_instance_profile_dsl }
469
+ expect(updated).to be_truthy
470
+ expected[:roles]["iam-test-my-role"][:instance_profiles] = ["iam-test-my-instance-profile2"]
471
+ expected[:roles]["iam-test-my-role2"] = expected[:roles].delete("iam-test-my-role")
472
+ expected[:instance_profiles]["iam-test-my-instance-profile2"] = expected[:instance_profiles].delete("iam-test-my-instance-profile")
473
+ expect(export).to eq expected
474
+ end
475
+ end
476
+ end
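Review bot: The group rename fixture at gutter line 261 sets `:renamed_from=>"iam-test-SES2"`, i.e. the group's own new name, so it can never match the `iam-test-SES` group created by the `before` block and the "when rename group" expectation at gutter lines 301–302 is not actually exercising a rename; it should read `group "iam-test-SES2", :path=>"/ses/", :renamed_from=>"iam-test-SES" do`. This went unnoticed because the whole block is wrapped in `xdescribe`, so none of the rename paths — the only paths in this file that delete and recreate IAM principals — are run by the suite. The header comment at gutter line 1 also names subiam as its own fork origin, which looks like a slip for the upstream project name, and the four `it do` examples carry no description, so a failure would be reported only by line number; e.g. `it "moves the user to its new name and keeps its groups and policies" do`.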
@@ -0,0 +1,189 @@
1
+ describe 'style' do
2
+ context 'Symbol keys in policies' do
3
+ let(:dsl) do
4
+ <<-RUBY
5
+ user "iam-test-bob", :path=>"/devloper/" do
6
+ login_profile :password_reset_required=>true
7
+
8
+ groups(
9
+ "iam-test-Admin",
10
+ "iam-test-SES"
11
+ )
12
+
13
+ policy "S3" do
14
+ {Statement:
15
+ [{Action:
16
+ ["s3:Get*",
17
+ "s3:List*"],
18
+ Effect: "Allow",
19
+ Resource: "*"}]}
20
+ end
21
+ end
22
+
23
+ user "iam-test-mary", :path=>"/staff/" do
24
+ policy "S3" do
25
+ {Statement:
26
+ [{Action:
27
+ ["s3:Get*",
28
+ "s3:List*"],
29
+ Effect: "Allow",
30
+ Resource: "*"}]}
31
+ end
32
+ end
33
+
34
+ group "iam-test-Admin", :path=>"/admin/" do
35
+ policy "Admin" do
36
+ {Statement: [{Effect: "Allow", Action: "*", Resource: "*"}]}
37
+ end
38
+ end
39
+
40
+ group "iam-test-SES", :path=>"/ses/" do
41
+ policy "ses-policy" do
42
+ {Statement:
43
+ [{Effect: "Allow", Action: "ses:SendRawEmail", Resource: "*"}]}
44
+ end
45
+ end
46
+
47
+ role "iam-test-my-role", :path=>"/any/" do
48
+ instance_profiles(
49
+ "iam-test-my-instance-profile"
50
+ )
51
+
52
+ assume_role_policy_document do
53
+ {Version: "2012-10-17",
54
+ Statement:
55
+ [{Sid: "",
56
+ Effect: "Allow",
57
+ Principal: {"Service"=>"ec2.amazonaws.com"},
58
+ Action: "sts:AssumeRole"}]}
59
+ end
60
+
61
+ policy "role-policy" do
62
+ {Statement:
63
+ [{Action:
64
+ ["s3:Get*",
65
+ "s3:List*"],
66
+ Effect: "Allow",
67
+ Resource: "*"}]}
68
+ end
69
+ end
70
+
71
+ instance_profile "iam-test-my-instance-profile", :path=>"/profile/"
72
+ RUBY
73
+ end
74
+
75
+ let(:expected) do
76
+ {:users =>
77
+ {"iam-test-bob" =>
78
+ {:path => "/devloper/",
79
+ :groups => ["iam-test-Admin", "iam-test-SES"],
80
+ :attached_managed_policies => [],
81
+ :policies =>
82
+ {"S3" =>
83
+ {"Statement" =>
84
+ [{"Action" => ["s3:Get*", "s3:List*"],
85
+ "Effect" => "Allow",
86
+ "Resource" => "*"}]}},
87
+ :login_profile => {:password_reset_required => true}},
88
+ "iam-test-mary" =>
89
+ {:path => "/staff/",
90
+ :groups => [],
91
+ :attached_managed_policies => [],
92
+ :policies =>
93
+ {"S3" =>
94
+ {"Statement" =>
95
+ [{"Action" => ["s3:Get*", "s3:List*"],
96
+ "Effect" => "Allow",
97
+ "Resource" => "*"}]}}}},
98
+ :groups =>
99
+ {"iam-test-Admin" =>
100
+ {:path => "/admin/",
101
+ :attached_managed_policies => [],
102
+ :policies =>
103
+ {"Admin" =>
104
+ {"Statement" => [{"Effect" => "Allow", "Action" => "*", "Resource" => "*"}]}}},
105
+ "iam-test-SES" =>
106
+ {:path => "/ses/",
107
+ :attached_managed_policies => [],
108
+ :policies =>
109
+ {"ses-policy" =>
110
+ {"Statement" =>
111
+ [{"Effect" => "Allow",
112
+ "Action" => "ses:SendRawEmail",
113
+ "Resource" => "*"}]}}}},
114
+ :policies => {},
115
+ :roles =>
116
+ {"iam-test-my-role" =>
117
+ {:path => "/any/",
118
+ :assume_role_policy_document =>
119
+ {"Version" => "2012-10-17",
120
+ "Statement" =>
121
+ [{"Sid" => "",
122
+ "Effect" => "Allow",
123
+ "Principal" => {"Service" => "ec2.amazonaws.com"},
124
+ "Action" => "sts:AssumeRole"}]},
125
+ :instance_profiles => ["iam-test-my-instance-profile"],
126
+ :attached_managed_policies => [],
127
+ :policies =>
128
+ {"role-policy" =>
129
+ {"Statement" =>
130
+ [{"Action" => ["s3:Get*", "s3:List*"],
131
+ "Effect" => "Allow",
132
+ "Resource" => "*"}]}}}},
133
+ :instance_profiles => {"iam-test-my-instance-profile" => {:path => "/profile/"}}}
134
+ end
135
+
136
+ it "should coverted to String keys" do
137
+ parsed = parse { dsl }
138
+ parsed.delete(:target)
139
+ expect(parsed).to eq expected
140
+ end
141
+ end
142
+
143
+ context 'ARN helpers' do
144
+ let(:dsl) do
145
+ <<-RUBY
146
+ user "iam-test-bob", :path=>"/devloper/" do
147
+ attached_managed_policies(
148
+ arn_policy_by_aws("AdministratorAccess"),
149
+ arn_policy_by_current_account("MyPolicy")
150
+ )
151
+ end
152
+
153
+ group "iam-test-Admin", :path=>"/admin/" do
154
+ attached_managed_policies(
155
+ arn_policy_by_aws("AdministratorAccess"),
156
+ arn_policy_by_current_account("MyPolicy")
157
+ )
158
+ end
159
+
160
+ role "iam-test-my-role", :path=>"/any/" do
161
+ attached_managed_policies(
162
+ arn_policy_by_aws("AdministratorAccess"),
163
+ arn_policy_by_current_account("MyPolicy")
164
+ )
165
+
166
+ assume_role_policy_document do
167
+ {Version: "2012-10-17",
168
+ Statement:
169
+ [{Sid: "",
170
+ Effect: "Allow",
171
+ Principal: {"Service"=>"ec2.amazonaws.com"},
172
+ Action: "sts:AssumeRole"}]}
173
+ end
174
+ end
175
+ RUBY
176
+ end
177
+
178
+ it "should convert policy names to arn" do
179
+ parsed = parse { dsl }
180
+ expect(parsed[:users]["iam-test-bob"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
181
+ expect(parsed[:groups]["iam-test-Admin"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
182
+ expect(parsed[:roles]["iam-test-my-role"][:attached_managed_policies][0]).to eq "arn:aws:iam::aws:policy/AdministratorAccess"
183
+
184
+ expect(parsed[:users]["iam-test-bob"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
185
+ expect(parsed[:groups]["iam-test-Admin"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
186
+ expect(parsed[:roles]["iam-test-my-role"][:attached_managed_policies][1]).to match %r(arn:aws:iam::\d+:policy/MyPolicy)
187
+ end
188
+ end
189
+ end
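Review bot: The account-scoped ARN assertions at gutter lines 184–186 use an unanchored `%r(arn:aws:iam::\d+:policy/MyPolicy)`, which accepts any digit run and any surrounding text, so a helper that emitted a wrong or truncated account id, or a prefix/suffix around the ARN, would still pass; anchoring to a full 12-digit account id, `match %r{\Aarn:aws:iam::\d{12}:policy/MyPolicy\z}`, pins what `arn_policy_by_current_account` is expected to produce. The example title at gutter line 136, `"should coverted to String keys"`, has a typo (`converted`). The first context strips `:target` before comparing while the ARN context reads individual keys, which is consistent but worth a one-line comment on `parsed.delete(:target)` saying the target account is environment-dependent and therefore excluded from `expected`.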