subiam 1.2.1

checksums.yaml

@@ -0,0 +1,7 @@
+---
+SHA1:
+  metadata.gz: 5f32814fa2db9f3e157767104fe4da0752b40120
+  data.tar.gz: 677bf6d1e8fdbf6b0a9e13e7527add9ad8f8b69d
+SHA512:
+  metadata.gz: e3cc7e53244ab488c971c4f7ff583db303889cb76e951e2254174642e3a16d9663f7a009569e595101b397293fa4e9e3835236b2c055f2d4880f9f17c6ddd5f9
+  data.tar.gz: 6c74f7af2951620201979b7f16551724c95c8df036b47f76f8896ad0845310c7beb257b6c8ca1ad214c5f8da9017efab3989486bec2208800d9d51b8e20f3f00

data/.gitignore

@@ -0,0 +1,19 @@
+/.bundle/
+/.yardoc
+/Gemfile.lock
+/_yardoc/
+/coverage/
+/doc/
+/pkg/
+/spec/reports/
+/tmp/
+*.bundle
+*.so
+*.o
+*.a
+mkmf.log
+test.rb
+IAMfile
+*.iam
+account.csv
+*.json

data/.rspec

@@ -0,0 +1,4 @@
+--require rspec/instafail
+--format RSpec::Instafail
+--colour
+--require spec_helper

data/Gemfile

@@ -0,0 +1,4 @@
+source 'https://rubygems.org'
+
+# Specify your gem's dependencies in subiam.gemspec
+gemspec

data/LICENSE.txt

@@ -0,0 +1,48 @@
+Copyright (c) 2016 GREE, Inc.
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.
+
+Subiam is forked from Miam, which is published with the same license.
+Here is the original copyright notice for Miam:
+
+Copyright (c) 2014 Genki Sugawara
+
+MIT License
+
+Permission is hereby granted, free of charge, to any person obtaining
+a copy of this software and associated documentation files (the
+"Software"), to deal in the Software without restriction, including
+without limitation the rights to use, copy, modify, merge, publish,
+distribute, sublicense, and/or sell copies of the Software, and to
+permit persons to whom the Software is furnished to do so, subject to
+the following conditions:
+
+The above copyright notice and this permission notice shall be
+included in all copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
+EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
+MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
+NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE
+LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION
+OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION
+WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE.

data/README.md

@@ -0,0 +1,408 @@
+# Subiam
+
+Subiam is a tool to manage IAM.
+
+It defines the state of IAM using DSL, and updates IAM according to DSL.
+
+It's forked from Miam. Miam is designed to manage all IAM entities in the AWS account. Subiam is not so. Subiam is designed to manage sub part of IAM entities in the AWS account. For example around MySQL instances / around web servers / around lambda functions / around monitoring systems.
+
+**Notice**
+* `>= 1.2.0`
+  * Add helper methods: `arn_policy_by_aws`, `arn_policy_by_current_account`
+
+* `>= 1.1.0`
+  * Rename `require` DSL command to `import` to avoid override Kernel#require
+  * Allow Symbols alternative to Strings at Hash keys. It's a bit easy to write!
+
+* `>= 1.0.0`
+  * Forked from miam
+  * Required to specify `target` in DSL or json
+  * `instance_profile` also follow target (bug fix)
+  * don't delete top level entity (user, group, role, instance_profile) by default. Use the `--enable-delete` option.
+
+## Installation
+
+Add this line to your application's Gemfile:
+
+```ruby
+gem 'subiam'
+```
+
+And then execute:
+
+    $ bundle
+
+Or install it yourself as:
+
+    $ gem install subiam
+
+## Usage
+
+```sh
+export AWS_ACCESS_KEY_ID='...'
+export AWS_SECRET_ACCESS_KEY='...'
+export AWS_REGION='us-east-1'
+vi subiam-xxx.rb
+subiam -a --dry-run subiam-xxx.rb
+subiam -a subiam-xxx.rb
+```
+
+## Help
+
+```
+Usage: subiam [options]
+    -p, --profile PROFILE_NAME
+        --credentials-path PATH
+    -k, --access-key ACCESS_KEY
+    -s, --secret-key SECRET_KEY
+    -r, --region REGION
+    -a, --apply
+    -f, --file FILE
+        --dry-run
+        --account-output FILE
+    -e, --export
+    -o, --output FILE
+        --split
+        --split-more
+        --format=FORMAT
+        --export-concurrency N
+        --ignore-login-profile
+        --no-color
+        --no-progress
+        --debug
+        --enable-delete
+```
+
+## IAM definition files example
+subiam_mytool.rb
+
+```ruby
+import 'subiam_ec2_assume_role_attrs.rb'
+
+target /^mytool/ # required!!!
+
+role 'mytool', path: '/' do
+  context.version = '2012-10-17'
+
+  include_template 'ec2-assume-role-attrs'
+
+  instance_profiles(
+    'mytool'
+  )
+
+  policy 'mytool-role-policy' do
+    {
+      Version: context.version,
+      Statement: [
+        {
+          Effect: "Allow",
+          Action: [
+            "ec2:DescribeInstances",
+            "ec2:DescribeVpcs"
+          ],
+          Resource: [
+            "*"
+          ]
+        },
+        {
+          Effect: "Allow",
+          Action: [
+            "route53:Get*",
+            "route53:List*",
+            "route53:ChangeResourceRecordSets*"
+          ],
+          Resource: [
+            "*"
+          ]
+        },
+      ],
+    }
+  end
+end
+
+instance_profile 'mytool', path: '/'
+
+```
+
+subiam_ec2_assume_role_attrs.rb
+
+```ruby
+template "ec2-assume-role-attrs" do
+  assume_role_policy_document do
+    {
+      Version: context.version,
+      Statement: [
+        {
+          Sid: "",
+          Effect: "Allow",
+          Principal: {Service: "ec2.amazonaws.com"},
+          Action: "sts:AssumeRole",
+        },
+      ],
+    }
+  end
+end
+```
+
+
+## Use management policy
+
+```ruby
+user "foo", path: '/' do
+  attached_managed_policies(
+    'arn:aws:iam::0123456789:policy/MyPolicy',
+
+    arn_policy_by_current_account("MyPolicy2"),
+    # == "arn:aws:iam::0123456789:policy/MyPolicy2'
+
+    arn_policy_by_aws("AdministratorAccess")
+    # == 'arn:aws:iam::aws:policy/AdministratorAccess'
+  )
+end
+```
+
+
+---
+old examples (but works if add `target`)
+
+```ruby
+import 'other/iamfile'
+
+target /^monitoring-/
+
+user "monitoring-bob", :path => "/monitoring-user/" do
+  login_profile :password_reset_required=>true
+
+  groups(
+    "Admin"
+  )
+
+  policy "bob-policy" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["s3:Get*",
+          "s3:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+
+  attached_managed_policies(
+    # attached_managed_policy
+  )
+end
+
+user "mary", :path => "/staff/" do
+  # login_profile :password_reset_required=>true
+
+  groups(
+    # no group
+  )
+
+  policy "s3-readonly" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["s3:Get*",
+          "s3:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+
+  policy "route53-readonly" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Action"=>
+         ["route53:Get*",
+          "route53:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+
+  attached_managed_policies(
+    "arn:aws:iam::aws:policy/AdministratorAccess",
+    "arn:aws:iam::123456789012:policy/my_policy"
+  )
+end
+
+group "Admin", :path => "/admin/" do
+  policy "Admin" do
+    {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+  end
+end
+
+role "S3", :path => "/" do
+  instance_profiles(
+    "S3"
+  )
+
+  assume_role_policy_document do
+    {"Version"=>"2012-10-17",
+     "Statement"=>
+      [{"Sid"=>"",
+        "Effect"=>"Allow",
+        "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+        "Action"=>"sts:AssumeRole"}]}
+  end
+
+  policy "S3-role-policy" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+  end
+end
+
+instance_profile "S3", :path => "/"
+```
+
+## Rename
+
+```ruby
+import 'other/iamfile'
+
+user "bob2", :path => "/developer/", :renamed_from => "bob" do
+  # ...
+end
+
+group "Admin2", :path => "/admin/". :renamed_from => "Admin" do
+  # ...
+end
+```
+
+## Managed Policy attach/detach
+
+```ruby
+user "bob", :path => "/developer/" do
+  login_profile :password_reset_required=>true
+
+  groups(
+    "Admin"
+  )
+
+  policy "bob-policy" do
+    # ...
+  end
+
+  attached_managed_policies(
+    "arn:aws:iam::aws:policy/AmazonElastiCacheReadOnlyAccess"
+  )
+end
+```
+
+## Custom Managed Policy
+
+```ruby
+managed_policy "my-policy", :path=>"/" do
+  {"Version"=>"2012-10-17",
+   "Statement"=>
+    [{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
+end
+
+user "bob", :path => "/developer/" do
+  login_profile :password_reset_required=>true
+
+  groups(
+    "Admin"
+  )
+
+  policy "bob-policy" do
+    # ...
+  end
+
+  attached_managed_policies(
+    "arn:aws:iam::123456789012:policy/my-policy"
+  )
+end
+```
+
+## Use JSON
+
+```sh
+$ subiam -e -o iam.json
+   ᗧ 100%
+Export IAM to `iam.json`
+
+$ cat iam.json
+{
+  "users": {
+    "bob": {
+      "path": "/",
+      "groups": [
+        "Admin"
+      ],
+      "policies": {
+      ...
+
+$ subiam -a -f iam.json --dry-run
+Apply `iam.json` to IAM (dry-run)
+   ᗧ 100%
+No change
+```
+
+## Use Template
+
+```ruby
+template "common-policy" do
+  policy "my-policy" do
+    {"Version"=>context.version,
+     "Statement"=>
+      [{"Action"=>
+         ["s3:Get*",
+          "s3:List*"],
+        "Effect"=>"Allow",
+        "Resource"=>"*"}]}
+  end
+end
+
+template "common-role-attrs" do
+  assume_role_policy_document do
+    {"Version"=>context.version,
+     "Statement"=>
+      [{"Sid"=>"",
+        "Effect"=>"Allow",
+        "Principal"=>{"Service"=>"ec2.amazonaws.com"},
+        "Action"=>"sts:AssumeRole"}]}
+  end
+end
+
+user "bob", :path => "/developer/" do
+  login_profile :password_reset_required=>true
+
+  groups(
+    "Admin"
+  )
+
+  include_template "common-policy", version: "2012-10-17"
+end
+
+user "mary", :path => "/staff/" do
+  # login_profile :password_reset_required=>true
+
+  groups(
+    # no group
+  )
+
+  context.version = "2012-10-17"
+  include_template "common-policy"
+
+  attached_managed_policies(
+    "arn:aws:iam::aws:policy/AdministratorAccess",
+    "arn:aws:iam::123456789012:policy/my_policy"
+  )
+end
+
+role "S3", :path => "/" do
+  instance_profiles(
+    "S3"
+  )
+
+  include_template "common-role-attrs"
+
+  policy "S3-role-policy" do
+    {"Version"=>"2012-10-17",
+     "Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}
+  end
+end
+```
+
+## Similar tools
+* [Codenize.tools](http://codenize.tools/)

data/Rakefile

@@ -0,0 +1,5 @@
+require 'bundler/gem_tasks'
+require 'rspec/core/rake_task'
+
+RSpec::Core::RakeTask.new('spec')
+task :default => :spec

data/bin/subiam

@@ -0,0 +1,189 @@
+#!/usr/bin/env ruby
+$: << File.expand_path("#{File.dirname __FILE__}/../lib")
+require 'rubygems'
+require 'subiam'
+require 'fileutils'
+require 'optparse'
+
+Version = Subiam::VERSION
+DEFAULT_FILENAME = 'IAMfile'
+
+mode = nil
+file = DEFAULT_FILENAME
+output_file = '-'
+account_output = 'account.csv'
+split = false
+MAGIC_COMMENT = <<-EOS
+# -*- mode: ruby -*-
+# vi: set ft=ruby :
+EOS
+
+options = {
+  :dry_run => false,
+  :format  => :ruby,
+  :color   => true,
+  :debug   => false,
+}
+
+options[:password_manager] = Subiam::PasswordManager.new(account_output, options)
+
+ARGV.options do |opt|
+  begin
+    access_key = nil
+    secret_key = nil
+    region = nil
+    profile_name = nil
+    credentials_path = nil
+    format_passed = false
+
+    opt.on('-p', '--profile PROFILE_NAME')          {|v| profile_name                   = v                                     }
+    opt.on(''  , '--credentials-path PATH')         {|v| credentials_path               = v                                     }
+    opt.on('-k', '--access-key ACCESS_KEY')         {|v| access_key                     = v                                     }
+    opt.on('-s', '--secret-key SECRET_KEY')         {|v| secret_key                     = v                                     }
+    opt.on('-r', '--region REGION')                 {|v| region                         = v                                     }
+    opt.on('-a', '--apply')                         {    mode                           = :apply                                }
+    opt.on('-f', '--file FILE')                     {|v| file                           = v                                     }
+    opt.on(''  , '--dry-run')                       {    options[:dry_run]              = true                                  }
+    opt.on(''  , '--account-output FILE')           {|v| options[:password_manager]     = Subiam::PasswordManager.new(v, options) }
+    opt.on('-e', '--export')                        {    mode                           = :export                               }
+    opt.on('-o', '--output FILE')                   {|v| output_file                    = v                                     }
+    opt.on(''  , '--split')                         {    split                          = true                                  }
+    opt.on(''  , '--split-more')                    {    split                          = :more                                 }
+    opt.on('',   '--format=FORMAT', [:ruby, :json]) {|v| format_passed = true; options[:format] = v                             }
+    opt.on(''  , '--export-concurrency N', Integer) {|v| options[:export_concurrency]   = v                                     }
+    opt.on(''  , '--ignore-login-profile')          {    options[:ignore_login_profile] = true                                  }
+    opt.on(''  , '--no-color')                      {    options[:color]                = false                                 }
+    opt.on(''  , '--no-progress')                   {    options[:no_progress]          = true                                  }
+    opt.on(''  , '--debug')                         {    options[:debug]                = true                                  }
+    opt.on(''  , '--enable-delete')                 {    options[:enable_delete]        = true                                  }
+    opt.parse!
+
+    aws_opts = {}
+
+    if access_key and secret_key
+      aws_opts.update(
+        :access_key_id => access_key,
+        :secret_access_key => secret_key
+      )
+    elsif profile_name or credentials_path
+      credentials_opts = {}
+      credentials_opts[:profile_name] = profile_name if profile_name
+      credentials_opts[:path] = credentials_path if credentials_path
+      credentials = Aws::SharedCredentials.new(credentials_opts)
+      aws_opts[:credentials] = credentials
+    elsif (access_key and !secret_key) or (!access_key and secret_key) or mode.nil?
+      puts opt.help
+      exit 1
+    end
+
+    aws_opts[:region] = region if region
+    Aws.config.update(aws_opts)
+
+    if not format_passed and [file, output_file].any? {|i| i =~ /\.json\z/ }
+      options[:format] = :json
+    end
+  rescue => e
+    $stderr.puts("[ERROR] #{e.message}")
+    exit 1
+  end
+end
+
+String.colorize = options[:color]
+
+if options[:debug]
+  Aws.config.update(
+    :http_wire_trace => true,
+    :logger => Subiam::Logger.instance
+  )
+end
+
+begin
+  logger = Subiam::Logger.instance
+  logger.set_debug(options[:debug])
+  client = Subiam::Client.new(options)
+
+  case mode
+  when :export
+    if split
+      logger.info('Export IAM')
+      output_file = DEFAULT_FILENAME if output_file == '-'
+      requires = []
+
+      client.export(:split_more => (split == :more), :convert => (options[:format] == :ruby)) do |args|
+        type, dsl = args.values_at(:type, :dsl)
+        next if dsl.empty?
+
+        type = type.to_s
+        dir = File.dirname(output_file)
+
+        if split == :more
+          name = args[:name]
+          dir = File.join(dir, type)
+          FileUtils.mkdir_p(dir)
+          iam_filename =  "#{name}.iam"
+          iam_file = File.join(dir, iam_filename)
+          requires << File.join(type, iam_filename)
+        else
+          iam_filename = "#{type}.iam"
+          iam_file = File.join(dir, iam_filename)
+          requires << iam_filename
+        end
+
+        if options[:format] == :json
+          iam_file << '.json'
+        end
+
+        logger.info("  write `#{iam_file}`")
+
+        open(iam_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT if options[:format] == :ruby
+          f.puts dsl
+        end
+      end
+
+      if options[:format] == :ruby
+        logger.info("  write `#{output_file}`")
+
+        open(output_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT
+
+          requires.each do |iam_file|
+            f.puts "require '#{iam_file}'"
+          end
+        end
+      end
+    else
+      exported = client.export(:convert => (options[:format] == :ruby))
+
+      if output_file == '-'
+        logger.info('# Export IAM')
+        puts exported
+      else
+        logger.info("Export IAM to `#{output_file}`")
+        open(output_file, 'wb') do |f|
+          f.puts MAGIC_COMMENT if options[:format] == :ruby
+          f.puts exported
+        end
+      end
+    end
+  when :apply
+    unless File.exist?(file)
+      raise "No IAMfile found (looking for: #{file})"
+    end
+
+    msg = "Apply `#{file}` to IAM"
+    msg << ' (dry-run)' if options[:dry_run]
+    logger.info(msg)
+
+    updated = client.apply(file)
+
+    logger.info('No change'.intense_blue) unless updated
+  end
+rescue => e
+  if options[:debug]
+    raise e
+  else
+    $stderr.puts("[ERROR] #{e.message}".red)
+    exit 1
+  end
+end