describe 'delete' do let(:dsl) do <<-RUBY user "bob", :path=>"/developer/" do login_profile :password_reset_required=>true groups( "Admin", "SES" ) policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end group "SES", :path=>"/ses/" do policy "ses-policy" do {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]} end end role "my-role", :path=>"/any/" do instance_profiles( "my-instance-profile" ) assume_role_policy_document do {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]} end policy "role-policy" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end instance_profile "my-instance-profile", :path=>"/profile/" RUBY end let(:expected) do {:users=> {"bob"=> {:path=>"/developer/", :groups=>["Admin", "SES"], :attached_managed_policies=>[], :policies=> {"S3"=> {"Statement"=> [{"Action"=>["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]}}, :login_profile=>{:password_reset_required=>true}}, "mary"=> {:path=>"/staff/", :groups=>[], :attached_managed_policies=>[], :policies=> {"S3"=> {"Statement"=> [{"Action"=>["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]}}}}, :groups=> {"Admin"=> {:path=>"/admin/", :attached_managed_policies=>[], :policies=> {"Admin"=> {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]}}}, "SES"=> {:path=>"/ses/", :attached_managed_policies=>[], :policies=> {"ses-policy"=> {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]}}}}, :policies => {}, :roles=> {"my-role"=> {:path=>"/any/", :assume_role_policy_document=> {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]}, :instance_profiles=>["my-instance-profile"], :attached_managed_policies=>[], :policies=> {"role-policy"=> {"Statement"=> [{"Action"=>["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]}}}}, :instance_profiles=>{"my-instance-profile"=>{:path=>"/profile/"}}} end before(:each) do apply { dsl } end context 'when delete group' do let(:delete_group_dsl) do <<-RUBY user "bob", :path=>"/developer/" do login_profile :password_reset_required=>true groups( "Admin" ) policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end role "my-role", :path=>"/any/" do instance_profiles( "my-instance-profile" ) assume_role_policy_document do {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]} end policy "role-policy" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end instance_profile "my-instance-profile", :path=>"/profile/" RUBY end subject { client } it do updated = apply(subject) { delete_group_dsl } expect(updated).to be_truthy expected[:users]["bob"][:groups] = ["Admin"] expected[:groups].delete("SES") expect(export).to eq expected end end context 'when delete user' do let(:delete_user_dsl) do <<-RUBY user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end group "SES", :path=>"/ses/" do policy "ses-policy" do {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]} end end role "my-role", :path=>"/any/" do instance_profiles( "my-instance-profile" ) assume_role_policy_document do {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]} end policy "role-policy" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end instance_profile "my-instance-profile", :path=>"/profile/" RUBY end subject { client } it do updated = apply(subject) { delete_user_dsl } expect(updated).to be_truthy expected[:users].delete("bob") expect(export).to eq expected end end context 'when delete user_and_group' do let(:delete_user_and_group_dsl) do <<-RUBY user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end role "my-role", :path=>"/any/" do instance_profiles( "my-instance-profile" ) assume_role_policy_document do {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]} end policy "role-policy" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end instance_profile "my-instance-profile", :path=>"/profile/" RUBY end context 'when apply' do subject { client } it do updated = apply(subject) { delete_user_and_group_dsl } expect(updated).to be_truthy expected[:users].delete("bob") expected[:groups].delete("SES") expect(export).to eq expected end end context 'when dry-run' do subject { client(dry_run: true) } it do updated = apply(subject) { delete_user_and_group_dsl } expect(updated).to be_falsey expect(export).to eq expected end end end context 'when delete instance_profile' do let(:delete_instance_profiles_dsl) do <<-RUBY user "bob", :path=>"/developer/" do login_profile :password_reset_required=>true groups( "Admin", "SES" ) policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end group "SES", :path=>"/ses/" do policy "ses-policy" do {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]} end end role "my-role", :path=>"/any/" do instance_profiles( ) assume_role_policy_document do {"Version"=>"2012-10-17", "Statement"=> [{"Sid"=>"", "Effect"=>"Allow", "Principal"=>{"Service"=>"ec2.amazonaws.com"}, "Action"=>"sts:AssumeRole"}]} end policy "role-policy" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end RUBY end subject { client } it do updated = apply(subject) { delete_instance_profiles_dsl } expect(updated).to be_truthy expected[:roles]["my-role"][:instance_profiles] = [] expected[:instance_profiles].delete("my-instance-profile") expect(export).to eq expected end end context 'when delete role' do let(:delete_role_dsl) do <<-RUBY user "bob", :path=>"/developer/" do login_profile :password_reset_required=>true groups( "Admin", "SES" ) policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end group "SES", :path=>"/ses/" do policy "ses-policy" do {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]} end end instance_profile "my-instance-profile", :path=>"/profile/" RUBY end subject { client } it do updated = apply(subject) { delete_role_dsl } expect(updated).to be_truthy expected[:roles].delete("my-role") expect(export).to eq expected end end context 'when delete role and instance_profile' do let(:delete_role_and_instance_profile_dsl) do <<-RUBY user "bob", :path=>"/developer/" do login_profile :password_reset_required=>true groups( "Admin", "SES" ) policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end user "mary", :path=>"/staff/" do policy "S3" do {"Statement"=> [{"Action"=> ["s3:Get*", "s3:List*"], "Effect"=>"Allow", "Resource"=>"*"}]} end end group "Admin", :path=>"/admin/" do policy "Admin" do {"Statement"=>[{"Effect"=>"Allow", "Action"=>"*", "Resource"=>"*"}]} end end group "SES", :path=>"/ses/" do policy "ses-policy" do {"Statement"=> [{"Effect"=>"Allow", "Action"=>"ses:SendRawEmail", "Resource"=>"*"}]} end end RUBY end subject { client } it do updated = apply(subject) { delete_role_and_instance_profile_dsl } expect(updated).to be_truthy expected[:roles].delete("my-role") expected[:instance_profiles].delete("my-instance-profile") expect(export).to eq expected end end end