describe 'custom managed policy' do
let(:dsl) do
<<-RUBY
managed_policy "my-policy", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
end
user "mary", :path=>"/staff/" do
policy "S3" do
{"Statement"=>
[{"Action"=>
["s3:Get*",
"s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
attached_managed_policies(
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
)
end
RUBY
end
let(:expected) do
{:users=>
{"mary"=>
{:path=>"/staff/",
:groups=>[],
:attached_managed_policies=>[
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"],
:policies=>
{"S3"=>
{"Statement"=>
[{"Action"=>["s3:Get*", "s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}}}},
:groups=>{},
:instance_profiles=>{},
:policies=>
{"my-policy"=>
{:path=>"/",
:document=>
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Allow",
"Action"=>"directconnect:Describe*",
"Resource"=>"*"}]}}},
:roles=>{}}
end
before(:each) do
apply { dsl }
end
context 'when no change' do
subject { client }
it do
updated = apply(subject) { dsl }
expect(updated).to be_falsey
expect(export).to eq expected
end
end
context 'when create and attach' do
subject { client }
it do
updated = apply(subject) {
<<-RUBY
managed_policy "my-policy", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Allow", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
end
managed_policy "my-policy2", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
end
user "mary", :path=>"/staff/" do
policy "S3" do
{"Statement"=>
[{"Action"=>
["s3:Get*",
"s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
attached_managed_policies(
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy",
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
)
end
RUBY
}
expect(updated).to be_truthy
expected[:policies]["my-policy2"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}
expected[:users]["mary"][:attached_managed_policies] << "arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
expected[:users]["mary"][:attached_managed_policies].sort!
actual = export
actual[:users]["mary"][:attached_managed_policies].sort!
expect(actual).to eq expected
end
end
context 'when create and delete' do
subject { client }
it do
updated = apply(subject) {
<<-RUBY
managed_policy "my-policy2", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}
end
user "mary", :path=>"/staff/" do
policy "S3" do
{"Statement"=>
[{"Action"=>
["s3:Get*",
"s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
attached_managed_policies(
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"
)
end
RUBY
}
expect(updated).to be_truthy
expected[:policies] = {"my-policy2" => {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:Describe*", "Resource"=>"*"}]}}}
expected[:users]["mary"][:attached_managed_policies] = ["arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy2"]
expect(export).to eq expected
end
end
context 'when update' do
subject { client }
it do
updated = apply(subject) {
<<-RUBY
managed_policy "my-policy", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
end
user "mary", :path=>"/staff/" do
policy "S3" do
{"Statement"=>
[{"Action"=>
["s3:Get*",
"s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
attached_managed_policies(
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
)
end
RUBY
}
expect(updated).to be_truthy
expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
expect(export).to eq expected
end
end
context 'when update 7 times' do
subject { client }
it do
4.times do
apply(subject) { dsl }
apply(subject) {
<<-RUBY
managed_policy "my-policy", :path=>"/" do
{"Version"=>"2012-10-17",
"Statement"=>
[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}
end
user "mary", :path=>"/staff/" do
policy "S3" do
{"Statement"=>
[{"Action"=>
["s3:Get*",
"s3:List*"],
"Effect"=>"Allow",
"Resource"=>"*"}]}
end
attached_managed_policies(
"arn:aws:iam::#{MIAM_TEST_ACCOUNT_ID}:policy/my-policy"
)
end
RUBY
}
end
expected[:policies]["my-policy"] = {:path=>"/", :document=>{"Version"=>"2012-10-17", "Statement"=>[{"Effect"=>"Deny", "Action"=>"directconnect:*", "Resource"=>"*"}]}}
expect(export).to eq expected
end
end
end