def test_s3_bucket_with_name(self):
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::S3::Bucket",
"BucketName": "my-test-bucket"
}
}
policy = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.expected_cloud_formation["Resources"]["PolicyGeneratorRole"][
"Properties"]["Policies"] += [{
"PolicyDocument": {
"Statements": [{
"Sid": "Policy-Generator-S3-Bucket-TestResource",
"Statement": {
"Effect": "Allow",
"Action": ["s3:CreateBucket", "s3:DeleteBucket"],
"Resource": "arn:aws:s3:::my-test-bucket"
}
}],
"Version":
"2012-10-17"
},
"PolicyName":
"Policy-Generator-S3-Bucket-TestResource"
}]
self.assertEqual(self.expected_cloud_formation, policy)
def test_ec2_instance_with_image(self):
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::EC2::Instance",
"ImageId": "TEST_IMAGE_ID"
}
}
policy = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.expected_cloud_formation["Resources"]["PolicyGeneratorRole"][
"Properties"]["Policies"] += [{
"PolicyDocument": {
"Statements": [{
"Sid": "Policy-Generator-EC2-Instance-TestResource",
"Statement": {
"Effect":
"Allow",
"Action": ["ec2:RunInstances"],
"Resource":
"arn:aws:ec2:us-east-1::image/TEST_IMAGE_ID"
}
}],
"Version":
"2012-10-17"
},
"PolicyName":
"Policy-Generator-EC2-Instance-TestResource"
}]
self.assertEqual(self.expected_cloud_formation, policy)
def test_vpc_lambda(self):
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::Lambda::Function",
"VpcConfig": "TEMP",
"Role": "MOCKED_ROLE_ARN"
}
}
policy = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.expected_cloud_formation["Resources"]["PolicyGeneratorRole"][
"Properties"]["Policies"] += [{
"PolicyDocument": {
"Statements": [{
"Sid":
"Policy-Generator-Lambda-Function-TestResource-Global",
"Statement": {
"Effect":
"Allow",
"Action": [
"lambda:CreateFunction", "ec2:AllocateAddress",
"ec2:ReleaseAddress", "ec2:DescribeAddresses"
],
"Resource":
"*"
}
}, {
"Sid":
"Policy-Generator-Lambda-Function-TestResource-Role",
"Statement": {
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": "MOCKED_ROLE_ARN"
}
}, {
"Sid": "Policy-Generator-Lambda-Function-TestResource",
"Statement": {
"Effect": "Allow",
"Action": ["lambda:DeleteFunction"],
"Resource": "*"
}
}],
"Version":
"2012-10-17"
},
"PolicyName":
"Policy-Generator-Lambda-Function-TestResource"
}]
self.assertEqual(self.expected_cloud_formation, policy)
def test_lambda_with_name(self):
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::Lambda::Function",
"FunctionName": "LambdaName",
"Role": "MOCKED_ROLE_ARN"
}
}
policy = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.expected_cloud_formation["Resources"]["PolicyGeneratorRole"][
"Properties"]["Policies"] += [{
"PolicyDocument": {
"Statements": [{
"Sid":
"Policy-Generator-Lambda-Function-TestResource-Global",
"Statement": {
"Effect": "Allow",
"Action": ["lambda:CreateFunction"],
"Resource": "*"
}
}, {
"Sid":
"Policy-Generator-Lambda-Function-TestResource-Role",
"Statement": {
"Effect": "Allow",
"Action": ["iam:PassRole"],
"Resource": "MOCKED_ROLE_ARN"
}
}, {
"Sid": "Policy-Generator-Lambda-Function-TestResource",
"Statement": {
"Effect":
"Allow",
"Action": ["lambda:DeleteFunction"],
"Resource":
"arn:aws:lambda:us-east-1:ABC123123:function:LambdaName"
}
}],
"Version":
"2012-10-17"
},
"PolicyName":
"Policy-Generator-Lambda-Function-TestResource"
}]
self.assertEqual(self.expected_cloud_formation, policy)
def test_check_ref_params(self):
self.cloudformation["Parameters"] = {
"TestParam": {
"Description": "TEST_DESCRIPTION",
"Default": "TEST_DEFAULT",
"Type": "TEST_TYPE"
}
}
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::S3::Bucket",
"BucketName": "!Ref TestParam"
}
}
role_cloud_formation = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.assertEqual(self.cloudformation["Parameters"],
role_cloud_formation["Parameters"])
def test_ec2_instance_with_instance_profile(self):
self.cloudformation["Resources"] = {
"TestResource": {
"Type": "AWS::EC2::Instance",
"IamInstanceProfile": "TEST_INSTANCE_PROFILE"
}
}
policy = RoleGenerator(self.cloudformation, "us-east-1",
"ABC123123").generate()
self.expected_cloud_formation["Resources"]["PolicyGeneratorRole"][
"Properties"]["Policies"] += [{
"PolicyDocument": {
"Statements": [{
"Sid": "Policy-Generator-EC2-Instance-TestResource",
"Statement": {
"Effect": "Allow",
"Action": ["ec2:RunInstances"],
"Resource": "*"
}
}, {
"Sid":
"Policy-Generator-EC2-Instance-TestResource-Role",
"Statement": {
"Effect":
"Allow",
"Action": ["iam:PassRole"],
"Resource":
"arn:aws:iam::ABC123123:role/TEST_INSTANCE_PROFILE"
}
}],
"Version":
"2012-10-17"
},
"PolicyName":
"Policy-Generator-EC2-Instance-TestResource"
}]
self.assertEqual(self.expected_cloud_formation, policy)
required=True)
parser.add_argument("-a",
"--account",
help="AWS Account number",
required=True)
parser.add_argument("-cff",
"--cloud_formation_format",
help="json/yaml, default yaml",
default="yaml")
parser.add_argument("-o",
"--out",
help="Save output to the specified file")
args = parser.parse_args()
cloud_formation_dict = yaml.safe_load(open(args.file, "r"))
generated_policy = RoleGenerator(cloud_formation_dict, args.region,
args.account).generate()
if args.out is not None:
if args.cloud_formation_format == "yaml":
with open(args.out, "w") as outfile:
yaml.safe_dump(generated_policy,
outfile,
default_flow_style=False)
with open(args.out, "r+") as f:
content = f.read()
f.seek(0, 0)
f.write(
"# File generated by https://github.com/fulder/cloudformation-policy-generator\r\n"
+ content)