Example #1
 def _update_role_with_latest_policy(self, app_name, config):
     # type: (str, Config) -> None
     """Regenerate the app's IAM policy and replace the role's inline policy.

     The policy generated from the app source is diffed against the last
     recorded policy. When the diff is non-empty, the added and removed
     actions are printed and the user is prompted before any change is
     made. The inline policy named ``app_name`` on the role ``app_name``
     is then deleted and put again, and the new policy is recorded.
     """
     print("Updating IAM policy.")
     new_policy = self._app_policy.generate_policy_from_app_source(config)
     last_policy = self._app_policy.load_last_policy(config)
     changes = policy.diff_policies(last_policy, new_policy)
     if changes:
         sections = (
             ('added', "\nThe following actions will be added to "
                       "the execution policy:\n"),
             ('removed', "\nThe following action will be removed from "
                         "the execution policy:\n"),
         )
         for key, heading in sections:
             actions = changes.get(key)
             if actions:
                 print(heading)
                 for action in actions:
                     print(action)
         # NOTE(review): default=True presumably means an empty answer
         # accepts the change, including newly added permissions; confirm
         # that is intended for a prompt that widens privileges.
         self._prompter.confirm("\nWould you like to continue? ",
                                default=True,
                                abort=True)
     # NOTE(review): the old policy is deleted before the new one is put,
     # so a failure in between would leave the role without this policy.
     # If the client's put_role_policy overwrites an existing policy (as
     # the IAM PutRolePolicy API does), the delete may be redundant; verify.
     role_client = self._aws_client
     role_client.delete_role_policy(role_name=app_name,
                                    policy_name=app_name)
     role_client.put_role_policy(role_name=app_name,
                                 policy_name=app_name,
                                 policy_document=new_policy)
     self._app_policy.record_policy(config, new_policy)
Example #2
 def _update_role_with_latest_policy(self, app_name, config):
     # type: (str, Dict[str, Any]) -> None
     """Rebuild the IAM policy from source and replace the role's policy.

     The policy derived from the source code is diffed against the last
     recorded one. A non-empty diff is printed (added, then removed
     actions) and the user is prompted before any change is made. The
     inline policy ``app_name`` on role ``app_name`` is then deleted and
     put again as indented JSON, and the new policy is recorded.
     """
     print("Updating IAM policy.")
     new_policy = self._get_policy_from_source_code(config)
     last_policy = self._load_last_policy(config)
     changes = policy.diff_policies(last_policy, new_policy)
     if changes:
         added = changes.get('added')
         if added:
             print("\nThe following actions will be added to "
                   "the execution policy:\n")
             for action in added:
                 print(action)
         removed = changes.get('removed')
         if removed:
             print("\nThe following action will be removed from "
                   "the execution policy:\n")
             for action in removed:
                 print(action)
         # NOTE(review): default=True presumably means an empty answer
         # accepts the change, including newly added permissions; confirm
         # that is intended for a prompt that widens privileges.
         self._prompter.confirm("\nWould you like to continue? ",
                                default=True, abort=True)
     iam_client = self._client('iam')
     # NOTE(review): delete-then-put is not atomic; if the put (or the
     # JSON serialisation below) fails, the role is left without this
     # policy. IAM PutRolePolicy updates an existing inline policy, so the
     # delete looks redundant; verify before relying on it.
     iam_client.delete_role_policy(RoleName=app_name,
                                   PolicyName=app_name)
     policy_document = json.dumps(new_policy, indent=2)
     iam_client.put_role_policy(RoleName=app_name,
                                PolicyName=app_name,
                                PolicyDocument=policy_document)
     self._record_policy(config, new_policy)
Example #3
 def _update_role_with_latest_policy(self, app_name, config):
     # type: (str, Config) -> None
     """Rebuild the IAM policy from source and replace the role's policy.

     The policy derived from the source code is diffed against the last
     recorded one. A non-empty diff is printed (added, then removed
     actions) and the user is prompted before any change is made. The
     inline policy ``app_name`` on role ``app_name`` is then deleted and
     put again through the AWS client wrapper, and the policy is recorded.
     """
     print("Updating IAM policy.")
     new_policy = self._get_policy_from_source_code(config)
     last_policy = self._load_last_policy(config)
     changes = policy.diff_policies(last_policy, new_policy)
     if changes:
         sections = (
             ('added', "\nThe following actions will be added to "
                       "the execution policy:\n"),
             ('removed', "\nThe following action will be removed from "
                         "the execution policy:\n"),
         )
         for key, heading in sections:
             actions = changes.get(key)
             if actions:
                 print(heading)
                 for action in actions:
                     print(action)
         # NOTE(review): default=True presumably means an empty answer
         # accepts the change, including newly added permissions; confirm
         # that is intended for a prompt that widens privileges.
         self._prompter.confirm("\nWould you like to continue? ",
                                default=True, abort=True)
     # NOTE(review): the old policy is deleted before the new one is put,
     # so a failure in between would leave the role without this policy.
     # If the client's put_role_policy overwrites an existing policy (as
     # the IAM PutRolePolicy API does), the delete may be redundant; verify.
     role_client = self._aws_client
     role_client.delete_role_policy(role_name=app_name,
                                    policy_name=app_name)
     role_client.put_role_policy(role_name=app_name,
                                 policy_name=app_name,
                                 policy_document=new_policy)
     self._record_policy(config, new_policy)
Example #4
 def _update_role_with_latest_policy(self, app_name, config):
     # type: (str, Dict[str, Any]) -> None
     """Rebuild the IAM policy from source and replace the role's policy.

     The policy derived from the source code is diffed against the last
     recorded one. A non-empty diff is printed (added, then removed
     actions) and the user is prompted before any change is made. The
     inline policy ``app_name`` on role ``app_name`` is then deleted and
     put again as indented JSON, and the new policy is recorded.
     """
     print("Updating IAM policy.")
     new_policy = self._get_policy_from_source_code(config)
     last_policy = self._load_last_policy(config)
     changes = policy.diff_policies(last_policy, new_policy)
     if changes:
         added = changes.get('added')
         if added:
             print("\nThe following actions will be added to "
                   "the execution policy:\n")
             for action in added:
                 print(action)
         removed = changes.get('removed')
         if removed:
             print("\nThe following action will be removed from "
                   "the execution policy:\n")
             for action in removed:
                 print(action)
         # NOTE(review): default=True presumably means an empty answer
         # accepts the change, including newly added permissions; confirm
         # that is intended for a prompt that widens privileges.
         self._prompter.confirm("\nWould you like to continue? ",
                                default=True,
                                abort=True)
     iam_client = self._client('iam')
     # NOTE(review): delete-then-put is not atomic; if the put (or the
     # JSON serialisation below) fails, the role is left without this
     # policy. IAM PutRolePolicy updates an existing inline policy, so the
     # delete looks redundant; verify before relying on it.
     iam_client.delete_role_policy(RoleName=app_name, PolicyName=app_name)
     policy_document = json.dumps(new_policy, indent=2)
     iam_client.put_role_policy(RoleName=app_name,
                                PolicyName=app_name,
                                PolicyDocument=policy_document)
     self._record_policy(config, new_policy)
Example #5
def test_can_diff_multiple_services():
    """Diff two policies that differ across several services at once.

    Actions present only in the second policy are expected under 'added';
    actions present only in the first are expected under 'removed'. A
    service dropped entirely (dynamodb) shows up as removed actions.
    """
    before = iam_policy({
        's3': {'list_buckets'},
        'dynamodb': {'create_table'},
        'cloudformation': {'create_stack', 'delete_stack'},
    })
    after = iam_policy({
        's3': {'list_buckets', 'list_objects'},
        'cloudformation': {'create_stack', 'update_stack'},
    })
    # Per the expected value, list_objects contributes s3:ListBucket
    # (presumably iam_policy maps client method names to IAM actions).
    expected = {
        'added': {'s3:ListBucket', 'cloudformation:UpdateStack'},
        'removed': {'cloudformation:DeleteStack', 'dynamodb:CreateTable'},
    }
    assert diff_policies(before, after) == expected
Example #6
def test_can_diff_multiple_services():
    """Diff two policies that differ across several services at once.

    Actions present only in the second policy are expected under 'added';
    actions present only in the first are expected under 'removed'. A
    service dropped entirely (dynamodb) shows up as removed actions.
    """
    before = iam_policy({
        's3': {'list_buckets'},
        'dynamodb': {'create_table'},
        'cloudformation': {'create_stack', 'delete_stack'},
    })
    after = iam_policy({
        's3': {'list_buckets', 'list_objects'},
        'cloudformation': {'create_stack', 'update_stack'},
    })
    # Per the expected value, list_objects contributes s3:ListBucket
    # (presumably iam_policy maps client method names to IAM actions).
    expected = {
        'added': {'s3:ListBucket', 'cloudformation:UpdateStack'},
        'removed': {'cloudformation:DeleteStack', 'dynamodb:CreateTable'},
    }
    assert diff_policies(before, after) == expected
Example #7
def test_can_diff_policy_added():
    """An action gained by the second policy is reported under 'added' only."""
    before = iam_policy({'s3': {'list_buckets'}})
    after = iam_policy({'s3': {'list_buckets', 'list_objects'}})
    # No 'removed' key is expected when nothing was taken away.
    expected = {'added': {'s3:ListBucket'}}
    assert diff_policies(before, after) == expected
Example #8
def test_no_changes():
    """Diffing two policies built from the same input yields an empty dict."""
    services = {'s3': {'list_buckets', 'list_objects'}}
    before = iam_policy(services)
    after = iam_policy(services)
    assert diff_policies(before, after) == {}
Example #9
def test_can_diff_policy_removed():
    """An action dropped by the second policy is reported under 'removed' only."""
    before = iam_policy({'s3': {'list_buckets', 'list_objects'}})
    after = iam_policy({'s3': {'list_buckets'}})
    # No 'added' key is expected when nothing new was granted.
    expected = {'removed': {'s3:ListBucket'}}
    assert diff_policies(before, after) == expected
Example #10
def test_no_changes():
    """Diffing two policies built from the same input yields an empty dict."""
    services = {'s3': {'list_buckets', 'list_objects'}}
    before = iam_policy(services)
    after = iam_policy(services)
    assert diff_policies(before, after) == {}