def test_create_fortress_no_bastion():
    """Build a Fortress without a bastion host and check it renders a body.

    EC2 ``describe_images`` calls are answered by a botocore stub, so the
    test never talks to AWS.
    """
    env = AWSEnv(regions=['us-east-1'], stub=True)
    with default_region('us-east-1'):
        ec2_stub = env.stub('ec2', region='us-east-1')
        # Queue two identical describe_images answers; the expected-params
        # matcher accepts any ImageIds filter.
        for _ in range(2):
            ec2_stub.add_response(
                'describe_images',
                {'Images': [{'ImageId': 'ami-1234',
                             'RootDeviceName': '/dev/sda1',
                             'Tags': []}]},
                {'ImageIds': ANY})

        # Read-only access to one external bucket for the private servers.
        doc = PolicyDocument().append(
            Allow(to='s3:GetObject',
                  on=['arn:aws:s3:::mybucket', 'arn:aws:s3:::mybucket/*']))
        internal_policy = Policy('InternalPolicy', doc)

        fortress = Fortress('myfortress',
                            bastion_ami=None,
                            internal_server_policy=internal_policy)
        fortress += Bucket('Bucket2')
        # S3 endpoint access to the external bucket and the one just added.
        fortress.private_subnet.add_bucket_access(
            ['mybucket', fortress['Bucket2']])
        # Outbound HTTPS for the private subnet.
        fortress.add_network_access('https')
        fortress.add_private_server(AMI('ami-1234'), ['server1', 'server2'])
        assert fortress.body
def test_create_fortress(enable_github, requests_mock):
    """Build a full Fortress (bastion plus private servers) and check it renders.

    ``enable_github`` toggles GitHub egress for the private servers; the
    GitHub meta document and the AWS ip-ranges document it relies on are
    served by ``requests_mock`` so the test stays offline. EC2
    ``describe_images`` calls are answered by a botocore stub.
    """
    if enable_github:
        requests_mock.get("https://api.github.com/meta", json=GITHUB_API_RANGE)
        requests_mock.get("https://ip-ranges.amazonaws.com/ip-ranges.json",
                          json=AWS_IP_RANGES)

    env = AWSEnv(regions=["us-east-1"], stub=True)
    with default_region("us-east-1"):
        ec2_stub = env.stub("ec2", region="us-east-1")
        # Queue two identical describe_images answers; the expected-params
        # matcher accepts any ImageIds filter.
        for _ in range(2):
            ec2_stub.add_response(
                "describe_images",
                {"Images": [{"ImageId": "ami-1234",
                             "RootDeviceName": "/dev/sda1",
                             "Tags": []}]},
                {"ImageIds": ANY},
            )

        # Read-only access to one external bucket for the private servers.
        doc = PolicyDocument().append(
            Allow(
                to="s3:GetObject",
                on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
            ))
        internal_policy = Policy("InternalPolicy", doc)

        # allow_ssh_from="0.0.0.0/0" exposes the bastion's SSH ingress to the
        # whole internet; it is acceptable here only because the environment
        # is fully stubbed. Real callers should pass a narrow CIDR.
        fortress = Fortress(
            "myfortress",
            allow_ssh_from="0.0.0.0/0",
            bastion_ami=AMI("ami-1234"),
            internal_server_policy=internal_policy,
        )
        fortress += Bucket("Bucket2")
        # S3 endpoint access to the external bucket and the one just added.
        fortress.private_subnet.add_bucket_access(
            ["mybucket", fortress["Bucket2"]])
        # Secrets Manager endpoint access to one secret.
        fortress.add_secret_access("arn_secret")
        # NOTE(review): the original comment describes this as Lambda access
        # through Lambda endpoints, but the call is add_secret_access, the
        # same Secrets Manager path used just above; confirm whether a
        # Lambda-specific method was intended.
        fortress.add_secret_access(["arn_lambda_1", "arn_lambda_2"])
        # Outbound HTTPS for the private subnet.
        fortress.add_network_access("https")
        fortress.add_private_server(AMI("ami-1234"), ["server1", "server2"],
                                    github_access=enable_github)
        assert fortress.body
def test_create_bucket():
    """A private, versioned bucket with an explicit name renders its properties."""
    options = dict(
        access_control=AccessControl.PRIVATE,
        bucket_name="myname",
        versioning=True,
    )
    bucket = Bucket("mybucket", **options)
    assert bucket.properties
def test_create_bucket_policy():
    """BucketPolicy accepts the target bucket both as a name and as a Bucket."""
    policy_doc = PolicyDocument().append(
        Allow(to='s3:GetObject', on=['arn:aws:s3:::mybucket']))

    def check(bucket_ref):
        # Same policy document attached through either form of bucket reference.
        bucket_policy = BucketPolicy(name='mypolicy',
                                     bucket=bucket_ref,
                                     policy_document=policy_doc)
        assert bucket_policy.properties

    check('mybucket')
    check(Bucket(name='mybucket'))
def test_create_bucket_policy():
    """BucketPolicy accepts the target bucket both as a name and as a Bucket."""
    policy_doc = PolicyDocument().append(
        Allow(to="s3:GetObject", on=["arn:aws:s3:::mybucket"]))

    def check(bucket_ref):
        # Same policy document attached through either form of bucket reference.
        bucket_policy = BucketPolicy(name="mypolicy",
                                     bucket=bucket_ref,
                                     policy_document=policy_doc)
        assert bucket_policy.properties

    check("mybucket")
    check(Bucket(name="mybucket"))
def test_create_instance_profile():
    """Create a basic instance role that gets read access to one bucket."""
    bucket = Bucket("MyBucket")
    # NOTE(review): "s3:ListObjects" does not look like an IAM action name
    # (listing is covered by s3:ListBucket); harmless in a rendering test,
    # but confirm before reusing this statement in a real policy.
    actions = ["s3:ListBucket", "s3:GetObject", "s3:ListObjects"]
    doc = PolicyDocument()
    doc.append(Allow().to(actions).on(bucket.arn))
    role = InstanceRole("InstRole")
    role.add_policy(Policy("Pol", doc))
    assert role.body
def test_create_instance_profile():
    """Create a basic instance role that gets read access to one bucket."""
    bucket = Bucket('MyBucket')
    # NOTE(review): 's3:ListObjects' does not look like an IAM action name
    # (listing is covered by s3:ListBucket); harmless in a rendering test,
    # but confirm before reusing this statement in a real policy.
    actions = ['s3:ListBucket', 's3:GetObject', 's3:ListObjects']
    doc = PolicyDocument()
    doc.append(Allow().to(actions).on(bucket.arn))
    role = InstanceRole('InstRole')
    role.add_policy(Policy('Pol', doc))
    assert role.body
def test_create_fortress_no_bastion():
    """Build a Fortress without a bastion host and check it renders a body.

    EC2 ``describe_images`` calls are answered by a botocore stub, so the
    test never talks to AWS.
    """
    env = AWSEnv(regions=["us-east-1"], stub=True)
    with default_region("us-east-1"):
        ec2_stub = env.stub("ec2", region="us-east-1")
        # Queue two identical describe_images answers; the expected-params
        # matcher accepts any ImageIds filter.
        for _ in range(2):
            ec2_stub.add_response(
                "describe_images",
                {"Images": [{"ImageId": "ami-1234",
                             "RootDeviceName": "/dev/sda1",
                             "Tags": []}]},
                {"ImageIds": ANY},
            )

        # Read-only access to one external bucket for the private servers.
        doc = PolicyDocument().append(
            Allow(
                to="s3:GetObject",
                on=["arn:aws:s3:::mybucket", "arn:aws:s3:::mybucket/*"],
            ))
        internal_policy = Policy("InternalPolicy", doc)

        fortress = Fortress("myfortress",
                            bastion_ami=None,
                            internal_server_policy=internal_policy)
        fortress += Bucket("Bucket2")
        # S3 endpoint access to the external bucket and the one just added.
        fortress.private_subnet.add_bucket_access(
            ["mybucket", fortress["Bucket2"]])
        # Secrets Manager endpoint access to one secret.
        fortress.add_secret_access("arn_secret")
        # Outbound HTTPS for the private subnet.
        fortress.add_network_access("https")
        fortress.add_private_server(AMI("ami-1234"), ["server1", "server2"])
        assert fortress.body
def test_stack_compose():
    """Adding one stack to another pulls the child's resources into the parent."""
    parent = Stack(name='teststack')
    child = Stack(name='teststack2')
    # Chained add() on the child, then merge the child into the parent.
    child.add(Bucket('bucket1')).add(Bucket('bucket2'))
    parent += child
    resources = parent.export()['Resources']
    assert len(resources) == 2
def test_create_bucket():
    """A private, versioned bucket with an explicit name renders its properties."""
    options = dict(
        access_control=AccessControl.PRIVATE,
        bucket_name='myname',
        versioning=True,
    )
    bucket = Bucket('mybucket', **options)
    assert bucket.properties
def test_stack_compose():
    """Adding one stack to another pulls the child's resources into the parent."""
    parent = Stack(name="teststack")
    child = Stack(name="teststack2")
    # Chained add() on the child, then merge the child into the parent.
    child.add(Bucket("bucket1")).add(Bucket("bucket2"))
    parent += child
    resources = parent.export()["Resources"]
    assert len(resources) == 2