def test_can_update_managed_role(self):
role = models.ManagedIAMRole(
resource_name='resource_name',
role_name='myrole',
trust_policy={},
policy=models.AutoGenIAMPolicy(document={'role': 'policy'}),
)
self.remote_state.declare_resource_exists(role, role_arn='myrole:arn')
plan = self.determine_plan(role)
assert plan[0] == models.StoreValue(name='myrole_role_arn',
value='myrole:arn')
self.assert_apicall_equals(
plan[1],
models.APICall(
method_name='put_role_policy',
params={
'role_name': 'myrole',
'policy_name': 'myrole',
'policy_document': {
'role': 'policy'
}
},
))
assert plan[-2].variable_name == 'myrole_role_arn'
assert plan[-1].value == 'myrole'
assert list(self.last_plan.messages.values()) == [
'Updating policy for IAM role: myrole\n'
]
def test_can_plan_for_iam_role_creation(self):
self.remote_state.declare_no_resources_exists()
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.AutoGenIAMPolicy(document={'iam': 'policy'}),
)
plan = self.determine_plan(resource)
expected = models.APICall(
method_name='create_role',
params={
'name': 'myrole',
'trust_policy': {
'trust': 'policy'
},
'policy': {
'iam': 'policy'
}
},
)
self.assert_apicall_equals(plan[0], expected)
assert list(self.last_plan.messages.values()) == [
'Creating IAM role: myrole\n'
]
def _create_role_reference(self, config, stage_name, function_name):
# type: (Config, str, str) -> models.IAMRole
# First option, the user doesn't want us to manage
# the role at all.
if not config.manage_iam_role:
# We've already validated the iam_role_arn is provided
# if manage_iam_role is set to False.
return models.PreCreatedIAMRole(role_arn=config.iam_role_arn, )
policy = models.IAMPolicy()
if not config.autogen_policy:
resource_name = 'role-%s' % function_name
role_name = '%s-%s-%s' % (config.app_name, stage_name,
function_name)
if config.iam_policy_file is not None:
filename = os.path.join(config.project_dir, '.chalice',
config.iam_policy_file)
else:
filename = os.path.join(config.project_dir, '.chalice',
'policy-%s.json' % stage_name)
policy = models.FileBasedIAMPolicy(filename=filename)
else:
resource_name = 'default-role'
role_name = '%s-%s' % (config.app_name, stage_name)
policy = models.AutoGenIAMPolicy(
document=models.Placeholder.BUILD_STAGE)
return models.ManagedIAMRole(
resource_name=resource_name,
role_name=role_name,
trust_policy=LAMBDA_TRUST_POLICY,
policy=policy,
)
def test_sam_injects_policy(self, sample_app):
function = models.LambdaFunction(
resource_name='foo',
function_name='app-dev-foo',
environment_variables={},
runtime='python27',
handler='app.app',
tags={'foo': 'bar'},
timeout=120,
memory_size=128,
deployment_package=models.DeploymentPackage(filename='foo.zip'),
role=models.ManagedIAMRole(
resource_name='role',
role_name='app-role',
trust_policy={},
policy=models.AutoGenIAMPolicy(document={'iam': 'policy'}),
),
security_group_ids=[],
subnet_ids=[],
)
template = self.template_gen.generate_sam_template([function])
cfn_resource = list(template['Resources'].values())[0]
assert cfn_resource == {
'Type': 'AWS::Serverless::Function',
'Properties': {
'CodeUri': 'foo.zip',
'Handler': 'app.app',
'MemorySize': 128,
'Role': {'Fn::GetAtt': ['Role', 'Arn']},
'Runtime': 'python27',
'Tags': {'foo': 'bar'},
'Timeout': 120
},
}
def test_can_create_plan_for_filebased_role(self):
self.remote_state.declare_no_resources_exists()
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json'),
)
self.osutils.get_file_contents.return_value = '{"iam": "policy"}'
plan = self.determine_plan(resource)
expected = models.APICall(
method_name='create_role',
params={
'name': 'myrole',
'trust_policy': {
'trust': 'policy'
},
'policy': {
'iam': 'policy'
}
},
)
self.assert_apicall_equals(plan[0], expected)
assert list(self.last_plan.messages.values()) == [
'Creating IAM role: myrole\n'
]
def test_role_exists(self):
self.client.get_role_arn_for_name.return_value = 'role:arn'
role = models.ManagedIAMRole('my_role',
role_name='app-dev',
trust_policy={},
policy=None)
assert self.remote_state.resource_exists(role)
self.client.get_role_arn_for_name.assert_called_with('app-dev')
def test_role_does_not_exist(self):
client = self.client
client.get_role_arn_for_name.side_effect = ResourceDoesNotExistError()
role = models.ManagedIAMRole('my_role',
role_name='app-dev',
trust_policy={},
policy=None)
assert not self.remote_state.resource_exists(role)
self.client.get_role_arn_for_name.assert_called_with('app-dev')
def test_error_raised_when_filebased_policy_not_exist(self):
self.remote_state.declare_no_resources_exists()
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json'),
)
self.osutils.get_file_contents.side_effect = IOError(
"File does not exist")
with pytest.raises(RuntimeError):
self.determine_plan(resource)
def test_can_set_variables_when_needed(self):
function = create_function_resource('function_name')
self.remote_state.declare_no_resources_exists()
function.role = models.ManagedIAMRole(
resource_name='myrole',
role_name='myrole-dev',
trust_policy={'trust': 'policy'},
policy=models.FileBasedIAMPolicy(filename='foo.json'),
)
plan = self.determine_plan(function)
call = plan[0]
assert call.method_name == 'create_function'
# The params are verified in test_can_create_function,
# we just care about how the role_arn Variable is constructed.
role_arn = call.params['role_arn']
assert isinstance(role_arn, Variable)
assert role_arn.name == 'myrole-dev_role_arn'
def test_autogen_policy_for_function(self, sample_app_lambda_only):
# This test is just a sanity test that verifies all the params
# for an ManagedIAMRole. The various combinations for role
# configuration is all tested via RoleTestCase.
config = self.create_config(sample_app_lambda_only,
autogen_policy=True)
builder = ApplicationGraphBuilder()
application = builder.build(config, stage_name='dev')
function = application.resources[0]
role = function.role
# We should have linked a ManagedIAMRole
assert isinstance(role, models.ManagedIAMRole)
assert role == models.ManagedIAMRole(
resource_name='default-role',
role_name='lambda-only-dev',
trust_policy=LAMBDA_TRUST_POLICY,
policy=models.AutoGenIAMPolicy(models.Placeholder.BUILD_STAGE),
)
def test_managed_iam_role(self):
role = models.ManagedIAMRole(
resource_name='default_role',
role_name='app-dev',
trust_policy=LAMBDA_TRUST_POLICY,
policy=models.AutoGenIAMPolicy(document={'iam': 'policy'}),
)
template = self.template_gen.generate_sam_template([role])
resources = template['Resources']
assert len(resources) == 1
cfn_role = resources['DefaultRole']
assert cfn_role['Type'] == 'AWS::IAM::Role'
assert cfn_role['Properties']['Policies'] == [
{'PolicyName': 'DefaultRolePolicy',
'PolicyDocument': {'iam': 'policy'}}
]
# Ensure the RoleName is not in the resource properties
# so we don't require CAPABILITY_NAMED_IAM.
assert 'RoleName' not in cfn_role['Properties']
def test_dynamically_lookup_iam_role(self):
remote_state = RemoteState(
self.client,
DeployedResources(
{'resources': [{
'name': 'rest_api',
'rest_api_id': 'foo'
}]}))
resource = models.ManagedIAMRole(
resource_name='default-role',
role_name='myrole',
trust_policy={'trust': 'policy'},
policy=models.AutoGenIAMPolicy(document={'iam': 'policy'}),
)
self.client.get_role_arn_for_name.return_value = 'my-role-arn'
values = remote_state.resource_deployed_values(resource)
assert values == {
'name': 'default-role',
'resource_type': 'iam_role',
'role_arn': 'my-role-arn',
'role_name': 'myrole'
}
def test_can_update_file_based_policy(self):
role = models.ManagedIAMRole(
resource_name='resource_name',
role_name='myrole',
trust_policy={},
policy=models.FileBasedIAMPolicy(filename='foo.json',
document={'iam': 'policy'}),
)
self.remote_state.declare_resource_exists(role, role_arn='myrole:arn')
plan = self.determine_plan(role)
assert plan[0] == models.StoreValue(name='myrole_role_arn',
value='myrole:arn')
self.assert_apicall_equals(
plan[1],
models.APICall(
method_name='put_role_policy',
params={
'role_name': 'myrole',
'policy_name': 'myrole',
'policy_document': {
'iam': 'policy'
}
},
))