def _update_role_with_latest_policy(self, app_name, config):
    # type: (str, Config) -> None
    """Regenerate the app's execution policy and write it to the IAM role.

    The policy is built by ``self._app_policy`` from the app source, diffed
    against the last recorded policy, and every action that would be added
    or removed is printed.  When anything changed the user is asked to
    confirm before IAM is touched; the new policy is then recorded as the
    baseline for the next deploy.

    :param app_name: Used as both the IAM role name and the inline policy
        name.
    :param config: Deployment config handed to the policy helpers.
    """
    print("Updating IAM policy.")
    app_policy = self._app_policy.generate_policy_from_app_source(config)
    previous = self._app_policy.load_last_policy(config)
    diff = policy.diff_policies(previous, app_policy)
    if diff:
        sections = (
            ('added', "\nThe following actions will be added to "
                      "the execution policy:\n"),
            ('removed', "\nThe following action will be removed from "
                        "the execution policy:\n"),
        )
        for key, banner in sections:
            changed = diff.get(key, set([]))
            if not changed:
                continue
            print(banner)
            for action in changed:
                print(action)
        # Privilege changes are applied only after an explicit yes; abort=True
        # presumably raises out of the deploy on a decline — confirm in Prompter.
        self._prompter.confirm("\nWould you like to continue? ",
                               default=True, abort=True)
    # NOTE(review): the delete runs before the put, so a failed put (or the
    # moment between the two calls) leaves the role with no inline policy.
    # IAM's PutRolePolicy replaces an existing inline policy of the same name,
    # so the delete looks redundant — confirm the wrapper's semantics first.
    self._aws_client.delete_role_policy(role_name=app_name,
                                        policy_name=app_name)
    self._aws_client.put_role_policy(role_name=app_name,
                                     policy_name=app_name,
                                     policy_document=app_policy)
    self._app_policy.record_policy(config, app_policy)
def _update_role_with_latest_policy(self, app_name, config):
    # type: (str, Dict[str, Any]) -> None
    """Regenerate the app's execution policy and write it to the IAM role.

    The policy comes from ``_get_policy_from_source_code``, is diffed
    against the last recorded policy, and every action that would be added
    or removed is printed.  When anything changed the user is asked to
    confirm before IAM is touched; the new policy is then recorded as the
    baseline for the next deploy.

    :param app_name: Used as both the IAM role name and the inline policy
        name.
    :param config: Deployment config handed to the policy helpers.
    """
    # Single-argument print() behaves the same under Python 2's print
    # statement and Python 3.
    print("Updating IAM policy.")
    app_policy = self._get_policy_from_source_code(config)
    previous = self._load_last_policy(config)
    diff = policy.diff_policies(previous, app_policy)
    if diff:
        sections = (
            ('added', "\nThe following actions will be added to "
                      "the execution policy:\n"),
            ('removed', "\nThe following action will be removed from "
                        "the execution policy:\n"),
        )
        for key, banner in sections:
            changed = diff.get(key, [])
            if not changed:
                continue
            print(banner)
            for action in changed:
                print(action)
        # Privilege changes are applied only after an explicit yes; abort=True
        # presumably raises out of the deploy on a decline — confirm in Prompter.
        self._prompter.confirm("\nWould you like to continue? ",
                               default=True, abort=True)
    iam = self._client('iam')
    # NOTE(review): the delete runs before the put, so a failed put (or the
    # moment between the two calls) leaves the role with no inline policy.
    # IAM's PutRolePolicy replaces an existing inline policy of the same name,
    # so the delete looks redundant — confirm before removing it.
    iam.delete_role_policy(RoleName=app_name, PolicyName=app_name)
    iam.put_role_policy(RoleName=app_name, PolicyName=app_name,
                        PolicyDocument=json.dumps(app_policy, indent=2))
    self._record_policy(config, app_policy)
def _update_role_with_latest_policy(self, app_name, config):
    # type: (str, Config) -> None
    """Regenerate the app's execution policy and write it to the IAM role.

    The policy comes from ``_get_policy_from_source_code``, is diffed
    against the last recorded policy, and every action that would be added
    or removed is printed.  When anything changed the user is asked to
    confirm before IAM is touched; the new policy is then recorded as the
    baseline for the next deploy.

    :param app_name: Used as both the IAM role name and the inline policy
        name.
    :param config: Deployment config handed to the policy helpers.
    """
    # Single-argument print() behaves the same under Python 2's print
    # statement and Python 3.
    print("Updating IAM policy.")
    app_policy = self._get_policy_from_source_code(config)
    previous = self._load_last_policy(config)
    diff = policy.diff_policies(previous, app_policy)
    if diff:
        sections = (
            ('added', "\nThe following actions will be added to "
                      "the execution policy:\n"),
            ('removed', "\nThe following action will be removed from "
                        "the execution policy:\n"),
        )
        for key, banner in sections:
            changed = diff.get(key, set([]))
            if not changed:
                continue
            print(banner)
            for action in changed:
                print(action)
        # Privilege changes are applied only after an explicit yes; abort=True
        # presumably raises out of the deploy on a decline — confirm in Prompter.
        self._prompter.confirm("\nWould you like to continue? ",
                               default=True, abort=True)
    # NOTE(review): the delete runs before the put, so a failed put (or the
    # moment between the two calls) leaves the role with no inline policy.
    # IAM's PutRolePolicy replaces an existing inline policy of the same name,
    # so the delete looks redundant — confirm the wrapper's semantics first.
    self._aws_client.delete_role_policy(role_name=app_name,
                                        policy_name=app_name)
    self._aws_client.put_role_policy(role_name=app_name,
                                     policy_name=app_name,
                                     policy_document=app_policy)
    self._record_policy(config, app_policy)
def _update_role_with_latest_policy(self, app_name, config):
    # type: (str, Dict[str, Any]) -> None
    """Regenerate the app's execution policy and write it to the IAM role.

    The policy comes from ``_get_policy_from_source_code``, is diffed
    against the last recorded policy, and every action that would be added
    or removed is printed.  When anything changed the user is asked to
    confirm before IAM is touched; the new policy is then recorded as the
    baseline for the next deploy.

    :param app_name: Used as both the IAM role name and the inline policy
        name.
    :param config: Deployment config handed to the policy helpers.
    """
    # Single-argument print() behaves the same under Python 2's print
    # statement and Python 3.
    print("Updating IAM policy.")
    app_policy = self._get_policy_from_source_code(config)
    previous = self._load_last_policy(config)
    diff = policy.diff_policies(previous, app_policy)
    if diff:
        sections = (
            ('added', "\nThe following actions will be added to "
                      "the execution policy:\n"),
            ('removed', "\nThe following action will be removed from "
                        "the execution policy:\n"),
        )
        for key, banner in sections:
            changed = diff.get(key, [])
            if not changed:
                continue
            print(banner)
            for action in changed:
                print(action)
        # Privilege changes are applied only after an explicit yes; abort=True
        # presumably raises out of the deploy on a decline — confirm in Prompter.
        self._prompter.confirm("\nWould you like to continue? ",
                               default=True, abort=True)
    iam = self._client('iam')
    # NOTE(review): the delete runs before the put, so a failed put (or the
    # moment between the two calls) leaves the role with no inline policy.
    # IAM's PutRolePolicy replaces an existing inline policy of the same name,
    # so the delete looks redundant — confirm before removing it.
    iam.delete_role_policy(RoleName=app_name, PolicyName=app_name)
    iam.put_role_policy(RoleName=app_name, PolicyName=app_name,
                        PolicyDocument=json.dumps(app_policy, indent=2))
    self._record_policy(config, app_policy)
def test_can_diff_multiple_services():
    """Added and removed actions are reported together across several services.

    Actions present only in the new policy land in ``added``; actions present
    only in the old one land in ``removed``.  Note that the SDK-style method
    names given to ``iam_policy`` map to IAM action names in the diff
    (e.g. ``list_objects`` shows up as ``s3:ListBucket`` here).
    """
    before = iam_policy({
        's3': {'list_buckets'},
        'dynamodb': {'create_table'},
        'cloudformation': {'create_stack', 'delete_stack'},
    })
    after = iam_policy({
        's3': {'list_buckets', 'list_objects'},
        'cloudformation': {'create_stack', 'update_stack'},
    })
    expected = {
        'added': {'s3:ListBucket', 'cloudformation:UpdateStack'},
        'removed': {'cloudformation:DeleteStack', 'dynamodb:CreateTable'},
    }
    diff = diff_policies(before, after)
    assert diff == expected
def test_can_diff_policy_added():
    """A policy that only gains actions yields an ``added`` key and nothing else."""
    before = iam_policy({'s3': {'list_buckets'}})
    after = iam_policy({'s3': {'list_buckets', 'list_objects'}})
    diff = diff_policies(before, after)
    assert diff == {'added': {'s3:ListBucket'}}
def test_no_changes():
    """Identical policies diff to an empty dict (falsy, so no prompt is needed)."""
    actions = {'s3': {'list_buckets', 'list_objects'}}
    before = iam_policy(actions)
    after = iam_policy(actions)
    diff = diff_policies(before, after)
    assert diff == {}
def test_can_diff_policy_removed():
    """A policy that only loses actions yields a ``removed`` key and nothing else."""
    before = iam_policy({'s3': {'list_buckets', 'list_objects'}})
    after = iam_policy({'s3': {'list_buckets'}})
    diff = diff_policies(before, after)
    assert diff == {'removed': {'s3:ListBucket'}}