diff --git a/test/files/test_gh_204_multiple_resource_types_wildcards.json b/test/files/test_gh_204_multiple_resource_types_wildcards.json
deleted file mode 100644
index a85b65138..000000000
--- a/test/files/test_gh_204_multiple_resource_types_wildcards.json
+++ /dev/null
@@ -1,528 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "RdsReadDb", - "Effect": "Allow", - "Action": [ - "rds:DownloadDBLogFilePortion", - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadEs", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadOg", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadPg", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadProxy", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadRi", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadSecgrp", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadSnapshot", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadSubgrp", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsReadTargetgroup", - "Effect": "Allow", - "Action": [ - "rds:ListTagsForResource" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "MultMultNone", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "RdsWriteCluster", - "Effect": "Allow", - "Action": [ - "rds:AddRoleToDBCluster", - "rds:ApplyPendingMaintenanceAction", - 
"rds:BacktrackDBCluster", - "rds:CreateDBCluster", - "rds:CreateDBClusterEndpoint", - "rds:CreateDBClusterSnapshot", - "rds:CreateGlobalCluster", - "rds:DeleteDBCluster", - "rds:DeregisterDBProxyTargets", - "rds:FailoverDBCluster", - "rds:ModifyCurrentDBClusterCapacity", - "rds:ModifyDBCluster", - "rds:PromoteReadReplicaDBCluster", - "rds:RemoveFromGlobalCluster", - "rds:RemoveRoleFromDBCluster", - "rds:RestoreDBClusterFromS3", - "rds:RestoreDBClusterFromSnapshot", - "rds:RestoreDBClusterToPointInTime", - "rds:StartActivityStream", - "rds:StartDBCluster", - "rds:StopActivityStream", - "rds:StopDBCluster" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteDb", - "Effect": "Allow", - "Action": [ - "rds:AddRoleToDBInstance", - "rds:ApplyPendingMaintenanceAction", - "rds:CreateDBInstance", - "rds:CreateDBInstanceReadReplica", - "rds:CreateDBSnapshot", - "rds:DeleteDBInstance", - "rds:DeregisterDBProxyTargets", - "rds:ModifyDBInstance", - "rds:PromoteReadReplica", - "rds:RebootDBInstance", - "rds:RemoveRoleFromDBInstance", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:RestoreDBInstanceFromS3", - "rds:RestoreDBInstanceToPointInTime", - "rds:StartDBInstance", - "rds:StopDBInstance" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteEs", - "Effect": "Allow", - "Action": [ - "rds:AddSourceIdentifierToSubscription", - "rds:CreateEventSubscription", - "rds:DeleteEventSubscription", - "rds:ModifyEventSubscription", - "rds:RemoveSourceIdentifierFromSubscription" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteClusterpg", - "Effect": "Allow", - "Action": [ - "rds:CopyDBClusterParameterGroup", - "rds:CreateDBCluster", - "rds:CreateDBClusterParameterGroup", - "rds:DeleteDBClusterParameterGroup", - "rds:ModifyDBCluster", - "rds:ModifyDBClusterParameterGroup", - "rds:ResetDBClusterParameterGroup" - ], - "Resource": [ - 
"arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteClustersnapshot", - "Effect": "Allow", - "Action": [ - "rds:CopyDBClusterSnapshot", - "rds:CreateDBClusterSnapshot", - "rds:DeleteDBCluster", - "rds:DeleteDBClusterSnapshot", - "rds:ModifyDBClusterSnapshotAttribute", - "rds:RestoreDBClusterFromSnapshot" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWritePg", - "Effect": "Allow", - "Action": [ - "rds:CopyDBParameterGroup", - "rds:CreateDBInstance", - "rds:CreateDBParameterGroup", - "rds:DeleteDBParameterGroup", - "rds:ModifyDBInstance", - "rds:ModifyDBParameterGroup", - "rds:ResetDBParameterGroup" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteSnapshot", - "Effect": "Allow", - "Action": [ - "rds:CopyDBSnapshot", - "rds:CreateDBSnapshot", - "rds:DeleteDBSnapshot", - "rds:ModifyDBSnapshot", - "rds:ModifyDBSnapshotAttribute", - "rds:RestoreDBInstanceFromDBSnapshot" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteOg", - "Effect": "Allow", - "Action": [ - "rds:CopyOptionGroup", - "rds:CreateDBCluster", - "rds:CreateDBInstance", - "rds:CreateDBInstanceReadReplica", - "rds:CreateOptionGroup", - "rds:DeleteOptionGroup", - "rds:ModifyDBCluster", - "rds:ModifyDBInstance", - "rds:ModifyOptionGroup", - "rds:RestoreDBClusterFromSnapshot", - "rds:RestoreDBClusterToPointInTime", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:RestoreDBInstanceToPointInTime" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteSubgrp", - "Effect": "Allow", - "Action": [ - "rds:CreateDBCluster", - "rds:CreateDBInstance", - "rds:CreateDBInstanceReadReplica", - "rds:CreateDBSubnetGroup", - "rds:DeleteDBSubnetGroup", - "rds:ModifyDBSubnetGroup", - "rds:RestoreDBClusterToPointInTime", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:RestoreDBInstanceToPointInTime" - ], - "Resource": [ - 
"arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteClusterendpoint", - "Effect": "Allow", - "Action": [ - "rds:CreateDBClusterEndpoint", - "rds:DeleteDBClusterEndpoint", - "rds:ModifyDBClusterEndpoint" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteSecgrp", - "Effect": "Allow", - "Action": [ - "rds:CreateDBInstance", - "rds:CreateDBSecurityGroup", - "rds:DeleteDBSecurityGroup", - "rds:ModifyDBInstance", - "rds:RevokeDBSecurityGroupIngress" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteGlobalcluster", - "Effect": "Allow", - "Action": [ - "rds:CreateGlobalCluster", - "rds:DeleteGlobalCluster", - "rds:ModifyGlobalCluster", - "rds:RemoveFromGlobalCluster" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteProxy", - "Effect": "Allow", - "Action": [ - "rds:DeleteDBProxy", - "rds:DeregisterDBProxyTargets", - "rds:ModifyDBProxy" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteTargetgroup", - "Effect": "Allow", - "Action": [ - "rds:DeregisterDBProxyTargets", - "rds:ModifyDBProxyTargetGroup", - "rds:RegisterDBProxyTargets" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsWriteRi", - "Effect": "Allow", - "Action": [ - "rds:PurchaseReservedDBInstancesOffering" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListCluster", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBClusterBacktracks", - "rds:DescribeDBClusterEndpoints", - "rds:DescribeDBClusters", - "rds:DescribeDBProxyTargets", - "rds:DescribePendingMaintenanceActions" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListClusterendpoint", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBClusterEndpoints" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": 
"RdsListClusterpg", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBClusterParameterGroups", - "rds:DescribeDBClusterParameters" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListClustersnapshot", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBClusterSnapshotAttributes", - "rds:DescribeDBClusterSnapshots" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListDb", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBInstanceAutomatedBackups", - "rds:DescribeDBInstances", - "rds:DescribeDBLogFiles", - "rds:DescribeDBProxyTargets", - "rds:DescribeDBSnapshots", - "rds:DescribePendingMaintenanceActions", - "rds:DescribeValidDBInstanceModifications" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListPg", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBParameterGroups", - "rds:DescribeDBParameters" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListProxy", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBProxies", - "rds:DescribeDBProxyTargetGroups", - "rds:DescribeDBProxyTargets" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListTargetgroup", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBProxyTargets" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListSecgrp", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBSecurityGroups" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListSnapshot", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBSnapshotAttributes", - "rds:DescribeDBSnapshots" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListSubgrp", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBSubnetGroups" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListEs", - 
"Effect": "Allow", - "Action": [ - "rds:DescribeEventSubscriptions" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListGlobalcluster", - "Effect": "Allow", - "Action": [ - "rds:DescribeGlobalClusters" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListOg", - "Effect": "Allow", - "Action": [ - "rds:DescribeOptionGroupOptions", - "rds:DescribeOptionGroups" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - }, - { - "Sid": "RdsListRi", - "Effect": "Allow", - "Action": [ - "rds:DescribeReservedDBInstances" - ], - "Resource": [ - "arn:aws:rds:us-east-1:123456789012:*:*" - ] - } - ] -} diff --git a/test/writing/test_write_policy_library_usage.py b/test/writing/test_write_policy_library_usage.py index 0323267ac..77aefcff5 100644 --- a/test/writing/test_write_policy_library_usage.py +++ b/test/writing/test_write_policy_library_usage.py 
@@ -336,20 +336,31 @@ def test_gh_204_multiple_resource_types_wildcards(self):
             'list': ["arn:aws:rds:us-east-1:123456789012:*:*"]
         }
-        expected_results_file = os.path.abspath(
-            os.path.join(
-                os.path.dirname(__file__),
-                os.path.pardir,
-                "files",
-                "test_gh_204_multiple_resource_types_wildcards.json",
-            )
-        )
-
-        with open(expected_results_file, "r") as yaml_file:
-            expected_results = json.load(yaml_file)
-
         result = write_policy_with_template(crud_template)
-        # print(json.dumps(result, indent=4))
-        self.assertDictEqual(result, expected_results)
+        # Let's only check the read level ones, or that will get exhausting.
+        expected_statement_ids = [
+            "RdsReadDb",
+            "RdsReadEs",
+            "RdsReadOg",
+            "RdsReadPg",
+            "RdsReadProxy",
+            "RdsReadRi",
+            "RdsReadSecgrp",
+            "RdsReadSnapshot",
+            "RdsReadSubgrp",
+            "RdsReadTargetgroup",
+            "MultMultNone",
+        ]
+        # In the real world, we would want to minimize, but that would just result in two different Sids:
+        # RdsMult
+        # MultMultNone
+        # And in this test, we are trying to verify them individually to make sure they are not excluded.
+        # So we will skip --minimize just for this test.
+        policy = write_policy_with_template(crud_template)
+        statement_ids = []
+        for statement in policy.get("Statement"):
+            statement_ids.append(statement.get("Sid"))
+        for expected_sid in expected_statement_ids:
+            self.assertTrue(expected_sid in statement_ids)
 
     def test_gh_237_ssm_arns_with_paths(self):
         """test_gh_237_ssm_arns_with_paths: Test GitHub issue #204 with resource ARN paths"""
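Review bot: The replacement assertions at the end of the hunk only check that each expected Sid is present, so the test no longer pins what the generated statements actually grant — the deleted fixture verified that every RdsRead* statement is scoped to `arn:aws:rds:us-east-1:123456789012:*:*` and that `MultMultNone` (`iam:PassRole`) was the only statement on `"*"`, and a generator regression that widened a Resource or dropped an Action would now pass silently. The hunk also keeps the context line `result = write_policy_with_template(crud_template)` and then calls the generator a second time into `policy`, leaving `result` unused, and `self.assertTrue(expected_sid in statement_ids)` reports only "False is not true" on failure where `self.assertIn(expected_sid, statement_ids)` would name the missing Sid. I would index the statements by Sid from the existing `result` and, for the RDS read statements, additionally assert that the Resource still carries the account-scoped ARN visible in the template's `'list'` entry; the write/list statements could be pinned the same way if the template's other keys use the same ARN, which is not visible in this hunk. The test body starts above the hunk.
```python
        # … unchanged: expected_statement_ids and the minimize note …
        statements_by_sid = {s.get("Sid"): s for s in result.get("Statement")}
        for expected_sid in expected_statement_ids:
            self.assertIn(expected_sid, statements_by_sid)
        # Sid presence alone would not catch a statement whose Resource was
        # widened to "*"; pin the scoping of the RDS read statements as well.
        for sid in expected_statement_ids:
            if sid.startswith("RdsRead"):
                self.assertEqual(
                    statements_by_sid[sid]["Resource"],
                    ["arn:aws:rds:us-east-1:123456789012:*:*"],
                )
```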