Merge pull request #110 from zalando-stups/additional_attached_policies

Create additional_attached_policies config
zalando-stups · Apr 27, 2021 · 5285e92 · 5285e92
2 parents 91d79a3 + 4762b79
commit 5285e92
Show file tree

Hide file tree

Showing 3 changed files with 57 additions and 3 deletions.
diff --git a/sevenseconds/cli.py b/sevenseconds/cli.py
@@ -14,7 +14,7 @@
 from .config.configure import start_configuration, start_cleanup
 
 CONTEXT_SETTINGS = dict(help_option_names=['-h', '--help'])
-SUPPORTED_CONFIG_VERSION = 8
+SUPPORTED_CONFIG_VERSION = 9
 
 
 def print_version(ctx, param, value):

diff --git a/sevenseconds/config/iam.py b/sevenseconds/config/iam.py
@@ -36,6 +36,19 @@ def effective_roles(config):
     return roles
 
 
+def effective_attached_policies(config, role_name, role_cfg):
+    """Merge the attached_policies for a role and
+    additional_attached_policies found in the account config for the
+    given role. Note it might return duplicates."""
+    attached_policies = role_cfg.get("attached_policies", [])
+    additional_attached_policies = []
+    for additional_attached_policy in config.get("additional_attached_policies", []):
+        role = additional_attached_policy["role"]
+        if role == role_name:
+            additional_attached_policies += additional_attached_policy.get("policies", [])
+    return attached_policies + additional_attached_policies
+
+
 def configure_iam_policy(account: AccountData):
     iam = account.session.resource('iam')
     sts = account.session.client('sts')
@@ -100,9 +113,11 @@ def configure_iam_policy(account: AccountData):
                     updated_assume_role_policy_document = json.dumps(expected_assume_role_policy_document)
                     iam.AssumeRolePolicy(role_name).update(PolicyDocument=updated_assume_role_policy_document)
 
+            configured_attached_policies = effective_attached_policies(account.config, role_name, role_cfg)
             attached_policies = set(p.arn for p in role.attached_policies.all())
-            expected_attached_policies = set(policy.replace('{account_id}', account.id)
-                                             for policy in role_cfg.get("attached_policies", []))
+            expected_attached_policies = set(
+                policy.replace("{account_id}", account.id) for policy in configured_attached_policies
+            )
             if attached_policies != expected_attached_policies:
                 with ActionOnExit('Updating attached policies for {role_name}..', **vars()) as act:
                     for arn in attached_policies - expected_attached_policies:

diff --git a/tests/test_iam.py b/tests/test_iam.py
@@ -4,6 +4,9 @@
 
 SAMPLE_ROLES = {
     "Shibboleth-Administrator": {
+        "attached_policies": [
+            "arn:aws:iam::aws:policy/AdminDefaultPolicy"
+        ],
         "policy": {
             "Statement": [
                 {"Effect": "Allow", "Resource": "Test", "Action": "foo:*"},
@@ -12,6 +15,9 @@
         }
     },
     "Shibboleth-PowerUser": {
+        "attached_policies": [
+            "arn:aws:iam::aws:policy/PowerUserDefaultPolicy"
+        ],
         "policy": {
             "Statement": [{"Effect": "Allow", "Resource": "Test", "Action": "baz:*"},]
         }
@@ -29,6 +35,13 @@
     },
 ]
 
+SAMPLE_ATTACHED_POLICIES = [
+    {
+        "role": "Shibboleth-PowerUser",
+        "policies": ["arn:aws:iam::aws:policy/PolicyA", "arn:aws:iam::aws:policy/PolicyB"],
+    }
+]
+
 
 def test_effective_policies_merge():
     config = {
@@ -37,6 +50,9 @@ def test_effective_policies_merge():
     }
     expected = {
         "Shibboleth-Administrator": {
+            "attached_policies": [
+               "arn:aws:iam::aws:policy/AdminDefaultPolicy"
+            ],
             "policy": {
                 "Statement": [
                     {"Effect": "Allow", "Resource": "Test", "Action": "foo:*"},
@@ -47,6 +63,9 @@ def test_effective_policies_merge():
             }
         },
         "Shibboleth-PowerUser": {
+            "attached_policies": [
+               "arn:aws:iam::aws:policy/PowerUserDefaultPolicy",
+            ],
             "policy": {
                 "Statement": [
                     {"Effect": "Allow", "Resource": "Test", "Action": "baz:*"},
@@ -61,6 +80,26 @@ def test_effective_policies_merge():
     assert 2 == len(config["roles"]["Shibboleth-Administrator"]["policy"]["Statement"])
 
 
+def test_effective_attached_policies_merge():
+    config = {
+        "roles": SAMPLE_ROLES,
+        "additional_attached_policies": SAMPLE_ATTACHED_POLICIES,
+    }
+    expected = {
+        "Shibboleth-Administrator": [
+            "arn:aws:iam::aws:policy/AdminDefaultPolicy",
+        ],
+        "Shibboleth-PowerUser": [
+           "arn:aws:iam::aws:policy/PowerUserDefaultPolicy",
+            "arn:aws:iam::aws:policy/PolicyA",
+            "arn:aws:iam::aws:policy/PolicyB"
+        ]
+    }
+
+    for role_name, role_cfg in SAMPLE_ROLES.items():
+        assert expected[role_name] == iam.effective_attached_policies(config, role_name,role_cfg)
+
+
 @pytest.mark.parametrize(
     "roles",
     [