
add iam_role_policy_attachment
nakamasato committed Nov 10, 2019
1 parent 518879d commit 4dc2401
Showing 4 changed files with 170 additions and 0 deletions.
1 change: 1 addition & 0 deletions lib/terraforming.rb
Expand Up @@ -45,6 +45,7 @@
require "terraforming/resource/iam_policy_attachment"
require "terraforming/resource/iam_role"
require "terraforming/resource/iam_role_policy"
require "terraforming/resource/iam_role_policy_attachment"
require "terraforming/resource/iam_user"
require "terraforming/resource/iam_user_policy"
require "terraforming/resource/kms_alias"
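--- /dev/null
+++ b/lib/terraforming/resource/iam_role_policy_attachment.rb
@@ -0,0 +1,72 @@
+module Terraforming
+module Resource
+class IamRolePolicyAttachment
+include Terraforming::Util
+
+def self.tf(client: Aws::IAM::Client.new)
+self.new(client).tf
+end
+
+def self.tfstate(client: Aws::IAM::Client.new)
+self.new(client).tfstate
+end
+
+def initialize(client)
+@client = client
+end
+
+def tf
+apply_template(@client, "tf/iam_role_policy_attachment")
+end
+
+def tfstate
+iam_role_policy_attachments.inject({}) do |resources, role_policy_attachment|
+attributes = {
+"id" => role_policy_attachment[:name],
+"policy_arn" => role_policy_attachment[:policy_arn],
+"role" => role_policy_attachment[:role]
+}
+resources["aws_iam_role_policy_attachment.#{module_name_of(role_policy_attachment)}"] = {
+"type" => "aws_iam_role_policy_attachment",
+"primary" => {
+"id" => role_policy_attachment[:name],
+"attributes" => attributes
+}
+}
+
+resources
+end
+end
+
+private
+
+def attachment_name_from(role, policy)
+"#{role.role_name}-#{policy.policy_name}-attachment"
+end
+
+def iam_roles
+@client.list_roles.map(&:roles).flatten
+end
+
+def policies_attached_to(role)
+@client.list_attached_role_policies(role_name: role.role_name).attached_policies
+end
+
+def iam_role_policy_attachments
+iam_roles.map do |role|
+policies_attached_to(role).map do |policy|
+{
+role: role.role_name,
+policy_arn: policy.policy_arn,
+name: attachment_name_from(role, policy)
+}
+end
+end.flatten
+end
+
+def module_name_of(role_policy_attachment)
+normalize_module_name(role_policy_attachment[:name])
+end
+end
+end
+end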
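Review bot: The state key built in `tfstate` and the resource name emitted by the template both come from `attachment_name_from`, which joins `role_name` and `policy_name` with `-`, and IAM permits `-` inside both names, so two distinct attachments (role `a-b` with policy `c`, role `a` with policy `b-c`) collapse to the same `a-b-c-attachment` string. Because `tfstate` folds into a Hash, the second attachment silently overwrites the first and the generated state omits an attachment that really exists in the account, while `tf` emits two resources with the same name, which Terraform rejects as a duplicate definition; `normalize_module_name` can only widen that overlap. At minimum detect the collision instead of dropping it: `key = "aws_iam_role_policy_attachment.#{module_name_of(role_policy_attachment)}"` followed by `raise "duplicate attachment name: #{key}" if resources.key?(key)` before the assignment in `tfstate`. Since `attachment_name_from` receives the policy object, a less collision-prone scheme could use `policy.policy_arn` (account plus path plus name) rather than the bare name. Whether the sibling `iam_role_policy` resource in this gem follows the same naming convention is outside this hunk.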
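--- /dev/null
+++ b/lib/terraforming/template/tf/iam_role_policy_attachment.erb
@@ -0,0 +1,7 @@
+<% iam_role_policy_attachments.each do |role_policy_attachment| -%>
+resource "aws_iam_role_policy_attachment" "<%= module_name_of(role_policy_attachment) %>" {
+policy_arn = "<%= role_policy_attachment[:policy_arn] %>"
+role = "<%= role_policy_attachment[:role] %>"
+}
+
+<% end -%>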
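--- /dev/null
+++ b/spec/lib/terraforming/resource/iam_role_policy_attachment_spec.rb
@@ -0,0 +1,90 @@
+require "spec_helper"
+
+module Terraforming
+module Resource
+describe IamRolePolicyAttachment do
+let(:client) do
+Aws::IAM::Client.new(stub_responses: true)
+end
+
+let(:roles) do
+[
+{
+path: "/",
+role_name: "hoge_role",
+role_id: "ABCDEFGHIJKLMN1234567",
+arn: "arn:aws:iam::123456789012:role/hoge_role",
+create_date: Time.parse("2015-04-01 12:34:56 UTC"),
+assume_role_policy_document: "%7B%22Version%22%3A%222008-10-17%22%2C%22Statement%22%3A%5B%7B%22Sid%22%3A%22%22%2C%22Effect%22%3A%22Allow%22%2C%22Principal%22%3A%7B%22Service%22%3A%22ec2.amazonaws.com%22%7D%2C%22Action%22%3A%22sts%3AAssumeRole%22%7D%5D%7D"
+},
+]
+end
+
+let(:list_attached_role_policies_hoge) do
+{
+attached_policies: [
+{
+policy_name: "hoge_policy",
+policy_arn: "arn:aws:iam::123456789012:policy/hoge-policy"
+},
+{
+policy_name: "fuga_policy",
+policy_arn: "arn:aws:iam::345678901234:policy/fuga-policy"
+}
+]
+}
+end
+
+before do
+client.stub_responses(:list_roles, roles: roles)
+client.stub_responses(:list_attached_role_policies, list_attached_role_policies_hoge)
+end
+
+describe ".tf" do
+it "should generate tf" do
+expect(described_class.tf(client: client)).to eq <<~EOS
+resource "aws_iam_role_policy_attachment" "hoge_role-hoge_policy-attachment" {
+policy_arn = "arn:aws:iam::123456789012:policy/hoge-policy"
+role = "hoge_role"
+}
+resource "aws_iam_role_policy_attachment" "hoge_role-fuga_policy-attachment" {
+policy_arn = "arn:aws:iam::345678901234:policy/fuga-policy"
+role = "hoge_role"
+}
+EOS
+end
+end
+
+describe ".tfstate" do
+it "should generate tfstate" do
+expect(described_class.tfstate(client: client)).to eq({
+"aws_iam_role_policy_attachment.hoge_role-hoge_policy-attachment" => {
+"type" => "aws_iam_role_policy_attachment",
+"primary" => {
+"id" => "hoge_role-hoge_policy-attachment",
+"attributes" => {
+"id" => "hoge_role-hoge_policy-attachment",
+"policy_arn" => "arn:aws:iam::123456789012:policy/hoge-policy",
+"role" => "hoge_role"
+}
+}
+},
+"aws_iam_role_policy_attachment.hoge_role-fuga_policy-attachment" => {
+"type" => "aws_iam_role_policy_attachment",
+"primary" => {
+"id" => "hoge_role-fuga_policy-attachment",
+"attributes" => {
+"id" => "hoge_role-fuga_policy-attachment",
+"policy_arn" => "arn:aws:iam::345678901234:policy/fuga-policy",
+"role" => "hoge_role"
+}
+}
+}
+})
+end
+end
+end
+end
+end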
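Review bot: The spec pins only the happy path of the `role_name-policy_name-attachment` naming scheme with a single role; a case with a role whose `attached_policies` is empty, and one with two roles whose names collide once joined with `-` (e.g. `a-b`/`c` and `a`/`b-c`), would document what the generator does when a role has nothing attached or two attachments map to the same key. Note that `stub_responses(:list_attached_role_policies, ...)` here answers every call with the same policies regardless of `role_name`, so a second role would need a per-call stub (the SDK accepts a callable that receives the request context, if the version pinned by this gem supports it) to receive different data. The cross-account `policy_arn` on `fuga-policy` is a useful fixture to keep, as it shows managed policies from another account are emitted verbatim.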
