added tests

moj-analytical-services · Dec 2, 2024 · 4ffed5b · 4ffed5b
1 parent 42b720a
commit 4ffed5b
Show file tree

Hide file tree

Showing 8 changed files with 179 additions and 137 deletions.
diff --git a/README.md b/README.md
@@ -55,6 +55,10 @@ glue_job: true
 
 secrets: true
 
+secretsmanager: 
+  read_only:
+    - test_secret_name
+
 s3:
   read_only:
     - test_bucket_read_only/*
@@ -125,7 +129,7 @@ Whilst the example json (`iam_config.json`) looks like this:
   - **deny:** A list of s3 paths that the iam_role should _not_ be able to access. This should be used to add exceptions to wildcarded access to folders, for example excluding sensitive tables in order to provide basic access to a database. Each item in the list should either be a path to a object or finish with `/*` to denote that it can access everything within that directory. _Note the S3 paths don't start with `s3://` in the config._
 
 - **kms:** A list of kms arns that the iam_role should be able to access. Can call the DescribeKey, GenerateDataKey, Decrypt, Encrypt and ReEncrypt
-  operations.
+- **secretsmanager:** A secret that the iam_role should be able to access. Can call the GetSecretValue, DescribeSecret and ListSecrets operations.
 
 - **bedrock:** Boolean; must be set to `true` to allow role to interact with Amazon Bedrock. If `false` or absent role will not be able to interact with Amazon Bedrock.
 

diff --git a/iam_builder/iam_builder.py b/iam_builder/iam_builder.py
@@ -99,11 +99,11 @@ def build_iam_policy(config: dict) -> dict:  # noqa: C901
                 config["secretsmanager"]["read_only"]
             )
             iam["Statement"].append(secretsmanager_read_only)
-
-        # Deal with write only access
-        if "write_only" in config["secretsmanager"]:
+        else:
             raise ValueError(
-                "These levels of access have not been implemented in iam_builder."
+                f"requested access level {config["secretsmanager"]} is not yet "
+                "implemented for SecretsManager in iam_builder, try specifying ‘"
+                "read_only’ instead."
             )
 
     if "kms" in config:

diff --git a/poetry.lock b/poetry.lock
diff --git a/pyproject.toml b/pyproject.toml
@@ -1,6 +1,6 @@
 [tool.poetry]
 name = "iam_builder"
-version = "4.9.0"
+version = "4.9.1"
 description = "A lil python package to generate iam policies"
 authors = ["Karik Isichei <[email protected]>"]
 license = "MIT"

diff --git a/tests/expected_policy/secretsmanager_read_only.json b/tests/expected_policy/secretsmanager_read_only.json
@@ -0,0 +1,17 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "readSecretsmanager",
+            "Effect": "Allow",
+            "Action": [
+                "secretsmanager:GetSecretValue",
+                "secretsmanager:DescribeSecret",
+                "secretsmanager:ListSecrets"
+            ],
+            "Resource": [
+                "arn:aws:secretsmanager:*:*:secret:test_secret"
+            ]
+        }
+    ]
+}
diff --git a/tests/test_config/bad_secrestmanager_read_write.yaml b/tests/test_config/bad_secrestmanager_read_write.yaml
@@ -0,0 +1,3 @@
+iam_role_name: an_iam_role_name
+
+secretsmanager: read_write
diff --git a/tests/test_config/bad_secrestmanager_write_only.yaml b/tests/test_config/bad_secrestmanager_write_only.yaml
@@ -0,0 +1,3 @@
+iam_role_name: an_iam_role_name
+
+secretsmanager: write_only
diff --git a/tests/test_config/secrestmanager_read_only.yaml b/tests/test_config/secrestmanager_read_only.yaml
@@ -0,0 +1,3 @@
+iam_role_name: an_iam_role_name
+
+secretsmanager: read_only
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		iam_role_name: an_iam_role_name

		secretsmanager: read_write
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		iam_role_name: an_iam_role_name

		secretsmanager: write_only
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,3 @@
		iam_role_name: an_iam_role_name

		secretsmanager: read_only