fixed the tests
jnayak-moj committed Dec 3, 2024
1 parent ce9d653 commit c160d16
Showing 8 changed files with 22 additions and 12 deletions.
2 changes: 1 addition & 1 deletion README.md
Original file line number Diff line number Diff line change
Expand Up @@ -57,7 +57,7 @@ secrets: true

secretsmanager:
read_only:
- test_secret_name
- test_secret

s3:
read_only:
Expand Down
1 change: 1 addition & 0 deletions iam_builder/schemas/iam_schema.json
Original file line number Diff line number Diff line change
Expand Up @@ -96,6 +96,7 @@
"type": "string"
}
}
}
},
"bedrock": {
"description": "bedrock must be set to true to allow role to interact with Amazon Bedrock.",
Expand Down
9 changes: 7 additions & 2 deletions iam_builder/templates.py
Original file line number Diff line number Diff line change
Expand Up @@ -449,7 +449,12 @@ def get_kms_permissions(kms_arns: list) -> dict:
}
return policy

def get_secretsmanager_read_only_policy(secret_name: str) -> str:
def get_secretsmanager_read_only_policy(secret_name: list) -> dict:
# prepare segments that depend on dump bucket name
allow_list_of_secrets = []
allow_list_of_secrets.extend([
"arn:aws:secretsmanager:*:*:secret:" + secret + "*" for secret in secret_name
])
policy = {
"Sid": "readSecrets",
"Action": [
Expand All @@ -458,6 +463,6 @@ def get_secretsmanager_read_only_policy(secret_name: str) -> str:
"secretsmanager:ListSecrets",
],
"Effect": "Allow",
"Resource": f"arn:aws:secretsmanager:*:*:secret:{secret_name}*",
"Resource": allow_list_of_secrets
}
return policy
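Review bot: The trailing `*` in `"arn:aws:secretsmanager:*:*:secret:" + secret + "*"` matches every secret whose name begins with the configured name, so a `read_only` entry of `test_secret` also grants read on a secret named `test_secret_prod`; if the wildcard is only there to cover the six-character random suffix that Secrets Manager appends to the ARN, `secret + "-??????"` is the tighter form, and prefix matching should otherwise be documented as intended. An empty `read_only` list produces `"Resource": []`, which IAM rejects when the policy is attached, so a guard such as `if not secret_name: raise ValueError("secretsmanager.read_only must name at least one secret")` at the top of the function fails earlier and with a clearer message. The comment `# prepare segments that depend on dump bucket name` looks copied from another builder and should read `# one ARN pattern per configured secret name`; the `allow_list_of_secrets = []` plus `extend([...])` pair can be the list comprehension alone, and the parameter name `secret_name` now holds a list. The function body continues between the two hunks, and its `Action` list lies outside the visible lines.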
8 changes: 3 additions & 5 deletions tests/expected_policy/secretsmanager_read_only.json
Original file line number Diff line number Diff line change
Expand Up @@ -2,16 +2,14 @@
"Version": "2012-10-17",
"Statement": [
{
"Sid": "readSecretsmanager",
"Effect": "Allow",
"Sid": "readSecrets",
"Action": [
"secretsmanager:GetSecretValue",
"secretsmanager:DescribeSecret",
"secretsmanager:ListSecrets"
],
"Resource": [
"arn:aws:secretsmanager:*:*:secret:test_secret"
]
"Effect": "Allow",
"Resource": ["arn:aws:secretsmanager:*:*:secret:test_secret*"]
}
]
}
4 changes: 3 additions & 1 deletion tests/test_config/bad_secretsmanager_read_write.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
iam_role_name: an_iam_role_name

secretsmanager: read_write
secretsmanager:
read_write:

- test_secret
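Review bot: The new `read_write:` line carries trailing whitespace that the repository's yamllint step rejects, so this commit still fails the build despite its title; the same trailing spaces appear on the `write_only:` line in `tests/test_config/bad_secretsmanager_write_only.yaml` and the `read_only:` line in `tests/test_config/secretsmanager_read_only.yaml`. Stripping the whitespace on those three lines is the whole fix.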
4 changes: 3 additions & 1 deletion tests/test_config/bad_secretsmanager_write_only.yaml
Original file line number Diff line number Diff line change
@@ -1,3 +1,5 @@
iam_role_name: an_iam_role_name

secretsmanager: write_only
secretsmanager:
write_only:

- test_secret
4 changes: 2 additions & 2 deletions tests/test_config/secretsmanager_read_only.yaml
Original file line number Diff line number Diff line change
@@ -1,5 +1,5 @@
iam_role_name: an_iam_role_name

secretsmanager:
read_only:
- test/test_secret
read_only:

- test_secret
2 changes: 2 additions & 0 deletions tests/test_iam_builder.py
Original file line number Diff line number Diff line change
Expand Up @@ -25,6 +25,8 @@ def assert_config_as_expected(ut, config_name):
expected = json.load(f)

out = build_iam_policy(config)
print(expected)
print(out)
ut.assertDictEqual(out, expected)
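Review bot: The two `print(...)` calls added just before `ut.assertDictEqual(out, expected)` are debugging output left in a helper every config test goes through, so they print both policies on every passing run; `assertDictEqual` already emits a readable diff of the two dicts on failure, so the prints can simply be dropped. If the full generated policy is wanted on failure, `ut.assertDictEqual(out, expected, msg=json.dumps(out, indent=2))` ties it to the failing case without noise on success. `assert_config_as_expected` starts outside the hunk.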


Expand Down
