import '@aws-cdk/assert/jest';
import { Construct, Stack } from '@aws-cdk/core';
import * as iam from '../lib';
// tslint:disable:object-literal-key-quotes
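/**
 * `Role.withoutPolicyUpdates()` returns an `IRole` wrapper whose permission
 * mutators (`attachInlinePolicy`, `addManagedPolicy`, `addToPolicy`, grants)
 * are silent no-ops. Every test here pins that contract by looking at the
 * synthesized template: nothing requested through the wrapper may appear,
 * while the same operation on the underlying mutable role still does.
 *
 * Security note: the wrapper does not throw, so a caller that "grants" to an
 * immutable role gets no signal that the permission was dropped. The
 * synthesized template, not the call site, is the source of truth for what
 * the role can actually do -- which is exactly what these assertions check.
 */
describe('ImmutableRole', () => {
  let stack: Stack;
  let mutableRole: iam.Role;
  let immutableRole: iam.IRole;

  beforeEach(() => {
    stack = new Stack();
    // The trust policy (AnyPrincipal) is irrelevant to these tests; only the
    // permission policies attached to the role are under test.
    mutableRole = new iam.Role(stack, 'MutableRole', {
      assumedBy: new iam.AnyPrincipal(),
    });
    immutableRole = mutableRole.withoutPolicyUpdates();
  });

  test('ignores calls to attachInlinePolicy', () => {
    const user = new iam.User(stack, 'User');
    const policy = new iam.Policy(stack, 'Policy', {
      statements: [new iam.PolicyStatement({
        resources: ['*'],
        actions: ['s3:*'],
      })],
      users: [user],
    });

    immutableRole.attachInlinePolicy(policy);

    // The policy resource still exists because it was created explicitly and
    // bound to the user; the assertion pins that binding. NOTE(review): whether
    // an unexpected `Roles` key on the resource would fail this match depends
    // on toHaveResource's handling of extra top-level keys -- confirm before
    // relying on it for the "not attached to the role" half of the contract.
    expect(stack).toHaveResource('AWS::IAM::Policy', {
      'PolicyDocument': {
        'Statement': [
          {
            'Action': 's3:*',
            'Resource': '*',
            'Effect': 'Allow',
          },
        ],
        'Version': '2012-10-17',
      },
      'PolicyName': 'Policy23B91518',
      'Users': [
        {
          'Ref': 'User00B015A1',
        },
      ],
    });
  });

  test('ignores calls to addManagedPolicy', () => {
    // Same operation on both handles: only the mutable one may land.
    mutableRole.addManagedPolicy({ managedPolicyArn: 'Arn1' });
    immutableRole.addManagedPolicy({ managedPolicyArn: 'Arn2' });

    // Exactly one ARN is expected; 'Arn2' must not be present.
    expect(stack).toHaveResourceLike('AWS::IAM::Role', {
      'ManagedPolicyArns': [
        'Arn1',
      ],
    });
  });

  test('ignores calls to addToPolicy', () => {
    // The statement sent through the immutable handle is `iam:*` on `*`, so a
    // regression here would be a real privilege widening, not a cosmetic one.
    immutableRole.addToPolicy(new iam.PolicyStatement({
      resources: ['*'],
      actions: ['iam:*'],
    }));
    mutableRole.addToPolicy(new iam.PolicyStatement({
      resources: ['*'],
      actions: ['s3:*'],
    }));

    // The role's default policy must contain only the s3:* statement.
    expect(stack).toHaveResource('AWS::IAM::Policy', {
      'PolicyDocument': {
        'Version': '2012-10-17',
        'Statement': [
          {
            'Resource': '*',
            'Action': 's3:*',
            'Effect': 'Allow',
          },
        ],
      },
    });
  });

  test('ignores grants', () => {
    iam.Grant.addToPrincipal({
      grantee: immutableRole,
      actions: ['s3:*'],
      resourceArns: ['*'],
    });

    // Nothing else in this stack creates a policy, so the strongest check is
    // that no AWS::IAM::Policy exists at all. The shape-specific negative
    // assertion alone would also pass if the grant had produced a policy in a
    // slightly different form (e.g. Action as an array), hiding a leak.
    expect(stack).not.toHaveResource('AWS::IAM::Policy');
    expect(stack).not.toHaveResourceLike('AWS::IAM::Policy', {
      'PolicyDocument': {
        'Statement': [
          {
            'Resource': '*',
            'Action': 's3:*',
            'Effect': 'Allow',
          },
        ],
      },
    });
  });

  // Consumers elsewhere use the immutable role as a construct scope; see
  // aws-codepipeline-actions/lib/cloudformation/pipeline-actions.ts#L517.
  // The double cast is deliberate: `IRole` does not declare itself a
  // Construct, and this test pins that the runtime object still is one.
  test('immutable role is a construct', () => {
    new Construct(immutableRole as unknown as Construct, 'Child');
    new Construct(mutableRole.withoutPolicyUpdates() as unknown as Construct, 'Child2');
  });
});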