
Commit 632f9f4

authored
chore: add Policies test with every type (#3155)
1 parent 0b875f6 commit 632f9f4


4 files changed

+821
-0
lines changed

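--- /dev/null
+++ b/<yaml-test-template-path-not-shown-on-page>
@@ -0,0 +1,65 @@
+Parameters:
+SomeParameter:
+Type: String
+Conditions:
+SomeCondition: !Equals [!Ref SomeParameter, true]
+Resources:
+MyQueue:
+Type: AWS::SQS::Queue
+MyManagedPolicy:
+Type: AWS::IAM::ManagedPolicy
+Properties:
+PolicyDocument: {}
+MyFunction:
+Type: AWS::Serverless::Function
+Properties:
+Runtime: python3.8
+Handler: foo
+InlineCode: bar
+Policies:
+# Valid AWS managed policy name (converted to ARN)
+- AmazonS3FullAccess
+- AmazonAPIGatewayPushToCloudWatchLogs
+# Unknown managed policy name (pass-through)
+- AnyNonOfficialManagedPolicy
+# ARN (pass-through)
+- arn:aws:iam::aws:policy/ThisIsPassedThroughAsIs
+- arn:aws-cn:iam::aws:policy/ThisIsAlsoPassedThrough
+- arn:looks:like::an/arn-also-passed-through
+# Intrinsic (pass-through)
+- !Sub "${MyQueue}WhateverPassThrough"
+- !If [SomeCondition, !Ref MyManagedPolicy, !Ref MyManagedPolicy]
+# Policy template (added to Policies property of Role)
+- SQSPollerPolicy:
+QueueName: !Ref MyQueue
+# Dynamic references (pass-through)
+# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
+- '{{resolve:ssm:passedthrough:2}}'
+# Inline statement (added to Policies property of Role)
+- {Statement: {Effect: Allow, Action: '*', Resource: '*'}}
+
+MyStateMachine:
+Type: AWS::Serverless::StateMachine
+Properties:
+DefinitionUri: s3://foo/bar
+Policies:
+# Valid AWS managed policy name (converted to ARN)
+- AmazonS3FullAccess
+- AmazonAPIGatewayPushToCloudWatchLogs
+# Unknown managed policy name (pass-through)
+- AnyNonOfficialManagedPolicy
+# ARN (pass-through)
+- arn:aws:iam::aws:policy/ThisIsPassedThroughAsIs
+- arn:aws-cn:iam::aws:policy/ThisIsAlsoPassedThrough
+- arn:looks:like::an/arn-also-passed-through
+# Intrinsic (pass-through)
+- !Sub "${MyQueue}WhateverPassThrough"
+- !If [SomeCondition, !Ref MyManagedPolicy, !Ref MyManagedPolicy]
+# Policy template (added to Policies property of Role)
+- SQSPollerPolicy:
+QueueName: !Ref MyQueue
+# Dynamic references (pass-through)
+# https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/dynamic-references.html
+- '{{resolve:ssm:passedthrough:2}}'
+# Inline statement (added to Policies property of Role)
+- {Statement: {Effect: Allow, Action: '*', Resource: '*'}}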
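Review bot: The inline statement on line 39 (repeated on line 65) carries no `Version` key, and the expected output in the following file section shows SAM attaching that `PolicyDocument` exactly as written without injecting one; the comment should state this, because IAM evaluates a document with no `Version` under its older 2008-10-17 policy language, where policy variables are not interpreted. Suggested wording: `# Inline statement (added to Policies property of Role as-is; SAM does not add a Version key)`. The same fixture pins that `AnyNonOfficialManagedPolicy` and any string beginning with `arn:` reach `ManagedPolicyArns` without validation, so a comment such as `# Unknown managed policy name (pass-through, not validated; presumably rejected by CloudFormation at deploy time if it is not an ARN)` would make the pinned behavior explicit rather than implied. The `!If` on line 31 uses `!Ref MyManagedPolicy` in both branches, so the fixture does not exercise branch-dependent handling; if that is deliberate, a short comment saying so would prevent a later reader from "fixing" it.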
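--- /dev/null
+++ b/<expected-output-json-path-not-shown-on-page>
@@ -0,0 +1,252 @@
+{
+"Conditions": {
+"SomeCondition": {
+"Fn::Equals": [
+{
+"Ref": "SomeParameter"
+},
+true
+]
+}
+},
+"Parameters": {
+"SomeParameter": {
+"Type": "String"
+}
+},
+"Resources": {
+"MyFunction": {
+"Properties": {
+"Code": {
+"ZipFile": "bar"
+},
+"Handler": "foo",
+"Role": {
+"Fn::GetAtt": [
+"MyFunctionRole",
+"Arn"
+]
+},
+"Runtime": "python3.8",
+"Tags": [
+{
+"Key": "lambda:createdBy",
+"Value": "SAM"
+}
+]
+},
+"Type": "AWS::Lambda::Function"
+},
+"MyFunctionRole": {
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": [
+"sts:AssumeRole"
+],
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"lambda.amazonaws.com"
+]
+}
+}
+],
+"Version": "2012-10-17"
+},
+"ManagedPolicyArns": [
+"arn:aws-cn:iam::aws:policy/service-role/AWSLambdaBasicExecutionRole",
+"arn:aws-cn:iam::aws:policy/AmazonS3FullAccess",
+"arn:aws-cn:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
+"AnyNonOfficialManagedPolicy",
+"arn:aws:iam::aws:policy/ThisIsPassedThroughAsIs",
+"arn:aws-cn:iam::aws:policy/ThisIsAlsoPassedThrough",
+"arn:looks:like::an/arn-also-passed-through",
+{
+"Fn::Sub": "${MyQueue}WhateverPassThrough"
+},
+{
+"Fn::If": [
+"SomeCondition",
+{
+"Ref": "MyManagedPolicy"
+},
+{
+"Ref": "MyManagedPolicy"
+}
+]
+},
+"{{resolve:ssm:passedthrough:2}}"
+],
+"Policies": [
+{
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"sqs:ChangeMessageVisibility",
+"sqs:ChangeMessageVisibilityBatch",
+"sqs:DeleteMessage",
+"sqs:DeleteMessageBatch",
+"sqs:GetQueueAttributes",
+"sqs:ReceiveMessage"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::Sub": [
+"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
+{
+"queueName": {
+"Ref": "MyQueue"
+}
+}
+]
+}
+}
+]
+},
+"PolicyName": "MyFunctionRolePolicy8"
+},
+{
+"PolicyDocument": {
+"Statement": {
+"Action": "*",
+"Effect": "Allow",
+"Resource": "*"
+}
+},
+"PolicyName": "MyFunctionRolePolicy10"
+}
+],
+"Tags": [
+{
+"Key": "lambda:createdBy",
+"Value": "SAM"
+}
+]
+},
+"Type": "AWS::IAM::Role"
+},
+"MyManagedPolicy": {
+"Properties": {
+"PolicyDocument": {}
+},
+"Type": "AWS::IAM::ManagedPolicy"
+},
+"MyQueue": {
+"Type": "AWS::SQS::Queue"
+},
+"MyStateMachine": {
+"Properties": {
+"DefinitionS3Location": {
+"Bucket": "foo",
+"Key": "bar"
+},
+"RoleArn": {
+"Fn::GetAtt": [
+"MyStateMachineRole",
+"Arn"
+]
+},
+"Tags": [
+{
+"Key": "stateMachine:createdBy",
+"Value": "SAM"
+}
+]
+},
+"Type": "AWS::StepFunctions::StateMachine"
+},
+"MyStateMachineRole": {
+"Properties": {
+"AssumeRolePolicyDocument": {
+"Statement": [
+{
+"Action": [
+"sts:AssumeRole"
+],
+"Effect": "Allow",
+"Principal": {
+"Service": [
+"states.amazonaws.com"
+]
+}
+}
+],
+"Version": "2012-10-17"
+},
+"ManagedPolicyArns": [
+"arn:aws-cn:iam::aws:policy/AmazonS3FullAccess",
+"arn:aws-cn:iam::aws:policy/service-role/AmazonAPIGatewayPushToCloudWatchLogs",
+"AnyNonOfficialManagedPolicy",
+"arn:aws:iam::aws:policy/ThisIsPassedThroughAsIs",
+"arn:aws-cn:iam::aws:policy/ThisIsAlsoPassedThrough",
+"arn:looks:like::an/arn-also-passed-through",
+{
+"Fn::Sub": "${MyQueue}WhateverPassThrough"
+},
+{
+"Fn::If": [
+"SomeCondition",
+{
+"Ref": "MyManagedPolicy"
+},
+{
+"Ref": "MyManagedPolicy"
+}
+]
+},
+"{{resolve:ssm:passedthrough:2}}"
+],
+"Policies": [
+{
+"PolicyDocument": {
+"Statement": [
+{
+"Action": [
+"sqs:ChangeMessageVisibility",
+"sqs:ChangeMessageVisibilityBatch",
+"sqs:DeleteMessage",
+"sqs:DeleteMessageBatch",
+"sqs:GetQueueAttributes",
+"sqs:ReceiveMessage"
+],
+"Effect": "Allow",
+"Resource": {
+"Fn::Sub": [
+"arn:${AWS::Partition}:sqs:${AWS::Region}:${AWS::AccountId}:${queueName}",
+{
+"queueName": {
+"Ref": "MyQueue"
+}
+}
+]
+}
+}
+]
+},
+"PolicyName": "MyStateMachineRolePolicy8"
+},
+{
+"PolicyDocument": {
+"Statement": {
+"Action": "*",
+"Effect": "Allow",
+"Resource": "*"
+}
+},
+"PolicyName": "MyStateMachineRolePolicy10"
+}
+],
+"Tags": [
+{
+"Key": "stateMachine:createdBy",
+"Value": "SAM"
+}
+]
+},
+"Type": "AWS::IAM::Role"
+}
+}
+}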
