From 1b2d51be489264ea54880533f11efd983f365526 Mon Sep 17 00:00:00 2001
From: Britton Hayes
Date: Mon, 6 Feb 2023 12:21:24 -0800
Subject: [PATCH] feat: added updated iam policy and role validations

---
 .eslintrc.json | 4 +-
 .projenrc.ts | 4 +-
 LICENSE | 2 +-
 src/aws/iam-policy.ts | 15 ++++-
 src/aws/{role.ts => iam-role.ts} | 3 +-
 src/aws/index.ts | 3 +-
 src/integ.default.ts | 5 ++
 test/aws.test.ts | 96 ++++++++++++++++++++++++++++++++
 test/default.test.ts | 23 --------
 9 files changed, 124 insertions(+), 31 deletions(-)
 rename src/aws/{role.ts => iam-role.ts} (84%)
 create mode 100644 test/aws.test.ts
 delete mode 100644 test/default.test.ts

diff --git a/.eslintrc.json b/.eslintrc.json
index f5a139d..fe787bd 100644
--- a/.eslintrc.json
+++ b/.eslintrc.json
@@ -134,10 +134,10 @@
     }
   ],
   "jsdoc/require-param-type": "off",
-  "jsdoc/require-description": "error",
+  "jsdoc/require-description": "warn",
   "jsdoc/require-returns-type": "off",
   "jsdoc/require-jsdoc": [
-    "error",
+    "warn",
     {
       "require": {
         "ArrowFunctionExpression": true,
diff --git a/.projenrc.ts b/.projenrc.ts
index 24c9f72..4669cdd 100644
--- a/.projenrc.ts
+++ b/.projenrc.ts
@@ -56,10 +56,10 @@ project.eslint?.addPlugins("jsdoc");
 project.eslint?.addExtends("plugin:jsdoc/recommended");
 project.eslint?.addRules({
   "jsdoc/require-param-type": "off",
-  "jsdoc/require-description": "error",
+  "jsdoc/require-description": "warn",
   "jsdoc/require-returns-type": "off",
   "jsdoc/require-jsdoc": [
-    "error",
+    "warn",
     {
       require: {
         ArrowFunctionExpression: true,
diff --git a/LICENSE b/LICENSE
index f537564..85a6b96 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-Copyright (c) 2022 Slalom Build
+Copyright (c) 2023 Slalom Build
 
 Permission is hereby granted, free of charge, to any person obtaining a copy
 of this software and associated documentation files (the "Software"), to deal
diff --git a/src/aws/iam-policy.ts b/src/aws/iam-policy.ts
index 6a5fb54..039c42b 100644
--- a/src/aws/iam-policy.ts
+++ b/src/aws/iam-policy.ts
@@ -19,7 +19,20 @@ export class IamPolicy extends Construct implements FusionConstruct {
    */
   constructor(scope: Construct, id: string, options: IamPolicyProps) {
     super(scope, id);
-    this.construct = new iam.IamPolicy(this, "iam-policy", options);
+    this.node.addValidation({
+      /**
+       *
+       */
+      validate: () => {
+        let errors = [];
+        if (this.construct.path === "*") {
+          errors.push(
+            `IAM Policy path "${this.construct.path}" for ${this.construct.friendlyUniqueId} may be overly permissive.`
+          );
+        }
+        return errors;
+      },
+    });
   }
 }
 
diff --git a/src/aws/role.ts b/src/aws/iam-role.ts
similarity index 84%
rename from src/aws/role.ts
rename to src/aws/iam-role.ts
index 23d3ef2..ff670e4 100644
--- a/src/aws/role.ts
+++ b/src/aws/iam-role.ts
@@ -1,9 +1,10 @@
 import * as iam from "@cdktf/provider-aws/lib/iam";
 import { Construct } from "constructs";
+import { FusionConstruct } from "../@types";
 
 export interface IamRoleProps extends iam.IamRoleConfig {}
 
-export class IamRole extends Construct {
+export class IamRole extends Construct implements FusionConstruct {
   readonly construct: iam.IamRole;
 
   /**
diff --git a/src/aws/index.ts b/src/aws/index.ts
index 2febe1d..fed5bf2 100644
--- a/src/aws/index.ts
+++ b/src/aws/index.ts
@@ -1,3 +1,4 @@
 export * from "./security-group";
-export * from "./role";
+export * from "./iam-role";
+export * from "./iam-policy";
 export * from "./s3-bucket";
diff --git a/src/integ.default.ts b/src/integ.default.ts
index 1a2b12c..42e915c 100644
--- a/src/integ.default.ts
+++ b/src/integ.default.ts
@@ -18,4 +18,9 @@ new fusionaws.S3Bucket(stack, "bucket", {
   encryptionKey: security.NOT_SECURE,
 });
 
+new fusionaws.IamPolicy(stack, "iam-policy", {
+  path: "*",
+  policy: "",
+});
+
 app.synth();
diff --git a/test/aws.test.ts b/test/aws.test.ts
new file mode 100644
index 0000000..ee95b27
--- /dev/null
+++ b/test/aws.test.ts
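Review bot: The removed line was the only visible assignment to `this.construct`, and nothing on the new side recreates the `iam.IamPolicy` resource, so unless it is assigned somewhere outside this hunk the validator dereferences an unset field at `this.construct.path` and no aws_iam_policy is synthesized at all (under `strictPropertyInitialization` the readonly field would not even compile). Keep the resource creation ahead of `addValidation`, give the callback an explicit `string[]` return type, replace `let errors = []` (which evolves to `any[]`) with `const errors: string[] = []`, and fill the empty JSDoc. Separately, as far as I know an IAM policy `path` must be "/" or begin and end with "/", so `"*"` is rejected by the API rather than being an over-permissive value; a check on the policy document (a statement allowing `"Action": "*"` on `"Resource": "*"`) would catch the real risk, which I would track as a follow-up. The class header and the `construct` field declaration lie outside the hunk.
```typescript
    super(scope, id);
    this.construct = new iam.IamPolicy(this, "iam-policy", options);
    this.node.addValidation({
      /** Flags a wildcard `path` on the aws_iam_policy resource; returns one message per finding. */
      validate: (): string[] => {
        const errors: string[] = [];
        // … unchanged: path === "*" check and errors.push(...) …
        return errors;
      },
    });
```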
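Review bot: `IamRole` now declares `implements FusionConstruct`, but despite the commit title's "role validations" this hunk adds no `addValidation` call, so the role still carries no checks; if one is intended it belongs in the constructor, which lies outside the hunk. The class also has no TSDoc; a one-liner such as `/** Wraps iam.IamRole as a FusionConstruct. */` above the `export class` line would satisfy the jsdoc rule this commit relaxes to "warn".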
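Review bot: The new `IamPolicy` in the integ stack uses `path: "*"` and `policy: ""`, which is exactly the input the new validator rejects combined with an empty policy document the provider cannot apply; if `app.synth()` runs node validations the default integration synth now fails, and if it does not, the example encodes an invalid resource. Give the example a real path, `path: "/",`, and a minimal valid JSON policy document for `policy`, and keep the wildcard case in the unit tests where the error message can be asserted.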
@@ -0,0 +1,96 @@
+import { AwsProvider } from "@cdktf/provider-aws";
+import { TerraformStack, Testing } from "cdktf";
+import "cdktf/lib/testing/adapters/jest";
+import { fusionaws } from "../src";
+import { NOT_SECURE } from "../src/@types/security";
+
+Testing.setupJest();
+
+describe("AWS", () => {
+  describe("Security group", () => {
+    const app = Testing.app();
+    const stack = new TerraformStack(app, "test");
+    new AwsProvider(stack, "provider");
+
+    it("should produce valid terraform", () => {
+      const properties: fusionaws.SecurityGroupProps = {
+        name: "my-security-group",
+      };
+
+      new fusionaws.SecurityGroup(stack, "test-security-group", properties);
+      expect(Testing.fullSynth(stack)).toBeValidTerraform();
+    });
+  });
+
+  describe("s3 bucket", () => {
+    const app = Testing.app();
+    const stack = new TerraformStack(app, "test");
+
+    new AwsProvider(stack, "provider");
+
+    it("should produce valid terraform", () => {
+      const properties: fusionaws.S3BucketProps = {
+        bucket: "my-bucket",
+        encryptionKey: NOT_SECURE,
+      };
+
+      new fusionaws.S3Bucket(stack, "test-s3-bucket", properties);
+      expect(Testing.fullSynth(stack)).toBeValidTerraform();
+    });
+  });
+
+  describe("IAM role", () => {
+    const app = Testing.app();
+    const stack = new TerraformStack(app, "test");
+    new AwsProvider(stack, "provider");
+
+    it("should produce valid terraform", () => {
+      const properties: fusionaws.IamRoleProps = {
+        name: "my-iam-role",
+        assumeRolePolicy: JSON.stringify({
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Action: "sts:AssumeRole",
+              Principal: {
+                Service: "ec2.amazonaws.com",
+              },
+              Effect: "Allow",
+            },
+          ],
+        }),
+      };
+
+      new fusionaws.IamRole(stack, "test-iam-role", properties);
+      expect(Testing.fullSynth(stack)).toBeValidTerraform();
+    });
+  });
+
+  describe("IAM policy", () => {
+    const app = Testing.app();
+    const stack = new TerraformStack(app, "test");
+    new AwsProvider(stack, "provider");
+
+    it("should produce valid terraform", () => {
+      const properties: fusionaws.IamPolicyProps = {
+        name: "my-iam-policy",
+        path: "*",
+        policy: JSON.stringify({
+          Version: "2012-10-17",
+          Statement: [
+            {
+              Action: "sts:AssumeRole",
+              Principal: {
+                Service: "ec2.amazonaws.com",
+              },
+              Effect: "Allow",
+            },
+          ],
+        }),
+      };
+
+      new fusionaws.IamPolicy(stack, "test-iam-policy", properties);
+      expect(Testing.fullSynth(stack)).toBeValidTerraform();
+    });
+  });
+});
diff --git a/test/default.test.ts b/test/default.test.ts
deleted file mode 100644
index 4e45508..0000000
--- a/test/default.test.ts
+++ /dev/null
@@ -1,23 +0,0 @@
-import { AwsProvider } from "@cdktf/provider-aws";
-import { TerraformStack, Testing } from "cdktf";
-import "cdktf/lib/testing/adapters/jest";
-import { fusionaws } from "../src";
-
-Testing.setupJest();
-
-describe("AWS", () => {
-  describe("Security group", () => {
-    const app = Testing.app();
-    const stack = new TerraformStack(app, "test");
-    new AwsProvider(stack, "provider");
-
-    it("should produce valid terraform", () => {
-      const properties: fusionaws.SecurityGroupProps = {
-        name: "my-security-group",
-      };
-
-      new fusionaws.SecurityGroup(stack, "test-security-group", properties);
-      expect(Testing.fullSynth(stack)).toBeValidTerraform();
-    });
-  });
-});
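Review bot: The "IAM policy" case sets `path: "*"`, the very value the new validator flags, yet only asserts `toBeValidTerraform()`, so nothing verifies that the validation fires or that synth still succeeds once it does; keep a clean case with `path: "/"` and add one that holds the instance, `const policy = new fusionaws.IamPolicy(stack, "test-iam-policy", properties);`, then checks `expect(policy.node.validate()).toEqual([expect.stringContaining("may be overly permissive")]);`. The document passed as `policy` is a trust policy copied from the role test (it carries `Principal`), which identity-based policies do not accept, so the fixture would be rejected at apply time even though `terraform validate` passes; use a plain statement without `Principal` for the policy fixture.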