Merge pull request #230 from adanaja/feat

adanaja · web-flow · commit 2f4496077e54 · 2023-10-02T14:26:43.000+02:00
Add read/write_trusted_accounts parameters
diff --git a/src/e3/aws/troposphere/s3/__init__.py b/src/e3/aws/troposphere/s3/__init__.py
@@ -22,10 +22,12 @@ def __init__(
         name: str,
         iam_names_prefix: str,
         iam_path: str,
-        trusted_accounts: list[str],
+        trusted_accounts: list[str] | None = None,
         iam_read_root_name: str = "Read",
         iam_write_root_name: str = "Write",
         bucket_exists: bool | None = None,
+        read_trusted_accounts: list[str] | None = None,
+        write_trusted_accounts: list[str] | None = None,
         **bucket_kwargs: Any,
     ) -> None:
         """Initialize BucketWithRoles instance.
@@ -37,11 +39,19 @@ def __init__(
         :param iam_read_root_name: root name for read access roles and policy
         :param iam_write_root_name: root name for write access roles and policy
         :param bucket_exists: if True then the bucket is not created
+        :param read_trusted_accounts: additional trusted accounts for read access
+        :param write_trusted_accounts: additional trusted accounts for write access
         :param bucket_kwargs: keyword arguments to pass to the bucket constructor
         """
         self.name = name
         self.iam_names_prefix = iam_names_prefix
-        self.trusted_accounts = trusted_accounts
+        self.trusted_accounts = trusted_accounts if trusted_accounts is not None else []
+        self.read_trusted_accounts = (
+            read_trusted_accounts if read_trusted_accounts is not None else []
+        )
+        self.write_trusted_accounts = (
+            write_trusted_accounts if write_trusted_accounts is not None else []
+        )
         self.bucket_exists = bucket_exists
 
         self.bucket = Bucket(name=self.name, **bucket_kwargs)
@@ -57,7 +67,7 @@ def __init__(
         self.read_role = Role(
             name=f"{self.iam_names_prefix}{iam_read_root_name}Role",
             description=f"Role with read access to {self.name} bucket.",
-            trust=Trust(accounts=self.trusted_accounts),
+            trust=Trust(accounts=self.trusted_accounts + self.read_trusted_accounts),
             managed_policy_arns=[self.read_policy.arn],
             path=iam_path,
         )
@@ -75,7 +85,7 @@ def __init__(
         self.push_role = Role(
             name=f"{self.iam_names_prefix}{iam_write_root_name}Role",
             description=f"Role with read and write access to {self.name} bucket.",
-            trust=Trust(accounts=self.trusted_accounts),
+            trust=Trust(accounts=self.trusted_accounts + self.write_trusted_accounts),
             managed_policy_arns=[self.push_policy.arn, self.read_policy.arn],
             path=iam_path,
         )
diff --git a/tests/tests_e3_aws/troposphere/s3/bucket-with-roles-trusted-accounts.json b/tests/tests_e3_aws/troposphere/s3/bucket-with-roles-trusted-accounts.json
@@ -0,0 +1,195 @@
+{
+    "TestBucketWithRoles": {
+        "Properties": {
+            "BucketName": "test-bucket-with-roles",
+            "BucketEncryption": {
+                "ServerSideEncryptionConfiguration": [
+                    {
+                        "ServerSideEncryptionByDefault": {
+                            "SSEAlgorithm": "AES256"
+                        }
+                    }
+                ]
+            },
+            "PublicAccessBlockConfiguration": {
+                "BlockPublicAcls": true,
+                "BlockPublicPolicy": true,
+                "IgnorePublicAcls": true,
+                "RestrictPublicBuckets": true
+            },
+            "VersioningConfiguration": {
+                "Status": "Enabled"
+            }
+        },
+        "Type": "AWS::S3::Bucket"
+    },
+    "TestBucketWithRolesPolicy": {
+        "Properties": {
+            "Bucket": {
+                "Ref": "TestBucketWithRoles"
+            },
+            "PolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Deny",
+                        "Principal": {
+                            "AWS": "*"
+                        },
+                        "Action": "s3:*",
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles/*",
+                        "Condition": {
+                            "Bool": {
+                                "aws:SecureTransport": "false"
+                            }
+                        }
+                    },
+                    {
+                        "Effect": "Deny",
+                        "Principal": {
+                            "AWS": "*"
+                        },
+                        "Action": "s3:PutObject",
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles/*",
+                        "Condition": {
+                            "StringNotEquals": {
+                                "s3:x-amz-server-side-encryption": "AES256"
+                            }
+                        }
+                    },
+                    {
+                        "Effect": "Deny",
+                        "Principal": {
+                            "AWS": "*"
+                        },
+                        "Action": "s3:PutObject",
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles/*",
+                        "Condition": {
+                            "Null": {
+                                "s3:x-amz-server-side-encryption": "true"
+                            }
+                        }
+                    }
+                ]
+            }
+        },
+        "Type": "AWS::S3::BucketPolicy"
+    },
+    "TestBucketRestorePolicy": {
+        "Properties": {
+            "Description": "Grants read access permissions to test-bucket-with-roles bucket",
+            "ManagedPolicyName": "TestBucketRestorePolicy",
+            "PolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": [
+                            "s3:GetObject"
+                        ],
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles/*"
+                    },
+                    {
+                        "Effect": "Allow",
+                        "Action": [
+                            "s3:ListBucket"
+                        ],
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles"
+                    }
+                ]
+            },
+            "Path": "/test/"
+        },
+        "Type": "AWS::IAM::ManagedPolicy"
+    },
+    "TestBucketRestoreRole": {
+        "Properties": {
+            "RoleName": "TestBucketRestoreRole",
+            "Description": "Role with read access to test-bucket-with-roles bucket.",
+            "ManagedPolicyArns": [
+                {
+                    "Ref": "TestBucketRestorePolicy"
+                }
+            ],
+            "AssumeRolePolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": "sts:AssumeRole",
+                        "Principal": {
+                            "AWS": [
+                                "arn:aws:iam::123456789:root"
+                            ]
+                        }
+                    }
+                ]
+            },
+            "Tags": [
+                {
+                    "Key": "Name",
+                    "Value": "TestBucketRestoreRole"
+                }
+            ],
+            "Path": "/test/"
+        },
+        "Type": "AWS::IAM::Role"
+    },
+    "TestBucketPushPolicy": {
+        "Properties": {
+            "Description": "Grants write access permissions to test-bucket-with-roles bucket",
+            "ManagedPolicyName": "TestBucketPushPolicy",
+            "PolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": [
+                            "s3:PutObject",
+                            "s3:DeleteObject"
+                        ],
+                        "Resource": "arn:aws:s3:::test-bucket-with-roles/*"
+                    }
+                ]
+            },
+            "Path": "/test/"
+        },
+        "Type": "AWS::IAM::ManagedPolicy"
+    },
+    "TestBucketPushRole": {
+        "Properties": {
+            "RoleName": "TestBucketPushRole",
+            "Description": "Role with read and write access to test-bucket-with-roles bucket.",
+            "ManagedPolicyArns": [
+                {
+                    "Ref": "TestBucketPushPolicy"
+                },
+                {
+                    "Ref": "TestBucketRestorePolicy"
+                }
+            ],
+            "AssumeRolePolicyDocument": {
+                "Version": "2012-10-17",
+                "Statement": [
+                    {
+                        "Effect": "Allow",
+                        "Action": "sts:AssumeRole",
+                        "Principal": {
+                            "AWS": [
+                                "arn:aws:iam::987654321:root"
+                            ]
+                        }
+                    }
+                ]
+            },
+            "Tags": [
+                {
+                    "Key": "Name",
+                    "Value": "TestBucketPushRole"
+                }
+            ],
+            "Path": "/test/"
+        },
+        "Type": "AWS::IAM::Role"
+    }
+}
diff --git a/tests/tests_e3_aws/troposphere/s3/s3_test.py b/tests/tests_e3_aws/troposphere/s3/s3_test.py
@@ -87,6 +87,25 @@ def test_bucket_with_roles_exists(stack: Stack) -> None:
     assert stack.export()["Resources"] == expected_template
 
 
+def test_bucket_with_roles_trusted_accounts(stack: Stack) -> None:
+    """Test BucketWithRoles with additional trusted accounts."""
+    bucket = BucketWithRoles(
+        name="test-bucket-with-roles",
+        iam_names_prefix="TestBucket",
+        iam_read_root_name="Restore",
+        iam_write_root_name="Push",
+        iam_path="/test/",
+        read_trusted_accounts=["123456789"],
+        write_trusted_accounts=["987654321"],
+    )
+    stack.add(bucket)
+
+    with open(os.path.join(TEST_DIR, "bucket-with-roles-trusted-accounts.json")) as fd:
+        expected_template = json.load(fd)
+
+    assert stack.export()["Resources"] == expected_template
+
+
 def test_bucket_multi_encryption(stack: Stack) -> None:
     """Test bucket accepting multiple types of encryptions and without default."""
     bucket = Bucket(
