Add AssumeRolePolicyDocument statement conditions to `all_statement…

…s_condition` property (#94) * property updated for to include statements on * Update cloudformation actions to fix unit tests * Seperate properties out and assert value of conditions in unit tests Co-authored-by: Oliver Crawford <[email protected]>
Skyscanner · Mar 3, 2022 · 430c276 · 430c276
1 parent ef2fe97
commit 430c276
Show file tree

Hide file tree

Showing 5 changed files with 54 additions and 2 deletions.
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -1,6 +1,11 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 0.17.1 - [2022-03-02]
+### Additions
+- Add `assume_role_statement_conditions` property for `IAMRole` to include statements on `AssumeRolePolicyDocuments`.
+- Update `CLOUDFORMATION_ACTIONS`.
+
 ## 0.17.0 - [2022-03-02]
 ### Additions
 - `KMSKey` to use default `policy_documents` property instead of returning an empty list.

diff --git a/pycfmodel/cloudformation_actions.py b/pycfmodel/cloudformation_actions.py
@@ -3801,6 +3801,7 @@
     "ec2:ImportKeyPair",
     "ec2:ImportSnapshot",
     "ec2:ImportVolume",
+    "ec2:ListImagesInRecycleBin",
     "ec2:ListSnapshotsInRecycleBin",
     "ec2:ModifyAddressAttribute",
     "ec2:ModifyAvailabilityZoneGroup",
@@ -3895,6 +3896,7 @@
     "ec2:ResetNetworkInterfaceAttribute",
     "ec2:ResetSnapshotAttribute",
     "ec2:RestoreAddressToClassic",
+    "ec2:RestoreImageFromRecycleBin",
     "ec2:RestoreManagedPrefixListVersion",
     "ec2:RestoreSnapshotFromRecycleBin",
     "ec2:RestoreSnapshotTier",

diff --git a/pycfmodel/model/resources/iam_role.py b/pycfmodel/model/resources/iam_role.py
@@ -3,6 +3,7 @@
 from pycfmodel.model.base import CustomModel
 from pycfmodel.model.resources.properties.policy import Policy
 from pycfmodel.model.resources.properties.policy_document import PolicyDocument
+from pycfmodel.model.resources.properties.statement_condition import StatementCondition
 from pycfmodel.model.resources.resource import OptionallyNamedPolicyDocument, Resource
 from pycfmodel.model.types import Resolvable, ResolvableIntOrStr, ResolvableStr
 
@@ -51,3 +52,11 @@ def policy_documents(self) -> List[OptionallyNamedPolicyDocument]:
         for policy in policies:
             result.append(OptionallyNamedPolicyDocument(name=policy.PolicyName, policy_document=policy.PolicyDocument))
         return result
+
+    @property
+    def assume_role_statement_conditions(self) -> List[StatementCondition]:
+        return [
+            statement.Condition
+            for statement in self.Properties.AssumeRolePolicyDocument.statement_as_list()
+            if statement.Condition
+        ]
diff --git a/setup.py b/setup.py
@@ -21,7 +21,7 @@
 
 setup(
     name="pycfmodel",
-    version="0.17.0",
+    version="0.17.1",
     description="A python model for CloudFormation scripts",
     author="Skyscanner Product Security",
     author_email="[email protected]",

diff --git a/tests/resources/test_iam_role.py b/tests/resources/test_iam_role.py
@@ -16,6 +16,13 @@ def iam_role():
                         "Effect": "Allow",
                         "Principal": {"Service": ["ec2.amazonaws.com"], "AWS": "arn:aws:iam::111111111111:root"},
                         "Action": ["sts:AssumeRole"],
+                        "Condition": {
+                            "StringLike": {
+                                "iam:AssociatedResourceARN": [
+                                    "arn:aws:ec2:us-east-1:999999999999:instance/*",
+                                ]
+                            },
+                        },
                     },
                 },
                 "Path": "/",
@@ -24,7 +31,20 @@ def iam_role():
                         "PolicyName": "root",
                         "PolicyDocument": {
                             "Version": "2012-10-17",
-                            "Statement": {"Effect": "Allow", "Action": "*", "Resource": "*"},
+                            "Statement": {
+                                "Effect": "Allow",
+                                "Action": "*",
+                                "Resource": "*",
+                                "Condition": {
+                                    "StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"},
+                                    "StringLike": {
+                                        "iam:AssociatedResourceARN": [
+                                            "arn:aws:ec2:us-east-1:111122223333:instance/*",
+                                            "arn:aws:ec2:us-west-1:111122223333:instance/*",
+                                        ]
+                                    },
+                                },
+                            },
                         },
                     }
                 ],
@@ -39,6 +59,22 @@ def test_policies(iam_role):
     assert policies[0].PolicyName == "root"
 
 
+def test_all_conditions(iam_role):
+    assert iam_role.all_statement_conditions[0].StringEquals == {"iam:PassedToService": "ec2.amazonaws.com"}
+    assert iam_role.all_statement_conditions[0].StringLike == {
+        "iam:AssociatedResourceARN": [
+            "arn:aws:ec2:us-east-1:111122223333:instance/*",
+            "arn:aws:ec2:us-west-1:111122223333:instance/*",
+        ]
+    }
+
+    assert iam_role.assume_role_statement_conditions[0].StringLike == {
+        "iam:AssociatedResourceARN": [
+            "arn:aws:ec2:us-east-1:999999999999:instance/*",
+        ]
+    }
+
+
 def test_iamrole_policy_documents(iam_role):
     assert iam_role.policy_documents == [
         OptionallyNamedPolicyDocument(name="root", policy_document=iam_role.Properties.Policies[0].PolicyDocument)