kms key to use default property policy_documents (#93)

Co-authored-by: Ramon <[email protected]>

CHANGELOG.md

@@ -1,6 +1,12 @@
 # Change Log
 All notable changes to this project will be documented in this file.
 
+## 0.17.0 - [2022-03-02]
+### Additions
+- `KMSKey` to use default `policy_documents` property instead of returning an empty list.
+### Updates
+- Update `CLOUDFORMATION_ACTIONS`.
+
 ## 0.16.3 - [2022-02-24]
 ### Fixes
 - Fix `resolve` for `bool`s that can be `str` such as `"true"` or `"false"` or similar, by making `ResolvableBool` to be resolvable to `SemiStrictBool`.

pycfmodel/cloudformation_actions.py

@@ -4547,6 +4547,7 @@
     "events:UpdateApiDestination",
     "events:UpdateArchive",
     "events:UpdateConnection",
+    "evidently:BatchEvaluateFeature",
     "evidently:CreateExperiment",
     "evidently:CreateFeature",
     "evidently:CreateLaunch",
@@ -4555,6 +4556,7 @@
     "evidently:DeleteFeature",
     "evidently:DeleteLaunch",
     "evidently:DeleteProject",
+    "evidently:EvaluateFeature",
     "evidently:GetExperiment",
     "evidently:GetExperimentResults",
     "evidently:GetFeature",
@@ -4565,6 +4567,7 @@
     "evidently:ListLaunches",
     "evidently:ListProjects",
     "evidently:ListTagsForResource",
+    "evidently:PutProjectEvents",
     "evidently:StartExperiment",
     "evidently:StartLaunch",
     "evidently:StopExperiment",
@@ -8297,13 +8300,15 @@
     "outposts:CancelOrder",
     "outposts:CreateOrder",
     "outposts:CreateOutpost",
+    "outposts:CreatePrivateConnectivityConfig",
     "outposts:CreateSite",
     "outposts:DeleteOutpost",
     "outposts:DeleteSite",
     "outposts:GetCatalogItem",
     "outposts:GetOrder",
     "outposts:GetOutpost",
     "outposts:GetOutpostInstanceTypes",
+    "outposts:GetPrivateConnectivityConfig",
     "outposts:GetSite",
     "outposts:GetSiteAddress",
     "outposts:ListCatalogItems",
@@ -9636,12 +9641,14 @@
     "s3:GetMultiRegionAccessPointPolicyStatus",
     "s3:GetObject",
     "s3:GetObjectAcl",
+    "s3:GetObjectAttributes",
     "s3:GetObjectLegalHold",
     "s3:GetObjectRetention",
     "s3:GetObjectTagging",
     "s3:GetObjectTorrent",
     "s3:GetObjectVersion",
     "s3:GetObjectVersionAcl",
+    "s3:GetObjectVersionAttributes",
     "s3:GetObjectVersionForReplication",
     "s3:GetObjectVersionTagging",
     "s3:GetObjectVersionTorrent",
@@ -11135,6 +11142,7 @@
     "support:RefreshTrustedAdvisorCheck",
     "support:ResolveCase",
     "support:SearchForCases",
+    "sustainability:GetCarbonFootprintSummary",
     "swf:CancelTimer",
     "swf:CancelWorkflowExecution",
     "swf:CompleteWorkflowExecution",
@@ -11270,6 +11278,7 @@
     "transcribe:ListLanguageModels",
     "transcribe:ListMedicalTranscriptionJobs",
     "transcribe:ListMedicalVocabularies",
+    "transcribe:ListTagsForResource",
     "transcribe:ListTranscriptionJobs",
     "transcribe:ListVocabularies",
     "transcribe:ListVocabularyFilters",
@@ -11280,6 +11289,8 @@
     "transcribe:StartStreamTranscription",
     "transcribe:StartStreamTranscriptionWebSocket",
     "transcribe:StartTranscriptionJob",
+    "transcribe:TagResource",
+    "transcribe:UntagResource",
     "transcribe:UpdateCallAnalyticsCategory",
     "transcribe:UpdateMedicalVocabulary",
     "transcribe:UpdateVocabulary",
@@ -11340,7 +11351,11 @@
     "trustedadvisor:DescribeOrganization",
     "trustedadvisor:DescribeOrganizationAccounts",
     "trustedadvisor:DescribeReports",
+    "trustedadvisor:DescribeRisk",
+    "trustedadvisor:DescribeRiskResources",
+    "trustedadvisor:DescribeRisks",
     "trustedadvisor:DescribeServiceMetadata",
+    "trustedadvisor:DownloadRisk",
     "trustedadvisor:ExcludeCheckItems",
     "trustedadvisor:GenerateReport",
     "trustedadvisor:IncludeCheckItems",
@@ -11351,6 +11366,7 @@
     "trustedadvisor:SetAccountAccess",
     "trustedadvisor:SetOrganizationAccess",
     "trustedadvisor:UpdateNotificationPreferences",
+    "trustedadvisor:UpdateRiskStatus",
     "voiceid:CreateDomain",
     "voiceid:DeleteDomain",
     "voiceid:DeleteFraudster",

pycfmodel/model/resources/kms_key.py

@@ -5,7 +5,6 @@
 from pycfmodel.model.resources.properties.tag import Tag
 from pycfmodel.model.resources.resource import Resource
 from pycfmodel.model.types import Resolvable, ResolvableBool, ResolvableInt, ResolvableStr
-from pycfmodel.model.utils import OptionallyNamedPolicyDocument
 
 
 class KMSKeyProperties(CustomModel):
@@ -48,8 +47,3 @@ class KMSKey(Resource):
     TYPE_VALUE: ClassVar = "AWS::KMS::Key"
     Type: str = TYPE_VALUE
     Properties: Resolvable[KMSKeyProperties]
-
-    @property
-    def policy_documents(self) -> List[OptionallyNamedPolicyDocument]:
-        # Key policies are a bit different than most policies and would raise issues if treated equally
-        return []

setup.py

@@ -21,7 +21,7 @@
 
 setup(
     name="pycfmodel",
-    version="0.16.3",
+    version="0.17.0",
     description="A python model for CloudFormation scripts",
     author="Skyscanner Product Security",
     author_email="[email protected]",

tests/resources/properties/test_policy_document.py

@@ -264,12 +264,14 @@ def test_get_allowed_actions(policy_document_not_principal):
         "iam:DeleteVirtualMFADevice",
         "s3:GetObject",
         "s3:GetObjectAcl",
+        "s3:GetObjectAttributes",
         "s3:GetObjectLegalHold",
         "s3:GetObjectRetention",
         "s3:GetObjectTagging",
         "s3:GetObjectTorrent",
         "s3:GetObjectVersion",
         "s3:GetObjectVersionAcl",
+        "s3:GetObjectVersionAttributes",
         "s3:GetObjectVersionForReplication",
         "s3:GetObjectVersionTagging",
         "s3:GetObjectVersionTorrent",

tests/resources/test_kms_key.py

@@ -1,6 +1,8 @@
 import pytest
 
 from pycfmodel.model.resources.kms_key import KMSKey
+from pycfmodel.model.resources.properties.policy_document import PolicyDocument
+from pycfmodel.model.utils import OptionallyNamedPolicyDocument
 
 
 @pytest.fixture()
@@ -115,4 +117,50 @@ def test_actions(kms_key):
 
 
 def test_kms_policy_documents(kms_key):
-    assert kms_key.policy_documents == []
+    assert kms_key.policy_documents == [
+        OptionallyNamedPolicyDocument(
+            name=None,
+            policy_document=PolicyDocument(
+                **{
+                    "Version": "2012-10-17",
+                    "Id": "key-default-1",
+                    "Statement": [
+                        {
+                            "Sid": "Enable IAM User Permissions",
+                            "Effect": "Allow",
+                            "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
+                            "Action": "kms:*",
+                            "Resource": "*",
+                        },
+                        {
+                            "Sid": "Allow administration of the key",
+                            "Effect": "Allow",
+                            "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
+                            "Action": [
+                                "kms:Create*",
+                                "kms:Describe*",
+                                "kms:Enable*",
+                                "kms:List*",
+                                "kms:Put*",
+                                "kms:Update*",
+                                "kms:Revoke*",
+                                "kms:Disable*",
+                                "kms:Get*",
+                                "kms:Delete*",
+                                "kms:ScheduleKeyDeletion",
+                                "kms:CancelKeyDeletion",
+                            ],
+                            "Resource": "*",
+                        },
+                        {
+                            "Sid": "Allow use of the key",
+                            "Effect": "Allow",
+                            "Principal": {"AWS": "arn:aws:iam::111122223333:role/Developer"},
+                            "Action": ["kms:Sign", "kms:Verify", "kms:DescribeKey"],
+                            "Resource": "*",
+                        },
+                    ],
+                }
+            ),
+        )
+    ]