From ef2fe97e6c02b378832b2db43736011d6a6ad1e2 Mon Sep 17 00:00:00 2001
From: Ramon
Date: Wed, 2 Mar 2022 13:45:45 +0100
Subject: [PATCH] kms key to use default property policy_documents (#93)

Co-authored-by: Ramon
---
 CHANGELOG.md | 6 +++
 pycfmodel/cloudformation_actions.py | 16 ++++++
 pycfmodel/model/resources/kms_key.py | 6 ---
 setup.py | 2 +-
 .../properties/test_policy_document.py | 2 +
 tests/resources/test_kms_key.py | 50 ++++++++++++++++++-
 6 files changed, 74 insertions(+), 8 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index a4ad1296..284ccb81 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -1,6 +1,12 @@
 # Change Log
 All notable changes to this project will be documented in this file.

+## 0.17.0 - [2022-03-02]
+### Additions
+- `KMSKey` to use default `policy_documents` property instead of returning an empty list.
+### Updates
+- Update `CLOUDFORMATION_ACTIONS`.
+
 ## 0.16.3 - [2022-02-24]
 ### Fixes
 - Fix `resolve` for `bool`s that can be `str` such as `"true"` or `"false"` or similar, by making `ResolvableBool` to be resolvable to `SemiStrictBool`.
diff --git a/pycfmodel/cloudformation_actions.py b/pycfmodel/cloudformation_actions.py
index 8b560b2b..a815474a 100644
--- a/pycfmodel/cloudformation_actions.py
+++ b/pycfmodel/cloudformation_actions.py
@@ -4547,6 +4547,7 @@
 "events:UpdateApiDestination",
 "events:UpdateArchive",
 "events:UpdateConnection",
+ "evidently:BatchEvaluateFeature",
 "evidently:CreateExperiment",
 "evidently:CreateFeature",
 "evidently:CreateLaunch",
@@ -4555,6 +4556,7 @@
 "evidently:DeleteFeature",
 "evidently:DeleteLaunch",
 "evidently:DeleteProject",
+ "evidently:EvaluateFeature",
 "evidently:GetExperiment",
 "evidently:GetExperimentResults",
 "evidently:GetFeature",
@@ -4565,6 +4567,7 @@
 "evidently:ListLaunches",
 "evidently:ListProjects",
 "evidently:ListTagsForResource",
+ "evidently:PutProjectEvents",
 "evidently:StartExperiment",
 "evidently:StartLaunch",
 "evidently:StopExperiment",
@@ -8297,6 +8300,7 @@
 "outposts:CancelOrder",
 "outposts:CreateOrder",
 "outposts:CreateOutpost",
+ "outposts:CreatePrivateConnectivityConfig",
 "outposts:CreateSite",
 "outposts:DeleteOutpost",
 "outposts:DeleteSite",
@@ -8304,6 +8308,7 @@
 "outposts:GetOrder",
 "outposts:GetOutpost",
 "outposts:GetOutpostInstanceTypes",
+ "outposts:GetPrivateConnectivityConfig",
 "outposts:GetSite",
 "outposts:GetSiteAddress",
 "outposts:ListCatalogItems",
@@ -9636,12 +9641,14 @@
 "s3:GetMultiRegionAccessPointPolicyStatus",
 "s3:GetObject",
 "s3:GetObjectAcl",
+ "s3:GetObjectAttributes",
 "s3:GetObjectLegalHold",
 "s3:GetObjectRetention",
 "s3:GetObjectTagging",
 "s3:GetObjectTorrent",
 "s3:GetObjectVersion",
 "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionAttributes",
 "s3:GetObjectVersionForReplication",
 "s3:GetObjectVersionTagging",
 "s3:GetObjectVersionTorrent",
@@ -11135,6 +11142,7 @@
 "support:RefreshTrustedAdvisorCheck",
 "support:ResolveCase",
 "support:SearchForCases",
+ "sustainability:GetCarbonFootprintSummary",
 "swf:CancelTimer",
 "swf:CancelWorkflowExecution",
 "swf:CompleteWorkflowExecution",
@@ -11270,6 +11278,7 @@
 "transcribe:ListLanguageModels",
 "transcribe:ListMedicalTranscriptionJobs",
 "transcribe:ListMedicalVocabularies",
+ "transcribe:ListTagsForResource",
 "transcribe:ListTranscriptionJobs",
 "transcribe:ListVocabularies",
 "transcribe:ListVocabularyFilters",
@@ -11280,6 +11289,8 @@
 "transcribe:StartStreamTranscription",
 "transcribe:StartStreamTranscriptionWebSocket",
 "transcribe:StartTranscriptionJob",
+ "transcribe:TagResource",
+ "transcribe:UntagResource",
 "transcribe:UpdateCallAnalyticsCategory",
 "transcribe:UpdateMedicalVocabulary",
 "transcribe:UpdateVocabulary",
@@ -11340,7 +11351,11 @@
 "trustedadvisor:DescribeOrganization",
 "trustedadvisor:DescribeOrganizationAccounts",
 "trustedadvisor:DescribeReports",
+ "trustedadvisor:DescribeRisk",
+ "trustedadvisor:DescribeRiskResources",
+ "trustedadvisor:DescribeRisks",
 "trustedadvisor:DescribeServiceMetadata",
+ "trustedadvisor:DownloadRisk",
 "trustedadvisor:ExcludeCheckItems",
 "trustedadvisor:GenerateReport",
 "trustedadvisor:IncludeCheckItems",
@@ -11351,6 +11366,7 @@
 "trustedadvisor:SetAccountAccess",
 "trustedadvisor:SetOrganizationAccess",
 "trustedadvisor:UpdateNotificationPreferences",
+ "trustedadvisor:UpdateRiskStatus",
 "voiceid:CreateDomain",
 "voiceid:DeleteDomain",
 "voiceid:DeleteFraudster",
diff --git a/pycfmodel/model/resources/kms_key.py b/pycfmodel/model/resources/kms_key.py
index 69d15b0c..ee4370a3 100644
--- a/pycfmodel/model/resources/kms_key.py
+++ b/pycfmodel/model/resources/kms_key.py
@@ -5,7 +5,6 @@
 from pycfmodel.model.resources.properties.tag import Tag
 from pycfmodel.model.resources.resource import Resource
 from pycfmodel.model.types import Resolvable, ResolvableBool, ResolvableInt, ResolvableStr
-from pycfmodel.model.utils import OptionallyNamedPolicyDocument


 class KMSKeyProperties(CustomModel):
@@ -48,8 +47,3 @@ class KMSKey(Resource):
 TYPE_VALUE: ClassVar = "AWS::KMS::Key"
 Type: str = TYPE_VALUE
 Properties: Resolvable[KMSKeyProperties]
-
- @property
- def policy_documents(self) -> List[OptionallyNamedPolicyDocument]:
- # Key policies are a bit different than most policies and would raise issues if treated equally
- return []
diff --git a/setup.py b/setup.py
index ad19ead4..bb2b3b10 100644
--- a/setup.py
+++ b/setup.py
@@ -21,7 +21,7 @@

 setup(
 name="pycfmodel",
- version="0.16.3",
+ version="0.17.0",
 description="A python model for CloudFormation scripts",
 author="Skyscanner Product Security",
 author_email="security@skyscanner.net",
diff --git a/tests/resources/properties/test_policy_document.py b/tests/resources/properties/test_policy_document.py
index 8c7e2be7..1b5a2a12 100644
--- a/tests/resources/properties/test_policy_document.py
+++ b/tests/resources/properties/test_policy_document.py
@@ -264,12 +264,14 @@ def test_get_allowed_actions(policy_document_not_principal):
 "iam:DeleteVirtualMFADevice",
 "s3:GetObject",
 "s3:GetObjectAcl",
+ "s3:GetObjectAttributes",
 "s3:GetObjectLegalHold",
 "s3:GetObjectRetention",
 "s3:GetObjectTagging",
 "s3:GetObjectTorrent",
 "s3:GetObjectVersion",
 "s3:GetObjectVersionAcl",
+ "s3:GetObjectVersionAttributes",
 "s3:GetObjectVersionForReplication",
 "s3:GetObjectVersionTagging",
 "s3:GetObjectVersionTorrent",
diff --git a/tests/resources/test_kms_key.py b/tests/resources/test_kms_key.py
index 21830352..4985682a 100644
--- a/tests/resources/test_kms_key.py
+++ b/tests/resources/test_kms_key.py
@@ -1,6 +1,8 @@
 import pytest

 from pycfmodel.model.resources.kms_key import KMSKey
+from pycfmodel.model.resources.properties.policy_document import PolicyDocument
+from pycfmodel.model.utils import OptionallyNamedPolicyDocument


 @pytest.fixture()
@@ -115,4 +117,50 @@ def test_actions(kms_key):


 def test_kms_policy_documents(kms_key):
- assert kms_key.policy_documents == []
+ assert kms_key.policy_documents == [
+ OptionallyNamedPolicyDocument(
+ name=None,
+ policy_document=PolicyDocument(
+ **{
+ "Version": "2012-10-17",
+ "Id": "key-default-1",
+ "Statement": [
+ {
+ "Sid": "Enable IAM User Permissions",
+ "Effect": "Allow",
+ "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
+ "Action": "kms:*",
+ "Resource": "*",
+ },
+ {
+ "Sid": "Allow administration of the key",
+ "Effect": "Allow",
+ "Principal": {"AWS": "arn:aws:iam::111122223333:role/Admin"},
+ "Action": [
+ "kms:Create*",
+ "kms:Describe*",
+ "kms:Enable*",
+ "kms:List*",
+ "kms:Put*",
+ "kms:Update*",
+ "kms:Revoke*",
+ "kms:Disable*",
+ "kms:Get*",
+ "kms:Delete*",
+ "kms:ScheduleKeyDeletion",
+ "kms:CancelKeyDeletion",
+ ],
+ "Resource": "*",
+ },
+ {
+ "Sid": "Allow use of the key",
+ "Effect": "Allow",
+ "Principal": {"AWS": "arn:aws:iam::111122223333:role/Developer"},
+ "Action": ["kms:Sign", "kms:Verify", "kms:DescribeKey"],
+ "Resource": "*",
+ },
+ ],
+ }
+ ),
+ )
+ ]
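Review bot: The new assertion in `test_kms_policy_documents` pins the full key policy but leaves undocumented why the caveat in the comment removed from kms_key.py (key policies "would raise issues if treated equally") no longer applies. In a KMS key policy `"Resource": "*"` refers to the key the policy is attached to, so the `kms:*` and `"Resource": "*"` statements asserted here now reach every consumer of `policy_documents`, and wildcard-resource checks built on that property may need to treat `AWS::KMS::Key` specially. I would add a comment above the assertion, for example `# Key policy: "Resource": "*" means this key only; policy_documents consumers must not read it as an account-wide wildcard.` The `kms_key` fixture is defined outside this hunk, so whether the expected document matches it cannot be confirmed from here.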