Revert/1952 (#1954)

* Revert PR 1952 as policies changed back * Future proof any oddness with iam policy patching
aws-cloudformation · Mar 24, 2021 · 213ac6b · 213ac6b
1 parent e51b011
commit 213ac6b
Show file tree

Hide file tree

Showing 3 changed files with 58 additions and 134 deletions.
diff --git a/src/cfnlint/data/AdditionalSpecs/Policies.json b/src/cfnlint/data/AdditionalSpecs/Policies.json
@@ -3376,6 +3376,27 @@
         "iotevents:keyValue"
       ]
     },
+    "AWS IoT Fleet Hub for Device Management": {
+      "ARNFormat": "arn:aws:iotfleethub:<region>:<account-id>:<resource-type>/<resource_name>",
+      "ARNRegex": "^arn:aws:iotfleethub:.+:.+:.+",
+      "Actions": [
+        "CreateApplication",
+        "DeleteApplication",
+        "DescribeApplication",
+        "ListApplications",
+        "ListTagsForResource",
+        "TagResource",
+        "UntagResource",
+        "UpdateApplication"
+      ],
+      "HasResource": true,
+      "StringPrefix": "iotfleethub",
+      "conditionKeys": [
+        "aws:RequestTag/${TagKey}",
+        "aws:ResourceTag/${TagKey}",
+        "aws:TagKeys"
+      ]
+    },
     "AWS IoT Greengrass": {
       "ARNFormat": "arn:${Partition}:greengrass:${Region}:${Account}:/greengrass/${resourceType}/${resourcePath}",
       "ARNRegex": "^arn:${Partition}:greengrass:.+:[0-9]+:.+",
@@ -5997,100 +6018,6 @@
       "HasResource": true,
       "StringPrefix": "execute-api"
     },
-    "Amazon API Gateway Management": {
-      "ARNFormat": "arn:aws:apigateway:${Region}::${ApiGatewayResourcePath}",
-      "ARNRegex": "^arn:aws:apigateway:.+",
-      "Actions": [
-        "AddCertificateToDomain",
-        "DELETE",
-        "GET",
-        "PATCH",
-        "POST",
-        "PUT",
-        "RemoveCertificateFromDomain",
-        "SetWebACL",
-        "UpdateRestApiPolicy",
-        "HEAD",
-        "OPTIONS"
-      ],
-      "HasResource": true,
-      "StringPrefix": "apigateway",
-      "conditionKeys": [
-        "apigateway:Request/AccessLoggingDestination",
-        "apigateway:Request/AccessLoggingFormat",
-        "apigateway:Request/ApiKeyRequired",
-        "apigateway:Request/ApiName",
-        "apigateway:Request/AuthorizerType",
-        "apigateway:Request/AuthorizerUri",
-        "apigateway:Request/DisableExecuteApiEndpoint",
-        "apigateway:Request/EndpointType",
-        "apigateway:Request/MtlsTrustStoreUri",
-        "apigateway:Request/MtlsTrustStoreVersion",
-        "apigateway:Request/RouteAuthorizationType",
-        "apigateway:Request/SecurityPolicy",
-        "apigateway:Request/StageName",
-        "apigateway:Resource/AccessLoggingDestination",
-        "apigateway:Resource/AccessLoggingFormat",
-        "apigateway:Resource/ApiKeyRequired",
-        "apigateway:Resource/ApiName",
-        "apigateway:Resource/AuthorizerType",
-        "apigateway:Resource/AuthorizerUri",
-        "apigateway:Resource/DisableExecuteApiEndpoint",
-        "apigateway:Resource/EndpointType",
-        "apigateway:Resource/MtlsTrustStoreUri",
-        "apigateway:Resource/MtlsTrustStoreVersion",
-        "apigateway:Resource/RouteAuthorizationType",
-        "apigateway:Resource/SecurityPolicy",
-        "aws:RequestTag/${TagKey}",
-        "aws:ResourceTag/${TagKey}",
-        "aws:TagKeys"
-      ]
-    },
-    "Amazon API Gateway Management V2": {
-      "ARNFormat": "arn:aws:apigateway:${Region}::${ApiGatewayResourcePath}",
-      "ARNRegex": "^arn:aws:apigateway:.+",
-      "Actions": [
-        "DELETE",
-        "GET",
-        "PATCH",
-        "POST",
-        "PUT",
-        "HEAD",
-        "OPTIONS"
-      ],
-      "HasResource": true,
-      "StringPrefix": "apigateway",
-      "conditionKeys": [
-        "apigateway:Request/AccessLoggingDestination",
-        "apigateway:Request/AccessLoggingFormat",
-        "apigateway:Request/ApiKeyRequired",
-        "apigateway:Request/ApiName",
-        "apigateway:Request/AuthorizerType",
-        "apigateway:Request/AuthorizerUri",
-        "apigateway:Request/DisableExecuteApiEndpoint",
-        "apigateway:Request/EndpointType",
-        "apigateway:Request/MtlsTrustStoreUri",
-        "apigateway:Request/MtlsTrustStoreVersion",
-        "apigateway:Request/RouteAuthorizationType",
-        "apigateway:Request/SecurityPolicy",
-        "apigateway:Request/StageName",
-        "apigateway:Resource/AccessLoggingDestination",
-        "apigateway:Resource/AccessLoggingFormat",
-        "apigateway:Resource/ApiKeyRequired",
-        "apigateway:Resource/ApiName",
-        "apigateway:Resource/AuthorizerType",
-        "apigateway:Resource/AuthorizerUri",
-        "apigateway:Resource/DisableExecuteApiEndpoint",
-        "apigateway:Resource/EndpointType",
-        "apigateway:Resource/MtlsTrustStoreUri",
-        "apigateway:Resource/MtlsTrustStoreVersion",
-        "apigateway:Resource/RouteAuthorizationType",
-        "apigateway:Resource/SecurityPolicy",
-        "aws:RequestTag/${TagKey}",
-        "aws:ResourceTag/${TagKey}",
-        "aws:TagKeys"
-      ]
-    },
     "Amazon AppFlow": {
       "ARNFormat": "arn:aws:appflow:<region>:<account-id>:<resource-type>/<resource_name>",
       "ARNRegex": "^arn:aws:appflow:.+:.+:.+",
@@ -13003,32 +12930,6 @@
       "HasResource": false,
       "StringPrefix": "elemental-support-content"
     },
-    "Fleet Hub for AWS IoT Device Management": {
-      "ARNFormat": "arn:aws:iotfleethub:<region>:<account-id>:<resource-type>/<resource_name>",
-      "ARNRegex": "^arn:aws:iotfleethub:.+:.+:.+",
-      "Actions": [
-        "CreateApplication",
-        "CreateDashboard",
-        "DeleteApplication",
-        "DeleteDashboard",
-        "DescribeApplication",
-        "DescribeDashboard",
-        "ListApplications",
-        "ListDashboards",
-        "ListTagsForResource",
-        "TagResource",
-        "UntagResource",
-        "UpdateApplication",
-        "UpdateDashboard"
-      ],
-      "HasResource": true,
-      "StringPrefix": "iotfleethub",
-      "conditionKeys": [
-        "aws:RequestTag/${TagKey}",
-        "aws:ResourceTag/${TagKey}",
-        "aws:TagKeys"
-      ]
-    },
     "Identity And Access Management": {
       "ARNFormat": "arn:aws:iam::<namespace>:<relative-id>",
       "ARNRegex": "^arn:aws:iam::.+",
@@ -13223,6 +13124,28 @@
       "HasResource": false,
       "StringPrefix": "launchwizard"
     },
+    "Manage Amazon API Gateway": {
+      "ARNFormat": "arn:aws:apigateway:<region>::<api_gateway_resource_path>",
+      "ARNRegex": "^arn:aws:apigateway:.+",
+      "Actions": [
+        "DELETE",
+        "GET",
+        "PATCH",
+        "POST",
+        "PUT",
+        "SetWebACL",
+        "UpdateRestApiPolicy",
+        "HEAD",
+        "OPTIONS"
+      ],
+      "HasResource": true,
+      "StringPrefix": "apigateway",
+      "conditionKeys": [
+        "aws:RequestTag/${TagKey}",
+        "aws:ResourceTag/${TagKey}",
+        "aws:TagKeys"
+      ]
+    },
     "Network Manager": {
       "ARNFormat": "arn:aws:networkmanager::<account-id>:<resource-type>/<resource_name>",
       "ARNRegex": "^arn:aws:networkmanager::.+:.+",

diff --git a/src/cfnlint/maintenance.py b/src/cfnlint/maintenance.py
@@ -234,15 +234,18 @@ def update_iam_policies():
 
     content = content.split('app.PolicyEditorConfig=')[1]
     content = json.loads(content)
-    content['serviceMap']['Amazon API Gateway Management']['Actions'].extend(
-        ['HEAD', 'OPTIONS']
-    )
-    content['serviceMap']['Amazon API Gateway Management V2']['Actions'].extend(
-        ['HEAD', 'OPTIONS']
-    )
-    content['serviceMap']['Amazon Kinesis Video Streams']['Actions'].append(
-        'StartStreamEncryption'
-    )
+
+    actions = {
+        'Manage Amazon API Gateway': ['HEAD', 'OPTIONS'],
+        'Amazon API Gateway Management': ['HEAD', 'OPTIONS'],
+        'Amazon API Gateway Management V2': ['HEAD', 'OPTIONS'],
+        'Amazon Kinesis Video Streams': ['StartStreamEncryption'],
+    }
+    for k, v in actions.items():
+        if content.get('serviceMap').get(k):
+            content['serviceMap'][k]['Actions'].extend(v)
+        else:
+            LOGGER.debug('"%s" was not found in the policies file', k)
 
     with open(filename, 'w') as f:
         json.dump(content, f, indent=2, sort_keys=True, separators=(',', ': '))

diff --git a/test/unit/module/maintenance/test_update_iam_policies.py b/test/unit/module/maintenance/test_update_iam_policies.py
@@ -14,12 +14,13 @@
 
 class TestUpdateIamPolicies(BaseTestCase):
     """Used for Testing Rules"""
+
     @patch('cfnlint.maintenance.get_url_content')
     @patch('cfnlint.maintenance.json.dump')
     def test_update_iam_policies(self, mock_json_dump, mock_content):
         """Success update iam policies"""
 
-        mock_content.return_value = 'app.PolicyEditorConfig={"serviceMap":{"Amazon API Gateway Management":{"Actions":[]},"Amazon API Gateway Management V2":{"Actions":[]},"Amazon Kinesis Video Streams":{"Actions":[]}}}'
+        mock_content.return_value = 'app.PolicyEditorConfig={"serviceMap":{"Manage Amazon API Gateway":{"Actions":[]},"Amazon Kinesis Video Streams":{"Actions":[]}}}'
 
         if sys.version_info.major == 3:
             builtin_module_name = 'builtins'
@@ -31,10 +32,7 @@ def test_update_iam_policies(self, mock_json_dump, mock_content):
             mock_json_dump.assert_called_with(
                 {
                     'serviceMap': {
-                        'Amazon API Gateway Management': {
-                            'Actions': ['HEAD', 'OPTIONS']
-                        },
-                        'Amazon API Gateway Management V2': {
+                        'Manage Amazon API Gateway': {
                             'Actions': ['HEAD', 'OPTIONS']
                         },
                         'Amazon Kinesis Video Streams': {