Fix some changes to the API gateway iam policies (#1952)
kddejong authored Mar 23, 2021
1 parent a8853c8 commit 3a651a9
Showing 3 changed files with 118 additions and 26 deletions.
132 changes: 109 additions & 23 deletions src/cfnlint/data/AdditionalSpecs/Policies.json
@@ -5997,6 +5997,100 @@
"HasResource": true,
"StringPrefix": "execute-api"
},
"Amazon API Gateway Management": {
"ARNFormat": "arn:aws:apigateway:${Region}::${ApiGatewayResourcePath}",
"ARNRegex": "^arn:aws:apigateway:.+",
"Actions": [
"AddCertificateToDomain",
"DELETE",
"GET",
"PATCH",
"POST",
"PUT",
"RemoveCertificateFromDomain",
"SetWebACL",
"UpdateRestApiPolicy",
"HEAD",
"OPTIONS"
],
"HasResource": true,
"StringPrefix": "apigateway",
"conditionKeys": [
"apigateway:Request/AccessLoggingDestination",
"apigateway:Request/AccessLoggingFormat",
"apigateway:Request/ApiKeyRequired",
"apigateway:Request/ApiName",
"apigateway:Request/AuthorizerType",
"apigateway:Request/AuthorizerUri",
"apigateway:Request/DisableExecuteApiEndpoint",
"apigateway:Request/EndpointType",
"apigateway:Request/MtlsTrustStoreUri",
"apigateway:Request/MtlsTrustStoreVersion",
"apigateway:Request/RouteAuthorizationType",
"apigateway:Request/SecurityPolicy",
"apigateway:Request/StageName",
"apigateway:Resource/AccessLoggingDestination",
"apigateway:Resource/AccessLoggingFormat",
"apigateway:Resource/ApiKeyRequired",
"apigateway:Resource/ApiName",
"apigateway:Resource/AuthorizerType",
"apigateway:Resource/AuthorizerUri",
"apigateway:Resource/DisableExecuteApiEndpoint",
"apigateway:Resource/EndpointType",
"apigateway:Resource/MtlsTrustStoreUri",
"apigateway:Resource/MtlsTrustStoreVersion",
"apigateway:Resource/RouteAuthorizationType",
"apigateway:Resource/SecurityPolicy",
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys"
]
},
"Amazon API Gateway Management V2": {
"ARNFormat": "arn:aws:apigateway:${Region}::${ApiGatewayResourcePath}",
"ARNRegex": "^arn:aws:apigateway:.+",
"Actions": [
"DELETE",
"GET",
"PATCH",
"POST",
"PUT",
"HEAD",
"OPTIONS"
],
"HasResource": true,
"StringPrefix": "apigateway",
"conditionKeys": [
"apigateway:Request/AccessLoggingDestination",
"apigateway:Request/AccessLoggingFormat",
"apigateway:Request/ApiKeyRequired",
"apigateway:Request/ApiName",
"apigateway:Request/AuthorizerType",
"apigateway:Request/AuthorizerUri",
"apigateway:Request/DisableExecuteApiEndpoint",
"apigateway:Request/EndpointType",
"apigateway:Request/MtlsTrustStoreUri",
"apigateway:Request/MtlsTrustStoreVersion",
"apigateway:Request/RouteAuthorizationType",
"apigateway:Request/SecurityPolicy",
"apigateway:Request/StageName",
"apigateway:Resource/AccessLoggingDestination",
"apigateway:Resource/AccessLoggingFormat",
"apigateway:Resource/ApiKeyRequired",
"apigateway:Resource/ApiName",
"apigateway:Resource/AuthorizerType",
"apigateway:Resource/AuthorizerUri",
"apigateway:Resource/DisableExecuteApiEndpoint",
"apigateway:Resource/EndpointType",
"apigateway:Resource/MtlsTrustStoreUri",
"apigateway:Resource/MtlsTrustStoreVersion",
"apigateway:Resource/RouteAuthorizationType",
"apigateway:Resource/SecurityPolicy",
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys"
]
},
"Amazon AppFlow": {
"ARNFormat": "arn:aws:appflow:<region>:<account-id>:<resource-type>/<resource_name>",
"ARNRegex": "^arn:aws:appflow:.+:.+:.+",
@@ -6127,13 +6221,16 @@
"BatchGetQueryExecution",
"CreateDataCatalog",
"CreateNamedQuery",
"CreatePreparedStatement",
"CreateWorkGroup",
"DeleteDataCatalog",
"DeleteNamedQuery",
"DeletePreparedStatement",
"DeleteWorkGroup",
"GetDataCatalog",
"GetDatabase",
"GetNamedQuery",
"GetPreparedStatement",
"GetQueryExecution",
"GetQueryResults",
"GetQueryResultsStream",
@@ -6143,6 +6240,7 @@
"ListDatabases",
"ListEngineVersions",
"ListNamedQueries",
"ListPreparedStatements",
"ListQueryExecutions",
"ListTableMetadata",
"ListTagsForResource",
@@ -6152,6 +6250,7 @@
"TagResource",
"UntagResource",
"UpdateDataCatalog",
"UpdatePreparedStatement",
"UpdateWorkGroup"
],
"HasResource": true,
@@ -8303,14 +8402,23 @@
"GetRepositoryCatalogData",
"GetRepositoryPolicy",
"InitiateLayerUpload",
"ListTagsForResource",
"PutImage",
"PutRegistryCatalogData",
"PutRepositoryCatalogData",
"SetRepositoryPolicy",
"TagResource",
"UntagResource",
"UploadLayerPart"
],
"HasResource": true,
"StringPrefix": "ecr-public"
"StringPrefix": "ecr-public",
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys",
"ecr-public:ResourceTag/${TagKey}"
]
},
"Amazon Elastic Container Service": {
"ARNFormat": "arn:aws:ecs:<region>:<account_ID>:<resource_type>/<relative_ID>",
@@ -13115,28 +13223,6 @@
"HasResource": false,
"StringPrefix": "launchwizard"
},
"Manage Amazon API Gateway": {
"ARNFormat": "arn:aws:apigateway:<region>::<api_gateway_resource_path>",
"ARNRegex": "^arn:aws:apigateway:.+",
"Actions": [
"DELETE",
"GET",
"PATCH",
"POST",
"PUT",
"SetWebACL",
"UpdateRestApiPolicy",
"HEAD",
"OPTIONS"
],
"HasResource": true,
"StringPrefix": "apigateway",
"conditionKeys": [
"aws:RequestTag/${TagKey}",
"aws:ResourceTag/${TagKey}",
"aws:TagKeys"
]
},
"Network Manager": {
"ARNFormat": "arn:aws:networkmanager::<account-id>:<resource-type>/<resource_name>",
"ARNRegex": "^arn:aws:networkmanager::.+:.+",
5 changes: 4 additions & 1 deletion src/cfnlint/maintenance.py
@@ -234,7 +234,10 @@ def update_iam_policies():

content = content.split('app.PolicyEditorConfig=')[1]
content = json.loads(content)
content['serviceMap']['Manage Amazon API Gateway']['Actions'].extend(
content['serviceMap']['Amazon API Gateway Management']['Actions'].extend(
['HEAD', 'OPTIONS']
)
content['serviceMap']['Amazon API Gateway Management V2']['Actions'].extend(
['HEAD', 'OPTIONS']
)
content['serviceMap']['Amazon Kinesis Video Streams']['Actions'].append(
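Review bot: The two `content['serviceMap'][...]['Actions'].extend(...)` calls still index the downloaded policy document by hard-coded display names, so the next upstream rename or split will raise `KeyError` again, which appears to be the failure this commit patches after 'Manage Amazon API Gateway' was replaced. Both new entries in Policies.json share `"StringPrefix": "apigateway"`, so selecting on that field would survive renames: `for svc in content['serviceMap'].values():` / `if svc.get('StringPrefix') == 'apigateway':` / `svc['Actions'].extend(['HEAD', 'OPTIONS'])`. The fixture in test_update_iam_policies.py would then need a `StringPrefix` key on its API Gateway entries, since it currently mirrors the hard-coded names and cannot catch a rename. A failed refresh presumably leaves the IAM action list stale for whatever lint rules read Policies.json; that consumer is not visible here. update_iam_policies begins before and continues past this hunk.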
7 changes: 5 additions & 2 deletions test/unit/module/maintenance/test_update_iam_policies.py
@@ -19,7 +19,7 @@ class TestUpdateIamPolicies(BaseTestCase):
def test_update_iam_policies(self, mock_json_dump, mock_content):
"""Success update iam policies"""

mock_content.return_value = 'app.PolicyEditorConfig={"serviceMap":{"Manage Amazon API Gateway":{"Actions":[]},"Amazon Kinesis Video Streams":{"Actions":[]}}}'
mock_content.return_value = 'app.PolicyEditorConfig={"serviceMap":{"Amazon API Gateway Management":{"Actions":[]},"Amazon API Gateway Management V2":{"Actions":[]},"Amazon Kinesis Video Streams":{"Actions":[]}}}'

if sys.version_info.major == 3:
builtin_module_name = 'builtins'
@@ -31,7 +31,10 @@ def test_update_iam_policies(self, mock_json_dump, mock_content):
mock_json_dump.assert_called_with(
{
'serviceMap': {
'Manage Amazon API Gateway': {
'Amazon API Gateway Management': {
'Actions': ['HEAD', 'OPTIONS']
},
'Amazon API Gateway Management V2': {
'Actions': ['HEAD', 'OPTIONS']
},
'Amazon Kinesis Video Streams': {
