
Commit 2e2a52c

handle conditions in IAM policies; add spectro policies
1 parent 63ae972 commit 2e2a52c

11 files changed

Lines changed: 806 additions & 52 deletions

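--- a/api/v1alpha1/awsvalidator_types.go
+++ b/api/v1alpha1/awsvalidator_types.go
@@ -17,6 +17,8 @@ limitations under the License.
 package v1alpha1
 
 import (
+"fmt"
+
 valid8orv1alpha1 "github.com/spectrocloud-labs/valid8or/api/v1alpha1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
@@ -36,20 +38,31 @@ type AwsAuth struct {
 }
 
 type IamRule struct {
-IamRole string `json:"iamRole,omitempty"`
-// Policies []awspolicy.AwsPolicy `json:"iamPolicies,omitempty"`
-Policies []PolicyDocument `json:"iamPolicies,omitempty"`
+IamRole string `json:"iamRole"`
+Policies []PolicyDocument `json:"iamPolicies"`
 }
 
 type PolicyDocument struct {
+Name string `json:"name"`
 Version string `json:"version"`
 Statements []StatementEntry `json:"statements"`
 }
 
 type StatementEntry struct {
-Effect string `json:"effect"`
-Actions []string `json:"actions"`
-Resource string `json:"resource"`
+Condition *Condition `json:"condition,omitempty"`
+Effect string `json:"effect"`
+Actions []string `json:"actions"`
+Resources []string `json:"resources"`
+}
+
+type Condition struct {
+Type string `json:"type"`
+Key string `json:"key"`
+Values []string `json:"values"`
+}
+
+func (c *Condition) String() string {
+return fmt.Sprintf("%s: %s=%s", c.Type, c.Key, c.Values)
 }
 
 type TagRule struct {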
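Review bot: `StatementEntry.Condition` on the new side is a single `*Condition` holding one operator/key pair, whereas an IAM statement's `Condition` block is a map of operator → key → values and routinely carries several at once (for example a `StringEquals` on `iam:PassedToService` together with a `Bool` on `aws:MultiFactorAuthPresent`), so a rule that needs more than one cannot be expressed at all. How that gap is treated depends on the comparison logic, which is outside this hunk, but the likely outcome is that a rule carrying a narrower condition set than the real policy is reported as satisfied by a broader grant than intended; `Conditions []Condition \`json:"conditions,omitempty"\`` (or a map keyed by operator) would let a statement carry all of them. `Condition.String` formats `Values` with `%s`, which renders a slice as `[a b]`, and it panics on a nil receiver; `%q` for the values and `if c == nil { return "" }` at the top would fix both. `Effect` is an unconstrained string; a `// +kubebuilder:validation:Enum=Allow;Deny` marker on it would reject typos at admission instead of at reconcile time.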
api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 30 additions & 0 deletions

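--- a/config/crd/bases/validation.spectrocloud.labs_awsvalidators.yaml
+++ b/config/crd/bases/validation.spectrocloud.labs_awsvalidators.yaml
@@ -47,35 +47,57 @@ spec:
 items:
 properties:
 iamPolicies:
-description: Policies []awspolicy.AwsPolicy `json:"iamPolicies,omitempty"`
 items:
 properties:
+name:
+type: string
 statements:
 items:
 properties:
 actions:
 items:
 type: string
 type: array
+condition:
+properties:
+key:
+type: string
+type:
+type: string
+values:
+items:
+type: string
+type: array
+required:
+- key
+- type
+- values
+type: object
 effect:
 type: string
-resource:
-type: string
+resources:
+items:
+type: string
+type: array
 required:
 - actions
 - effect
-- resource
+- resources
 type: object
 type: array
 version:
 type: string
 required:
+- name
 - statements
 - version
 type: object
 type: array
 iamRole:
 type: string
+required:
+- iamPolicies
+- iamRole
 type: object
 type: array
 tagRules: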
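--- a/config/samples/awsvalidator-iam-fail.yaml
+++ b/config/samples/awsvalidator-iam-fail.yaml
@@ -5,13 +5,24 @@ metadata:
 spec:
 auth:
 secretName: aws-creds
-region: us-west-2
 iamRules:
 - iamPolicies:
-- statements:
+- name: Failing Policy
+statements:
 - actions:
 - "cognito-sync:ListDatasets"
 effect: Allow
-resource: "*"
+resources:
+- "*"
+- actions:
+- "iam:PassRole"
+condition:
+type: StringEquals
+key: "iam:PassedToService"
+values:
+- fake.amazonaws.com
+effect: Allow
+resources:
+- "*"
 version: "2012-10-17"
 iamRole: SpectroCloudRole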
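Review bot: The sample no longer says why it is expected to fail — with the passing counterpart deleted in this commit there is no example of a rule the validator accepts, and a reader cannot tell whether the `iam:PassRole` statement conditioned on `fake.amazonaws.com` or the `cognito-sync:ListDatasets` one is the statement meant to go unsatisfied. A header comment such as `# Expected to FAIL: SpectroCloudRole does not grant iam:PassRole to fake.amazonaws.com` (adjusted to the actual reason) would make the fixture self-describing. The `region: us-west-2` line was dropped from `auth`; if the controller still needs a region to build its AWS session, this sample will not run as-is — worth confirming against the controller change, which is not visible here.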

config/samples/awsvalidator-iam-pass.yaml

Lines changed: 0 additions & 17 deletions
This file was deleted.
