feat: adjust logic, unittests & add readme
bearaujus committed Dec 20, 2024
1 parent 6bd8fdf commit a308082
Showing 3 changed files with 242 additions and 46 deletions.
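--- a/plugins/providers/alicloud_ram/README.md
+++ b/plugins/providers/alicloud_ram/README.md
@@ -0,0 +1,242 @@
+# Features
+### Ram Account
+- Grant & Revoke single permission to RAM account
+- Grant & Revoke multiple permission to RAM account
+- Grant & Revoke single permission to RAM account CROSS
+- Grant & Revoke multiple permission to RAM account CROSS
+
+### RAM Role
+- Grant & Revoke single permission to RAM role
+- Grant & Revoke multiple permission to RAM role
+- Grant & Revoke single permission to RAM role CROSS
+- Grant & Revoke multiple permission to RAM role CROSS
+
+# Policy Requirements For Each Provider
+### Standalone RAM Account
+- Custom Policy
+```json
+{
+"Version": "1",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "ram:ListPolicies",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:AttachPolicyToUser",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:DetachPolicyFromUser",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:AttachPolicyToRole",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:DetachPolicyFromRole",
+"Resource": "*"
+}
+]
+}
+```
+
+### Controller RAM Account
+- Custom Policy
+```json
+{
+"Version": "1",
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Resource": "*"
+}
+]
+}
+```
+
+### Role That Will Be Assumed by Controller RAM Account
+- Trust Policy
+```json
+{
+"Statement": [
+{
+"Action": "sts:AssumeRole",
+"Effect": "Allow",
+"Principal": {
+"RAM": [
+"acs:ram::{CONTROLLER_MAIN_ACCOUNT_ID}:root"
+]
+}
+}
+],
+"Version": "1"
+}
+```
+
+- Custom Policy
+```json
+{
+"Version": "1",
+"Statement": [
+{
+"Effect": "Allow",
+"Action": "ram:ListPolicies",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:AttachPolicyToUser",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:DetachPolicyFromUser",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:AttachPolicyToRole",
+"Resource": "*"
+},
+{
+"Effect": "Allow",
+"Action": "ram:DetachPolicyFromRole",
+"Resource": "*"
+}
+]
+}
+```
+
+# Standard For Each Provider Creation
+### For Standalone Provider
+```json
+{
+"type": "alicloud_ram",
+"urn": "al-xxxx-id-x:500xxxxxxxxxxxxx", // using self main account id
+"allowed_account_types": [
+"ramUser",
+"ramRole"
+],
+"credentials": {
+"main_account_id": "500xxxxxxxxxxxxx", // using self main account id
+"access_key_id": "access_key_id (in base64)",
+"access_key_secret": "access_key_secret (in base64)",
+},
+"appeal": {
+"allow_permanent_access": false,
+"allow_active_access_extension_in": "336h"
+},
+"resources": [
+{
+"type": "account",
+"policy": {
+"id": "alicloud_account_policy",
+"version": 1
+},
+"roles": [
+{
+"id": "sample-role",
+"name": "Sample Role",
+"description": "Description for Sample Role",
+"permissions": [
+{
+"name": "AliyunOSSReadOnlyAccess",
+"type": "System"
+},
+{
+"name": "AliyunOSSFullAccess",
+"type": "System"
+},
+{
+"name": "AliyunECSFullAccess",
+"type": "System"
+}
+]
+},
+{
+"id": "sample-role-2",
+"name": "Sample Role 2",
+"description": "Description for Sample Role 2",
+"permissions": [
+{
+"name": "AliyunCloudMonitorFullAccess",
+"type": "System"
+}
+]
+}
+]
+}
+]
+}
+```
+
+### For CROSS Provider
+```json
+{
+"type": "alicloud_ram",
+"urn": "al-xxxx-id-x:501xxxxxxxxxxxxx", // using role main account id
+"allowed_account_types": [
+"ramUser",
+"ramRole"
+],
+"credentials": {
+"main_account_id": "501xxxxxxxxxxxxx", // using role main account id
+"access_key_id": "access_key_id (in base64)",
+"access_key_secret": "access_key_secret (in base64)",
+"ram_role": "acs:ram::501xxxxxxxxxxxxx:role/role-name" // using role main account id
+},
+"appeal": {
+"allow_permanent_access": false,
+"allow_active_access_extension_in": "336h"
+},
+"resources": [
+{
+"type": "account",
+"policy": {
+"id": "alicloud_account_policy",
+"version": 1
+},
+"roles": [
+{
+"id": "sample-role",
+"name": "Sample Role",
+"description": "Description for Sample Role",
+"permissions": [
+{
+"name": "AliyunOSSReadOnlyAccess",
+"type": "System"
+},
+{
+"name": "AliyunOSSFullAccess",
+"type": "System"
+},
+{
+"name": "AliyunECSFullAccess",
+"type": "System"
+}
+]
+},
+{
+"id": "sample-role-2",
+"name": "Sample Role 2",
+"description": "Description for Sample Role 2",
+"permissions": [
+{
+"name": "AliyunCloudMonitorFullAccess",
+"type": "System"
+}
+]
+}
+]
+}
+]
+}
+```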
8 changes: 0 additions & 8 deletions plugins/providers/alicloud_ram/config.go
Expand Up @@ -70,14 +70,6 @@ type Permission struct {
Type string `mapstructure:"type" json:"type" validate:"required,oneof=System Custom"`
}

func (p Permission) String() string {
str := p.Name
if p.Type != "" {
str += fmt.Sprintf("@%s", p.Type)
}
return str
}

type Config struct {
ProviderConfig *domain.ProviderConfig
valid bool
38 changes: 0 additions & 38 deletions plugins/providers/alicloud_ram/config_test.go
Expand Up @@ -2,7 +2,6 @@ package alicloud_ram_test

import (
"errors"
"fmt"
"testing"

"github.com/goto/guardian/domain"
Expand Down Expand Up @@ -195,43 +194,6 @@ func TestCredentials_Decrypt(t *testing.T) {
}
}

func TestPermission_String(t *testing.T) {
type fields struct {
Name string
Type string
}
tests := []struct {
name string
fields fields
want string
}{
{
name: "success",
fields: fields{
Name: "oss:ListObjects",
Type: alicloud_ram.PolicyTypeSystem,
},
want: fmt.Sprintf("oss:ListObjects@%s", alicloud_ram.PolicyTypeSystem),
},
{
name: "success without type",
fields: fields{
Name: "oss:ListObjects",
},
want: "oss:ListObjects",
},
}
for _, tt := range tests {
t.Run(tt.name, func(t *testing.T) {
p := alicloud_ram.Permission{
Name: tt.fields.Name,
Type: tt.fields.Type,
}
assert.Equalf(t, tt.want, p.String(), "String()")
})
}
}

func TestNewConfig(t *testing.T) {
type args struct {
pc *domain.ProviderConfig
