From a308082b2c39c978fc9ff30943874ee8c13e2fd1 Mon Sep 17 00:00:00 2001
From: Haryo Bagas Assyafah
Date: Fri, 20 Dec 2024 23:50:23 +0700
Subject: [PATCH] feat: adjust logic, unittests & add readme
---
 plugins/providers/alicloud_ram/README.md | 242 ++++++++++++++++++
 plugins/providers/alicloud_ram/config.go | 8 -
 plugins/providers/alicloud_ram/config_test.go | 38 ---
 3 files changed, 242 insertions(+), 46 deletions(-)
 create mode 100644 plugins/providers/alicloud_ram/README.md
diff --git a/plugins/providers/alicloud_ram/README.md b/plugins/providers/alicloud_ram/README.md
new file mode 100644
index 00000000..0308bc83
--- /dev/null
+++ b/plugins/providers/alicloud_ram/README.md
@@ -0,0 +1,242 @@
+# Features
+### Ram Account
+- Grant & Revoke single permission to RAM account
+- Grant & Revoke multiple permission to RAM account
+- Grant & Revoke single permission to RAM account CROSS
+- Grant & Revoke multiple permission to RAM account CROSS
+
+### RAM Role
+- Grant & Revoke single permission to RAM role
+- Grant & Revoke multiple permission to RAM role
+- Grant & Revoke single permission to RAM role CROSS
+- Grant & Revoke multiple permission to RAM role CROSS
+
+# Policy Requirements For Each Provider
+### Standalone RAM Account
+- Custom Policy
+```json
+{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ram:ListPolicies",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:AttachPolicyToUser",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:DetachPolicyFromUser",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:AttachPolicyToRole",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:DetachPolicyFromRole",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+### Controller RAM Account
+- Custom Policy
+```json
+{
+ "Version": "1",
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+### Role That Will Be Assumed by Controller RAM Account
+- Trust Policy
+```json
+{
+ "Statement": [
+ {
+ "Action": "sts:AssumeRole",
+ "Effect": "Allow",
+ "Principal": {
+ "RAM": [
+ "acs:ram::{CONTROLLER_MAIN_ACCOUNT_ID}:root"
+ ]
+ }
+ }
+ ],
+ "Version": "1"
+}
+```
+
+- Custom Policy
+```json
+{
+ "Version": "1",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": "ram:ListPolicies",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:AttachPolicyToUser",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:DetachPolicyFromUser",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:AttachPolicyToRole",
+ "Resource": "*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": "ram:DetachPolicyFromRole",
+ "Resource": "*"
+ }
+ ]
+}
+```
+
+# Standard For Each Provider Creation
+### For Standalone Provider
+```json
+{
+ "type": "alicloud_ram",
+ "urn": "al-xxxx-id-x:500xxxxxxxxxxxxx", // using self main account id
+ "allowed_account_types": [
+ "ramUser",
+ "ramRole"
+ ],
+ "credentials": {
+ "main_account_id": "500xxxxxxxxxxxxx", // using self main account id
+ "access_key_id": "access_key_id (in base64)",
+ "access_key_secret": "access_key_secret (in base64)",
+ },
+ "appeal": {
+ "allow_permanent_access": false,
+ "allow_active_access_extension_in": "336h"
+ },
+ "resources": [
+ {
+ "type": "account",
+ "policy": {
+ "id": "alicloud_account_policy",
+ "version": 1
+ },
+ "roles": [
+ {
+ "id": "sample-role",
+ "name": "Sample Role",
+ "description": "Description for Sample Role",
+ "permissions": [
+ {
+ "name": "AliyunOSSReadOnlyAccess",
+ "type": "System"
+ },
+ {
+ "name": "AliyunOSSFullAccess",
+ "type": "System"
+ },
+ {
+ "name": "AliyunECSFullAccess",
+ "type": "System"
+ }
+ ]
+ },
+ {
+ "id": "sample-role-2",
+ "name": "Sample Role 2",
+ "description": "Description for Sample Role 2",
+ "permissions": [
+ {
+ "name": "AliyunCloudMonitorFullAccess",
+ "type": "System"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
+
+### For CROSS Provider
+```json
+{
+ "type": "alicloud_ram",
+ "urn": "al-xxxx-id-x:501xxxxxxxxxxxxx", // using role main account id
+ "allowed_account_types": [
+ "ramUser",
+ "ramRole"
+ ],
+ "credentials": {
+ "main_account_id": "501xxxxxxxxxxxxx", // using role main account id
+ "access_key_id": "access_key_id (in base64)",
+ "access_key_secret": "access_key_secret (in base64)",
+ "ram_role": "acs:ram::501xxxxxxxxxxxxx:role/role-name" // using role main account id
+ },
+ "appeal": {
+ "allow_permanent_access": false,
+ "allow_active_access_extension_in": "336h"
+ },
+ "resources": [
+ {
+ "type": "account",
+ "policy": {
+ "id": "alicloud_account_policy",
+ "version": 1
+ },
+ "roles": [
+ {
+ "id": "sample-role",
+ "name": "Sample Role",
+ "description": "Description for Sample Role",
+ "permissions": [
+ {
+ "name": "AliyunOSSReadOnlyAccess",
+ "type": "System"
+ },
+ {
+ "name": "AliyunOSSFullAccess",
+ "type": "System"
+ },
+ {
+ "name": "AliyunECSFullAccess",
+ "type": "System"
+ }
+ ]
+ },
+ {
+ "id": "sample-role-2",
+ "name": "Sample Role 2",
+ "description": "Description for Sample Role 2",
+ "permissions": [
+ {
+ "name": "AliyunCloudMonitorFullAccess",
+ "type": "System"
+ }
+ ]
+ }
+ ]
+ }
+ ]
+}
+```
diff --git a/plugins/providers/alicloud_ram/config.go b/plugins/providers/alicloud_ram/config.go
index cf92f635..3af4212d 100644
--- a/plugins/providers/alicloud_ram/config.go
+++ b/plugins/providers/alicloud_ram/config.go
@@ -70,14 +70,6 @@ type Permission struct {
 Type string `mapstructure:"type" json:"type" validate:"required,oneof=System Custom"`
 }
 
-func (p Permission) String() string {
- str := p.Name
- if p.Type != "" {
- str += fmt.Sprintf("@%s", p.Type)
- }
- return str
-}
-
 type Config struct {
 ProviderConfig *domain.ProviderConfig
 valid bool
diff --git a/plugins/providers/alicloud_ram/config_test.go b/plugins/providers/alicloud_ram/config_test.go
index 4cbfe461..c9b4ef3d 100644
--- a/plugins/providers/alicloud_ram/config_test.go
+++ b/plugins/providers/alicloud_ram/config_test.go
@@ -2,7 +2,6 @@ package alicloud_ram_test
 import (
 "errors"
- "fmt"
 "testing"
 
 "github.com/goto/guardian/domain"
@@ -195,43 +194,6 @@ func TestCredentials_Decrypt(t *testing.T) {
 }
 }
 
-func TestPermission_String(t *testing.T) {
- type fields struct {
- Name string
- Type string
- }
- tests := []struct {
- name string
- fields fields
- want string
- }{
- {
- name: "success",
- fields: fields{
- Name: "oss:ListObjects",
- Type: alicloud_ram.PolicyTypeSystem,
- },
- want: fmt.Sprintf("oss:ListObjects@%s", alicloud_ram.PolicyTypeSystem),
- },
- {
- name: "success without type",
- fields: fields{
- Name: "oss:ListObjects",
- },
- want: "oss:ListObjects",
- },
- }
- for _, tt := range tests {
- t.Run(tt.name, func(t *testing.T) {
- p := alicloud_ram.Permission{
- Name: tt.fields.Name,
- Type: tt.fields.Type,
- }
- assert.Equalf(t, tt.want, p.String(), "String()")
- })
- }
-}
-
 func TestNewConfig(t *testing.T) {
 type args struct {
 pc *domain.ProviderConfig