82 lines
3.6 KiB
PowerShell
82 lines
3.6 KiB
PowerShell
|
. $PSScriptRoot\..\..\Load-PesterModules.ps1
|
||
|
|
$here = Split-Path -Parent $MyInvocation.MyCommand.Path
|
||
|
|
$sut = (Split-Path -Leaf $MyInvocation.MyCommand.Path) -replace '\.tests\.', '.'
|
||
|
|
$global:functionPath = Join-Path -Path $here -ChildPath $sut
|
||
|
|
|
||
|
|
InModuleScope -ModuleName Alkami.DevOps.SystemEngineering -ScriptBlock {
|
||
|
|
Write-Host "InModuleScope - Overriding SUT: $global:functionPath"
|
||
|
|
Import-Module $global:functionPath -Force
|
||
|
|
$inScopeModule = "Alkami.DevOps.SystemEngineering"
|
||
|
|
|
||
|
|
Describe "Get-AlkamiSecretResourcePolicyString" {
|
||
|
|
|
||
|
|
Mock -CommandName Import-AWSModule -ModuleName $inScopeModule -MockWith {}
|
||
|
|
Mock -CommandName Get-STSCallerIdentity -ModuleName $inScopeModule -MockWith {
|
||
|
|
return @{ Account = '123456' }
|
||
|
|
}
|
||
|
|
|
||
|
|
Context "Parameter Validation" {
|
||
|
|
|
||
|
|
It "Throws if ProfileName is Null" {
|
||
|
|
{ Get-AlkamiSecretResourcePolicyString -ProfileName $null } | Should -Throw
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Throws if ProfileName is Empty" {
|
||
|
|
{ Get-AlkamiSecretResourcePolicyString -ProfileName '' } | Should -Throw
|
||
|
|
}
|
||
|
|
}
|
||
|
|
|
||
|
|
Context "Logic" {
|
||
|
|
|
||
|
|
It "Returns a String" {
|
||
|
|
|
||
|
|
(Get-Command Get-AlkamiSecretResourcePolicyString).OutputType.Type.ToString() | Should -BeExactly "System.String"
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Returns a String With a Valid JSON Conversion" {
|
||
|
|
|
||
|
|
{ ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test') } | Should -Not -Throw
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Includes CLI-SRE-Admin Role By Default" {
|
||
|
|
|
||
|
|
$searchTerm = 'role/CLI-SRE-Admin'
|
||
|
|
$jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
|
||
|
|
$searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
|
||
|
|
$searchResult | Should -Not -BeNull
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Includes DAG-AWS-Admins Role By Default" {
|
||
|
|
|
||
|
|
$searchTerm = 'role/DAG-AWS-Admins'
|
||
|
|
$jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
|
||
|
|
$searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
|
||
|
|
$searchResult | Should -Not -BeNull
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Includes Account Root User By Default" {
|
||
|
|
|
||
|
|
$searchTerm = 'root'
|
||
|
|
$jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
|
||
|
|
$searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_.EndsWith($searchTerm) }
|
||
|
|
$searchResult | Should -Not -BeNull
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Includes No Other AWS Entites By Default" {
|
||
|
|
|
||
|
|
$exclusionTerms = 'CLI-SRE-Admin|CLI-SRE-SysAdministrator|DAG-AWS-Admins|DAG-AWS-SRE-Infrastructure|root'
|
||
|
|
$jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test')
|
||
|
|
$searchResult = $jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Where-Object { $_ -notmatch $exclusionTerms }
|
||
|
|
$searchResult | Should -BeNull
|
||
|
|
}
|
||
|
|
|
||
|
|
It "Includes Extra Parameter Values If Provided" {
|
||
|
|
|
||
|
|
$searchTerm = "TestArn"
|
||
|
|
$jsonResult = ConvertFrom-Json (Get-AlkamiSecretResourcePolicyString -ProfileName 'test' -SecretAccessExtraArns @($searchTerm))
|
||
|
|
$jsonResult.Statement.Condition.ArnNotEquals.'aws:PrincipalArn' | Should -Contain $searchTerm
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|
||
|
|
}
|