Move CI test into its own script. (#34)
* Move CI test into its own script.

* Test both IAM and SSO sync/grant/revoke.
ggreer authored Aug 27, 2024
1 parent a726839 commit 810f166
Showing 2 changed files with 62 additions and 29 deletions.
45 changes: 16 additions & 29 deletions .github/workflows/ci.yaml
Expand Up @@ -66,38 +66,25 @@ jobs:
- name: Build baton
working-directory: ./baton
run: go build ./cmd/baton
- name: Grant entitlements
- name: Test grant/revoking IAM entitlements
env:
BATON: ./baton/baton
BATON_AWS: ./baton-aws
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- name: Check for grant before revoking
BATON_ENTITLEMENT: "group:arn:aws:iam::737118012813:group/ci-test-group:member"
BATON_PRINCIPAL: "arn:aws:iam::737118012813:user/ci-test-user"
BATON_PRINCIPAL_TYPE: "iam_user"
BATON_GRANT: "group:arn:aws:iam::737118012813:group/ci-test-group:member:iam_user:arn:aws:iam::737118012813:user/ci-test-user"
run: ./test/grant-revoke.sh
- name: Test grant/revoking SSO entitlements
env:
BATON: ./baton/baton
BATON_AWS: ./baton-aws
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"'
- name: Grant already-granted entitlement
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- name: Revoke grants
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --revoke-grant 'group:arn:aws:iam::737118012813:group/ci-test-group:member:iam_user:arn:aws:iam::737118012813:user/ci-test-user'
- name: Check grant was revoked
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status 'if .grants then .grants[]?.principal.id.resource != "arn:aws:iam::737118012813:user/ci-test-user" else . end'
- name: Grant entitlements
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws --grant-entitlement 'group:arn:aws:iam::737118012813:group/ci-test-group:member' --grant-principal 'arn:aws:iam::737118012813:user/ci-test-user' --grant-principal-type 'iam_user'
- name: Check grant was re-granted
env:
BATON_GLOBAL_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
BATON_GLOBAL_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: ./baton-aws && ./baton/baton grants --entitlement='group:arn:aws:iam::737118012813:group/ci-test-group:member' --output-format=json | jq --exit-status '.grants[].principal.id.resource == "arn:aws:iam::737118012813:user/ci-test-user"'
BATON_ENTITLEMENT: "sso_group:arn:aws:identitystore:us-east-1::d-90679d1878/group/9458d408-40b1-709f-4f45-92be754928e5:member"
BATON_PRINCIPAL: "arn:aws:identitystore:us-east-1::d-90679d1878/user/54982488-f0d1-70c1-1dd5-6db47f7add45"
BATON_PRINCIPAL_TYPE: "sso_user"
BATON_GRANT: "8418c428-1061-70cc-01da-b38b652ab0e6"
run: ./test/grant-revoke.sh
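Review bot: The `BATON_GRANT` values handed to both steps (the IAM step and the SSO step, which hard-codes the grant id `8418c428-1061-70cc-01da-b38b652ab0e6`) never reach a command, because `test/grant-revoke.sh` in this same commit reassigns `BATON_GRANT` from the `jq` lookup before the only `--revoke-grant` call. That makes the SSO id dead configuration that will silently go stale, and a reader of the workflow cannot tell whether the lookup or the literal is authoritative. Either drop `BATON_GRANT` from both `env:` blocks, or make the script honour an explicit id with `BATON_GRANT=${BATON_GRANT:-$(…)}` and document in the workflow which behaviour is intended. If the value is kept, a one-line comment above it, `# informational only: the script resolves the grant id from the sync output`, would avoid the confusion.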
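--- a/test/grant-revoke.sh
+++ b/test/grant-revoke.sh
@@ -0,0 +1,46 @@
+#!/bin/bash
+
+set -exo pipefail
+
+# CI test for use with CI AWS account
+if [ -z "$BATON_AWS" ]; then
+echo "BATON_AWS not set. using baton-aws"
+BATON_AWS=baton-aws
+fi
+if [ -z "$BATON" ]; then
+echo "BATON not set. using baton"
+BATON=baton
+fi
+
+# Error on unbound variables now that we've set BATON & BATON_AWS
+set -u
+
+# Sync
+$BATON_AWS
+
+# Grant entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check for grant before revoking
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
+
+# Grant already-granted entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Get grant ID
+BATON_GRANT=$($BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --raw-output --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ).grant.id")
+
+# Revoke grants
+$BATON_AWS --revoke-grant="$BATON_GRANT"
+
+# Check grant was revoked
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status "if .grants then [ .grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" ) ] | length == 0 else . end"
+
+# Re-grant entitlement
+$BATON_AWS --grant-entitlement="$BATON_ENTITLEMENT" --grant-principal="$BATON_PRINCIPAL" --grant-principal-type="$BATON_PRINCIPAL_TYPE"
+
+# Check grant was re-granted
+$BATON_AWS
+$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status ".grants[] | select( .principal.id.resource == \"$BATON_PRINCIPAL\" )"
+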
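Review bot: The four `jq` invocations (the two "check for grant" lines, the "Get grant ID" assignment and the "Check grant was revoked" line) build the jq program by interpolating `$BATON_PRINCIPAL` into a double-quoted shell string, so any principal value containing a `"` or a backslash changes the filter instead of the comparison value, and a non-matching quote turns the step into a jq syntax error rather than a failed assertion. Pass the value as data with `--arg principal "$BATON_PRINCIPAL"` and reference `$principal` inside a single-quoted filter; this also removes the `\"` escaping. The `BATON_GRANT` assignment would additionally capture several newline-separated ids if more than one grant matched the principal, which is worth a comment or a `first(...)` wrapper since the value is fed straight to `--revoke-grant`.
```shell
# … unchanged: defaults, set -u, sync, first grant …
$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status --arg principal "$BATON_PRINCIPAL" '.grants[] | select(.principal.id.resource == $principal)'
# … unchanged: grant already-granted entitlement …
BATON_GRANT=$($BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --raw-output --exit-status --arg principal "$BATON_PRINCIPAL" '.grants[] | select(.principal.id.resource == $principal).grant.id')
# … unchanged: revoke, sync …
$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status --arg principal "$BATON_PRINCIPAL" 'if .grants then [ .grants[] | select(.principal.id.resource == $principal) ] | length == 0 else . end'
# … unchanged: re-grant, sync …
$BATON grants --entitlement="$BATON_ENTITLEMENT" --output-format=json | jq --exit-status --arg principal "$BATON_PRINCIPAL" '.grants[] | select(.principal.id.resource == $principal)'
```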
