UNPKG

@aws-cdk-testing/cli-integ

Version:

Integration tests for the AWS CDK CLI

github.com/aws/aws-cdk

aws/aws-cdk-cli-testing

78 lines (69 loc) 3.02 kB
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
import { DescribeStacksCommand } from '@aws-sdk/client-cloudformation'; import { CreatePolicyCommand, DeletePolicyCommand, GetRoleCommand } from '@aws-sdk/client-iam'; import { integTest, withoutBootstrap } from '../../lib'; import eventually from '../../lib/eventually'; jest.setTimeout(2 * 60 * 60_000); // Includes the time to acquire locks, worst-case single-threaded runtime integTest('can remove customPermissionsBoundary', withoutBootstrap(async (fixture) => { const bootstrapStackName = fixture.bootstrapStackName; const policyName = `${bootstrapStackName}-pb`; let policyArn; try { const policy = await fixture.aws.iam.send( new CreatePolicyCommand({ PolicyName: policyName, PolicyDocument: JSON.stringify({ Version: '2012-10-17', Statement: { Action: ['*'], Resource: ['*'], Effect: 'Allow', }, }), }), ); policyArn = policy.Policy?.Arn; // Policy creation and consistency across regions is "almost immediate" // See: https://docs.aws.amazon.com/IAM/latest/UserGuide/troubleshoot_general.html#troubleshoot_general_eventual-consistency // We will put this in an `eventually` block to retry stack creation with a reasonable timeout const createStackWithPermissionBoundary = async (): Promise<void> => { await fixture.cdkBootstrapModern({ // toolkitStackName doesn't matter for this particular invocation toolkitStackName: bootstrapStackName, customPermissionsBoundary: policyName, }); const response = await fixture.aws.cloudFormation.send( new DescribeStacksCommand({ StackName: bootstrapStackName }), ); expect( response.Stacks?.[0].Parameters?.some( param => (param.ParameterKey === 'InputPermissionsBoundary' && param.ParameterValue === policyName), )).toEqual(true); }; await eventually(createStackWithPermissionBoundary, { maxAttempts: 3 }); await fixture.cdkBootstrapModern({ // toolkitStackName doesn't matter for this particular invocation toolkitStackName: bootstrapStackName, usePreviousParameters: false, }); const response2 = await fixture.aws.cloudFormation.send( new DescribeStacksCommand({ StackName: bootstrapStackName }), ); expect( response2.Stacks?.[0].Parameters?.some( param => (param.ParameterKey === 'InputPermissionsBoundary' && !param.ParameterValue), )).toEqual(true); const region = fixture.aws.region; const account = await fixture.aws.account(); const role = await fixture.aws.iam.send( new GetRoleCommand({ RoleName: `cdk-${fixture.qualifier}-cfn-exec-role-${account}-${region}` }), ); if (!role.Role) { throw new Error('Role not found'); } expect(role.Role.PermissionsBoundary).toBeUndefined(); } finally { if (policyArn) { await fixture.aws.iam.send(new DeletePolicyCommand({ PolicyArn: policyArn })); } } }));