Class: Wonk::PolicyValidators::AwsEC2::HasRoleWithRule

Inherits:

Object

• Object
• Wonk::PolicyValidators::AwsEC2::HasRoleWithRule

Defined in:

lib/wonk/policy_validators/aws_ec2/has_role_with_rule.rb

Instance Attribute Summary

• #name ⇒ Object readonly

  Returns the value of attribute name.

Instance Method Summary

• #initialize(parameters) ⇒ HasRoleWithRule constructor

  A new instance of HasRoleWithRule.

• #try_match(instance, identity) ⇒ Object

Constructor Details

#initialize(parameters) ⇒ HasRoleWithRule

Returns a new instance of HasRoleWithRule.

# File 'lib/wonk/policy_validators/aws_ec2/has_role_with_rule.rb', line 9

def initialize(parameters)
  @name = Regexp.new(parameters[:name]) if parameters[:name]

  @iam_rsrc = Aws::IAM::Resource.new(region: Wonk.aws_region)
end

Instance Attribute Details

#name ⇒ Object (readonly)

Returns the value of attribute name.

# File 'lib/wonk/policy_validators/aws_ec2/has_role_with_rule.rb', line 7

def name
  @name
end

Instance Method Details

#try_match(instance, identity) ⇒ Object

# File 'lib/wonk/policy_validators/aws_ec2/has_role_with_rule.rb', line 15

def try_match(instance, identity)
  if instance.iam_instance_profile.nil?
    RuleResult.new(successful: false)
  else
    instance_profile =
      @iam_rsrc.instance_profile(instance.iam_instance_profile.arn.split('/').last)

    roles = instance_profile.roles

    match_role = roles.map do |role|
      if @name.nil?
        [ role, true, {} ]
      else
        match = @name.match(role.name)

        if !match.nil?
          [ role, true, Hash[match.names.zip(match.captures)] ]
        else
          [ role, false, {} ]
        end
      end
    end.find { |rt| rt[1] == true }

    RuleResult.new(successful: !match_role.nil?,
                   captures: match_role[2] || {})
  end
end