Description
Test iam policies (suggestion: use filter tables)
Feature 1

Support for cis-aws-foundations-1.18.

```shell
aws iam get-policy-version --policy-arn arn:aws:iam::484747447281:policy/iam-master --version-id v1
```

```json
{
  "PolicyVersion": {
    "CreateDate": "2018-01-08T15:21:24Z",
    "VersionId": "v1",
    "Document": {
      "Version": "2012-10-17",
      "Statement": [
        {
          "Action": [
            "iam:AddUserToGroup",
            "iam:AttachGroupPolicy",
            "iam:DeleteGroupPolicy",
            "iam:DeleteUserPolicy"
          ],
          "Resource": "*",
          "Effect": "Allow",
          "Condition": {
            "Bool": {
              "aws:MultiFactorAuthPresent": "true"
            }
          }
        },
        {
          "Action": [
            "iam:CreateGroup",
            "iam:CreatePolicy",
            "iam:CreatePolicyVersion"
          ],
          "Resource": "*",
          "Effect": "Deny"
        }
      ]
    },
    "IsDefaultVersion": true
  }
}
```
Enable tests such as:

```ruby
# Proposed filter-table syntax for aws_iam_policy; the expected values are
# taken from the iam-master policy document above.
IAM_MASTER_POLICY   = 'iam-master'
allow_actions_array = %w[iam:AddUserToGroup iam:AttachGroupPolicy iam:DeleteGroupPolicy iam:DeleteUserPolicy]
deny_actions_array  = %w[iam:CreateGroup iam:CreatePolicy iam:CreatePolicyVersion]
mfa_condition       = { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } }

describe aws_iam_policy(IAM_MASTER_POLICY).where(Effect: "Allow") do
  its("Action") { should match_array allow_actions_array }
  its("Condition") { should eq mfa_condition }
end
# The Deny statement in the document above carries no Condition.
describe aws_iam_policy(IAM_MASTER_POLICY).where(Effect: "Deny") do
  its("Action") { should match_array deny_actions_array }
  its("Condition") { should be_nil }
end
```
Feature 2

Support for cis-aws-foundations-1.22.

Entities attached to arn:aws:iam::484747447281:policy/iam-master:

```json
{
  "PolicyGroups": [],
  "PolicyUsers": [],
  "PolicyRoles": [
    {
      "RoleName": "cis.role_for_ec2_with_role",
      "RoleId": "AROAIOG3FWH62CKPX6IMQ"
    }
  ]
}
```
Enable tests such as:

```ruby
describe aws_iam_policy('AWSSupportAccess') do
  it { should be_attached }
end
```

which tests whether the policy is attached to any groups, users, or roles.
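The two checks the issue asks for (filter statements by Effect and verify the MFA condition for 1.18; detect whether a policy is attached to anything for 1.22) can be prototyped outside InSpec against the raw JSON. The following is an added example, not code from the inspec-aws project; the sample document and entity list are constructed to mirror the output shown above, with "Resource": "*" assumed, and the helpers also accept the single-string "Action" and single-object "Statement" forms IAM permits.

```ruby
require 'json'

# Constructed sample mirroring the iam-master document above.
IAM_MASTER_DOCUMENT = JSON.parse(<<~JSON)
  {
    "Version": "2012-10-17",
    "Statement": [
      { "Action": ["iam:AddUserToGroup", "iam:AttachGroupPolicy",
                   "iam:DeleteGroupPolicy", "iam:DeleteUserPolicy"],
        "Resource": "*", "Effect": "Allow",
        "Condition": { "Bool": { "aws:MultiFactorAuthPresent": "true" } } },
      { "Action": ["iam:CreateGroup", "iam:CreatePolicy", "iam:CreatePolicyVersion"],
        "Resource": "*", "Effect": "Deny" }
    ]
  }
JSON

# Constructed sample in the shape of the attached-entities output above.
IAM_MASTER_ENTITIES = {
  'PolicyGroups' => [], 'PolicyUsers' => [],
  'PolicyRoles' => [{ 'RoleName' => 'cis.role_for_ec2_with_role' }]
}.freeze

MFA_CONDITION = { 'Bool' => { 'aws:MultiFactorAuthPresent' => 'true' } }.freeze

# Select statements by Effect, as a filter table over the policy would.
# IAM allows "Statement" to be a single object, so normalise to an array.
def statements_where(document, effect:)
  stmts = document['Statement']
  stmts = [stmts] unless stmts.is_a?(Array)
  stmts.select { |s| s['Effect'] == effect }
end

# "Action" may be a string or an array; return the sorted, de-duplicated set.
def actions(statements)
  statements.flat_map { |s| Array(s['Action']) }.uniq.sort
end

# CIS 1.18 intent: every Allow statement in the policy is gated on MFA.
def all_allows_require_mfa?(document)
  allows = statements_where(document, effect: 'Allow')
  !allows.empty? && allows.all? { |s| s['Condition'] == MFA_CONDITION }
end

# CIS 1.22 intent: is the policy attached to any group, user or role?
def attached?(entities)
  %w[PolicyGroups PolicyUsers PolicyRoles].any? { |k| !Array(entities[k]).empty? }
end
```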