1414from main import (
1515 ADF_JUMP_MANAGED_POLICY_ARN ,
1616 ADF_TEST_BOOTSTRAP_ROLE_NAME ,
17+ CHARS_PER_ACCOUNT_ID ,
1718 CROSS_ACCOUNT_ACCESS_ROLE_NAME ,
1819 INCLUDE_NEW_ACCOUNTS_IF_JOINED_IN_LAST_HOURS ,
20+ MAX_MANAGED_POLICY_LENGTH ,
1921 MAX_NUMBER_OF_ACCOUNTS ,
2022 MAX_POLICY_VERSIONS ,
23+ MAX_ROLE_NAME_LENGTH ,
2124 POLICY_VALID_DURATION_IN_HOURS ,
25+ ZERO_ACCOUNTS_POLICY_LENGTH ,
2226 _build_summary ,
2327 _delete_old_policy_versions ,
2428 _generate_policy_document ,
@@ -65,7 +69,7 @@ def mock_organizations():
6569
6670
6771def test_max_number_of_accounts ():
68- assert MAX_NUMBER_OF_ACCOUNTS == 391
72+ assert MAX_NUMBER_OF_ACCOUNTS == 361
6973
7074
7175def test_max_policy_versions ():
@@ -674,6 +678,7 @@ def test_generate_policy_document_no_accounts_to_bootstrap(get_mock):
674678 assert policy == expected_policy
675679
676680
681+ @patch ("main.CROSS_ACCOUNT_ACCESS_ROLE_NAME" , "z" * MAX_ROLE_NAME_LENGTH )
677682@patch ("main._get_valid_until" )
678683def test_generate_policy_document (get_mock ):
679684 end_time = '2024-04-03T14:00:00Z'
@@ -683,6 +688,7 @@ def test_generate_policy_document(get_mock):
683688 '222222222222' ,
684689 '333333333333' ,
685690 ]
691+ role_name = "z" * MAX_ROLE_NAME_LENGTH
686692 expected_policy = {
687693 "Version" : "2012-10-17" ,
688694 "Statement" : [
@@ -691,7 +697,7 @@ def test_generate_policy_document(get_mock):
691697 "Effect" : "Allow" ,
692698 "Action" : ["sts:AssumeRole" ],
693699 "Resource" : [
694- f"arn:aws:iam::*:role/{ CROSS_ACCOUNT_ACCESS_ROLE_NAME } ,
700+ f"arn:aws:iam::*:role/{ role_name } ,
695701 ],
696702 "Condition" : {
697703 "DateLessThan" : {
@@ -707,6 +713,45 @@ def test_generate_policy_document(get_mock):
707713
708714 policy = _generate_policy_document (non_bootstrapped_account_ids )
709715 assert policy == expected_policy
716+ assert len (json .dumps (policy )) == (
717+ ZERO_ACCOUNTS_POLICY_LENGTH
718+ + CHARS_PER_ACCOUNT_ID * len (non_bootstrapped_account_ids )
719+ - 2 # characters for the last account, as that does not include ", "
720+ )
721+
722+
723+ @patch ("main.CROSS_ACCOUNT_ACCESS_ROLE_NAME" , "z" * MAX_ROLE_NAME_LENGTH )
724+ @patch ("main._get_valid_until" )
725+ def test_generate_policy_document_max_length (get_mock ):
726+ end_time = '2024-04-03T14:00:00Z'
727+ get_mock .return_value = end_time
728+ non_bootstrapped_account_ids = ['111111111111' ] * MAX_NUMBER_OF_ACCOUNTS
729+ role_name = "z" * MAX_ROLE_NAME_LENGTH
730+ expected_policy = {
731+ "Version" : "2012-10-17" ,
732+ "Statement" : [
733+ {
734+ "Sid" : "AllowNonBootstrappedAccounts" ,
735+ "Effect" : "Allow" ,
736+ "Action" : ["sts:AssumeRole" ],
737+ "Resource" : [
738+ f"arn:aws:iam::*:role/{ role_name } ,
739+ ],
740+ "Condition" : {
741+ "DateLessThan" : {
742+ "aws:CurrentTime" : end_time ,
743+ },
744+ "StringEquals" : {
745+ "aws:ResourceAccount" : non_bootstrapped_account_ids ,
746+ },
747+ }
748+ }
749+ ]
750+ }
751+
752+ policy = _generate_policy_document (non_bootstrapped_account_ids )
753+ assert policy == expected_policy
754+ assert len (json .dumps (policy )) < MAX_MANAGED_POLICY_LENGTH
710755# ---------------------------------------------------------
711756
712757
@@ -1196,4 +1241,4 @@ def test_verify_bootstrap_exists_failure(logger, mock_sts):
11961241 ADF_TEST_BOOTSTRAP_ROLE_NAME ,
11971242 account_id ,
11981243 error ,
1199- )
1244+ )
0 commit comments