EC2: create_vpc_endpoint() should use default policy document if not provided (#6022)

2023-03-06 23:21:02 -01:00 · 2023-03-06 23:21:02 -01:00 · adfbff1095
commit adfbff1095
parent 33ce02056d
2 changed files with 40 additions and 2 deletions
--- a/moto/ec2/models/vpcs.py
+++ b/moto/ec2/models/vpcs.py
@ -40,6 +40,14 @@ DEFAULT_VPC_ENDPOINT_SERVICES: List[Dict[str, str]] = []


 class VPCEndPoint(TaggedEC2Resource, CloudFormationModel):
+
+    DEFAULT_POLICY = {
+        "Version": "2008-10-17",
+        "Statement ": [
+            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
+        ],
+    }
+
    def __init__(
        self,
        ec2_backend: Any,
@ -64,7 +72,7 @@ class VPCEndPoint(TaggedEC2Resource, CloudFormationModel):
        self.service_name = service_name
        self.endpoint_type = endpoint_type
        self.state = "available"
-        self.policy_document = policy_document
+        self.policy_document = policy_document or json.dumps(VPCEndPoint.DEFAULT_POLICY)
        self.route_table_ids = route_table_ids
        self.network_interface_ids = network_interface_ids or []
        self.subnet_ids = subnet_ids
--- a/tests/test_ec2/test_vpcs.py
+++ b/tests/test_ec2/test_vpcs.py
@ -2,7 +2,7 @@ import pytest
 from botocore.exceptions import ClientError

 import boto3
-
+import json
 import sure  # noqa # pylint: disable=unused-import
 import random

@ -1006,6 +1006,36 @@ def test_describe_classic_link_dns_support_multiple():
    )


+@mock_ec2
+def test_create_vpc_endpoint__policy():
+    ec2 = boto3.client("ec2", region_name="us-west-1")
+    vpc_id = ec2.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"]
+    # create without policy --> verify the default policy is created
+    default_policy = {
+        "Version": "2008-10-17",
+        "Statement ": [
+            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
+        ],
+    }
+    vpc_end_point = ec2.create_vpc_endpoint(
+        VpcId=vpc_id,
+        ServiceName="com.amazonaws.us-east-1.s3",
+        VpcEndpointType="Gateway",
+    )["VpcEndpoint"]
+
+    vpc_end_point.should.have.key("PolicyDocument")
+    json.loads(vpc_end_point["PolicyDocument"]).should.equal(default_policy)
+
+    # create with policy --> verify the passed policy is returned
+    vpc_end_point = ec2.create_vpc_endpoint(
+        VpcId=vpc_id,
+        ServiceName="com.amazonaws.us-east-1.s3",
+        PolicyDocument="my policy document",
+        VpcEndpointType="Gateway",
+    )["VpcEndpoint"]
+    vpc_end_point.should.have.key("PolicyDocument").equals("my policy document")
+
+
@mock_ec2
 def test_describe_vpc_gateway_end_points():
    ec2 = boto3.client("ec2", region_name="us-west-1")