From adfbff1095e611eeff417321559db048f072478a Mon Sep 17 00:00:00 2001
From: Bert Blommers 
Date: Mon, 6 Mar 2023 23:21:02 -0100
Subject: [PATCH] EC2: create_vpc_endpoint() should use default policy document if not provided (#6022)

---
 moto/ec2/models/vpcs.py | 10 +++++++++-
 tests/test_ec2/test_vpcs.py | 32 +++++++++++++++++++++++++++++++-
 2 files changed, 40 insertions(+), 2 deletions(-)

diff --git a/moto/ec2/models/vpcs.py b/moto/ec2/models/vpcs.py
index 5ccdcbf02..f56d6fc5f 100644
--- a/moto/ec2/models/vpcs.py
+++ b/moto/ec2/models/vpcs.py
@@ -40,6 +40,14 @@ DEFAULT_VPC_ENDPOINT_SERVICES: List[Dict[str, str]] = []
 
 
 class VPCEndPoint(TaggedEC2Resource, CloudFormationModel):
+
+    DEFAULT_POLICY = {
+        "Version": "2008-10-17",
+        "Statement ": [
+            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
+        ],
+    }
+
     def __init__(
         self,
         ec2_backend: Any,
@@ -64,7 +72,7 @@ class VPCEndPoint(TaggedEC2Resource, CloudFormationModel):
         self.service_name = service_name
         self.endpoint_type = endpoint_type
         self.state = "available"
-        self.policy_document = policy_document
+        self.policy_document = policy_document or json.dumps(VPCEndPoint.DEFAULT_POLICY)
         self.route_table_ids = route_table_ids
         self.network_interface_ids = network_interface_ids or []
         self.subnet_ids = subnet_ids
diff --git a/tests/test_ec2/test_vpcs.py b/tests/test_ec2/test_vpcs.py
index f7c8759a6..475d311aa 100644
--- a/tests/test_ec2/test_vpcs.py
+++ b/tests/test_ec2/test_vpcs.py
@@ -2,7 +2,7 @@ import pytest
 from botocore.exceptions import ClientError
 import boto3
-
+import json
 import sure  # noqa # pylint: disable=unused-import
 import random
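Review bot: The `"Statement "` key in the added DEFAULT_POLICY has a trailing space, so the serialized default document has no `Statement` member: a consumer that does `json.loads(...)["Statement"]` gets a KeyError, and the mocked endpoint reports a policy with zero statements instead of the allow-all that EC2 actually attaches when no PolicyDocument is given. The fix is the single key `"Statement": [`. A one-line comment above the constant would also make its origin clear, e.g. `# Allow-all document EC2 attaches when CreateVpcEndpoint is called without PolicyDocument`. The class body continues outside this hunk.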
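Review bot: The fallback on the changed `self.policy_document = policy_document or ...` line keys off truthiness, so an explicitly supplied empty string is silently replaced by the default document rather than surfaced, and a non-JSON string is stored verbatim; the real service rejects both with MalformedPolicyDocument, and nothing in this hunk validates a supplied policy. If the intent is only "not provided", `self.policy_document = policy_document if policy_document is not None else json.dumps(VPCEndPoint.DEFAULT_POLICY)` keeps "absent" distinct from "present but empty" (assuming the caller passes None when the parameter is missing, which is not visible here). The line also depends on `json` being imported at the top of vpcs.py, which this patch does not add — worth confirming it is already there. `__init__` starts and ends outside this hunk.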
@@ -1006,6 +1006,36 @@ def test_describe_classic_link_dns_support_multiple():
     )
 
 
+@mock_ec2
+def test_create_vpc_endpoint__policy():
+    ec2 = boto3.client("ec2", region_name="us-west-1")
+    vpc_id = ec2.create_vpc(CidrBlock="10.0.0.0/16")["Vpc"]["VpcId"]
+    # create without policy --> verify the default policy is created
+    default_policy = {
+        "Version": "2008-10-17",
+        "Statement ": [
+            {"Effect": "Allow", "Principal": "*", "Action": "*", "Resource": "*"}
+        ],
+    }
+    vpc_end_point = ec2.create_vpc_endpoint(
+        VpcId=vpc_id,
+        ServiceName="com.amazonaws.us-east-1.s3",
+        VpcEndpointType="Gateway",
+    )["VpcEndpoint"]
+
+    vpc_end_point.should.have.key("PolicyDocument")
+    json.loads(vpc_end_point["PolicyDocument"]).should.equal(default_policy)
+
+    # create with policy --> verify the passed policy is returned
+    vpc_end_point = ec2.create_vpc_endpoint(
+        VpcId=vpc_id,
+        ServiceName="com.amazonaws.us-east-1.s3",
+        PolicyDocument="my policy document",
+        VpcEndpointType="Gateway",
+    )["VpcEndpoint"]
+    vpc_end_point.should.have.key("PolicyDocument").equals("my policy document")
+
+
 @mock_ec2
 def test_describe_vpc_gateway_end_points():
     ec2 = boto3.client("ec2", region_name="us-west-1")
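Review bot: The `default_policy` dict in the new test repeats the `"Statement "` key with a trailing space, so the `json.loads(...).should.equal(default_policy)` assertion passes against a malformed default document and would start failing the moment the model is corrected to the key EC2 actually emits; the expected value should read `"Statement": [`. The second case passes `PolicyDocument="my policy document"`, which is not JSON and which the real API rejects with MalformedPolicyDocument, so that assertion pins moto's permissiveness rather than service behaviour — if intentional, a comment such as `# moto does not validate PolicyDocument; real EC2 would return MalformedPolicyDocument` prevents it being read as a fidelity guarantee. The `us-west-1` client against `com.amazonaws.us-east-1.s3` is presumably harmless in the mock but is worth aligning so the test does not look like it exercises a cross-region case.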