author | Michael De La Rue <butigh.margoteen@dfgh.net> | 2017-05-19 23:37:39 +0200 |
---|---|---|
committer | scottb <dharmabumstead@users.noreply.github.com> | 2017-05-19 23:37:39 +0200 |
commit | e9e661ebbbf59c1ab397ab386517242a37e9f857 (patch) | |
tree | 9966835700cff2203404f55e2fbbf7bfe3d6c786 /hacking/aws_config | |
parent | fixed minor py3 compliance issue in ec2_vpn_nacl (#24758) (diff) | |
download | ansible-e9e661ebbbf59c1ab397ab386517242a37e9f857.tar.xz ansible-e9e661ebbbf59c1ab397ab386517242a37e9f857.zip |
aws integration tests - provide an IAM policy for running (#24725)
* aws integration tests - provide an IAM policy that can be used for running them
* move documentation of aws policies into main integration testing documentation + some updates there
* Update testing_integration.rst
Diffstat (limited to 'hacking/aws_config')
-rw-r--r-- | hacking/aws_config/testing-iam-policy.json.j2 | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2
new file mode 100644
index 0000000000..d5534a41e8
--- /dev/null
+++ b/hacking/aws_config/testing-iam-policy.json.j2
@@ -0,0 +1,246 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDescribeAllEC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "MiscPrivilegesNeededByEC2Tests",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:DeleteKeyPair",
+ "ec2:ImportKeyPair",
+ "ec2:RunInstances",
+ "ec2:CreateTags",
+ "ec2:TerminateInstances",
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:DisassociateAddress",
+ "ec2:ReleaseAddress",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:CreateRouteTable",
+ "ec2:ModifyRouteTable",
+ "ec2:DescribeRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifyVpcAttribute",
+ "ec2:CreateInternetGateway",
+ "ec2:AttachInternetGateway",
+ "ec2:DeleteNatGateway"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowManageSecurityGroupsForSetup",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
+ ]
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowReadAllLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
+ ]
+ },
+ {
+ "Sid": "AllowManagementofOwnLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
+ ]
+ },
+ {
+ "Sid": "AllowCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository",
+ "ecr:DescribeRepositories",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ },
+ {
+ "Sid": "AllowOldRDSModule",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSModuleCompatibilityTests",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSSnapshotManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBSnapshots",
+ "rds:DeleteDBInstance",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:CreateDBInstanceReadReplica"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AlowS3AnsibleTestBuckets",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutBucketAcl",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::ansible_test_*",
+ "arn:aws:s3:::ansible_test_*/*"
+ ]
+ },
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:us-east-1::*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
|
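Review bot: The `AllowGetUserForLambdaCreation` and `AllowLambdaRoleManagement` statements hard-code the account id `459030870916`, and `AllowApiGateway` hard-codes `us-east-1`, while every other statement in the template uses the `{{aws_account}}` and `{{aws_region}}` variables, so the rendered policy is unusable for any other account and grants `iam:PassRole` against a role in a different account than the one it was rendered for. The three resource lines should be `"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"`, `"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"` and `"arn:aws:apigateway:{{aws_region}}::*"`. Separately, as far as I know the `ec2:Describe*`, `autoscaling:Describe*` and `elasticloadbalancing:Describe*` actions do not support resource-level permissions, so scoping them to an account/region ARN instead of `"*"` is likely to make those calls fail with AccessDenied; this is worth checking against the IAM action tables before the policy is relied on. The `AllowCodeRepositories` and `AllowRDSSnapshotManageSnapshots` action lists also repeat `ecr:DescribeRepositories`, `ecr:DeleteRepositoryPolicy` and `rds:DescribeDBSnapshots`, and the S3 `Sid` `AlowS3AnsibleTestBuckets` is misspelled, both harmless but suggesting the lists were not reviewed after assembly.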