summaryrefslogtreecommitdiffstats
path: root/hacking
diff options
context:
space:
mode:
authorWill Thames <will@thames.id.au>2019-07-04 21:25:19 +0200
committerSloane Hertel <shertel@redhat.com>2019-07-04 21:25:19 +0200
commit60fb9fc208adebdc10c8a0f5ff1b3d61f8d6516d (patch)
treea8480436f2afb09710954aaf2b55a6f15c85de54 /hacking
parentpostgresql_query module: add autocommit parameter (#58704) (diff)
downloadansible-60fb9fc208adebdc10c8a0f5ff1b3d61f8d6516d.tar.xz
ansible-60fb9fc208adebdc10c8a0f5ff1b3d61f8d6516d.zip
Fix EC2 test suite to work with testing policies (#44387)
* Update testing policies to ensure all required permissions are present * Tidy up security policies to reduce duplicate permissions * Make roles static so that they can be present before CI is run, meaning that role creation permission is not required by the CI itself, only by someone setting up the roles prior to testing * Move contents to cloudfront policy to network policy to ensure policy count (maximum of 10) stays low * Maintain compute policy below 6144 bytes
Diffstat (limited to 'hacking')
-rw-r--r--hacking/aws_config/setup-iam.yml1
-rw-r--r--hacking/aws_config/testing_policies/cloudfront-policy.json29
-rw-r--r--hacking/aws_config/testing_policies/compute-policy.json16
-rw-r--r--hacking/aws_config/testing_policies/container-policy.json1
-rw-r--r--hacking/aws_config/testing_policies/database-policy.json11
-rw-r--r--hacking/aws_config/testing_policies/iam-policy.json17
-rw-r--r--hacking/aws_config/testing_policies/network-policy.json24
-rw-r--r--hacking/aws_config/testing_policies/security-policy.json41
8 files changed, 51 insertions, 89 deletions
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
index 2740142959..9dfaca53c9 100644
--- a/hacking/aws_config/setup-iam.yml
+++ b/hacking/aws_config/setup-iam.yml
@@ -52,3 +52,4 @@
state: present
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
profile: "{{ profile|default(omit) }}"
+ purge_policy: yes
diff --git a/hacking/aws_config/testing_policies/cloudfront-policy.json b/hacking/aws_config/testing_policies/cloudfront-policy.json
deleted file mode 100644
index 057cb586d6..0000000000
--- a/hacking/aws_config/testing_policies/cloudfront-policy.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowCloudfrontUsage",
- "Effect": "Allow",
- "Action": [
- "cloudfront:CreateDistribution",
- "cloudfront:CreateDistributionWithTags",
- "cloudfront:CreateCloudFrontOriginAccessIdentity",
- "cloudfront:DeleteDistribution",
- "cloudfront:GetDistribution",
- "cloudfront:GetStreamingDistribution",
- "cloudfront:GetDistributionConfig",
- "cloudfront:GetStreamingDistributionConfig",
- "cloudfront:GetInvalidation",
- "cloudfront:ListDistributions",
- "cloudfront:ListDistributionsByWebACLId",
- "cloudfront:ListInvalidations",
- "cloudfront:ListStreamingDistributions",
- "cloudfront:ListTagsForResource",
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:UpdateDistribution"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
index 123843b3dd..a17850a4d0 100644
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@@ -43,6 +43,7 @@
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
+ "ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
@@ -50,6 +51,7 @@
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
+ "ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
@@ -64,6 +66,7 @@
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
@@ -87,6 +90,7 @@
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation",
+ "ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReportInstanceStatus"
],
"Resource": "*"
@@ -135,10 +139,7 @@
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
- "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancer*",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
@@ -177,9 +178,7 @@
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
- "lambda:ListEventSourceMappings",
- "lambda:ListFunctions",
- "lambda:ListTags",
+ "lambda:List*",
"lambda:TagResource",
"lambda:UntagResource"
],
@@ -199,8 +198,6 @@
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
- "lambda:ListAliases",
- "lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
@@ -219,6 +216,7 @@
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
+ "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
diff --git a/hacking/aws_config/testing_policies/container-policy.json b/hacking/aws_config/testing_policies/container-policy.json
index d14deacf84..1a6641f36b 100644
--- a/hacking/aws_config/testing_policies/container-policy.json
+++ b/hacking/aws_config/testing_policies/container-policy.json
@@ -46,6 +46,7 @@
"ecs:StopTask",
"ecs:UpdateService",
"elasticloadbalancing:Describe*",
+ "iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
index 472e6206c0..f4c824ae21 100644
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
@@ -86,6 +86,17 @@
],
"Effect": "Allow",
"Resource": "*"
+ },
+ {
+ "Sid": "DMSEndpoints",
+ "Effect": "Allow",
+ "Action": [
+ "dms:CreateEndpoint",
+ "dms:DeleteEndpoint",
+ "dms:DescribeEndpoints",
+ "dms:ModifyEndpoint"
+ ],
+ "Resource": ["*"]
}
]
}
diff --git a/hacking/aws_config/testing_policies/iam-policy.json b/hacking/aws_config/testing_policies/iam-policy.json
deleted file mode 100644
index 6105e40a92..0000000000
--- a/hacking/aws_config/testing_policies/iam-policy.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowAccessToServerCertificates",
- "Effect": "Allow",
- "Action": [
- "iam:ListServerCertificates",
- "iam:UploadServerCertificate",
- "iam:UpdateServerCertificate",
- "iam:DeleteServerCertificate",
- "iam:GetServerCertificate"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/network-policy.json b/hacking/aws_config/testing_policies/network-policy.json
index d28115ee45..d5cb2d36ec 100644
--- a/hacking/aws_config/testing_policies/network-policy.json
+++ b/hacking/aws_config/testing_policies/network-policy.json
@@ -22,6 +22,30 @@
"ec2:DescribeTransitGateways"
],
"Resource": "*"
+ },
+ {
+ "Sid": "AllowCloudfrontUsage",
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:CreateDistribution",
+ "cloudfront:CreateDistributionWithTags",
+ "cloudfront:CreateCloudFrontOriginAccessIdentity",
+ "cloudfront:DeleteDistribution",
+ "cloudfront:GetDistribution",
+ "cloudfront:GetStreamingDistribution",
+ "cloudfront:GetDistributionConfig",
+ "cloudfront:GetStreamingDistributionConfig",
+ "cloudfront:GetInvalidation",
+ "cloudfront:ListDistributions",
+ "cloudfront:ListDistributionsByWebACLId",
+ "cloudfront:ListInvalidations",
+ "cloudfront:ListStreamingDistributions",
+ "cloudfront:ListTagsForResource",
+ "cloudfront:TagResource",
+ "cloudfront:UntagResource",
+ "cloudfront:UpdateDistribution"
+ ],
+ "Resource": "*"
}
]
}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index 2cb253bf4a..4b1f53e362 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -33,7 +33,9 @@
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
- "iam:PassRole"
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy",
+ "sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
@@ -92,22 +94,6 @@
]
},
{
- "Sid": "AllowSTSAnsibleTests",
- "Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "sts:AssumeRole",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
- "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
- ]
- },
- {
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
@@ -132,26 +118,13 @@
"Resource": "*"
},
{
- "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:GetRole",
- "iam:PassRole",
- "iam:UpdateAssumeRolePolicy"
- ],
- "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
- },
- {
- "Sid": "AllowInstanceProfileCreation",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
+ "iam:ListServerCertificates",
+ "iam:UploadServerCertificate"
],
- "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+ "Resource": "*"
}
]
}