Diffstat (limited to 'hacking/aws_config')
-rw-r--r-- | hacking/aws_config/testing-iam-policy.json.j2 | 246 |
1 files changed, 246 insertions, 0 deletions
diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2
new file mode 100644
index 0000000000..d5534a41e8
--- /dev/null
+++ b/hacking/aws_config/testing-iam-policy.json.j2
@@ -0,0 +1,246 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDescribeAllEC2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "MiscPrivilegesNeededByEC2Tests",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:DeleteKeyPair",
+ "ec2:ImportKeyPair",
+ "ec2:RunInstances",
+ "ec2:CreateTags",
+ "ec2:TerminateInstances",
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:DisassociateAddress",
+ "ec2:ReleaseAddress",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:CreateRouteTable",
+ "ec2:ModifyRouteTable",
+ "ec2:DescribeRouteTable",
+ "ec2:AssociateRouteTable",
+ "ec2:DisassociateRouteTable",
+ "ec2:ModifyVpcAttribute",
+ "ec2:CreateInternetGateway",
+ "ec2:AttachInternetGateway",
+ "ec2:DeleteNatGateway"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowManageSecurityGroupsForSetup",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DescribeSecurityGroups",
+ "ec2:CreateSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupIngress"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
+ ]
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "AllowReadAllLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
+ ]
+ },
+ {
+ "Sid": "AllowManagementofOwnLoadBalancers",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth"
+ ],
+ "Resource": [
+ "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
+ ]
+ },
+ {
+ "Sid": "AllowCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository",
+ "ecr:DescribeRepositories",
+ "ecr:GetRepositoryPolicy",
+ "ecr:DescribeRepositories",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ },
+ {
+ "Sid": "AllowOldRDSModule",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSModuleCompatibilityTests",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSSnapshotManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBSnapshots",
+ "rds:DeleteDBInstance",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:CreateDBInstanceReadReplica"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AlowS3AnsibleTestBuckets",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutBucketAcl",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::ansible_test_*",
+ "arn:aws:s3:::ansible_test_*/*"
+ ]
+ },
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:us-east-1::*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:*"
+ ],
+ "Resource": [
+ "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::459030870916:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
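Review bot: The resource ARNs in AllowGetUserForLambdaCreation and AllowLambdaRoleManagement hard-code account 459030870916, and AllowApiGateway hard-codes us-east-1, while every other statement in this template is parameterised on `{{aws_account}}` and `{{aws_region}}`; rendered for any other account or region the iam:GetUser, iam:PassRole and apigateway:* grants point at resources the test principal will never touch, so these should read `"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"`, `"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"` and `"arn:aws:apigateway:{{aws_region}}::*"`. AllowDescribeAllEC2 and MiscPrivilegesNeededByEC2Tests scope ec2:Describe* and the create/allocate-type EC2 actions to an `arn:aws:ec2:…:*` ARN; most of those actions do not support resource-level permissions and are only effective with `"Resource": "*"`, so as written the statements are probably denied rather than least-privilege (confirm against the current EC2 actions table before changing, and note that a Resource other than `*` is silently ineffective, not a tighter grant). The S3 statement also grants s3:PutBucketAcl and s3:PutObjectAcl, which let a test principal make bucket or object contents public; if the tests do not exercise ACLs those two actions are worth dropping. Minor: `ecr:DescribeRepositories`, `ecr:DeleteRepositoryPolicy` and `rds:DescribeDBSnapshots` are each listed more than once, `ec2:DescribeRouteTable` is already covered by the `ec2:Describe*` statement, and the Sid `AlowS3AnsibleTestBuckets` has a typo.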