Diffstat (limited to 'hacking')
-rw-r--r--hacking/aws_config/setup-iam.yml1
-rw-r--r--hacking/aws_config/testing_policies/cloudfront-policy.json29
-rw-r--r--hacking/aws_config/testing_policies/compute-policy.json16
-rw-r--r--hacking/aws_config/testing_policies/container-policy.json1
-rw-r--r--hacking/aws_config/testing_policies/database-policy.json11
-rw-r--r--hacking/aws_config/testing_policies/iam-policy.json17
-rw-r--r--hacking/aws_config/testing_policies/network-policy.json24
-rw-r--r--hacking/aws_config/testing_policies/security-policy.json41
8 files changed, 51 insertions, 89 deletions
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
index 2740142959..9dfaca53c9 100644
--- a/hacking/aws_config/setup-iam.yml
+++ b/hacking/aws_config/setup-iam.yml
@@ -52,3 +52,4 @@
state: present
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
profile: "{{ profile|default(omit) }}"
+ purge_policy: yes
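Review bot: `purge_policy: yes` makes every run detach any managed policy on the principal that is not in the `json_query` result, so a policy someone attached by hand while debugging disappears silently on the next run; a one-line comment should record that, e.g. `# purge_policy: detach any managed policy not produced by the json_query above`. The task this line belongs to starts before the hunk, so I cannot see which module it targets or whether the same purge is applied anywhere else. As a style point, prefer the YAML 1.2 literal `purge_policy: true` over `yes`, which ansible-lint's truthy rule flags.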
diff --git a/hacking/aws_config/testing_policies/cloudfront-policy.json b/hacking/aws_config/testing_policies/cloudfront-policy.json
deleted file mode 100644
index 057cb586d6..0000000000
--- a/hacking/aws_config/testing_policies/cloudfront-policy.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowCloudfrontUsage",
- "Effect": "Allow",
- "Action": [
- "cloudfront:CreateDistribution",
- "cloudfront:CreateDistributionWithTags",
- "cloudfront:CreateCloudFrontOriginAccessIdentity",
- "cloudfront:DeleteDistribution",
- "cloudfront:GetDistribution",
- "cloudfront:GetStreamingDistribution",
- "cloudfront:GetDistributionConfig",
- "cloudfront:GetStreamingDistributionConfig",
- "cloudfront:GetInvalidation",
- "cloudfront:ListDistributions",
- "cloudfront:ListDistributionsByWebACLId",
- "cloudfront:ListInvalidations",
- "cloudfront:ListStreamingDistributions",
- "cloudfront:ListTagsForResource",
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:UpdateDistribution"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
index 123843b3dd..a17850a4d0 100644
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@@ -43,6 +43,7 @@
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
+ "ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
@@ -50,6 +51,7 @@
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
+ "ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
@@ -64,6 +66,7 @@
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
@@ -87,6 +90,7 @@
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation",
+ "ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReportInstanceStatus"
],
"Resource": "*"
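Review bot: `ec2:ReplaceIamInstanceProfileAssociation` is added to a statement whose `Resource` is `"*"` (the line just after the action list), so the test principal may change the instance profile of any instance in the account, not only instances the tests created; together with the `iam:PassRole` grants these policies already carry, that is wider than a test run needs. If the suite tags or names its instances predictably, scope this action with a condition or move it to a statement with a restricted `Resource`, the way the role ARNs at the end of this file are scoped. JSON allows no comments, so if `"*"` is unavoidable here the reason should be recorded in a note alongside the policies.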
@@ -135,10 +139,7 @@
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
- "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancer*",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
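Review bot: `elasticloadbalancing:DescribeLoadBalancer*` here, and `lambda:List*` in the hunk at -177, replace enumerated actions with prefix wildcards, which will also match any action AWS later adds under that prefix; for read-only Describe/List prefixes that is usually acceptable, but it should be a deliberate choice. Note that `lambda:List*` also covers `ListAliases` and `ListVersionsByFunction`, which the hunk at -199 removes from a separate statement, so the net grant is only unchanged if both statements share the same `Resource`; that value is outside the hunks, and if the -177 statement is scoped to function ARNs the removal quietly narrows what tests can list. For consistency, container-policy.json in this same diff uses `elasticloadbalancing:Describe*`; pick one granularity across the two files.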
@@ -177,9 +178,7 @@
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
- "lambda:ListEventSourceMappings",
- "lambda:ListFunctions",
- "lambda:ListTags",
+ "lambda:List*",
"lambda:TagResource",
"lambda:UntagResource"
],
@@ -199,8 +198,6 @@
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
- "lambda:ListAliases",
- "lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
@@ -219,6 +216,7 @@
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
+ "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
diff --git a/hacking/aws_config/testing_policies/container-policy.json b/hacking/aws_config/testing_policies/container-policy.json
index d14deacf84..1a6641f36b 100644
--- a/hacking/aws_config/testing_policies/container-policy.json
+++ b/hacking/aws_config/testing_policies/container-policy.json
@@ -46,6 +46,7 @@
"ecs:StopTask",
"ecs:UpdateService",
"elasticloadbalancing:Describe*",
+ "iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
index 472e6206c0..f4c824ae21 100644
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
@@ -86,6 +86,17 @@
],
"Effect": "Allow",
"Resource": "*"
+ },
+ {
+ "Sid": "DMSEndpoints",
+ "Effect": "Allow",
+ "Action": [
+ "dms:CreateEndpoint",
+ "dms:DeleteEndpoint",
+ "dms:DescribeEndpoints",
+ "dms:ModifyEndpoint"
+ ],
+ "Resource": ["*"]
}
]
}
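Review bot: the new `DMSEndpoints` statement writes `"Resource": ["*"]` while every other statement visible in this diff, including the one closing just above it, writes `"Resource": "*"`; both are valid IAM, but a one-element array for a single value is a needless difference for anyone diffing or linting these policies, so use `"Resource": "*"`. Its key order (`Sid`, `Effect`, `Action`, `Resource`) also differs from the preceding statement, which places `Action` before `Effect`; harmless to IAM, but worth aligning within the file.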
diff --git a/hacking/aws_config/testing_policies/iam-policy.json b/hacking/aws_config/testing_policies/iam-policy.json
deleted file mode 100644
index 6105e40a92..0000000000
--- a/hacking/aws_config/testing_policies/iam-policy.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowAccessToServerCertificates",
- "Effect": "Allow",
- "Action": [
- "iam:ListServerCertificates",
- "iam:UploadServerCertificate",
- "iam:UpdateServerCertificate",
- "iam:DeleteServerCertificate",
- "iam:GetServerCertificate"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/network-policy.json b/hacking/aws_config/testing_policies/network-policy.json
index d28115ee45..d5cb2d36ec 100644
--- a/hacking/aws_config/testing_policies/network-policy.json
+++ b/hacking/aws_config/testing_policies/network-policy.json
@@ -22,6 +22,30 @@
"ec2:DescribeTransitGateways"
],
"Resource": "*"
+ },
+ {
+ "Sid": "AllowCloudfrontUsage",
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:CreateDistribution",
+ "cloudfront:CreateDistributionWithTags",
+ "cloudfront:CreateCloudFrontOriginAccessIdentity",
+ "cloudfront:DeleteDistribution",
+ "cloudfront:GetDistribution",
+ "cloudfront:GetStreamingDistribution",
+ "cloudfront:GetDistributionConfig",
+ "cloudfront:GetStreamingDistributionConfig",
+ "cloudfront:GetInvalidation",
+ "cloudfront:ListDistributions",
+ "cloudfront:ListDistributionsByWebACLId",
+ "cloudfront:ListInvalidations",
+ "cloudfront:ListStreamingDistributions",
+ "cloudfront:ListTagsForResource",
+ "cloudfront:TagResource",
+ "cloudfront:UntagResource",
+ "cloudfront:UpdateDistribution"
+ ],
+ "Resource": "*"
}
]
}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index 2cb253bf4a..4b1f53e362 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -33,7 +33,9 @@
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
- "iam:PassRole"
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy",
+ "sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
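Review bot: this hunk folds `sts:AssumeRole` and `iam:UpdateAssumeRolePolicy` into the `role/ansible-test-*` statement, but the statements deleted in the hunks at -92 and -132 also granted `iam:AttachRolePolicy`, `iam:GetRole`, `iam:CreateInstanceProfile`, `iam:AddRoleToInstanceProfile` and `iam:RemoveRoleFromInstanceProfile` on `role/ansible-test-*` and `instance-profile/ansible-test-*`, and none of those reappear on the new side of this diff. Unless a statement outside these hunks already grants them, tests that build instance profiles or attach policies to test roles will start failing with AccessDenied; the enclosing statement begins before line 33, so its full action list is not visible here. The `Resource` on this statement also spells the variable `{{ aws_account }}` with spaces while the rest of this file and compute-policy.json write `{{aws_account}}`; both render identically in Jinja, but one form should be used throughout.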
@@ -92,22 +94,6 @@
]
},
{
- "Sid": "AllowSTSAnsibleTests",
- "Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "sts:AssumeRole",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
- "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
- ]
- },
- {
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
@@ -132,26 +118,13 @@
"Resource": "*"
},
{
- "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:GetRole",
- "iam:PassRole",
- "iam:UpdateAssumeRolePolicy"
- ],
- "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
- },
- {
- "Sid": "AllowInstanceProfileCreation",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
+ "iam:ListServerCertificates",
+ "iam:UploadServerCertificate"
],
- "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+ "Resource": "*"
}
]
}
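Review bot: the renamed `AllowAccessToServerCertificates` statement keeps only `iam:ListServerCertificates` and `iam:UploadServerCertificate`, whereas the `iam-policy.json` deleted in this same diff also granted `GetServerCertificate`, `UpdateServerCertificate` and `DeleteServerCertificate`; without `iam:DeleteServerCertificate` a test that uploads a certificate cannot remove it, so certificates accumulate in the test account until someone cleans up by hand. If dropping the mutating actions is intentional, record that in a note alongside the policies; otherwise restore at least `"iam:DeleteServerCertificate"` to the action list. The `"Resource": "*"` could also be narrowed to `"arn:aws:iam::{{aws_account}}:server-certificate/ansible-test-*"` in the naming style the role statements already use, assuming the tests name their certificates with that prefix.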