diff options
author | Will Thames <will@thames.id.au> | 2017-07-14 14:50:55 +1000 |
---|---|---|
committer | GitHub <noreply@github.com> | 2017-07-14 14:50:55 +1000 |
commit | 0ed1c3ba9c8ebb51f776a45ca158e3d2c546860f (patch) | |
tree | e82982981c0cefe92245a3c05e6732b425157f3b /hacking | |
parent | 4f01a323a0516a54aeb6745c22506d6b2fff22b0 (diff) | |
download | ansible-0ed1c3ba9c8ebb51f776a45ca158e3d2c546860f.tar.gz |
Split up testing IAM policies and automate creating them (#26223)
* Split up testing IAM policies and automate creating them
Move to managed policies to avoid the 5KB limit on policies
for an IAM entity.
The policy file is templated, so need to make sure that there
is an easy mechanism to populate the templates and push the
new policies.
* Update IAM policies for ec2_scaling_policy tests
* Fix RouteTable policies
DescribeRouteTable should be plural
ModifyRouteTable does not exist, but ReplaceRouteTableAssociation
does.
* Some IAM policies do not allow specified Resources
Various IAM policies do not allow Resources
to be specified and should just use `*`. This differs
per service
* [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources)
* [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions)
* [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html)
* [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)
* Finish fixing AWS IAM resource specifications for testing
Update Lambda and RDS policies
Diffstat (limited to 'hacking')
-rw-r--r-- | hacking/aws_config/setup-iam.yml | 51 | ||||
-rw-r--r-- | hacking/aws_config/testing-iam-policy.json.j2 | 246 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/autoscaling-policy.json | 33 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/ec2-policy.json | 51 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/ecr-policy.json | 28 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/elb-policy.json | 31 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/lambda-policy.json | 77 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/rds-policy.json | 51 | ||||
-rw-r--r-- | hacking/aws_config/testing_policies/s3-policy.json | 23 |
9 files changed, 345 insertions, 246 deletions
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml new file mode 100644 index 0000000000..4b53de945a --- /dev/null +++ b/hacking/aws_config/setup-iam.yml @@ -0,0 +1,51 @@ +# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv +# +# Creates IAM policies and associates them with iam_group. This group +# can then be associated with an appropriate user +# +# You can pass -e profile=boto_profile_name if you have a profile that +# you can use, otherwise use normal AWS methods (env variables, instance +# profile, etc) +# +# If you want to use a region other than us-east-1 (and only us-east-2 +# works with ansible-test), pass -e region=us-east-2 +# +# Requires 2.4 for iam_managed_policy and iam_group + +- hosts: localhost + connection: local + gather_facts: no + vars: + aws_region: "{{ region|default('us-east-1') }}" + + tasks: + - name: Check that required variables are set + fail: + msg: "You must set the iam_group variable" + when: iam_group is not defined + + - name: Get aws account ID + command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}" + changed_when: False + register: aws_account_command + + - name: Set aws_account_fact + set_fact: + aws_account: "{{ aws_account_command.stdout }}" + + + - name: Ensure Managed IAM policies exist + iam_managed_policy: + policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy" + policy: "{{ lookup('template', item) }}" + state: present + profile: "{{ profile|default(omit) }}" + with_fileglob: "testing_policies/*" + register: iam_managed_policies + + - name: Ensure IAM group exists and attach managed policies + iam_group: + name: "{{ iam_group }}" + state: present + managed_policy: "{{ iam_managed_policies | json_query('results[].policy.PolicyName') }}" + profile: "{{ profile|default(omit) }}" diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2 deleted file mode 100644 index d5534a41e8..0000000000 --- a/hacking/aws_config/testing-iam-policy.json.j2 +++ /dev/null @@ -1,246 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowDescribeAllEC2", - "Effect": "Allow", - "Action": [ - "ec2:Describe*" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "MiscPrivilegesNeededByEC2Tests", - "Effect": "Allow", - "Action": [ - "ec2:CreateKeyPair", - "ec2:CreateNatGateway", - "ec2:DeleteKeyPair", - "ec2:ImportKeyPair", - "ec2:RunInstances", - "ec2:CreateTags", - "ec2:TerminateInstances", - "ec2:AllocateAddress", - "ec2:AssociateAddress", - "ec2:DisassociateAddress", - "ec2:ReleaseAddress", - "ec2:CreateSubnet", - "ec2:CreateVpc", - "ec2:CreateRouteTable", - "ec2:ModifyRouteTable", - "ec2:DescribeRouteTable", - "ec2:AssociateRouteTable", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:CreateInternetGateway", - "ec2:AttachInternetGateway", - "ec2:DeleteNatGateway" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "AllowManageSecurityGroupsForSetup", - "Effect": "Allow", - "Action": [ - "ec2:DescribeSecurityGroups", - "ec2:CreateSecurityGroup", - "ec2:RevokeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*" - ] - }, - { - "Sid": "AllowAutoscaling", - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:CreateLaunchConfiguration", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteLaunchConfiguration" - ], - "Resource": [ - "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "AllowReadAllLoadBalancers", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeInstanceHealth" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*" - ] - }, - { - "Sid": "AllowManagementofOwnLoadBalancers", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", - "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DescribeInstanceHealth" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*" - ] - }, - { - "Sid": "AllowCodeRepositories", - "Effect": "Allow", - "Action": [ - "ecr:DescribeRepositories", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:SetRepositoryPolicy", - "ecr:DeleteRepository", - "ecr:DeleteRepositoryPolicy", - "ecr:DeleteRepositoryPolicy" - ], - "Resource": [ - "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*" - ] - }, - { - "Sid": "AllowOldRDSModule", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBInstances", - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:DeleteDBInstance" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" - ] - }, - { - "Sid": "AllowRDSModuleCompatibilityTests", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBInstances", - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:ListTagsForResource", - "rds:DeleteDBInstance" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" - ] - }, - { - "Sid": "AllowRDSInstanceManageOwnInstance", - "Effect": "Allow", - "Action": [ - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:ListTagsForResource", - "rds:DescribeDBInstances" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" - ] - }, - { - "Sid": "AllowRDSSnapshotManageSnapshots", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBSnapshots", - "rds:DescribeDBInstances", - "rds:DescribeDBSnapshots", - "rds:DeleteDBInstance", - "rds:CreateDBSnapshot", - "rds:DeleteDBSnapshot", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:CreateDBInstanceReadReplica" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*", - "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*", - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" - ] - }, - { - "Sid": "AlowS3AnsibleTestBuckets", - "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteBucket", - "s3:DeleteObject" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::ansible_test_*", - "arn:aws:s3:::ansible_test_*/*" - ] - }, - { - "Sid": "AllowApiGateway", - "Effect": "Allow", - "Action": [ - "apigateway:*" - ], - "Resource": [ - "arn:aws:apigateway:us-east-1::*" - ] - }, - { - "Sid": "AllowGetUserForLambdaCreation", - "Effect": "Allow", - "Action": [ - "iam:GetUser" - ], - "Resource": [ - "arn:aws:iam::459030870916:user/ansible_integration_tests" - ] - }, - { - "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight", - "Effect": "Allow", - "Action": [ - "lambda:*" - ], - "Resource": [ - "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*" - ] - }, - { - "Sid": "AllowLambdaRoleManagement", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": [ - "arn:aws:iam::459030870916:role/ansible_lambda_role" - ] - } - ] -} diff --git a/hacking/aws_config/testing_policies/autoscaling-policy.json b/hacking/aws_config/testing_policies/autoscaling-policy.json new file mode 100644 index 0000000000..650b9eda13 --- /dev/null +++ b/hacking/aws_config/testing_policies/autoscaling-policy.json @@ -0,0 +1,33 @@ +{# Not all Autoscaling API Actions allow specified resources #} +{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeAutoscaling", + "Effect": "Allow", + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribePolicies" + ], + "Resource": "*" + }, + { + "Sid": "AllowAutoscaling", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateLaunchConfiguration", + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:DeleteLaunchConfiguration", + "autoscaling:PutScalingPolicy", + "autoscaling:DeletePolicy" + ], + "Resource": [ + "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json new file mode 100644 index 0000000000..099e78b159 --- /dev/null +++ b/hacking/aws_config/testing_policies/ec2-policy.json @@ -0,0 +1,51 @@ +{# Note that not all EC2 API Actions allow a specific resource #} +{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowUnspecifiedEC2Resource", + "Effect": "Allow", + "Action": [ + "ec2:AllocateAddress", + "ec2:AssociateAddress", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:CreateInternetGateway", + "ec2:CreateKeyPair", + "ec2:CreateNatGateway", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateVpc", + "ec2:DeleteKeyPair", + "ec2:DeleteNatGateway", + "ec2:Describe*", + "ec2:DisassociateAddress", + "ec2:DisassociateRouteTable", + "ec2:ImportKeyPair", + "ec2:ModifyVpcAttribute", + "ec2:ReleaseAddress", + "ec2:ReplaceRouteTableAssociation" + ], + "Resource": "*" + }, + { + "Sid": "AllowSpecifiedEC2Resource", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateTags", + "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ec2:RunInstances", + "ec2:TerminateInstances" + ], + "Resource": [ + "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/ecr-policy.json b/hacking/aws_config/testing_policies/ecr-policy.json new file mode 100644 index 0000000000..db8204a302 --- /dev/null +++ b/hacking/aws_config/testing_policies/ecr-policy.json @@ -0,0 +1,28 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "UnspecifiedCodeRepositories", + "Effect": "Allow", + "Action": [ + "ecr:DescribeRepositories", + "ecr:CreateRepository" + ], + "Resource": "*" + }, + { + "Sid": "SpecifiedCodeRepositories", + "Effect": "Allow", + "Action": [ + "ecr:GetRepositoryPolicy", + "ecr:SetRepositoryPolicy", + "ecr:DeleteRepository", + "ecr:DeleteRepositoryPolicy", + "ecr:DeleteRepositoryPolicy" + ], + "Resource": [ + "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/elb-policy.json b/hacking/aws_config/testing_policies/elb-policy.json new file mode 100644 index 0000000000..6a844e909f --- /dev/null +++ b/hacking/aws_config/testing_policies/elb-policy.json @@ -0,0 +1,31 @@ +{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #} +{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #} +{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowLoadBalancerOperations", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DescribeInstanceHealth", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", + "elasticloadbalancing:DescribeLoadBalancerTags", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer" + ], + "Resource": "*" + } + ] +} diff --git a/hacking/aws_config/testing_policies/lambda-policy.json b/hacking/aws_config/testing_policies/lambda-policy.json new file mode 100644 index 0000000000..c03f1b1ab3 --- /dev/null +++ b/hacking/aws_config/testing_policies/lambda-policy.json @@ -0,0 +1,77 @@ +{# Only certain lambda actions can be restricted to a specific resource #} +{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowApiGateway", + "Effect": "Allow", + "Action": [ + "apigateway:*" + ], + "Resource": [ + "arn:aws:apigateway:{{aws_region}}::/*" + ] + }, + { + "Sid": "AllowGetUserForLambdaCreation", + "Effect": "Allow", + "Action": [ + "iam:GetUser" + ], + "Resource": [ + "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests" + ] + }, + { + "Sid": "AllowLambdaManagementWithoutResource", + "Effect": "Allow", + "Action": [ + "lambda:CreateEventSourceMapping", + "lambda:GetAccountSettings", + "lambda:GetEventSourceMapping", + "lambda:ListEventSourceMappings", + "lambda:ListFunctions", + "lambda:ListTags", + "lambda:TagResource", + "lambda:UntagResource" + ], + "Resource": "*" + }, + { + "Sid": "AllowLambdaManagementWithResource", + "Effect": "Allow", + "Action": [ + "lambda:AddPermission", + "lambda:CreateAlias", + "lambda:CreateFunction", + "lambda:DeleteAlias", + "lambda:DeleteFunction", + "lambda:GetAlias", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "lambda:GetPolicy", + "lambda:InvokeFunction", + "lambda:ListAliases", + "lambda:ListVersionsByFunction", + "lambda:PublishVersion", + "lambda:RemovePermission", + "lambda:UpdateAlias", + "lambda:UpdateEventSourceMapping", + "lambda:UpdateFunctionCode", + "lambda:UpdateFunctionConfiguration" + ], + "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*" + }, + { + "Sid": "AllowLambdaRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/rds-policy.json b/hacking/aws_config/testing_policies/rds-policy.json new file mode 100644 index 0000000000..6284bd56e2 --- /dev/null +++ b/hacking/aws_config/testing_policies/rds-policy.json @@ -0,0 +1,51 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowRDSModuleTests", + "Effect": "Allow", + "Action": [ + "rds:DescribeDBInstances", + "rds:CreateDBInstance", + "rds:ModifyDBInstance", + "rds:ListTagsForResource", + "rds:DeleteDBInstance" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" + ] + }, + { + "Sid": "AllowRDSInstanceManageOwnInstance", + "Effect": "Allow", + "Action": [ + "rds:CreateDBInstance", + "rds:ModifyDBInstance", + "rds:ListTagsForResource", + "rds:DescribeDBInstances" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" + ] + }, + { + "Sid": "AllowRDSSnapshotManageSnapshots", + "Effect": "Allow", + "Action": [ + "rds:DescribeDBSnapshots", + "rds:DescribeDBInstances", + "rds:DescribeDBSnapshots", + "rds:DeleteDBInstance", + "rds:CreateDBSnapshot", + "rds:DeleteDBSnapshot", + "rds:RestoreDBInstanceFromDBSnapshot", + "rds:CreateDBInstanceReadReplica" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*", + "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*", + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/s3-policy.json b/hacking/aws_config/testing_policies/s3-policy.json new file mode 100644 index 0000000000..88b50d0a4e --- /dev/null +++ b/hacking/aws_config/testing_policies/s3-policy.json @@ -0,0 +1,23 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AlowS3AnsibleTestBuckets", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:PutBucketAcl", + "s3:CreateBucket", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteBucket", + "s3:DeleteObject" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::ansible_test_*", + "arn:aws:s3:::ansible_test_*/*" + ] + } + ] +} |