authorWill Thames <will@thames.id.au>2017-07-14 14:50:55 +1000
committerGitHub <noreply@github.com>2017-07-14 14:50:55 +1000
commit0ed1c3ba9c8ebb51f776a45ca158e3d2c546860f (patch)
treee82982981c0cefe92245a3c05e6732b425157f3b /hacking
parent4f01a323a0516a54aeb6745c22506d6b2fff22b0 (diff)
downloadansible-0ed1c3ba9c8ebb51f776a45ca158e3d2c546860f.tar.gz
Split up testing IAM policies and automate creating them (#26223)
* Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
Diffstat (limited to 'hacking')
-rw-r--r--hacking/aws_config/setup-iam.yml51
-rw-r--r--hacking/aws_config/testing-iam-policy.json.j2246
-rw-r--r--hacking/aws_config/testing_policies/autoscaling-policy.json33
-rw-r--r--hacking/aws_config/testing_policies/ec2-policy.json51
-rw-r--r--hacking/aws_config/testing_policies/ecr-policy.json28
-rw-r--r--hacking/aws_config/testing_policies/elb-policy.json31
-rw-r--r--hacking/aws_config/testing_policies/lambda-policy.json77
-rw-r--r--hacking/aws_config/testing_policies/rds-policy.json51
-rw-r--r--hacking/aws_config/testing_policies/s3-policy.json23
9 files changed, 345 insertions, 246 deletions
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
new file mode 100644
index 0000000000..4b53de945a
--- /dev/null
+++ b/hacking/aws_config/setup-iam.yml
@@ -0,0 +1,51 @@
+# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv
+#
+# Creates IAM policies and associates them with iam_group. This group
+# can then be associated with an appropriate user
+#
+# You can pass -e profile=boto_profile_name if you have a profile that
+# you can use, otherwise use normal AWS methods (env variables, instance
+# profile, etc)
+#
+# If you want to use a region other than us-east-1 (and only us-east-2
+# works with ansible-test), pass -e region=us-east-2
+#
+# Requires 2.4 for iam_managed_policy and iam_group
+
+- hosts: localhost
+ connection: local
+ gather_facts: no
+ vars:
+ aws_region: "{{ region|default('us-east-1') }}"
+
+ tasks:
+ - name: Check that required variables are set
+ fail:
+ msg: "You must set the iam_group variable"
+ when: iam_group is not defined
+
+ - name: Get aws account ID
+ command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}"
+ changed_when: False
+ register: aws_account_command
+
+ - name: Set aws_account_fact
+ set_fact:
+ aws_account: "{{ aws_account_command.stdout }}"
+
+
+ - name: Ensure Managed IAM policies exist
+ iam_managed_policy:
+ policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy"
+ policy: "{{ lookup('template', item) }}"
+ state: present
+ profile: "{{ profile|default(omit) }}"
+ with_fileglob: "testing_policies/*"
+ register: iam_managed_policies
+
+ - name: Ensure IAM group exists and attach managed policies
+ iam_group:
+ name: "{{ iam_group }}"
+ state: present
+ managed_policy: "{{ iam_managed_policies | json_query('results[].policy.PolicyName') }}"
+ profile: "{{ profile|default(omit) }}"
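Review bot: The `--profile` handling on the `Get aws account ID` task does not match the `profile|default(omit)` used by the two IAM tasks below: `'--profile=' ~ profile if profile else ''` tests the truthiness of an undefined variable, which under Ansible's default undefined handling looks like it will raise rather than fall through, and even when it does fall through the CLI is still handed a bare `''` positional argument. Treat the variable as optional in the same way, e.g. `command: "aws sts get-caller-identity --output text --query Account{{ (' --profile=' ~ profile) if profile is defined else '' }}"`. A smaller point: `with_fileglob: "testing_policies/*"` renders every file in that directory, so a stray editor backup or swap file would be turned into a managed policy and attached to the group; `with_fileglob: "testing_policies/*.json"` limits it to the intended inputs.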
diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2
deleted file mode 100644
index d5534a41e8..0000000000
--- a/hacking/aws_config/testing-iam-policy.json.j2
+++ /dev/null
@@ -1,246 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowDescribeAllEC2",
- "Effect": "Allow",
- "Action": [
- "ec2:Describe*"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "MiscPrivilegesNeededByEC2Tests",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateKeyPair",
- "ec2:CreateNatGateway",
- "ec2:DeleteKeyPair",
- "ec2:ImportKeyPair",
- "ec2:RunInstances",
- "ec2:CreateTags",
- "ec2:TerminateInstances",
- "ec2:AllocateAddress",
- "ec2:AssociateAddress",
- "ec2:DisassociateAddress",
- "ec2:ReleaseAddress",
- "ec2:CreateSubnet",
- "ec2:CreateVpc",
- "ec2:CreateRouteTable",
- "ec2:ModifyRouteTable",
- "ec2:DescribeRouteTable",
- "ec2:AssociateRouteTable",
- "ec2:DisassociateRouteTable",
- "ec2:ModifyVpcAttribute",
- "ec2:CreateInternetGateway",
- "ec2:AttachInternetGateway",
- "ec2:DeleteNatGateway"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "AllowManageSecurityGroupsForSetup",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeSecurityGroups",
- "ec2:CreateSecurityGroup",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
- ]
- },
- {
- "Sid": "AllowAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:CreateLaunchConfiguration",
- "autoscaling:CreateAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:DeleteAutoScalingGroup",
- "autoscaling:DeleteLaunchConfiguration"
- ],
- "Resource": [
- "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "AllowReadAllLoadBalancers",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeInstanceHealth"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
- ]
- },
- {
- "Sid": "AllowManagementofOwnLoadBalancers",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:DescribeInstanceHealth"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
- ]
- },
- {
- "Sid": "AllowCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository",
- "ecr:DescribeRepositories",
- "ecr:GetRepositoryPolicy",
- "ecr:DescribeRepositories",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- },
- {
- "Sid": "AllowOldRDSModule",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:DeleteDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
- ]
- },
- {
- "Sid": "AllowRDSModuleCompatibilityTests",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:ListTagsForResource",
- "rds:DeleteDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
- ]
- },
- {
- "Sid": "AllowRDSInstanceManageOwnInstance",
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:ListTagsForResource",
- "rds:DescribeDBInstances"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
- ]
- },
- {
- "Sid": "AllowRDSSnapshotManageSnapshots",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBSnapshots",
- "rds:DescribeDBInstances",
- "rds:DescribeDBSnapshots",
- "rds:DeleteDBInstance",
- "rds:CreateDBSnapshot",
- "rds:DeleteDBSnapshot",
- "rds:RestoreDBInstanceFromDBSnapshot",
- "rds:CreateDBInstanceReadReplica"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
- ]
- },
- {
- "Sid": "AlowS3AnsibleTestBuckets",
- "Action": [
- "s3:GetObject",
- "s3:ListBucket",
- "s3:PutBucketAcl",
- "s3:CreateBucket",
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteBucket",
- "s3:DeleteObject"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:s3:::ansible_test_*",
- "arn:aws:s3:::ansible_test_*/*"
- ]
- },
- {
- "Sid": "AllowApiGateway",
- "Effect": "Allow",
- "Action": [
- "apigateway:*"
- ],
- "Resource": [
- "arn:aws:apigateway:us-east-1::*"
- ]
- },
- {
- "Sid": "AllowGetUserForLambdaCreation",
- "Effect": "Allow",
- "Action": [
- "iam:GetUser"
- ],
- "Resource": [
- "arn:aws:iam::459030870916:user/ansible_integration_tests"
- ]
- },
- {
- "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
- "Effect": "Allow",
- "Action": [
- "lambda:*"
- ],
- "Resource": [
- "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
- ]
- },
- {
- "Sid": "AllowLambdaRoleManagement",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:aws:iam::459030870916:role/ansible_lambda_role"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/autoscaling-policy.json b/hacking/aws_config/testing_policies/autoscaling-policy.json
new file mode 100644
index 0000000000..650b9eda13
--- /dev/null
+++ b/hacking/aws_config/testing_policies/autoscaling-policy.json
@@ -0,0 +1,33 @@
+{# Not all Autoscaling API Actions allow specified resources #}
+{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DescribeAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribePolicies"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration",
+ "autoscaling:PutScalingPolicy",
+ "autoscaling:DeletePolicy"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ }
+ ]
+}
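Review bot: The file carries a `.json` extension but opens with Jinja `{# … #}` comments, so it is not valid JSON until `lookup('template', …)` renders it, and any JSON linter or editor validation on the directory will reject it; the same applies to ec2-policy.json, elb-policy.json and lambda-policy.json. The deleted template used `.json.j2`, which makes the templating explicit, and the fileglob in setup-iam.yml would still pick the files up. If the extension is kept, a short note in the playbook header saying the policy files are Jinja templates would at least explain the comments to the next reader.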
diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json
new file mode 100644
index 0000000000..099e78b159
--- /dev/null
+++ b/hacking/aws_config/testing_policies/ec2-policy.json
@@ -0,0 +1,51 @@
+{# Note that not all EC2 API Actions allow a specific resource #}
+{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowUnspecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:DeleteKeyPair",
+ "ec2:DeleteNatGateway",
+ "ec2:Describe*",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:ImportKeyPair",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:ReplaceRouteTableAssociation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowSpecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateTags",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ }
+ ]
+}
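Review bot: `ec2:RunInstances` in the `AllowSpecifiedEC2Resource` statement is scoped only to `arn:aws:ec2:{{aws_region}}:{{aws_account}}:*`, but RunInstances is also evaluated against the AMI, whose ARN has no account component (`arn:aws:ec2:region::image/ami-…`), so that pattern does not match it and launches from public AMIs are likely to be denied with UnauthorizedOperation. Adding `"arn:aws:ec2:{{aws_region}}::image/*"` to that statement's Resource list keeps the account scoping for instances, key pairs and security groups while allowing the image. The `ec2:Describe*` entry in the unscoped statement is fine as written since the Describe actions do not support resource-level permissions.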
diff --git a/hacking/aws_config/testing_policies/ecr-policy.json b/hacking/aws_config/testing_policies/ecr-policy.json
new file mode 100644
index 0000000000..db8204a302
--- /dev/null
+++ b/hacking/aws_config/testing_policies/ecr-policy.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "UnspecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "SpecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetRepositoryPolicy",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ }
+ ]
+}
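Review bot: `ecr:DeleteRepositoryPolicy` appears twice in the `SpecifiedCodeRepositories` action list (the second entry is carried over from the deleted template); IAM tolerates the duplicate but it reads as if a different action was intended. Drop the second `"ecr:DeleteRepositoryPolicy"` line. Scoping the mutating actions to `repository/ansible-*` while leaving only Describe/Create unscoped is the right shape for this policy.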
diff --git a/hacking/aws_config/testing_policies/elb-policy.json b/hacking/aws_config/testing_policies/elb-policy.json
new file mode 100644
index 0000000000..6a844e909f
--- /dev/null
+++ b/hacking/aws_config/testing_policies/elb-policy.json
@@ -0,0 +1,31 @@
+{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
+{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
+{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowLoadBalancerOperations",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+ "elasticloadbalancing:DescribeLoadBalancerTags",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
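Review bot: Every action in `AllowLoadBalancerOperations`, including `DeleteLoadBalancer`, now has `"Resource": "*"`, whereas the deleted template confined the mutating actions to `loadbalancer/ansible-testing-*`; with this policy the test group can delete or reconfigure any load balancer in the account. The header comment justifies this with the v2 API, but most of the actions listed here (ConfigureHealthCheck, CreateLoadBalancerListeners, RegisterInstancesWithLoadBalancer, …) are classic-ELB-only and, per that same comment, do support resource-level permissions; only the shared actions such as CreateLoadBalancer/DeleteLoadBalancer/DescribeLoadBalancers need the wildcard. I would keep the name-scoped statement for the classic-only mutating actions and a separate `"Resource": "*"` statement for the shared and Describe actions, and state in the header that the remaining wildcard is a known least-privilege gap for a dedicated test account. Separately, the comment on the second line has an unclosed parenthesis after `Application Load Balancer functionality`.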
diff --git a/hacking/aws_config/testing_policies/lambda-policy.json b/hacking/aws_config/testing_policies/lambda-policy.json
new file mode 100644
index 0000000000..c03f1b1ab3
--- /dev/null
+++ b/hacking/aws_config/testing_policies/lambda-policy.json
@@ -0,0 +1,77 @@
+{# Only certain lambda actions can be restricted to a specific resource #}
+{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:{{aws_region}}::/*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementWithoutResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:CreateEventSourceMapping",
+ "lambda:GetAccountSettings",
+ "lambda:GetEventSourceMapping",
+ "lambda:ListEventSourceMappings",
+ "lambda:ListFunctions",
+ "lambda:ListTags",
+ "lambda:TagResource",
+ "lambda:UntagResource"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowLambdaManagementWithResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateAlias",
+ "lambda:CreateFunction",
+ "lambda:DeleteAlias",
+ "lambda:DeleteFunction",
+ "lambda:GetAlias",
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:GetPolicy",
+ "lambda:InvokeFunction",
+ "lambda:ListAliases",
+ "lambda:ListVersionsByFunction",
+ "lambda:PublishVersion",
+ "lambda:RemovePermission",
+ "lambda:UpdateAlias",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
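Review bot: `AllowGetUserForLambdaCreation` hard-codes the user name `ansible_integration_tests`, but setup-iam.yml only creates a group and says it "can then be associated with an appropriate user", so any other user attached to the group will fail the GetUser call. Using the IAM policy variable, `"arn:aws:iam::{{aws_account}}:user/${aws:username}"`, grants each attached user GetUser on itself only and removes the coupling. `apigateway:*` on `arn:aws:apigateway:{{aws_region}}::/*` also covers every API in the region rather than the test APIs; if the tests use a predictable name or path prefix it would be worth narrowing, and otherwise a comment recording why the wildcard is needed helps the next reviewer.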
diff --git a/hacking/aws_config/testing_policies/rds-policy.json b/hacking/aws_config/testing_policies/rds-policy.json
new file mode 100644
index 0000000000..6284bd56e2
--- /dev/null
+++ b/hacking/aws_config/testing_policies/rds-policy.json
@@ -0,0 +1,51 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowRDSModuleTests",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSSnapshotManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBSnapshots",
+ "rds:DeleteDBInstance",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:CreateDBInstanceReadReplica"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ }
+ ]
+}
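Review bot: `rds:DescribeDBSnapshots` is listed twice in `AllowRDSSnapshotManageSnapshots` (lines 3 and 5 of that action list, carried over from the deleted template); remove the second `"rds:DescribeDBSnapshots"` entry. The rest of the file is unchanged from the old template apart from merging the two overlapping `ansible-testing*` statements, which is a sensible cleanup.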
diff --git a/hacking/aws_config/testing_policies/s3-policy.json b/hacking/aws_config/testing_policies/s3-policy.json
new file mode 100644
index 0000000000..88b50d0a4e
--- /dev/null
+++ b/hacking/aws_config/testing_policies/s3-policy.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AlowS3AnsibleTestBuckets",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutBucketAcl",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::ansible_test_*",
+ "arn:aws:s3:::ansible_test_*/*"
+ ]
+ }
+ ]
+}
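Review bot: The Sid `AlowS3AnsibleTestBuckets` is misspelled (carried over from the deleted template); `AllowS3AnsibleTestBuckets` keeps it consistent with the other `Allow…` Sids in this commit. The bucket pattern `ansible_test_*` contains underscores, which as far as I recall are only accepted for legacy-style bucket names in us-east-1, so this policy implicitly ties the tests to that region even though setup-iam.yml lets the caller pass `region=us-east-2`; if the tests do create buckets with that prefix a note in the playbook header would make the constraint explicit. `s3:PutBucketAcl` and `s3:PutObjectAcl` also allow the test user to make those buckets and objects public, which is worth a comment stating that the tests require it.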