authorWill Thames <will@thames.id.au>2019-07-05 05:25:19 +1000
committerSloane Hertel <shertel@redhat.com>2019-07-04 15:25:19 -0400
commit60fb9fc208adebdc10c8a0f5ff1b3d61f8d6516d (patch)
treea8480436f2afb09710954aaf2b55a6f15c85de54 /hacking
parent6cf722fed663051ae04786fe3cdc810aa75cd192 (diff)
downloadansible-60fb9fc208adebdc10c8a0f5ff1b3d61f8d6516d.tar.gz
Fix EC2 test suite to work with testing policies (#44387)
* Update testing policies to ensure all required permissions are present * Tidy up security policies to reduce duplicate permissions * Make roles static so that they can be present before CI is run, meaning that role creation permission is not required by the CI itself, only by someone setting up the roles prior to testing * Move the contents of the cloudfront policy into the network policy to ensure the policy count (maximum of 10) stays low * Keep the compute policy below 6144 bytes
Diffstat (limited to 'hacking')
-rw-r--r--hacking/aws_config/setup-iam.yml1
-rw-r--r--hacking/aws_config/testing_policies/cloudfront-policy.json29
-rw-r--r--hacking/aws_config/testing_policies/compute-policy.json16
-rw-r--r--hacking/aws_config/testing_policies/container-policy.json1
-rw-r--r--hacking/aws_config/testing_policies/database-policy.json11
-rw-r--r--hacking/aws_config/testing_policies/iam-policy.json17
-rw-r--r--hacking/aws_config/testing_policies/network-policy.json24
-rw-r--r--hacking/aws_config/testing_policies/security-policy.json41
8 files changed, 51 insertions, 89 deletions
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
index 2740142959..9dfaca53c9 100644
--- a/hacking/aws_config/setup-iam.yml
+++ b/hacking/aws_config/setup-iam.yml
@@ -52,3 +52,4 @@
state: present
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
profile: "{{ profile|default(omit) }}"
+ purge_policy: yes
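Review bot: The added `purge_policy: yes` detaches every managed policy that is not in the list produced by the `iam_managed_policies` query, which is the right least-privilege default but is destructive if that registered result is ever partial, and the task it belongs to starts outside the hunk, so a comment would help the next maintainer: `# Detach any managed policy not generated from testing_policies/ so stale grants cannot linger on the CI principal`. Purging only detaches: the customer-managed policies presumably created earlier from the now-deleted cloudfront-policy.json and iam-policy.json remain in the account as orphans unless something else deletes them, which is worth noting in the play or the README.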
diff --git a/hacking/aws_config/testing_policies/cloudfront-policy.json b/hacking/aws_config/testing_policies/cloudfront-policy.json
deleted file mode 100644
index 057cb586d6..0000000000
--- a/hacking/aws_config/testing_policies/cloudfront-policy.json
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowCloudfrontUsage",
- "Effect": "Allow",
- "Action": [
- "cloudfront:CreateDistribution",
- "cloudfront:CreateDistributionWithTags",
- "cloudfront:CreateCloudFrontOriginAccessIdentity",
- "cloudfront:DeleteDistribution",
- "cloudfront:GetDistribution",
- "cloudfront:GetStreamingDistribution",
- "cloudfront:GetDistributionConfig",
- "cloudfront:GetStreamingDistributionConfig",
- "cloudfront:GetInvalidation",
- "cloudfront:ListDistributions",
- "cloudfront:ListDistributionsByWebACLId",
- "cloudfront:ListInvalidations",
- "cloudfront:ListStreamingDistributions",
- "cloudfront:ListTagsForResource",
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:UpdateDistribution"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
index 123843b3dd..a17850a4d0 100644
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@@ -43,6 +43,7 @@
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
+ "ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
@@ -50,6 +51,7 @@
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
+ "ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
@@ -64,6 +66,7 @@
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
+ "ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
@@ -87,6 +90,7 @@
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation",
+ "ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReportInstanceStatus"
],
"Resource": "*"
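Review bot: `ec2:ReplaceIamInstanceProfileAssociation` is added to a statement whose `Resource` is `"*"`, so together with the `iam:PassRole` grants in security-policy.json the CI principal can swap the instance profile of any instance in the account, not only the ones the tests launch; that is a lateral-movement primitive if this account ever hosts a non-test instance. The action takes the instance ARN as its resource, so it is safer in its own statement scoped to `"Resource": "arn:aws:ec2:*:{{aws_account}}:instance/*"` with `"Condition": {"StringLike": {"ec2:ResourceTag/Name": "ansible-test-*"}}`, mirroring the `ansible-test-*` prefix the role ARNs already use. The other additions in this file (`AttachVolume`, `CreateNetworkInterface`, `DeleteNetworkInterface`) are ordinary lifecycle calls and look fine in the wildcard statement.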
@@ -135,10 +139,7 @@
"elasticloadbalancing:DeleteTargetGroup",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
- "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DescribeLoadBalancer*",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
@@ -177,9 +178,7 @@
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
- "lambda:ListEventSourceMappings",
- "lambda:ListFunctions",
- "lambda:ListTags",
+ "lambda:List*",
"lambda:TagResource",
"lambda:UntagResource"
],
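Review bot: Collapsing the three list calls into `lambda:List*` is read-only and fine for the byte budget, but the later hunk in this file also drops `lambda:ListAliases` and `lambda:ListVersionsByFunction` from the function-scoped statement and now relies on this wildcard, whose `Resource` line lies outside the hunk. If this statement is `"*"`, alias and version enumeration quietly widens from the named functions to every function in the account; worth confirming that is intended before the trim, since IAM gives no way to leave a comment in the policy recording the reason.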
@@ -199,8 +198,6 @@
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
- "lambda:ListAliases",
- "lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
@@ -219,6 +216,7 @@
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
+ "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
diff --git a/hacking/aws_config/testing_policies/container-policy.json b/hacking/aws_config/testing_policies/container-policy.json
index d14deacf84..1a6641f36b 100644
--- a/hacking/aws_config/testing_policies/container-policy.json
+++ b/hacking/aws_config/testing_policies/container-policy.json
@@ -46,6 +46,7 @@
"ecs:StopTask",
"ecs:UpdateService",
"elasticloadbalancing:Describe*",
+ "iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
index 472e6206c0..f4c824ae21 100644
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
@@ -86,6 +86,17 @@
],
"Effect": "Allow",
"Resource": "*"
+ },
+ {
+ "Sid": "DMSEndpoints",
+ "Effect": "Allow",
+ "Action": [
+ "dms:CreateEndpoint",
+ "dms:DeleteEndpoint",
+ "dms:DescribeEndpoints",
+ "dms:ModifyEndpoint"
+ ],
+ "Resource": ["*"]
}
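Review bot: The new statement writes `"Resource": ["*"]` while the sibling statement directly above uses `"Resource": "*"`, and its Sid `DMSEndpoints` breaks the `Allow…` naming every other Sid in these policies follows; both forms are valid IAM, but the inconsistency makes the policy set harder to diff and audit. Suggest `"Sid": "AllowDMSEndpointUsage"` and `"Resource": "*"`. Note that `dms:DescribeEndpoints` returns the connection metadata (server, port, username) of every endpoint in the account, which matters if the account is ever shared with non-test workloads.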
]
}
diff --git a/hacking/aws_config/testing_policies/iam-policy.json b/hacking/aws_config/testing_policies/iam-policy.json
deleted file mode 100644
index 6105e40a92..0000000000
--- a/hacking/aws_config/testing_policies/iam-policy.json
+++ /dev/null
@@ -1,17 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowAccessToServerCertificates",
- "Effect": "Allow",
- "Action": [
- "iam:ListServerCertificates",
- "iam:UploadServerCertificate",
- "iam:UpdateServerCertificate",
- "iam:DeleteServerCertificate",
- "iam:GetServerCertificate"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/network-policy.json b/hacking/aws_config/testing_policies/network-policy.json
index d28115ee45..d5cb2d36ec 100644
--- a/hacking/aws_config/testing_policies/network-policy.json
+++ b/hacking/aws_config/testing_policies/network-policy.json
@@ -22,6 +22,30 @@
"ec2:DescribeTransitGateways"
],
"Resource": "*"
+ },
+ {
+ "Sid": "AllowCloudfrontUsage",
+ "Effect": "Allow",
+ "Action": [
+ "cloudfront:CreateDistribution",
+ "cloudfront:CreateDistributionWithTags",
+ "cloudfront:CreateCloudFrontOriginAccessIdentity",
+ "cloudfront:DeleteDistribution",
+ "cloudfront:GetDistribution",
+ "cloudfront:GetStreamingDistribution",
+ "cloudfront:GetDistributionConfig",
+ "cloudfront:GetStreamingDistributionConfig",
+ "cloudfront:GetInvalidation",
+ "cloudfront:ListDistributions",
+ "cloudfront:ListDistributionsByWebACLId",
+ "cloudfront:ListInvalidations",
+ "cloudfront:ListStreamingDistributions",
+ "cloudfront:ListTagsForResource",
+ "cloudfront:TagResource",
+ "cloudfront:UntagResource",
+ "cloudfront:UpdateDistribution"
+ ],
+ "Resource": "*"
}
]
}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index 2cb253bf4a..4b1f53e362 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -33,7 +33,9 @@
"iam:CreateRole",
"iam:DeleteRole",
"iam:DetachRolePolicy",
- "iam:PassRole"
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy",
+ "sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
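Review bot: Granting `iam:UpdateAssumeRolePolicy` and `sts:AssumeRole` on the same `ansible-test-*` pattern that this statement already lets the principal create lets the CI identity rewrite any test role's trust policy to trust itself and then assume it, so its effective privilege becomes the union of everything attached to those roles; the statement's action list begins above the hunk, so whether `iam:AttachRolePolicy` is still among them is not visible here. The usual containment is a permissions boundary: add `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-boundary"}}` to the `iam:CreateRole` grant (and the same key on any `iam:AttachRolePolicy`/`iam:PutRolePolicy`), so roles the tests create cannot exceed a fixed ceiling regardless of who can assume them. Without it the `ansible-test-*` scoping constrains names, not privilege.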
@@ -92,22 +94,6 @@
]
},
{
- "Sid": "AllowSTSAnsibleTests",
- "Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "sts:AssumeRole",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
- "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
- ]
- },
- {
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
@@ -132,26 +118,13 @@
"Resource": "*"
},
{
- "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:GetRole",
- "iam:PassRole",
- "iam:UpdateAssumeRolePolicy"
- ],
- "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
- },
- {
- "Sid": "AllowInstanceProfileCreation",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
+ "iam:ListServerCertificates",
+ "iam:UploadServerCertificate"
],
- "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+ "Resource": "*"
}
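Review bot: The renamed `AllowAccessToServerCertificates` statement grants `iam:UploadServerCertificate` on `"*"` but no `iam:DeleteServerCertificate`, whereas the deleted iam-policy.json also carried Delete, Update and Get, so a test that uploads a certificate now has no permitted way to clean it up and orphaned certificates with their private keys accumulate in IAM. Server certificates support resource-level ARNs, so suggest adding `"iam:DeleteServerCertificate"` and `"iam:GetServerCertificate"` with `"Resource": "arn:aws:iam::{{aws_account}}:server-certificate/ansible-test-*"` for the write actions, keeping `"*"` only for `ListServerCertificates`, which is not resource-scoped. If dropping the cleanup was deliberate, the uploaded certificates should at least carry the `ansible-test-` prefix so they can be swept separately.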
]
}