cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity
ansible/hacking/aws_config/testing_policies/ec2-policy.json

67 lines
2.4 KiB
JSON
Raw Normal View History

Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUnspecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:CreateImage",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:CreateSnapshot",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:CreateSubnet",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:CreateTags",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:CreateVpc",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
ec2_group: add rule description support - fixes #29040 (#30273) * ec2_group: add support for rule descriptions. * Document rule description feature and add an example using it. * Fix removing rule descriptions. * Add integration tests to verify adding/modifying/removing rule descriptions works as expected. * Add permissions to hacking/aws_config/testing_policies/ec2-policy.json for updating ingress and egress rule descriptions. * ec2_group: add backwards compatibility with older versions of botocore for rule descriptions. * Add compatibility with older version of botocore for ec2_group integration tests. * ec2_group: move HAS_RULE_DESCRIPTION to be checked first. * Make requested change * Pass around a variable instead of client * Make sure has_rule_description defaults to None * Fail if rule_desc is in any ingress/egress rules and the the botocore version < 1.7.2 * Remove unnecessary variable * Fix indentation for changed=True when updating rule descriptions. * minor refactor to remove duplicate code * add missing parameter * Fix pep8 * Update test policy.
2017-10-25 03:18:56 +02:00
"ec2:DeleteTags",
[cloud] fix VPC behavior for ec2_group module, improve integration tests (#27038) * Add tests for group in a VPC * Improve ec2_group output and documentation Update ec2_group to provide full security group information Add RETURN documentation to match * Fix ec2_group creation within a VPC Ensure VPC ID gets passed when creating security group * Add test for auto creating SG * Fix ec2_group auto group creation * Add backoff to describe_security_groups Getting LimitExceeded from describe_security_groups is definitely possible (source: me) so add backoff to increase likelihood of success. To ensure that all `describe_security_group` calls are backed off, remove implicit ones that use `ec2.SecurityGroup`. From there, the decision to remove the `ec2` boto3 resource and rely on the client alone makes good sense. * Tidy up auto created security group Add resource_prefix to auto created security group and delete it in the `always` section. Use YAML argument form for all module parameters
2017-08-01 12:53:43 +02:00
"ec2:DeleteVpc",
[cloud] Add retries/backoff to ec2_vpc_subnet module (#31870) * Allow backoff for describe_subnets Improve exception handling to latest standards * Add integration test suite for ec2_vpc_subnet * Add test for creating subnet without AZ Fix bug identified by test Fixes #31905
2017-11-16 19:09:42 +01:00
"ec2:DeleteTags",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:DeregisterImage",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:Describe*",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ImportKeyPair",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:ModifyImageAttribute",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:ModifyVpcAttribute",
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"ec2:RegisterImage",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation"
],
"Resource": "*"
},
{
"Sid": "AllowSpecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
Use Boto3 for ec2_group Fixes #23507 (#25340) * Use Boto3 for ec2_group Currently boto doesn't support ipv6. To support ipv6 in ec2_group, we need boto3. boto3 has significant API changes, which caused more re-factoring for ec2_group module. Added additional integration test to test_ec2_group role. * Follow the standard for boto3 ansible Fixed imports. Use boto3 ansible exception with camel_dict_to_snake_dict. Refactored the call to authorize/revoke ingress and egress. * Removed dependancy with module ipaddress Added new parameter called cidr_ipv6 for specifying ipv6 addresses inline with how boto3 handles ipv6 addresses. * Updated integration test * Added ipv6 integration test for ec2_group * Set purge_rules to false for integration test * Fixed import statements Added example for ipv6. Removed defining HAS_BOTO3 variable and import HAS_BOTO3 from ec2. Cleaned up import statements. * Fixed exception handling * Add IAM permissions for ec2_group tests Missing AuthorizeSecurityGroupEgress necessary for latest tests * Wrapped botocore import in try/except block Import just botocore to be more similar to other modules
2017-07-17 04:03:31 +02:00
"ec2:AuthorizeSecurityGroupEgress",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"ec2:CreateTags",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
ec2_group: add rule description support - fixes #29040 (#30273) * ec2_group: add support for rule descriptions. * Document rule description feature and add an example using it. * Fix removing rule descriptions. * Add integration tests to verify adding/modifying/removing rule descriptions works as expected. * Add permissions to hacking/aws_config/testing_policies/ec2-policy.json for updating ingress and egress rule descriptions. * ec2_group: add backwards compatibility with older versions of botocore for rule descriptions. * Add compatibility with older version of botocore for ec2_group integration tests. * ec2_group: move HAS_RULE_DESCRIPTION to be checked first. * Make requested change * Pass around a variable instead of client * Make sure has_rule_description defaults to None * Fail if rule_desc is in any ingress/egress rules and the the botocore version < 1.7.2 * Remove unnecessary variable * Fix indentation for changed=True when updating rule descriptions. * minor refactor to remove duplicate code * add missing parameter * Fix pep8 * Update test policy.
2017-10-25 03:18:56 +02:00
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
],
"Resource": [
Allow AWS image and snapshot creation/deletion Provide all necessary permissions for AMI tests Allow tests to run in us-east-2 Ensure `always` section gets used Update tests to ensure that cleanup works better, and add deletion idempotency test
2017-09-20 07:53:15 +02:00
"arn:aws:ec2:{{aws_region}}::image/*",
Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies
2017-07-14 06:50:55 +02:00
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
}
]
}
Reference in a new issue Copy permalink