cloudtrail: Initial integration tests (#61919)
parent
40660e7f6e
commit
0239f70648
10 changed files with 1590 additions and 4 deletions
|
@ -46,6 +46,7 @@
|
||||||
"iam:DeleteRolePolicy",
|
"iam:DeleteRolePolicy",
|
||||||
"iam:DeleteRolePermissionsBoundary",
|
"iam:DeleteRolePermissionsBoundary",
|
||||||
"iam:DetachRolePolicy",
|
"iam:DetachRolePolicy",
|
||||||
|
"iam:PutRolePolicy",
|
||||||
"iam:PassRole",
|
"iam:PassRole",
|
||||||
"iam:PutRolePolicy",
|
"iam:PutRolePolicy",
|
||||||
"iam:PutRolePermissionsBoundary",
|
"iam:PutRolePermissionsBoundary",
|
||||||
|
@ -98,6 +99,28 @@
|
||||||
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
|
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
|
{
|
||||||
|
"Sid": "AllowModifyingCloudtrail",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": [
|
||||||
|
"cloudtrail:*"
|
||||||
|
],
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "AllowDescribingCloudtrails",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": [
|
||||||
|
"cloudtrail:DescribeTrails",
|
||||||
|
"cloudtrail:ListTags",
|
||||||
|
"cloudtrail:ListPublicKeys"
|
||||||
|
],
|
||||||
|
"Resource": [
|
||||||
|
"*"
|
||||||
|
]
|
||||||
|
},
|
||||||
{
|
{
|
||||||
"Sid": "AllowModifyingCloudwatchLogs",
|
"Sid": "AllowModifyingCloudwatchLogs",
|
||||||
"Effect": "Allow",
|
"Effect": "Allow",
|
||||||
|
@ -107,7 +130,7 @@
|
||||||
"logs:DeleteLogGroup"
|
"logs:DeleteLogGroup"
|
||||||
],
|
],
|
||||||
"Resource": [
|
"Resource": [
|
||||||
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
|
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
{
|
||||||
|
|
|
@ -5,8 +5,7 @@
|
||||||
"Sid": "AllowS3AnsibleTestBuckets",
|
"Sid": "AllowS3AnsibleTestBuckets",
|
||||||
"Action": [
|
"Action": [
|
||||||
"s3:CreateBucket",
|
"s3:CreateBucket",
|
||||||
"s3:DeleteBucket",
|
"s3:Delete*",
|
||||||
"s3:DeleteObject",
|
|
||||||
"s3:GetBucketPolicy",
|
"s3:GetBucketPolicy",
|
||||||
"s3:GetBucketRequestPayment",
|
"s3:GetBucketRequestPayment",
|
||||||
"s3:GetBucketTagging",
|
"s3:GetBucketTagging",
|
||||||
|
@ -15,7 +14,7 @@
|
||||||
"s3:GetObject",
|
"s3:GetObject",
|
||||||
"s3:GetBucketNotification",
|
"s3:GetBucketNotification",
|
||||||
"s3:HeadBucket",
|
"s3:HeadBucket",
|
||||||
"s3:ListBucket",
|
"s3:List*",
|
||||||
"s3:PutBucketAcl",
|
"s3:PutBucketAcl",
|
||||||
"s3:PutBucketPolicy",
|
"s3:PutBucketPolicy",
|
||||||
"s3:PutBucketRequestPayment",
|
"s3:PutBucketRequestPayment",
|
||||||
|
|
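--- a/test/integration/targets/cloudtrail/aliases
+++ b/test/integration/targets/cloudtrail/aliases
@@ -0,0 +1,2 @@
+cloud/aws
+unsupported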
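--- a/test/integration/targets/cloudtrail/defaults/main.yml
+++ b/test/integration/targets/cloudtrail/defaults/main.yml
@@ -0,0 +1,7 @@
+cloudtrail_name: '{{ resource_prefix }}-cloudtrail'
+s3_bucket_name: '{{ resource_prefix }}-cloudtrail-bucket'
+kms_alias: '{{ resource_prefix }}-cloudtrail'
+sns_topic: '{{ resource_prefix }}-cloudtrail-notifications'
+cloudtrail_prefix: 'test-prefix'
+cloudwatch_log_group: '{{ resource_prefix }}-cloudtrail'
+cloudwatch_role: '{{ resource_prefix }}-cloudtrail'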
1423
test/integration/targets/cloudtrail/tasks/main.yml
Normal file
1423
test/integration/targets/cloudtrail/tasks/main.yml
Normal file
|
@ -0,0 +1,13 @@
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "AssumeFromCloudTrails",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {
|
||||||
|
"Service": "cloudtrail.amazonaws.com"
|
||||||
|
},
|
||||||
|
"Action": "sts:AssumeRole"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
|
@ -0,0 +1,17 @@
|
||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "CloudTrail2CloudWatch",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": [
|
||||||
|
"logs:CreateLogStream",
|
||||||
|
"logs:PutLogEvents"
|
||||||
|
],
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}:log-stream:*",
|
||||||
|
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}-2:log-stream:*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
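--- a/test/integration/targets/cloudtrail/templates/kms-policy.j2
+++ b/test/integration/targets/cloudtrail/templates/kms-policy.j2
@@ -0,0 +1,34 @@
+{
+"Version": "2012-10-17",
+"Id": "CloudTrailPolicy",
+"Statement": [
+{
+"Sid": "EncryptLogs",
+"Effect": "Allow",
+"Principal": { "Service": "cloudtrail.amazonaws.com" },
+"Action": "kms:GenerateDataKey*",
+"Resource": "*",
+"Condition": {
+"StringLike": {
+"kms:EncryptionContext:aws:cloudtrail:arn": [
+"arn:aws:cloudtrail:*:{{ aws_caller_info.account }}:trail/{{ resource_prefix }}*"
+]
+}
+}
+},
+{
+"Sid": "DescribeKey",
+"Effect": "Allow",
+"Principal": { "Service": "cloudtrail.amazonaws.com" },
+"Action": "kms:DescribeKey",
+"Resource": "*"
+},
+{
+"Sid": "AnsibleTestManage",
+"Effect": "Allow",
+"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
+"Action": "*",
+"Resource": "*"
+}
+]
+}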
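Review bot: Style: the `Principal` objects are written inline here (`"Principal": { "Service": "cloudtrail.amazonaws.com" },`) and in s3-policy.j2, while sns-policy.j2 expands the same object over three lines; the three templates added by this commit would read more consistently with one form. Since these are Jinja2 templates, a stripped-on-render comment is available to explain the one statement a reader is likely to question, e.g. `{# AnsibleTestManage: the caller keeps full rights on the key so the test can still manage it #}` above the `AnsibleTestManage` statement, which otherwise grants `"Action": "*"` on `"Resource": "*"` without any explanation.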
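--- a/test/integration/targets/cloudtrail/templates/s3-policy.j2
+++ b/test/integration/targets/cloudtrail/templates/s3-policy.j2
@@ -0,0 +1,34 @@
+{
+"Version": "2012-10-17",
+"Statement": [
+{
+"Sid": "CloudTrailCheckAcl",
+"Effect": "Allow",
+"Principal": { "Service": "cloudtrail.amazonaws.com" },
+"Action": "s3:GetBucketAcl",
+"Resource": "arn:aws:s3:::{{ bucket_name }}",
+},
+{
+"Sid": "CloudTrailWriteLogs",
+"Effect": "Allow",
+"Principal": { "Service": "cloudtrail.amazonaws.com" },
+"Action": "s3:PutObject",
+"Resource": [
+"arn:aws:s3:::{{ bucket_name }}/AWSLogs/{{ aws_caller_info.account }}/*",
+"arn:aws:s3:::{{ bucket_name }}/{{ cloudtrail_prefix }}*/AWSLogs/{{ aws_caller_info.account }}/*"
+],
+"Condition": {
+"StringEquals": {
+"s3:x-amz-acl": "bucket-owner-full-control"
+}
+}
+},
+{
+"Sid": "AnsibleTestManage",
+"Effect": "Allow",
+"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
+"Action": "*",
+"Resource": "arn:aws:s3:::{{ bucket_name }}"
+}
+]
+}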
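Review bot: The `CloudTrailCheckAcl` statement has a trailing comma after `"Resource": "arn:aws:s3:::{{ bucket_name }}",` immediately before its closing `},`, so the rendered template is not valid JSON; a strict parser such as `json.loads`, or the bucket-policy API if it receives the text unchanged, rejects it, and the test only passes if whatever consumes the rendered text happens to tolerate trailing commas. Drop the comma so the line reads `"Resource": "arn:aws:s3:::{{ bucket_name }}"`. The other two statements end their last property without a comma, so this is the only occurrence in the file.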
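--- a/test/integration/targets/cloudtrail/templates/sns-policy.j2
+++ b/test/integration/targets/cloudtrail/templates/sns-policy.j2
@@ -0,0 +1,34 @@
+{
+"Version": "2008-10-17",
+"Id": "AnsibleSNSTesting",
+"Statement": [
+{
+"Sid": "CloudTrailSNSPolicy",
+"Effect": "Allow",
+"Principal": {
+"Service": "cloudtrail.amazonaws.com"
+},
+"Action": "sns:Publish",
+"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
+},
+{
+"Sid": "AnsibleTestManage",
+"Effect": "Allow",
+"Principal": {
+"AWS": "{{ aws_caller_info.arn }}"
+},
+"Action": [
+"sns:Subscribe",
+"sns:ListSubscriptionsByTopic",
+"sns:DeleteTopic",
+"sns:GetTopicAttributes",
+"sns:Publish",
+"sns:RemovePermission",
+"sns:AddPermission",
+"sns:Receive",
+"sns:SetTopicAttributes"
+],
+"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
+}
+]
+}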
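Review bot: `"Version": "2008-10-17",` on the second line is the legacy policy-language version, whereas kms-policy.j2 and s3-policy.j2 in the same commit declare `2012-10-17`; the older version also does not support policy variables, so nothing is gained by using it here. Change it to `"Version": "2012-10-17",` so the three templates agree and any later edit that adds a policy variable does not fail for a reason unrelated to the change.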