cloudtrail: Initial integration tests (#61919)

This commit is contained in:
Mark Chappell 2019-09-21 03:46:37 +02:00 committed by Jill R
parent 40660e7f6e
commit 0239f70648
10 changed files with 1590 additions and 4 deletions


@ -46,6 +46,7 @@
"iam:DeleteRolePolicy", "iam:DeleteRolePolicy",
"iam:DeleteRolePermissionsBoundary", "iam:DeleteRolePermissionsBoundary",
"iam:DetachRolePolicy", "iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole", "iam:PassRole",
"iam:PutRolePolicy", "iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary", "iam:PutRolePermissionsBoundary",
@ -98,6 +99,28 @@
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*" "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
] ]
}, },
{
"Sid": "AllowModifyingCloudtrail",
"Effect": "Allow",
"Action": [
"cloudtrail:*"
],
"Resource": [
"arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
]
},
{
"Sid": "AllowDescribingCloudtrails",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:ListTags",
"cloudtrail:ListPublicKeys"
],
"Resource": [
"*"
]
},
{ {
"Sid": "AllowModifyingCloudwatchLogs", "Sid": "AllowModifyingCloudwatchLogs",
"Effect": "Allow", "Effect": "Allow",
@ -107,7 +130,7 @@
"logs:DeleteLogGroup" "logs:DeleteLogGroup"
], ],
"Resource": [ "Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*" "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
] ]
}, },
{ {
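Review bot: The added `"iam:PutRolePolicy",` at the top of the first hunk duplicates the `"iam:PutRolePolicy"` entry that already sits two lines below it in the same Action list, so the new side grants the action twice; drop the added line, since the existing entry already covers it. IAM tolerates the duplicate, but it reads as a merge slip and will confuse whoever audits this policy next. The second hunk's `cloudtrail:*` grant is scoped to `trail/ansible-test-*`, which is the right shape; the third hunk widens the log-group resource from `ansible-testing*` to `ansible-test*`, presumably to cover the new test's `{{ resource_prefix }}-cloudtrail` group, and that is worth stating in the commit message because it also matches any other `ansible-test`-prefixed group. The enclosing Statement array starts and ends outside these hunks.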


@ -5,8 +5,7 @@
"Sid": "AllowS3AnsibleTestBuckets", "Sid": "AllowS3AnsibleTestBuckets",
"Action": [ "Action": [
"s3:CreateBucket", "s3:CreateBucket",
"s3:DeleteBucket", "s3:Delete*",
"s3:DeleteObject",
"s3:GetBucketPolicy", "s3:GetBucketPolicy",
"s3:GetBucketRequestPayment", "s3:GetBucketRequestPayment",
"s3:GetBucketTagging", "s3:GetBucketTagging",
@ -15,7 +14,7 @@
"s3:GetObject", "s3:GetObject",
"s3:GetBucketNotification", "s3:GetBucketNotification",
"s3:HeadBucket", "s3:HeadBucket",
"s3:ListBucket", "s3:List*",
"s3:PutBucketAcl", "s3:PutBucketAcl",
"s3:PutBucketPolicy", "s3:PutBucketPolicy",
"s3:PutBucketRequestPayment", "s3:PutBucketRequestPayment",
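Review bot: Replacing `s3:DeleteBucket`/`s3:DeleteObject` with `s3:Delete*` and `s3:ListBucket` with `s3:List*` grants considerably more than two extra actions, for example `s3:DeleteBucketPolicy`, `s3:DeleteObjectVersion` and `s3:ListBucketVersions`, on whatever resource the `AllowS3AnsibleTestBuckets` statement names (its Resource is outside the hunk). If the CloudTrail tests only need one or two additional actions, list them explicitly next to the existing entries instead of opening the wildcard; if the wildcard is deliberate, a line in the commit message naming which tests require it would help the next reviewer. The statement begins before the first hunk.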


@ -0,0 +1,2 @@
cloud/aws
unsupported


@ -0,0 +1,7 @@
cloudtrail_name: '{{ resource_prefix }}-cloudtrail'
s3_bucket_name: '{{ resource_prefix }}-cloudtrail-bucket'
kms_alias: '{{ resource_prefix }}-cloudtrail'
sns_topic: '{{ resource_prefix }}-cloudtrail-notifications'
cloudtrail_prefix: 'test-prefix'
cloudwatch_log_group: '{{ resource_prefix }}-cloudtrail'
cloudwatch_role: '{{ resource_prefix }}-cloudtrail'



@ -0,0 +1,13 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AssumeFromCloudTrails",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sts:AssumeRole"
}
]
}
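Review bot: The trust policy lets `cloudtrail.amazonaws.com` assume the role on behalf of any trail in any account, with no Condition narrowing it, and the role name is predictable from `resource_prefix`; add a `Condition` such as `"StringEquals": { "aws:SourceAccount": "{{ aws_caller_info.account }}" }` (and `aws:SourceArn` pinned to the test trail's ARN where it is known at template time) so only this account's trail can use the role. This is the usual guard against the cross-service confused-deputy case and costs nothing in a test fixture. The same consideration applies to the `cloudtrail.amazonaws.com` statements in the S3 bucket policy and SNS topic policy added in this commit. The document is otherwise well formed.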


@ -0,0 +1,17 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudTrail2CloudWatch",
"Effect": "Allow",
"Action": [
"logs:CreateLogStream",
"logs:PutLogEvents"
],
"Resource": [
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}:log-stream:*",
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}-2:log-stream:*"
]
}
]
}
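Review bot: The second Resource hard-codes a `-2` suffix on `{{ cloudwatch_log_group }}` with nothing on this page saying what that second log group is; the tasks file that presumably creates it is suppressed here. A dedicated default such as `cloudwatch_log_group_2: '{{ resource_prefix }}-cloudtrail-2'` in defaults/main.yml, referenced from this template, would keep the name in one place and make the intent visible. The policy itself is correctly limited to `logs:CreateLogStream` and `logs:PutLogEvents` on the named groups' streams.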


@ -0,0 +1,34 @@
{
"Version": "2012-10-17",
"Id": "CloudTrailPolicy",
"Statement": [
{
"Sid": "EncryptLogs",
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "kms:GenerateDataKey*",
"Resource": "*",
"Condition": {
"StringLike": {
"kms:EncryptionContext:aws:cloudtrail:arn": [
"arn:aws:cloudtrail:*:{{ aws_caller_info.account }}:trail/{{ resource_prefix }}*"
]
}
}
},
{
"Sid": "DescribeKey",
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "kms:DescribeKey",
"Resource": "*"
},
{
"Sid": "AnsibleTestManage",
"Effect": "Allow",
"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
"Action": "*",
"Resource": "*"
}
]
}
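Review bot: `AnsibleTestManage` is the only statement granting a non-service principal administrative access to the key, and it names `{{ aws_caller_info.arn }}` rather than the account root; if that ARN is a temporary session or the principal is removed before teardown, the key becomes unmanageable and has to be recovered through AWS support. Consider listing `"arn:aws:iam::{{ aws_caller_info.account }}:root"` alongside the caller ARN in that Principal, which is what the KMS default key policy does. The `EncryptLogs` condition on `kms:EncryptionContext:aws:cloudtrail:arn` scoped to `trail/{{ resource_prefix }}*` is the right shape.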


@ -0,0 +1,34 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "CloudTrailCheckAcl",
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "s3:GetBucketAcl",
"Resource": "arn:aws:s3:::{{ bucket_name }}",
},
{
"Sid": "CloudTrailWriteLogs",
"Effect": "Allow",
"Principal": { "Service": "cloudtrail.amazonaws.com" },
"Action": "s3:PutObject",
"Resource": [
"arn:aws:s3:::{{ bucket_name }}/AWSLogs/{{ aws_caller_info.account }}/*",
"arn:aws:s3:::{{ bucket_name }}/{{ cloudtrail_prefix }}*/AWSLogs/{{ aws_caller_info.account }}/*"
],
"Condition": {
"StringEquals": {
"s3:x-amz-acl": "bucket-owner-full-control"
}
}
},
{
"Sid": "AnsibleTestManage",
"Effect": "Allow",
"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
"Action": "*",
"Resource": "arn:aws:s3:::{{ bucket_name }}"
}
]
}
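Review bot: The first statement has a trailing comma: `"Resource": "arn:aws:s3:::{{ bucket_name }}",` is followed directly by `}`, which is invalid JSON and will be rejected by a strict parser, and by S3 as a malformed policy, once the template is rendered; remove the comma. Separately, `AnsibleTestManage` grants `"Action": "*"` on the bucket ARN only, not on `arn:aws:s3:::{{ bucket_name }}/*`, so object-level operations by the test principal depend entirely on its identity policy rather than this bucket policy; if that is intended it is fine, otherwise add the object ARN as a second Resource entry.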


@ -0,0 +1,34 @@
{
"Version": "2008-10-17",
"Id": "AnsibleSNSTesting",
"Statement": [
{
"Sid": "CloudTrailSNSPolicy",
"Effect": "Allow",
"Principal": {
"Service": "cloudtrail.amazonaws.com"
},
"Action": "sns:Publish",
"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
},
{
"Sid": "AnsibleTestManage",
"Effect": "Allow",
"Principal": {
"AWS": "{{ aws_caller_info.arn }}"
},
"Action": [
"sns:Subscribe",
"sns:ListSubscriptionsByTopic",
"sns:DeleteTopic",
"sns:GetTopicAttributes",
"sns:Publish",
"sns:RemovePermission",
"sns:AddPermission",
"sns:Receive",
"sns:SetTopicAttributes"
],
"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
}
]
}
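Review bot: `"Version": "2008-10-17"` differs from the `"2012-10-17"` used by every other policy document in this commit; the older version lacks policy-variable support and is only retained for legacy documents, so change it to `"Version": "2012-10-17"` for consistency. The rest of the topic policy is well scoped, with both statements limited to the single `{{ sns_topic_name }}` ARN.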