cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Remove hacking/aws_config

Browse source 
AWS hacking config has been moved to the AWS CI terminator repo, and is no
longer required in base.
https://github.com/mattclay/aws-terminator/pull/91
This commit is contained in:
Jill Rouleau 2020-03-16 13:10:24 -07:00 committed by Matt Clay
parent 9139c1f81d
commit 0bf7a08eb6
9 changed files with 0 additions and 1307 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

330
hacking/aws_config/build_iam_policy_framework.py
View file

@ -1,330 +0,0 @@
# Requires pandas, bs4, html5lib, and lxml
#
# Call script with the output from aws_resource_actions callback, e.g.
# python build_iam_policy_framework.py ['ec2:AuthorizeSecurityGroupEgress', 'ec2:AuthorizeSecurityGroupIngress', 'sts:GetCallerIdentity']
#
# The sample output:
# {
# "Version": "2012-10-17",
# "Statement": [
# {
# "Sid": "AnsibleEditor0",
# "Effect": "Allow",
# "Action": [
# "ec2:AuthorizeSecurityGroupEgress",
# "ec2:AuthorizeSecurityGroupIngress"
# ],
# "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}"
# },
# {
# "Sid": "AnsibleEditor1",
# "Effect": "Allow",
# "Action": [
# "sts:GetCallerIdentity"
# ],
# "Resource": "*"
# }
# ]
# }
#
# Policy troubleshooting:
# - If there are more actions in the policy than you provided, AWS has documented dependencies for some of your actions and
# those have been added to the policy.
# - If there are fewer actions in the policy than you provided, some of your actions are not in the IAM table of actions for
# that service. For example, the API call s3:DeleteObjects does not actually correlate to the permission needed in a policy.
# In this case s3:DeleteObject is the permission required to allow both the s3:DeleteObjects action and the s3:DeleteObject action.
# - The policies output are only as accurate as the AWS documentation. If the policy does not permit the
# necessary actions, look for undocumented dependencies. For example, redshift:CreateCluster requires ec2:DescribeVpcs,
# ec2:DescribeSubnets, ec2:DescribeSecurityGroups, and ec2:DescribeInternetGateways, but AWS does not document this.
#
from __future__ import (absolute_import, division, print_function)
__metaclass__ = type
import json
import requests
import sys
missing_dependencies = []
try:
import pandas as pd
except ImportError:
missing_dependencies.append('pandas')
try:
import bs4
except ImportError:
missing_dependencies.append('bs4')
try:
import html5lib
except ImportError:
missing_dependencies.append('html5lib')
try:
import lxml
except ImportError:
missing_dependencies.append('lxml')
irregular_service_names = {
'a4b': 'alexaforbusiness',
'appstream': 'appstream2.0',
'acm': 'certificatemanager',
'acm-pca': 'certificatemanagerprivatecertificateauthority',
'aws-marketplace-management': 'marketplacemanagementportal',
'ce': 'costexplorerservice',
'cognito-identity': 'cognitoidentity',
'cognito-sync': 'cognitosync',
'cognito-idp': 'cognitouserpools',
'cur': 'costandusagereport',
'dax': 'dynamodbacceleratordax',
'dlm': 'datalifecyclemanager',
'dms': 'databasemigrationservice',
'ds': 'directoryservice',
'ec2messages': 'messagedeliveryservice',
'ecr': 'ec2containerregistry',
'ecs': 'elasticcontainerservice',
'eks': 'elasticcontainerserviceforkubernetes',
'efs': 'elasticfilesystem',
'es': 'elasticsearchservice',
'events': 'cloudwatchevents',
'firehose': 'kinesisfirehose',
'fms': 'firewallmanager',
'health': 'healthapisandnotifications',
'importexport': 'importexportdiskservice',
'iot1click': 'iot1-click',
'kafka': 'managedstreamingforkafka',
'kinesisvideo': 'kinesisvideostreams',
'kms': 'keymanagementservice',
'license-manager': 'licensemanager',
'logs': 'cloudwatchlogs',
'opsworks-cm': 'opsworksconfigurationmanagement',
'mediaconnect': 'elementalmediaconnect',
'mediaconvert': 'elementalmediaconvert',
'medialive': 'elementalmedialive',
'mediapackage': 'elementalmediapackage',
'mediastore': 'elementalmediastore',
'mgh': 'migrationhub',
'mobiletargeting': 'pinpoint',
'pi': 'performanceinsights',
'pricing': 'pricelist',
'ram': 'resourceaccessmanager',
'resource-groups': 'resourcegroups',
'sdb': 'simpledb',
'servicediscovery': 'cloudmap',
'serverlessrepo': 'serverlessapplicationrepository',
'sms': 'servermigrationservice',
'sms-voice': 'pinpointsmsandvoiceservice',
'sso-directory': 'ssodirectory',
'ssm': 'systemsmanager',
'ssmmessages': 'sessionmanagermessagegatewayservice',
'states': 'stepfunctions',
'sts': 'securitytokenservice',
'swf': 'simpleworkflowservice',
'tag': 'resourcegrouptaggingapi',
'transfer': 'transferforsftp',
'waf-regional': 'wafregional',
'wam': 'workspacesapplicationmanager',
'xray': 'x-ray'
}
irregular_service_links = {
'apigateway': [
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_manageamazonapigateway.html'
],
'aws-marketplace': [
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsmarketplace.html',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsmarketplacemeteringservice.html',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsprivatemarketplace.html'
],
'discovery': [
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_applicationdiscovery.html'
],
'elasticloadbalancing': [
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_elasticloadbalancing.html',
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_elasticloadbalancingv2.html'
],
'globalaccelerator': [
'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_globalaccelerator.html'
]
}
def get_docs_by_prefix(prefix):
amazon_link_form = 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazon{0}.html'
aws_link_form = 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_aws{0}.html'
if prefix in irregular_service_links:
links = irregular_service_links[prefix]
else:
if prefix in irregular_service_names:
prefix = irregular_service_names[prefix]
links = [amazon_link_form.format(prefix), aws_link_form.format(prefix)]
return links
def get_html(links):
html_list = []
for link in links:
html = requests.get(link).content
try:
parsed_html = pd.read_html(html)
html_list.append(parsed_html)
except ValueError as e:
if 'No tables found' in str(e):
pass
else:
raise e
return html_list
def get_tables(service):
links = get_docs_by_prefix(service)
html_list = get_html(links)
action_tables = []
arn_tables = []
for df_list in html_list:
for df in df_list:
table = json.loads(df.to_json(orient='split'))
table_data = table['data'][0]
if 'Actions' in table_data and 'Resource Types (*required)' in table_data:
action_tables.append(table['data'][1::])
elif 'Resource Types' in table_data and 'ARN' in table_data:
arn_tables.append(table['data'][1::])
# Action table indices:
# 0: Action, 1: Description, 2: Access level, 3: Resource type, 4: Condition keys, 5: Dependent actions
# ARN tables indices:
# 0: Resource type, 1: ARN template, 2: Condition keys
return action_tables, arn_tables
def add_dependent_action(resources, dependency):
resource, action = dependency.split(':')
if resource in resources:
resources[resource].append(action)
else:
resources[resource] = [action]
return resources
def get_dependent_actions(resources):
for service in dict(resources):
action_tables, arn_tables = get_tables(service)
for found_action_table in action_tables:
for action_stuff in found_action_table:
if action_stuff is None:
continue
if action_stuff[0] in resources[service] and action_stuff[5]:
dependencies = action_stuff[5].split()
if isinstance(dependencies, list):
for dependency in dependencies:
resources = add_dependent_action(resources, dependency)
else:
resources = add_dependent_action(resources, dependencies)
return resources
def get_actions_by_service(resources):
service_action_dict = {}
dependencies = {}
for service in resources:
action_tables, arn_tables = get_tables(service)
# Create dict of the resource type to the corresponding ARN
arn_dict = {}
for found_arn_table in arn_tables:
for arn_stuff in found_arn_table:
arn_dict["{0}*".format(arn_stuff[0])] = arn_stuff[1]
# Create dict of the action to the corresponding ARN
action_dict = {}
for found_action_table in action_tables:
for action_stuff in found_action_table:
if action_stuff[0] is None:
continue
if arn_dict.get(action_stuff[3]):
action_dict[action_stuff[0]] = arn_dict[action_stuff[3]]
else:
action_dict[action_stuff[0]] = None
service_action_dict[service] = action_dict
return service_action_dict
def get_resource_arns(aws_actions, action_dict):
resource_arns = {}
for resource_action in aws_actions:
resource, action = resource_action.split(':')
if action not in action_dict:
continue
if action_dict[action] is None:
resource = "*"
else:
resource = action_dict[action].replace("${Partition}", "aws")
if resource not in resource_arns:
resource_arns[resource] = []
resource_arns[resource].append(resource_action)
return resource_arns
def get_resources(actions):
resources = {}
for action in actions:
resource, action = action.split(':')
if resource not in resources:
resources[resource] = []
resources[resource].append(action)
return resources
def combine_arn_actions(resources, service_action_arn_dict):
arn_actions = {}
for service in service_action_arn_dict:
service_arn_actions = get_resource_arns(aws_actions, service_action_arn_dict[service])
for resource in service_arn_actions:
if resource in arn_actions:
arn_actions[resource].extend(service_arn_actions[resource])
else:
arn_actions[resource] = service_arn_actions[resource]
return arn_actions
def combine_actions_and_dependent_actions(resources):
aws_actions = []
for resource in resources:
for action in resources[resource]:
aws_actions.append('{0}:{1}'.format(resource, action))
return set(aws_actions)
def get_actions_restricted_by_arn(aws_actions):
resources = get_resources(aws_actions)
resources = get_dependent_actions(resources)
service_action_arn_dict = get_actions_by_service(resources)
aws_actions = combine_actions_and_dependent_actions(resources)
return combine_arn_actions(aws_actions, service_action_arn_dict)
def main(aws_actions):
arn_actions = get_actions_restricted_by_arn(aws_actions)
statement = []
for resource_restriction in arn_actions:
statement.append({
"Sid": "AnsibleEditor{0}".format(len(statement)),
"Effect": "Allow",
"Action": arn_actions[resource_restriction],
"Resource": resource_restriction
})
policy = {"Version": "2012-10-17", "Statement": statement}
print(json.dumps(policy, indent=4))
if __name__ == '__main__':
if missing_dependencies:
sys.exit('Missing Python libraries: {0}'.format(', '.join(missing_dependencies)))
actions = sys.argv[1:]
if len(actions) == 1:
actions = sys.argv[1].split(',')
aws_actions = [action.strip('[], "\'') for action in actions]
main(aws_actions)

55
hacking/aws_config/setup-iam.yml
View file

@ -1,55 +0,0 @@
# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv
#
# Creates IAM policies and associates them with iam_group. This group
# can then be associated with an appropriate user
#
# You can pass -e profile=boto_profile_name if you have a profile that
# you can use, otherwise use normal AWS methods (env variables, instance
# profile, etc)
#
# If you want to use a region other than us-east-1 (and only us-east-2
# works with ansible-test), pass -e region=us-east-2
#
# Requires 2.4 for iam_managed_policy and iam_group
- hosts: localhost
connection: local
gather_facts: no
vars:
aws_region: "{{ region|default('us-east-1') }}"
tasks:
- name: Check that required variables are set
fail:
msg: "You must set the iam_group variable"
when: iam_group is not defined
- name: Get aws account ID
aws_caller_info:
profile: "{{ profile|default(omit) }}"
register: aws_caller_info
- name: Set aws_account_fact
set_fact:
aws_account: "{{ aws_caller_info.account }}"
- name: Ensure Managed IAM policies exist
iam_managed_policy:
policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy"
policy: "{{ lookup('template', item) }}"
state: present
profile: "{{ profile|default(omit) }}"
with_fileglob: "testing_policies/*.json"
register: iam_managed_policies
- debug:
msg: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
- name: Ensure IAM group exists and attach managed policies
iam_group:
name: "{{ iam_group }}"
state: present
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
profile: "{{ profile|default(omit) }}"
purge_policy: yes

280
hacking/aws_config/testing_policies/compute-policy.json
View file

@ -1,280 +0,0 @@
{# Not all Autoscaling API Actions allow specified resources #}
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies"
],
"Resource": "*"
},
{
"Sid": "AllowAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:*LaunchConfiguration",
"autoscaling:*LoadBalancers",
"autoscaling:*AutoScalingGroup",
"autoscaling:*MetricsCollection",
"autoscaling:PutScalingPolicy",
"autoscaling:DeletePolicy",
"autoscaling:*Tags"
],
"Resource": [
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
]
},
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
"Sid": "AllowUnspecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:*LaunchTemplate",
"ec2:*LaunchTemplateVersion",
"ec2:*LaunchTemplateVersions",
"ec2:AttachVolume",
"ec2:CreateImage",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateTags",
"ec2:DeleteKeyPair",
"ec2:DeleteSnapshot",
"ec2:DeleteTags",
"ec2:DeregisterImage",
"ec2:Describe*",
"ec2:DetachVolume",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:RegisterImage",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReportInstanceStatus"
],
"Resource": "*"
},
{
"Sid": "AllowSpecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}::image/*",
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
{
"Sid": "AllowLoadBalancerOperations",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*LoadBalancer",
"elasticloadbalancing:*LoadBalancers",
"elasticloadbalancing:*LoadBalancerListeners",
"elasticloadbalancing:*TargetGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:Create*",
"elasticloadbalancing:Delete*",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:Describe*",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:Modify*",
"elasticloadbalancing:Register*",
"elasticloadbalancing:Deregister*",
"elasticloadbalancing:Remove*"
],
"Resource": "*"
},
{# Only certain lambda actions can be restricted to a specific resource #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
{
"Sid": "AllowApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:{{aws_region}}::/*"
]
},
{
"Sid": "AllowGetUserForLambdaCreation",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
]
},
{
"Sid": "AllowLambdaManagementWithoutResource",
"Effect": "Allow",
"Action": [
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
"lambda:List*",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": "*"
},
{
"Sid": "AllowLambdaManagementWithResource",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:CreateFunction",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
},
{
"Sid": "AllowRoleManagement",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
"arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
]
},
{
"Sid": "AllowSESManagement",
"Effect": "Allow",
"Action": [
"ses:VerifyEmailIdentity",
"ses:DeleteIdentity",
"ses:GetIdentityVerificationAttributes",
"ses:GetIdentityNotificationAttributes",
"ses:VerifyDomainIdentity",
"ses:SetIdentityNotificationTopic",
"ses:SetIdentityHeadersInNotificationsEnabled",
"ses:SetIdentityFeedbackForwardingEnabled",
"ses:GetIdentityPolicies",
"ses:PutIdentityPolicy",
"ses:DeleteIdentityPolicy",
"ses:ListIdentityPolicies",
"ses:SetIdentityFeedbackForwardingEnabled",
"ses:ListReceiptRuleSets",
"ses:DescribeReceiptRuleSet",
"ses:DescribeActiveReceiptRuleSet",
"ses:SetActiveReceiptRuleSet",
"ses:CreateReceiptRuleSet",
"ses:DeleteReceiptRuleSet"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowSNSManagement",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:ListSubscriptions",
"SNS:ListSubscriptionsByTopic",
"SNS:ListTopics",
"SNS:SetTopicAttributes",
"SNS:Subscribe",
"SNS:Unsubscribe"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowStepFunctionsStateMachine",
"Effect": "Allow",
"Action": [
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:DescribeExecution",
"states:DescribeStateMachine",
"states:ListExecutions",
"states:ListStateMachines",
"states:ListTagsForResource",
"states:StartExecution",
"states:StopExecution",
"states:TagResource",
"states:UntagResource",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:*:*:*"
]
},
{
"Sid": "AllowLightsail",
"Effect": "Allow",
"Action": [
"lightsail:CreateInstances",
"lightsail:DeleteInstance",
"lightsail:GetInstance",
"lightsail:GetInstances",
"lightsail:RebootInstance",
"lightsail:StartInstance",
"lightsail:StopInstance"
],
"Resource": "arn:aws:lightsail:*:*:*"
},
{
"Sid": "AllowSQS",
"Effect": "Allow",
"Action": [
"sqs:GetQueueURL",
"sqs:CreateQueue",
"sqs:GetQueueAttributes",
"sqs:DeleteQueue",
"sqs:SetQueueAttributes"
],
"Resource": "arn:aws:sqs:*:*:*"
},
]
}

80
hacking/aws_config/testing_policies/container-policy.json
View file

@ -1,80 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UnspecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "*"
},
{
"Sid": "SpecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:GetLifecyclePolicy",
"ecr:PutLifecyclePolicy",
"ecr:DeleteLifecyclePolicy",
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
},
{
"Effect": "Allow",
"Action": [
"application-autoscaling:Describe*",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"ecs:CreateCluster",
"ecs:CreateService",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:DeregisterTaskDefinition",
"ecs:Describe*",
"ecs:List*",
"ecs:PutAccountSetting",
"ecs:RegisterTaskDefinition",
"ecs:RunTask",
"ecs:StartTask",
"ecs:StopTask",
"ecs:UpdateService",
"elasticloadbalancing:Describe*",
"iam:GetInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:ListGroups",
"iam:ListRoles",
"iam:ListUsers"
],
"Resource": [
"*"
]
},
{
"Effect": "Allow",
"Action": [
"eks:CreateCluster",
"eks:DeleteCluster",
"eks:DescribeCluster",
"eks:ListClusters"
],
"Resource": [
"*"
]
}
]
}

123
hacking/aws_config/testing_policies/database-policy.json
View file

@ -1,123 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
"Condition": {
"StringLike": {
"iam:AWSServiceName":"rds.amazonaws.com"
}
}
},
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift",
"Condition": {
"StringLike": {
"iam:AWSServiceName": "redshift.amazonaws.com"}
}
},
{
"Sid": "AllowRDSReadEverywhere",
"Effect": "Allow",
"Action": [
"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots"
],
"Resource": ["*"]
},
{
"Sid": "AllowRDSModuleTests",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"rds:ModifyDBInstance",
"rds:PromoteReadReplica",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:RestoreDBInstanceToPointInTime",
"rds:StartDBInstance",
"rds:StopDBInstance"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
]
},
{
"Sid": "AllowRDSSnapshotManageSnapshots",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:CreateDBSnapshot",
"rds:DeleteDBInstance",
"rds:DeleteDBSnapshot",
"rds:RemoveTagsFromResource",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:CreateDBInstanceReadReplica"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
]
},
{
"Sid": "AllowRDSParameterGroupManagement",
"Effect": "Allow",
"Action": [
"rds:CreateDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:AddTagsToResource",
"rds:RemoveTagsFromResource"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
]
},
{
"Sid": "AllowRedshiftManagment",
"Action": [
"redshift:CreateCluster",
"redshift:CreateTags",
"redshift:DeleteCluster",
"redshift:DeleteTags",
"redshift:DescribeClusters",
"redshift:DescribeTags",
"redshift:ModifyCluster",
"redshift:RebootCluster"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AllowRDSSubnetGroups",
"Effect": "Allow",
"Action": [
"rds:CreateDBSubnetGroup",
"rds:DeleteDBSubnetGroup",
"rds:DescribeDBSubnetGroups",
"rds:ModifyDBSubnetGroup"
],
"Resource": ["*"]
},
{
"Sid": "DMSEndpoints",
"Effect": "Allow",
"Action": [
"dms:CreateEndpoint",
"dms:DeleteEndpoint",
"dms:DescribeEndpoints",
"dms:ModifyEndpoint"
],
"Resource": ["*"]
}
]
}

40
hacking/aws_config/testing_policies/devops-policy.json
View file

@ -1,40 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowCodeCommitModuleTests",
"Effect": "Allow",
"Action": [
"codecommit:ListRepositories",
"codecommit:*Repository",
"codecommit:*RepositoryDescription"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowCloudformationTests",
"Effect": "Allow",
"Action": [
"cloudformation:CreateChangeSet",
"cloudformation:CreateStack",
"cloudformation:DeleteChangeSet",
"cloudformation:DeleteStack",
"cloudformation:DescribeChangeSet",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:GetStackPolicy",
"cloudformation:GetTemplate",
"cloudformation:ListChangeSets",
"cloudformation:ListExports",
"cloudformation:ListStackResources",
"cloudformation:UpdateStack",
"cloudformation:UpdateTerminationProtection"
],
"Resource": [
"*"
]
}
]
}

117
hacking/aws_config/testing_policies/network-policy.json
View file

@ -1,117 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "ManageRoute53ForTests",
"Effect": "Allow",
"Action": [
"route53:CreateHostedZone",
"route53:ChangeResourceRecordSets",
"route53:DeleteHostedZone",
"route53:GetHostedZone",
"route53:ListHostedZones",
"route53:ListResourceRecordSets",
"route53:UpdateHostedZoneComment"
],
"Resource": "*"
},
{
"Sid": "AllowInternetGatewayManagement",
"Effect": "Allow",
"Action": [
"ec2:CreateInternetGateway",
"ec2:DeleteInternetGateway",
"ec2:DescribeInternetGateways"
],
"Resource": "*"
},
{
"Sid": "AllowTransitGatewayManagement",
"Effect": "Allow",
"Action": [
"ec2:CreateTransitGateway",
"ec2:DeleteTransitGateway",
"ec2:DescribeTransitGateways"
],
"Resource": "*"
},
{
"Sid": "AllowUnspecifiedEC2NetworkingResource",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
"ec2:CreateNatGateway",
"ec2:CreateNetworkAcl",
"ec2:CreateNetworkAclEntry",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:CreateVpnConnection",
"ec2:CreateVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkAcl",
"ec2:DeleteNetworkAclEntry",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSubnet",
"ec2:DeleteVpc",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnGateway",
"ec2:DetachInternetGateway",
"ec2:DetachVpnGateway",
"ec2:Describe*",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:DisassociateVpcCidrBlock",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:ReleaseAddress",
"ec2:ReplaceNetworkAclAssociation",
"ec2:ReplaceNetworkAclEntry",
"ec2:ReplaceRouteTableAssociation"
],
"Resource": "*"
},
{
"Sid": "AllowCloudfrontUsage",
"Effect": "Allow",
"Action": [
"cloudfront:CreateDistribution",
"cloudfront:CreateDistributionWithTags",
"cloudfront:CreateCloudFrontOriginAccessIdentity",
"cloudfront:DeleteDistribution",
"cloudfront:GetDistribution",
"cloudfront:GetStreamingDistribution",
"cloudfront:GetDistributionConfig",
"cloudfront:GetStreamingDistributionConfig",
"cloudfront:GetInvalidation",
"cloudfront:ListDistributions",
"cloudfront:ListDistributionsByWebACLId",
"cloudfront:ListInvalidations",
"cloudfront:ListStreamingDistributions",
"cloudfront:ListTagsForResource",
"cloudfront:TagResource",
"cloudfront:UntagResource",
"cloudfront:UpdateDistribution"
],
"Resource": "*"
}
]
}

228
hacking/aws_config/testing_policies/security-policy.json
View file

@ -1,228 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"iam:GetGroup",
"iam:GetInstanceProfile",
"iam:CreateInstanceProfile",
"iam:GetPolicy",
"iam:GetPolicyVersion",
"iam:GetRole",
"iam:GetRolePolicy",
"iam:GetUser",
"iam:ListAttachedGroupPolicies",
"iam:ListAttachedRolePolicies",
"iam:ListAttachedUserPolicies",
"iam:ListGroups",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:ListPolicies",
"iam:ListRoles",
"iam:ListRolePolicies",
"iam:ListRoleTags",
"iam:ListUsers",
"iam:ListAccountAliases"
],
"Resource": "*",
"Effect": "Allow",
"Sid": "AllowReadOnlyIAMUse"
},
{
"Action": [
"iam:CreatePolicy",
"iam:ListPolicyVersions",
"iam:ListEntitiesForPolicy",
"iam:DeletePolicy"
],
"Resource": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowManagementOfSpecificPolicies"
},
{
"Action": [
"iam:AttachRolePolicy",
"iam:CreateRole",
"iam:DeleteRole",
"iam:DeleteRolePolicy",
"iam:DeleteRolePermissionsBoundary",
"iam:DetachRolePolicy",
"iam:PutRolePolicy",
"iam:PassRole",
"iam:PutRolePolicy",
"iam:PutRolePermissionsBoundary",
"iam:TagRole",
"iam:UntagRole",
"iam:UpdateAssumeRolePolicy",
"iam:UpdateRole",
"iam:UpdateRoleDescription",
"sts:AssumeRole"
],
"Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificRoles"
},
{
"Action": [
"iam:CreateInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile"
],
"Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
"Effect": "Allow",
"Sid": "AllowUpdateOfSpecificInstanceProfiles"
},
{
"Action": [
"ec2:ReplaceIamInstanceProfileAssociation"
],
"Resource": "*",
"Condition": {
"ArnEquals": {
"ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
}
},
"Effect": "Allow",
"Sid": "AllowReplacementOfSpecificInstanceProfiles"
},
{
"Sid": "AllowWAFusage",
"Action": "waf:*",
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "AllowListingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:DescribeLogGroups"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
]
},
{
"Sid": "AllowModifyingCloudtrail",
"Effect": "Allow",
"Action": [
"cloudtrail:*"
],
"Resource": [
"arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
]
},
{
"Sid": "AllowDescribingCloudtrails",
"Effect": "Allow",
"Action": [
"cloudtrail:DescribeTrails",
"cloudtrail:ListTags",
"cloudtrail:ListPublicKeys"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowModifyingCloudwatchLogs",
"Effect": "Allow",
"Action": [
"logs:CreateLogGroup",
"logs:PutRetentionPolicy",
"logs:DeleteLogGroup"
],
"Resource": [
"arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
]
},
{
"Sid": "AllowAccessToUnspecifiedKMSResources",
"Effect": "Allow",
"Action": [
"kms:CancelKeyDeletion",
"kms:CreateAlias",
"kms:CreateGrant",
"kms:CreateKey",
"kms:DeleteAlias",
"kms:Describe*",
"kms:DisableKey",
"kms:EnableKey",
"kms:GenerateRandom",
"kms:Get*",
"kms:List*",
"kms:PutKeyPolicy",
"kms:RetireGrant",
"kms:ScheduleKeyDeletion",
"kms:TagResource",
"kms:UntagResource",
"kms:UpdateGrant",
"kms:UpdateKeyDescription"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToServerCertificates",
"Effect": "Allow",
"Action": [
"iam:*ServerCertificates",
"iam:*ServerCertificate"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToSecrets",
"Effect": "Allow",
"Action": [
"secretsmanager:*"
],
"Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
},
{
"Sid": "AllowAccessToManagePasswordPolicy",
"Effect": "Allow",
"Action": [
"iam:*AccountPasswordPolicy"
],
"Resource": "*"
},
{
"Sid": "AllowAccessToManageUsersAndGroups",
"Effect": "Allow",
"Action": [
"iam:*Group",
"iam:*User",
"iam:ListAttachedGroupPolicies"
],
"Resource": [
"arn:aws:iam::{{ aws_account }}:user/ansible-test*",
"arn:aws:iam::{{ aws_account }}:group/ansible-test*"
]
},
{
"Sid": "AllowAccessToACMRestrictable",
"Effect": "Allow",
"Action": [
"acm:ImportCertificate",
"acm:DescribeCertificate",
"acm:GetCertificate",
"acm:AddTagsToCertificate",
"acm:DeleteCertificate"
],
"Resource": [
"arn:aws:acm:{{aws_region}}:{{aws_account}}:certificate/*"
]
},
{
"Sid": "AllowAccessToACMUnrestrictable",
"Effect": "Allow",
"Action": [
"acm:ListCertificates",
"acm:ListTagsForCertificate"
],
"Resource": [
"*"
]
}
]
}

54
hacking/aws_config/testing_policies/storage-policy.json
View file

@ -1,54 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowS3AnsibleTestBuckets",
"Action": [
"s3:CreateBucket",
"s3:Delete*",
"s3:GetBucketAcl",
"s3:GetBucketLogging",
"s3:GetBucketNotification",
"s3:GetBucketPolicy",
"s3:GetBucketRequestPayment",
"s3:GetBucketTagging",
"s3:GetBucketVersioning",
"s3:GetEncryptionConfiguration",
"s3:GetObject",
"s3:HeadBucket",
"s3:List*",
"s3:PutBucketAcl",
"s3:PutBucketLogging",
"s3:PutBucketNotification",
"s3:PutBucketPolicy",
"s3:PutBucketRequestPayment",
"s3:PutBucketTagging",
"s3:PutBucketVersioning",
"s3:PutEncryptionConfiguration",
"s3:PutObject",
"s3:PutObjectAcl"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::ansible-test-*",
"arn:aws:s3:::ansible-test-*/*"
]
},
{
"Sid": "AllowListingS3Buckets",
"Action": [
"s3:ListAllMyBuckets"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "ManageEFS",
"Effect": "Allow",
"Action": [
"elasticfilesystem:*"
],
"Resource": "*"
}
]
}