cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Update AWS dev guide to recomment module_defaults and point to CI policy repo (#63589)

Browse source
This commit is contained in:
Jill R 2019-10-21 14:01:19 -07:00 committed by Sandra McCann
parent c2d1cc6f5b
commit 9cda5819b9
1 changed files with 6 additions and 8 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

14
docs/docsite/rst/dev_guide/platforms/aws_guidelines.rst
View file

@ -639,14 +639,14 @@ to your test in the following variables:
* `aws_secret_key` * `aws_secret_key`
* `security_token` * `security_token`
So all invocations of AWS modules in the test should set these parameters. To avoid duplication these So all invocations of AWS modules in the test should set these parameters. To avoid duplicating these
for every call, it's preferable to use `YAML Anchors <https://blog.daemonl.com/2016/02/yaml.html>`_. For example: for every call, it's preferable to use :ref:`module_defaults <module_defaults>`. For example:
.. code-block:: yaml .. code-block:: yaml
- name: set connection information for all tasks - name: set connection information for all tasks
set_fact: module_defaults:
aws_connection_info: &aws_connection_info group/aws:
aws_access_key: "{{ aws_access_key }}" aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}" aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}" security_token: "{{ security_token }}"
@ -656,12 +656,10 @@ for every call, it's preferable to use `YAML Anchors <https://blog.daemonl.com/2
- name: Do Something - name: Do Something
ec2_instance: ec2_instance:
... params ... ... params ...
<<: *aws_connection_info
- name: Do Something Else - name: Do Something Else
ec2_instance: ec2_instance:
... params ... ... params ...
<<: *aws_connection_info
AWS Permissions for Integration Tests AWS Permissions for Integration Tests
------------------------------------- -------------------------------------
@ -694,7 +692,7 @@ To start with the most permissive IAM policy:
3) Modify your policy to allow only the actions your tests use. Restrict account, region, and prefix where possible. Wait a few minutes for your policy to update. 3) Modify your policy to allow only the actions your tests use. Restrict account, region, and prefix where possible. Wait a few minutes for your policy to update.
4) Run the tests again with a user or role that allows only the new policy. 4) Run the tests again with a user or role that allows only the new policy.
5) If the tests fail, troubleshoot (see tips below), modify the policy, run the tests again, and repeat the process until the tests pass with a restrictive policy. 5) If the tests fail, troubleshoot (see tips below), modify the policy, run the tests again, and repeat the process until the tests pass with a restrictive policy.
6) Share the minimum policy in a comment on your PR. 6) Open a pull request proposing the minimum required policy to the `testing policies <https://github.com/mattclay/aws-terminator/tree/master/aws/policy>`_.
To start from the least permissive IAM policy: To start from the least permissive IAM policy:
@ -711,7 +709,7 @@ To start from the least permissive IAM policy:
3) Add the action or resource that caused the failure to `an IAM policy <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start>`_. Wait a few minutes for your policy to update. 3) Add the action or resource that caused the failure to `an IAM policy <https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_create.html#access_policies_create-start>`_. Wait a few minutes for your policy to update.
4) Run the tests again with this policy attached to your user or role. 4) Run the tests again with this policy attached to your user or role.
5) If the tests still fail at the same place with the same error you will need to troubleshoot (see tips below). If the first test passes, repeat steps 2 and 3 for the next error. Repeat the process until the tests pass with a restrictive policy. 5) If the tests still fail at the same place with the same error you will need to troubleshoot (see tips below). If the first test passes, repeat steps 2 and 3 for the next error. Repeat the process until the tests pass with a restrictive policy.
6) Share the minimum policy in a comment on your PR. 6) Open a pull request proposing the minimum required policy to the `testing policies <https://github.com/mattclay/aws-terminator/tree/master/aws/policy>`_.
Troubleshooting IAM policies Troubleshooting IAM policies
^^^^^^^^^^^^^^^^^^^^^^^^^^^^ ^^^^^^^^^^^^^^^^^^^^^^^^^^^^