cmueller/ansible
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Remove ECS policies from AWS compute policy

Browse source 
The compute policy was exceeding maximum size and contained
policies that already exist in ecs-policy.

Look up suitable AMIs rather than hardcode

We don't want to maintain multiple image IDs for multiple regions
so use ec2_ami_facts to set a suitable image ID

Improve exception handling
This commit is contained in:
Will Thames 2018-06-06 19:48:00 +10:00
parent fbcd6f8a65
commit a60fe1946c
4 changed files with 15 additions and 57 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

46
hacking/aws_config/testing_policies/compute-policy.json
View file

@ -109,29 +109,6 @@
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "UnspecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "*"
},
{
"Sid": "SpecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
},
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
@ -238,29 +215,6 @@
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
]
},
{
"Sid": "AllowECSManagement",
"Effect": "Allow",
"Action": [
"application-autoscaling:Describe*",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"ecs:CreateCluster",
"ecs:CreateService",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:Describe*",
"ecs:DeregisterTaskDefinition",
"ecs:List*",
"ecs:RegisterTaskDefinition",
"ecs:UpdateService"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowSESManagement",
"Effect": "Allow",

4
lib/ansible/modules/cloud/amazon/ecs_service.py
View file

@ -523,7 +523,7 @@ def main():
network_configuration,
module.params['launch_type'])
except botocore.exceptions.ClientError as e:
module.fail_json(msg=e.message)
module.fail_json_aws(e, msg="Couldn't create service")
results['service'] = response
@ -548,7 +548,7 @@ def main():
module.params['cluster']
)
except botocore.exceptions.ClientError as e:
module.fail_json(msg=e.message)
module.fail_json_aws(e, msg="Couldn't delete service")
results['changed'] = True
elif module.params['state'] == 'deleting':

8
test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
View file

@ -1,11 +1,3 @@
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
# amzn-ami-2017.09.b-amazon-ecs-optimized
ecs_agent_images:
us-east-1: ami-71ef560b
us-east-2: ami-1b8ca37e
us-west-2: ami-d2f489aa
us-west-1: ami-6b81980b
ecs_cluster_name: "{{ resource_prefix }}"
user_data: |
#!/bin/bash

14
test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
View file

@ -123,12 +123,24 @@
<<: *aws_connection_info
register: setup_sg
- name: find a suitable AMI
ec2_ami_facts:
owner: amazon
filters:
description: "Amazon Linux AMI* ECS *"
<<: *aws_connection_info
register: ec2_ami_facts
- name: set image id fact
set_fact:
ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"
- name: provision ec2 instance to create an image
ec2:
key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
instance_type: t2.micro
state: present
image: '{{ ecs_agent_images[aws_region] }}'
image: '{{ ecs_image_id }}'
wait: yes
user_data: "{{ user_data }}"
instance_profile_name: ecsInstanceRole