aws integration tests - provide an IAM policy for running (#24725)

* aws integration tests - provide an IAM policy that can be used for running them

* move documentation of aws policies into main integration testing documentation + some updates there

* Update testing_integration.rst

This commit is contained in:
Michael De La Rue 2017-05-19 22:37:39 +01:00 committed by scottb
parent 4a718645e8
commit e9e661ebbb
3 changed files with 310 additions and 10 deletions

View file

@ -29,7 +29,9 @@ more information about supported credentials, refer to ``credentials.template``.
Prerequisites
=============
The tests will assume things like hg, svn, and git are installed and in path.
The tests will assume things like hg, svn, and git are installed and in path. Some tests
(such as those for Amazon Web Services) need separate definitions, which will be covered
later in this document.
(Complete list pending)
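Review bot: the added sentence says the AWS tests "need separate definitions" without saying what kind; the section it points to covers credentials (``cloud-config-aws.yml``) and an IAM policy, so name them here, e.g. "need their own credentials and IAM configuration, which are covered later in this document". The retained "(Complete list pending)" line now reads as a continuation of the new sentence; put it in its own paragraph or drop it.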
@ -139,10 +141,38 @@ To test with Python 3 use the following images:
- ubuntu1604py3
Cloud Tests
===========
Legacy Cloud Tests
==================
See the :doc:`testing_integration_legacy` page for more information.
Some of the cloud tests run as normal integration tests, and others run as legacy tests; see the
:doc:`testing_integration_legacy` page for more information.
Other configuration for Cloud Tests
===================================
In order to run some tests, you must provide access credentials in a file named
``cloud-config-aws.yml`` or ``cloud-config-cs.ini`` in the test/integration
directory. Corresponding .template files are available for for syntax help. The newer AWS
tests now use the file test/integration/cloud-config-aws.yml
IAM policies for AWS
====================
Ansible needs fairly wide ranging powers to run the tests in an AWS account. This rights can be provided to a dedicated user. These need to be configured before running the test.
testing-iam-policy.json.j2
--------------------------
The testing-iam-policy.json.j2 file contains a policy which can be given to the user
running the tests to minimize the rights of that user. Please note that while this policy does limit the user to one region, this does not fully restrict the user (primarily due to the limitations of the Amazon ARN notation). The user will still have wide privileges for viewing account definitions, and will also able to manage some resources that are not related to testing (for example, AWS lambdas with different names). Tests should not be run in a primary production account in any case.
Other Definitions required
--------------------------
Apart from installing the policy and giving it to the user identity running the tests, a
lambda role `ansible_integration_tests` has to be created which has lambda basic execution
privileges.
Network Tests
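Review bot: the role name in the new "Other Definitions required" paragraph does not match the policy this commit adds: the text asks for a lambda role called `ansible_integration_tests`, but the policy's ``iam:PassRole`` statement only names ``role/ansible_lambda_role`` (``ansible_integration_tests`` appears in the policy as the user for ``iam:GetUser``). Pick one name and use it in both places, otherwise the lambda tests fail on PassRole with the documented setup. Smaller points in the same hunk: `ansible_integration_tests` is in single backticks, which reStructuredText renders as interpreted text rather than a literal; the rest of the file uses double backticks (``cloud-config-aws.yml``). "This rights can be provided" should be "These rights can be provided"; "available for for syntax help" doubles "for"; "will also able to manage" is missing "be". The paragraph under "Other configuration for Cloud Tests" names both ``cloud-config-aws.yml`` and ``cloud-config-cs.ini`` and then repeats the AWS filename in its last sentence; one sentence per file would be clearer. Finally, the text states that the policy "does limit the user to one region", but the policy's API Gateway statement is pinned to ``us-east-1`` rather than ``{{aws_region}}`` and the two IAM statements are global, so qualify that claim to the EC2, RDS, ELB, ECR and autoscaling statements.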
@ -159,7 +189,6 @@ This page details the specifics around testing Ansible Networking modules.
How to do this is explained in the rest of this document.
Network integration tests can be ran by doing::
cd test/integration

View file

@ -8,7 +8,7 @@ This page details how to run the integration tests that haven't been ported to t
The following areas are still tested using the legacy ``make tests`` command:
* amazon
* amazon (some)
* azure
* cloudflare
* cloudscale
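Review bot: "* amazon (some)" tells the reader that part of the Amazon tests moved without saying which ones or where they are now documented. Since this commit moves the AWS setup into the main testing_integration document, a cross-reference next to the bullet, such as "see :doc:`testing_integration` for the AWS tests that have been converted", would let someone find the right page.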
@ -37,7 +37,6 @@ In order to run cloud tests, you must provide access credentials in a file
named ``credentials.yml``. A sample credentials file named
``credentials.template`` is available for syntax help.
Provide cloud credentials::
cp credentials.template credentials.yml
@ -47,9 +46,35 @@ Provide cloud credentials::
Other configuration
===================
In order to run some tests, you must provide access credentials in a file
named ``credentials.yml``. A sample credentials file named
``credentials.template`` is available for syntax help.
In order to run some tests, you must provide access credentials in a file named
``credentials.yml``. A sample credentials file named ``credentials.template`` is available
for syntax help.
IAM policies for AWS
====================
In order to run the tests in an AWS account ansible needs fairly wide ranging powers which
can be provided to a dedicated user or temporary credentials using a specific policy
configured in the AWS account.
testing-iam-policy.json.j2
--------------------------
The testing-iam-policy.json.j2 file contains a policy which can be given to the user
running the tests to give close to minimum rights required to run the tests. Please note
that this does not fully restrict the user; The user has wide privileges for viewing
account definitions and is also able to manage some resources that are not related to
testing (e.g. AWS lambdas with different names) primarily due to the limitations of the
Amazon ARN notation. At the very least the policy limits the user to one region, however
tests should not be run in a primary production account in any case.
Other Definitions required
--------------------------
Apart from installing the policy and giving it to the user identity running
the tests, a lambda role `ansible_integration_tests` has to be created which
has lambda basic execution privileges.
Running Tests
=============
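Review bot: the "IAM policies for AWS" section added here duplicates the one added to the main testing_integration document in this same commit, even though the commit message describes a move, so the same text now lives in two files and will drift. Keep one copy (the main document) and replace this one with a :doc:`testing_integration` reference. If the section stays, the same fixes apply as in the main document: `ansible_integration_tests` in single backticks is interpreted text, not a literal, in reStructuredText (use double backticks as ``credentials.yml`` does a few lines above); "ansible needs" should be capitalised; "the user; The user has" should continue with a lower-case "the" after the semicolon; and the role name ``ansible_integration_tests`` does not match the ``role/ansible_lambda_role`` ARN in the policy's PassRole statement. The rewrapped "Other configuration" paragraph is a pure re-flow with identical wording, which is fine.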

View file

@ -0,0 +1,246 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescribeAllEC2",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "MiscPrivilegesNeededByEC2Tests",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:DeleteKeyPair",
"ec2:ImportKeyPair",
"ec2:RunInstances",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:CreateRouteTable",
"ec2:ModifyRouteTable",
"ec2:DescribeRouteTable",
"ec2:AssociateRouteTable",
"ec2:DisassociateRouteTable",
"ec2:ModifyVpcAttribute",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DeleteNatGateway"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "AllowManageSecurityGroupsForSetup",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
]
},
{
"Sid": "AllowAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": [
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "AllowReadAllLoadBalancers",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeInstanceHealth"
],
"Resource": [
"arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
]
},
{
"Sid": "AllowManagementofOwnLoadBalancers",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth"
],
"Resource": [
"arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
]
},
{
"Sid": "AllowCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
},
{
"Sid": "AllowOldRDSModule",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:DeleteDBInstance"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
]
},
{
"Sid": "AllowRDSModuleCompatibilityTests",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:ListTagsForResource",
"rds:DeleteDBInstance"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
]
},
{
"Sid": "AllowRDSInstanceManageOwnInstance",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:ListTagsForResource",
"rds:DescribeDBInstances"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
]
},
{
"Sid": "AllowRDSSnapshotManageSnapshots",
"Effect": "Allow",
"Action": [
"rds:DescribeDBSnapshots",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:DeleteDBInstance",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:CreateDBInstanceReadReplica"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
]
},
{
"Sid": "AlowS3AnsibleTestBuckets",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteBucket",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::ansible_test_*",
"arn:aws:s3:::ansible_test_*/*"
]
},
{
"Sid": "AllowApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:us-east-1::*"
]
},
{
"Sid": "AllowGetUserForLambdaCreation",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::459030870916:user/ansible_integration_tests"
]
},
{
"Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
"Effect": "Allow",
"Action": [
"lambda:*"
],
"Resource": [
"arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
]
},
{
"Sid": "AllowLambdaRoleManagement",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::459030870916:role/ansible_lambda_role"
]
}
]
}
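Review bot: the two IAM ARNs (``arn:aws:iam::459030870916:user/ansible_integration_tests`` and ``arn:aws:iam::459030870916:role/ansible_lambda_role``) hard-code an account id while every other statement uses ``{{aws_account}}``, and the API Gateway statement hard-codes ``us-east-1`` where the others use ``{{aws_region}}``; as a .j2 template this policy only renders correctly for that one account, so use the template variables throughout. The role name here (``ansible_lambda_role``) also disagrees with the ``ansible_integration_tests`` role the documentation tells the user to create; align the two. The "AllowDescribeAllEC2" statement scopes ``ec2:Describe*`` to an account-qualified ARN, but EC2 Describe calls do not support resource-level permissions and are denied unless granted on ``"Resource": "*"``; the same holds for the autoscaling and classic ELB Describe actions and for ``ec2:DescribeSecurityGroups`` on ``security-group/*``, so collect the describe actions into one statement on ``"*"``. ``ec2:RunInstances`` likewise has to be allowed on the AMI, whose ARN has an empty account field (``arn:aws:ec2:region::image/*``), so the account-scoped wildcard will not match it. "ec2:DescribeRouteTable" is not an action name (the API is DescribeRouteTables) and is already covered by ``ec2:Describe*``. The VPC statement grants CreateVpc, CreateSubnet, CreateRouteTable, CreateInternetGateway and AttachInternetGateway but none of the matching Delete/Detach actions, so test cleanup will fail and leave billable resources behind in the test account. Several actions are listed more than once (``ecr:DescribeRepositories`` three times, ``ecr:DeleteRepositoryPolicy`` twice, ``rds:DescribeDBSnapshots`` twice), the sid "AlowS3AnsibleTestBuckets" is misspelt, and "AllowLambdaManagementxxxWildcardDoesntWorkRight" reads like a debugging note: name it "AllowLambdaManagement" and keep the explanation of the ARN limitation in the documentation, which already mentions it.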