ansible/hacking/aws_config/testing_policies/compute-policy.json
Tom De Keyser 6f74fca238 New module for AWS Step Functions state machines (#59116)
* add new module: aws_stepfunctions_state_machine

* add integration tests for new module: aws_stepfunctions_state_machine

* fix sanity checks

* use files/ folder instead for integration test

* rename role name in integration test

* attempt further permissions

* iam states prefix

* iam integration test prefix

* add iam policy for running step functions state machine actions

* slightly increase iam permission scope

* rename integration test folder to proper name

* move main() method to end of file

* move contents of integration-policy.json for state machines to compute-policy.json

* make check_mode return proper changed value + add check_mode integration tests

* rename module to aws_step_functions_state_machine

* fix missed rename in integration test variable

* add purge_tags option

* bump to version 2.10
2019-09-09 10:08:21 -07:00

290 lines
11 KiB
JSON

{# Not all Autoscaling API Actions allow specified resources #}
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies"
],
"Resource": "*"
},
{
"Sid": "AllowAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:*LaunchConfiguration",
"autoscaling:*LoadBalancers",
"autoscaling:*AutoScalingGroup",
"autoscaling:*MetricsCollection",
"autoscaling:PutScalingPolicy",
"autoscaling:DeletePolicy",
"autoscaling:*Tags"
],
"Resource": [
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
]
},
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
"Sid": "AllowUnspecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:*LaunchTemplate",
"ec2:*LaunchTemplateVersion",
"ec2:*LaunchTemplateVersions",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateDhcpOptions",
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:AttachNetworkInterface",
"ec2:AttachVolume",
"ec2:AttachVpnGateway",
"ec2:CreateCustomerGateway",
"ec2:CreateDhcpOptions",
"ec2:CreateImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateNetworkInterface",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:CreateVpnConnection",
"ec2:CreateVpnGateway",
"ec2:DeleteCustomerGateway",
"ec2:DeleteDhcpOptions",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteNetworkInterface",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DeleteVpnConnection",
"ec2:DeleteVpnGateway",
"ec2:DeregisterImage",
"ec2:DetachInternetGateway",
"ec2:DetachVpnGateway",
"ec2:Describe*",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:DisassociateSubnetCidrBlock",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyInstanceAttribute",
"ec2:ModifySubnetAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation",
"ec2:ReplaceIamInstanceProfileAssociation",
"ec2:ReportInstanceStatus"
],
"Resource": "*"
},
{
"Sid": "AllowSpecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:CreateVolume",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVolume",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:StartInstances",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}::image/*",
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
{
"Sid": "AllowLoadBalancerOperations",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:*LoadBalancer",
"elasticloadbalancing:*LoadBalancers",
"elasticloadbalancing:*LoadBalancerListeners",
"elasticloadbalancing:*TargetGroup",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:CreateRule",
"elasticloadbalancing:DeleteListener",
"elasticloadbalancing:DeleteRule",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancer*",
"elasticloadbalancing:DescribeTags",
"elasticloadbalancing:ModifyListener",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:ModifyRule",
"elasticloadbalancing:RemoveTags"
],
"Resource": "*"
},
{# Only certain lambda actions can be restricted to a specific resource #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
{
"Sid": "AllowApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:{{aws_region}}::/*"
]
},
{
"Sid": "AllowGetUserForLambdaCreation",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
]
},
{
"Sid": "AllowLambdaManagementWithoutResource",
"Effect": "Allow",
"Action": [
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
"lambda:List*",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": "*"
},
{
"Sid": "AllowLambdaManagementWithResource",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:CreateFunction",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
},
{
"Sid": "AllowRoleManagement",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
"arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
"arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
"arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
"arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
]
},
{
"Sid": "AllowSESManagement",
"Effect": "Allow",
"Action": [
"ses:VerifyEmailIdentity",
"ses:DeleteIdentity",
"ses:GetIdentityVerificationAttributes",
"ses:GetIdentityNotificationAttributes",
"ses:VerifyDomainIdentity",
"ses:SetIdentityNotificationTopic",
"ses:SetIdentityHeadersInNotificationsEnabled",
"ses:SetIdentityFeedbackForwardingEnabled",
"ses:GetIdentityPolicies",
"ses:PutIdentityPolicy",
"ses:DeleteIdentityPolicy",
"ses:ListIdentityPolicies",
"ses:SetIdentityFeedbackForwardingEnabled",
"ses:ListReceiptRuleSets",
"ses:DescribeReceiptRuleSet",
"ses:DescribeActiveReceiptRuleSet",
"ses:SetActiveReceiptRuleSet",
"ses:CreateReceiptRuleSet",
"ses:DeleteReceiptRuleSet"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowSNSManagement",
"Effect": "Allow",
"Action": [
"SNS:CreateTopic",
"SNS:DeleteTopic",
"SNS:GetTopicAttributes",
"SNS:ListSubscriptions",
"SNS:ListSubscriptionsByTopic",
"SNS:ListTopics",
"SNS:SetTopicAttributes",
"SNS:Subscribe",
"SNS:Unsubscribe"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowStepFunctionsStateMachine",
"Effect": "Allow",
"Action": [
"states:CreateStateMachine",
"states:DeleteStateMachine",
"states:DescribeStateMachine",
"states:ListStateMachines",
"states:ListTagsForResource",
"states:TagResource",
"states:UntagResource",
"states:UpdateStateMachine"
],
"Resource": [
"arn:aws:states:*"
]
}
]
}