ansible/hacking/aws_config/testing_policies/database-policy.json
Will Thames 60fb9fc208 Fix EC2 test suite to work with testing policies (#44387)
* Update testing policies to ensure all required permissions are present
* Tidy up security policies to reduce duplicate permissions
* Make roles static so that they can be present before CI is run,
  meaning that role creation permission is not required by the CI
  itself, only by someone setting up the roles prior to testing
* Move contents to cloudfront policy to network policy to ensure policy
  count (maximum of 10) stays low
* Maintain compute policy below 6144 bytes
2019-07-04 15:25:19 -04:00

102 lines
3.2 KiB
JSON

{
"Version": "2012-10-17",
"Statement": [
{
"Action": "iam:CreateServiceLinkedRole",
"Effect": "Allow",
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
"Condition": {
"StringLike": {
"iam:AWSServiceName":"rds.amazonaws.com"
}
}
},
{
"Sid": "AllowRDSReadEverywhere",
"Effect": "Allow",
"Action": [
"rds:ListTagsForResource",
"rds:DescribeDBInstances",
"rds:DescribeDBParameterGroups",
"rds:DescribeDBParameters",
"rds:DescribeDBSnapshots"
],
"Resource": ["*"]
},
{
"Sid": "AllowRDSModuleTests",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:CreateDBInstance",
"rds:DeleteDBInstance",
"rds:ModifyDBInstance",
"rds:PromoteReadReplica",
"rds:RebootDBInstance",
"rds:RemoveTagsFromResource",
"rds:StartDBInstance",
"rds:StopDBInstance"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
]
},
{
"Sid": "AllowRDSSnapshotManageSnapshots",
"Effect": "Allow",
"Action": [
"rds:AddTagsToResource",
"rds:CreateDBSnapshot",
"rds:DeleteDBInstance",
"rds:DeleteDBSnapshot",
"rds:RemoveTagsFromResource",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:CreateDBInstanceReadReplica"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
]
},
{
"Sid": "AllowRDSParameterGroupManagement",
"Effect": "Allow",
"Action": [
"rds:CreateDBParameterGroup",
"rds:DeleteDBParameterGroup",
"rds:ModifyDBParameterGroup",
"rds:AddTagsToResource",
"rds:RemoveTagsFromResource"
],
"Resource": [
"arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
]
},
{
"Sid": "AllowRedshiftManagment",
"Action": [
"redshift:CreateCluster",
"redshift:CreateTags",
"redshift:DeleteCluster",
"redshift:DeleteTags",
"redshift:DescribeClusters",
"redshift:DescribeTags",
"redshift:ModifyCluster",
"redshift:RebootCluster"
],
"Effect": "Allow",
"Resource": "*"
},
{
"Sid": "DMSEndpoints",
"Effect": "Allow",
"Action": [
"dms:CreateEndpoint",
"dms:DeleteEndpoint",
"dms:DescribeEndpoints",
"dms:ModifyEndpoint"
],
"Resource": ["*"]
}
]
}