60fb9fc208
* Update testing policies to ensure all required permissions are present * Tidy up security policies to reduce duplicate permissions * Make roles static so that they can be present before CI is run, meaning that role creation permission is not required by the CI itself, only by someone setting up the roles prior to testing * Move contents to cloudfront policy to network policy to ensure policy count (maximum of 10) stays low * Maintain compute policy below 6144 bytes
102 lines
3.2 KiB
JSON
102 lines
3.2 KiB
JSON
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": "iam:CreateServiceLinkedRole",
|
|
"Effect": "Allow",
|
|
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
|
|
"Condition": {
|
|
"StringLike": {
|
|
"iam:AWSServiceName":"rds.amazonaws.com"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowRDSReadEverywhere",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:ListTagsForResource",
|
|
"rds:DescribeDBInstances",
|
|
"rds:DescribeDBParameterGroups",
|
|
"rds:DescribeDBParameters",
|
|
"rds:DescribeDBSnapshots"
|
|
],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSModuleTests",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:AddTagsToResource",
|
|
"rds:CreateDBInstance",
|
|
"rds:DeleteDBInstance",
|
|
"rds:ModifyDBInstance",
|
|
"rds:PromoteReadReplica",
|
|
"rds:RebootDBInstance",
|
|
"rds:RemoveTagsFromResource",
|
|
"rds:StartDBInstance",
|
|
"rds:StopDBInstance"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSSnapshotManageSnapshots",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:AddTagsToResource",
|
|
"rds:CreateDBSnapshot",
|
|
"rds:DeleteDBInstance",
|
|
"rds:DeleteDBSnapshot",
|
|
"rds:RemoveTagsFromResource",
|
|
"rds:RestoreDBInstanceFromDBSnapshot",
|
|
"rds:CreateDBInstanceReadReplica"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSParameterGroupManagement",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:CreateDBParameterGroup",
|
|
"rds:DeleteDBParameterGroup",
|
|
"rds:ModifyDBParameterGroup",
|
|
"rds:AddTagsToResource",
|
|
"rds:RemoveTagsFromResource"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRedshiftManagment",
|
|
"Action": [
|
|
"redshift:CreateCluster",
|
|
"redshift:CreateTags",
|
|
"redshift:DeleteCluster",
|
|
"redshift:DeleteTags",
|
|
"redshift:DescribeClusters",
|
|
"redshift:DescribeTags",
|
|
"redshift:ModifyCluster",
|
|
"redshift:RebootCluster"
|
|
],
|
|
"Effect": "Allow",
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "DMSEndpoints",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"dms:CreateEndpoint",
|
|
"dms:DeleteEndpoint",
|
|
"dms:DescribeEndpoints",
|
|
"dms:ModifyEndpoint"
|
|
],
|
|
"Resource": ["*"]
|
|
}
|
|
]
|
|
}
|