a09aa205e1
* Update testing policy to be correct for RDS test suite * Create read replica in same region to avoid more permissions being required * Ensure modifying DB doesn't try to downgrade engine version * Add tags to main test suite to limit number of tests run for problem solving
91 lines
3 KiB
JSON
91 lines
3 KiB
JSON
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Action": "iam:CreateServiceLinkedRole",
|
|
"Effect": "Allow",
|
|
"Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
|
|
"Condition": {
|
|
"StringLike": {
|
|
"iam:AWSServiceName":"rds.amazonaws.com"
|
|
}
|
|
}
|
|
},
|
|
{
|
|
"Sid": "AllowRDSReadEverywhere",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:ListTagsForResource",
|
|
"rds:DescribeDBInstances",
|
|
"rds:DescribeDBParameterGroups",
|
|
"rds:DescribeDBParameters",
|
|
"rds:DescribeDBSnapshots"
|
|
],
|
|
"Resource": ["*"]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSModuleTests",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:AddTagsToResource",
|
|
"rds:CreateDBInstance",
|
|
"rds:DeleteDBInstance",
|
|
"rds:ModifyDBInstance",
|
|
"rds:PromoteReadReplica",
|
|
"rds:RebootDBInstance",
|
|
"rds:RemoveTagsFromResource",
|
|
"rds:StartDBInstance",
|
|
"rds:StopDBInstance"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSSnapshotManageSnapshots",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:AddTagsToResource",
|
|
"rds:CreateDBSnapshot",
|
|
"rds:DeleteDBInstance",
|
|
"rds:DeleteDBSnapshot",
|
|
"rds:RemoveTagsFromResource",
|
|
"rds:RestoreDBInstanceFromDBSnapshot",
|
|
"rds:CreateDBInstanceReadReplica"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRDSParameterGroupManagement",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"rds:CreateDBParameterGroup",
|
|
"rds:DeleteDBParameterGroup",
|
|
"rds:ModifyDBParameterGroup",
|
|
"rds:AddTagsToResource",
|
|
"rds:RemoveTagsFromResource"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
|
|
]
|
|
},
|
|
{
|
|
"Sid": "AllowRedshiftManagment",
|
|
"Action": [
|
|
"redshift:CreateCluster",
|
|
"redshift:CreateTags",
|
|
"redshift:DeleteCluster",
|
|
"redshift:DeleteTags",
|
|
"redshift:DescribeClusters",
|
|
"redshift:DescribeTags",
|
|
"redshift:ModifyCluster",
|
|
"redshift:RebootCluster"
|
|
],
|
|
"Effect": "Allow",
|
|
"Resource": "*"
|
|
}
|
|
]
|
|
}
|