cfbe9c8aee
* Add integration test suite for ec2_vpc_subnet * wrap boto3 connection in try/except update module documentation and add RETURN docs add IPv6 support to VPC subnet module rename ipv6cidr to ipv6_cidr, use required_if for parameter testing, update some failure messages to be more descriptive DryRun mode was removed from this function a while ago but exception handling was still checking for it, removed add wait and timeout for subnet creation process fixup the ipv6 cidr disassociation logic a bit per review update RETURN values per review added module parameter check removed DryRun parameter from boto3 call since it would always be false here fix subnet wait loop add a purge_tags parameter, fix the ensure_tags function, update to use compare_aws_tags func fix tags type error per review remove **kwargs use in create_subnet function per review * rebased on #31870, fixed merge conflicts, and updated error messages * fixes to pass tests * add test for failure on invalid ipv6 block and update tags test for purge_tags=true function * fix pylint issue * fix exception handling error when run with python3 * add ipv6 tests and fix module code * Add permissions to hacking/aws_config/testing_policies/ec2-policy.json for adding IPv6 cidr blocks to VPC and subnets * fix type in tests and update assert conditional to check entire returned value * add AWS_SESSION_TOKEN into environment for aws cli commands to work in CI * remove key and value options from call to boto3_tag_list_to_ansible_dict * remove wait loop and use boto3 EC2 waiter * remove unused register: result vars * revert az argument default value to original setting default=None
68 lines
2.5 KiB
JSON
68 lines
2.5 KiB
JSON
{# Note that not all EC2 API Actions allow a specific resource #}
|
|
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AllowUnspecifiedEC2Resource",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:AllocateAddress",
|
|
"ec2:AssociateAddress",
|
|
"ec2:AssociateRouteTable",
|
|
"ec2:AssociateVpcCidrBlock",
|
|
"ec2:AssociateSubnetCidrBlock",
|
|
"ec2:CreateImage",
|
|
"ec2:AttachInternetGateway",
|
|
"ec2:CreateInternetGateway",
|
|
"ec2:CreateKeyPair",
|
|
"ec2:CreateNatGateway",
|
|
"ec2:CreateRouteTable",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateSnapshot",
|
|
"ec2:CreateSubnet",
|
|
"ec2:CreateTags",
|
|
"ec2:CreateVpc",
|
|
"ec2:DeleteKeyPair",
|
|
"ec2:DeleteNatGateway",
|
|
"ec2:DeleteSnapshot",
|
|
"ec2:DeleteSubnet",
|
|
"ec2:DeleteTags",
|
|
"ec2:DeleteVpc",
|
|
"ec2:DeleteTags",
|
|
"ec2:DeregisterImage",
|
|
"ec2:Describe*",
|
|
"ec2:DisassociateAddress",
|
|
"ec2:DisassociateRouteTable",
|
|
"ec2:ImportKeyPair",
|
|
"ec2:ModifyImageAttribute",
|
|
"ec2:ModifyVpcAttribute",
|
|
"ec2:RegisterImage",
|
|
"ec2:ReleaseAddress",
|
|
"ec2:ReplaceRouteTableAssociation"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "AllowSpecifiedEC2Resource",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:AuthorizeSecurityGroupIngress",
|
|
"ec2:AuthorizeSecurityGroupEgress",
|
|
"ec2:CreateTags",
|
|
"ec2:DeleteRouteTable",
|
|
"ec2:DeleteSecurityGroup",
|
|
"ec2:RevokeSecurityGroupEgress",
|
|
"ec2:RevokeSecurityGroupIngress",
|
|
"ec2:RunInstances",
|
|
"ec2:TerminateInstances",
|
|
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
|
|
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:ec2:{{aws_region}}::image/*",
|
|
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
|
]
|
|
}
|
|
]
|
|
}
|