ansible/hacking/aws_config/setup-iam.yml
Will Thames 0ed1c3ba9c Split up testing IAM policies and automate creating them (#26223)
* Split up testing IAM policies and automate creating them

Move to managed policies to avoid the 5KB limit on policies
for an IAM entity.

The policy file is templated, so need to make sure that there
is an easy mechanism to populate the templates and push the
new policies.

* Update IAM policies for ec2_scaling_policy tests

* Fix RouteTable policies

DescribeRouteTable should be plural
ModifyRouteTable does not exist, but ReplaceRouteTableAssociation
does.

* Some IAM policies do not allow specified Resources

Various IAM policies do not allow Resources
to be specified and should just use `*`. This differs
per service

* [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources)
* [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions)
* [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html)
* [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html)

* Finish fixing AWS IAM resource specifications for testing

Update Lambda and RDS policies
2017-07-14 14:50:55 +10:00

51 lines
1.7 KiB
YAML

# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv
#
# Creates IAM policies and associates them with iam_group. This group
# can then be associated with an appropriate user
#
# You can pass -e profile=boto_profile_name if you have a profile that
# you can use, otherwise use normal AWS methods (env variables, instance
# profile, etc)
#
# If you want to use a region other than us-east-1 (and only us-east-2
# works with ansible-test), pass -e region=us-east-2
#
# Requires 2.4 for iam_managed_policy and iam_group
- hosts: localhost
connection: local
gather_facts: no
vars:
aws_region: "{{ region|default('us-east-1') }}"
tasks:
- name: Check that required variables are set
fail:
msg: "You must set the iam_group variable"
when: iam_group is not defined
- name: Get aws account ID
command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}"
changed_when: False
register: aws_account_command
- name: Set aws_account_fact
set_fact:
aws_account: "{{ aws_account_command.stdout }}"
- name: Ensure Managed IAM policies exist
iam_managed_policy:
policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy"
policy: "{{ lookup('template', item) }}"
state: present
profile: "{{ profile|default(omit) }}"
with_fileglob: "testing_policies/*"
register: iam_managed_policies
- name: Ensure IAM group exists and attach managed policies
iam_group:
name: "{{ iam_group }}"
state: present
managed_policy: "{{ iam_managed_policies | json_query('results[].policy.PolicyName') }}"
profile: "{{ profile|default(omit) }}"