f972994662
* Add tests for group in a VPC * Improve ec2_group output and documentation Update ec2_group to provide full security group information Add RETURN documentation to match * Fix ec2_group creation within a VPC Ensure VPC ID gets passed when creating security group * Add test for auto creating SG * Fix ec2_group auto group creation * Add backoff to describe_security_groups Getting LimitExceeded from describe_security_groups is definitely possible (source: me) so add backoff to increase likelihood of success. To ensure that all `describe_security_group` calls are backed off, remove implicit ones that use `ec2.SecurityGroup`. From there, the decision to remove the `ec2` boto3 resource and rely on the client alone makes good sense. * Tidy up auto created security group Add resource_prefix to auto created security group and delete it in the `always` section. Use YAML argument form for all module parameters
53 lines
1.9 KiB
JSON
53 lines
1.9 KiB
JSON
{# Note that not all EC2 API Actions allow a specific resource #}
|
|
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
|
|
{
|
|
"Version": "2012-10-17",
|
|
"Statement": [
|
|
{
|
|
"Sid": "AllowUnspecifiedEC2Resource",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:AllocateAddress",
|
|
"ec2:AssociateAddress",
|
|
"ec2:AssociateRouteTable",
|
|
"ec2:AttachInternetGateway",
|
|
"ec2:CreateInternetGateway",
|
|
"ec2:CreateKeyPair",
|
|
"ec2:CreateNatGateway",
|
|
"ec2:CreateRouteTable",
|
|
"ec2:CreateSecurityGroup",
|
|
"ec2:CreateSubnet",
|
|
"ec2:CreateVpc",
|
|
"ec2:DeleteKeyPair",
|
|
"ec2:DeleteNatGateway",
|
|
"ec2:DeleteVpc",
|
|
"ec2:Describe*",
|
|
"ec2:DisassociateAddress",
|
|
"ec2:DisassociateRouteTable",
|
|
"ec2:ImportKeyPair",
|
|
"ec2:ModifyVpcAttribute",
|
|
"ec2:ReleaseAddress",
|
|
"ec2:ReplaceRouteTableAssociation"
|
|
],
|
|
"Resource": "*"
|
|
},
|
|
{
|
|
"Sid": "AllowSpecifiedEC2Resource",
|
|
"Effect": "Allow",
|
|
"Action": [
|
|
"ec2:AuthorizeSecurityGroupIngress",
|
|
"ec2:AuthorizeSecurityGroupEgress",
|
|
"ec2:CreateTags",
|
|
"ec2:DeleteRouteTable",
|
|
"ec2:DeleteSecurityGroup",
|
|
"ec2:RevokeSecurityGroupEgress",
|
|
"ec2:RevokeSecurityGroupIngress",
|
|
"ec2:RunInstances",
|
|
"ec2:TerminateInstances"
|
|
],
|
|
"Resource": [
|
|
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
|
]
|
|
}
|
|
]
|
|
}
|