ansible/community.general
1
0
Fork 0
mirror of https://github.com/ansible-collections/community.general.git synced 2024-09-14 20:13:21 +02:00
Code Releases Activity

Consolidate IAM policies into fewer, larger policies ()

Browse source 
Due to IAM limits allowing at most 10 policies per group,
need to reduce the number of total policies in use.
This commit is contained in:
Will Thames 2017-11-22 08:15:31 +10:00 committed by Sloane Hertel
parent 0962a0d816
commit 1ca0c0e7f7
9 changed files with 224 additions and 244 deletions

4
hacking/aws_config/setup-iam.yml
View file

@ -36,11 +36,11 @@
- name: Ensure Managed IAM policies exist - name: Ensure Managed IAM policies exist
iam_managed_policy: iam_managed_policy:
policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy" policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy"
policy: "{{ lookup('template', item) }}" policy: "{{ lookup('template', item) }}"
state: present state: present
profile: "{{ profile|default(omit) }}" profile: "{{ profile|default(omit) }}"
with_fileglob: "testing_policies/*" with_fileglob: "testing_policies/*.json"
register: iam_managed_policies register: iam_managed_policies
- debug: - debug:

33
hacking/aws_config/testing_policies/autoscaling-policy.json
View file

@ -1,33 +0,0 @@
{# Not all Autoscaling API Actions allow specified resources #}
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies"
],
"Resource": "*"
},
{
"Sid": "AllowAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:DeletePolicy"
],
"Resource": [
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
]
}
]
}

222
hacking/aws_config/testing_policies/compute-policy.json Normal file
View file

@ -0,0 +1,222 @@
{# Not all Autoscaling API Actions allow specified resources #}
{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "DescribeAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:DescribePolicies"
],
"Resource": "*"
},
{
"Sid": "AllowAutoscaling",
"Effect": "Allow",
"Action": [
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration",
"autoscaling:PutScalingPolicy",
"autoscaling:DeletePolicy"
],
"Resource": [
"arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
]
},
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
"Sid": "AllowUnspecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateSubnetCidrBlock",
"ec2:AttachInternetGateway",
"ec2:CreateImage",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteInternetGateway",
"ec2:DeleteKeyPair",
"ec2:DeleteNatGateway",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DeleteTags",
"ec2:DeregisterImage",
"ec2:DetachInternetGateway",
"ec2:Describe*",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation"
],
"Resource": "*"
},
{
"Sid": "AllowSpecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}::image/*",
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "UnspecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "*"
},
{
"Sid": "SpecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
},
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
{
"Sid": "AllowLoadBalancerOperations",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancerTags",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
],
"Resource": "*"
},
{# Only certain lambda actions can be restricted to a specific resource #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
{
"Sid": "AllowApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:{{aws_region}}::/*"
]
},
{
"Sid": "AllowGetUserForLambdaCreation",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
]
},
{
"Sid": "AllowLambdaManagementWithoutResource",
"Effect": "Allow",
"Action": [
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"lambda:ListTags",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": "*"
},
{
"Sid": "AllowLambdaManagementWithResource",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:CreateFunction",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:ListAliases",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
},
{
"Sid": "AllowLambdaRoleManagement",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
]
}
]
}

0
hacking/aws_config/testing_policies/rds-policy.json → hacking/aws_config/testing_policies/database-policy.json
View file

73
hacking/aws_config/testing_policies/ec2-policy.json
View file

@ -1,73 +0,0 @@
{# Note that not all EC2 API Actions allow a specific resource #}
{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowUnspecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:AssociateRouteTable",
"ec2:AssociateVpcCidrBlock",
"ec2:AssociateSubnetCidrBlock",
"ec2:CreateImage",
"ec2:AttachInternetGateway",
"ec2:CreateInternetGateway",
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:CreateRoute",
"ec2:CreateRouteTable",
"ec2:CreateSecurityGroup",
"ec2:CreateSnapshot",
"ec2:CreateSubnet",
"ec2:CreateTags",
"ec2:CreateVpc",
"ec2:DeleteKeyPair",
"ec2:DeleteInternetGateway",
"ec2:DeleteNatGateway",
"ec2:DeleteSnapshot",
"ec2:DeleteSubnet",
"ec2:DeleteRoute",
"ec2:DeleteRouteTable",
"ec2:DeleteTags",
"ec2:DeleteVpc",
"ec2:DeleteTags",
"ec2:DeregisterImage",
"ec2:Describe*",
"ec2:DetachInternetGateway",
"ec2:DisassociateAddress",
"ec2:DisassociateRouteTable",
"ec2:ImportKeyPair",
"ec2:ModifyImageAttribute",
"ec2:ModifyVpcAttribute",
"ec2:RegisterImage",
"ec2:ReleaseAddress",
"ec2:ReplaceRouteTableAssociation"
],
"Resource": "*"
},
{
"Sid": "AllowSpecifiedEC2Resource",
"Effect": "Allow",
"Action": [
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateTags",
"ec2:DeleteRouteTable",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:RevokeSecurityGroupIngress",
"ec2:RunInstances",
"ec2:TerminateInstances",
"ec2:UpdateSecurityGroupRuleDescriptionsIngress",
"ec2:UpdateSecurityGroupRuleDescriptionsEgress"
],
"Resource": [
"arn:aws:ec2:{{aws_region}}::image/*",
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
}
]
}

28
hacking/aws_config/testing_policies/ecr-policy.json
View file

@ -1,28 +0,0 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "UnspecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "*"
},
{
"Sid": "SpecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
}
]
}

31
hacking/aws_config/testing_policies/elb-policy.json
View file

@ -1,31 +0,0 @@
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowLoadBalancerOperations",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeLoadBalancerPolicies",
"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
"elasticloadbalancing:DescribeLoadBalancerTags",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer"
],
"Resource": "*"
}
]
}

77
hacking/aws_config/testing_policies/lambda-policy.json
View file

@ -1,77 +0,0 @@
{# Only certain lambda actions can be restricted to a specific resource #}
{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowApiGateway",
"Effect": "Allow",
"Action": [
"apigateway:*"
],
"Resource": [
"arn:aws:apigateway:{{aws_region}}::/*"
]
},
{
"Sid": "AllowGetUserForLambdaCreation",
"Effect": "Allow",
"Action": [
"iam:GetUser"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
]
},
{
"Sid": "AllowLambdaManagementWithoutResource",
"Effect": "Allow",
"Action": [
"lambda:CreateEventSourceMapping",
"lambda:GetAccountSettings",
"lambda:GetEventSourceMapping",
"lambda:ListEventSourceMappings",
"lambda:ListFunctions",
"lambda:ListTags",
"lambda:TagResource",
"lambda:UntagResource"
],
"Resource": "*"
},
{
"Sid": "AllowLambdaManagementWithResource",
"Effect": "Allow",
"Action": [
"lambda:AddPermission",
"lambda:CreateAlias",
"lambda:CreateFunction",
"lambda:DeleteAlias",
"lambda:DeleteFunction",
"lambda:GetAlias",
"lambda:GetFunction",
"lambda:GetFunctionConfiguration",
"lambda:GetPolicy",
"lambda:InvokeFunction",
"lambda:ListAliases",
"lambda:ListVersionsByFunction",
"lambda:PublishVersion",
"lambda:RemovePermission",
"lambda:UpdateAlias",
"lambda:UpdateEventSourceMapping",
"lambda:UpdateFunctionCode",
"lambda:UpdateFunctionConfiguration"
],
"Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
},
{
"Sid": "AllowLambdaRoleManagement",
"Effect": "Allow",
"Action": [
"iam:PassRole"
],
"Resource": [
"arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
]
}
]
}

0
hacking/aws_config/testing_policies/s3-policy.json → hacking/aws_config/testing_policies/storage-policy.json
View file