From a60fe1946c98996355a66e29ea487f96c9d3c629 Mon Sep 17 00:00:00 2001
From: Will Thames
Date: Wed, 6 Jun 2018 19:48:00 +1000
Subject: [PATCH] Remove ECS policies from AWS compute policy

The compute policy was exceeding maximum size and contained policies that already exist in ecs-policy.

Look up suitable AMIs rather than hardcode

We don't want to maintain multiple image IDs for multiple regions so use ec2_ami_facts to set a suitable image ID

Improve exception handling
---
 .../testing_policies/compute-policy.json | 46 -------------------
 .../modules/cloud/amazon/ecs_service.py | 4 +-
 .../roles/ecs_cluster/defaults/main.yml | 8 ----
 .../roles/ecs_cluster/tasks/main.yml | 14 +++++-
 4 files changed, 15 insertions(+), 57 deletions(-)

diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
index c9f31a4062..be4c4d0d51 100644
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@@ -109,29 +109,6 @@
 "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
 ]
 },
- {
- "Sid": "UnspecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository"
- ],
- "Resource": "*"
- },
- {
- "Sid": "SpecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:GetRepositoryPolicy",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- },
 {# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
 {# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
 {# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
@@ -238,29 +215,6 @@
 "arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
 ]
 },
- {
- "Sid": "AllowECSManagement",
- "Effect": "Allow",
- "Action": [
- "application-autoscaling:Describe*",
- "application-autoscaling:PutScalingPolicy",
- "application-autoscaling:RegisterScalableTarget",
- "cloudwatch:DescribeAlarms",
- "cloudwatch:PutMetricAlarm",
- "ecs:CreateCluster",
- "ecs:CreateService",
- "ecs:DeleteCluster",
- "ecs:DeleteService",
- "ecs:Describe*",
- "ecs:DeregisterTaskDefinition",
- "ecs:List*",
- "ecs:RegisterTaskDefinition",
- "ecs:UpdateService"
- ],
- "Resource": [
- "*"
- ]
- },
 {
 "Sid": "AllowSESManagement",
 "Effect": "Allow",
diff --git a/lib/ansible/modules/cloud/amazon/ecs_service.py b/lib/ansible/modules/cloud/amazon/ecs_service.py
index 3aada5d26d..7047cba965 100644
--- a/lib/ansible/modules/cloud/amazon/ecs_service.py
+++ b/lib/ansible/modules/cloud/amazon/ecs_service.py
@@ -523,7 +523,7 @@ def main():
 network_configuration,
 module.params['launch_type'])
 except botocore.exceptions.ClientError as e:
- module.fail_json(msg=e.message)
+ module.fail_json_aws(e, msg="Couldn't create service")
 results['service'] = response
@@ -548,7 +548,7 @@ def main():
 module.params['cluster']
 )
 except botocore.exceptions.ClientError as e:
- module.fail_json(msg=e.message)
+ module.fail_json_aws(e, msg="Couldn't delete service")
 results['changed'] = True
 elif module.params['state'] == 'deleting':
diff --git a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
index 335faf99d4..288f531f95 100644
--- a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
+++ b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
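Review bot: The new `module.fail_json_aws(e, msg="Couldn't create service")` still sits under `except botocore.exceptions.ClientError as e:`, so a `BotoCoreError` from the same `create_service` call (endpoint, credential or connection failure) escapes as a raw traceback even though `fail_json_aws` is built to format both families; widen the clause to `except (botocore.exceptions.ClientError, botocore.exceptions.BotoCoreError) as e:` here and in the delete hunk below. `fail_json_aws` exists only on `AnsibleAWSModule`, not on plain `AnsibleModule`, and the constructor is outside this hunk, so worth confirming `module` is built from the AWS subclass or the except branch itself will raise `AttributeError` instead of reporting the failure. The enclosing `main()` starts and ends outside the hunk.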
@@ -1,11 +1,3 @@
-# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
-# amzn-ami-2017.09.b-amazon-ecs-optimized
-ecs_agent_images:
- us-east-1: ami-71ef560b
- us-east-2: ami-1b8ca37e
- us-west-2: ami-d2f489aa
- us-west-1: ami-6b81980b
-
 ecs_cluster_name: "{{ resource_prefix }}"
 user_data: |
 #!/bin/bash
diff --git a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
index 490033538a..ccb23deb3f 100644
--- a/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
+++ b/test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
@@ -123,12 +123,24 @@
 <<: *aws_connection_info
 register: setup_sg
+ - name: find a suitable AMI
+ ec2_ami_facts:
+ owner: amazon
+ filters:
+ description: "Amazon Linux AMI* ECS *"
+ <<: *aws_connection_info
+ register: ec2_ami_facts
+
+ - name: set image id fact
+ set_fact:
+ ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"
+
 - name: provision ec2 instance to create an image
 ec2:
 key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
 instance_type: t2.micro
 state: present
- image: '{{ ecs_agent_images[aws_region] }}'
+ image: '{{ ecs_image_id }}'
 wait: yes
 user_data: "{{ user_data }}"
 instance_profile_name: ecsInstanceRole
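Review bot: `ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"` takes whichever matching AMI the lookup happened to list first — the DescribeImages result behind `ec2_ami_facts` carries no ordering guarantee — so the test may boot an arbitrarily old ECS-optimized image (stale agent, unpatched packages) rather than the current one, and the choice can differ between runs. Sort by creation date and take the newest: `ecs_image_id: "{{ (ec2_ami_facts.images | sort(attribute='creation_date') | last).image_id }}"`. Restricting the lookup to `owner: amazon` is the right call, since it keeps a look-alike public AMI from satisfying the `description` wildcard, but if nothing matches `first` fails on an empty list with an undefined-variable error rather than a clear message, so a `failed_when: ec2_ami_facts.images | length == 0` on the lookup task would name the real cause. The task list continues outside the hunk.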