Remove ECS policies from AWS compute policy
The compute policy was exceeding the maximum size and contained statements that already exist in ecs-policy. Look up suitable AMIs rather than hard-coding them: we don't want to maintain multiple image IDs for multiple regions, so use ec2_ami_facts to set a suitable image ID. Improve exception handling.
This commit is contained in:
parent
fbcd6f8a65
commit
a60fe1946c
4 changed files with 15 additions and 57 deletions
|
@ -109,29 +109,6 @@
|
||||||
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"Sid": "UnspecifiedCodeRepositories",
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Action": [
|
|
||||||
"ecr:DescribeRepositories",
|
|
||||||
"ecr:CreateRepository"
|
|
||||||
],
|
|
||||||
"Resource": "*"
|
|
||||||
},
|
|
||||||
{
|
|
||||||
"Sid": "SpecifiedCodeRepositories",
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Action": [
|
|
||||||
"ecr:GetRepositoryPolicy",
|
|
||||||
"ecr:SetRepositoryPolicy",
|
|
||||||
"ecr:DeleteRepository",
|
|
||||||
"ecr:DeleteRepositoryPolicy",
|
|
||||||
"ecr:DeleteRepositoryPolicy"
|
|
||||||
],
|
|
||||||
"Resource": [
|
|
||||||
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
|
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
|
||||||
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
|
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
|
||||||
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
|
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
|
||||||
|
@ -238,29 +215,6 @@
|
||||||
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
|
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
|
||||||
]
|
]
|
||||||
},
|
},
|
||||||
{
|
|
||||||
"Sid": "AllowECSManagement",
|
|
||||||
"Effect": "Allow",
|
|
||||||
"Action": [
|
|
||||||
"application-autoscaling:Describe*",
|
|
||||||
"application-autoscaling:PutScalingPolicy",
|
|
||||||
"application-autoscaling:RegisterScalableTarget",
|
|
||||||
"cloudwatch:DescribeAlarms",
|
|
||||||
"cloudwatch:PutMetricAlarm",
|
|
||||||
"ecs:CreateCluster",
|
|
||||||
"ecs:CreateService",
|
|
||||||
"ecs:DeleteCluster",
|
|
||||||
"ecs:DeleteService",
|
|
||||||
"ecs:Describe*",
|
|
||||||
"ecs:DeregisterTaskDefinition",
|
|
||||||
"ecs:List*",
|
|
||||||
"ecs:RegisterTaskDefinition",
|
|
||||||
"ecs:UpdateService"
|
|
||||||
],
|
|
||||||
"Resource": [
|
|
||||||
"*"
|
|
||||||
]
|
|
||||||
},
|
|
||||||
{
|
{
|
||||||
"Sid": "AllowSESManagement",
|
"Sid": "AllowSESManagement",
|
||||||
"Effect": "Allow",
|
"Effect": "Allow",
|
||||||
|
|
|
@ -523,7 +523,7 @@ def main():
|
||||||
network_configuration,
|
network_configuration,
|
||||||
module.params['launch_type'])
|
module.params['launch_type'])
|
||||||
except botocore.exceptions.ClientError as e:
|
except botocore.exceptions.ClientError as e:
|
||||||
module.fail_json(msg=e.message)
|
module.fail_json_aws(e, msg="Couldn't create service")
|
||||||
|
|
||||||
results['service'] = response
|
results['service'] = response
|
||||||
|
|
||||||
|
@ -548,7 +548,7 @@ def main():
|
||||||
module.params['cluster']
|
module.params['cluster']
|
||||||
)
|
)
|
||||||
except botocore.exceptions.ClientError as e:
|
except botocore.exceptions.ClientError as e:
|
||||||
module.fail_json(msg=e.message)
|
module.fail_json_aws(e, msg="Couldn't delete service")
|
||||||
results['changed'] = True
|
results['changed'] = True
|
||||||
|
|
||||||
elif module.params['state'] == 'deleting':
|
elif module.params['state'] == 'deleting':
|
||||||
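Review bot: The new `fail_json_aws` calls on the create and delete paths still only catch `botocore.exceptions.ClientError`, so a `BotoCoreError` (a credential, endpoint or connection failure, for instance) escapes as an unhandled traceback instead of a clean module failure; the usual pattern is `except (botocore.exceptions.BotoCoreError, botocore.exceptions.ClientError) as e:` on both except lines. `fail_json_aws` exists only on `AnsibleAWSModule`, which this hunk does not show, so it is worth confirming the module object is constructed with that class rather than plain `AnsibleModule`, or the handler itself will raise `AttributeError` at the moment it is needed. The enclosing `main()` starts and ends outside the hunk.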
|
|
|
@ -1,11 +1,3 @@
|
||||||
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
|
|
||||||
# amzn-ami-2017.09.b-amazon-ecs-optimized
|
|
||||||
ecs_agent_images:
|
|
||||||
us-east-1: ami-71ef560b
|
|
||||||
us-east-2: ami-1b8ca37e
|
|
||||||
us-west-2: ami-d2f489aa
|
|
||||||
us-west-1: ami-6b81980b
|
|
||||||
|
|
||||||
ecs_cluster_name: "{{ resource_prefix }}"
|
ecs_cluster_name: "{{ resource_prefix }}"
|
||||||
user_data: |
|
user_data: |
|
||||||
#!/bin/bash
|
#!/bin/bash
|
||||||
|
|
|
@ -123,12 +123,24 @@
|
||||||
<<: *aws_connection_info
|
<<: *aws_connection_info
|
||||||
register: setup_sg
|
register: setup_sg
|
||||||
|
|
||||||
|
- name: find a suitable AMI
|
||||||
|
ec2_ami_facts:
|
||||||
|
owner: amazon
|
||||||
|
filters:
|
||||||
|
description: "Amazon Linux AMI* ECS *"
|
||||||
|
<<: *aws_connection_info
|
||||||
|
register: ec2_ami_facts
|
||||||
|
|
||||||
|
- name: set image id fact
|
||||||
|
set_fact:
|
||||||
|
ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"
|
||||||
|
|
||||||
- name: provision ec2 instance to create an image
|
- name: provision ec2 instance to create an image
|
||||||
ec2:
|
ec2:
|
||||||
key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
|
key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
|
||||||
instance_type: t2.micro
|
instance_type: t2.micro
|
||||||
state: present
|
state: present
|
||||||
image: '{{ ecs_agent_images[aws_region] }}'
|
image: '{{ ecs_image_id }}'
|
||||||
wait: yes
|
wait: yes
|
||||||
user_data: "{{ user_data }}"
|
user_data: "{{ user_data }}"
|
||||||
instance_profile_name: ecsInstanceRole
|
instance_profile_name: ecsInstanceRole
|
||||||
|
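Review bot: The `set image id fact` task takes `ec2_ami_facts.images|first`, but describe-images returns matches in no defined order, so this can pick an old ECS-optimized AMI (with an equally old ECS agent and unpatched packages) and may select a different image on each run; sort by creation date first, e.g. `ecs_image_id: "{{ (ec2_ami_facts.images | sort(attribute='creation_date') | last).image_id }}"`. If the description filter matches nothing, `first` on an empty list fails with an opaque templating error, so a preceding `assert: { that: ec2_ami_facts.images | length > 0 }` would make that failure readable. Keeping `owner: amazon` is the important part of this lookup: it is what stops a look-alike image published from another account from matching the wildcard description, so it should not be relaxed to a description-only search.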
|