mirror of https://github.com/ansible/ansible.git
cloudtrail: Initial integration tests (#61919)
parent
40660e7f6e
commit
0239f70648
@ -0,0 +1,2 @@
|
|||||||
|
cloud/aws
|
||||||
|
unsupported
|
@ -0,0 +1,7 @@
|
|||||||
|
cloudtrail_name: '{{ resource_prefix }}-cloudtrail'
|
||||||
|
s3_bucket_name: '{{ resource_prefix }}-cloudtrail-bucket'
|
||||||
|
kms_alias: '{{ resource_prefix }}-cloudtrail'
|
||||||
|
sns_topic: '{{ resource_prefix }}-cloudtrail-notifications'
|
||||||
|
cloudtrail_prefix: 'test-prefix'
|
||||||
|
cloudwatch_log_group: '{{ resource_prefix }}-cloudtrail'
|
||||||
|
cloudwatch_role: '{{ resource_prefix }}-cloudtrail'
|
@ -0,0 +1,13 @@
|
|||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "AssumeFromCloudTrails",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {
|
||||||
|
"Service": "cloudtrail.amazonaws.com"
|
||||||
|
},
|
||||||
|
"Action": "sts:AssumeRole"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
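Review bot: The `AssumeFromCloudTrails` statement trusts `cloudtrail.amazonaws.com` with no `Condition`, so any trail CloudTrail acts for, in any account, can satisfy this trust rather than only the trails these tests create. Scoping the service principal is the documented mitigation for the cross-service confused-deputy case; reusing the account-and-prefix pattern the KMS policy in this commit already applies, the statement could carry `"Condition": { "ArnLike": { "aws:SourceArn": "arn:aws:cloudtrail:*:{{ aws_caller_info.account }}:trail/{{ resource_prefix }}*" } }` (or a `StringEquals` on `aws:SourceAccount` if the tests create trails under other names). The same unconditioned service-principal grant appears in the S3 bucket policy (`CloudTrailCheckAcl`, `CloudTrailWriteLogs`) and the SNS topic policy (`CloudTrailSNSPolicy`); of the four, only the KMS `EncryptLogs` statement is already narrowed, via its encryption-context condition.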
@ -0,0 +1,17 @@
|
|||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "CloudTrail2CloudWatch",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Action": [
|
||||||
|
"logs:CreateLogStream",
|
||||||
|
"logs:PutLogEvents"
|
||||||
|
],
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}:log-stream:*",
|
||||||
|
"arn:aws:logs:{{ aws_region }}:{{ aws_caller_info.account }}:log-group:{{ cloudwatch_log_group }}-2:log-stream:*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
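Review bot: The second resource ARN hard-codes a `-2` suffix onto `{{ cloudwatch_log_group }}`, which couples this policy template to a log-group naming convention that is only visible in the task file (suppressed in this view). If the tests do create a second group, driving the suffix from a variable or naming the convention next to `cloudwatch_log_group` in defaults would make the dependency explicit, since a JSON policy cannot carry a comment; if they do not, the extra ARN is a grant the role does not need.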
@ -0,0 +1,34 @@
|
|||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Id": "CloudTrailPolicy",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "EncryptLogs",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||||||
|
"Action": "kms:GenerateDataKey*",
|
||||||
|
"Resource": "*",
|
||||||
|
"Condition": {
|
||||||
|
"StringLike": {
|
||||||
|
"kms:EncryptionContext:aws:cloudtrail:arn": [
|
||||||
|
"arn:aws:cloudtrail:*:{{ aws_caller_info.account }}:trail/{{ resource_prefix }}*"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "DescribeKey",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||||||
|
"Action": "kms:DescribeKey",
|
||||||
|
"Resource": "*"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "AnsibleTestManage",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
|
||||||
|
"Action": "*",
|
||||||
|
"Resource": "*"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
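Review bot: `AnsibleTestManage` is the only administrative statement in this key policy and it names a single caller ARN, `{{ aws_caller_info.arn }}`; if that identity is a temporary session or is later removed, no principal can manage or schedule deletion of the key. The usual safeguard is an additional statement for the account root, `"Principal": { "AWS": "arn:aws:iam::{{ aws_caller_info.account }}:root" }`, so that account-level IAM policies can still reach the key during cleanup. `DescribeKey` for the service principal is unconditioned, but it is read-only and the sensitive `EncryptLogs` grant is already scoped by its encryption-context condition.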
@ -0,0 +1,34 @@
|
|||||||
|
{
|
||||||
|
"Version": "2012-10-17",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "CloudTrailCheckAcl",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||||||
|
"Action": "s3:GetBucketAcl",
|
||||||
|
"Resource": "arn:aws:s3:::{{ bucket_name }}",
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "CloudTrailWriteLogs",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "Service": "cloudtrail.amazonaws.com" },
|
||||||
|
"Action": "s3:PutObject",
|
||||||
|
"Resource": [
|
||||||
|
"arn:aws:s3:::{{ bucket_name }}/AWSLogs/{{ aws_caller_info.account }}/*",
|
||||||
|
"arn:aws:s3:::{{ bucket_name }}/{{ cloudtrail_prefix }}*/AWSLogs/{{ aws_caller_info.account }}/*"
|
||||||
|
],
|
||||||
|
"Condition": {
|
||||||
|
"StringEquals": {
|
||||||
|
"s3:x-amz-acl": "bucket-owner-full-control"
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "AnsibleTestManage",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": { "AWS": "{{ aws_caller_info.arn }}" },
|
||||||
|
"Action": "*",
|
||||||
|
"Resource": "arn:aws:s3:::{{ bucket_name }}"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
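Review bot: `"Resource": "arn:aws:s3:::{{ bucket_name }}",` in the `CloudTrailCheckAcl` statement leaves a trailing comma before the closing brace, which strict JSON parsers reject; it presumably only works here because the templated text is evaluated as a Python literal before it is sent, so it would break as soon as the document is handed to a real JSON parser. Drop the comma: `"Resource": "arn:aws:s3:::{{ bucket_name }}"`. Separately, `AnsibleTestManage` grants `"Action": "*"` on the bucket ARN only, so object-level actions such as deleting the delivered log objects are not covered by this policy and have to come from the caller's own IAM permissions; worth confirming that is intended for cleanup.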
@ -0,0 +1,34 @@
|
|||||||
|
{
|
||||||
|
"Version": "2008-10-17",
|
||||||
|
"Id": "AnsibleSNSTesting",
|
||||||
|
"Statement": [
|
||||||
|
{
|
||||||
|
"Sid": "CloudTrailSNSPolicy",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {
|
||||||
|
"Service": "cloudtrail.amazonaws.com"
|
||||||
|
},
|
||||||
|
"Action": "sns:Publish",
|
||||||
|
"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
|
||||||
|
},
|
||||||
|
{
|
||||||
|
"Sid": "AnsibleTestManage",
|
||||||
|
"Effect": "Allow",
|
||||||
|
"Principal": {
|
||||||
|
"AWS": "{{ aws_caller_info.arn }}"
|
||||||
|
},
|
||||||
|
"Action": [
|
||||||
|
"sns:Subscribe",
|
||||||
|
"sns:ListSubscriptionsByTopic",
|
||||||
|
"sns:DeleteTopic",
|
||||||
|
"sns:GetTopicAttributes",
|
||||||
|
"sns:Publish",
|
||||||
|
"sns:RemovePermission",
|
||||||
|
"sns:AddPermission",
|
||||||
|
"sns:Receive",
|
||||||
|
"sns:SetTopicAttributes"
|
||||||
|
],
|
||||||
|
"Resource": "arn:aws:sns:{{ aws_region }}:{{ aws_caller_info.account }}:{{ sns_topic_name }}"
|
||||||
|
}
|
||||||
|
]
|
||||||
|
}
|
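Review bot: `"Version": "2008-10-17"` differs from the `2012-10-17` used by the other four policy documents in this commit; the older policy-language version does not support policy variables, and mixing versions makes the templates harder to maintain. Unless there is a known SNS reason for it, use `"Version": "2012-10-17"`. The template also references `{{ sns_topic_name }}` while defaults define `sns_topic` (and the S3 policy uses `{{ bucket_name }}` against `s3_bucket_name`), so the mapping presumably happens in the suppressed task file; aligning the variable names would remove that indirection.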