diff --git a/hacking/aws_config/build_iam_policy_framework.py b/hacking/aws_config/build_iam_policy_framework.py deleted file mode 100644 index 940d55dbd3d..00000000000 --- a/hacking/aws_config/build_iam_policy_framework.py +++ /dev/null 
@@ -1,330 +0,0 @@ -# Requires pandas, bs4, html5lib, and lxml -# -# Call script with the output from aws_resource_actions callback, e.g. -# python build_iam_policy_framework.py ['ec2:AuthorizeSecurityGroupEgress', 'ec2:AuthorizeSecurityGroupIngress', 'sts:GetCallerIdentity'] -# -# The sample output: -# { -# "Version": "2012-10-17", -# "Statement": [ -# { -# "Sid": "AnsibleEditor0", -# "Effect": "Allow", -# "Action": [ -# "ec2:AuthorizeSecurityGroupEgress", -# "ec2:AuthorizeSecurityGroupIngress" -# ], -# "Resource": "arn:aws:ec2:${Region}:${Account}:security-group/${SecurityGroupId}" -# }, -# { -# "Sid": "AnsibleEditor1", -# "Effect": "Allow", -# "Action": [ -# "sts:GetCallerIdentity" -# ], -# "Resource": "*" -# } -# ] -# } -# -# Policy troubleshooting: -# - If there are more actions in the policy than you provided, AWS has documented dependencies for some of your actions and -# those have been added to the policy. -# - If there are fewer actions in the policy than you provided, some of your actions are not in the IAM table of actions for -# that service. For example, the API call s3:DeleteObjects does not actually correlate to the permission needed in a policy. -# In this case s3:DeleteObject is the permission required to allow both the s3:DeleteObjects action and the s3:DeleteObject action. -# - The policies output are only as accurate as the AWS documentation. If the policy does not permit the -# necessary actions, look for undocumented dependencies. For example, redshift:CreateCluster requires ec2:DescribeVpcs, -# ec2:DescribeSubnets, ec2:DescribeSecurityGroups, and ec2:DescribeInternetGateways, but AWS does not document this. 
-# - -from __future__ import (absolute_import, division, print_function) -__metaclass__ = type - -import json -import requests -import sys - -missing_dependencies = [] -try: - import pandas as pd -except ImportError: - missing_dependencies.append('pandas') -try: - import bs4 -except ImportError: - missing_dependencies.append('bs4') -try: - import html5lib -except ImportError: - missing_dependencies.append('html5lib') -try: - import lxml -except ImportError: - missing_dependencies.append('lxml') - - -irregular_service_names = { - 'a4b': 'alexaforbusiness', - 'appstream': 'appstream2.0', - 'acm': 'certificatemanager', - 'acm-pca': 'certificatemanagerprivatecertificateauthority', - 'aws-marketplace-management': 'marketplacemanagementportal', - 'ce': 'costexplorerservice', - 'cognito-identity': 'cognitoidentity', - 'cognito-sync': 'cognitosync', - 'cognito-idp': 'cognitouserpools', - 'cur': 'costandusagereport', - 'dax': 'dynamodbacceleratordax', - 'dlm': 'datalifecyclemanager', - 'dms': 'databasemigrationservice', - 'ds': 'directoryservice', - 'ec2messages': 'messagedeliveryservice', - 'ecr': 'ec2containerregistry', - 'ecs': 'elasticcontainerservice', - 'eks': 'elasticcontainerserviceforkubernetes', - 'efs': 'elasticfilesystem', - 'es': 'elasticsearchservice', - 'events': 'cloudwatchevents', - 'firehose': 'kinesisfirehose', - 'fms': 'firewallmanager', - 'health': 'healthapisandnotifications', - 'importexport': 'importexportdiskservice', - 'iot1click': 'iot1-click', - 'kafka': 'managedstreamingforkafka', - 'kinesisvideo': 'kinesisvideostreams', - 'kms': 'keymanagementservice', - 'license-manager': 'licensemanager', - 'logs': 'cloudwatchlogs', - 'opsworks-cm': 'opsworksconfigurationmanagement', - 'mediaconnect': 'elementalmediaconnect', - 'mediaconvert': 'elementalmediaconvert', - 'medialive': 'elementalmedialive', - 'mediapackage': 'elementalmediapackage', - 'mediastore': 'elementalmediastore', - 'mgh': 'migrationhub', - 'mobiletargeting': 'pinpoint', - 'pi': 
'performanceinsights', - 'pricing': 'pricelist', - 'ram': 'resourceaccessmanager', - 'resource-groups': 'resourcegroups', - 'sdb': 'simpledb', - 'servicediscovery': 'cloudmap', - 'serverlessrepo': 'serverlessapplicationrepository', - 'sms': 'servermigrationservice', - 'sms-voice': 'pinpointsmsandvoiceservice', - 'sso-directory': 'ssodirectory', - 'ssm': 'systemsmanager', - 'ssmmessages': 'sessionmanagermessagegatewayservice', - 'states': 'stepfunctions', - 'sts': 'securitytokenservice', - 'swf': 'simpleworkflowservice', - 'tag': 'resourcegrouptaggingapi', - 'transfer': 'transferforsftp', - 'waf-regional': 'wafregional', - 'wam': 'workspacesapplicationmanager', - 'xray': 'x-ray' -} - -irregular_service_links = { - 'apigateway': [ - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_manageamazonapigateway.html' - ], - 'aws-marketplace': [ - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsmarketplace.html', - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsmarketplacemeteringservice.html', - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_awsprivatemarketplace.html' - ], - 'discovery': [ - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_applicationdiscovery.html' - ], - 'elasticloadbalancing': [ - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_elasticloadbalancing.html', - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_elasticloadbalancingv2.html' - ], - 'globalaccelerator': [ - 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_globalaccelerator.html' - ] -} - - -def get_docs_by_prefix(prefix): - amazon_link_form = 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_amazon{0}.html' - aws_link_form = 'https://docs.aws.amazon.com/IAM/latest/UserGuide/list_aws{0}.html' - - if prefix in irregular_service_links: - links = irregular_service_links[prefix] - else: - if prefix in irregular_service_names: - prefix = irregular_service_names[prefix] - links = [amazon_link_form.format(prefix), 
aws_link_form.format(prefix)] - - return links - - -def get_html(links): - html_list = [] - for link in links: - html = requests.get(link).content - try: - parsed_html = pd.read_html(html) - html_list.append(parsed_html) - except ValueError as e: - if 'No tables found' in str(e): - pass - else: - raise e - - return html_list - - -def get_tables(service): - links = get_docs_by_prefix(service) - html_list = get_html(links) - action_tables = [] - arn_tables = [] - for df_list in html_list: - for df in df_list: - table = json.loads(df.to_json(orient='split')) - table_data = table['data'][0] - if 'Actions' in table_data and 'Resource Types (*required)' in table_data: - action_tables.append(table['data'][1::]) - elif 'Resource Types' in table_data and 'ARN' in table_data: - arn_tables.append(table['data'][1::]) - - # Action table indices: - # 0: Action, 1: Description, 2: Access level, 3: Resource type, 4: Condition keys, 5: Dependent actions - # ARN tables indices: - # 0: Resource type, 1: ARN template, 2: Condition keys - return action_tables, arn_tables - - -def add_dependent_action(resources, dependency): - resource, action = dependency.split(':') - if resource in resources: - resources[resource].append(action) - else: - resources[resource] = [action] - return resources - - -def get_dependent_actions(resources): - for service in dict(resources): - action_tables, arn_tables = get_tables(service) - for found_action_table in action_tables: - for action_stuff in found_action_table: - if action_stuff is None: - continue - if action_stuff[0] in resources[service] and action_stuff[5]: - dependencies = action_stuff[5].split() - if isinstance(dependencies, list): - for dependency in dependencies: - resources = add_dependent_action(resources, dependency) - else: - resources = add_dependent_action(resources, dependencies) - return resources - - -def get_actions_by_service(resources): - service_action_dict = {} - dependencies = {} - for service in resources: - action_tables, 
arn_tables = get_tables(service) - - # Create dict of the resource type to the corresponding ARN - arn_dict = {} - for found_arn_table in arn_tables: - for arn_stuff in found_arn_table: - arn_dict["{0}*".format(arn_stuff[0])] = arn_stuff[1] - - # Create dict of the action to the corresponding ARN - action_dict = {} - for found_action_table in action_tables: - for action_stuff in found_action_table: - if action_stuff[0] is None: - continue - if arn_dict.get(action_stuff[3]): - action_dict[action_stuff[0]] = arn_dict[action_stuff[3]] - else: - action_dict[action_stuff[0]] = None - service_action_dict[service] = action_dict - return service_action_dict - - -def get_resource_arns(aws_actions, action_dict): - resource_arns = {} - for resource_action in aws_actions: - resource, action = resource_action.split(':') - if action not in action_dict: - continue - if action_dict[action] is None: - resource = "*" - else: - resource = action_dict[action].replace("${Partition}", "aws") - if resource not in resource_arns: - resource_arns[resource] = [] - resource_arns[resource].append(resource_action) - return resource_arns - - -def get_resources(actions): - resources = {} - for action in actions: - resource, action = action.split(':') - if resource not in resources: - resources[resource] = [] - resources[resource].append(action) - return resources - - -def combine_arn_actions(resources, service_action_arn_dict): - arn_actions = {} - for service in service_action_arn_dict: - service_arn_actions = get_resource_arns(aws_actions, service_action_arn_dict[service]) - for resource in service_arn_actions: - if resource in arn_actions: - arn_actions[resource].extend(service_arn_actions[resource]) - else: - arn_actions[resource] = service_arn_actions[resource] - return arn_actions - - -def combine_actions_and_dependent_actions(resources): - aws_actions = [] - for resource in resources: - for action in resources[resource]: - aws_actions.append('{0}:{1}'.format(resource, action)) - return 
set(aws_actions) - - -def get_actions_restricted_by_arn(aws_actions): - resources = get_resources(aws_actions) - resources = get_dependent_actions(resources) - service_action_arn_dict = get_actions_by_service(resources) - aws_actions = combine_actions_and_dependent_actions(resources) - return combine_arn_actions(aws_actions, service_action_arn_dict) - - -def main(aws_actions): - arn_actions = get_actions_restricted_by_arn(aws_actions) - statement = [] - for resource_restriction in arn_actions: - statement.append({ - "Sid": "AnsibleEditor{0}".format(len(statement)), - "Effect": "Allow", - "Action": arn_actions[resource_restriction], - "Resource": resource_restriction - }) - - policy = {"Version": "2012-10-17", "Statement": statement} - print(json.dumps(policy, indent=4)) - - -if __name__ == '__main__': - if missing_dependencies: - sys.exit('Missing Python libraries: {0}'.format(', '.join(missing_dependencies))) - actions = sys.argv[1:] - if len(actions) == 1: - actions = sys.argv[1].split(',') - aws_actions = [action.strip('[], "\'') for action in actions] - main(aws_actions) diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml deleted file mode 100644 index 9dfaca53c97..00000000000 --- a/hacking/aws_config/setup-iam.yml +++ /dev/null 
@@ -1,55 +0,0 @@ -# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv -# -# Creates IAM policies and associates them with iam_group. This group -# can then be associated with an appropriate user -# -# You can pass -e profile=boto_profile_name if you have a profile that -# you can use, otherwise use normal AWS methods (env variables, instance -# profile, etc) -# -# If you want to use a region other than us-east-1 (and only us-east-2 -# works with ansible-test), pass -e region=us-east-2 -# -# Requires 2.4 for iam_managed_policy and iam_group - -- hosts: localhost - connection: local - gather_facts: no - vars: - aws_region: "{{ region|default('us-east-1') }}" - - tasks: - - name: Check that required variables are set - fail: - msg: "You must set the iam_group variable" - when: iam_group is not defined - - - name: Get aws account ID - aws_caller_info: - profile: "{{ profile|default(omit) }}" - register: aws_caller_info - - - name: Set aws_account_fact - set_fact: - aws_account: "{{ aws_caller_info.account }}" - - - - name: Ensure Managed IAM policies exist - iam_managed_policy: - policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy" - policy: "{{ lookup('template', item) }}" - state: present - profile: "{{ profile|default(omit) }}" - with_fileglob: "testing_policies/*.json" - register: iam_managed_policies - - - debug: - msg: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}" - - - name: Ensure IAM group exists and attach managed policies - iam_group: - name: "{{ iam_group }}" - state: present - managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}" - profile: "{{ profile|default(omit) }}" - purge_policy: yes diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json deleted file mode 100644 index 2d28aa41d37..00000000000 
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ /dev/null
@@ -1,280 +0,0 @@
-{# Not all Autoscaling API Actions allow specified resources #}
-{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DescribeAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribePolicies"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:*LaunchConfiguration",
- "autoscaling:*LoadBalancers",
- "autoscaling:*AutoScalingGroup",
- "autoscaling:*MetricsCollection",
- "autoscaling:PutScalingPolicy",
- "autoscaling:DeletePolicy",
- "autoscaling:*Tags"
- ],
- "Resource": [
- "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
- ]
- },
-{# Note that not all EC2 API Actions allow a specific resource #}
-{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
- {
- "Sid": "AllowUnspecifiedEC2Resource",
- "Effect": "Allow",
- "Action": [
- "ec2:*LaunchTemplate",
- "ec2:*LaunchTemplateVersion",
- "ec2:*LaunchTemplateVersions",
- "ec2:AttachVolume",
- "ec2:CreateImage",
- "ec2:CreateKeyPair",
- "ec2:CreateSecurityGroup",
- "ec2:CreateSnapshot",
- "ec2:CreateTags",
- "ec2:DeleteKeyPair",
- "ec2:DeleteSnapshot",
- "ec2:DeleteTags",
- "ec2:DeregisterImage",
- "ec2:Describe*",
- "ec2:DetachVolume",
- "ec2:ImportKeyPair",
- "ec2:ModifyImageAttribute",
- "ec2:ModifyInstanceAttribute",
- "ec2:RegisterImage",
- "ec2:ReplaceIamInstanceProfileAssociation",
- "ec2:ReportInstanceStatus"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowSpecifiedEC2Resource",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:CreateTags",
- "ec2:CreateVolume",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSecurityGroup",
- "ec2:DeleteVolume",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RunInstances",
- "ec2:StartInstances",
- "ec2:StopInstances",
- "ec2:TerminateInstances",
- "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
- "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}::image/*",
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- },
-{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
-{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
-{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
- {
- "Sid": "AllowLoadBalancerOperations",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:*LoadBalancer",
- "elasticloadbalancing:*LoadBalancers",
- "elasticloadbalancing:*LoadBalancerListeners",
- "elasticloadbalancing:*TargetGroup",
- "elasticloadbalancing:AddTags",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:Create*",
- "elasticloadbalancing:Delete*",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:Describe*",
- "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:Modify*",
- "elasticloadbalancing:Register*",
- "elasticloadbalancing:Deregister*",
- "elasticloadbalancing:Remove*"
- ],
- "Resource": "*"
- },
-{# Only certain lambda actions can be restricted to a specific resource #}
-{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
- {
- "Sid": "AllowApiGateway",
- "Effect": "Allow",
- "Action": [
- "apigateway:*"
- ],
- "Resource": [
- "arn:aws:apigateway:{{aws_region}}::/*"
- ]
- },
- {
- "Sid": "AllowGetUserForLambdaCreation",
- "Effect": "Allow",
- "Action": [
- "iam:GetUser"
- ],
- "Resource": [
- "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
- ]
- },
- {
- "Sid": "AllowLambdaManagementWithoutResource",
- "Effect": "Allow",
- "Action": [
- "lambda:CreateEventSourceMapping",
- "lambda:GetAccountSettings",
- "lambda:GetEventSourceMapping",
- "lambda:List*",
- "lambda:TagResource",
- "lambda:UntagResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowLambdaManagementWithResource",
- "Effect": "Allow",
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateAlias",
- "lambda:CreateFunction",
- "lambda:DeleteAlias",
- "lambda:DeleteFunction",
- "lambda:GetAlias",
- "lambda:GetFunction",
- "lambda:GetFunctionConfiguration",
- "lambda:GetPolicy",
- "lambda:InvokeFunction",
- "lambda:PublishVersion",
- "lambda:RemovePermission",
- "lambda:UpdateAlias",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
- },
- {
- "Sid": "AllowRoleManagement",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
- "arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
- "arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
- "arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
- "arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
- "arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"
- ]
- },
- {
- "Sid": "AllowSESManagement",
- "Effect": "Allow",
- "Action": [
- "ses:VerifyEmailIdentity",
- "ses:DeleteIdentity",
- "ses:GetIdentityVerificationAttributes",
- "ses:GetIdentityNotificationAttributes",
- "ses:VerifyDomainIdentity",
- "ses:SetIdentityNotificationTopic",
- "ses:SetIdentityHeadersInNotificationsEnabled",
- "ses:SetIdentityFeedbackForwardingEnabled",
- "ses:GetIdentityPolicies",
- "ses:PutIdentityPolicy",
- "ses:DeleteIdentityPolicy",
- "ses:ListIdentityPolicies",
- "ses:SetIdentityFeedbackForwardingEnabled",
- "ses:ListReceiptRuleSets",
- "ses:DescribeReceiptRuleSet",
- "ses:DescribeActiveReceiptRuleSet",
- "ses:SetActiveReceiptRuleSet",
- "ses:CreateReceiptRuleSet",
- "ses:DeleteReceiptRuleSet"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "AllowSNSManagement",
- "Effect": "Allow",
- "Action": [
- "SNS:CreateTopic",
- "SNS:DeleteTopic",
- "SNS:GetTopicAttributes",
- "SNS:ListSubscriptions",
- "SNS:ListSubscriptionsByTopic",
- "SNS:ListTopics",
- "SNS:SetTopicAttributes",
- "SNS:Subscribe",
- "SNS:Unsubscribe"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "AllowStepFunctionsStateMachine",
- "Effect": "Allow",
- "Action": [
- "states:CreateStateMachine",
- "states:DeleteStateMachine",
- "states:DescribeExecution",
- "states:DescribeStateMachine",
- "states:ListExecutions",
- "states:ListStateMachines",
- "states:ListTagsForResource",
- "states:StartExecution",
- "states:StopExecution",
- "states:TagResource",
- "states:UntagResource",
- "states:UpdateStateMachine"
- ],
- "Resource": [
- "arn:aws:states:*:*:*"
- ]
- },
- {
- "Sid": "AllowLightsail",
- "Effect": "Allow",
- "Action": [
- "lightsail:CreateInstances",
- "lightsail:DeleteInstance",
- "lightsail:GetInstance",
- "lightsail:GetInstances",
- "lightsail:RebootInstance",
- "lightsail:StartInstance",
- "lightsail:StopInstance"
- ],
- "Resource": "arn:aws:lightsail:*:*:*"
- },
- {
- "Sid": "AllowSQS",
- "Effect": "Allow",
- "Action": [
- "sqs:GetQueueURL",
- "sqs:CreateQueue",
- "sqs:GetQueueAttributes",
- "sqs:DeleteQueue",
- "sqs:SetQueueAttributes"
- ],
- "Resource": "arn:aws:sqs:*:*:*"
- },
- ]
-}
diff --git a/hacking/aws_config/testing_policies/container-policy.json b/hacking/aws_config/testing_policies/container-policy.json
deleted file mode 100644
index 41ef600d61d..00000000000
--- a/hacking/aws_config/testing_policies/container-policy.json
+++ /dev/null
@@ -1,80 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "UnspecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository"
- ],
- "Resource": "*"
- },
- {
- "Sid": "SpecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:GetLifecyclePolicy",
- "ecr:PutLifecyclePolicy",
- "ecr:DeleteLifecyclePolicy",
- "ecr:GetRepositoryPolicy",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "application-autoscaling:Describe*",
- "application-autoscaling:PutScalingPolicy",
- "application-autoscaling:RegisterScalableTarget",
- "cloudwatch:DescribeAlarms",
- "cloudwatch:PutMetricAlarm",
- "ecs:CreateCluster",
- "ecs:CreateService",
- "ecs:DeleteCluster",
- "ecs:DeleteService",
- "ecs:DeregisterTaskDefinition",
- "ecs:Describe*",
- "ecs:List*",
- "ecs:PutAccountSetting",
- "ecs:RegisterTaskDefinition",
- "ecs:RunTask",
- "ecs:StartTask",
- "ecs:StopTask",
- "ecs:UpdateService",
- "elasticloadbalancing:Describe*",
- "iam:GetInstanceProfile",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:ListGroups",
- "iam:ListRoles",
- "iam:ListUsers"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Effect": "Allow",
- "Action": [
- "eks:CreateCluster",
- "eks:DeleteCluster",
- "eks:DescribeCluster",
- "eks:ListClusters"
- ],
- "Resource": [
- "*"
- ]
- }
-
-
- ]
-}
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
deleted file mode 100644
index 2f15baaf3ed..00000000000
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ /dev/null
@@ -1,123 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": "iam:CreateServiceLinkedRole",
- "Effect": "Allow",
- "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName":"rds.amazonaws.com"
- }
- }
- },
- {
- "Action": "iam:CreateServiceLinkedRole",
- "Effect": "Allow",
- "Resource": "arn:aws:iam::*:role/aws-service-role/redshift.amazonaws.com/AWSServiceRoleForRedshift",
- "Condition": {
- "StringLike": {
- "iam:AWSServiceName": "redshift.amazonaws.com"}
- }
- },
- {
- "Sid": "AllowRDSReadEverywhere",
- "Effect": "Allow",
- "Action": [
- "rds:ListTagsForResource",
- "rds:DescribeDBInstances",
- "rds:DescribeDBParameterGroups",
- "rds:DescribeDBParameters",
- "rds:DescribeDBSnapshots"
- ],
- "Resource": ["*"]
- },
- {
- "Sid": "AllowRDSModuleTests",
- "Effect": "Allow",
- "Action": [
- "rds:AddTagsToResource",
- "rds:CreateDBInstance",
- "rds:DeleteDBInstance",
- "rds:ModifyDBInstance",
- "rds:PromoteReadReplica",
- "rds:RebootDBInstance",
- "rds:RemoveTagsFromResource",
- "rds:RestoreDBInstanceToPointInTime",
- "rds:StartDBInstance",
- "rds:StopDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
- ]
- },
- {
- "Sid": "AllowRDSSnapshotManageSnapshots",
- "Effect": "Allow",
- "Action": [
- "rds:AddTagsToResource",
- "rds:CreateDBSnapshot",
- "rds:DeleteDBInstance",
- "rds:DeleteDBSnapshot",
- "rds:RemoveTagsFromResource",
- "rds:RestoreDBInstanceFromDBSnapshot",
- "rds:CreateDBInstanceReadReplica"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
- ]
- },
- {
- "Sid": "AllowRDSParameterGroupManagement",
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBParameterGroup",
- "rds:DeleteDBParameterGroup",
- "rds:ModifyDBParameterGroup",
- "rds:AddTagsToResource",
- "rds:RemoveTagsFromResource"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
- ]
- },
- {
- "Sid": "AllowRedshiftManagment",
- "Action": [
- "redshift:CreateCluster",
- "redshift:CreateTags",
- "redshift:DeleteCluster",
- "redshift:DeleteTags",
- "redshift:DescribeClusters",
- "redshift:DescribeTags",
- "redshift:ModifyCluster",
- "redshift:RebootCluster"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Sid": "AllowRDSSubnetGroups",
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBSubnetGroup",
- "rds:DeleteDBSubnetGroup",
- "rds:DescribeDBSubnetGroups",
- "rds:ModifyDBSubnetGroup"
- ],
- "Resource": ["*"]
- },
- {
- "Sid": "DMSEndpoints",
- "Effect": "Allow",
- "Action": [
- "dms:CreateEndpoint",
- "dms:DeleteEndpoint",
- "dms:DescribeEndpoints",
- "dms:ModifyEndpoint"
- ],
- "Resource": ["*"]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/devops-policy.json b/hacking/aws_config/testing_policies/devops-policy.json
deleted file mode 100644
index 743e60345cb..00000000000
--- a/hacking/aws_config/testing_policies/devops-policy.json
+++ /dev/null
@@ -1,40 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowCodeCommitModuleTests",
- "Effect": "Allow",
- "Action": [
- "codecommit:ListRepositories",
- "codecommit:*Repository",
- "codecommit:*RepositoryDescription"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "AllowCloudformationTests",
- "Effect": "Allow",
- "Action": [
- "cloudformation:CreateChangeSet",
- "cloudformation:CreateStack",
- "cloudformation:DeleteChangeSet",
- "cloudformation:DeleteStack",
- "cloudformation:DescribeChangeSet",
- "cloudformation:DescribeStackEvents",
- "cloudformation:DescribeStacks",
- "cloudformation:GetStackPolicy",
- "cloudformation:GetTemplate",
- "cloudformation:ListChangeSets",
- "cloudformation:ListExports",
- "cloudformation:ListStackResources",
- "cloudformation:UpdateStack",
- "cloudformation:UpdateTerminationProtection"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/network-policy.json b/hacking/aws_config/testing_policies/network-policy.json
deleted file mode 100644
index d108c1c0fd7..00000000000
--- a/hacking/aws_config/testing_policies/network-policy.json
+++ /dev/null
@@ -1,117 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "ManageRoute53ForTests",
- "Effect": "Allow",
- "Action": [
- "route53:CreateHostedZone",
- "route53:ChangeResourceRecordSets",
- "route53:DeleteHostedZone",
- "route53:GetHostedZone",
- "route53:ListHostedZones",
- "route53:ListResourceRecordSets",
- "route53:UpdateHostedZoneComment"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowInternetGatewayManagement",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateInternetGateway",
- "ec2:DeleteInternetGateway",
- "ec2:DescribeInternetGateways"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowTransitGatewayManagement",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateTransitGateway",
- "ec2:DeleteTransitGateway",
- "ec2:DescribeTransitGateways"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowUnspecifiedEC2NetworkingResource",
- "Effect": "Allow",
- "Action": [
- "ec2:AllocateAddress",
- "ec2:AssociateAddress",
- "ec2:AssociateDhcpOptions",
- "ec2:AssociateRouteTable",
- "ec2:AssociateVpcCidrBlock",
- "ec2:AssociateSubnetCidrBlock",
- "ec2:AttachInternetGateway",
- "ec2:AttachNetworkInterface",
- "ec2:AttachVpnGateway",
- "ec2:CreateCustomerGateway",
- "ec2:CreateDhcpOptions",
- "ec2:CreateNatGateway",
- "ec2:CreateNetworkAcl",
- "ec2:CreateNetworkAclEntry",
- "ec2:CreateNetworkInterface",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:CreateSubnet",
- "ec2:CreateVpc",
- "ec2:CreateVpnConnection",
- "ec2:CreateVpnGateway",
- "ec2:DeleteCustomerGateway",
- "ec2:DeleteDhcpOptions",
- "ec2:DeleteInternetGateway",
- "ec2:DeleteNatGateway",
- "ec2:DeleteNetworkAcl",
- "ec2:DeleteNetworkAclEntry",
- "ec2:DeleteNetworkInterface",
- "ec2:DeleteRoute",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSubnet",
- "ec2:DeleteVpc",
- "ec2:DeleteVpnConnection",
- "ec2:DeleteVpnGateway",
- "ec2:DetachInternetGateway",
- "ec2:DetachVpnGateway",
- "ec2:Describe*",
- "ec2:DisassociateAddress",
- "ec2:DisassociateRouteTable",
- "ec2:DisassociateSubnetCidrBlock",
- "ec2:DisassociateVpcCidrBlock",
- "ec2:ModifySubnetAttribute",
- "ec2:ModifyVpcAttribute",
- "ec2:ReleaseAddress",
- "ec2:ReplaceNetworkAclAssociation",
- "ec2:ReplaceNetworkAclEntry",
- "ec2:ReplaceRouteTableAssociation"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowCloudfrontUsage",
- "Effect": "Allow",
- "Action": [
- "cloudfront:CreateDistribution",
- "cloudfront:CreateDistributionWithTags",
- "cloudfront:CreateCloudFrontOriginAccessIdentity",
- "cloudfront:DeleteDistribution",
- "cloudfront:GetDistribution",
- "cloudfront:GetStreamingDistribution",
- "cloudfront:GetDistributionConfig",
- "cloudfront:GetStreamingDistributionConfig",
- "cloudfront:GetInvalidation",
- "cloudfront:ListDistributions",
- "cloudfront:ListDistributionsByWebACLId",
- "cloudfront:ListInvalidations",
- "cloudfront:ListStreamingDistributions",
- "cloudfront:ListTagsForResource",
- "cloudfront:TagResource",
- "cloudfront:UntagResource",
- "cloudfront:UpdateDistribution"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
deleted file mode 100644
index adacf0040c4..00000000000
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ /dev/null
@@ -1,228 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Action": [
- "iam:GetGroup",
- "iam:GetInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:GetPolicy",
- "iam:GetPolicyVersion",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:GetUser",
- "iam:ListAttachedGroupPolicies",
- "iam:ListAttachedRolePolicies",
- "iam:ListAttachedUserPolicies",
- "iam:ListGroups",
- "iam:ListInstanceProfiles",
- "iam:ListInstanceProfilesForRole",
- "iam:ListPolicies",
- "iam:ListRoles",
- "iam:ListRolePolicies",
- "iam:ListRoleTags",
- "iam:ListUsers",
- "iam:ListAccountAliases"
- ],
- "Resource": "*",
- "Effect": "Allow",
- "Sid": "AllowReadOnlyIAMUse"
- },
- {
- "Action": [
- "iam:CreatePolicy",
- "iam:ListPolicyVersions",
- "iam:ListEntitiesForPolicy",
- "iam:DeletePolicy"
- ],
- "Resource": "arn:aws:iam::{{ aws_account }}:policy/ansible-test-*",
- "Effect": "Allow",
- "Sid": "AllowManagementOfSpecificPolicies"
- },
- {
- "Action": [
- "iam:AttachRolePolicy",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:DeleteRolePermissionsBoundary",
- "iam:DetachRolePolicy",
- "iam:PutRolePolicy",
- "iam:PassRole",
- "iam:PutRolePolicy",
- "iam:PutRolePermissionsBoundary",
- "iam:TagRole",
- "iam:UntagRole",
- "iam:UpdateAssumeRolePolicy",
- "iam:UpdateRole",
- "iam:UpdateRoleDescription",
- "sts:AssumeRole"
- ],
- "Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
- "Effect": "Allow",
- "Sid": "AllowUpdateOfSpecificRoles"
- },
- {
- "Action": [
- "iam:CreateInstanceProfile",
- "iam:DeleteInstanceProfile",
- "iam:AddRoleToInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
- ],
- "Resource": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*",
- "Effect": "Allow",
- "Sid": "AllowUpdateOfSpecificInstanceProfiles"
- },
- {
- "Action": [
- "ec2:ReplaceIamInstanceProfileAssociation"
- ],
- "Resource": "*",
- "Condition": {
- "ArnEquals": {
- "ec2:InstanceProfile": "arn:aws:iam::{{ aws_account }}:instance-profile/ansible-test-*"
- }
- },
- "Effect": "Allow",
- "Sid": "AllowReplacementOfSpecificInstanceProfiles"
- },
- {
- "Sid": "AllowWAFusage",
- "Action": "waf:*",
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Sid": "AllowListingCloudwatchLogs",
- "Effect": "Allow",
- "Action": [
- "logs:DescribeLogGroups"
- ],
- "Resource": [
- "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:*"
- ]
- },
- {
- "Sid": "AllowModifyingCloudtrail",
- "Effect": "Allow",
- "Action": [
- "cloudtrail:*"
- ],
- "Resource": [
- "arn:aws:cloudtrail:{{aws_region}}:{{aws_account}}:trail/ansible-test-*"
- ]
- },
- {
- "Sid": "AllowDescribingCloudtrails",
- "Effect": "Allow",
- "Action": [
- "cloudtrail:DescribeTrails",
- "cloudtrail:ListTags",
- "cloudtrail:ListPublicKeys"
- ],
- "Resource": [
- "*"
- ]
- },
- {
- "Sid": "AllowModifyingCloudwatchLogs",
- "Effect": "Allow",
- "Action": [
- "logs:CreateLogGroup",
- "logs:PutRetentionPolicy",
- "logs:DeleteLogGroup"
- ],
- "Resource": [
- "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-test*"
- ]
- },
- {
- "Sid": "AllowAccessToUnspecifiedKMSResources",
- "Effect": "Allow",
- "Action": [
- "kms:CancelKeyDeletion",
- "kms:CreateAlias",
- "kms:CreateGrant",
- "kms:CreateKey",
- "kms:DeleteAlias",
- "kms:Describe*",
- "kms:DisableKey",
- "kms:EnableKey",
- "kms:GenerateRandom",
- "kms:Get*",
- "kms:List*",
- "kms:PutKeyPolicy",
- "kms:RetireGrant",
- "kms:ScheduleKeyDeletion",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:UpdateGrant",
- "kms:UpdateKeyDescription"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAccessToServerCertificates",
- "Effect": "Allow",
- "Action": [
- "iam:*ServerCertificates",
- "iam:*ServerCertificate"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAccessToSecrets",
- "Effect": "Allow",
- "Action": [
- "secretsmanager:*"
- ],
- "Resource": "arn:aws:secretsmanager:{{aws_region}}:{{aws_account}}:secret:ansible-test*"
- },
- {
- "Sid": "AllowAccessToManagePasswordPolicy",
- "Effect": "Allow",
- "Action": [
- "iam:*AccountPasswordPolicy"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAccessToManageUsersAndGroups",
- "Effect": "Allow",
- "Action": [
- "iam:*Group",
- "iam:*User",
- "iam:ListAttachedGroupPolicies"
- ],
- "Resource": [
- "arn:aws:iam::{{ aws_account }}:user/ansible-test*",
- "arn:aws:iam::{{ aws_account }}:group/ansible-test*"
- ]
- },
- {
- "Sid": "AllowAccessToACMRestrictable",
- "Effect": "Allow",
- "Action": [
- "acm:ImportCertificate",
- "acm:DescribeCertificate",
- "acm:GetCertificate",
- "acm:AddTagsToCertificate",
- "acm:DeleteCertificate"
- ],
- "Resource": [
- "arn:aws:acm:{{aws_region}}:{{aws_account}}:certificate/*"
- ]
- },
- {
- "Sid": "AllowAccessToACMUnrestrictable",
- "Effect": "Allow",
- "Action": [
- "acm:ListCertificates",
- "acm:ListTagsForCertificate"
- ],
- "Resource": [
- "*"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/storage-policy.json b/hacking/aws_config/testing_policies/storage-policy.json
deleted file mode 100644
index cdde27ad924..00000000000
--- a/hacking/aws_config/testing_policies/storage-policy.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowS3AnsibleTestBuckets",
- "Action": [
- "s3:CreateBucket",
- "s3:Delete*",
- "s3:GetBucketAcl",
- "s3:GetBucketLogging",
- "s3:GetBucketNotification",
- "s3:GetBucketPolicy",
- "s3:GetBucketRequestPayment",
- "s3:GetBucketTagging",
- "s3:GetBucketVersioning",
- "s3:GetEncryptionConfiguration",
- "s3:GetObject",
- "s3:HeadBucket",
- "s3:List*",
- "s3:PutBucketAcl",
- "s3:PutBucketLogging",
- "s3:PutBucketNotification",
- "s3:PutBucketPolicy",
- "s3:PutBucketRequestPayment",
- "s3:PutBucketTagging",
- "s3:PutBucketVersioning",
- "s3:PutEncryptionConfiguration",
- "s3:PutObject",
- "s3:PutObjectAcl"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:s3:::ansible-test-*",
- "arn:aws:s3:::ansible-test-*/*"
- ]
- },
- {
- "Sid": "AllowListingS3Buckets",
- "Action": [
- "s3:ListAllMyBuckets"
- ],
- "Effect": "Allow",
- "Resource": "*"
- },
- {
- "Sid": "ManageEFS",
- "Effect": "Allow",
- "Action": [
- "elasticfilesystem:*"
- ],
- "Resource": "*"
- }
- ]
-}