diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
new file mode 100644
index 00000000000..4b53de945a2
--- /dev/null
+++ b/hacking/aws_config/setup-iam.yml
@@ -0,0 +1,51 @@
+# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv
+#
+# Creates IAM policies and associates them with iam_group. This group
+# can then be associated with an appropriate user
+#
+# You can pass -e profile=boto_profile_name if you have a profile that
+# you can use, otherwise use normal AWS methods (env variables, instance
+# profile, etc)
+#
+# If you want to use a region other than us-east-1 (and only us-east-2
+# works with ansible-test), pass -e region=us-east-2
+#
+# Requires 2.4 for iam_managed_policy and iam_group
+
+- hosts: localhost
+ connection: local
+ gather_facts: no
+ vars:
+ aws_region: "{{ region|default('us-east-1') }}"
+
+ tasks:
+ - name: Check that required variables are set
+ fail:
+ msg: "You must set the iam_group variable"
+ when: iam_group is not defined
+
+ - name: Get aws account ID
+ command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}"
+ changed_when: False
+ register: aws_account_command
+
+ - name: Set aws_account_fact
+ set_fact:
+ aws_account: "{{ aws_account_command.stdout }}"
+
+
+ - name: Ensure Managed IAM policies exist
+ iam_managed_policy:
+ policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy"
+ policy: "{{ lookup('template', item) }}"
+ state: present
+ profile: "{{ profile|default(omit) }}"
+ with_fileglob: "testing_policies/*"
+ register: iam_managed_policies
+
+ - name: Ensure IAM group exists and attach managed policies
+ iam_group:
+ name: "{{ iam_group }}"
+ state: present
+ managed_policy: "{{ iam_managed_policies | json_query('results[].policy.PolicyName') }}"
+ profile: "{{ profile|default(omit) }}"
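Review bot: The `Get aws account ID` task references `profile` unguarded in `"{{ '--profile=' ~ profile if profile else '' }}"`, while every other task in the play uses `profile|default(omit)`; with `profile` unset, which the header comment presents as the normal case, the template is likely to raise an undefined-variable error rather than fall through to the empty string, and even when it does fall through the `command` module still hands the CLI an empty positional argument. `command: "aws sts get-caller-identity --output text --query 'Account'{{ ' --profile=' ~ profile if profile is defined else '' }}"` keeps the profile optional without the empty argument. Separately, `gather_facts: no` and `changed_when: False` are YAML 1.1 truthy spellings that yamllint flags; lowercase `false` reads the same on every parser.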
diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2
deleted file mode 100644
index d5534a41e8b..00000000000
--- a/hacking/aws_config/testing-iam-policy.json.j2
+++ /dev/null
@@ -1,246 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowDescribeAllEC2",
- "Effect": "Allow",
- "Action": [
- "ec2:Describe*"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "MiscPrivilegesNeededByEC2Tests",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateKeyPair",
- "ec2:CreateNatGateway",
- "ec2:DeleteKeyPair",
- "ec2:ImportKeyPair",
- "ec2:RunInstances",
- "ec2:CreateTags",
- "ec2:TerminateInstances",
- "ec2:AllocateAddress",
- "ec2:AssociateAddress",
- "ec2:DisassociateAddress",
- "ec2:ReleaseAddress",
- "ec2:CreateSubnet",
- "ec2:CreateVpc",
- "ec2:CreateRouteTable",
- "ec2:ModifyRouteTable",
- "ec2:DescribeRouteTable",
- "ec2:AssociateRouteTable",
- "ec2:DisassociateRouteTable",
- "ec2:ModifyVpcAttribute",
- "ec2:CreateInternetGateway",
- "ec2:AttachInternetGateway",
- "ec2:DeleteNatGateway"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "AllowManageSecurityGroupsForSetup",
- "Effect": "Allow",
- "Action": [
- "ec2:DescribeSecurityGroups",
- "ec2:CreateSecurityGroup",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupIngress"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"
- ]
- },
- {
- "Sid": "AllowAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:CreateLaunchConfiguration",
- "autoscaling:CreateAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:DeleteAutoScalingGroup",
- "autoscaling:DeleteLaunchConfiguration"
- ],
- "Resource": [
- "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
- ]
- },
- {
- "Sid": "AllowReadAllLoadBalancers",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeInstanceHealth"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*"
- ]
- },
- {
- "Sid": "AllowManagementofOwnLoadBalancers",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:DescribeInstanceHealth"
- ],
- "Resource": [
- "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*"
- ]
- },
- {
- "Sid": "AllowCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository",
- "ecr:DescribeRepositories",
- "ecr:GetRepositoryPolicy",
- "ecr:DescribeRepositories",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- },
- {
- "Sid": "AllowOldRDSModule",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:DeleteDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
- ]
- },
- {
- "Sid": "AllowRDSModuleCompatibilityTests",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:ListTagsForResource",
- "rds:DeleteDBInstance"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
- ]
- },
- {
- "Sid": "AllowRDSInstanceManageOwnInstance",
- "Effect": "Allow",
- "Action": [
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
- "rds:ListTagsForResource",
- "rds:DescribeDBInstances"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
- ]
- },
- {
- "Sid": "AllowRDSSnapshotManageSnapshots",
- "Effect": "Allow",
- "Action": [
- "rds:DescribeDBSnapshots",
- "rds:DescribeDBInstances",
- "rds:DescribeDBSnapshots",
- "rds:DeleteDBInstance",
- "rds:CreateDBSnapshot",
- "rds:DeleteDBSnapshot",
- "rds:RestoreDBInstanceFromDBSnapshot",
- "rds:CreateDBInstanceReadReplica"
- ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
- ]
- },
- {
- "Sid": "AlowS3AnsibleTestBuckets",
- "Action": [
- "s3:GetObject",
- "s3:ListBucket",
- "s3:PutBucketAcl",
- "s3:CreateBucket",
- "s3:PutObject",
- "s3:PutObjectAcl",
- "s3:DeleteBucket",
- "s3:DeleteObject"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:s3:::ansible_test_*",
- "arn:aws:s3:::ansible_test_*/*"
- ]
- },
- {
- "Sid": "AllowApiGateway",
- "Effect": "Allow",
- "Action": [
- "apigateway:*"
- ],
- "Resource": [
- "arn:aws:apigateway:us-east-1::*"
- ]
- },
- {
- "Sid": "AllowGetUserForLambdaCreation",
- "Effect": "Allow",
- "Action": [
- "iam:GetUser"
- ],
- "Resource": [
- "arn:aws:iam::459030870916:user/ansible_integration_tests"
- ]
- },
- {
- "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight",
- "Effect": "Allow",
- "Action": [
- "lambda:*"
- ],
- "Resource": [
- "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
- ]
- },
- {
- "Sid": "AllowLambdaRoleManagement",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:aws:iam::459030870916:role/ansible_lambda_role"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/autoscaling-policy.json b/hacking/aws_config/testing_policies/autoscaling-policy.json
new file mode 100644
index 00000000000..650b9eda139
--- /dev/null
+++ b/hacking/aws_config/testing_policies/autoscaling-policy.json
@@ -0,0 +1,33 @@
+{# Not all Autoscaling API Actions allow specified resources #}
+{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DescribeAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribePolicies"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration",
+ "autoscaling:PutScalingPolicy",
+ "autoscaling:DeletePolicy"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json
new file mode 100644
index 00000000000..099e78b159b
--- /dev/null
+++ b/hacking/aws_config/testing_policies/ec2-policy.json
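Review bot: The new policy files carry a plain `.json` extension but are Jinja templates — this one opens with two `{# … #}` comment lines and every file in the set embeds `{{aws_region}}`/`{{aws_account}}` — so none of them is parseable JSON, and any JSON linter, schema check or editor run over `testing_policies/` will reject them, whereas the file they replace was named `.json.j2`. Neither `with_fileglob: "testing_policies/*"` nor the `basename|regex_replace('-.*', '')` policy-name derivation in setup-iam.yml depends on the extension, so renaming these to `*-policy.json.j2` costs nothing and restores the previous convention. The same applies to the ec2, ecr, elb, lambda, rds and s3 policy files in this commit.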
@@ -0,0 +1,51 @@
+{# Note that not all EC2 API Actions allow a specific resource #}
+{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowUnspecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AttachInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:DeleteKeyPair",
+ "ec2:DeleteNatGateway",
+ "ec2:Describe*",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:ImportKeyPair",
+ "ec2:ModifyVpcAttribute",
+ "ec2:ReleaseAddress",
+ "ec2:ReplaceRouteTableAssociation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowSpecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateTags",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/ecr-policy.json b/hacking/aws_config/testing_policies/ecr-policy.json
new file mode 100644
index 00000000000..db8204a302d
--- /dev/null
+++ b/hacking/aws_config/testing_policies/ecr-policy.json
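Review bot: `AllowSpecifiedEC2Resource` grants the security-group actions (`ec2:AuthorizeSecurityGroupIngress`, `ec2:DeleteSecurityGroup`, `ec2:RevokeSecurityGroupEgress`, `ec2:RevokeSecurityGroupIngress`) on `arn:aws:ec2:{{aws_region}}:{{aws_account}}:*`, whereas the deleted policy's `AllowManageSecurityGroupsForSetup` statement scoped exactly those actions to `security-group/*`; the widening appears unnecessary for them and is not explained by the header comment, which only covers actions that accept no resource at all. Moving the four security-group actions into their own statement with `"Resource": ["arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*"]` keeps the earlier least-privilege scoping while leaving `RunInstances`, `TerminateInstances`, `CreateTags` and `DeleteRouteTable` on the broad ARN, where they plausibly need several resource types.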
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "UnspecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "SpecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetRepositoryPolicy",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/elb-policy.json b/hacking/aws_config/testing_policies/elb-policy.json
new file mode 100644
index 00000000000..6a844e909f8
--- /dev/null
+++ b/hacking/aws_config/testing_policies/elb-policy.json
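Review bot: `"ecr:DeleteRepositoryPolicy"` appears twice in the `SpecifiedCodeRepositories` action list, a duplicate carried over from the deleted file (which also listed `ecr:DescribeRepositories` three times) but not cleaned up while the statements were being split. IAM tolerates repeated actions, yet the duplicate makes the list look as if two distinct permissions were granted and will trip any policy linter; drop the second `"ecr:DeleteRepositoryPolicy"` line and the trailing comma on the one before it.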
@@ -0,0 +1,31 @@
+{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
+{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
+{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowLoadBalancerOperations",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+ "elasticloadbalancing:DescribeLoadBalancerTags",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/lambda-policy.json b/hacking/aws_config/testing_policies/lambda-policy.json
new file mode 100644
index 00000000000..c03f1b1ab3c
--- /dev/null
+++ b/hacking/aws_config/testing_policies/lambda-policy.json
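Review bot: The second header comment opens a parenthesis it never closes — `{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality) #}` — and the three comment lines are the only record of why `AllowLoadBalancerOperations` moved from the deleted policy's `loadbalancer/ansible-testing-*` ARN to `"Resource": "*"`. Since that move means the test identity can now create, modify and delete any classic load balancer in the account rather than only `ansible-testing-*` ones, the consequence is worth stating next to the justification, e.g. `{# Consequently this statement is not limited to ansible-testing-* load balancers; attach it only to the dedicated test account/group #}`.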
@@ -0,0 +1,77 @@
+{# Only certain lambda actions can be restricted to a specific resource #}
+{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:{{aws_region}}::/*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementWithoutResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:CreateEventSourceMapping",
+ "lambda:GetAccountSettings",
+ "lambda:GetEventSourceMapping",
+ "lambda:ListEventSourceMappings",
+ "lambda:ListFunctions",
+ "lambda:ListTags",
+ "lambda:TagResource",
+ "lambda:UntagResource"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowLambdaManagementWithResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateAlias",
+ "lambda:CreateFunction",
+ "lambda:DeleteAlias",
+ "lambda:DeleteFunction",
+ "lambda:GetAlias",
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:GetPolicy",
+ "lambda:InvokeFunction",
+ "lambda:ListAliases",
+ "lambda:ListVersionsByFunction",
+ "lambda:PublishVersion",
+ "lambda:RemovePermission",
+ "lambda:UpdateAlias",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/rds-policy.json b/hacking/aws_config/testing_policies/rds-policy.json
new file mode 100644
index 00000000000..6284bd56e2d
--- /dev/null
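Review bot: `AllowGetUserForLambdaCreation` now templates the account ID but still hard-codes the user name in `arn:aws:iam::{{aws_account}}:user/ansible_integration_tests`, while setup-iam.yml attaches these policies to an arbitrary `iam_group` whose members may have any name; if the tests call GetUser on the calling identity, any member not named `ansible_integration_tests` will be denied. The IAM policy variable `${aws:username}` is valid in the Resource element and scopes the grant to the caller's own user record: `"arn:aws:iam::{{aws_account}}:user/${aws:username}"`. The `iam:PassRole` statement is correctly narrowed to `role/ansible_lambda_role`; keeping that narrow, rather than templating it into a wildcard, is what prevents the test identity from passing more privileged roles to Lambda. Minor style point: this file writes `"Resource"` as a bare string in two statements and as a one-element array in the others, unlike the sibling policies, which use arrays throughout.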
+++ b/hacking/aws_config/testing_policies/rds-policy.json
@@ -0,0 +1,51 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowRDSModuleTests",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBInstances",
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DeleteDBInstance"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Effect": "Allow",
+ "Action": [
+ "rds:CreateDBInstance",
+ "rds:ModifyDBInstance",
+ "rds:ListTagsForResource",
+ "rds:DescribeDBInstances"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ },
+ {
+ "Sid": "AllowRDSSnapshotManageSnapshots",
+ "Effect": "Allow",
+ "Action": [
+ "rds:DescribeDBSnapshots",
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBSnapshots",
+ "rds:DeleteDBInstance",
+ "rds:CreateDBSnapshot",
+ "rds:DeleteDBSnapshot",
+ "rds:RestoreDBInstanceFromDBSnapshot",
+ "rds:CreateDBInstanceReadReplica"
+ ],
+ "Resource": [
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/s3-policy.json b/hacking/aws_config/testing_policies/s3-policy.json
new file mode 100644
index 00000000000..88b50d0a4ef
--- /dev/null
+++ b/hacking/aws_config/testing_policies/s3-policy.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AlowS3AnsibleTestBuckets",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket",
+ "s3:PutBucketAcl",
+ "s3:CreateBucket",
+ "s3:PutObject",
+ "s3:PutObjectAcl",
+ "s3:DeleteBucket",
+ "s3:DeleteObject"
+ ],
+ "Effect": "Allow",
+ "Resource": [
+ "arn:aws:s3:::ansible_test_*",
+ "arn:aws:s3:::ansible_test_*/*"
+ ]
+ }
+ ]
+}
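Review bot: `"rds:DescribeDBSnapshots"` is listed twice in the `AllowRDSSnapshotManageSnapshots` action list, a leftover from the deleted file that this rewrite otherwise cleans up (the two overlapping `ansible-testing*` statements were correctly merged into `AllowRDSModuleTests`). Remove the second `"rds:DescribeDBSnapshots",` line; the statement's effective permissions do not change, but the list then reads as the set of distinct actions it actually grants.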
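Review bot: The statement identifier `"Sid": "AlowS3AnsibleTestBuckets"` carries over a misspelling from the deleted file; since a Sid is only a label with no effect on evaluation, renaming it to `"Sid": "AllowS3AnsibleTestBuckets"` is safe and keeps it consistent with the `Allow*` Sids in the sibling policies. While here, `"Effect"` is placed after `"Action"` in this statement but before it everywhere else in the set; matching the common order makes the files easier to diff against each other.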