From 0ed1c3ba9c8ebb51f776a45ca158e3d2c546860f Mon Sep 17 00:00:00 2001 From: Will Thames Date: Fri, 14 Jul 2017 14:50:55 +1000 Subject: [PATCH] Split up testing IAM policies and automate creating them (#26223) * Split up testing IAM policies and automate creating them Move to managed policies to avoid the 5KB limit on policies for an IAM entity. The policy file is templated, so need to make sure that there is an easy mechanism to populate the templates and push the new policies. * Update IAM policies for ec2_scaling_policy tests * Fix RouteTable policies DescribeRouteTable should be plural ModifyRouteTable does not exist, but ReplaceRouteTableAssociation does. * Some IAM policies do not allow specified Resources Various IAM policies do not allow Resources to be specified and should just use `*`. This differs per service * [Autoscaling](http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources) * [EC2](http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions) * [ECR](http://docs.aws.amazon.com/AmazonECR/latest/userguide/ecr-supported-iam-actions-resources.html) * [ELB](http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html) * Finish fixing AWS IAM resource specifications for testing Update Lambda and RDS policies --- hacking/aws_config/setup-iam.yml | 51 ++++ hacking/aws_config/testing-iam-policy.json.j2 | 246 ------------------ .../testing_policies/autoscaling-policy.json | 33 +++ .../testing_policies/ec2-policy.json | 51 ++++ .../testing_policies/ecr-policy.json | 28 ++ .../testing_policies/elb-policy.json | 31 +++ .../testing_policies/lambda-policy.json | 77 ++++++ .../testing_policies/rds-policy.json | 51 ++++ .../testing_policies/s3-policy.json | 23 ++ 9 files changed, 345 insertions(+), 246 deletions(-) create mode 100644 hacking/aws_config/setup-iam.yml delete mode 100644 hacking/aws_config/testing-iam-policy.json.j2 create mode 100644 hacking/aws_config/testing_policies/autoscaling-policy.json create mode 100644 hacking/aws_config/testing_policies/ec2-policy.json create mode 100644 hacking/aws_config/testing_policies/ecr-policy.json create mode 100644 hacking/aws_config/testing_policies/elb-policy.json create mode 100644 hacking/aws_config/testing_policies/lambda-policy.json create mode 100644 hacking/aws_config/testing_policies/rds-policy.json create mode 100644 hacking/aws_config/testing_policies/s3-policy.json diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml new file mode 100644 index 00000000000..4b53de945a2 --- /dev/null +++ b/hacking/aws_config/setup-iam.yml @@ -0,0 +1,51 @@ +# Usage: ansible-playbook setup-iam.yml -e iam_group=ansible_test -vv +# +# Creates IAM policies and associates them with iam_group. This group +# can then be associated with an appropriate user +# +# You can pass -e profile=boto_profile_name if you have a profile that +# you can use, otherwise use normal AWS methods (env variables, instance +# profile, etc) +# +# If you want to use a region other than us-east-1 (and only us-east-2 +# works with ansible-test), pass -e region=us-east-2 +# +# Requires 2.4 for iam_managed_policy and iam_group + +- hosts: localhost + connection: local + gather_facts: no + vars: + aws_region: "{{ region|default('us-east-1') }}" + + tasks: + - name: Check that required variables are set + fail: + msg: "You must set the iam_group variable" + when: iam_group is not defined + + - name: Get aws account ID + command: aws sts get-caller-identity --output text --query 'Account' "{{ '--profile=' ~ profile if profile else '' }}" + changed_when: False + register: aws_account_command + + - name: Set aws_account_fact + set_fact: + aws_account: "{{ aws_account_command.stdout }}" + + + - name: Ensure Managed IAM policies exist + iam_managed_policy: + policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy" + policy: "{{ lookup('template', item) }}" + state: present + profile: "{{ profile|default(omit) }}" + with_fileglob: "testing_policies/*" + register: iam_managed_policies + + - name: Ensure IAM group exists and attach managed policies + iam_group: + name: "{{ iam_group }}" + state: present + managed_policy: "{{ iam_managed_policies | json_query('results[].policy.PolicyName') }}" + profile: "{{ profile|default(omit) }}" diff --git a/hacking/aws_config/testing-iam-policy.json.j2 b/hacking/aws_config/testing-iam-policy.json.j2 deleted file mode 100644 index d5534a41e8b..00000000000 --- a/hacking/aws_config/testing-iam-policy.json.j2 +++ /dev/null @@ -1,246 +0,0 @@ -{ - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "AllowDescribeAllEC2", - "Effect": "Allow", - "Action": [ - "ec2:Describe*" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "MiscPrivilegesNeededByEC2Tests", - "Effect": "Allow", - "Action": [ - "ec2:CreateKeyPair", - "ec2:CreateNatGateway", - "ec2:DeleteKeyPair", - "ec2:ImportKeyPair", - "ec2:RunInstances", - "ec2:CreateTags", - "ec2:TerminateInstances", - "ec2:AllocateAddress", - "ec2:AssociateAddress", - "ec2:DisassociateAddress", - "ec2:ReleaseAddress", - "ec2:CreateSubnet", - "ec2:CreateVpc", - "ec2:CreateRouteTable", - "ec2:ModifyRouteTable", - "ec2:DescribeRouteTable", - "ec2:AssociateRouteTable", - "ec2:DisassociateRouteTable", - "ec2:ModifyVpcAttribute", - "ec2:CreateInternetGateway", - "ec2:AttachInternetGateway", - "ec2:DeleteNatGateway" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "AllowManageSecurityGroupsForSetup", - "Effect": "Allow", - "Action": [ - "ec2:DescribeSecurityGroups", - "ec2:CreateSecurityGroup", - "ec2:RevokeSecurityGroupEgress", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup", - "ec2:RevokeSecurityGroupIngress" - ], - "Resource": [ - "arn:aws:ec2:{{aws_region}}:{{aws_account}}:security-group/*" - ] - }, - { - "Sid": "AllowAutoscaling", - "Effect": "Allow", - "Action": [ - "autoscaling:DescribeAutoScalingGroups", - "autoscaling:DescribeLaunchConfigurations", - "autoscaling:CreateLaunchConfiguration", - "autoscaling:CreateAutoScalingGroup", - "autoscaling:UpdateAutoScalingGroup", - "autoscaling:DeleteAutoScalingGroup", - "autoscaling:DeleteLaunchConfiguration" - ], - "Resource": [ - "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*" - ] - }, - { - "Sid": "AllowReadAllLoadBalancers", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:DescribeInstanceHealth" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/*" - ] - }, - { - "Sid": "AllowManagementofOwnLoadBalancers", - "Effect": "Allow", - "Action": [ - "elasticloadbalancing:DescribeLoadBalancers", - "elasticloadbalancing:CreateLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancer", - "elasticloadbalancing:ConfigureHealthCheck", - "elasticloadbalancing:DescribeLoadBalancerAttributes", - "elasticloadbalancing:ModifyLoadBalancerAttributes", - "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", - "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", - "elasticloadbalancing:DeleteLoadBalancerListeners", - "elasticloadbalancing:CreateLoadBalancerListeners", - "elasticloadbalancing:RegisterInstancesWithLoadBalancer", - "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", - "elasticloadbalancing:DescribeInstanceHealth" - ], - "Resource": [ - "arn:aws:elasticloadbalancing:{{aws_region}}:{{aws_account}}:loadbalancer/ansible-testing-*" - ] - }, - { - "Sid": "AllowCodeRepositories", - "Effect": "Allow", - "Action": [ - "ecr:DescribeRepositories", - "ecr:CreateRepository", - "ecr:DescribeRepositories", - "ecr:GetRepositoryPolicy", - "ecr:DescribeRepositories", - "ecr:SetRepositoryPolicy", - "ecr:DeleteRepository", - "ecr:DeleteRepositoryPolicy", - "ecr:DeleteRepositoryPolicy" - ], - "Resource": [ - "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*" - ] - }, - { - "Sid": "AllowOldRDSModule", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBInstances", - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:DeleteDBInstance" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" - ] - }, - { - "Sid": "AllowRDSModuleCompatibilityTests", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBInstances", - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:ListTagsForResource", - "rds:DeleteDBInstance" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" - ] - }, - { - "Sid": "AllowRDSInstanceManageOwnInstance", - "Effect": "Allow", - "Action": [ - "rds:CreateDBInstance", - "rds:ModifyDBInstance", - "rds:ListTagsForResource", - "rds:DescribeDBInstances" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" - ] - }, - { - "Sid": "AllowRDSSnapshotManageSnapshots", - "Effect": "Allow", - "Action": [ - "rds:DescribeDBSnapshots", - "rds:DescribeDBInstances", - "rds:DescribeDBSnapshots", - "rds:DeleteDBInstance", - "rds:CreateDBSnapshot", - "rds:DeleteDBSnapshot", - "rds:RestoreDBInstanceFromDBSnapshot", - "rds:CreateDBInstanceReadReplica" - ], - "Resource": [ - "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*", - "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*", - "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" - ] - }, - { - "Sid": "AlowS3AnsibleTestBuckets", - "Action": [ - "s3:GetObject", - "s3:ListBucket", - "s3:PutBucketAcl", - "s3:CreateBucket", - "s3:PutObject", - "s3:PutObjectAcl", - "s3:DeleteBucket", - "s3:DeleteObject" - ], - "Effect": "Allow", - "Resource": [ - "arn:aws:s3:::ansible_test_*", - "arn:aws:s3:::ansible_test_*/*" - ] - }, - { - "Sid": "AllowApiGateway", - "Effect": "Allow", - "Action": [ - "apigateway:*" - ], - "Resource": [ - "arn:aws:apigateway:us-east-1::*" - ] - }, - { - "Sid": "AllowGetUserForLambdaCreation", - "Effect": "Allow", - "Action": [ - "iam:GetUser" - ], - "Resource": [ - "arn:aws:iam::459030870916:user/ansible_integration_tests" - ] - }, - { - "Sid": "AllowLambdaManagementxxxWildcardDoesntWorkRight", - "Effect": "Allow", - "Action": [ - "lambda:*" - ], - "Resource": [ - "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*" - ] - }, - { - "Sid": "AllowLambdaRoleManagement", - "Effect": "Allow", - "Action": [ - "iam:PassRole" - ], - "Resource": [ - "arn:aws:iam::459030870916:role/ansible_lambda_role" - ] - } - ] -} diff --git a/hacking/aws_config/testing_policies/autoscaling-policy.json b/hacking/aws_config/testing_policies/autoscaling-policy.json new file mode 100644 index 00000000000..650b9eda139 --- /dev/null +++ b/hacking/aws_config/testing_policies/autoscaling-policy.json @@ -0,0 +1,33 @@ +{# Not all Autoscaling API Actions allow specified resources #} +{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeAutoscaling", + "Effect": "Allow", + "Action": [ + "autoscaling:DescribeAutoScalingGroups", + "autoscaling:DescribeLaunchConfigurations", + "autoscaling:DescribePolicies" + ], + "Resource": "*" + }, + { + "Sid": "AllowAutoscaling", + "Effect": "Allow", + "Action": [ + "autoscaling:CreateLaunchConfiguration", + "autoscaling:CreateAutoScalingGroup", + "autoscaling:UpdateAutoScalingGroup", + "autoscaling:DeleteAutoScalingGroup", + "autoscaling:DeleteLaunchConfiguration", + "autoscaling:PutScalingPolicy", + "autoscaling:DeletePolicy" + ], + "Resource": [ + "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json new file mode 100644 index 00000000000..099e78b159b --- /dev/null +++ b/hacking/aws_config/testing_policies/ec2-policy.json @@ -0,0 +1,51 @@ +{# Note that not all EC2 API Actions allow a specific resource #} +{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowUnspecifiedEC2Resource", + "Effect": "Allow", + "Action": [ + "ec2:AllocateAddress", + "ec2:AssociateAddress", + "ec2:AssociateRouteTable", + "ec2:AttachInternetGateway", + "ec2:CreateInternetGateway", + "ec2:CreateKeyPair", + "ec2:CreateNatGateway", + "ec2:CreateRouteTable", + "ec2:CreateSecurityGroup", + "ec2:CreateSubnet", + "ec2:CreateVpc", + "ec2:DeleteKeyPair", + "ec2:DeleteNatGateway", + "ec2:Describe*", + "ec2:DisassociateAddress", + "ec2:DisassociateRouteTable", + "ec2:ImportKeyPair", + "ec2:ModifyVpcAttribute", + "ec2:ReleaseAddress", + "ec2:ReplaceRouteTableAssociation" + ], + "Resource": "*" + }, + { + "Sid": "AllowSpecifiedEC2Resource", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:CreateTags", + "ec2:DeleteRouteTable", + "ec2:DeleteSecurityGroup", + "ec2:RevokeSecurityGroupEgress", + "ec2:RevokeSecurityGroupIngress", + "ec2:RunInstances", + "ec2:TerminateInstances" + ], + "Resource": [ + "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/ecr-policy.json b/hacking/aws_config/testing_policies/ecr-policy.json new file mode 100644 index 00000000000..db8204a302d --- /dev/null +++ b/hacking/aws_config/testing_policies/ecr-policy.json @@ -0,0 +1,28 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "UnspecifiedCodeRepositories", + "Effect": "Allow", + "Action": [ + "ecr:DescribeRepositories", + "ecr:CreateRepository" + ], + "Resource": "*" + }, + { + "Sid": "SpecifiedCodeRepositories", + "Effect": "Allow", + "Action": [ + "ecr:GetRepositoryPolicy", + "ecr:SetRepositoryPolicy", + "ecr:DeleteRepository", + "ecr:DeleteRepositoryPolicy", + "ecr:DeleteRepositoryPolicy" + ], + "Resource": [ + "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/elb-policy.json b/hacking/aws_config/testing_policies/elb-policy.json new file mode 100644 index 00000000000..6a844e909f8 --- /dev/null +++ b/hacking/aws_config/testing_policies/elb-policy.json @@ -0,0 +1,31 @@ +{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #} +{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #} +{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowLoadBalancerOperations", + "Effect": "Allow", + "Action": [ + "elasticloadbalancing:ConfigureHealthCheck", + "elasticloadbalancing:CreateLoadBalancer", + "elasticloadbalancing:CreateLoadBalancerListeners", + "elasticloadbalancing:DeleteLoadBalancer", + "elasticloadbalancing:DeleteLoadBalancerListeners", + "elasticloadbalancing:DeregisterInstancesFromLoadBalancer", + "elasticloadbalancing:DescribeInstanceHealth", + "elasticloadbalancing:DescribeLoadBalancerAttributes", + "elasticloadbalancing:DescribeLoadBalancerPolicies", + "elasticloadbalancing:DescribeLoadBalancerPolicyTypes", + "elasticloadbalancing:DescribeLoadBalancerTags", + "elasticloadbalancing:DescribeLoadBalancers", + "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer", + "elasticloadbalancing:ModifyLoadBalancerAttributes", + "elasticloadbalancing:RegisterInstancesWithLoadBalancer" + ], + "Resource": "*" + } + ] +} diff --git a/hacking/aws_config/testing_policies/lambda-policy.json b/hacking/aws_config/testing_policies/lambda-policy.json new file mode 100644 index 00000000000..c03f1b1ab3c --- /dev/null +++ b/hacking/aws_config/testing_policies/lambda-policy.json @@ -0,0 +1,77 @@ +{# Only certain lambda actions can be restricted to a specific resource #} +{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #} +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowApiGateway", + "Effect": "Allow", + "Action": [ + "apigateway:*" + ], + "Resource": [ + "arn:aws:apigateway:{{aws_region}}::/*" + ] + }, + { + "Sid": "AllowGetUserForLambdaCreation", + "Effect": "Allow", + "Action": [ + "iam:GetUser" + ], + "Resource": [ + "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests" + ] + }, + { + "Sid": "AllowLambdaManagementWithoutResource", + "Effect": "Allow", + "Action": [ + "lambda:CreateEventSourceMapping", + "lambda:GetAccountSettings", + "lambda:GetEventSourceMapping", + "lambda:ListEventSourceMappings", + "lambda:ListFunctions", + "lambda:ListTags", + "lambda:TagResource", + "lambda:UntagResource" + ], + "Resource": "*" + }, + { + "Sid": "AllowLambdaManagementWithResource", + "Effect": "Allow", + "Action": [ + "lambda:AddPermission", + "lambda:CreateAlias", + "lambda:CreateFunction", + "lambda:DeleteAlias", + "lambda:DeleteFunction", + "lambda:GetAlias", + "lambda:GetFunction", + "lambda:GetFunctionConfiguration", + "lambda:GetPolicy", + "lambda:InvokeFunction", + "lambda:ListAliases", + "lambda:ListVersionsByFunction", + "lambda:PublishVersion", + "lambda:RemovePermission", + "lambda:UpdateAlias", + "lambda:UpdateEventSourceMapping", + "lambda:UpdateFunctionCode", + "lambda:UpdateFunctionConfiguration" + ], + "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*" + }, + { + "Sid": "AllowLambdaRoleManagement", + "Effect": "Allow", + "Action": [ + "iam:PassRole" + ], + "Resource": [ + "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/rds-policy.json b/hacking/aws_config/testing_policies/rds-policy.json new file mode 100644 index 00000000000..6284bd56e2d --- /dev/null +++ b/hacking/aws_config/testing_policies/rds-policy.json @@ -0,0 +1,51 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AllowRDSModuleTests", + "Effect": "Allow", + "Action": [ + "rds:DescribeDBInstances", + "rds:CreateDBInstance", + "rds:ModifyDBInstance", + "rds:ListTagsForResource", + "rds:DeleteDBInstance" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*" + ] + }, + { + "Sid": "AllowRDSInstanceManageOwnInstance", + "Effect": "Allow", + "Action": [ + "rds:CreateDBInstance", + "rds:ModifyDBInstance", + "rds:ListTagsForResource", + "rds:DescribeDBInstances" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" + ] + }, + { + "Sid": "AllowRDSSnapshotManageSnapshots", + "Effect": "Allow", + "Action": [ + "rds:DescribeDBSnapshots", + "rds:DescribeDBInstances", + "rds:DescribeDBSnapshots", + "rds:DeleteDBInstance", + "rds:CreateDBSnapshot", + "rds:DeleteDBSnapshot", + "rds:RestoreDBInstanceFromDBSnapshot", + "rds:CreateDBInstanceReadReplica" + ], + "Resource": [ + "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*", + "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*", + "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*" + ] + } + ] +} diff --git a/hacking/aws_config/testing_policies/s3-policy.json b/hacking/aws_config/testing_policies/s3-policy.json new file mode 100644 index 00000000000..88b50d0a4ef --- /dev/null +++ b/hacking/aws_config/testing_policies/s3-policy.json @@ -0,0 +1,23 @@ +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "AlowS3AnsibleTestBuckets", + "Action": [ + "s3:GetObject", + "s3:ListBucket", + "s3:PutBucketAcl", + "s3:CreateBucket", + "s3:PutObject", + "s3:PutObjectAcl", + "s3:DeleteBucket", + "s3:DeleteObject" + ], + "Effect": "Allow", + "Resource": [ + "arn:aws:s3:::ansible_test_*", + "arn:aws:s3:::ansible_test_*/*" + ] + } + ] +}