From 1ca0c0e7f7c90870a4bc9b8e649ce59c6917351c Mon Sep 17 00:00:00 2001
From: Will Thames
Date: Wed, 22 Nov 2017 08:15:31 +1000
Subject: [PATCH] Consolidate IAM policies into fewer, larger policies (#33122)
Due to IAM limits allowing at most 10 policies per group, need to reduce the number of total policies in use.
---
hacking/aws_config/setup-iam.yml | 4 +-
.../testing_policies/autoscaling-policy.json | 33 ---
.../testing_policies/compute-policy.json | 222 ++++++++++++++++++
.../{rds-policy.json => database-policy.json} | 0
.../testing_policies/ec2-policy.json | 73 ------
.../testing_policies/ecr-policy.json | 28 ---
.../testing_policies/elb-policy.json | 31 ---
.../testing_policies/lambda-policy.json | 77 ------
.../{s3-policy.json => storage-policy.json} | 0
9 files changed, 224 insertions(+), 244 deletions(-)
delete mode 100644 hacking/aws_config/testing_policies/autoscaling-policy.json
create mode 100644 hacking/aws_config/testing_policies/compute-policy.json
rename hacking/aws_config/testing_policies/{rds-policy.json => database-policy.json} (100%)
delete mode 100644 hacking/aws_config/testing_policies/ec2-policy.json
delete mode 100644 hacking/aws_config/testing_policies/ecr-policy.json
delete mode 100644 hacking/aws_config/testing_policies/elb-policy.json
delete mode 100644 hacking/aws_config/testing_policies/lambda-policy.json
rename hacking/aws_config/testing_policies/{s3-policy.json => storage-policy.json} (100%)
diff --git a/hacking/aws_config/setup-iam.yml b/hacking/aws_config/setup-iam.yml
index 54c5950e85e..8132e27bb50 100644
--- a/hacking/aws_config/setup-iam.yml
+++ b/hacking/aws_config/setup-iam.yml
@@ -36,11 +36,11 @@ - name: Ensure Managed IAM policies exist iam_managed_policy: - policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy" + policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy" policy: "{{ lookup('template', item) }}" state: present profile: "{{ profile|default(omit) }}" - with_fileglob: "testing_policies/*" + with_fileglob: "testing_policies/*.json" register: iam_managed_policies - debug:
diff --git a/hacking/aws_config/testing_policies/autoscaling-policy.json b/hacking/aws_config/testing_policies/autoscaling-policy.json
deleted file mode 100644
index 650b9eda139..00000000000
--- a/hacking/aws_config/testing_policies/autoscaling-policy.json
+++ /dev/null
@@ -1,33 +0,0 @@
-{# Not all Autoscaling API Actions allow specified resources #}
-{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "DescribeAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:DescribeAutoScalingGroups",
- "autoscaling:DescribeLaunchConfigurations",
- "autoscaling:DescribePolicies"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAutoscaling",
- "Effect": "Allow",
- "Action": [
- "autoscaling:CreateLaunchConfiguration",
- "autoscaling:CreateAutoScalingGroup",
- "autoscaling:UpdateAutoScalingGroup",
- "autoscaling:DeleteAutoScalingGroup",
- "autoscaling:DeleteLaunchConfiguration",
- "autoscaling:PutScalingPolicy",
- "autoscaling:DeletePolicy"
- ],
- "Resource": [
- "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/compute-policy.json b/hacking/aws_config/testing_policies/compute-policy.json
new file mode 100644
index 00000000000..5e2b2afc2fa
--- /dev/null
+++ b/hacking/aws_config/testing_policies/compute-policy.json
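Review bot: The `policy_name` expression on the `+ policy_name:` line derives the managed-policy name from the file's basename up to the first `-`, so any two files in `testing_policies/` sharing that prefix (say, a constructed `compute-a.json` and `compute-b.json`) would resolve to the same AnsibleTest…Policy name and the later one would silently overwrite the earlier policy document; a comment such as `# policy name is the basename up to the first '-': keep that prefix unique per file` would make the constraint visible. Separately, the switch from `upper` to `capitalize` together with the file renames means every policy now gets a new name (AnsibleTestDatabasePolicy instead of AnsibleTestRDSPolicy, and so on), and nothing in this hunk removes the previously created policies, so they presumably remain in the account and attached to the group, which is the very per-group quota the commit is trying to relieve; worth confirming the rest of the playbook handles that cleanup. The enclosing task list continues outside the hunk.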
@@ -0,0 +1,222 @@
+{# Not all Autoscaling API Actions allow specified resources #}
+{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "DescribeAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeLaunchConfigurations",
+ "autoscaling:DescribePolicies"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAutoscaling",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:CreateLaunchConfiguration",
+ "autoscaling:CreateAutoScalingGroup",
+ "autoscaling:UpdateAutoScalingGroup",
+ "autoscaling:DeleteAutoScalingGroup",
+ "autoscaling:DeleteLaunchConfiguration",
+ "autoscaling:PutScalingPolicy",
+ "autoscaling:DeletePolicy"
+ ],
+ "Resource": [
+ "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+{# Note that not all EC2 API Actions allow a specific resource #}
+{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
+ {
+ "Sid": "AllowUnspecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AssociateVpcCidrBlock",
+ "ec2:AssociateSubnetCidrBlock",
+ "ec2:AttachInternetGateway",
+ "ec2:CreateImage",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateKeyPair",
+ "ec2:CreateNatGateway",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateSnapshot",
+ "ec2:CreateSubnet",
+ "ec2:CreateTags",
+ "ec2:CreateVpc",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteKeyPair",
+ "ec2:DeleteNatGateway",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSnapshot",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteTags",
+ "ec2:DeleteVpc",
+ "ec2:DeleteTags",
+ "ec2:DeregisterImage",
+ "ec2:DetachInternetGateway",
+ "ec2:Describe*",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:ImportKeyPair",
+ "ec2:ModifyImageAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:RegisterImage",
+ "ec2:ReleaseAddress",
+ "ec2:ReplaceRouteTableAssociation"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowSpecifiedEC2Resource",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:CreateTags",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSecurityGroup",
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:RunInstances",
+ "ec2:TerminateInstances",
+ "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
+ "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
+ ],
+ "Resource": [
+ "arn:aws:ec2:{{aws_region}}::image/*",
+ "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+ ]
+ },
+ {
+ "Sid": "UnspecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:DescribeRepositories",
+ "ecr:CreateRepository"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "SpecifiedCodeRepositories",
+ "Effect": "Allow",
+ "Action": [
+ "ecr:GetRepositoryPolicy",
+ "ecr:SetRepositoryPolicy",
+ "ecr:DeleteRepository",
+ "ecr:DeleteRepositoryPolicy",
+ "ecr:DeleteRepositoryPolicy"
+ ],
+ "Resource": [
+ "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+ ]
+ },
+{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
+{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
+{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
+ {
+ "Sid": "AllowLoadBalancerOperations",
+ "Effect": "Allow",
+ "Action": [
+ "elasticloadbalancing:ConfigureHealthCheck",
+ "elasticloadbalancing:CreateLoadBalancer",
+ "elasticloadbalancing:CreateLoadBalancerListeners",
+ "elasticloadbalancing:DeleteLoadBalancer",
+ "elasticloadbalancing:DeleteLoadBalancerListeners",
+ "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+ "elasticloadbalancing:DescribeInstanceHealth",
+ "elasticloadbalancing:DescribeLoadBalancerAttributes",
+ "elasticloadbalancing:DescribeLoadBalancerPolicies",
+ "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+ "elasticloadbalancing:DescribeLoadBalancerTags",
+ "elasticloadbalancing:DescribeLoadBalancers",
+ "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+ "elasticloadbalancing:ModifyLoadBalancerAttributes",
+ "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+ ],
+ "Resource": "*"
+ },
+{# Only certain lambda actions can be restricted to a specific resource #}
+{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
+ {
+ "Sid": "AllowApiGateway",
+ "Effect": "Allow",
+ "Action": [
+ "apigateway:*"
+ ],
+ "Resource": [
+ "arn:aws:apigateway:{{aws_region}}::/*"
+ ]
+ },
+ {
+ "Sid": "AllowGetUserForLambdaCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetUser"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
+ ]
+ },
+ {
+ "Sid": "AllowLambdaManagementWithoutResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:CreateEventSourceMapping",
+ "lambda:GetAccountSettings",
+ "lambda:GetEventSourceMapping",
+ "lambda:ListEventSourceMappings",
+ "lambda:ListFunctions",
+ "lambda:ListTags",
+ "lambda:TagResource",
+ "lambda:UntagResource"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowLambdaManagementWithResource",
+ "Effect": "Allow",
+ "Action": [
+ "lambda:AddPermission",
+ "lambda:CreateAlias",
+ "lambda:CreateFunction",
+ "lambda:DeleteAlias",
+ "lambda:DeleteFunction",
+ "lambda:GetAlias",
+ "lambda:GetFunction",
+ "lambda:GetFunctionConfiguration",
+ "lambda:GetPolicy",
+ "lambda:InvokeFunction",
+ "lambda:ListAliases",
+ "lambda:ListVersionsByFunction",
+ "lambda:PublishVersion",
+ "lambda:RemovePermission",
+ "lambda:UpdateAlias",
+ "lambda:UpdateEventSourceMapping",
+ "lambda:UpdateFunctionCode",
+ "lambda:UpdateFunctionConfiguration"
+ ],
+ "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+ },
+ {
+ "Sid": "AllowLambdaRoleManagement",
+ "Effect": "Allow",
+ "Action": [
+ "iam:PassRole"
+ ],
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
+ ]
+ }
+ ]
+}
diff --git a/hacking/aws_config/testing_policies/rds-policy.json b/hacking/aws_config/testing_policies/database-policy.json
similarity index 100%
rename from hacking/aws_config/testing_policies/rds-policy.json
rename to hacking/aws_config/testing_policies/database-policy.json
diff --git a/hacking/aws_config/testing_policies/ec2-policy.json b/hacking/aws_config/testing_policies/ec2-policy.json
deleted file mode 100644
index 54c8c53fba1..00000000000
--- a/hacking/aws_config/testing_policies/ec2-policy.json
+++ /dev/null
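Review bot: The merged policy carries duplicated entries — `"ec2:DeleteTags",` appears twice in AllowUnspecifiedEC2Resource and `"ecr:DeleteRepositoryPolicy",` twice in SpecifiedCodeRepositories — and `ec2:CreateTags` and `ec2:DeleteRouteTable` are listed both in AllowUnspecifiedEC2Resource under `"Resource": "*"` and again in the ARN-scoped AllowSpecifiedEC2Resource, so the scoped grant for those two actions adds nothing because the wildcard statement already allows them on any resource. Dropping the repeated lines and deciding which statement should own CreateTags and DeleteRouteTable (if resource scoping is the intent, remove them from the `*` statement) would make the effective permissions match what the Sids suggest. These overlaps are inherited from the deleted ec2-policy.json and ecr-policy.json rather than introduced here, but the consolidation is the natural place to clean them up. One more thing to check when merging documents this way: an IAM managed policy is capped at 6,144 characters of non-whitespace content, and a 222-line template that renders into a single policy is close enough to that ceiling that the rendered size is worth verifying before further statements are folded in.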
@@ -1,73 +0,0 @@
-{# Note that not all EC2 API Actions allow a specific resource #}
-{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowUnspecifiedEC2Resource",
- "Effect": "Allow",
- "Action": [
- "ec2:AllocateAddress",
- "ec2:AssociateAddress",
- "ec2:AssociateRouteTable",
- "ec2:AssociateVpcCidrBlock",
- "ec2:AssociateSubnetCidrBlock",
- "ec2:CreateImage",
- "ec2:AttachInternetGateway",
- "ec2:CreateInternetGateway",
- "ec2:CreateKeyPair",
- "ec2:CreateNatGateway",
- "ec2:CreateRoute",
- "ec2:CreateRouteTable",
- "ec2:CreateSecurityGroup",
- "ec2:CreateSnapshot",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
- "ec2:CreateVpc",
- "ec2:DeleteKeyPair",
- "ec2:DeleteInternetGateway",
- "ec2:DeleteNatGateway",
- "ec2:DeleteSnapshot",
- "ec2:DeleteSubnet",
- "ec2:DeleteRoute",
- "ec2:DeleteRouteTable",
- "ec2:DeleteTags",
- "ec2:DeleteVpc",
- "ec2:DeleteTags",
- "ec2:DeregisterImage",
- "ec2:Describe*",
- "ec2:DetachInternetGateway",
- "ec2:DisassociateAddress",
- "ec2:DisassociateRouteTable",
- "ec2:ImportKeyPair",
- "ec2:ModifyImageAttribute",
- "ec2:ModifyVpcAttribute",
- "ec2:RegisterImage",
- "ec2:ReleaseAddress",
- "ec2:ReplaceRouteTableAssociation"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowSpecifiedEC2Resource",
- "Effect": "Allow",
- "Action": [
- "ec2:AuthorizeSecurityGroupIngress",
- "ec2:AuthorizeSecurityGroupEgress",
- "ec2:CreateTags",
- "ec2:DeleteRouteTable",
- "ec2:DeleteSecurityGroup",
- "ec2:RevokeSecurityGroupEgress",
- "ec2:RevokeSecurityGroupIngress",
- "ec2:RunInstances",
- "ec2:TerminateInstances",
- "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
- "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
- ],
- "Resource": [
- "arn:aws:ec2:{{aws_region}}::image/*",
- "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/ecr-policy.json b/hacking/aws_config/testing_policies/ecr-policy.json
deleted file mode 100644
index db8204a302d..00000000000
--- a/hacking/aws_config/testing_policies/ecr-policy.json
+++ /dev/null
@@ -1,28 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "UnspecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:DescribeRepositories",
- "ecr:CreateRepository"
- ],
- "Resource": "*"
- },
- {
- "Sid": "SpecifiedCodeRepositories",
- "Effect": "Allow",
- "Action": [
- "ecr:GetRepositoryPolicy",
- "ecr:SetRepositoryPolicy",
- "ecr:DeleteRepository",
- "ecr:DeleteRepositoryPolicy",
- "ecr:DeleteRepositoryPolicy"
- ],
- "Resource": [
- "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/elb-policy.json b/hacking/aws_config/testing_policies/elb-policy.json
deleted file mode 100644
index 6a844e909f8..00000000000
--- a/hacking/aws_config/testing_policies/elb-policy.json
+++ /dev/null
@@ -1,31 +0,0 @@
-{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
-{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
-{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowLoadBalancerOperations",
- "Effect": "Allow",
- "Action": [
- "elasticloadbalancing:ConfigureHealthCheck",
- "elasticloadbalancing:CreateLoadBalancer",
- "elasticloadbalancing:CreateLoadBalancerListeners",
- "elasticloadbalancing:DeleteLoadBalancer",
- "elasticloadbalancing:DeleteLoadBalancerListeners",
- "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
- "elasticloadbalancing:DescribeInstanceHealth",
- "elasticloadbalancing:DescribeLoadBalancerAttributes",
- "elasticloadbalancing:DescribeLoadBalancerPolicies",
- "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
- "elasticloadbalancing:DescribeLoadBalancerTags",
- "elasticloadbalancing:DescribeLoadBalancers",
- "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
- "elasticloadbalancing:ModifyLoadBalancerAttributes",
- "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/lambda-policy.json b/hacking/aws_config/testing_policies/lambda-policy.json
deleted file mode 100644
index c03f1b1ab3c..00000000000
--- a/hacking/aws_config/testing_policies/lambda-policy.json
+++ /dev/null
@@ -1,77 +0,0 @@
-{# Only certain lambda actions can be restricted to a specific resource #}
-{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowApiGateway",
- "Effect": "Allow",
- "Action": [
- "apigateway:*"
- ],
- "Resource": [
- "arn:aws:apigateway:{{aws_region}}::/*"
- ]
- },
- {
- "Sid": "AllowGetUserForLambdaCreation",
- "Effect": "Allow",
- "Action": [
- "iam:GetUser"
- ],
- "Resource": [
- "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
- ]
- },
- {
- "Sid": "AllowLambdaManagementWithoutResource",
- "Effect": "Allow",
- "Action": [
- "lambda:CreateEventSourceMapping",
- "lambda:GetAccountSettings",
- "lambda:GetEventSourceMapping",
- "lambda:ListEventSourceMappings",
- "lambda:ListFunctions",
- "lambda:ListTags",
- "lambda:TagResource",
- "lambda:UntagResource"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowLambdaManagementWithResource",
- "Effect": "Allow",
- "Action": [
- "lambda:AddPermission",
- "lambda:CreateAlias",
- "lambda:CreateFunction",
- "lambda:DeleteAlias",
- "lambda:DeleteFunction",
- "lambda:GetAlias",
- "lambda:GetFunction",
- "lambda:GetFunctionConfiguration",
- "lambda:GetPolicy",
- "lambda:InvokeFunction",
- "lambda:ListAliases",
- "lambda:ListVersionsByFunction",
- "lambda:PublishVersion",
- "lambda:RemovePermission",
- "lambda:UpdateAlias",
- "lambda:UpdateEventSourceMapping",
- "lambda:UpdateFunctionCode",
- "lambda:UpdateFunctionConfiguration"
- ],
- "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
- },
- {
- "Sid": "AllowLambdaRoleManagement",
- "Effect": "Allow",
- "Action": [
- "iam:PassRole"
- ],
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
- ]
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/s3-policy.json b/hacking/aws_config/testing_policies/storage-policy.json
similarity index 100%
rename from hacking/aws_config/testing_policies/s3-policy.json
rename to hacking/aws_config/testing_policies/storage-policy.json