Consolidate IAM policies into fewer, larger policies (#33122)

Due to IAM limits allowing at most 10 policies per group, need to reduce the number of total policies in use.
7 years ago · 1ca0c0e7f7
parent 0962a0d816
commit 1ca0c0e7f7
9 changed files with 224 additions and 244 deletions
--- a/hacking/aws_config/setup-iam.yml
+++ b/hacking/aws_config/setup-iam.yml
@ -36,11 +36,11 @@

    - name: Ensure Managed IAM policies exist
      iam_managed_policy:
-        policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|upper }}Policy"
+        policy_name: "AnsibleTest{{ item|basename|regex_replace('-.*', '')|capitalize }}Policy"
        policy: "{{ lookup('template', item) }}"
        state: present
        profile: "{{ profile|default(omit) }}"
-      with_fileglob: "testing_policies/*"
+      with_fileglob: "testing_policies/*.json"
      register: iam_managed_policies

    - debug:
--- a/hacking/aws_config/testing_policies/autoscaling-policy.json
+++ b/hacking/aws_config/testing_policies/autoscaling-policy.json
@ -1,33 +0,0 @@
-{# Not all Autoscaling API Actions allow specified resources #}
-{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "DescribeAutoscaling",
-            "Effect": "Allow",
-            "Action": [
-                "autoscaling:DescribeAutoScalingGroups",
-                "autoscaling:DescribeLaunchConfigurations",
-                "autoscaling:DescribePolicies"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "AllowAutoscaling",
-            "Effect": "Allow",
-            "Action": [
-                "autoscaling:CreateLaunchConfiguration",
-                "autoscaling:CreateAutoScalingGroup",
-                "autoscaling:UpdateAutoScalingGroup",
-                "autoscaling:DeleteAutoScalingGroup",
-                "autoscaling:DeleteLaunchConfiguration",
-                "autoscaling:PutScalingPolicy",
-                "autoscaling:DeletePolicy"
-            ],
-            "Resource": [
-                "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
-            ]
-        }
-    ]
-}
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@ -0,0 +1,222 @@
+{# Not all Autoscaling API Actions allow specified resources #}
+{# See http://docs.aws.amazon.com/autoscaling/latest/userguide/control-access-using-iam.html#policy-auto-scaling-resources #}
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "DescribeAutoscaling",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:DescribeAutoScalingGroups",
+                "autoscaling:DescribeLaunchConfigurations",
+                "autoscaling:DescribePolicies"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowAutoscaling",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:CreateLaunchConfiguration",
+                "autoscaling:CreateAutoScalingGroup",
+                "autoscaling:UpdateAutoScalingGroup",
+                "autoscaling:DeleteAutoScalingGroup",
+                "autoscaling:DeleteLaunchConfiguration",
+                "autoscaling:PutScalingPolicy",
+                "autoscaling:DeletePolicy"
+            ],
+            "Resource": [
+                "arn:aws:autoscaling:{{aws_region}}:{{aws_account}}:*"
+            ]
+        },
+{# Note that not all EC2 API Actions allow a specific resource #}
+{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
+        {
+            "Sid": "AllowUnspecifiedEC2Resource",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AllocateAddress",
+                "ec2:AssociateAddress",
+                "ec2:AssociateRouteTable",
+                "ec2:AssociateVpcCidrBlock",
+                "ec2:AssociateSubnetCidrBlock",
+                "ec2:AttachInternetGateway",
+                "ec2:CreateImage",
+                "ec2:CreateInternetGateway",
+                "ec2:CreateKeyPair",
+                "ec2:CreateNatGateway",
+                "ec2:CreateRoute",
+                "ec2:CreateRouteTable",
+                "ec2:CreateSecurityGroup",
+                "ec2:CreateSnapshot",
+                "ec2:CreateSubnet",
+                "ec2:CreateTags",
+                "ec2:CreateVpc",
+                "ec2:DeleteInternetGateway",
+                "ec2:DeleteKeyPair",
+                "ec2:DeleteNatGateway",
+                "ec2:DeleteRoute",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSnapshot",
+                "ec2:DeleteSubnet",
+                "ec2:DeleteTags",
+                "ec2:DeleteVpc",
+                "ec2:DeleteTags",
+                "ec2:DeregisterImage",
+                "ec2:DetachInternetGateway",
+                "ec2:Describe*",
+                "ec2:DisassociateAddress",
+                "ec2:DisassociateRouteTable",
+                "ec2:ImportKeyPair",
+                "ec2:ModifyImageAttribute",
+                "ec2:ModifyVpcAttribute",
+                "ec2:RegisterImage",
+                "ec2:ReleaseAddress",
+                "ec2:ReplaceRouteTableAssociation"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowSpecifiedEC2Resource",
+            "Effect": "Allow",
+            "Action": [
+                "ec2:AuthorizeSecurityGroupIngress",
+                "ec2:AuthorizeSecurityGroupEgress",
+                "ec2:CreateTags",
+                "ec2:DeleteRouteTable",
+                "ec2:DeleteSecurityGroup",
+                "ec2:RevokeSecurityGroupEgress",
+                "ec2:RevokeSecurityGroupIngress",
+                "ec2:RunInstances",
+                "ec2:TerminateInstances",
+                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
+                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
+            ],
+            "Resource": [
+                "arn:aws:ec2:{{aws_region}}::image/*",
+                "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
+            ]
+        },
+        {
+            "Sid": "UnspecifiedCodeRepositories",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:DescribeRepositories",
+                "ecr:CreateRepository"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "SpecifiedCodeRepositories",
+            "Effect": "Allow",
+            "Action": [
+                "ecr:GetRepositoryPolicy",
+                "ecr:SetRepositoryPolicy",
+                "ecr:DeleteRepository",
+                "ecr:DeleteRepositoryPolicy",
+                "ecr:DeleteRepositoryPolicy"
+            ],
+            "Resource": [
+                "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
+            ]
+        },
+{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
+{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
+{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
+        {
+            "Sid": "AllowLoadBalancerOperations",
+            "Effect": "Allow",
+            "Action": [
+                "elasticloadbalancing:ConfigureHealthCheck",
+                "elasticloadbalancing:CreateLoadBalancer",
+                "elasticloadbalancing:CreateLoadBalancerListeners",
+                "elasticloadbalancing:DeleteLoadBalancer",
+                "elasticloadbalancing:DeleteLoadBalancerListeners",
+                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
+                "elasticloadbalancing:DescribeInstanceHealth",
+                "elasticloadbalancing:DescribeLoadBalancerAttributes",
+                "elasticloadbalancing:DescribeLoadBalancerPolicies",
+                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
+                "elasticloadbalancing:DescribeLoadBalancerTags",
+                "elasticloadbalancing:DescribeLoadBalancers",
+                "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
+                "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
+                "elasticloadbalancing:ModifyLoadBalancerAttributes",
+                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
+            ],
+            "Resource": "*"
+        },
+{# Only certain lambda actions can be restricted to a specific resource #}
+{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
+        {
+            "Sid": "AllowApiGateway",
+            "Effect": "Allow",
+            "Action": [
+                "apigateway:*"
+            ],
+            "Resource": [
+                "arn:aws:apigateway:{{aws_region}}::/*"
+            ]
+        },
+        {
+            "Sid": "AllowGetUserForLambdaCreation",
+            "Effect": "Allow",
+            "Action": [
+                "iam:GetUser"
+            ],
+            "Resource": [
+                "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
+            ]
+        },
+        {
+            "Sid": "AllowLambdaManagementWithoutResource",
+            "Effect": "Allow",
+            "Action": [
+                "lambda:CreateEventSourceMapping",
+                "lambda:GetAccountSettings",
+                "lambda:GetEventSourceMapping",
+                "lambda:ListEventSourceMappings",
+                "lambda:ListFunctions",
+                "lambda:ListTags",
+                "lambda:TagResource",
+                "lambda:UntagResource"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Sid": "AllowLambdaManagementWithResource",
+            "Effect": "Allow",
+            "Action": [
+                "lambda:AddPermission",
+                "lambda:CreateAlias",
+                "lambda:CreateFunction",
+                "lambda:DeleteAlias",
+                "lambda:DeleteFunction",
+                "lambda:GetAlias",
+                "lambda:GetFunction",
+                "lambda:GetFunctionConfiguration",
+                "lambda:GetPolicy",
+                "lambda:InvokeFunction",
+                "lambda:ListAliases",
+                "lambda:ListVersionsByFunction",
+                "lambda:PublishVersion",
+                "lambda:RemovePermission",
+                "lambda:UpdateAlias",
+                "lambda:UpdateEventSourceMapping",
+                "lambda:UpdateFunctionCode",
+                "lambda:UpdateFunctionConfiguration"
+            ],
+            "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
+        },
+        {
+            "Sid": "AllowLambdaRoleManagement",
+            "Effect": "Allow",
+            "Action": [
+                "iam:PassRole"
+            ],
+            "Resource": [
+                "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
+            ]
+        }
+    ]
+}
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
--- a/hacking/aws_config/testing_policies/ec2-policy.json
+++ b/hacking/aws_config/testing_policies/ec2-policy.json
@ -1,73 +0,0 @@
-{# Note that not all EC2 API Actions allow a specific resource #}
-{# See http://docs.aws.amazon.com/AWSEC2/latest/APIReference/ec2-api-permissions.html#ec2-api-unsupported-resource-permissions #}
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AllowUnspecifiedEC2Resource",
-            "Effect": "Allow",
-            "Action": [
-                "ec2:AllocateAddress",
-                "ec2:AssociateAddress",
-                "ec2:AssociateRouteTable",
-                "ec2:AssociateVpcCidrBlock",
-                "ec2:AssociateSubnetCidrBlock",
-                "ec2:CreateImage",
-                "ec2:AttachInternetGateway",
-                "ec2:CreateInternetGateway",
-                "ec2:CreateKeyPair",
-                "ec2:CreateNatGateway",
-                "ec2:CreateRoute",
-                "ec2:CreateRouteTable",
-                "ec2:CreateSecurityGroup",
-                "ec2:CreateSnapshot",
-                "ec2:CreateSubnet",
-                "ec2:CreateTags",
-                "ec2:CreateVpc",
-                "ec2:DeleteKeyPair",
-                "ec2:DeleteInternetGateway",
-                "ec2:DeleteNatGateway",
-                "ec2:DeleteSnapshot",
-                "ec2:DeleteSubnet",
-                "ec2:DeleteRoute",
-                "ec2:DeleteRouteTable",
-                "ec2:DeleteTags",
-                "ec2:DeleteVpc",
-                "ec2:DeleteTags",
-                "ec2:DeregisterImage",
-                "ec2:Describe*",
-                "ec2:DetachInternetGateway",
-                "ec2:DisassociateAddress",
-                "ec2:DisassociateRouteTable",
-                "ec2:ImportKeyPair",
-                "ec2:ModifyImageAttribute",
-                "ec2:ModifyVpcAttribute",
-                "ec2:RegisterImage",
-                "ec2:ReleaseAddress",
-                "ec2:ReplaceRouteTableAssociation"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "AllowSpecifiedEC2Resource",
-            "Effect": "Allow",
-            "Action": [
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:AuthorizeSecurityGroupEgress",
-                "ec2:CreateTags",
-                "ec2:DeleteRouteTable",
-                "ec2:DeleteSecurityGroup",
-                "ec2:RevokeSecurityGroupEgress",
-                "ec2:RevokeSecurityGroupIngress",
-                "ec2:RunInstances",
-                "ec2:TerminateInstances",
-                "ec2:UpdateSecurityGroupRuleDescriptionsIngress",
-                "ec2:UpdateSecurityGroupRuleDescriptionsEgress"
-            ],
-            "Resource": [
-                "arn:aws:ec2:{{aws_region}}::image/*",
-                "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
-            ]
-        }
-    ]
-}
--- a/hacking/aws_config/testing_policies/ecr-policy.json
+++ b/hacking/aws_config/testing_policies/ecr-policy.json
@ -1,28 +0,0 @@
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "UnspecifiedCodeRepositories",
-            "Effect": "Allow",
-            "Action": [
-                "ecr:DescribeRepositories",
-                "ecr:CreateRepository"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "SpecifiedCodeRepositories",
-            "Effect": "Allow",
-            "Action": [
-                "ecr:GetRepositoryPolicy",
-                "ecr:SetRepositoryPolicy",
-                "ecr:DeleteRepository",
-                "ecr:DeleteRepositoryPolicy",
-                "ecr:DeleteRepositoryPolicy"
-            ],
-            "Resource": [
-                "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
-            ]
-        }
-    ]
-}
--- a/hacking/aws_config/testing_policies/elb-policy.json
+++ b/hacking/aws_config/testing_policies/elb-policy.json
@ -1,31 +0,0 @@
-{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
-{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
-{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AllowLoadBalancerOperations",
-            "Effect": "Allow",
-            "Action": [
-                "elasticloadbalancing:ConfigureHealthCheck",
-                "elasticloadbalancing:CreateLoadBalancer",
-                "elasticloadbalancing:CreateLoadBalancerListeners",
-                "elasticloadbalancing:DeleteLoadBalancer",
-                "elasticloadbalancing:DeleteLoadBalancerListeners",
-                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
-                "elasticloadbalancing:DescribeInstanceHealth",
-                "elasticloadbalancing:DescribeLoadBalancerAttributes",
-                "elasticloadbalancing:DescribeLoadBalancerPolicies",
-                "elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
-                "elasticloadbalancing:DescribeLoadBalancerTags",
-                "elasticloadbalancing:DescribeLoadBalancers",
-                "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
-                "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
-                "elasticloadbalancing:ModifyLoadBalancerAttributes",
-                "elasticloadbalancing:RegisterInstancesWithLoadBalancer"
-            ],
-            "Resource": "*"
-        }
-    ]
-}
--- a/hacking/aws_config/testing_policies/lambda-policy.json
+++ b/hacking/aws_config/testing_policies/lambda-policy.json
@ -1,77 +0,0 @@
-{# Only certain lambda actions can be restricted to a specific resource #}
-{# http://docs.aws.amazon.com/lambda/latest/dg/lambda-api-permissions-ref.html #}
-{
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Sid": "AllowApiGateway",
-            "Effect": "Allow",
-            "Action": [
-                "apigateway:*"
-            ],
-            "Resource": [
-                "arn:aws:apigateway:{{aws_region}}::/*"
-            ]
-        },
-        {
-            "Sid": "AllowGetUserForLambdaCreation",
-            "Effect": "Allow",
-            "Action": [
-                "iam:GetUser"
-            ],
-            "Resource": [
-                "arn:aws:iam::{{aws_account}}:user/ansible_integration_tests"
-            ]
-        },
-        {
-            "Sid": "AllowLambdaManagementWithoutResource",
-            "Effect": "Allow",
-            "Action": [
-                "lambda:CreateEventSourceMapping",
-                "lambda:GetAccountSettings",
-                "lambda:GetEventSourceMapping",
-                "lambda:ListEventSourceMappings",
-                "lambda:ListFunctions",
-                "lambda:ListTags",
-                "lambda:TagResource",
-                "lambda:UntagResource"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "AllowLambdaManagementWithResource",
-            "Effect": "Allow",
-            "Action": [
-                "lambda:AddPermission",
-                "lambda:CreateAlias",
-                "lambda:CreateFunction",
-                "lambda:DeleteAlias",
-                "lambda:DeleteFunction",
-                "lambda:GetAlias",
-                "lambda:GetFunction",
-                "lambda:GetFunctionConfiguration",
-                "lambda:GetPolicy",
-                "lambda:InvokeFunction",
-                "lambda:ListAliases",
-                "lambda:ListVersionsByFunction",
-                "lambda:PublishVersion",
-                "lambda:RemovePermission",
-                "lambda:UpdateAlias",
-                "lambda:UpdateEventSourceMapping",
-                "lambda:UpdateFunctionCode",
-                "lambda:UpdateFunctionConfiguration"
-            ],
-            "Resource": "arn:aws:lambda:{{aws_region}}:{{aws_account}}:function:*"
-        },
-        {
-            "Sid": "AllowLambdaRoleManagement",
-            "Effect": "Allow",
-            "Action": [
-                "iam:PassRole"
-            ],
-            "Resource": [
-                "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role"
-            ]
-        }
-    ]
-}
--- a/hacking/aws_config/testing_policies/storage-policy.json
+++ b/hacking/aws_config/testing_policies/storage-policy.json