archive
/
ansible
mirror of https://github.com/ansible/ansible.git
1
0
Fork 0
Code Issues Projects Releases Wiki Activity

Remove ECS policies from AWS compute policy

Browse Source 
The compute policy was exceeding maximum size and contained
policies that already exist in ecs-policy.

Look up suitable AMIs rather than hardcode

We don't want to maintain multiple image IDs for multiple regions
so use ec2_ami_facts to set a suitable image ID

Improve exception handling
pull/41181/head
Will Thames 8 years ago
parent fbcd6f8a65
commit a60fe1946c
4 changed files with 15 additions and 57 deletions
Show Stats Download Patch File Download Diff File

46
hacking/aws_config/testing_policies/compute-policy.json
Unescape Escape View File

@ -109,29 +109,6 @@
"arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
]
},
{
"Sid": "UnspecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository"
],
"Resource": "*"
},
{
"Sid": "SpecifiedCodeRepositories",
"Effect": "Allow",
"Action": [
"ecr:GetRepositoryPolicy",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
]
},
{# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
{# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
{# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
@ -238,29 +215,6 @@
"arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
]
},
{
"Sid": "AllowECSManagement",
"Effect": "Allow",
"Action": [
"application-autoscaling:Describe*",
"application-autoscaling:PutScalingPolicy",
"application-autoscaling:RegisterScalableTarget",
"cloudwatch:DescribeAlarms",
"cloudwatch:PutMetricAlarm",
"ecs:CreateCluster",
"ecs:CreateService",
"ecs:DeleteCluster",
"ecs:DeleteService",
"ecs:Describe*",
"ecs:DeregisterTaskDefinition",
"ecs:List*",
"ecs:RegisterTaskDefinition",
"ecs:UpdateService"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowSESManagement",
"Effect": "Allow",

4
lib/ansible/modules/cloud/amazon/ecs_service.py
Unescape Escape View File

@ -523,7 +523,7 @@ def main():
network_configuration,
module.params['launch_type'])
except botocore.exceptions.ClientError as e:
module.fail_json(msg=e.message)
module.fail_json_aws(e, msg="Couldn't create service")
results['service'] = response
@ -548,7 +548,7 @@ def main():
module.params['cluster']
)
except botocore.exceptions.ClientError as e:
module.fail_json(msg=e.message)
module.fail_json_aws(e, msg="Couldn't delete service")
results['changed'] = True
elif module.params['state'] == 'deleting':

8
test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/defaults/main.yml
Unescape Escape View File

@ -1,11 +1,3 @@
# http://docs.aws.amazon.com/AmazonECS/latest/developerguide/ecs-optimized_AMI.html
# amzn-ami-2017.09.b-amazon-ecs-optimized
ecs_agent_images:
us-east-1: ami-71ef560b
us-east-2: ami-1b8ca37e
us-west-2: ami-d2f489aa
us-west-1: ami-6b81980b
ecs_cluster_name: "{{ resource_prefix }}"
user_data: |
#!/bin/bash

14
test/integration/targets/ecs_cluster/playbooks/roles/ecs_cluster/tasks/main.yml
Unescape Escape View File

@ -123,12 +123,24 @@
<<: *aws_connection_info
register: setup_sg
- name: find a suitable AMI
ec2_ami_facts:
owner: amazon
filters:
description: "Amazon Linux AMI* ECS *"
<<: *aws_connection_info
register: ec2_ami_facts
- name: set image id fact
set_fact:
ecs_image_id: "{{ (ec2_ami_facts.images|first).image_id }}"
- name: provision ec2 instance to create an image
ec2:
key_name: '{{ ec2_keypair|default(setup_key.key.name) }}'
instance_type: t2.micro
state: present
image: '{{ ecs_agent_images[aws_region] }}'
image: '{{ ecs_image_id }}'
wait: yes
user_data: "{{ user_data }}"
instance_profile_name: ecsInstanceRole

Write Preview
Loading…
Cancel
Save