author | Will Thames <will@thames.id.au> | 2019-06-18 04:41:20 +1000 |
---|---|---|
committer | Jill R <4121322+jillr@users.noreply.github.com> | 2019-06-17 11:41:20 -0700 |
commit | 924352a051b797b0e8eabec1966b9d985f2ca9b8 (patch) | |
tree | 02e93b81d34eabc9fa7d5ea506b6f0d1cd47af53 /hacking | |
parent | 7751e97e1e387f977555bd794b56c85da77625e0 (diff) | |
download | ansible-924352a051b797b0e8eabec1966b9d985f2ca9b8.tar.gz |
ecs_cluster test suite refactor (#57716)
* Combine testing policies
Because of the maximum of 10 policies per group, we need to
consolidate testing policies as best we can.
* Tidy put-account-setting tasks and add permission
Using `environment` and `command` rather than `shell` avoids the
need for `no_log` and means that people can fix the problem
* refactor ecs_cluster test suite
move from runme.sh technique to virtualenv
use ec2_instance rather than ec2 module to
avoid need for boto
Diffstat (limited to 'hacking')
8 files changed, 82 insertions, 136 deletions
diff --git a/hacking/aws_config/testing_policies/container-policy.json b/hacking/aws_config/testing_policies/container-policy.json
index 4bf60a80b2..d14deacf84 100644
--- a/hacking/aws_config/testing_policies/container-policy.json
+++ b/hacking/aws_config/testing_policies/container-policy.json
@@ -39,6 +39,7 @@
 "ecs:DeregisterTaskDefinition",
 "ecs:Describe*",
 "ecs:List*",
+ "ecs:PutAccountSetting",
 "ecs:RegisterTaskDefinition",
 "ecs:RunTask",
 "ecs:StartTask",
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
index e74f857b65..673e108f39 100644
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
@@ -63,6 +63,21 @@
 "Resource": [
 "arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*"
 ]
+ },
+ {
+ "Sid": "AllowRedshiftManagment",
+ "Action": [
+ "redshift:CreateCluster",
+ "redshift:CreateTags",
+ "redshift:DeleteCluster",
+ "redshift:DeleteTags",
+ "redshift:DescribeClusters",
+ "redshift:DescribeTags",
+ "redshift:ModifyCluster",
+ "redshift:RebootCluster"
+ ],
+ "Effect": "Allow",
+ "Resource": "*"
 }
 ]
 }
diff --git a/hacking/aws_config/testing_policies/efs-policy.json b/hacking/aws_config/testing_policies/efs-policy.json
deleted file mode 100644
index 2c4c52922d..0000000000
--- a/hacking/aws_config/testing_policies/efs-policy.json
+++ /dev/null
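Review bot: The moved AllowRedshiftManagment statement grants the mutating actions (`redshift:DeleteCluster`, `redshift:ModifyCluster`, `redshift:RebootCluster`) on `"Resource": "*"`, while the RDS statement directly above it in the context is scoped to `arn:aws:rds:{{aws_region}}:{{aws_account}}:pg:*`. Since the consolidation already rewrites this statement, it is a good moment to scope the mutators to the test clusters, e.g. `"Resource": "arn:aws:redshift:{{aws_region}}:{{aws_account}}:cluster:<TEST_CLUSTER_PREFIX>*"`, keeping `"*"` only for the Describe calls if those do not support resource-level restriction. The Sid misspelling `AllowRedshiftManagment` is carried over verbatim from the deleted redshift-policy.json; if it is ever to be renamed, doing it while the statement is new to this file avoids a second churn. The enclosing Statement array starts outside the hunk.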
@@ -1,36 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "ManageNetwork",
- "Effect": "Allow",
- "Action": [
- "ec2:CreateNetworkInterface",
- "ec2:CreateSubnet",
- "ec2:CreateTags",
- "ec2:CreateVpc",
- "ec2:DeleteNetworkInterface",
- "ec2:DeleteSubnet",
- "ec2:DeleteVpc",
- "ec2:DescribeNetworkInterfaceAttribute",
- "ec2:DescribeNetworkInterfaces",
- "ec2:DescribeSecurityGroups",
- "ec2:DescribeSubnets",
- "ec2:DescribeTags",
- "ec2:DescribeVpcAttribute",
- "ec2:DescribeVpcClassicLink",
- "ec2:DescribeVpcs",
- "ec2:ModifyVpcAttribute"
- ],
- "Resource": "*"
- },
- {
- "Sid": "ManageEFS",
- "Effect": "Allow",
- "Action": [
- "elasticfilesystem:*"
- ],
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/kms-policy.json b/hacking/aws_config/testing_policies/kms-policy.json
deleted file mode 100644
index 0ddc760633..0000000000
--- a/hacking/aws_config/testing_policies/kms-policy.json
+++ /dev/null
@@ -1,54 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowAccessToUnspecifiedKMSResources",
- "Effect": "Allow",
- "Action": [
- "iam:ListRoles",
- "kms:CancelKeyDeletion",
- "kms:CreateAlias",
- "kms:CreateGrant",
- "kms:CreateKey",
- "kms:DeleteAlias",
- "kms:Describe*",
- "kms:DisableKey",
- "kms:EnableKey",
- "kms:GenerateRandom",
- "kms:Get*",
- "kms:List*",
- "kms:RetireGrant",
- "kms:ScheduleKeyDeletion",
- "kms:TagResource",
- "kms:UntagResource",
- "kms:UpdateGrant",
- "kms:UpdateKeyDescription"
- ],
- "Resource": "*"
- },
- {
- "Sid": "AllowAccessToSpecifiedIAMResources",
- "Effect": "Allow",
- "Action": [
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:GetRole",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:PassRole",
- "iam:UpdateAssumeRolePolicy"
- ],
- "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
- },
- {
- "Sid": "AllowInstanceProfileCreation",
- "Effect": "Allow",
- "Action": [
- "iam:AddRoleToInstanceProfile",
- "iam:CreateInstanceProfile",
- "iam:RemoveRoleFromInstanceProfile"
- ],
- "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/redshift-policy.json b/hacking/aws_config/testing_policies/redshift-policy.json
deleted file mode 100644
index bb73cef802..0000000000
--- a/hacking/aws_config/testing_policies/redshift-policy.json
+++ /dev/null
@@ -1,20 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowRedshiftManagment",
- "Action": [
- "redshift:CreateCluster",
- "redshift:CreateTags",
- "redshift:DeleteCluster",
- "redshift:DeleteTags",
- "redshift:DescribeClusters",
- "redshift:DescribeTags",
- "redshift:ModifyCluster",
- "redshift:RebootCluster"
- ],
- "Effect": "Allow",
- "Resource": "*"
- }
- ]
-}
diff --git a/hacking/aws_config/testing_policies/security-policy.json b/hacking/aws_config/testing_policies/security-policy.json
index aa172d9c1c..2cb253bf4a 100644
--- a/hacking/aws_config/testing_policies/security-policy.json
+++ b/hacking/aws_config/testing_policies/security-policy.json
@@ -63,7 +63,6 @@
 "Effect": "Allow",
 "Sid": "AllowReplacementOfSpecificInstanceProfiles"
 },
-
 {
 "Sid": "AllowWAFusage",
 "Action": "waf:*",
@@ -93,10 +92,66 @@
 ]
 },
 {
- "Sid": "AllowWAFRegionalusage",
- "Action": "waf-regional:*",
+ "Sid": "AllowSTSAnsibleTests",
+ "Action": [
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:DetachRolePolicy",
+ "sts:AssumeRole",
+ "iam:AttachRolePolicy",
+ "iam:CreateInstanceProfile"
+ ],
 "Effect": "Allow",
+ "Resource": [
+ "arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
+ "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
+ ]
+ },
+ {
+ "Sid": "AllowAccessToUnspecifiedKMSResources",
+ "Effect": "Allow",
+ "Action": [
+ "kms:CancelKeyDeletion",
+ "kms:CreateAlias",
+ "kms:CreateGrant",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:Describe*",
+ "kms:DisableKey",
+ "kms:EnableKey",
+ "kms:GenerateRandom",
+ "kms:Get*",
+ "kms:List*",
+ "kms:RetireGrant",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:UpdateGrant",
+ "kms:UpdateKeyDescription"
+ ],
 "Resource": "*"
+ },
+ {
+ "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:GetRole",
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
+ },
+ {
+ "Sid": "AllowInstanceProfileCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
 }
 ]
 }
diff --git a/hacking/aws_config/testing_policies/storage-policy.json b/hacking/aws_config/testing_policies/storage-policy.json
index 873bc7f00b..06fbf0069e 100644
--- a/hacking/aws_config/testing_policies/storage-policy.json
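Review bot: The `AllowWAFRegionalusage` statement (`"Action": "waf-regional:*"`) is removed in the second hunk with no replacement anywhere in the diff, and the commit message only describes consolidating policies; if the waf_regional tests still run, this silently drops their permission, so either restore the statement or call the removal out in the message. The consolidated statements also lose actions that the deleted files granted: `iam:ListRoles` from kms-policy.json's AllowAccessToUnspecifiedKMSResources, `iam:ListAttachedRolePolicies` and `iam:ListInstanceProfilesForRole` from its AllowAccessToSpecifiedIAMResources, and `iam:Get*`/`iam:List*` from sts-policy.json's AllowSTSAnsibleTests. These may be covered by another statement in security-policy.json outside the hunk (the first hunk's context shows an IAM-related Sid), but that is not visible here and is worth confirming before merge. The enclosing Statement array starts outside the hunk.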
+++ b/hacking/aws_config/testing_policies/storage-policy.json
@@ -37,6 +37,14 @@
 ],
 "Effect": "Allow",
 "Resource": "*"
+ },
+ {
+ "Sid": "ManageEFS",
+ "Effect": "Allow",
+ "Action": [
+ "elasticfilesystem:*"
+ ],
+ "Resource": "*"
 }
 ]
 }
diff --git a/hacking/aws_config/testing_policies/sts-policy.json b/hacking/aws_config/testing_policies/sts-policy.json
deleted file mode 100644
index ba955548ee..0000000000
--- a/hacking/aws_config/testing_policies/sts-policy.json
+++ /dev/null
@@ -1,23 +0,0 @@
-{
- "Version": "2012-10-17",
- "Statement": [
- {
- "Sid": "AllowSTSAnsibleTests",
- "Action": [
- "iam:Get*",
- "iam:List*",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DetachRolePolicy",
- "sts:AssumeRole",
- "iam:AttachRolePolicy",
- "iam:CreateInstanceProfile"
- ],
- "Effect": "Allow",
- "Resource": [
- "arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
- "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
- ]
- }
- ]
-}
|
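Review bot: `ManageEFS` is moved here verbatim, but its companion `ManageNetwork` statement from the deleted efs-policy.json (the `ec2:CreateVpc`, `ec2:CreateSubnet`, `ec2:CreateNetworkInterface` family) does not reappear anywhere in this diff, so the EFS tests now depend on those ec2 actions being granted by a policy not shown here; confirm that before merge or carry the statement over as well. The moved statement also keeps `"Action": ["elasticfilesystem:*"]` on `"Resource": "*"`; if the wildcard is genuinely needed for the test suite, a line in the commit message saying so would help the next person who trims these policies, otherwise a narrower action list is preferable. The enclosing Statement array starts outside the hunk.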