author | Will Thames <will@thames.id.au> | 2019-06-25 23:54:03 +1000 |
---|---|---|
committer | Sloane Hertel <shertel@redhat.com> | 2019-06-25 09:54:03 -0400 |
commit | a09aa205e12ddcd6ca979c52ab719197f87d269d (patch) | |
tree | 5ba348f03f9008aba6580aab18dc7f25e086c904 /hacking | |
parent | 48af9bdfec638962fe2a6750a2949dd4c6fe267a (diff) | |
download | ansible-a09aa205e12ddcd6ca979c52ab719197f87d269d.tar.gz |
Fix RDS test suite and minor bugs revealed (#57940)
* Update testing policy to be correct for RDS test suite
* Create read replica in same region to avoid more permissions being
required
* Ensure modifying DB doesn't try to downgrade engine version
* Add tags to main test suite to limit number of tests run for problem
solving
Diffstat (limited to 'hacking')
-rw-r--r-- | hacking/aws_config/testing_policies/database-policy.json | 54 |
1 files changed, 31 insertions, 23 deletions
diff --git a/hacking/aws_config/testing_policies/database-policy.json b/hacking/aws_config/testing_policies/database-policy.json
index 673e108f39..472e6206c0 100644
--- a/hacking/aws_config/testing_policies/database-policy.json
+++ b/hacking/aws_config/testing_policies/database-policy.json
@@ -2,61 +2,69 @@
 "Version": "2012-10-17",
 "Statement": [
 {
- "Sid": "AllowRDSModuleTests",
+ "Action": "iam:CreateServiceLinkedRole",
+ "Effect": "Allow",
+ "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
+ "Condition": {
+ "StringLike": {
+ "iam:AWSServiceName":"rds.amazonaws.com"
+ }
+ }
+ },
+ {
+ "Sid": "AllowRDSReadEverywhere",
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBInstances",
- "rds:CreateDBInstance",
- "rds:ModifyDBInstance",
 "rds:ListTagsForResource",
- "rds:DeleteDBInstance"
+ "rds:DescribeDBInstances",
+ "rds:DescribeDBParameterGroups",
+ "rds:DescribeDBParameters",
+ "rds:DescribeDBSnapshots"
 ],
- "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-testing*"
- ]
+ "Resource": ["*"]
 },
 {
- "Sid": "AllowRDSInstanceManageOwnInstance",
+ "Sid": "AllowRDSModuleTests",
 "Effect": "Allow",
 "Action": [
+ "rds:AddTagsToResource",
 "rds:CreateDBInstance",
+ "rds:DeleteDBInstance",
 "rds:ModifyDBInstance",
- "rds:ListTagsForResource",
- "rds:DescribeDBInstances"
+ "rds:PromoteReadReplica",
+ "rds:RebootDBInstance",
+ "rds:RemoveTagsFromResource",
+ "rds:StartDBInstance",
+ "rds:StopDBInstance"
 ],
 "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
 ]
 },
 {
 "Sid": "AllowRDSSnapshotManageSnapshots",
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBSnapshots",
- "rds:DescribeDBInstances",
- "rds:DescribeDBSnapshots",
- "rds:DeleteDBInstance",
+ "rds:AddTagsToResource",
 "rds:CreateDBSnapshot",
+ "rds:DeleteDBInstance",
 "rds:DeleteDBSnapshot",
+ "rds:RemoveTagsFromResource",
 "rds:RestoreDBInstanceFromDBSnapshot",
 "rds:CreateDBInstanceReadReplica"
 ],
 "Resource": [
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:snapshot-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:rds-*",
- "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:rds-*"
- ]
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:snapshot:ansible-test*",
+ "arn:aws:rds:{{aws_region}}:{{aws_account}}:db:ansible-test*"
+ ]
 },
 {
 "Sid": "AllowRDSParameterGroupManagement",
 "Effect": "Allow",
 "Action": [
- "rds:DescribeDBParameterGroups",
- "rds:DescribeDBParameters",
 "rds:CreateDBParameterGroup",
 "rds:DeleteDBParameterGroup",
 "rds:ModifyDBParameterGroup",
- "rds:ListTagsForResource",
 "rds:AddTagsToResource",
 "rds:RemoveTagsFromResource"
 ], |
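Review bot: The new `AllowRDSReadEverywhere` statement sets `"Resource": ["*"]`, dropping the `{{aws_region}}`/`{{aws_account}}` scoping that the other RDS statements visible in this hunk keep, so the test credentials can read instance, snapshot, parameter-group and tag metadata for every RDS resource the account holds in any region. If the suite only reads in the test region (not verifiable from this hunk), `"Resource": ["arn:aws:rds:{{aws_region}}:{{aws_account}}:*"]` should still satisfy the unfiltered Describe calls while restoring that boundary. The added `iam:CreateServiceLinkedRole` statement is also the only one shown without a `Sid`, and it uses an account wildcard in `arn:aws:iam::*:role/...`; consider adding `"Sid": "AllowRDSServiceLinkedRoleCreation",` and using `{{aws_account}}` there for consistency. The `AllowRDSParameterGroupManagement` statement at the end of the hunk continues outside it.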