authorWill Thames <will@thames.id.au>2019-02-13 13:06:58 +1000
committerGitHub <noreply@github.com>2019-02-13 13:06:58 +1000
commit46fbcf08bc1998db821714ad65a2b271e4e74f89 (patch)
tree774951d7ba00b037ce9de0eaf44bab1fd277161e /hacking
parent1f3a74c0c82556a3ed435c55b901a6f43d599f8a (diff)
aws_kms enhancements (#31960)
* Allow creation and deletion of keys (deletion just schedules the key for deletion; recreating an old key just cancels its scheduled deletion)
* Allow grants to be set, thus enabling encryption contexts to be used with keys
* Allow tags to be added and modified
* Add testing for the KMS module
* Tidy up the aws_kms module to latest standards
Diffstat (limited to 'hacking')
-rw-r--r--hacking/aws_config/testing_policies/kms-policy.json54
1 files changed, 54 insertions, 0 deletions
diff --git a/hacking/aws_config/testing_policies/kms-policy.json b/hacking/aws_config/testing_policies/kms-policy.json
new file mode 100644
index 0000000000..0ddc760633
--- /dev/null
+++ b/hacking/aws_config/testing_policies/kms-policy.json
@@ -0,0 +1,54 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowAccessToUnspecifiedKMSResources",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListRoles",
+ "kms:CancelKeyDeletion",
+ "kms:CreateAlias",
+ "kms:CreateGrant",
+ "kms:CreateKey",
+ "kms:DeleteAlias",
+ "kms:Describe*",
+ "kms:DisableKey",
+ "kms:EnableKey",
+ "kms:GenerateRandom",
+ "kms:Get*",
+ "kms:List*",
+ "kms:RetireGrant",
+ "kms:ScheduleKeyDeletion",
+ "kms:TagResource",
+ "kms:UntagResource",
+ "kms:UpdateGrant",
+ "kms:UpdateKeyDescription"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "AllowAccessToSpecifiedIAMResources",
+ "Effect": "Allow",
+ "Action": [
+ "iam:CreateRole",
+ "iam:DeleteRole",
+ "iam:GetRole",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListInstanceProfilesForRole",
+ "iam:PassRole",
+ "iam:UpdateAssumeRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
+ },
+ {
+ "Sid": "AllowInstanceProfileCreation",
+ "Effect": "Allow",
+ "Action": [
+ "iam:AddRoleToInstanceProfile",
+ "iam:CreateInstanceProfile",
+ "iam:RemoveRoleFromInstanceProfile"
+ ],
+ "Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+ }
+ ]
+}
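Review bot: The first statement (`AllowAccessToUnspecifiedKMSResources`) grants key-mutating actions such as `kms:ScheduleKeyDeletion`, `kms:DisableKey`, `kms:CreateGrant` and `kms:UpdateGrant` on `"Resource": "*"`, so the test principal can disable, schedule for deletion, or grant usage of every key in the account, not only the ones the integration tests create; a misbehaving or compromised test run would have account-wide blast radius. Only `kms:CreateKey`, `kms:GenerateRandom`, the `kms:List*` calls and `iam:ListRoles` actually need `*`; the per-key actions could move to a second statement scoped to `arn:aws:kms:*:{{aws_account}}:key/*` with a tag condition that matches keys the tests create (the tag key/value below are placeholders; whether the key carries the tag at the moment of the first `TagResource`/`CreateGrant` call depends on the module's call order and should be confirmed before relying on it). Alias operations (`kms:CreateAlias`, `kms:DeleteAlias`) are evaluated against the alias ARN as well as the key, so they would need their own resource entry and are left in the wildcard statement here. The `{{aws_account}}` placeholders in the IAM resource ARNs presumably get rendered before the policy is applied; if not, the policy is applied with a literal, never-matching ARN and the IAM statements silently grant nothing.

```json
{
  "Sid": "AllowKeyMutationOnTestKeysOnly",
  "Effect": "Allow",
  "Action": [
    "kms:CancelKeyDeletion",
    "kms:CreateGrant",
    "kms:DisableKey",
    "kms:EnableKey",
    "kms:RetireGrant",
    "kms:ScheduleKeyDeletion",
    "kms:TagResource",
    "kms:UntagResource",
    "kms:UpdateGrant",
    "kms:UpdateKeyDescription"
  ],
  "Resource": "arn:aws:kms:*:{{aws_account}}:key/*",
  "Condition": {
    "StringEquals": { "aws:ResourceTag/<TEST_TAG_KEY>": "<TEST_TAG_VALUE>" }
  }
}
```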