Fix EC2 test suite to work with testing policies (#44387)

* Update testing policies to ensure all required permissions are present
* Tidy up security policies to reduce duplicate permissions
* Make roles static so that they can be present before CI is run,
  meaning that role creation permission is not required by the CI
  itself, only by someone setting up the roles prior to testing
* Move contents of cloudfront policy to network policy to ensure policy
  count (maximum of 10) stays low
* Maintain compute policy below 6144 bytes
Will Thames 2019-07-05 05:25:19 +10:00 committed by Sloane Hertel
parent 6cf722fed6
commit 60fb9fc208
14 changed files with 125 additions and 157 deletions


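--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -52,3 +52,4 @@
 state: present
 managed_policy: "{{ iam_managed_policies | json_query('results[].policy.policy_name') }}"
 profile: "{{ profile|default(omit) }}"
+purge_policy: yes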
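Review bot: `purge_policy: yes` relies on a YAML 1.1 truthy value; the tool-neutral spelling is `purge_policy: true`, which yamllint's truthy rule and a 1.2 parser both accept. Purging is the right choice here, since it makes the role's attached policies exactly the `iam_managed_policies` set on the line above and removes any attachment drift between CI runs. The task this option belongs to starts before the hunk, so its name and module are not visible here.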


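--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,29 +0,0 @@
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "AllowCloudfrontUsage",
-"Effect": "Allow",
-"Action": [
-"cloudfront:CreateDistribution",
-"cloudfront:CreateDistributionWithTags",
-"cloudfront:CreateCloudFrontOriginAccessIdentity",
-"cloudfront:DeleteDistribution",
-"cloudfront:GetDistribution",
-"cloudfront:GetStreamingDistribution",
-"cloudfront:GetDistributionConfig",
-"cloudfront:GetStreamingDistributionConfig",
-"cloudfront:GetInvalidation",
-"cloudfront:ListDistributions",
-"cloudfront:ListDistributionsByWebACLId",
-"cloudfront:ListInvalidations",
-"cloudfront:ListStreamingDistributions",
-"cloudfront:ListTagsForResource",
-"cloudfront:TagResource",
-"cloudfront:UntagResource",
-"cloudfront:UpdateDistribution"
-],
-"Resource": "*"
-}
-]
-}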


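--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -43,6 +43,7 @@
 "ec2:AssociateSubnetCidrBlock",
 "ec2:AttachInternetGateway",
 "ec2:AttachNetworkInterface",
+"ec2:AttachVolume",
 "ec2:AttachVpnGateway",
 "ec2:CreateCustomerGateway",
 "ec2:CreateDhcpOptions",
@@ -50,6 +51,7 @@
 "ec2:CreateInternetGateway",
 "ec2:CreateKeyPair",
 "ec2:CreateNatGateway",
+"ec2:CreateNetworkInterface",
 "ec2:CreateRoute",
 "ec2:CreateRouteTable",
 "ec2:CreateSecurityGroup",
@@ -64,6 +66,7 @@
 "ec2:DeleteInternetGateway",
 "ec2:DeleteKeyPair",
 "ec2:DeleteNatGateway",
+"ec2:DeleteNetworkInterface",
 "ec2:DeleteRoute",
 "ec2:DeleteRouteTable",
 "ec2:DeleteSnapshot",
@@ -87,6 +90,7 @@
 "ec2:RegisterImage",
 "ec2:ReleaseAddress",
 "ec2:ReplaceRouteTableAssociation",
+"ec2:ReplaceIamInstanceProfileAssociation",
 "ec2:ReportInstanceStatus"
 ],
 "Resource": "*"
@@ -135,10 +139,7 @@
 "elasticloadbalancing:DeleteTargetGroup",
 "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
 "elasticloadbalancing:DescribeInstanceHealth",
-"elasticloadbalancing:DescribeLoadBalancerAttributes",
-"elasticloadbalancing:DescribeLoadBalancerPolicies",
-"elasticloadbalancing:DescribeLoadBalancerPolicyTypes",
-"elasticloadbalancing:DescribeLoadBalancers",
+"elasticloadbalancing:DescribeLoadBalancer*",
 "elasticloadbalancing:DescribeTags",
 "elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
 "elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
@@ -177,9 +178,7 @@
 "lambda:CreateEventSourceMapping",
 "lambda:GetAccountSettings",
 "lambda:GetEventSourceMapping",
-"lambda:ListEventSourceMappings",
-"lambda:ListFunctions",
-"lambda:ListTags",
+"lambda:List*",
 "lambda:TagResource",
 "lambda:UntagResource"
 ],
@@ -199,8 +198,6 @@
 "lambda:GetFunctionConfiguration",
 "lambda:GetPolicy",
 "lambda:InvokeFunction",
-"lambda:ListAliases",
-"lambda:ListVersionsByFunction",
 "lambda:PublishVersion",
 "lambda:RemovePermission",
 "lambda:UpdateAlias",
@@ -219,6 +216,7 @@
 "Resource": [
 "arn:aws:iam::{{aws_account}}:role/ansible_lambda_role",
 "arn:aws:iam::{{aws_account}}:role/ecsInstanceRole",
+"arn:aws:iam::{{aws_account}}:role/ec2InstanceRole",
 "arn:aws:iam::{{aws_account}}:role/ecsServiceRole",
 "arn:aws:iam::{{aws_account}}:role/aws_eks_cluster_role",
 "arn:aws:iam::{{aws_account}}:role/ecsTaskExecutionRole"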
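Review bot: `ec2:ReplaceIamInstanceProfileAssociation` (fourth hunk) lands in a statement whose `"Resource": "*"` is visible three lines below it, so the CI principal may swap the instance profile on any instance in the account rather than only on instances the tests created; the blast radius is then bounded only by which roles can be passed, a list the last hunk extends with `ec2InstanceRole`. If the test instances carry a predictable tag, moving this action (and the new `ec2:AttachVolume`) into its own statement with an `ec2:ResourceTag/<tag-key>` condition would keep it to test instances — whether such a tag exists is not visible here. The `elasticloadbalancing:DescribeLoadBalancer*` and `lambda:List*` wildcards replace only read-only actions, so collapsing them is an acceptable way to keep the policy under the size limit the description mentions. Every statement these hunks touch begins and ends outside the hunks.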


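--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -46,6 +46,7 @@
 "ecs:StopTask",
 "ecs:UpdateService",
 "elasticloadbalancing:Describe*",
+"iam:GetInstanceProfile",
 "iam:GetPolicy",
 "iam:GetPolicyVersion",
 "iam:GetRole",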


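--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -86,6 +86,17 @@
 ],
 "Effect": "Allow",
 "Resource": "*"
+},
+{
+"Sid": "DMSEndpoints",
+"Effect": "Allow",
+"Action": [
+"dms:CreateEndpoint",
+"dms:DeleteEndpoint",
+"dms:DescribeEndpoints",
+"dms:ModifyEndpoint"
+],
+"Resource": ["*"]
 }
 ]
 }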
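Review bot: The new `DMSEndpoints` statement writes `"Resource": ["*"]` while the statement directly above it in the hunk uses `"Resource": "*"`; both are valid IAM, but one form should be used throughout the file, so `"Resource": "*"` here. As written the statement allows creating, modifying and deleting any DMS endpoint in the account, not only ones the tests create; if the DMS tests name their endpoints with the test prefix, narrowing the delete/modify actions to those ARNs is worth a follow-up, subject to what DMS supports at the resource level, which is not something this hunk shows.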


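--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,17 +0,0 @@
-{
-"Version": "2012-10-17",
-"Statement": [
-{
-"Sid": "AllowAccessToServerCertificates",
-"Effect": "Allow",
-"Action": [
-"iam:ListServerCertificates",
-"iam:UploadServerCertificate",
-"iam:UpdateServerCertificate",
-"iam:DeleteServerCertificate",
-"iam:GetServerCertificate"
-],
-"Resource": "*"
-}
-]
-}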


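--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -22,6 +22,30 @@
 "ec2:DescribeTransitGateways"
 ],
 "Resource": "*"
+},
+{
+"Sid": "AllowCloudfrontUsage",
+"Effect": "Allow",
+"Action": [
+"cloudfront:CreateDistribution",
+"cloudfront:CreateDistributionWithTags",
+"cloudfront:CreateCloudFrontOriginAccessIdentity",
+"cloudfront:DeleteDistribution",
+"cloudfront:GetDistribution",
+"cloudfront:GetStreamingDistribution",
+"cloudfront:GetDistributionConfig",
+"cloudfront:GetStreamingDistributionConfig",
+"cloudfront:GetInvalidation",
+"cloudfront:ListDistributions",
+"cloudfront:ListDistributionsByWebACLId",
+"cloudfront:ListInvalidations",
+"cloudfront:ListStreamingDistributions",
+"cloudfront:ListTagsForResource",
+"cloudfront:TagResource",
+"cloudfront:UntagResource",
+"cloudfront:UpdateDistribution"
+],
+"Resource": "*"
 }
 ]
 }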
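Review bot: The `AllowCloudfrontUsage` statement arrives in this policy verbatim from the deleted cloudfront policy, including `"Resource": "*"` on the create/update/delete/tag actions, so the move does not change what the CI may do. Since the whole statement is being relocated anyway, this would have been a cheap moment to split it: keep the `List*` actions on `*` and put the distribution-specific actions on `arn:aws:cloudfront::{{aws_account}}:distribution/*` (and the origin-access-identity action on its own ARN form), to the extent CloudFront honours resource-level ARNs for each of them — something to verify against the service documentation rather than this hunk. The preceding statement in this hunk also uses `*`, so the file stays internally consistent either way.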


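--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -33,7 +33,9 @@
 "iam:CreateRole",
 "iam:DeleteRole",
 "iam:DetachRolePolicy",
-"iam:PassRole"
+"iam:PassRole",
+"iam:UpdateAssumeRolePolicy",
+"sts:AssumeRole"
 ],
 "Resource": "arn:aws:iam::{{ aws_account }}:role/ansible-test-*",
 "Effect": "Allow",
@@ -91,22 +93,6 @@
 "arn:aws:logs:{{aws_region}}:{{aws_account}}:log-group:ansible-testing*"
 ]
 },
-{
-"Sid": "AllowSTSAnsibleTests",
-"Action": [
-"iam:CreateRole",
-"iam:DeleteRole",
-"iam:DetachRolePolicy",
-"sts:AssumeRole",
-"iam:AttachRolePolicy",
-"iam:CreateInstanceProfile"
-],
-"Effect": "Allow",
-"Resource": [
-"arn:aws:iam::{{aws_account}}:role/ansible-test-sts-*",
-"arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-sts-*"
-]
-},
 {
 "Sid": "AllowAccessToUnspecifiedKMSResources",
 "Effect": "Allow",
@@ -132,26 +118,13 @@
 "Resource": "*"
 },
 {
-"Sid": "AllowAccessToSpecifiedIAMResources",
+"Sid": "AllowAccessToServerCertificates",
 "Effect": "Allow",
 "Action": [
-"iam:CreateRole",
-"iam:DeleteRole",
-"iam:GetRole",
-"iam:PassRole",
-"iam:UpdateAssumeRolePolicy"
+"iam:ListServerCertificates",
+"iam:UploadServerCertificate"
 ],
-"Resource": "arn:aws:iam::{{aws_account}}:role/ansible-test-*"
-},
-{
-"Sid": "AllowInstanceProfileCreation",
-"Effect": "Allow",
-"Action": [
-"iam:AddRoleToInstanceProfile",
-"iam:CreateInstanceProfile",
-"iam:RemoveRoleFromInstanceProfile"
-],
-"Resource": "arn:aws:iam::{{aws_account}}:instance-profile/ansible-test-*"
+"Resource": "*"
 }
 ]
 }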
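Review bot: The first hunk adds `sts:AssumeRole` and `iam:UpdateAssumeRolePolicy` to the statement that already holds `iam:CreateRole` and `iam:DeleteRole` on `arn:aws:iam::{{ aws_account }}:role/ansible-test-*`, so the CI principal may now assume any role it can itself create and whose trust policy it can itself rewrite; the removed `AllowSTSAnsibleTests` statement kept AssumeRole on the narrower `ansible-test-sts-*` prefix, and that separation is lost here. The effective privilege of the CI then becomes whatever can be attached to such a role, which depends on whether `iam:AttachRolePolicy` is in the part of this statement above the hunk (not visible) and on whether a permissions boundary is enforced. The usual mitigation is a `"Condition": {"StringEquals": {"iam:PermissionsBoundary": "arn:aws:iam::{{ aws_account }}:policy/<boundary-policy-name>"}}` on the CreateRole/UpdateAssumeRolePolicy statement, or keeping assumable roles on a distinct prefix as before. Separately, the renamed `AllowAccessToServerCertificates` statement in the last hunk keeps only List and Upload, whereas the deleted standalone policy also had `iam:DeleteServerCertificate`; if any test uploads a certificate it will no longer be able to remove it, which I can only infer from these hunks.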


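--- a/PATH_NOT_SHOWN_ON_PAGE
+++ b/PATH_NOT_SHOWN_ON_PAGE
@@ -1,3 +1,4 @@
 dependencies:
 - prepare_tests
 - setup_ec2
+- setup_remote_tmp_dir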


@ -1,6 +0,0 @@
- hosts: localhost
connection: local
environment: "{{ ansible_test.environment }}"
roles:
- ec2_instance


@ -1,47 +0,0 @@
- hosts: localhost
connection: local
environment: "{{ ansible_test.environment }}"
vars:
resource_prefix: 'ansible-testing'
tasks:
- block:
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: True
- name: Include vars file in {{ playbook_dir }}../defaults/main.yml
include_vars:
file: '{{ playbook_dir }}/../defaults/main.yml'
- name: create t3.nano with cpu options (fails gracefully)
ec2_instance:
state: present
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
image_id: "{{ ec2_ami_image[aws_region] }}"
instance_type: t3.nano
cpu_options:
core_count: 1
threads_per_core: 1
<<: *aws_connection_info
register: ec2_instance_cpu_options_creation
ignore_errors: yes
- name: check that graceful error message is returned when creation with cpu_options and old botocore
assert:
that:
- ec2_instance_cpu_options_creation.failed
- 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"'
always:
- name: cleanup c4.large in case graceful failure was in fact a graceful success
ec2_instance:
state: absent
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
<<: *aws_connection_info
ignore_errors: yes


@ -1,15 +0,0 @@
#!/usr/bin/env bash
set -eux
export ANSIBLE_ROLES_PATH=../../targets/
# Test graceful failure for older versions of botocore
source virtualenv.sh
pip install 'botocore<1.10.16' 'boto3<1.7.16'
ansible-playbook -v playbooks/version_fail.yml "$@"
# Run full test suite
source virtualenv.sh
pip install 'botocore>=1.10.16' boto3
ansible-playbook -v playbooks/full_test.yml "$@"


@ -8,6 +8,43 @@
- block: - block:
- set_fact:
virtualenv: "{{ remote_tmp_dir }}/virtualenv"
virtualenv_command: "{{ ansible_python_interpreter }} -m virtualenv"
- set_fact:
virtualenv_interpreter: "{{ virtualenv }}/bin/python"
- pip:
name: virtualenv
- pip:
name:
- 'botocore<1.10.16'
- boto3
- coverage
virtualenv: "{{ virtualenv }}"
virtualenv_command: "{{ virtualenv_command }}"
virtualenv_site_packages: no
- include_tasks: version_fail.yml
vars:
ansible_python_interpreter: "{{ virtualenv_interpreter }}"
- file:
path: "{{ virtualenv }}"
state: absent
- pip:
name:
- 'botocore>=1.10.16'
- boto3
- coverage
virtualenv: "{{ virtualenv }}"
virtualenv_command: "{{ virtualenv_command }}"
virtualenv_site_packages: no
- include_tasks: env_setup.yml - include_tasks: env_setup.yml
- include_tasks: cpu_options.yml - include_tasks: cpu_options.yml
- include_tasks: termination_protection.yml - include_tasks: termination_protection.yml
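Review bot: The first `pip` task into the virtualenv lists `'botocore<1.10.16'` next to an unpinned `boto3`, whereas the shell script this replaces installed `'botocore<1.10.16' 'boto3<1.7.16'` together; a current boto3 requires a newer botocore, so depending on pip's resolver the venv can end up with botocore at or above 1.10.16 and the `version_fail.yml` tasks included just after would no longer hit the graceful-failure path they assert on. Change that entry to `- 'boto3<1.7.16'` for the first install only; the second install after the `file: state: absent` step is correctly unpinned. As a matter of style, `virtualenv_site_packages: no` reads better as `false`, and none of the new `set_fact`/`pip`/`file` tasks carries a `name:`, which makes failures in this block hard to locate in play output. The enclosing `block:` starts before the hunk and continues after it.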


@ -0,0 +1,36 @@
- block:
- name: set up aws connection info
set_fact:
aws_connection_info: &aws_connection_info
aws_access_key: "{{ aws_access_key }}"
aws_secret_key: "{{ aws_secret_key }}"
security_token: "{{ security_token }}"
region: "{{ aws_region }}"
no_log: True
- name: create t3.nano with cpu options (fails gracefully)
ec2_instance:
state: present
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
image_id: "{{ ec2_ami_image[aws_region] }}"
instance_type: t3.nano
cpu_options:
core_count: 1
threads_per_core: 1
<<: *aws_connection_info
register: ec2_instance_cpu_options_creation
ignore_errors: yes
- name: check that graceful error message is returned when creation with cpu_options and old botocore
assert:
that:
- ec2_instance_cpu_options_creation.failed
- 'ec2_instance_cpu_options_creation.msg == "cpu_options is only supported with botocore >= 1.10.16"'
always:
- name: cleanup t3.nano in case graceful failure was in fact a graceful success
ec2_instance:
state: absent
name: "ansible-test-{{ resource_prefix | regex_search('([0-9]+)$') }}-ec2"
<<: *aws_connection_info
ignore_errors: yes