From 7f4959768bc92eb0276828a231462a31121ff9c8 Mon Sep 17 00:00:00 2001
From: Kevin Fenzi
Date: Fri, 8 Nov 2019 00:12:57 +0000
Subject: [PATCH] aws policy: initial copies of json policy files.
Signed-off-by: Kevin Fenzi
---
 .../aws/iam/policies/fcos-builds-releng.json | 87 +++++++++++++++++++
 .../aws/iam/policies/fcos-poc-artifacts.json | 23 +++++
 files/aws/iam/policies/fcos-upload-amis.json | 39 +++++++++
 files/aws/iam/policies/fedora-centos-ec2.json | 51 +++++++++++
 files/aws/iam/policies/fedora-copr-ec2.json | 51 +++++++++++
 files/aws/iam/policies/fedora-infra-ec2.json | 45 ++++++++++
 .../policies/robosignatory-fcos-devel.json | 36 ++++++++
 7 files changed, 332 insertions(+)
 create mode 100644 files/aws/iam/policies/fcos-builds-releng.json
 create mode 100644 files/aws/iam/policies/fcos-poc-artifacts.json
 create mode 100644 files/aws/iam/policies/fcos-upload-amis.json
 create mode 100644 files/aws/iam/policies/fedora-centos-ec2.json
 create mode 100644 files/aws/iam/policies/fedora-copr-ec2.json
 create mode 100644 files/aws/iam/policies/fedora-infra-ec2.json
 create mode 100644 files/aws/iam/policies/robosignatory-fcos-devel.json
diff --git a/files/aws/iam/policies/fcos-builds-releng.json b/files/aws/iam/policies/fcos-builds-releng.json
new file mode 100644
index 0000000000..3ce6d2e77b
--- /dev/null
+++ b/files/aws/iam/policies/fcos-builds-releng.json
@@ -0,0 +1,87 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "s3:PutAnalyticsConfiguration",
+ "s3:GetObjectVersionTagging",
+ "s3:CreateBucket",
+ "s3:ReplicateObject",
+ "s3:GetObjectAcl",
+ "s3:GetBucketObjectLockConfiguration",
+ "s3:DeleteBucketWebsite",
+ "s3:PutLifecycleConfiguration",
+ "s3:GetObjectVersionAcl",
+ "s3:HeadBucket",
+ "s3:DeleteObject",
+ "s3:GetBucketPolicyStatus",
+ "s3:GetObjectRetention",
+ "s3:GetBucketWebsite",
+ "s3:ListJobs",
+ "s3:PutReplicationConfiguration",
+ "s3:PutObjectLegalHold",
+ "s3:GetObjectLegalHold",
+ "s3:GetBucketNotification",
+ "s3:PutBucketCORS",
+ "s3:GetReplicationConfiguration",
+ "s3:ListMultipartUploadParts",
+ "s3:PutObject",
+ "s3:GetObject",
+ "s3:PutBucketNotification",
+ "s3:DescribeJob",
+ "s3:PutBucketLogging",
+ "s3:GetAnalyticsConfiguration",
+ "s3:PutBucketObjectLockConfiguration",
+ "s3:GetObjectVersionForReplication",
+ "s3:CreateJob",
+ "s3:GetLifecycleConfiguration",
+ "s3:ListBucketByTags",
+ "s3:GetInventoryConfiguration",
+ "s3:GetBucketTagging",
+ "s3:PutAccelerateConfiguration",
+ "s3:DeleteObjectVersion",
+ "s3:GetBucketLogging",
+ "s3:ListBucketVersions",
+ "s3:RestoreObject",
+ "s3:ListBucket",
+ "s3:GetAccelerateConfiguration",
+ "s3:GetBucketPolicy",
+ "s3:PutEncryptionConfiguration",
+ "s3:GetEncryptionConfiguration",
+ "s3:GetObjectVersionTorrent",
+ "s3:AbortMultipartUpload",
+ "s3:GetBucketRequestPayment",
+ "s3:UpdateJobPriority",
+ "s3:GetObjectTagging",
+ "s3:GetMetricsConfiguration",
+ "s3:DeleteBucket",
+ "s3:PutBucketVersioning",
+ "s3:GetBucketPublicAccessBlock",
+ "s3:ListBucketMultipartUploads",
+ "s3:PutMetricsConfiguration",
+ "s3:UpdateJobStatus",
+ "s3:GetBucketVersioning",
+ "s3:GetBucketAcl",
+ "s3:PutInventoryConfiguration",
+ "s3:GetObjectTorrent",
+ "s3:GetAccountPublicAccessBlock",
+ "s3:PutBucketWebsite",
+ "s3:ListAllMyBuckets",
+ "s3:PutBucketRequestPayment",
+ "s3:PutObjectRetention",
+ "s3:GetBucketCORS",
+ "s3:GetBucketLocation",
+ "s3:ReplicateDelete",
+ "s3:GetObjectVersion"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "IpAddress": {
+ "aws:SourceIp": "209.132.181.102/32"
+ }
+ }
+ }
+ ]
+}
diff --git a/files/aws/iam/policies/fcos-poc-artifacts.json b/files/aws/iam/policies/fcos-poc-artifacts.json
new file mode 100644
index 0000000000..cdce0774c2
--- /dev/null
+++ b/files/aws/iam/policies/fcos-poc-artifacts.json
@@ -0,0 +1,23 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": "s3:PutObjectAcl",
+ "Resource": [
+ "arn:aws:s3:::fcos-builds/*",
+ "arn:aws:s3:::fcos-builds"
+ ]
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": "s3:*",
+ "Resource": [
+ "arn:aws:s3:::fcos-builds/*",
+ "arn:aws:s3:::fcos-builds"
+ ]
+ }
+ ]
+}
diff --git a/files/aws/iam/policies/fcos-upload-amis.json b/files/aws/iam/policies/fcos-upload-amis.json
new file mode 100644
index 0000000000..03999c6b09
--- /dev/null
+++ b/files/aws/iam/policies/fcos-upload-amis.json
@@ -0,0 +1,39 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ImportVolume",
+ "ec2:CreateTags",
+ "ec2:RegisterImage",
+ "ec2:CancelConversionTask",
+ "ec2:ImportSnapshot",
+ "ec2:CopyImage",
+ "ec2:ModifyImageAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeImportSnapshotTasks",
+ "ec2:DescribeImages",
+ "ec2:DeleteVolume",
+ "ec2:ModifySnapshotAttribute",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeImageAttribute",
+ "ec2:DescribeVolumes",
+ "ec2:CreateSnapshot",
+ "ec2:DescribeConversionTasks"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": "ec2:CreateTags",
+ "Resource": [
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*::image/*"
+ ]
+ }
+ ]
+}
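Review bot: Every enumerated S3 action in this statement — including `s3:DeleteBucket`, `s3:DeleteObjectVersion`, `s3:PutLifecycleConfiguration` and `s3:PutReplicationConfiguration` — is granted on `"Resource": "*"`, so the single `aws:SourceIp` condition is all that separates this principal from deleting or silently expiring any bucket in the account. Only `s3:ListAllMyBuckets` and `s3:GetAccountPublicAccessBlock` need `*`; the remaining actions should live in a second statement scoped to the bucket this releng job writes, presumably the `fcos-builds` bucket named in the sibling policies, i.e. `"Resource": ["arn:aws:s3:::fcos-builds", "arn:aws:s3:::fcos-builds/*"]`. Note that `IpAddress` (rather than `IpAddressIfExists`) denies requests that carry no source IP, such as those routed through a VPC endpoint, which is the safe direction but should be documented where this policy is attached since strict JSON cannot carry the comment.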
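Review bot: `"Action": "s3:*"` in VisualEditor1 grants bucket-management actions such as `s3:PutBucketPolicy`, `s3:PutBucketAcl`, `s3:PutBucketPublicAccessBlock` and `s3:DeleteBucket` on `fcos-builds`, so a leaked artifact-upload credential can make the bucket world-readable or delete it outright. The separate `s3:PutObjectAcl` statement suggests the intent was object-level access, and it is redundant once `s3:*` is present. Replace the wildcard with the object actions an uploader needs, e.g. `"Action": ["s3:PutObject", "s3:PutObjectAcl", "s3:GetObject", "s3:DeleteObject", "s3:ListBucket", "s3:AbortMultipartUpload", "s3:ListMultipartUploadParts"]`, and drop VisualEditor0.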
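Review bot: `ec2:ModifyImageAttribute`, `ec2:ModifySnapshotAttribute` and `ec2:DeleteVolume` are granted on `"Resource": "*"`, which reaches every AMI, snapshot and volume in the account rather than only the ones this uploader creates; the first two can set `launchPermission`/`createVolumePermission` to `all`, publishing unrelated images and snapshots. Since the policy already tags its snapshots and images through `ec2:CreateTags`, these three actions could be limited to resources carrying a tag the uploader sets, along the lines of the `ec2:ResourceTag/FedoraGroup` condition used by the fedora-*-ec2 policies in this same patch — the exact key and value need to match whatever the upload tooling applies. The VisualEditor1 statement is also redundant, because `ec2:CreateTags` on `*` in VisualEditor0 already covers both ARNs it lists.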
diff --git a/files/aws/iam/policies/fedora-centos-ec2.json b/files/aws/iam/policies/fedora-centos-ec2.json
new file mode 100644
index 0000000000..1aea024a24
--- /dev/null
+++ b/files/aws/iam/policies/fedora-centos-ec2.json
@@ -0,0 +1,51 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDescription",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "iam:PassRole",
+ "iam:ListInstanceProfiles",
+ "ec2:ImportKeyPair",
+ "ec2:CreateKeyPair",
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "AllowWhenOwnerOrUntagged",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:*"
+ ],
+ "Condition": {
+ "StringEqualsIfExists": {
+ "ec2:ResourceTag/FedoraGroup": [
+ "centos"
+ ]
+ }
+ },
+ "Resource": [
+ "arn:aws:ec2:*:*:capacity-reservation/*",
+ "arn:aws:ec2:*:*:elasticGpu/*",
+ "arn:aws:ec2:*::fpga-image/*",
+ "arn:aws:ec2:*::image/*",
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*:*:launch-template/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:placement-group/*",
+ "arn:aws:ec2:*:*:reserved-instances/*",
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*::spot-instance-request/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:subnet/*"
+ ]
+ }
+ ]
+}
diff --git a/files/aws/iam/policies/fedora-copr-ec2.json b/files/aws/iam/policies/fedora-copr-ec2.json
new file mode 100644
index 0000000000..09db7ce71f
--- /dev/null
+++ b/files/aws/iam/policies/fedora-copr-ec2.json
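Review bot: `iam:PassRole` is granted on `"Resource": ["*"]` in AllowDescription, so anyone holding this policy can launch an instance with any instance profile in the account — an administrative one included — and read its credentials from the instance metadata service, which bypasses the tag-scoped `ec2:*` statement below it. Move `iam:PassRole` into its own statement whose `Resource` lists only the role ARN(s) the centos group is meant to attach, and add `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}` so the role can be passed to EC2 only. `iam:ListInstanceProfiles` is read-only and can remain on `*`.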
@@ -0,0 +1,51 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "AllowDescription",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "iam:PassRole",
+ "iam:ListInstanceProfiles",
+ "ec2:ImportKeyPair",
+ "ec2:CreateKeyPair",
+ "ec2:CreateSecurityGroup"
+ ],
+ "Resource": [
+ "*"
+ ]
+ },
+ {
+ "Sid": "AllowWhenOwnerOrUntagged",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:*"
+ ],
+ "Condition": {
+ "StringEqualsIfExists": {
+ "ec2:ResourceTag/FedoraGroup": [
+ "copr"
+ ]
+ }
+ },
+ "Resource": [
+ "arn:aws:ec2:*:*:capacity-reservation/*",
+ "arn:aws:ec2:*:*:elasticGpu/*",
+ "arn:aws:ec2:*::fpga-image/*",
+ "arn:aws:ec2:*::image/*",
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*:*:launch-template/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:placement-group/*",
+ "arn:aws:ec2:*:*:reserved-instances/*",
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*::spot-instance-request/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*:*:subnet/*"
+ ]
+ }
+ ]
+}
diff --git a/files/aws/iam/policies/fedora-infra-ec2.json b/files/aws/iam/policies/fedora-infra-ec2.json
new file mode 100644
index 0000000000..24d608a686
--- /dev/null
+++ b/files/aws/iam/policies/fedora-infra-ec2.json
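Review bot: `StringEqualsIfExists` on `ec2:ResourceTag/FedoraGroup` makes `ec2:*` — `TerminateInstances`, `DeleteVolume`, `CreateTags` and `DeleteTags` included — apply to every listed resource type that simply carries no `FedoraGroup` tag, and nothing in this policy forces new instances or volumes to be tagged, so resources created by copr start out untagged and are equally reachable from the centos and infra copies of this policy (and a copr user can claim or strip the tag on any such resource). Add a statement on `ec2:RunInstances` and `ec2:CreateVolume` conditioned on `"StringEquals": {"aws:RequestTag/FedoraGroup": "copr"}`, and a `"Effect": "Deny"` on `ec2:DeleteTags` when `"ForAnyValue:StringEquals": {"aws:TagKeys": "FedoraGroup"}`, so ownership is set at creation and cannot be removed. The same gap exists in the centos and infra variants of this file.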
@@ -0,0 +1,45 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:Describe*",
+ "iam:PassRole",
+ "ec2:ImportKeyPair",
+ "ec2:CreateKeyPair",
+ "ec2:CreateSecurityGroup",
+ "iam:ListInstanceProfiles"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": "ec2:*",
+ "Resource": [
+ "arn:aws:ec2:*:*:subnet/*",
+ "arn:aws:ec2:*:*:elasticGpu/*",
+ "arn:aws:ec2:*:*:reserved-instances/*",
+ "arn:aws:ec2:*:*:launch-template/*",
+ "arn:aws:ec2:*::snapshot/*",
+ "arn:aws:ec2:*:*:security-group/*",
+ "arn:aws:ec2:*:*:placement-group/*",
+ "arn:aws:ec2:*:*:network-interface/*",
+ "arn:aws:ec2:*:*:capacity-reservation/*",
+ "arn:aws:ec2:*:*:key-pair/*",
+ "arn:aws:ec2:*::spot-instance-request/*",
+ "arn:aws:ec2:*:*:instance/*",
+ "arn:aws:ec2:*:*:volume/*",
+ "arn:aws:ec2:*::fpga-image/*",
+ "arn:aws:ec2:*::image/*"
+ ],
+ "Condition": {
+ "StringEqualsIfExists": {
+ "ec2:ResourceTag/FedoraGroup": "infra"
+ }
+ }
+ }
+ ]
+}
diff --git a/files/aws/iam/policies/robosignatory-fcos-devel.json b/files/aws/iam/policies/robosignatory-fcos-devel.json
new file mode 100644
index 0000000000..816757a5db
--- /dev/null
+++ b/files/aws/iam/policies/robosignatory-fcos-devel.json
@@ -0,0 +1,36 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "WriteToTestBucket",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketPublicAccessBlock",
+ "s3:PutObject",
+ "s3:GetObjectAcl",
+ "s3:GetObject",
+ "s3:GetBucketTagging",
+ "s3:GetObjectTagging",
+ "s3:ListBucket",
+ "s3:GetBucketAcl",
+ "s3:PutObjectAcl"
+ ],
+ "Resource": [
+ "arn:aws:s3:::*/*",
+ "arn:aws:s3:::robosig-dev-fcos-builds"
+ ]
+ },
+ {
+ "Sid": "ReadFromProdBucket",
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject",
+ "s3:ListBucket"
+ ],
+ "Resource": [
+ "arn:aws:s3:::*/*",
+ "arn:aws:s3:::fcos-builds"
+ ]
+ }
+ ]
+}
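Review bot: This copy uses `"Sid": "VisualEditor0"`/`"VisualEditor1"` and a different statement, action and ARN order from fedora-centos-ec2.json and fedora-copr-ec2.json, although the three policies are meant to differ only in the `FedoraGroup` value; aligning it textually (`"Sid": "AllowDescription"`, `"Sid": "AllowWhenOwnerOrUntagged"`, the same action and ARN ordering) lets a diff between the three files show the one intended difference and nothing else. Consider generating all three from one template with the group value as the only parameter instead of maintaining hand-edited copies, since drift between them is otherwise hard to spot in review. The unscoped `iam:PassRole` on `"Resource": "*"` and the `StringEqualsIfExists` allowance for untagged resources are present here as well and carry the same privilege-escalation risk.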
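Review bot: Both statements give the object ARN as `arn:aws:s3:::*/*`, which matches objects in every bucket in the account, not just `robosig-dev-fcos-builds` and `fcos-builds`; only `s3:ListBucket` is actually confined to the named buckets, while `s3:GetObject`, `s3:PutObject` and `s3:PutObjectAcl` (which can set `public-read`) work against any object anywhere, including writes into the production `fcos-builds` bucket from what is labelled a devel signing service. The object ARNs should be `"arn:aws:s3:::robosig-dev-fcos-builds/*"` in WriteToTestBucket and `"arn:aws:s3:::fcos-builds/*"` in ReadFromProdBucket. If `PutObjectAcl` is only needed to mark uploads public, a `"StringEquals": {"s3:x-amz-acl": "public-read"}` condition would further bound what the service can do with it.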