aws policy: initial copies of json policy files.

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
Kevin Fenzi 2019-11-08 00:12:57 +00:00 committed by Pierre-Yves Chibon
parent f6c6852d5c
commit 7f4959768b
7 changed files with 332 additions and 0 deletions


@ -0,0 +1,87 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"s3:PutAnalyticsConfiguration",
"s3:GetObjectVersionTagging",
"s3:CreateBucket",
"s3:ReplicateObject",
"s3:GetObjectAcl",
"s3:GetBucketObjectLockConfiguration",
"s3:DeleteBucketWebsite",
"s3:PutLifecycleConfiguration",
"s3:GetObjectVersionAcl",
"s3:HeadBucket",
"s3:DeleteObject",
"s3:GetBucketPolicyStatus",
"s3:GetObjectRetention",
"s3:GetBucketWebsite",
"s3:ListJobs",
"s3:PutReplicationConfiguration",
"s3:PutObjectLegalHold",
"s3:GetObjectLegalHold",
"s3:GetBucketNotification",
"s3:PutBucketCORS",
"s3:GetReplicationConfiguration",
"s3:ListMultipartUploadParts",
"s3:PutObject",
"s3:GetObject",
"s3:PutBucketNotification",
"s3:DescribeJob",
"s3:PutBucketLogging",
"s3:GetAnalyticsConfiguration",
"s3:PutBucketObjectLockConfiguration",
"s3:GetObjectVersionForReplication",
"s3:CreateJob",
"s3:GetLifecycleConfiguration",
"s3:ListBucketByTags",
"s3:GetInventoryConfiguration",
"s3:GetBucketTagging",
"s3:PutAccelerateConfiguration",
"s3:DeleteObjectVersion",
"s3:GetBucketLogging",
"s3:ListBucketVersions",
"s3:RestoreObject",
"s3:ListBucket",
"s3:GetAccelerateConfiguration",
"s3:GetBucketPolicy",
"s3:PutEncryptionConfiguration",
"s3:GetEncryptionConfiguration",
"s3:GetObjectVersionTorrent",
"s3:AbortMultipartUpload",
"s3:GetBucketRequestPayment",
"s3:UpdateJobPriority",
"s3:GetObjectTagging",
"s3:GetMetricsConfiguration",
"s3:DeleteBucket",
"s3:PutBucketVersioning",
"s3:GetBucketPublicAccessBlock",
"s3:ListBucketMultipartUploads",
"s3:PutMetricsConfiguration",
"s3:UpdateJobStatus",
"s3:GetBucketVersioning",
"s3:GetBucketAcl",
"s3:PutInventoryConfiguration",
"s3:GetObjectTorrent",
"s3:GetAccountPublicAccessBlock",
"s3:PutBucketWebsite",
"s3:ListAllMyBuckets",
"s3:PutBucketRequestPayment",
"s3:PutObjectRetention",
"s3:GetBucketCORS",
"s3:GetBucketLocation",
"s3:ReplicateDelete",
"s3:GetObjectVersion"
],
"Resource": "*",
"Condition": {
"IpAddress": {
"aws:SourceIp": "209.132.181.102/32"
}
}
}
]
}
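Review bot: `"Resource": "*"` applies this whole action list, including `s3:DeleteBucket`, `s3:DeleteObjectVersion` and `s3:PutBucketLogging`, to every bucket in the account, and the single `aws:SourceIp` condition is the only restriction. Anything that holds these credentials and sends requests from 209.132.181.102 can therefore reconfigure or delete buckets unrelated to its job. I would list the bucket ARNs the holder actually needs, e.g. `"Resource": ["arn:aws:s3:::<bucket-name>", "arn:aws:s3:::<bucket-name>/*"]`, and trim the delete and configuration actions to the ones in use. The Sid `VisualEditor0` is the console default; a descriptive Sid would make the intent auditable.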


@ -0,0 +1,23 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": "s3:PutObjectAcl",
"Resource": [
"arn:aws:s3:::fcos-builds/*",
"arn:aws:s3:::fcos-builds"
]
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "s3:*",
"Resource": [
"arn:aws:s3:::fcos-builds/*",
"arn:aws:s3:::fcos-builds"
]
}
]
}
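Review bot: The `VisualEditor0` statement is redundant, because `s3:PutObjectAcl` is already covered by `"Action": "s3:*"` in `VisualEditor1` on the same two resources. The wildcard also grants `s3:DeleteBucket`, `s3:PutBucketPolicy` and `s3:PutBucketAcl` on `fcos-builds`, so the holder can change who else has access to the bucket rather than only publish builds into it. If the consumer only uploads and reads build artifacts, replace `s3:*` with the object and list actions it uses and drop the first statement.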


@ -0,0 +1,39 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:ImportVolume",
"ec2:CreateTags",
"ec2:RegisterImage",
"ec2:CancelConversionTask",
"ec2:ImportSnapshot",
"ec2:CopyImage",
"ec2:ModifyImageAttribute",
"ec2:DescribeSnapshots",
"ec2:DescribeSnapshotAttribute",
"ec2:DescribeImportSnapshotTasks",
"ec2:DescribeImages",
"ec2:DeleteVolume",
"ec2:ModifySnapshotAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeImageAttribute",
"ec2:DescribeVolumes",
"ec2:CreateSnapshot",
"ec2:DescribeConversionTasks"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:CreateTags",
"Resource": [
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::image/*"
]
}
]
}
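Review bot: `ec2:ModifyImageAttribute` and `ec2:ModifySnapshotAttribute` on `"Resource": "*"` let the holder change launch and create-volume permissions on every AMI and snapshot in the account, which includes sharing them with other accounts. If this policy is for an image-upload pipeline, as the import and register actions suggest, consider moving these two actions and `ec2:DeleteVolume` into a statement with a tag condition such as `"Condition": {"StringEquals": {"ec2:ResourceTag/<tag-key>": "<value>"}}`. The `VisualEditor1` statement adds nothing as written: `ec2:CreateTags` is already allowed on `*` by the first statement.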


@ -0,0 +1,51 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescription",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"iam:ListInstanceProfiles",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowWhenOwnerOrUntagged",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": [
"centos"
]
}
},
"Resource": [
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:subnet/*"
]
}
]
}
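Review bot: `iam:PassRole` on `"Resource": ["*"]` with no condition, combined with `ec2:*` on `instance/*` in the second statement, allows attaching any instance profile in the account to an instance the group controls, which is a privilege-escalation path out of the group's tag boundary. Move `iam:PassRole` into its own statement scoped to the roles the group may use, e.g. `"Resource": "arn:aws:iam::<account-id>:role/<role-name>"` with `"Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}`. The same statement appears in the next two policy files (the `copr` and `infra` variants) and needs the same change there. The Sid `AllowDescription` also understates the statement, since it grants key-pair and security-group creation as well as the describe calls.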


@ -0,0 +1,51 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "AllowDescription",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"iam:ListInstanceProfiles",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowWhenOwnerOrUntagged",
"Effect": "Allow",
"Action": [
"ec2:*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": [
"copr"
]
}
},
"Resource": [
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*:*:subnet/*"
]
}
]
}
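Review bot: `StringEqualsIfExists` on `ec2:ResourceTag/FedoraGroup` evaluates to true whenever the tag is absent, so every untagged instance, volume, snapshot or security group is fully manageable by this group and by every other group given the same template. Nothing in the policy requires the tag at creation time, so new resources are likely to stay in that shared untagged pool. If isolation between groups is the goal, add a statement that allows the create actions only when `aws:RequestTag/FedoraGroup` equals `copr`, and consider plain `StringEquals` for the management statement; that needs testing, because launches also reference shared resources such as subnets and images. The `centos` file above and the `infra` file below have the same condition.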


@ -0,0 +1,45 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "VisualEditor0",
"Effect": "Allow",
"Action": [
"ec2:Describe*",
"iam:PassRole",
"ec2:ImportKeyPair",
"ec2:CreateKeyPair",
"ec2:CreateSecurityGroup",
"iam:ListInstanceProfiles"
],
"Resource": "*"
},
{
"Sid": "VisualEditor1",
"Effect": "Allow",
"Action": "ec2:*",
"Resource": [
"arn:aws:ec2:*:*:subnet/*",
"arn:aws:ec2:*:*:elasticGpu/*",
"arn:aws:ec2:*:*:reserved-instances/*",
"arn:aws:ec2:*:*:launch-template/*",
"arn:aws:ec2:*::snapshot/*",
"arn:aws:ec2:*:*:security-group/*",
"arn:aws:ec2:*:*:placement-group/*",
"arn:aws:ec2:*:*:network-interface/*",
"arn:aws:ec2:*:*:capacity-reservation/*",
"arn:aws:ec2:*:*:key-pair/*",
"arn:aws:ec2:*::spot-instance-request/*",
"arn:aws:ec2:*:*:instance/*",
"arn:aws:ec2:*:*:volume/*",
"arn:aws:ec2:*::fpga-image/*",
"arn:aws:ec2:*::image/*"
],
"Condition": {
"StringEqualsIfExists": {
"ec2:ResourceTag/FedoraGroup": "infra"
}
}
}
]
}
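Review bot: This file is the same policy as the `centos` and `copr` files but keeps the console-generated Sids `VisualEditor0`/`VisualEditor1`, a different `Resource` order and a bare-string tag value, which makes the three hard to diff against each other during an access review. Using the same Sids (`AllowDescription`, `AllowWhenOwnerOrUntagged`), the same sorted resource list and `"ec2:ResourceTag/FedoraGroup": ["infra"]` would leave the group name as the only difference. Since the three are checked in as copies, generating them from one template with the group name as the variable would keep them from drifting.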


@ -0,0 +1,36 @@
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "WriteToTestBucket",
"Effect": "Allow",
"Action": [
"s3:GetBucketPublicAccessBlock",
"s3:PutObject",
"s3:GetObjectAcl",
"s3:GetObject",
"s3:GetBucketTagging",
"s3:GetObjectTagging",
"s3:ListBucket",
"s3:GetBucketAcl",
"s3:PutObjectAcl"
],
"Resource": [
"arn:aws:s3:::*/*",
"arn:aws:s3:::robosig-dev-fcos-builds"
]
},
{
"Sid": "ReadFromProdBucket",
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": [
"arn:aws:s3:::*/*",
"arn:aws:s3:::fcos-builds"
]
}
]
}
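Review bot: `"arn:aws:s3:::*/*"` in `WriteToTestBucket` matches objects in every bucket, so `s3:PutObject` and `s3:PutObjectAcl` are granted on the production `fcos-builds` objects and on any other bucket in the account, not only on the test bucket the Sid names. The object ARN was presumably meant to be `"arn:aws:s3:::robosig-dev-fcos-builds/*"`, and in `ReadFromProdBucket` `"arn:aws:s3:::fcos-builds/*"`. As written, the second statement likewise allows `s3:GetObject` on all objects in all buckets.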