Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

add extra policies for elb_application_lb #121

Merged
merged 1 commit into from
Jan 11, 2021
Merged

add extra policies for elb_application_lb #121

merged 1 commit into from
Jan 11, 2021

Conversation

goneri
Copy link
Contributor

@goneri goneri commented Jan 7, 2021

Allow the elasticloadbalancing:RemoveTags. The
elasticloadbalancing:AddTags is already accepted.

With need this policy for elb_application_lb.

@goneri goneri mentioned this pull request Jan 7, 2021
Merged
@jillr
Copy link
Collaborator

jillr commented Jan 7, 2021

@goneri There's some missing permissions here still. I've tested your PR with this changeset:

+++ b/aws/policy/compute.yaml
@@ -118,6 +118,7 @@ Statement:
       - ec2:DescribeAvailabilityZones
       - ec2:DescribeSpotPriceHistory
       - ec2:DescribeTransitGateways
+      - elasticloadbalancing:DeleteRule
       - elasticloadbalancing:DescribeListeners
       - elasticloadbalancing:DescribeLoadBalancerAttributes
       - elasticloadbalancing:DescribeLoadBalancers
@@ -128,6 +129,7 @@ Statement:
       - elasticloadbalancing:DescribeTargetHealth
       - elasticloadbalancing:DeregisterTargets
       - elasticloadbalancing:ModifyTargetGroupAttributes
+      - elasticloadbalancing:ModifyRule
     Resource:
       - "*"

@@ -136,6 +138,7 @@ Statement:
     Action:
       - ec2:CreateVolume
       - elasticloadbalancing:CreateLoadBalancer
+      - elasticloadbalancing:CreateRule
     Resource:
       - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
       - 'arn:aws:elasticloadbalancing:{{ aws_region }}:{{ aws_account_id }}:*'

But then I get a failure at tests/integration/targets/elb_application_lb/tasks/test_modifying_alb_listeners.yml:146 on this assertion - '{{ alb|community.general.json_query("listeners[].rules[].conditions[].host_header_config.values[]")|length == 1 }}'

I'll leave the policies in my diff deployed to stage:dev for now so you can do local testing.

@goneri goneri changed the title allow elasticloadbalancing:RemoveTags add extra policies for elb_application_lb Jan 8, 2021
@goneri goneri force-pushed the allow-elasticloadbalancing-RemoveTags_9046 branch from 61f6d2d to 067cdd7 Compare January 8, 2021 18:56
goneri
goneri commented Jan 8, 2021
View reviewed changes
aws/policy/compute.yaml
- elasticloadbalancing:DescribeListeners
- elasticloadbalancing:DeleteListener
Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I had to also add this one.

@goneri
add extra actions for elb_application_lb
bb2afbb 
Extend the compute policy to be able to run `elb_application_lb` test.
@goneri goneri force-pushed the allow-elasticloadbalancing-RemoveTags_9046 branch from 067cdd7 to bb2afbb Compare January 11, 2021 14:27
@jillr jillr merged commit 044afb4 into mattclay:master Jan 11, 2021
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jillr jillr jillr approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@goneri @jillr