Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Add support for AWS config resources - terminator and hacking policy #133

Closed
wants to merge 3 commits into from
Closed

Add support for AWS config resources - terminator and hacking policy #133

wants to merge 3 commits into from

Conversation

tremble
Copy link
Contributor

@tremble tremble commented Feb 24, 2021

I find terminator helpful for cleaning up my 'local' test account, however only adding to the hacking policy because AWS only supports a single recorder per account per region.

@tremble tremble mentioned this pull request Feb 24, 2021
Merged
jillr
jillr requested changes Mar 11, 2021
View reviewed changes
Copy link
Collaborator

@jillr jillr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I'm getting failures with this PR; running python3 cleanup.py --target ConfigAggregator --target ConfigRecorder --target ConfigDeliveryChannel --target ConfigRule --stage dev -vvv -c

We're missing the various describe permissions in CI
arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-dev/cleanup is not authorized to perform: config:DescribeConfigurationAggregators"}
User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-dev/cleanup is not authorized to perform: config:DescribeConfigurationRecorders"}
arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-dev/cleanup is not authorized to perform: config:DescribeConfigRules"}

We're presumably need the accompanying Remove actions

@tremble tremble requested a review from jillr March 12, 2021 05:56
jillr
jillr reviewed May 27, 2021
View reviewed changes
Copy link
Collaborator

@jillr jillr left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Partial review; we also need iam:PutRolePolicy and maybe iam:ListRolePolicies. I think these are fine? I need to read more IAM docs. There may be other things needed, I was not able to get the aws_config test passing and have not fully tested the new classes.

"msg": "An error occurred (AccessDenied) when calling the PutRolePolicy operation: User: arn:aws:sts::966509639900:assumed-role/ansible-core-ci-test-dev/dev=remote=jillr is not authorized to perform: iam:PutRolePolicy on resource: role ansible-test-ansible-test-59275417-lab",

aws/policy/security-services.yaml
@@ -127,6 +127,12 @@ Statement:
- Sid: AllowGlobalUnrestrictedResourceActionsWhichIncurNoFees
Effect: Allow
Action:
- config:DeleteConfigRule
- config:DeleteConfigurationRecorder
- config:DeleteDeliveryChannel
Copy link
Collaborator

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Suggested change
- config:DeleteDeliveryChannel
- config:DeleteDeliveryChannel
- config:DescribeAggregationAuthorizations
- config:DescribeConfigurationAggregators

@tremble tremble closed this Oct 25, 2021
@tremble tremble deleted the aws_config branch February 10, 2023 09:16
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@jillr jillr jillr requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@tremble @jillr