If you have time left today, could you work on this one?

(if yes, move it to In Progress)

Will pick this on monday.

Code changes have been made. Please review
https://bitbucket.org/chesterdias/chester-local-appstore-playbooks/branch/IGBF-2346#diff

This looks good - great first draft!

I have a couple of refinements to request:

• Can you modify the role so that it is specific to the S3 bucket that the EC2 will use?

That is, the permission policy should only apply to the particular bucket that is created in the playbooks. This is to ensure that we can have a very liberal permissions in the role without fear of developers accidentally harming each other's S3 buckets.

• Also, I would like for the role itself to be named after the EC2 – e.g., the role name should be assigned to {{ ec_name }}.

aws s3 ls
the above command was used to check if ec2 can list buckets

Chester Dias - Moving back to "To-Do". When you start working on it again, do please move it to "In Progress" to let me know you are working on it.

Let's work on the requested new features as part of different ticket. Merged the branch above to master.
cc: Chester Dias

Sure
Note: Below is the policy to be added to the role to grant limited priviledges over S3 to the EC2, The below policy will grant list priviledge to list all buckets and all privs over the bucket 'dev-media-****'
{
"Version": "2012-10-17",
"Statement": [

,

]
}

Thanks for this.
Making a note to add this to s3 role and moving back to "to do".

Please review https://bitbucket.org/chesterdias/chester-local-appstore-playbooks/branch/IGBF-2346#diff
I have added the code for creating a policy dynamically with a name of the EC2 to which it is associated to
the Policy will grant the Ec2 the access to list all the buckets and full permission over it own bucket and no access to other buckets

Change request:

• Please avoid coding JSON in the role playbook itself. Use templates instead. (As an example, see: https://bitbucket.org/lorainelab/appstore-playbooks/src/master/Ansible/roles/appstore_s3/templates/policy_json.j2)

sure will update the same

Requested Changes are made, Please review
https://bitbucket.org/chesterdias/chester-local-appstore-playbooks/branch/IGBF-2346#diff

Change requests - please take a look:

• Do not make any changes to EC instance as it is not created yet - please note order of role execution in set_up.yml.

• Accordingly, check role appstore_ec2 to ensure it is created using the new syntax.

Please note: the master branch version of appstore_s3/tasks/main.yml does not create a stand-alone policy but instead simply modifies a role that is created in the previous task. The proposed changes are an improvement on this because a stand-alone policy is being created, which is a better because this same policy can be separately attached to IAM users, thus allowing them to use the AWS console to make changes to their App Store's bucket.

• Change "policy_name" in task "Create IAM Managed Policy" to {{ s3_bucket_name }}.

• Change "name" in task "Create IAM role if not present for Ec2" to {{ s3_bucket_name }}

• Carefully compare proposed changes to master branch version to ensure existing functionality or assumptions will not be disrupted. If they are, please fix accordingly.

I have checked the order, the proposed change has been added.
I have moved the for 'granting a role to ec2' to appstore_ec2 since the ec2 won't be created till that execution point.

Please review the change:https://bitbucket.org/chesterdias/chester-local-appstore-playbooks/branch/IGBF-2346#diff

PR: https://bitbucket.org/lorainelab/appstore-playbooks/pull-requests/24/igbf-2346/diff