Details
-
Type:
Task
-
Status: Closed (View Workflow)
-
Priority:
Major
-
Resolution: Done
-
Affects Version/s: None
-
Fix Version/s: None
-
Labels:None
-
Story Points:0.75
-
Epic Link:
-
Sprint:Spring 8 : 24 Apr to 8 May
Description
Tasks:
- Modify the role so that it is specific to the S3 bucket that the EC2 will use.
That is, the permission policy should only apply to the particular bucket that is created in the playbooks. This is to ensure that we can have a very liberal permissions in the role without fear of developers accidentally harming each other's S3 buckets.
- Name role itself to be named after the EC2 – e.g., the role name should be assigned to {{ ec_name }}.
Attachments
Activity
Add files containing policies to templates and files folders in appstore_s3 role folder.
New task flow:
- make bucket
- block public permission to bucket (added in previous ticket – left "as is")
- make IAM role for bucket; role is named for the bucket
- add policy to the to IAM role giving full access to the bucket; policy is also named for the bucket
- include role in EC2 creation task
Notes:
- https://github.com/ansible/ansible-modules-core/issues/2009 - iam_policy support for jinja templates
To test, provision a control node within your AWS account.
Then edit variables files as indicated in the documention.
Then, run:
It should work in any AWS account, with one catch: S3 bucket names have to be unique. If you pick a bucket name that is the same as an existing one, the playbook will fail.