IGB / IGBF-2363

Make s3 role more specific to EC2 using it

    Details

    • Type: Task
    • Status: Closed (View Workflow)
    • Priority: Major
    • Resolution: Done
    • Affects Version/s: None
    • Fix Version/s: None
    • Labels: None

      Description

      Tasks:

      • Modify the role so that it is specific to the S3 bucket that the EC2 instance will use.
        That is, the permission policy should apply only to the particular bucket that is created in the playbooks. This is to ensure that we can grant very liberal permissions in the role without fear of developers accidentally harming each other's S3 buckets.
      • Name the role after the EC2 instance, e.g., set the role name to {{ ec_name }}.

          Activity

          ann.loraine Ann Loraine created issue -
          ann.loraine Ann Loraine made changes -
          Field Original Value New Value
          Epic Link IGBF-2323 [ 18477 ]
          ann.loraine Ann Loraine made changes -
          Rank Ranked higher
          ann.loraine Ann Loraine made changes -
          Assignee Ann Loraine [ aloraine ]
          ann.loraine Ann Loraine made changes -
          Status To-Do [ 10305 ] In Progress [ 3 ]
          ann.loraine Ann Loraine added a comment - - edited

          Notes: https://github.com/ansible/ansible-modules-core/issues/2009 - iam_policy support for jinja templates
          ann.loraine Ann Loraine made changes -
          Story Points 0.5 0.75
          ann.loraine Ann Loraine added a comment - - edited

          Add files containing policies to templates and files folders in appstore_s3 role folder.

          New task flow:

          • make bucket
          • block public permission to bucket (added in previous ticket – left "as is")
          • make IAM role for bucket; role is named for the bucket
          • add policy to the IAM role giving full access to the bucket; policy is also named for the bucket
          • include role in EC2 creation task
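          The task flow in the comment above, and the bucket-scoping requirement from the issue description, as one added Ansible example. This is illustrative code written for this page, not the IGB project's appstore_s3 role. It assumes amazon.aws collection module names and parameters (s3_bucket, iam_role, iam_policy, ec2_instance with instance_role) and caller-supplied variables bucket_name and ami_id; ec_name is the variable named in the issue. The policy is written inline as a dict rather than loaded from a template file.

```yaml
# Added example, not the IGB project's own role tasks.
# Assumes amazon.aws >= 5 module names/parameters and that the caller defines
# bucket_name, ec_name and ami_id (bucket_name and ami_id are assumed names).

- name: Make bucket
  amazon.aws.s3_bucket:
    name: "{{ bucket_name }}"
    state: present
    # Block public permission to the bucket (from the previous ticket, left as is)
    public_access:
      block_public_acls: true
      ignore_public_acls: true
      block_public_policy: true
      restrict_public_buckets: true

- name: Make IAM role for the bucket; role is named for the bucket
  amazon.aws.iam_role:
    name: "{{ bucket_name }}"
    state: present
    create_instance_profile: true   # instance profile of the same name, attached to the EC2 below
    # Trust policy: only the EC2 service may assume this role
    assume_role_policy_document:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Principal:
            Service: ec2.amazonaws.com
          Action: sts:AssumeRole

- name: Add policy to the IAM role giving full access to this bucket only; policy is named for the bucket
  amazon.aws.iam_policy:
    iam_type: role
    iam_name: "{{ bucket_name }}"
    policy_name: "{{ bucket_name }}"
    state: present
    # Liberal within the bucket (s3:*), but Resource is pinned to this one bucket
    # and its objects, so the role cannot touch another developer's bucket.
    policy_json:
      Version: "2012-10-17"
      Statement:
        - Effect: Allow
          Action: "s3:*"
          Resource:
            - "arn:aws:s3:::{{ bucket_name }}"
            - "arn:aws:s3:::{{ bucket_name }}/*"

- name: Include role in EC2 creation task
  amazon.aws.ec2_instance:
    name: "{{ ec_name }}"
    instance_role: "{{ bucket_name }}"   # instance profile created above
    image_id: "{{ ami_id }}"
    instance_type: t3.micro
    state: present
```

          Two things to check when adapting this: both Resource entries are needed, since bucket-level calls (ListBucket) match the bucket ARN and object-level calls (GetObject, PutObject) match the `/*` ARN; and `s3:*` on the bucket still includes bucket-management actions such as deleting the bucket or rewriting its bucket policy, so narrow Action if the instance only needs to read and write objects.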
          ann.loraine Ann Loraine made changes -
          Status In Progress [ 3 ] Needs 1st Level Review [ 10005 ]
          ann.loraine Ann Loraine made changes -
          Status Needs 1st Level Review [ 10005 ] First Level Review in Progress [ 10301 ]
          ann.loraine Ann Loraine made changes -
          Status First Level Review in Progress [ 10301 ] Ready for Pull Request [ 10304 ]
          ann.loraine Ann Loraine made changes -
          Status Ready for Pull Request [ 10304 ] Pull Request Submitted [ 10101 ]
          ann.loraine Ann Loraine made changes -
          Status Pull Request Submitted [ 10101 ] Reviewing Pull Request [ 10303 ]
          ann.loraine Ann Loraine made changes -
          Status Reviewing Pull Request [ 10303 ] Merged Needs Testing [ 10002 ]
          ann.loraine Ann Loraine made changes -
          Status Merged Needs Testing [ 10002 ] Post-merge Testing In Progress [ 10003 ]
          ann.loraine Ann Loraine added a comment - - edited

          To test, provision a control node within your AWS account.

          Then edit variables files as indicated in the documentation.

          Then, run:

          • ansible-playbook setup.yml

          It should work in any AWS account, with one catch: S3 bucket names have to be unique. If you pick a bucket name that is the same as an existing one, the playbook will fail.

          ann.loraine Ann Loraine made changes -
          Assignee Ann Loraine [ aloraine ]
          ann.loraine Ann Loraine made changes -
          Resolution Done [ 10000 ]
          Status Post-merge Testing In Progress [ 10003 ] Closed [ 6 ]
          ann.loraine Ann Loraine made changes -
          Assignee Ann Loraine [ aloraine ]

            People

            • Assignee: Ann Loraine
            • Reporter: Ann Loraine