@michael-dev2rights
Last active June 6, 2017 18:17
Policy for running ansible integration tests
{
"Version": "2012-10-17",
"Statement": [
{
"Sid": "Stmt1489152727000",
"Effect": "Allow",
"Action": [
"ec2:Describe*"
],
"Resource": [
"*"
]
},
{
"Sid": "Stmt1489154822000",
"Effect": "Allow",
"Action": [
"ec2:CreateKeyPair",
"ec2:CreateNatGateway",
"ec2:DeleteKeyPair",
"ec2:ImportKeyPair",
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RunInstances",
"ec2:CreateTags",
"ec2:TerminateInstances",
"ec2:AllocateAddress",
"ec2:AssociateAddress",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:CreateSubnet",
"ec2:CreateVpc",
"ec2:CreateRouteTable",
"ec2:ModifyRouteTable",
"ec2:DescribeRouteTable",
"ec2:AssociateRouteTable",
"ec2:DisassociateRouteTable",
"ec2:ModifyVpcAttribute",
"ec2:CreateInternetGateway",
"ec2:AttachInternetGateway",
"ec2:DeleteNatGateway"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowManageSecurityGroupsForSetup",
"Effect": "Allow",
"Action": [
"ec2:DescribeSecurityGroups",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupEgress",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:RevokeSecurityGroupIngress"
],
"Resource": [
"arn:aws:ec2:{{region}}:{{account}}:security-group/*"
]
},
{
"Sid": "Stmt1489163124000",
"Effect": "Allow",
"Action": [
"autoscaling:DescribeAutoScalingGroups",
"autoscaling:DescribeLaunchConfigurations",
"autoscaling:CreateLaunchConfiguration",
"autoscaling:CreateAutoScalingGroup",
"autoscaling:UpdateAutoScalingGroup",
"autoscaling:DeleteAutoScalingGroup",
"autoscaling:DeleteLaunchConfiguration"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowReadAllLoadBalancers",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:DescribeInstanceHealth"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowManagementofOwnLoadBalancers",
"Effect": "Allow",
"Action": [
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:CreateLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancer",
"elasticloadbalancing:ConfigureHealthCheck",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:EnableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer",
"elasticloadbalancing:DeleteLoadBalancerListeners",
"elasticloadbalancing:CreateLoadBalancerListeners",
"elasticloadbalancing:RegisterInstancesWithLoadBalancer",
"elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
"elasticloadbalancing:DescribeInstanceHealth"
],
"Resource": [
"arn:aws:elasticloadbalancing:{{region}}:{{account}}:loadbalancer/ansible-testing-*"
]
},
{
"Sid": "Stmt1489417130000",
"Effect": "Allow",
"Action": [
"ecr:DescribeRepositories",
"ecr:CreateRepository",
"ecr:DescribeRepositories",
"ecr:GetRepositoryPolicy",
"ecr:DescribeRepositories",
"ecr:SetRepositoryPolicy",
"ecr:DeleteRepository",
"ecr:DeleteRepositoryPolicy",
"ecr:DeleteRepositoryPolicy"
],
"Resource": [
"*"
]
},
{
"Sid": "AllowOldRDSModule",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:DeleteDBInstance"
],
"Resource": [
"arn:aws:rds:{{region}}:{{account}}:db:ansible-testing*"
]
},
{
"Sid": "AllowRDSModuleCompatibilityTests",
"Effect": "Allow",
"Action": [
"rds:DescribeDBInstances",
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:ListTagsForResource",
"rds:DeleteDBInstance"
],
"Resource": [
"arn:aws:rds:{{region}}:{{account}}:db:ansible-testing*"
]
},
{
"Sid": "AllowRDSInstanceManageOwnInstance",
"Effect": "Allow",
"Action": [
"rds:CreateDBInstance",
"rds:ModifyDBInstance",
"rds:ListTagsForResource",
"rds:DescribeDBInstances"
],
"Resource": [
"arn:aws:rds:{{region}}:{{account}}:db:rds-*"
]
},
{
"Sid": "AllowRDSSnapshotManageSnapshots",
"Effect": "Allow",
"Action": [
"rds:DescribeDBSnapshots",
"rds:DescribeDBInstances",
"rds:DescribeDBSnapshots",
"rds:DeleteDBInstance",
"rds:CreateDBSnapshot",
"rds:DeleteDBSnapshot",
"rds:RestoreDBInstanceFromDBSnapshot",
"rds:CreateDBInstanceReadReplica"
],
"Resource": [
"arn:aws:rds:{{region}}:{{account}}:snapshot:snapshot-*",
"arn:aws:rds:{{region}}:{{account}}:snapshot:rds-*",
"arn:aws:rds:{{region}}:{{account}}:db:rds-*"
]
},
{
"Sid": "Stmt1492534430805",
"Action": [
"s3:GetObject",
"s3:ListBucket",
"s3:PutBucketAcl",
"s3:CreateBucket",
"s3:PutObject",
"s3:PutObjectAcl",
"s3:DeleteBucket",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": [
"arn:aws:s3:::ansible_test_*",
"arn:aws:s3:::ansible_test_*/*"
]
}
]
}
michael-dev2rights commented Mar 16, 2017

This is a policy which allows the ansible integration tests to run in an account. I have only added Actions that are actually needed, and in some cases I tried to narrow the resource selection, but in most cases I then had to back out to all resources.

Comments and suggestions for improvement appreciated.

michael-dev2rights commented Mar 26, 2017

YAML of required variables

# these are the parameters you have to give to create a correct IAM policy for testing
# (they fill the {{account}} and {{region}} placeholders in the policy's Resource ARNs)
account:  123455678   # your AWS account number (sample value only; real AWS account IDs are 12 digits)
region: us-east-1  # some of the EC2 tests use a special AMI so currently you *have* to use us-east-1 if everything is to work
