diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 35769269..3f413719 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -31,23 +31,11 @@ Statement:
 - 'arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole'
 - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
 - 'arn:aws:iam::aws:policy/service-role/AWSServiceRoleForVPCTransitGateway'
- - 'arn:aws:iam::aws:policy/service-role/AmazonEC2ContainerServiceRole'
-
- # Legacy - We need to backport ansible-collections/community.aws/63 or
- # wait until community.aws drops CI support for Ansible 2.9
- - Sid: AllowPassRole
- Effect: Allow
- Action:
- - iam:PassRole
- Resource:
- - 'arn:aws:iam::{{ aws_account_id }}:role/ansible_lambda_role'
+ - 'arn:aws:iam::aws:policy/service-role/AmazonECSTaskExecutionRolePolicy'
 - Sid: AllowRegionalUnrestrictedResourceActionsWhichIncurNoFees
 Effect: Allow
 Action:
- - iam:ListAccountAliases
- - iam:ListPolicies
- - iam:ListInstanceProfiles
 - iam:GetUser
 - acm:ListCertificates
 - acm:ListTagsForCertificate
@@ -143,7 +131,6 @@ Statement:
 - iam:GetInstanceProfile
 - iam:GetSAMLProvider
 - iam:GetServerCertificate
- - iam:ListInstanceProfilesForRole
 - iam:PassRole
 - iam:RemoveRoleFromInstanceProfile
 - iam:UpdateSAMLProvider
@@ -198,3 +185,4 @@ Statement:
 - 'transitgateway.amazonaws.com'
 - 'network-firewall.amazonaws.com'
 - 'ecs.amazonaws.com'
+ - 'ecs-test.amazonaws.com'
diff --git a/aws/terminator/paas.py b/aws/terminator/paas.py
index b59f30a2..02053ba3 100644
--- a/aws/terminator/paas.py
+++ b/aws/terminator/paas.py
@@ -1,4 +1,4 @@
-from datetime import datetime
+from datetime import datetime, timedelta
 from . import DbTerminator, Terminator
@@ -221,7 +221,7 @@ def _paginate_service_results():
 class EcsCluster(DbTerminator):
 @property
 def age_limit(self):
- return datetime.timedelta(minutes=30)
+ return timedelta(minutes=30)
 @property
 def name(self):
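Review bot: In aws/policy/security-services.yaml (hunk at -31,23) the new `AmazonECSTaskExecutionRolePolicy` entry replaces `AmazonEC2ContainerServiceRole` instead of sitting beside it, and nothing records which consumer needs it. The two AWS managed policies serve different roles (task execution versus the ECS service role), so a test that still attaches the old one would presumably be denied after this deploys; the key this list sits under is outside the hunk, so that is an inference. I would add a one-line comment above the entry, `# AmazonECSTaskExecutionRolePolicy: attached by <test target> to its task execution role`, with the placeholder filled in.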
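Review bot: The added `'ecs-test.amazonaws.com'` entry in the last hunk of security-services.yaml (-198,3) carries no explanation, and unlike its neighbours it is not obviously a regular service principal. The key this list belongs to is outside the hunk; if it is a condition limiting which services a role may be passed to or created for, every entry widens what the CI identity can do, so the reason belongs in the file. I would put a comment on the line above, `# ecs-test.amazonaws.com: <why the tests need this principal>`.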
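Review bot: The `age_limit` fix in `EcsCluster` (aws/terminator/paas.py, hunk at -221,7) covers only this class, and the hunk does not show whether other terminators in the file still call `datetime.timedelta(...)`. With `from datetime import datetime` that expression raises AttributeError, so any class left with it would fail when its age limit is read and, presumably, its resources would never be cleaned up. It is worth searching the file for `datetime.timedelta` before merging, and adding a short docstring such as `"""Clusters older than this are eligible for termination."""` if that matches how the base class uses the property. The class body continues outside the hunk.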