Merge branch 'sns_topic_tag_policies' of https://github.com/alinabuza…

…chis/aws-terminator into sns_topic_tag_policies
mattclay · Jun 9, 2022 · 8c10abe · 8c10abe
2 parents b53a3b7 + 02de107
commit 8c10abe
Show file tree

Hide file tree

Showing 5 changed files with 30 additions and 8 deletions.
diff --git a/aws/policy/application-security.yaml b/aws/policy/application-security.yaml
@@ -34,7 +34,6 @@ Statement:
       - wafv2:DeleteFirewallManagerRuleGroups
       - wafv2:DisassociateFirewallManager
       - wafv2:UpdateIPSet
-      - wafv2:TagResource
     Resource:
       - 'arn:aws:wafv2:{{ aws_region }}:{{ aws_account_id }}:*'
 
@@ -110,6 +109,9 @@ Statement:
       - waf:UpdateSqlInjectionMatchSet
       - waf:UpdateWebACL
       - waf:UpdateXssMatchSet
+      - wafv2:ListTagsForResource
+      - wafv2:TagResource
+      - wafv2:UntagResource
     Resource: "*"
     Condition:
       StringEquals:

diff --git a/aws/policy/application-services.yaml b/aws/policy/application-services.yaml
@@ -69,9 +69,19 @@ Statement:
       - kinesis:DescribeStream
       - cloudformation:DescribeStacks
       - cloudformation:ListExports
+        # These cloudformation permissions simply enable use of the Cloud Control API.
+        # The underlying resources the API is managing would still require their own permissions.
+      - cloudformation:CreateResource
+      - cloudformation:DeleteResource
+      - cloudformation:GetResource
+      - cloudformation:GetResourceRequestStatus
+      - cloudformation:ListResources
+      - cloudformation:ListResourceRequests
+      - cloudformation:UpdateResource
       - glue:GetConnections
       - glue:GetCrawlers
       - glue:GetJobs
+      - logs:ListLogDeliveries
     Resource: "*"
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
@@ -141,10 +141,12 @@ Statement:
       - autoscaling:DeleteScheduledAction
       - autoscaling:DeleteTags
       - autoscaling:DetachLoadBalancers
+      - autoscaling:DeleteLifecycleHook
       - autoscaling:DetachLoadBalancerTargetGroups
       - autoscaling:DisableMetricsCollection
       - autoscaling:PutScalingPolicy
       - autoscaling:PutScheduledUpdateGroupAction
+      - autoscaling:PutLifecycleHook
       - autoscaling:StartInstanceRefresh
       - autoscaling:TerminateInstanceInAutoScalingGroup
       - ec2:DeleteVolume

diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
@@ -21,11 +21,14 @@ Statement:
   - Sid: AllowGlobalResourceRestrictedActionsWhichIncurNoFees
     Effect: Allow
     Action:
+      - dms:AddTagsToResource
       - dms:CreateReplicationSubnetGroup
       - dms:DeleteEndpoint
-      - dms:ModifyEndpoint
       - dms:DeleteReplicationSubnetGroup
+      - dms:ListTagsForResource
+      - dms:ModifyEndpoint
       - dms:ModifyReplicationSubnetGroup
+      - dms:RemoveTagsFromResource
       - dynamodb:CreateTable
       - dynamodb:DeleteItem
       - dynamodb:DeleteTable
@@ -43,12 +46,7 @@ Statement:
       - elasticache:DeleteCacheCluster
       - elasticache:DeleteCacheSecurityGroup
       - elasticache:DeleteCacheSubnetGroup
-      - elasticache:DescribeCacheClusters
-      - elasticache:DescribeCacheEngineVersions
-      - elasticache:DescribeCacheParameterGroups
-      - elasticache:DescribeCacheParameters
-      - elasticache:DescribeCacheSecurityGroups
-      - elasticache:DescribeCacheSubnetGroups
+      - elasticache:DescribeCache*
       - elasticache:DescribeEngineDefaultParameters
       - elasticache:DescribeUpdateActions
       - elasticache:ModifyCacheCluster
@@ -79,6 +77,8 @@ Statement:
       - rds:DeleteDBParameterGroup
       - rds:DeleteDBSubnetGroup
       - rds:RestoreDBInstanceToPointInTime
+      - rds:RestoreDBInstanceFromDBSnapshot
+      - rds:RestoreDBInstanceFromS3
       - rds:CreateDBInstanceReadReplica
       - rds:CreateDBInstance
       - rds:ModifyDBInstance
@@ -100,14 +100,17 @@ Statement:
       - rds:DeleteDBClusterSnapshot
       - rds:CreateDBSnapshot
       - rds:DeleteDBSnapshot
+      - rds:CopyDBSnapshot
       - rds:DescribeExportTasks
       - rds:StartExportTask
       - rds:CancelExportTask
       - rds:RestoreDBClusterToPointInTime
       - rds:RestoreDBClusterFromSnapshot
       - rds:RestoreDBClusterFromS3
       - rds:PromoteReadReplicaDBCluster
+      - rds:CopyDBClusterSnapshot
     Resource:
+      - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:endpoint:*'
       - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
       - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
       - 'arn:aws:elasticache:{{ aws_region }}:{{ aws_account_id }}:cluster:*'

diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
@@ -25,6 +25,7 @@ Statement:
           - 'arn:aws:iam::aws:policy/service-role/AWSLambdaSQSQueueExecutionRole'
           - 'arn:aws:iam::aws:policy/service-role/AmazonDMSVPCManagementRole'
           - 'arn:aws:iam::aws:policy/service-role/AmazonRDSEnhancedMonitoringRole'
+          - 'arn:aws:iam::aws:policy/service-role/AWSServiceRoleForVPCTransitGateway'
 
   # Legacy - We need to backport ansible-collections/community.aws/63 or
   # wait until community.aws drops CI support for Ansible 2.9
@@ -169,9 +170,13 @@ Statement:
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/autoscaling.amazonaws.com/*'
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/spot.amazonaws.com/*'
       - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/eks-fargate.amazonaws.com/*'
+      - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/transitgateway.amazonaws.com/*'
+      - 'arn:aws:iam::{{ aws_account_id }}:role/aws-service-role/network-firewall.amazonaws.com/*'
     Condition:
       ForAnyValue:StringEquals:
         iam:AWSServiceName:
           - 'autoscaling.amazonaws.com'
           - 'spot.amazonaws.com'
           - 'eks-fargate.amazonaws.com'
+          - 'transitgateway.amazonaws.com'
+          - 'network-firewall.amazonaws.com'