From 06fa62eb4517ca268a50f24b478c5704a3cda6e9 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Mon, 7 Oct 2024 17:20:27 +0200
Subject: [PATCH 1/3] Additional ASG permissions for autoscaling_instance

---
 aws/policy/compute.yaml | 3 +++
 1 file changed, 3 insertions(+)

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index b512db9..810edf0 100644
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -6,6 +6,7 @@ Statement:
 - Sid: AllowRunInstancesInstanceType
 Effect: Allow
 Action:
+ - autoscaling:AttachInstances
 - autoscaling:CreateAutoScalingGroup
 - autoscaling:CreateLaunchConfiguration
 - autoscaling:UpdateAutoScalingGroup
@@ -150,6 +151,8 @@ Statement:
 - autoscaling:PutScheduledUpdateGroupAction
 - autoscaling:PutLifecycleHook
 - autoscaling:StartInstanceRefresh
+ - autoscaling:SetInstanceHealth
+ - autoscaling:SetInstanceProtection
 - autoscaling:TerminateInstanceInAutoScalingGroup
 - ec2:DeleteVolume
 - elasticloadbalancing:AddListenerCertificates
From 6e4db92d5bdcf82368b71acb3a2bc208e517347c Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Fri, 11 Oct 2024 17:57:20 +0200
Subject: [PATCH 2/3] Also add Suspend/Resume ASG

---
 aws/policy/compute.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index 810edf0..1a5dc4b 100644
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -111,6 +111,8 @@ Statement:
 Effect: Allow
 Action:
 - autoscaling:Describe*
+ - autoscaling:ResumeProcesses
+ - autoscaling:SuspendProcesses
 - ec2:Describe*
 - elasticloadbalancing:DeleteRule
 - elasticloadbalancing:DeleteListener
From b04c171928d3d520157d1e8f532efb6f5f99a522 Mon Sep 17 00:00:00 2001
From: Mark Chappell
Date: Wed, 6 Nov 2024 18:32:32 +0100
Subject: [PATCH 3/3] Suggestions from review

---
 aws/policy/compute.yaml | 12 +++--------
 1 file changed, 3 insertions(+), 9 deletions(-)

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index 1a5dc4b..f36e1cd 100644
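Review bot: If the `AllowRunInstancesInstanceType` statement carries an instance-type Condition (its Condition and Resource are outside the hunk at `@@ -6,6 +6,7 @@`), `autoscaling:AttachInstances` may never match it: the action targets an existing group and, as far as I know, does not supply the autoscaling instance-type condition keys, so a plain StringEquals on that key would evaluate false and the new grant would be silently ineffective. The Sid strongly suggests such a condition is present, since the sibling actions (`CreateAutoScalingGroup`, `CreateLaunchConfiguration`, `UpdateAutoScalingGroup`) are exactly the ones that do carry an instance type. Worth checking the Condition block, and if it is there, moving `- autoscaling:AttachInstances` to a statement scoped on the group ARN rather than on instance type.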
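Review bot: `autoscaling:ResumeProcesses` and `autoscaling:SuspendProcesses` are write actions landing in a statement whose visible neighbours at `@@ -111,6 +111,8 @@` are `autoscaling:Describe*` and `ec2:Describe*`; Describe calls only work against `Resource: '*'`, so if that is this statement's Resource (it is outside the hunk) the two new actions become allowed on every Auto Scaling group in the account, not only the test-scoped ones. Suspending `Terminate`/`ReplaceUnhealthy` processes account-wide is a meaningful change in what a leaked CI credential could do. The statement in the first patch that already holds `autoscaling:TerminateInstanceInAutoScalingGroup` and the other ASG write actions (old lines 150–155) looks like the intended home for these two entries; moving them there keeps the Describe statement read-only.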
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -131,7 +131,7 @@ Statement:
 Action:
 - autoscaling:EnableMetricsCollection
 - ec2:CreateVolume
- - elasticloadbalancing:CreateLoadBalancer
+ - elasticloadbalancing:CreateLoadBalancer*
 - elasticloadbalancing:CreateRule
 Resource:
 - 'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:volume/*'
@@ -165,13 +165,8 @@ Statement:
 - elasticloadbalancing:CreateAppCookieStickinessPolicy
 - elasticloadbalancing:CreateLBCookieStickinessPolicy
 - elasticloadbalancing:CreateListener
- - elasticloadbalancing:CreateLoadBalancerListeners
- - elasticloadbalancing:CreateLoadBalancerPolicy
 - elasticloadbalancing:CreateTargetGroup
- - elasticloadbalancing:DeleteLoadBalancer
- - elasticloadbalancing:DeleteLoadBalancerListeners
- - elasticloadbalancing:DeleteLoadBalancerPolicy
- - elasticloadbalancing:DeleteTargetGroup
+ - elasticloadbalancing:Delete*
 - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
 - elasticloadbalancing:DetachLoadBalancerFromSubnets
 - elasticloadbalancing:DisableAvailabilityZonesForLoadBalancer
@@ -180,8 +175,7 @@ Statement:
 - elasticloadbalancing:RemoveTags
 - elasticloadbalancing:RegisterInstancesWithLoadBalancer
 - elasticloadbalancing:RegisterTargets
- - elasticloadbalancing:SetLoadBalancerPoliciesForBackendServer
- - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
+ - elasticloadbalancing:SetLoadBalancer*
 - elasticloadbalancing:SetSecurityGroups
 - elasticloadbalancing:SetWebACL
 Resource:
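Review bot: `elasticloadbalancing:CreateLoadBalancer*` at `@@ -131,7 +131,7 @@` now also matches `CreateLoadBalancerListeners` and `CreateLoadBalancerPolicy`, the two entries the next hunk removes from the statement around line 165, so those calls are now evaluated against this statement's Resource list rather than the one they were removed from. Only the ec2 volume ARN of that list is visible here; confirm the remaining entries cover the load-balancer ARNs those two calls act on, otherwise the move is a silent loss of permission that only shows up as a test failure. A one-line comment beside the wildcard, `# CreateLoadBalancer* also covers CreateLoadBalancerListeners and CreateLoadBalancerPolicy`, would make the dependency visible to the next editor of either statement.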
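Review bot: `elasticloadbalancing:Delete*` at `@@ -165,13 +165,8 @@` is broader than the four entries it replaces: it also matches `DeleteRule` and `DeleteListener`, which the second patch grants in the separate statement around line 111 (presumably under a different Resource scope), and it will absorb any Delete action the ELB API adds later without anyone revisiting this policy. Keeping the grant explicit costs two lines, `- elasticloadbalancing:DeleteLoadBalancer*` and `- elasticloadbalancing:DeleteTargetGroup`, and still collapses the three `DeleteLoadBalancer…` entries the review asked to shorten. The statement's Resource list is outside this hunk.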
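Review bot: `elasticloadbalancing:SetLoadBalancer*` at `@@ -180,8 +175,7 @@` matches more than the two `SetLoadBalancerPolicies…` entries it replaces; in the Classic ELB API it also covers `SetLoadBalancerListenerSSLCertificate`, which swaps the TLS certificate served by a listener and was not granted in this statement before. If only the policy calls are needed, `- elasticloadbalancing:SetLoadBalancerPolicies*` keeps the shortening without the extra grant. The `Resource:` key on the hunk's last line continues outside the hunk, so the scope these actions apply to is not visible here.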