Remove ECS policies from AWS compute policy

The compute policy was exceeding maximum size and contained policies that already exist in ecs-policy. Look up suitable AMIs rather than hardcode We don't want to maintain multiple image IDs for multiple regions so use ec2_ami_facts to set a suitable image ID Improve exception handling
2025-07-22 04:40:22 -07:00 · 2018-06-06 19:48:00 +10:00 · 2018-06-06 19:48:00 +10:00 · a60fe1946c
commit a60fe1946c
parent fbcd6f8a65
4 changed files with 15 additions and 57 deletions
--- a/hacking/aws_config/testing_policies/compute-policy.json
+++ b/hacking/aws_config/testing_policies/compute-policy.json
@ -109,29 +109,6 @@
                "arn:aws:ec2:{{aws_region}}:{{aws_account}}:*"
            ]
        },
-        {
-            "Sid": "UnspecifiedCodeRepositories",
-            "Effect": "Allow",
-            "Action": [
-                "ecr:DescribeRepositories",
-                "ecr:CreateRepository"
-            ],
-            "Resource": "*"
-        },
-        {
-            "Sid": "SpecifiedCodeRepositories",
-            "Effect": "Allow",
-            "Action": [
-                "ecr:GetRepositoryPolicy",
-                "ecr:SetRepositoryPolicy",
-                "ecr:DeleteRepository",
-                "ecr:DeleteRepositoryPolicy",
-                "ecr:DeleteRepositoryPolicy"
-            ],
-            "Resource": [
-                "arn:aws:ecr:{{aws_region}}:{{aws_account}}:repository/ansible-*"
-            ]
-        },
 {# According to http://docs.aws.amazon.com/elasticloadbalancing/latest/userguide/load-balancer-authentication-access-control.html #}
 {# Resource level access control is not possible for the new ELB API (providing Application Load Balancer functionality #}
 {# While it remains possible for the old API, there is no distinction of the Actions between old API and new API #}
@ -238,29 +215,6 @@
                "arn:aws:iam::{{aws_account}}:role/ecsServiceRole"
            ]
        },
-        {
-          "Sid": "AllowECSManagement",
-          "Effect": "Allow",
-          "Action": [
-            "application-autoscaling:Describe*",
-            "application-autoscaling:PutScalingPolicy",
-            "application-autoscaling:RegisterScalableTarget",
-            "cloudwatch:DescribeAlarms",
-            "cloudwatch:PutMetricAlarm",
-            "ecs:CreateCluster",
-            "ecs:CreateService",
-            "ecs:DeleteCluster",
-            "ecs:DeleteService",
-            "ecs:Describe*",
-            "ecs:DeregisterTaskDefinition",
-            "ecs:List*",
-            "ecs:RegisterTaskDefinition",
-            "ecs:UpdateService"
-          ],
-          "Resource": [
-            "*"
-          ]
-        },
        {
          "Sid": "AllowSESManagement",
          "Effect": "Allow",