diff --git a/aws-govcloud/iam-policies/avicontroller-asg-policy.json b/aws-govcloud/iam-policies/avicontroller-asg-policy.json
new file mode 100644
index 00000000..d2fde5ea
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-asg-policy.json
@@ -0,0 +1,15 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DescribeAutoScalingGroups",
+ "autoscaling:DescribeAutoScalingInstances",
+ "autoscaling:DescribeLaunchConfigurations"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-ec2-policy.json b/aws-govcloud/iam-policies/avicontroller-ec2-policy.json
new file mode 100644
index 00000000..623bd257
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-ec2-policy.json
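Review bot: The statement Sid is the console's auto-generated `VisualEditor0`, which tells a later auditor nothing about why this statement exists; a descriptive Sid such as `"Sid": "ReadAutoScalingGroups"` would be more useful, and the same applies to the `VisualEditorN` Sids in every other policy file of this commit. The Describe-only actions on `"Resource": "*"` look appropriate here, since as far as I know these autoscaling Describe calls do not support resource-level restriction.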
@@ -0,0 +1,99 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteTags",
+ "ec2:RebootInstances",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:StartInstances",
+ "ec2:StopInstances",
+ "ec2:TerminateInstances",
+ "ec2:RevokeSecurityGroupEgress"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/AVICLOUD_UUID": "*"
+ }
+ }
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:DeleteSnapshot",
+ "ec2:ModifySnapshotAttribute"
+ ],
+ "Resource": "*",
+ "Condition": {
+ "StringLike": {
+ "ec2:ResourceTag/avicloud_uuid": "*"
+ }
+ }
+ },
+ {
+ "Sid": "VisualEditor2",
+ "Effect": "Allow",
+ "Action": [
+ "ec2:AllocateAddress",
+ "ec2:AssignPrivateIpAddresses",
+ "ec2:AssociateAddress",
+ "ec2:AttachNetworkInterface",
+ "ec2:CancelConversionTask",
+ "ec2:CancelImportTask",
+ "ec2:CopyImage",
+ "ec2:CreateNetworkInterface",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeregisterImage",
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeConversionTasks",
+ "ec2:DescribeImageAttribute",
+ "ec2:DescribeImages",
+ "ec2:DescribeImportSnapshotTasks",
+ "ec2:DescribeInstanceAttribute",
+ "ec2:DescribeInstanceStatus",
+ "ec2:DescribeInstances",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNetworkAcls",
+ "ec2:DescribeNetworkInterfaceAttribute",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRegions",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSnapshotAttribute",
+ "ec2:DescribeSnapshots",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeTags",
+ "ec2:DescribeVolumeAttribute",
+ "ec2:DescribeVolumes",
+ "ec2:DescribeVpcAttribute",
+ "ec2:DescribeVpcs",
+ "ec2:DetachNetworkInterface",
+ "ec2:DisassociateAddress",
+ "ec2:GetConsoleOutput",
+ "ec2:ImportSnapshot",
+ "ec2:ModifyImageAttribute",
+ "ec2:ModifyInstanceAttribute",
+ "ec2:ModifyNetworkInterfaceAttribute",
+ "ec2:RegisterImage",
+ "ec2:ReleaseAddress",
+ "ec2:ResetImageAttribute",
+ "ec2:ResetInstanceAttribute",
+ "ec2:ResetNetworkInterfaceAttribute",
+ "ec2:ResetSnapshotAttribute",
+ "ec2:RunInstances",
+ "ec2:UnassignPrivateIpAddresses"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-iam-policy.json b/aws-govcloud/iam-policies/avicontroller-iam-policy.json
new file mode 100644
index 00000000..660dd401
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-iam-policy.json
@@ -0,0 +1,44 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetPolicy",
+ "iam:GetPolicyVersion",
+ "iam:ListPolicyVersions"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:iam::*:role/AviController-Refined-Role",
+ "arn:aws-us-gov:iam::*:policy/AviController*"
+ ]
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "iam:GetInstanceProfile",
+ "iam:GetRole",
+ "iam:GetRolePolicy",
+ "iam:ListAttachedRolePolicies",
+ "iam:ListRolePolicies"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:iam::*:instance-profile/AviController-Refined-Role",
+ "arn:aws-us-gov:iam::*:policy/AviController*",
+ "arn:aws-us-gov:iam::*:role/vmimport",
+ "arn:aws-us-gov:iam::*:role/AviController-Refined-Role"
+ ]
+ },
+ {
+ "Sid": "VisualEditor2",
+ "Effect": "Allow",
+ "Action": [
+ "iam:ListPolicies",
+ "iam:ListRoles"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-kms-policy.json b/aws-govcloud/iam-policies/avicontroller-kms-policy.json
new file mode 100644
index 00000000..6be7b693
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-kms-policy.json
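Review bot: The tag key in the two guarded statements is spelled differently — `"ec2:ResourceTag/AVICLOUD_UUID"` in VisualEditor0 and `"ec2:ResourceTag/avicloud_uuid"` in VisualEditor1 — and EC2 tag keys are case-sensitive, so unless the controller really writes both spellings one of these conditions will never match; both should use the key the controller actually applies. Separately, the tag condition on the instance/security-group mutations is undercut by `"ec2:CreateTags"` on `"Resource": "*"` with no condition in VisualEditor2: whatever this role can tag becomes eligible for the terminate/delete statement, so consider limiting CreateTags with `"ec2:CreateAction"` (tag-on-create only) or `"aws:RequestTag/AVICLOUD_UUID"` so only the controller's own resources can be brought under the guarded statement. `"StringLike": "*"` on the tag is effectively "tag key is present", which is presumably intended but worth a short comment in the accompanying README, since JSON policy files cannot carry one.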
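Review bot: VisualEditor0 pairs `"iam:GetPolicy"`, `"iam:GetPolicyVersion"` and `"iam:ListPolicyVersions"` with a `role/...` ARN, and VisualEditor1 pairs the role/instance-profile actions with `"arn:aws-us-gov:iam::*:policy/AviController*"`; as far as I know the policy actions only evaluate against `policy/` resources and the role actions against `role/` and `instance-profile/` resources, so the cross-listed ARNs are inert and make the intended scope harder to read. I would drop the role ARN from VisualEditor0 and the policy ARN from VisualEditor1 and verify the result against the IAM policy simulator. `"Resource": "*"` for `"iam:ListPolicies"`/`"iam:ListRoles"` is expected, as those list actions do not take a resource ARN.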
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "kms:CreateGrant",
+ "kms:Decrypt",
+ "kms:DescribeKey",
+ "kms:GenerateDataKey",
+ "kms:GenerateDataKeyWithoutPlaintext",
+ "kms:ReEncryptFrom",
+ "kms:ReEncryptTo"
+ ],
+ "Resource": "arn:aws-us-gov:kms:*:*:key/*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "kms:ListAliases",
+ "kms:ListKeys"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-kms-vmimport.json b/aws-govcloud/iam-policies/avicontroller-kms-vmimport.json
new file mode 100644
index 00000000..91f2738c
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-kms-vmimport.json
@@ -0,0 +1,11 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": "kms:Decrypt",
+ "Resource": "arn:aws-us-gov:kms:*:*:key/*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-r53-policy.json b/aws-govcloud/iam-policies/avicontroller-r53-policy.json
new file mode 100644
index 00000000..e108c22d
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-r53-policy.json
@@ -0,0 +1,28 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "route53:ChangeResourceRecordSets",
+ "route53:ListResourceRecordSets"
+ ],
+ "Resource": [
+ "arn:aws-us-gov:route53:::hostedzone/*"
+ ]
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "route53:GetChange",
+ "route53:GetHostedZone",
+ "route53:GetHostedZoneCount",
+ "route53:ListHostedZones",
+ "route53:ListHostedZonesByName"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-role-trust.json b/aws-govcloud/iam-policies/avicontroller-role-trust.json
new file mode 100644
index 00000000..87c7d7c4
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-role-trust.json
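Review bot: `"Resource": "arn:aws-us-gov:kms:*:*:key/*"` in VisualEditor0 grants `kms:Decrypt`, `kms:GenerateDataKey` and `kms:CreateGrant` on every key in every region and account, bounded only by whatever each key policy happens to allow; the same `key/*` pattern is used for `kms:Decrypt` in the avicontroller-kms-vmimport.json hunk below. If the controller only needs the CMK used for SE volumes and imported snapshots, list that key ARN (or an `"aws:ResourceTag/<tag-key>"` condition on the key, tag key to be chosen by the deployer) instead of `key/*`. For `kms:CreateGrant` in particular, the usual EBS-encryption pattern is to add `"Condition": {"Bool": {"kms:GrantIsForAWSResource": "true"}}` so the role can only create grants on behalf of an AWS service rather than arbitrary grants.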
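Review bot: VisualEditor0 of the r53 policy allows `"route53:ChangeResourceRecordSets"` on `"arn:aws-us-gov:route53:::hostedzone/*"`, i.e. the controller can rewrite any record in any hosted zone of the account, not only the zones it publishes virtual-service names into. Route 53 has no tag condition for this action, so the practical options are listing the specific `hostedzone/<ID>` ARNs the deployment uses (deployer-supplied) and/or adding the `route53:ChangeResourceRecordSetsRecordTypes` / `route53:ChangeResourceRecordSetsActions` condition keys to restrict the change to the record types and operations the controller actually performs. A comment in the accompanying README explaining why a wildcard zone is needed, if it is, would make the choice auditable.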
@@ -0,0 +1,12 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Principal": {
+ "Service": "ec2.amazonaws.com"
+ },
+ "Action": "sts:AssumeRole"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-s3-policy.json b/aws-govcloud/iam-policies/avicontroller-s3-policy.json
new file mode 100644
index 00000000..45efddd5
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-s3-policy.json
@@ -0,0 +1,37 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": "s3:ListAllMyBuckets",
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "s3:CreateBucket",
+ "s3:DeleteBucket",
+ "s3:GetBucketLocation",
+ "s3:GetBucketTagging",
+ "s3:ListBucket",
+ "s3:ListBucketMultipartUploads",
+ "s3:PutBucketTagging"
+ ],
+ "Resource": "arn:aws-us-gov:s3:::avi-se-*"
+ },
+ {
+ "Sid": "VisualEditor2",
+ "Effect": "Allow",
+ "Action": [
+ "s3:AbortMultipartUpload",
+ "s3:DeleteObject",
+ "s3:ListMultipartUploadParts",
+ "s3:GetObject",
+ "s3:PutObject"
+ ],
+ "Resource": "arn:aws-us-gov:s3:::avi-se-*/*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/avicontroller-sqs-sns-policy.json b/aws-govcloud/iam-policies/avicontroller-sqs-sns-policy.json
new file mode 100644
index 00000000..c3195408
--- /dev/null
+++ b/aws-govcloud/iam-policies/avicontroller-sqs-sns-policy.json
@@ -0,0 +1,66 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Sid": "VisualEditor0",
+ "Effect": "Allow",
+ "Action": [
+ "autoscaling:DeleteNotificationConfiguration",
+ "autoscaling:DescribeNotificationConfigurations",
+ "autoscaling:PutNotificationConfiguration",
+ "autoscaling:UpdateAutoScalingGroup"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor1",
+ "Effect": "Allow",
+ "Action": [
+ "sqs:AddPermission",
+ "sqs:CreateQueue",
+ "sqs:DeleteQueue",
+ "sqs:DeleteMessage",
+ "sqs:DeleteMessageBatch",
+ "sqs:GetQueueAttributes",
+ "sqs:GetQueueUrl",
+ "sqs:ListQueueTags",
+ "sqs:PurgeQueue",
+ "sqs:ReceiveMessage",
+ "sqs:SetQueueAttributes",
+ "sqs:TagQueue",
+ "sqs:UntagQueue"
+ ],
+ "Resource": "arn:aws-us-gov:sqs:*:*:avi-sqs-cloud-*"
+ },
+ {
+ "Sid": "VisualEditor2",
+ "Effect": "Allow",
+ "Action": "sns:Subscribe",
+ "Resource": "arn:aws-us-gov:sns:*:*:avi-asg-cloud-*"
+ },
+ {
+ "Sid": "VisualEditor3",
+ "Effect": "Allow",
+ "Action": [
+ "sns:ListTopics",
+ "sns:GetSubscriptionAttributes",
+ "sns:Unsubscribe"
+ ],
+ "Resource": "*"
+ },
+ {
+ "Sid": "VisualEditor4",
+ "Effect": "Allow",
+ "Action": [
+ "sns:ConfirmSubscription",
+ "sns:CreateTopic",
+ "sns:DeleteTopic",
+ "sns:GetTopicAttributes",
+ "sns:ListSubscriptionsByTopic",
+ "sns:Publish",
+ "sns:SetTopicAttributes"
+ ],
+ "Resource": "arn:aws-us-gov:sns:*:*:avi-asg-cloud-*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/vmimport-role-policy.json b/aws-govcloud/iam-policies/vmimport-role-policy.json
new file mode 100644
index 00000000..aa25e59c
--- /dev/null
+++ b/aws-govcloud/iam-policies/vmimport-role-policy.json
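Review bot: VisualEditor0 grants `"autoscaling:UpdateAutoScalingGroup"`, `"autoscaling:PutNotificationConfiguration"` and `"autoscaling:DeleteNotificationConfiguration"` on `"Resource": "*"`, which lets the controller reconfigure every Auto Scaling group in the account, whereas the SQS and SNS statements in the same file are carefully scoped to `avi-sqs-cloud-*` / `avi-asg-cloud-*`. These autoscaling write actions do support resource-level permissions, so they could be limited to the group ARNs the deployment uses or, more practically, given a condition such as `"Condition": {"StringLike": {"autoscaling:ResourceTag/<tag-key>": "*"}}` keyed on whichever tag marks the groups the controller manages (tag key to be supplied by the deployer). `DescribeNotificationConfigurations` is read-only and can stay on `*`.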
@@ -0,0 +1,30 @@
+{
+ "Version": "2012-10-17",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetBucketLocation",
+ "s3:ListBucket"
+ ],
+ "Resource": "arn:aws-us-gov:s3:::avi-se-*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "s3:GetObject"
+ ],
+ "Resource": "arn:aws-us-gov:s3:::avi-se-*/*"
+ },
+ {
+ "Effect": "Allow",
+ "Action": [
+ "ec2:ModifySnapshotAttribute",
+ "ec2:CopySnapshot",
+ "ec2:RegisterImage",
+ "ec2:Describe*"
+ ],
+ "Resource": "*"
+ }
+ ]
+}
diff --git a/aws-govcloud/iam-policies/vmimport-role-trust.json b/aws-govcloud/iam-policies/vmimport-role-trust.json
new file mode 100644
index 00000000..b1a7868c
--- /dev/null
+++ b/aws-govcloud/iam-policies/vmimport-role-trust.json
@@ -0,0 +1,18 @@
+{
+ "Version":"2012-10-17",
+ "Statement":[
+ {
+ "Sid":"",
+ "Effect":"Allow",
+ "Principal":{
+ "Service":"vmie.amazonaws.com"
+ },
+ "Action":"sts:AssumeRole",
+ "Condition":{
+ "StringEquals":{
+ "sts:ExternalId":"vmimport"
+ }
+ }
+ }
+ ]
+}
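Review bot: The formatting of these two files differs from the rest of the commit: the vmimport-role-policy statements carry no `Sid` at all, and vmimport-role-trust.json uses `"Version":"2012-10-17"` with no space after the colons plus an empty `"Sid":""`, while every other file has spaced colons and a `Sid` per statement. Running all of the policy files through one formatter (for example `jq .`) and giving each statement a short descriptive Sid would keep the directory consistent and make diffs easier to review. The `sts:ExternalId` condition on the vmie.amazonaws.com trust is the expected pattern for the VM Import service role and looks correct.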