# clouds: AWS
---
# Smoke-test fixture for the IAM provisioning tool: roles, users, groups and
# a VPC declared in the tool's own schema, plus a few raw IAM policy documents.
# Everything below is literal fixture data; none of it is templated.
appname: smoketest

roles:
  - name: somerole
    # Trust policy: the EC2 service principal may assume this role.
    can_assume:
      - entity_id: ec2.amazonaws.com
        entity_type: service
    # Managed policies attached by name or by full ARN. AmazonRDSFullAccess is a
    # broad AWS-managed policy; it is attached here only because this is a fixture.
    import:
      - AmazonLexReadOnly
      - arn:aws:iam::aws:policy/AmazonRDSFullAccess
    # Tool-native policy: permissions + targets, expanded by the tool.
    policies:
      - name: a_basic_policy
        permissions:
          - ec2:CreateSnapshot
        targets:
          - identifier: thing1
            type: user
    # Raw IAM policy documents, keyed by the inline policy name.
    iam_policies:
      - CloudWatch_Logs:
          Version: '2012-10-17'
          Statement:
            - Sid: Stmt1406256819000
              Effect: Allow
              Action:
                - logs:CreateLogGroup
                - logs:CreateLogStream
                - logs:DeleteRetentionPolicy
                - logs:DescribeLogGroups
                - logs:DescribeLogStreams
                - logs:DescribeMetricFilters
                - logs:GetLogEvents
                - logs:PutLogEvents
                - logs:PutMetricFilter
                - logs:PutRetentionPolicy
                - logs:TestMetricFilter
              # '*' matches every log group/stream in the account; quoted so the
              # bare '*' is not read as a YAML alias.
              Resource:
                - '*'
      - Snapshots_and_Tags:
          Version: '2012-10-17'
          Statement:
            - Sid: Stmt1385828567000
              Effect: Allow
              Action:
                - ec2:CreateSnapshot
                - ec2:DeleteSnapshot
                - ec2:DescribeSnapshotAttribute
                - ec2:DescribeSnapshots
                - ec2:DescribeTags
                - ec2:DescribeInstanceAttribute
                - ec2:DescribeInstanceStatus
                - ec2:DescribeInstances
                - ec2:CreateTags
                - ec2:DescribeVolumes
                - ec2:DescribeVolumeAttribute
                - ec2:DescribeVolumeStatus
                - ec2:ModifySnapshotAttribute
              # Scalar form here, list form above: both are valid IAM and are
              # kept as written so the parsed fixture is unchanged.
              Resource: '*'

  - name: somepolicies
    # bare_policies: true — presumably emits only the policy documents without
    # a role; confirm against the tool's schema.
    bare_policies: true
    iam_policies:
      - AllowCertListing:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: acm:ListCertificates
              Resource: '*'

  - name: assume_condition_test
    # Web-identity trust: Cognito may assume the role only when the token's
    # audience (the :aud claim) equals the identity pool id listed below.
    can_assume:
      - assume_method: web
        conditions:
          - comparison: StringEquals
            variable: cognito-identity.amazonaws.com:aud
            values:
              - us-east-1:1aba9203-4b68-4bf3-b8ac-06c0335bec6f
        entity_type: federated
        entity_id: cognito-identity.amazonaws.com
    attachable_policies:
      - id: AmazonDynamoDBReadOnlyAccess
      - id: AmazonS3ReadOnlyAccess

  # XXX The policies below hard-code an account id (616552976502) and a VPC id
  # (vpc-29531e4c). They will fail if either the VPC or the account is ever
  # deleted. The implementation should be able to look up Refs here so VPCs
  # and similar ids can be supplied dynamically; logic like this is also hard
  # enough to write that a shortcut should be provided for it.
  - name: restrict_by_vpc_test
    bare_policies: true
    policies:
      # Read-only EC2 discovery plus key-pair and security-group creation,
      # unscoped (target '*').
      - name: restrict_by_vpc_test_0
        permissions:
          - 'ec2:Describe*'
          - ec2:CreateKeyPair
          - ec2:CreateSecurityGroup
          - iam:GetInstanceProfile
          - iam:ListInstanceProfiles
        flag: allow
        targets:
          - identifier: '*'
      # Instance lifecycle actions, limited to instances running the named
      # instance profile.
      # NOTE(review): `conditions` is placed at the policy level (a sibling of
      # `targets`, mirroring an IAM statement's Condition) throughout this
      # role; confirm that placement against the consumer's schema.
      - name: restrict_by_vpc_test_1
        permissions:
          - ec2:RebootInstances
          - ec2:StopInstances
          - ec2:TerminateInstances
          - ec2:StartInstances
          - ec2:AttachVolume
          - ec2:DetachVolume
        flag: allow
        targets:
          - identifier: arn:aws:ec2:us-east-1:616552976502:instance/*
        conditions:
          - comparison: StringEquals
            variable: ec2:InstanceProfile
            values:
              - arn:aws:iam::616552976502:instance-profile/test_role_delete_me
      # RunInstances on the instance resource, same instance-profile condition.
      - name: restrict_by_vpc_test_2
        permissions:
          - ec2:RunInstances
        flag: allow
        targets:
          - identifier: arn:aws:ec2:us-east-1:616552976502:instance/*
        conditions:
          - comparison: StringEquals
            variable: ec2:InstanceProfile
            values:
              - arn:aws:iam::616552976502:instance-profile/test_role_delete_me
      # RunInstances on subnets, only within the one listed VPC.
      - name: restrict_by_vpc_test_3
        permissions:
          - ec2:RunInstances
        flag: allow
        targets:
          - identifier: arn:aws:ec2:us-east-1:616552976502:subnet/*
        conditions:
          - comparison: StringEquals
            variable: ec2:vpc
            values:
              - arn:aws:ec2:us-east-1:616552976502:vpc/vpc-29531e4c
      # RunInstances on the remaining resource types it touches; images and
      # snapshots carry no account id (AWS-owned resources), the rest do.
      - name: restrict_by_vpc_test_4
        permissions:
          - ec2:RunInstances
        flag: allow
        targets:
          - identifier: arn:aws:ec2:us-east-1:616552976502:volume/*
          - identifier: arn:aws:ec2:us-east-1::image/*
          - identifier: arn:aws:ec2:us-east-1::snapshot/*
          - identifier: arn:aws:ec2:us-east-1:616552976502:network-interface/*
          - identifier: arn:aws:ec2:us-east-1:616552976502:key-pair/*
          - identifier: arn:aws:ec2:us-east-1:616552976502:security-group/*
      # Destructive network actions (NACL/route deletion, security-group rule
      # changes and deletion) on target '*'; the ec2:vpc condition is the only
      # thing narrowing them to the one VPC.
      - name: restrict_by_vpc_test_5
        permissions:
          - ec2:DeleteNetworkAcl
          - ec2:DeleteNetworkAclEntry
          - ec2:DeleteRoute
          - ec2:DeleteRouteTable
          - ec2:AuthorizeSecurityGroupEgress
          - ec2:AuthorizeSecurityGroupIngress
          - ec2:RevokeSecurityGroupEgress
          - ec2:RevokeSecurityGroupIngress
          - ec2:DeleteSecurityGroup
        flag: allow
        targets:
          - identifier: '*'
        conditions:
          - comparison: StringEquals
            variable: ec2:vpc
            values:
              - arn:aws:ec2:us-east-1:616552976502:vpc/vpc-29531e4c

users:
  - name: thing1
    tags:
      - key: thisisatag
        value: thisisatagvalue
    groups:
      - developers
      - impliedgroup
      - declaredawsgroup
    # Both credential types are requested for this fixture user; presumably
    # the tool creates a console login and an access key — confirm.
    create_console_password: true
    create_api_key: true
    raw_policies:
      - Thing1CertListing:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action: acm:ListCertificates
              Resource: '*'

groups:
  - name: admin
    members:
      - thing1
  - name: declaredgroup
    # purge_extra_members: true — presumably removes any existing member not
    # listed below; confirm against the tool's schema.
    purge_extra_members: true
    members:
      - john.stange@eglobaltech.com
    raw_policies:
      - S3_List_Get_Objects:
          Version: '2012-10-17'
          Statement:
            - Effect: Allow
              Action:
                - s3:GetObject
                - s3:ListBucket
                - s3:ListAllMyBuckets
              Resource:
                - '*'

vpcs:
  - name: flowlogtest
    enable_traffic_logging: true