Create IAM policy to manipulate ASG processes (#542)

* Need to check if is_local is defined in webserver meta dependencies. (#522)

* Ce dev refactor pr 1.x (#518)

* Making it easier to test with provision-target and ce-dev.

* Moving the provision forcing var back to plays so _init has it.

* Adding defaults vars and test script extra options.

* Adding a web server test to CI.

* examples string needs to be in quotes.

* Making sure is_local and _ce_provision_force_play are available to the _init role.

* Adding SSH keys to the provision user.

* Adding a --force to the test script.

* Explicitly adding vars to role.

* Fixing _init behaviour and adding SSH key for web role.

* Setting default PHP version to 7.4.

* Looking up the generated ce-dev SSH key instead of hard-coding one.

* We cannot run the ssh_server role locally, so excluding for tests of webserver role.

* Trying to remove user_root.yml in case it's breaking CI.

* Adding a verbose mode to the test script.

* Exposing the command in the test script.

* Trying hard-coded keys again.

* Changing location of data dir for test containers.

* Putting vars back and restricting CI to the 'web' example.

* Adding backup handling to ldap_server. (#525)

* Adding backup handling to ldap_server.

* Improving SSL docs and handling perms for openldap and letsencrypt.

* Cron user must be specified with file.

* Running as root, do not need a 'sudo' in this cron.

* Allowing 'gitLab' to disable Prometheus. (#530)

* Allowing 'gitLab' to disable Prometheus.

* Booleans to use in jinja2 as strings must be cast as strings.

* GitHub Actions - Rebuilt documentation. (#526)

Co-authored-by: Code Enigma CI <sysadm@codeenigma.com>

* Prometheus pr 1.x (#533)

* Allowing 'gitLab' to disable Prometheus.

* Booleans to use in jinja2 as strings must be cast as strings.

* Tidying up CI and adding a GitLab test.

* Fixing CI job description.

* Add private files support for Drupal in Nginx. (#535)

* Prometheus pr 1.x (#539)

* Allowing 'gitLab' to disable Prometheus.

* Booleans to use in jinja2 as strings must be cast as strings.

* Tidying up CI and adding a GitLab test.

* Fixing CI job description.

* Adding a firewall config preset to open port 80 for LetsEncrypt.

* Create IAM policy to manage ASG processes and add it to deploy user.

* ce_deploy IAM policy creation needs to be run on the infra server running the playbook.

Co-authored-by: Greg Harvey <greg.harvey@gmail.com>
Co-authored-by: github-actions[bot] <41898282+github-actions[bot]@users.noreply.github.com>
Co-authored-by: Code Enigma CI <sysadm@codeenigma.com>

Author: 4 people

roles/ce_deploy/defaults/main.yml

@@ -9,5 +9,6 @@ ce_deploy:
   config_repository: ""
   config_repository_branch: "master"
   local_dir: "/home/{{ _ce_deploy.username }}/ce-deploy"
+  asg_processes_policy_name: "DeployManageASGProcesses"
   # List of additional groups to add the user to.
   groups: []

roles/ce_deploy/tasks/main.yml

@@ -122,3 +122,18 @@
     state: directory
     owner: "{{ ce_deploy.username }}"
     recurse: true
+
+- name: Gather AWS account ID if it isn't already set.
+  amazon.aws.aws_caller_info:
+    profile: "{{ _aws_profile }}"
+  delegate_to: localhost
+  register: _deploy_caller_info
+
+- name: Create IAM policy for deploy user
+  community.aws.iam_policy:
+    iam_type: user
+    iam_name: "{{ ce_deploy.username }}"
+    policy_name: "{{ ce_deploy.asg_processes_policy_name }}"
+    policy_json: "{{ lookup('template', 'asg_processes.json.j2') }}"
+    state: present
+  delegate_to: localhost

roles/ce_deploy/templates/asg_processes.json.j2

@@ -0,0 +1,23 @@
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Sid": "VisualEditor0",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:ResumeProcesses",
+                "autoscaling:SuspendProcesses"
+            ],
+            "Resource": "arn:aws:autoscaling:*:{{ _deploy_caller_info.account }}:autoScalingGroup:*:autoScalingGroupName/*"
+        },
+        {
+            "Sid": "VisualEditor1",
+            "Effect": "Allow",
+            "Action": [
+                "autoscaling:DescribeScalingProcessTypes",
+                "autoscaling:DescribeAutoScalingGroups"
+            ],
+            "Resource": "*"
+        }
+    ]
+}