From 12d5cf6a6a5b12305b704318152cd5e5a09b4a55 Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Mon, 10 Jan 2022 13:10:37 +0100
Subject: [PATCH 1/3] Add policy for rds_export_task

Signed-off-by: Alina Buzachis
---
 aws/policy/security-services.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index ad82247c..99da2ef1 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
@@ -150,6 +150,7 @@ Statement:
 - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
 # This is hard coded into DMS...
 - 'arn:aws:iam::{{ aws_account_id }}:role/dms-vpc-role'
+ - 'arn:aws:sts::{{ aws_account_id }}:role/rds_export_task'
 # This allows AWS Services to autmatically create their Default Service Linked Roles
 # These have fixed policies and can only be assumed by the service itself.
 - Sid: AllowServiceLinkedRoleCreation

From 5852a02c118d82395cd52e0338fe2cf6b55d252a Mon Sep 17 00:00:00 2001
From: Alina Buzachis
Date: Fri, 14 Jan 2022 11:50:53 +0100
Subject: [PATCH 2/3] Add policies for start and cancel export task

Signed-off-by: Alina Buzachis
---
 aws/policy/data-services.yaml | 3 +++
 aws/policy/security-services.yaml | 2 +-
 2 files changed, 4 insertions(+), 1 deletion(-)

diff --git a/aws/policy/data-services.yaml b/aws/policy/data-services.yaml
index 53eb16f7..2326440c 100644
--- a/aws/policy/data-services.yaml
+++ b/aws/policy/data-services.yaml
@@ -98,6 +98,9 @@ Statement:
 - rds:DeleteOptionGroup
 - rds:CreateDBSnapshot
 - rds:DeleteDBSnapshot
+ - rds:DescribeExportTasks
+ - rds:StartExportTask
+ - rds:CancelExportTask
 Resource:
 - 'arn:aws:dms:{{ aws_region }}:{{ aws_account_id }}:subgrp:*'
 - 'arn:aws:dynamodb:{{ aws_region }}:{{ aws_account_id }}:table/*'
diff --git a/aws/policy/security-services.yaml b/aws/policy/security-services.yaml
index 99da2ef1..a0a1622f 100644
--- a/aws/policy/security-services.yaml
+++ b/aws/policy/security-services.yaml
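Review bot: `rds:DescribeExportTasks` and `rds:CancelExportTask`, added next to `rds:StartExportTask` in the data-services hunk, are listed in the RDS service authorization reference without any resource type, which means they are only granted by a statement whose Resource includes `'*'`; the visible part of this statement's Resource list is ARN-scoped (`dms:…:subgrp:*`, `dynamodb:…:table/*`) and the rest is outside the hunk, so confirm a wildcard entry exists there or move those two actions into a `Resource: '*'` statement. `rds:StartExportTask` is resource-scoped to the snapshot or cluster snapshot being exported, so the snapshot ARN pattern the existing `rds:CreateDBSnapshot` already depends on should cover it. The enclosing Statement starts and ends outside the hunk.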
@@ -150,7 +150,7 @@ Statement:
 - 'arn:aws:iam::{{ aws_account_id }}:role/ansible-test-*'
 # This is hard coded into DMS...
 - 'arn:aws:iam::{{ aws_account_id }}:role/dms-vpc-role'
- - 'arn:aws:sts::{{ aws_account_id }}:role/rds_export_task'
+ - 'arn:aws:iam::{{ aws_account_id }}:role/rds_export_task'
 # This allows AWS Services to autmatically create their Default Service Linked Roles
 # These have fixed policies and can only be assumed by the service itself.
 - Sid: AllowServiceLinkedRoleCreation

From 3a2fa66a50138ca3c298a52e629b0c63aa8e11b2 Mon Sep 17 00:00:00 2001
From: Mandar Kulkarni
Date: Thu, 27 Jan 2022 16:40:28 -0800
Subject: [PATCH 3/3] Add permissions to create and delete ec2 placement group

---
 aws/policy/compute.yaml | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/aws/policy/compute.yaml b/aws/policy/compute.yaml
index a7216967..a9c1bb08 100644
--- a/aws/policy/compute.yaml
+++ b/aws/policy/compute.yaml
@@ -65,11 +65,13 @@ Statement:
 - ec2:CreateKeyPair
 - ec2:CreateLaunchTemplate
 - ec2:CreateLaunchTemplateVersion
+ - ec2:CreatePlacementGroup
 - ec2:CreateSnapshot
 - ec2:CreateTags
 - ec2:DeleteKeyPair
 - ec2:DeleteLaunchTemplate
 - ec2:DeleteLaunchTemplateVersions
+ - ec2:DeletePlacementGroup
 - ec2:DeleteSnapshot
 - ec2:DeleteTags
 - ec2:DeregisterImage
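Review bot: The corrected `role/rds_export_task` entry is a fixed role name but, unlike the neighbouring `dms-vpc-role` line, carries no comment explaining why that exact name is hard-coded into the policy; a one-line `# Role name expected by the rds_export_task integration tests` above it would keep the block's convention (presumably that is what the name refers to — confirm against the tests that create the role). The statement's Sid and Action list are outside the hunk, so whether this is the PassRole statement cannot be seen from here. The enclosing Statement starts and ends outside the hunk.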
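Review bot: `ec2:CreatePlacementGroup` and `ec2:DeletePlacementGroup` are authorized against the `placement-group` resource type, so if this statement's Resource list (outside the hunk) enumerates EC2 ARNs by type rather than granting `'*'`, it also needs `'arn:aws:ec2:{{ aws_region }}:{{ aws_account_id }}:placement-group/*'` for the two new actions to take effect. Confirm against the Resource block before merging. The enclosing Statement starts and ends outside the hunk.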