Merge pull request #23 from ibm-client-engineering/adam-updates

Updates to cluster-sts, role yamls, installation.
ibm-client-engineering · Mar 14, 2024 · e5226e3 · e5226e3
2 parents b80e755 + 564ee7b
commit e5226e3
Show file tree

Hide file tree

Showing 5 changed files with 230 additions and 12 deletions.
diff --git a/...ts/Cloudformation/LambdaExecutionRole.yml → ...s/Cloudformation/LambdaExecutionRole.yaml b/...ts/Cloudformation/LambdaExecutionRole.yml → ...s/Cloudformation/LambdaExecutionRole.yaml
diff --git a/assets/Cloudformation/OCPCloudformRole.yaml b/assets/Cloudformation/OCPCloudformRole.yaml
@@ -0,0 +1,208 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: A CloudFormation template that creates an IAM role with specified permissions.
+Outputs:
+  RoleARN:
+    Description: The ARN of the custom role
+    Value:
+      Fn::GetAtt:
+      - CustomRole
+      - Arn
+Resources:
+  CustomRole:
+    Properties:
+      AssumeRolePolicyDocument:
+        Statement:
+        - Action: sts:AssumeRole
+          Effect: Allow
+          Principal:
+            Service: ec2.amazonaws.com
+        Version: '2012-10-17'
+      Policies:
+      - PolicyDocument:
+          Statement:
+          - Action:
+              - ec2:AuthorizeSecurityGroupEgress
+              - ec2:AuthorizeSecurityGroupIngress
+              - ec2:CreateNetworkInterface
+              - ec2:AttachNetworkInterface
+              - ec2:CreateSecurityGroup
+              - ec2:CreateTags
+              - ec2:CreateVolume
+              - ec2:DeleteSecurityGroup
+              - ec2:DeleteSnapshot
+              - ec2:DeleteTags
+              - ec2:DescribeAccountAttributes
+              - ec2:DescribeAddresses
+              - ec2:DescribeAvailabilityZones
+              - ec2:DescribeDhcpOptions
+              - ec2:DescribeImages
+              - ec2:DescribeInstanceAttribute
+              - ec2:DescribeInstanceCreditSpecifications
+              - ec2:DescribeInstances
+              - ec2:DescribeInstanceTypes
+              - ec2:DescribeInternetGateways
+              - ec2:DescribeKeyPairs
+              - ec2:DescribeNatGateways
+              - ec2:DescribeNetworkAcls
+              - ec2:DescribeNetworkInterfaces
+              - ec2:DescribePrefixLists
+              - ec2:DescribeRegions
+              - ec2:DescribeRouteTables
+              - ec2:DescribeSecurityGroups
+              - ec2:DescribeSubnets
+              - ec2:DescribeTags
+              - ec2:DescribeVolumes
+              - ec2:DescribeVpcAttribute
+              - ec2:DescribeVpcClassicLink
+              - ec2:DescribeVpcClassicLinkDnsSupport
+              - ec2:DescribeVpcEndpoints
+              - ec2:DescribeVpcs
+              - ec2:ModifyInstanceAttribute
+              - ec2:ModifyNetworkInterfaceAttribute
+              - ec2:RevokeSecurityGroupEgress
+              - ec2:RevokeSecurityGroupIngress
+              - ec2:RunInstances
+              - ec2:TerminateInstances
+              - ec2:AllocateAddress
+              - elasticloadbalancing:AddTags
+              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
+              - elasticloadbalancing:AttachLoadBalancerToSubnets
+              - elasticloadbalancing:ConfigureHealthCheck
+              - elasticloadbalancing:CreateLoadBalancer
+              - elasticloadbalancing:CreateLoadBalancerListeners
+              - elasticloadbalancing:DeleteLoadBalancer
+              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
+              - elasticloadbalancing:DescribeInstanceHealth
+              - elasticloadbalancing:DescribeLoadBalancerAttributes
+              - elasticloadbalancing:DescribeLoadBalancers
+              - elasticloadbalancing:DescribeTags
+              - elasticloadbalancing:ModifyLoadBalancerAttributes
+              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
+              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
+              - elasticloadbalancing:AddTags
+              - elasticloadbalancing:CreateListener
+              - elasticloadbalancing:CreateLoadBalancer
+              - elasticloadbalancing:CreateTargetGroup
+              - elasticloadbalancing:DeleteLoadBalancer
+              - elasticloadbalancing:DeregisterTargets
+              - elasticloadbalancing:DescribeListeners
+              - elasticloadbalancing:DescribeLoadBalancerAttributes
+              - elasticloadbalancing:DescribeLoadBalancers
+              - elasticloadbalancing:DescribeTargetGroupAttributes
+              - elasticloadbalancing:DescribeTargetHealth
+              - elasticloadbalancing:ModifyLoadBalancerAttributes
+              - elasticloadbalancing:ModifyTargetGroup
+              - elasticloadbalancing:ModifyTargetGroupAttributes
+              - elasticloadbalancing:RegisterTargets
+              - iam:GetInstanceProfile
+              - iam:GetRole
+              - iam:GetRolePolicy
+              - iam:GetUser
+              - iam:ListInstanceProfilesForRole
+              - iam:ListRoles
+              - iam:ListUsers
+              - iam:PassRole
+              - iam:SimulatePrincipalPolicy
+              - route53:ChangeResourceRecordSets
+              - route53:ChangeTagsForResource
+              - route53:CreateHostedZone
+              - route53:DeleteHostedZone
+              - route53:GetChange
+              - route53:GetHostedZone
+              - route53:ListHostedZones
+              - route53:ListHostedZonesByName
+              - route53:ListResourceRecordSets
+              - route53:ListTagsForResource
+              - route53:UpdateHostedZoneComment
+              - s3:CreateBucket
+              - s3:DeleteBucket
+              - s3:GetAccelerateConfiguration
+              - s3:GetBucketAcl
+              - s3:GetBucketCors
+              - s3:GetBucketLocation
+              - s3:GetBucketLogging
+              - s3:GetBucketPolicy
+              - s3:GetBucketObjectLockConfiguration
+              - s3:GetBucketRequestPayment
+              - s3:GetBucketTagging
+              - s3:GetBucketVersioning
+              - s3:GetBucketWebsite
+              - s3:GetEncryptionConfiguration
+              - s3:GetLifecycleConfiguration
+              - s3:GetReplicationConfiguration
+              - s3:ListBucket
+              - s3:PutBucketTagging
+              - s3:PutEncryptionConfiguration
+              - s3:DeleteObject
+              - s3:GetObject
+              - s3:GetObjectAcl
+              - s3:GetObjectTagging
+              - s3:GetObjectVersion
+              - s3:PutObject
+              - s3:PutObjectTagging
+              - autoscaling:DescribeAutoScalingGroups
+              - ec2:DeletePlacementGroup
+              - ec2:DeleteNetworkInterface
+              - ec2:DeleteVolume
+              - elasticloadbalancing:DeleteTargetGroup
+              - elasticloadbalancing:DescribeTargetGroups
+              - iam:ListAttachedRolePolicies
+              - iam:ListInstanceProfiles
+              - iam:ListRolePolicies
+              - iam:ListUserPolicies
+              - s3:DeleteObject
+              - s3:ListBucketVersions
+              - tag:GetResources
+              - ec2:ReleaseAddress
+              - iam:GetUserPolicy
+              - iam:ListAccessKeys
+              - s3:GetBucketPublicAccessBlock
+              - s3:PutLifecycleConfiguration
+              - s3:ListBucket
+              - s3:ListBucketMultipartUploads
+              - s3:AbortMultipartUpload
+              - ec2:DescribeInstanceTypeOfferings
+              - servicequotas:ListAWSDefaultServiceQuotas
+              - secretsmanager:CreateSecret
+              - ssm:PutParameter
+              - ssm:AddTagsToResource
+              - ssm:DeleteParameter
+              - secretsmanager:TagResource
+              - secretsmanager:DeleteSecret
+              - lambda:CreateFunction
+              - lambda:DeleteFunction
+              - lambda:TagResource
+              - lambda:GetFunction
+              - lambda:InvokeFunction
+              - elasticfilesystem:DescribeFileSystems
+              - elasticfilesystem:TagResource
+              - elasticfilesystem:CreateFileSystem
+              - iam:ListOpenIDConnectProviders
+              - iam:GetOpenIDConnectProvider
+              - iam:CreateOpenIDConnectProvider
+              - iam:TagOpenIDConnectProvider
+              - iam:DeleteOpenIDConnectProvider
+              - iam:DeleteRole
+              - iam:DeleteRolePolicy
+              - iam:GetOpenIDConnectProvider
+              - iam:GetRole
+              - iam:GetUser
+              - iam:ListOpenIDConnectProviders
+              - iam:ListRolePolicies
+              - iam:ListRoles
+              - iam:PutRolePolicy
+              - iam:TagOpenIDConnectProvider
+              - iam:TagRole
+              - iam:CreateRole
+              - ec2:GetEbsDefaultKmsKeyId
+              - iam:CreateInstanceProfile
+              - iam:AddRoleToInstanceProfile
+              - iam:RemoveRoleFromInstanceProfile
+              - ec2:GetConsoleOutput
+              - iam:DeleteInstanceProfile
+            Effect: Allow
+            Resource: '*'
+          Version: '2012-10-17'
+        PolicyName: OCPCloudform-policy
+      RoleName: OCPCloudform-role
+    Type: AWS::IAM::Role
diff --git a/assets/Cloudformation/OCPInstall_Role.yaml → assets/Cloudformation/OCPInstallRole.yaml b/assets/Cloudformation/OCPInstall_Role.yaml → assets/Cloudformation/OCPInstallRole.yaml
@@ -203,6 +203,6 @@ Resources:
             Effect: Allow
             Resource: '*'
           Version: '2012-10-17'
-        PolicyName: CustomPolicy
-      RoleName: CustomRole
+        PolicyName: OCPInstall-policy
+      RoleName: OCPInstall-role
     Type: AWS::IAM::Role
diff --git a/assets/Cloudformation/cluster-sts.yml b/assets/Cloudformation/cluster-sts.yml
@@ -502,10 +502,10 @@ Mappings:
   AWSAMIRegionMap:
     us-east-1:
       BootNodeAmiId: ami-0c26d25ec2932e467
-      COREOSAmiId: ami-0b35795bcab04ee70
+      COREOSAmiId: ami-02c49727beec1d0ed
     us-east-2:
       BootNodeAmiId: ami-09a2344bd22fcf787
-      COREOSAmiId: ami-0c17b13bb8b268411
+      COREOSAmiId: ami-00a8ad62bbaede57f
     us-west-1:
       BootNodeAmiId: ami-0186e3fec9b0283ee
       COREOSAmiId: ami-004de02e4e2bba5f2
@@ -587,7 +587,7 @@ Resources:
       Type: String
       Value: !Sub "https://console-openshift-console.apps.${ClusterName}.${DomainName}"
 
-  BootnodeInstancePro le:
+  BootnodeInstanceProfile:
     Type: "AWS::IAM::InstanceProfile"
     Properties:
       Path: "/"

diff --git a/docs/1-GettingStarted/3-Installation.mdx b/docs/1-GettingStarted/3-Installation.mdx
@@ -30,8 +30,10 @@ aws configure
 
 #### Redhat pull secret
 
-The Red Hat pull secret must be downloaded from https://console.redhat.com/openshift/downloads#tool-pull-secret. 
-Rename the file from ```pull-secret.txt``` to ```pull_secret.json```
+The Red Hat pull secret can be downloaded from https://console.redhat.com/openshift/downloads#tool-pull-secret. \
+
+After downloading the file, it will need to be uploaded to s3.
+
 
 #### Create s3 bucket
 
@@ -86,27 +88,33 @@ Review ***"parameters-override.yaml"***, the following changes will need to be m
 ### Deployment
 
 #### Create OCPInstall Role
-[Download the OCPInstall_Role.yaml](../../assets/Cloudformation/OCPInstall_Role.yaml)
+[Download the OCPInstallRole.yaml](../../assets/Cloudformation/OCPInstallRole.yaml) \
 Create the role by running the following command:
 
 ```
-aws cloudformation deploy --stack-name OCPInstall-role-1 -template-file OCPInstall_Role.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*
+aws cloudformation deploy --stack-name OCPInstall-role-1 -template-file OCPInstallRole.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*
 ```
 
 #### Create LambdaExecution Role
-[Download the LambdaExecutionRole.yaml](../../assets/Cloudformation/LambdaExecutionRole.yml)
+[Download the LambdaExecutionRole.yaml](../../assets/Cloudformation/LambdaExecutionRole.yaml) \
 Create the role by running the following command:
 
 ```
 aws cloudformation deploy --stack-name LambdaExecutionRole -template-file LambdaExecutionRole.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*
 ```
+#### Create OCPCloudform Role
+[Download the OCPCloudFormRole.yaml](../../assets/Cloudformation/OCPCloudFormRole.yaml) \
+Create the role by running the following command:
 
+```
+aws cloudformation deploy --stack-name OCPCloudFormRole -template-file OCPCloudFormRole.yaml --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here*
+```
 
 #### Deply cloudformation template using AWS CLI
 Using the OCPInstall role arn, run the following command to start the main cloudformation deployment:
 
 ```
-aws cloudformation deploy --stack-name stack-deployment-1 --template-file cluster.yaml --parameter-overrides file://parameters-override.json --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here* --role-arn arn:aws:iam::<ACCOUNT>:role/OCPInstall
+aws cloudformation deploy --stack-name stack-deployment-1 --template-file cluster-sts.yaml --parameter-overrides file://STS-parameters-override.json --capabilities CAPABILITY_NAMED_IAM --tags *add Key=Value tag here* --role-arn arn:aws:iam::<ACCOUNT>:role/OCPInstall
 ```
 
 Check the AWS Console to see when the cloudformation template has progressed far enough that the bootnode is online.
@@ -142,8 +150,10 @@ su ec2-user
 
 You will now be able to review deployment logs.
 
+#### Fixing aws command in SSM
+
 <details>
-<summary><b> #### Fixing aws command in SSM </b></summary>
+<summary><b>Fixing aws command in SSM</b></summary>
 SSM does not work exactly the same as SSH. If you intend to use any additional commands, such as ```aws```, then you need to do the following:
 
 Check the output of running the  ```aws``` command,