Hi AWS, we are onboarding RedHat OpenShift on AWS (ROSA) for one of our upcoming projects. The first step is to install OpenShift on AWS as a starting point and I have written a CloudFormation Template following the documentation https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html/installing/installing-on-aws#installing-aws-customizations. Here is the code:
# version: 1.0
AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys a Basic AWS Functional user to install Red Hat OpenShift on AWS.
Parameters:
  FuncUsername:
    Type: String
    Description: Name for IAM user to use OpenShift
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit
Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
  FuncUserAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      # !Ref on an AWS::IAM::User returns the user name and creates the
      # dependency on FuncUser, so an explicit DependsOn is not needed.
      Users:
        - !Ref FuncUser
      ManagedPolicyName: !Sub "${FuncUsername}_rosa_policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          # Each statement needs "Effect: Allow" and an "Action" list; the
          # action list must not sit under Effect or CloudFormation rejects it.
          - Sid: EC2Permissions
            Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CopyImage
              - ec2:CreateNetworkInterface
              - ec2:AttachNetworkInterface
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSnapshot
              - ec2:DeleteTags
              - ec2:DeregisterImage
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeDhcpOptions
              - ec2:DescribeImages
              - ec2:DescribeInstanceAttribute
              - ec2:DescribeInstanceCreditSpecifications
              - ec2:DescribeInstances
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeKeyPairs
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribePrefixLists
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSecurityGroupRules
              - ec2:DescribeSubnets
              - ec2:DescribeTags
              - ec2:DescribeVolumes
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcClassicLink
              - ec2:DescribeVpcClassicLinkDnsSupport
              - ec2:DescribeVpcEndpoints
              - ec2:DescribeVpcs
              - ec2:GetEbsDefaultKmsKeyId
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
            Resource: "*"
          # If you use an existing VPC, your account does not require these permissions for creating network resources.
          - Sid: NetworkingPermissions
            Effect: Allow
            Action:
              - ec2:AllocateAddress
              - ec2:AssociateAddress
              - ec2:AssociateDhcpOptions
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:CreateDhcpOptions
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSubnet
              - ec2:CreateVpc
              - ec2:CreateVpcEndpoint
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
            Resource: "*"
          - Sid: LoadBalancerPermissions
            Effect: Allow
            Action:
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DescribeInstanceHealth
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
              # ELBV2 permissions (actions already listed above are not repeated;
              # the same action name covers both classic and v2 load balancers)
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
            Resource: "*"
          # If you have not created a load balancer in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRole permission
          - Sid: IAMPermissions
            Effect: Allow
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:CreateInstanceProfile
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:GetInstanceProfile
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetUser
              - iam:ListInstanceProfilesForRole
              - iam:ListRoles
              - iam:ListUsers
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:RemoveRoleFromInstanceProfile
              - iam:SimulatePrincipalPolicy
              - iam:TagRole
            Resource: "*"
          - Sid: Route53Permissions
            Effect: Allow
            Action:
              - route53:ChangeResourceRecordSets
              - route53:ChangeTagsForResource
              - route53:CreateHostedZone
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListHostedZones
              - route53:ListHostedZonesByName
              - route53:ListResourceRecordSets
              - route53:ListTagsForResource
              - route53:UpdateHostedZoneComment
            Resource: "*"
          - Sid: S3Permissions
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetAccelerateConfiguration
              - s3:GetBucketAcl
              - s3:GetBucketCors
              - s3:GetBucketLocation
              - s3:GetBucketLogging
              - s3:GetBucketPolicy
              - s3:GetBucketObjectLockConfiguration
              - s3:GetBucketRequestPayment
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:GetLifecycleConfiguration
              - s3:GetReplicationConfiguration
              - s3:ListBucket
              - s3:PutBucketAcl
              - s3:PutBucketTagging
              - s3:PutEncryptionConfiguration
            Resource: "*"
Firstly, I need to know whether the template looks fine or whether any modification/improvement is needed. Secondly, I need to improve this template from a production setup POV, as currently we are doing a POC in one of our AWS Workload accounts. Also, I have seen a lot of sections in the document where there is a specific IAM permission to create/delete an operator and to create/delete the manifests, so are they also needed from an installation standpoint? Last but not least, I need to know whether I should create an IAM role or whether an IAM user is fine for serving the purpose.
Please acknowledge and guide.
Permissions-wise, does it look good or have I missed something?
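The following is an added example, not code from the original post or from Red Hat's documentation. It is the check a reviewer would run over the posted template before answering "does it look fine": it parses the CloudFormation YAML (including the `!Ref`/`!Sub` short-form tags that PyYAML rejects by default), then walks every statement of every `AWS::IAM::ManagedPolicy` / `AWS::IAM::Policy` and reports the structural mistake in the posted template (the action list placed under `Effect` instead of `Effect: Allow` plus `Action`), duplicate actions, `iam:PassRole` on `Resource: "*"`, and any other mutating action granted on `"*"`. The two embedded templates are constructed, cut-down copies of the posted statements; the loader tag list and the read-only prefix list are assumptions for illustration. Requires PyYAML (`pip install pyyaml`).

```python
"""Lint the IAM policy statements inside a CloudFormation template (added example)."""
import yaml


class CfnLoader(yaml.SafeLoader):
    """SafeLoader that accepts CloudFormation's short-form intrinsic tags."""


def _intrinsic(loader, node):
    # Keep the tag name as a dict key so !Ref/!Sub survive parsing as data.
    if isinstance(node, yaml.ScalarNode):
        value = loader.construct_scalar(node)
    elif isinstance(node, yaml.SequenceNode):
        value = loader.construct_sequence(node)
    else:
        value = loader.construct_mapping(node)
    return {node.tag: value}


# Assumption: only the tags commonly seen in IAM-centric templates are mapped.
for _tag in ("!Ref", "!Sub", "!GetAtt", "!Join", "!Select", "!Split", "!If"):
    CfnLoader.add_constructor(_tag, _intrinsic)

# Assumption: action names starting with these verbs never change state.
READ_ONLY_PREFIXES = ("Describe", "Get", "List", "Simulate")
POLICY_TYPES = ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy")


def lint_policy_statements(template_text):
    """Return (sid, severity, message) tuples; severity is 'error' or 'warn'."""
    template = yaml.load(template_text, Loader=CfnLoader)
    findings = []
    for res_name, res in template.get("Resources", {}).items():
        if res.get("Type") not in POLICY_TYPES:
            continue
        doc = res.get("Properties", {}).get("PolicyDocument", {})
        for stmt in doc.get("Statement", []):
            sid = stmt.get("Sid", res_name)
            effect = stmt.get("Effect")
            if isinstance(effect, list):
                # The mistake in the posted template: Effect must be the string
                # Allow or Deny; the list belongs under Action.
                findings.append((sid, "error",
                                 "Effect holds a list; write 'Effect: Allow' and put the list under 'Action'"))
            elif effect not in ("Allow", "Deny"):
                findings.append((sid, "error", f"Effect must be Allow or Deny, got {effect!r}"))

            actions = stmt.get("Action")
            if actions is None:
                findings.append((sid, "error", "statement has no Action"))
                continue
            if isinstance(actions, str):
                actions = [actions]
            seen = set()
            for action in actions:
                if action in seen:
                    findings.append((sid, "warn", f"duplicate action {action}"))
                seen.add(action)

            resource = stmt.get("Resource")
            if resource is None:
                findings.append((sid, "error", "statement has no Resource"))
            elif resource == "*" and effect == "Allow":
                if "iam:PassRole" in seen:
                    # PassRole on "*" lets this principal hand any role in the
                    # account to EC2; scope it to the roles the installer creates.
                    findings.append((sid, "warn",
                                     "iam:PassRole on Resource '*'; restrict to the installer's role ARNs"))
                writes = sorted(a for a in seen
                                if not a.split(":", 1)[-1].startswith(READ_ONLY_PREFIXES))
                if writes:
                    findings.append((sid, "warn",
                                     f"{len(writes)} mutating action(s) on Resource '*': {', '.join(writes)}"))
    return findings


# Constructed sample: a cut-down copy of the posted statement, bug included.
BROKEN_TEMPLATE = """\
AWSTemplateFormatVersion: 2010-09-09
Parameters:
  FuncUsername:
    Type: String
Resources:
  FuncUserAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      ManagedPolicyName: !Sub "${FuncUsername}_rosa_policy"
      Users:
        - !Ref FuncUsername
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: LoadBalancerPermissions
            Effect:
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:AddTags
            Resource: "*"
"""

# Constructed sample: the same statement written correctly, plus the IAM one.
FIXED_TEMPLATE = """\
Resources:
  FuncUserAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    Properties:
      Users:
        - !Ref FuncUser
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: LoadBalancerPermissions
            Effect: Allow
            Action:
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:DescribeLoadBalancers
            Resource: "*"
          - Sid: IAMPermissions
            Effect: Allow
            Action:
              - iam:GetRole
              - iam:PassRole
            Resource: "*"
"""

if __name__ == "__main__":
    for label, text in (("broken", BROKEN_TEMPLATE), ("fixed", FIXED_TEMPLATE)):
        for sid, severity, message in lint_policy_statements(text):
            print(f"[{label}] {severity.upper():5} {sid}: {message}")
```

Run it against the real template with `lint_policy_statements(open("template.yaml").read())`. Errors are things CloudFormation will reject outright; warnings are the least-privilege points to settle before the user goes near a production account, in particular scoping `iam:PassRole` to the instance-profile roles the installer creates rather than `*`.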