Installation of OpenShift on AWS


Hi AWS, we are onboarding Red Hat OpenShift on AWS (ROSA) for one of our upcoming projects. The first step is to install OpenShift on AWS as a starting point, and I have written a CloudFormation template following the documentation https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html/installing/installing-on-aws#installing-aws-customizations. Here is the code:

# version: 1.0

AWSTemplateFormatVersion: 2010-09-09
Description: >
  This template deploys a basic AWS functional user to install Red Hat OpenShift on AWS.
Parameters:
  FuncUsername:
    Type: String
    Description: Name for IAM user to use OpenShift
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit

Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
  FuncUserAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn: FuncUser
    Properties:
      Users:
        - !Ref FuncUsername
      ManagedPolicyName: !Sub "${FuncUsername}_rosa_policy"
      PolicyDocument:
        Version: "2012-10-17"
        # Every statement needs an Effect (Allow/Deny) and an Action list; the
        # action names must not be placed under Effect.
        Statement:
          - Sid: EC2Permissions
            Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CopyImage
              - ec2:CreateNetworkInterface
              - ec2:AttachNetworkInterface
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSnapshot
              - ec2:DeleteTags
              - ec2:DeregisterImage
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeDhcpOptions
              - ec2:DescribeImages
              - ec2:DescribeInstanceAttribute
              - ec2:DescribeInstanceCreditSpecifications
              - ec2:DescribeInstances
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeKeyPairs
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribePrefixLists
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSecurityGroupRules
              - ec2:DescribeSubnets
              - ec2:DescribeTags
              - ec2:DescribeVolumes
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcClassicLink
              - ec2:DescribeVpcClassicLinkDnsSupport
              - ec2:DescribeVpcEndpoints
              - ec2:DescribeVpcs
              - ec2:GetEbsDefaultKmsKeyId
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
            Resource: "*"
          # If you use an existing VPC, your account does not require these
          # permissions for creating network resources.
          - Sid: NetworkingPermissions
            Effect: Allow
            Action:
              - ec2:AllocateAddress
              - ec2:AssociateAddress
              - ec2:AssociateDhcpOptions
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:CreateDhcpOptions
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSubnet
              - ec2:CreateVpc
              - ec2:CreateVpcEndpoint
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
            Resource: "*"
          - Sid: LoadBalancerPermissions
            Effect: Allow
            Action:
              # Classic ELB permissions
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DescribeInstanceHealth
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
              # ELBv2 permissions (actions already listed above are not repeated)
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
            Resource: "*"
          # If you have not created a load balancer in your AWS account, the IAM
          # user also requires the iam:CreateServiceLinkedRole permission.
          - Sid: IAMPermissions
            Effect: Allow
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:CreateInstanceProfile
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:GetInstanceProfile
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetUser
              - iam:ListInstanceProfilesForRole
              - iam:ListRoles
              - iam:ListUsers
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:RemoveRoleFromInstanceProfile
              - iam:SimulatePrincipalPolicy
              - iam:TagRole
            Resource: "*"
          - Sid: Route53Permissions
            Effect: Allow
            Action:
              - route53:ChangeResourceRecordSets
              - route53:ChangeTagsForResource
              - route53:CreateHostedZone
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListHostedZones
              - route53:ListHostedZonesByName
              - route53:ListResourceRecordSets
              - route53:ListTagsForResource
              - route53:UpdateHostedZoneComment
            Resource: "*"
          - Sid: S3Permissions
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetAccelerateConfiguration
              - s3:GetBucketAcl
              - s3:GetBucketCors
              - s3:GetBucketLocation
              - s3:GetBucketLogging
              - s3:GetBucketPolicy
              - s3:GetBucketObjectLockConfiguration
              - s3:GetBucketRequestPayment
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:GetLifecycleConfiguration
              - s3:GetReplicationConfiguration
              - s3:ListBucket
              - s3:PutBucketAcl
              - s3:PutBucketTagging
              - s3:PutEncryptionConfiguration
            Resource: "*"

Firstly, I need to know whether the template looks fine or whether any modification/improvement is needed. Secondly, I need to improve this template from a production setup POV, as currently we are doing a POC in one of our AWS workload accounts. Also, I have seen a lot of sections in the document where there is a specific IAM permission to create/delete an operator and to create/delete the manifests, so are they also needed from an installation standpoint? Last but not least, I need to know whether I should create an IAM role or whether an IAM user is fine for serving the purpose.

Please acknowledge and guide.

1 Answer

Hello, trying to evaluate your code for a production environment, I would envision the following improvements to make it fail-free. First of all, I would review and narrow down IAM permissions to follow the principle of least privilege and use secrets for any sensitive information where possible. Can you narrow down network permissions further? Also, make use of IAM roles instead of going straight to IAM users, especially if the access is not long term. Once you've made these adjustments, your template should be more suitable for a production environment.

answered 17 days ago
reviewed 17 days ago
  • Permissions-wise, does it look good or have I missed something?
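Two things on this thread are worth checking mechanically before a template like this is pushed to a stack: the structural shape of each statement (the posted template lists the action names under Effect and has no Action key at all, which CloudFormation rejects), and the least-privilege points the answer raises (duplicate actions, wildcard actions, and privilege-granting IAM actions such as iam:PassRole on Resource "*" without any Condition). The following is an added example, not code from AWS, Red Hat or the question's author. It lints a PolicyDocument represented as a plain dict (what you get after parsing the JSON or YAML); the two policies embedded in it are constructed, shortened versions of the posted template, and the set of actions it treats as high risk is this example's own choice, not an AWS list.

```python
"""Static lint for an IAM PolicyDocument before it goes into a CloudFormation stack.

Added example; not AWS or Red Hat code. The policies below are constructed,
shortened versions of the template posted in the question.
"""

VALID_EFFECTS = {"Allow", "Deny"}
# Actions that create or hand out privilege. Treating exactly these as high risk
# is an assumption of this example; adjust to your account's standards.
PRIVILEGE_ACTIONS = {"iam:PassRole", "iam:CreateRole", "iam:PutRolePolicy",
                     "iam:AddRoleToInstanceProfile"}


def _as_list(value):
    """IAM accepts a string or a list for Action/Resource; normalise to a list."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def check_statement(stmt, index):
    """Return a list of findings (strings) for one policy statement."""
    findings = []
    sid = stmt.get("Sid") or f"Statement[{index}]"
    effect = stmt.get("Effect")
    # The posted template puts the action list under Effect; catch that shape
    # (a list is unhashable, so test the type before the set membership).
    if not isinstance(effect, str) or effect not in VALID_EFFECTS:
        findings.append(f"{sid}: Effect must be 'Allow' or 'Deny', got {effect!r}")
    if "Action" not in stmt and "NotAction" not in stmt:
        findings.append(f"{sid}: missing Action (or NotAction)")
    if "Resource" not in stmt and "NotResource" not in stmt:
        findings.append(f"{sid}: missing Resource (or NotResource)")
    actions = _as_list(stmt.get("Action"))
    resources = _as_list(stmt.get("Resource"))
    duplicates = sorted({a for a in actions if actions.count(a) > 1})
    if duplicates:
        findings.append(f"{sid}: duplicate actions {duplicates}")
    if effect == "Allow" and "*" in resources:
        wild = [a for a in actions if a == "*" or a.endswith(":*")]
        if wild:
            findings.append(f"{sid}: wildcard actions {wild} on Resource '*'")
        risky = sorted(PRIVILEGE_ACTIONS.intersection(actions))
        if risky and "Condition" not in stmt:
            findings.append(f"{sid}: {risky} allowed on Resource '*' without a Condition")
    return findings


def lint_policy(doc):
    """Lint a whole PolicyDocument (a dict, as parsed from JSON or YAML)."""
    findings = []
    if doc.get("Version") != "2012-10-17":
        findings.append("PolicyDocument: Version should be '2012-10-17'")
    statements = doc.get("Statement", [])
    if isinstance(statements, dict):
        statements = [statements]
    for i, stmt in enumerate(statements):
        findings.extend(check_statement(stmt, i))
    return findings


# Constructed sample: the shape of the posted template (actions under Effect).
BROKEN_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EC2Permissions",
         "Effect": ["ec2:DescribeInstances", "ec2:RunInstances"],
         "Resource": "*"},
    ],
}

# Constructed sample: same statements with Effect/Action corrected. The
# duplicated AddTags mirrors the classic-ELB and ELBv2 lists in the post.
FIXED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "EC2Permissions", "Effect": "Allow",
         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"],
         "Resource": "*"},
        {"Sid": "LoadBalancerPermissions", "Effect": "Allow",
         "Action": ["elasticloadbalancing:AddTags",
                    "elasticloadbalancing:CreateLoadBalancer",
                    "elasticloadbalancing:AddTags"],
         "Resource": "*"},
        {"Sid": "IAMPermissions", "Effect": "Allow",
         "Action": ["iam:CreateRole", "iam:GetRole", "iam:PassRole"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, doc in (("broken", BROKEN_POLICY), ("fixed", FIXED_POLICY)):
        print(f"== {name} ==")
        for finding in lint_policy(doc) or ["no findings"]:
            print(" -", finding)
```

Run against the broken sample it reports the Effect/Action defect; against the corrected sample it is silent on structure and instead reports the duplicate action and the IAM statement that grants iam:CreateRole and iam:PassRole on every resource with no Condition, which is the kind of statement the answer is asking you to narrow (for example by scoping Resource to the role ARNs the installer actually creates).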
