Installation of OpenShift on AWS


Hi AWS, we are onboarding Red Hat OpenShift on AWS (ROSA) for one of our upcoming projects. The first step is to install OpenShift on AWS as a starting point, and I have written a CloudFormation template following the documentation https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html/installing/installing-on-aws#installing-aws-customizations. Here is the code:

# version: 1.0

AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys Basic AWS Functional user to install Red Hat OpenShift on AWS.
Parameters:
  FuncUsername:
    Type: String
    Description: Name for IAM user to use OpenShift
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit

Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit
  FuncUserAccessPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn: FuncUser
    Properties:
      Users:
        - !Ref FuncUsername
      ManagedPolicyName: !Sub "${FuncUsername}_rosa_policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EC2Permissions
            Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CopyImage
              - ec2:CreateNetworkInterface
              - ec2:AttachNetworkInterface
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSnapshot
              - ec2:DeleteTags
              - ec2:DeregisterImage
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeDhcpOptions
              - ec2:DescribeImages
              - ec2:DescribeInstanceAttribute
              - ec2:DescribeInstanceCreditSpecifications
              - ec2:DescribeInstances
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeKeyPairs
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribePrefixLists
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSecurityGroupRules
              - ec2:DescribeSubnets
              - ec2:DescribeTags
              - ec2:DescribeVolumes
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcClassicLink
              - ec2:DescribeVpcClassicLinkDnsSupport
              - ec2:DescribeVpcEndpoints
              - ec2:DescribeVpcs
              - ec2:GetEbsDefaultKmsKeyId
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
            Resource: "*"
          # If you use an existing VPC, your account does not require these permissions for creating network resources.
          - Sid: NetworkingPermissions
            Effect: Allow
            Action:
              - ec2:AllocateAddress
              - ec2:AssociateAddress
              - ec2:AssociateDhcpOptions
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:CreateDhcpOptions
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSubnet
              - ec2:CreateVpc
              - ec2:CreateVpcEndpoint
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
            Resource: "*"
          - Sid: LoadBalancerPermissions
            Effect: Allow
            Action:
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DescribeInstanceHealth
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
              # ELBV2 permissions (actions shared with classic ELB above are listed once)
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
            Resource: "*"
          - Sid: IAMPermissions
            # If you have not created a load balancer in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRole permission
            Effect: Allow
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:CreateInstanceProfile
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:GetInstanceProfile
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetUser
              - iam:ListInstanceProfilesForRole
              - iam:ListRoles
              - iam:ListUsers
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:RemoveRoleFromInstanceProfile
              - iam:SimulatePrincipalPolicy
              - iam:TagRole
            Resource: "*"
          - Sid: Route53Permissions
            Effect: Allow
            Action:
              - route53:ChangeResourceRecordSets
              - route53:ChangeTagsForResource
              - route53:CreateHostedZone
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListHostedZones
              - route53:ListHostedZonesByName
              - route53:ListResourceRecordSets
              - route53:ListTagsForResource
              - route53:UpdateHostedZoneComment
            Resource: "*"
          - Sid: S3Permissions
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetAccelerateConfiguration
              - s3:GetBucketAcl
              - s3:GetBucketCors
              - s3:GetBucketLocation
              - s3:GetBucketLogging
              - s3:GetBucketPolicy
              - s3:GetBucketObjectLockConfiguration
              - s3:GetBucketRequestPayment
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:GetLifecycleConfiguration
              - s3:GetReplicationConfiguration
              - s3:ListBucket
              - s3:PutBucketAcl
              - s3:PutBucketTagging
              - s3:PutEncryptionConfiguration
            Resource: "*"

Firstly, I need to know whether the template looks fine or whether any modification/improvement is needed. Secondly, I need to improve this template from a production-setup point of view, as currently we are doing a POC in one of our AWS workload accounts. Also, I have seen a lot of sections in the documentation where there is a specific IAM permission to create/delete an operator and to create/delete the manifests, so are they also needed from an installation standpoint? Last but not least, I need to know whether I should create an IAM role or whether an IAM user is fine for serving the purpose.

Please acknowledge and guide.

1 Answer

Hello, trying to evaluate your code for a production environment, I would envision the following improvements to make it fail-free. First of all, I would review and narrow down IAM permissions to follow the principle of least privilege and use secrets for any sensitive information where possible. Can you narrow down network permissions further? Also, make use of IAM roles instead of going straight to IAM users, especially if the access is not long term. Once you've made these adjustments, your template should be more suitable for a production environment.

Expert
Answered 1 month ago
Expert
Reviewed 1 month ago
  • Permissions-wise, does it look good or have I missed something?

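As an added example (not code from the question or the answer), a small Python check that catches the structural problem in the posted template, where each statement's action list sits under Effect with no Action key, and flags the wildcard-resource statements the answer suggests narrowing. It works on the policy as a plain dict; SAMPLE_POLICY is a constructed statement modelled on the LoadBalancerPermissions block.

```python
"""Structural and least-privilege checks for an IAM policy document (added example).
The policy is a Python dict (the JSON CloudFormation renders from PolicyDocument),
so it runs offline; SAMPLE_POLICY is constructed to mirror the question's shape:
actions under "Effect", no "Action" key."""
READ_ONLY = ("Describe", "Get", "List")

def lint_statement(stmt: dict) -> list:
    """Return findings for one statement; an empty list means it passed."""
    sid, findings = stmt.get("Sid", "<no Sid>"), []
    # IAM requires Effect to be exactly "Allow" or "Deny"; a list here means
    # the actions were placed under the wrong key.
    if stmt.get("Effect") not in ("Allow", "Deny"):
        findings.append(f"{sid}: Effect must be 'Allow' or 'Deny'")
    actions = stmt.get("Action")
    if actions is None:
        findings.append(f"{sid}: missing Action")
    actions = [actions] if isinstance(actions, str) else (actions or [])
    dupes = sorted({a for a in actions if actions.count(a) > 1})
    if dupes:
        findings.append(f"{sid}: duplicate actions {dupes}")
    # Wildcard resources on mutating verbs are the first thing to narrow;
    # Describe/Get/List calls generally do need Resource "*".
    mutating = [a for a in actions if not a.split(":")[-1].startswith(READ_ONLY)]
    if stmt.get("Resource") == "*" and mutating:
        findings.append(f"{sid}: Resource '*' with mutating actions, e.g. {mutating[0]}")
    return findings

def lint_policy(policy: dict) -> list:
    return [f for s in policy.get("Statement", []) for f in lint_statement(s)]

def fix_effect_action(stmt: dict) -> dict:
    """Move an action list wrongly placed under Effect into Action, deduplicated."""
    if isinstance(stmt.get("Effect"), list) and "Action" not in stmt:
        return {**stmt, "Effect": "Allow", "Action": sorted(set(stmt["Effect"]))}
    return stmt

SAMPLE_POLICY = {  # constructed, modelled on the question's LoadBalancerPermissions
    "Version": "2012-10-17",
    "Statement": [{"Sid": "LoadBalancerPermissions", "Resource": "*",
                   "Effect": ["elasticloadbalancing:AddTags",
                              "elasticloadbalancing:CreateLoadBalancer",
                              "elasticloadbalancing:DescribeLoadBalancers",
                              "elasticloadbalancing:AddTags"]}],
}

if __name__ == "__main__":
    print("before:", lint_policy(SAMPLE_POLICY))
    fixed = [fix_effect_action(s) for s in SAMPLE_POLICY["Statement"]]
    print("after:", lint_policy({**SAMPLE_POLICY, "Statement": fixed}))
```

After the Effect/Action fix the only remaining finding is the wildcard resource, which is the part the answer asks to narrow by hand.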