Installation of OpenShift on AWS


Hi AWS, we are onboarding Red Hat OpenShift on AWS (ROSA) for one of our upcoming projects. The first step is to install OpenShift on AWS as a starting point, and I have written a CloudFormation template following the documentation. Here is the code:

# version: 1.0

AWSTemplateFormatVersion: 2010-09-09
Description: >
  This Template Deploys a Basic AWS Functional user to install Red Hat OpenShift on AWS.

Parameters:
  FuncUsername:
    Type: String
    Description: Name for IAM user to use OpenShift
  PrimaryOwner:
    Type: String
    Description: Primary Owner for this user
  SecondaryOwner:
    Type: String
    Description: Secondary Owner for this user
  CostCentre:
    Type: String
    Description: Cost Centre
  BusinessUnit:
    Type: String
    Description: Business Unit

Resources:
  FuncUser:
    Type: AWS::IAM::User
    Properties:
      UserName: !Ref FuncUsername
      Tags:
        - Key: primary_owner
          Value: !Ref PrimaryOwner
        - Key: secondary_owner
          Value: !Ref SecondaryOwner
        - Key: cost_centre
          Value: !Ref CostCentre
        - Key: business_unit
          Value: !Ref BusinessUnit

  FuncUserPolicy:
    Type: AWS::IAM::ManagedPolicy
    DependsOn: FuncUser
    Properties:
      Users:
        - !Ref FuncUsername
      ManagedPolicyName: !Sub "${FuncUsername}_rosa_policy"
      PolicyDocument:
        Version: "2012-10-17"
        Statement:
          - Sid: EC2Permissions
            Effect: Allow
            Action:
              - ec2:AuthorizeSecurityGroupEgress
              - ec2:AuthorizeSecurityGroupIngress
              - ec2:CopyImage
              - ec2:CreateNetworkInterface
              - ec2:AttachNetworkInterface
              - ec2:CreateSecurityGroup
              - ec2:CreateTags
              - ec2:CreateVolume
              - ec2:DeleteSecurityGroup
              - ec2:DeleteSnapshot
              - ec2:DeleteTags
              - ec2:DeregisterImage
              - ec2:DescribeAccountAttributes
              - ec2:DescribeAddresses
              - ec2:DescribeAvailabilityZones
              - ec2:DescribeDhcpOptions
              - ec2:DescribeImages
              - ec2:DescribeInstanceAttribute
              - ec2:DescribeInstanceCreditSpecifications
              - ec2:DescribeInstances
              - ec2:DescribeInstanceTypes
              - ec2:DescribeInternetGateways
              - ec2:DescribeKeyPairs
              - ec2:DescribeNatGateways
              - ec2:DescribeNetworkAcls
              - ec2:DescribeNetworkInterfaces
              - ec2:DescribePrefixLists
              - ec2:DescribeRegions
              - ec2:DescribeRouteTables
              - ec2:DescribeSecurityGroups
              - ec2:DescribeSecurityGroupRules
              - ec2:DescribeSubnets
              - ec2:DescribeTags
              - ec2:DescribeVolumes
              - ec2:DescribeVpcAttribute
              - ec2:DescribeVpcClassicLink
              - ec2:DescribeVpcClassicLinkDnsSupport
              - ec2:DescribeVpcEndpoints
              - ec2:DescribeVpcs
              - ec2:GetEbsDefaultKmsKeyId
              - ec2:ModifyInstanceAttribute
              - ec2:ModifyNetworkInterfaceAttribute
              - ec2:RevokeSecurityGroupEgress
              - ec2:RevokeSecurityGroupIngress
              - ec2:RunInstances
              - ec2:TerminateInstances
            Resource: "*"
          # If you use an existing VPC, your account does not require these permissions for creating network resources.
          - Sid: NetworkingPermissions
            Effect: Allow
            Action:
              - ec2:AllocateAddress
              - ec2:AssociateAddress
              - ec2:AssociateDhcpOptions
              - ec2:AssociateRouteTable
              - ec2:AttachInternetGateway
              - ec2:CreateDhcpOptions
              - ec2:CreateInternetGateway
              - ec2:CreateNatGateway
              - ec2:CreateRoute
              - ec2:CreateRouteTable
              - ec2:CreateSubnet
              - ec2:CreateVpc
              - ec2:CreateVpcEndpoint
              - ec2:ModifySubnetAttribute
              - ec2:ModifyVpcAttribute
            Resource: "*"
          - Sid: LoadBalancerPermissions
            Effect: Allow
            Action:
              # Classic ELB permissions
              - elasticloadbalancing:AddTags
              - elasticloadbalancing:ApplySecurityGroupsToLoadBalancer
              - elasticloadbalancing:AttachLoadBalancerToSubnets
              - elasticloadbalancing:ConfigureHealthCheck
              - elasticloadbalancing:CreateLoadBalancer
              - elasticloadbalancing:CreateLoadBalancerListeners
              - elasticloadbalancing:DeleteLoadBalancer
              - elasticloadbalancing:DeregisterInstancesFromLoadBalancer
              - elasticloadbalancing:DescribeInstanceHealth
              - elasticloadbalancing:DescribeLoadBalancerAttributes
              - elasticloadbalancing:DescribeLoadBalancers
              - elasticloadbalancing:DescribeTags
              - elasticloadbalancing:ModifyLoadBalancerAttributes
              - elasticloadbalancing:RegisterInstancesWithLoadBalancer
              - elasticloadbalancing:SetLoadBalancerPoliciesOfListener
              # ELBv2 permissions (AddTags, CreateLoadBalancer, DeleteLoadBalancer,
              # DescribeLoadBalancerAttributes, DescribeLoadBalancers and
              # ModifyLoadBalancerAttributes are already listed above and are not repeated)
              - elasticloadbalancing:CreateListener
              - elasticloadbalancing:CreateTargetGroup
              - elasticloadbalancing:DeregisterTargets
              - elasticloadbalancing:DescribeListeners
              - elasticloadbalancing:DescribeTargetGroupAttributes
              - elasticloadbalancing:DescribeTargetHealth
              - elasticloadbalancing:ModifyTargetGroup
              - elasticloadbalancing:ModifyTargetGroupAttributes
              - elasticloadbalancing:RegisterTargets
            Resource: "*"
          # If you have not created a load balancer in your AWS account, the IAM user also requires the iam:CreateServiceLinkedRole permission
          - Sid: IAMPermissions
            Effect: Allow
            Action:
              - iam:AddRoleToInstanceProfile
              - iam:CreateInstanceProfile
              - iam:CreateRole
              - iam:DeleteInstanceProfile
              - iam:DeleteRole
              - iam:DeleteRolePolicy
              - iam:GetInstanceProfile
              - iam:GetRole
              - iam:GetRolePolicy
              - iam:GetUser
              - iam:ListInstanceProfilesForRole
              - iam:ListRoles
              - iam:ListUsers
              - iam:PassRole
              - iam:PutRolePolicy
              - iam:RemoveRoleFromInstanceProfile
              - iam:SimulatePrincipalPolicy
              - iam:TagRole
            Resource: "*"
          - Sid: Route53Permissions
            Effect: Allow
            Action:
              - route53:ChangeResourceRecordSets
              - route53:ChangeTagsForResource
              - route53:CreateHostedZone
              - route53:DeleteHostedZone
              - route53:GetChange
              - route53:GetHostedZone
              - route53:ListHostedZones
              - route53:ListHostedZonesByName
              - route53:ListResourceRecordSets
              - route53:ListTagsForResource
              - route53:UpdateHostedZoneComment
            Resource: "*"
          - Sid: S3Permissions
            Effect: Allow
            Action:
              - s3:CreateBucket
              - s3:DeleteBucket
              - s3:GetAccelerateConfiguration
              - s3:GetBucketAcl
              - s3:GetBucketCors
              - s3:GetBucketLocation
              - s3:GetBucketLogging
              - s3:GetBucketPolicy
              - s3:GetBucketObjectLockConfiguration
              - s3:GetBucketRequestPayment
              - s3:GetBucketTagging
              - s3:GetBucketVersioning
              - s3:GetBucketWebsite
              - s3:GetEncryptionConfiguration
              - s3:GetLifecycleConfiguration
              - s3:GetReplicationConfiguration
              - s3:ListBucket
              - s3:PutBucketAcl
              - s3:PutBucketTagging
              - s3:PutEncryptionConfiguration
            Resource: "*"

Firstly, I need to know whether the template looks fine or whether any modification/improvement is needed. Secondly, I need to improve this template from a production-setup point of view, as currently we are doing a POC in one of our AWS workload accounts. Also, I have seen a lot of sections in the document where there is a specific IAM permission to create/delete an operator and to create/delete the manifests, so are they also needed from an installation standpoint? Last but not least, I need to know whether I should create an IAM role or whether an IAM user is fine for serving the purpose.

Please acknowledge and guide.

1 Answer

Hello. Evaluating your code for a production environment, I would envision the following improvements to make it fail-free. First of all, I would review and narrow down IAM permissions to follow the principle of least privilege, and use secrets for any sensitive information where possible. Can you narrow down network permissions further? Also, make use of IAM roles instead of going straight to IAM users, especially if the access is not long term. Once you've made these adjustments, your template should be more suitable for a production environment.

answered 2 months ago
reviewed 2 months ago
  • Permissions-wise, does it look good or have I missed something?
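As an added example for this thread (not code from the question, the answer, AWS or Red Hat), the Python below runs the review the answer is asking for as a repeatable check: it walks a CloudFormation template, flags an AWS::IAM::User as an installer identity, and lints each attached policy for mutating actions granted on Resource "*" without a Condition, for IAM actions that act as privilege pivots (CreateRole, PutRolePolicy, PassRole) on "*", and for actions repeated across statements, which the posted LoadBalancerPermissions statement does. The remediation hints are general IAM hygiene, not ROSA's documented action set; any narrowing still has to be verified against the ROSA documentation and a test install. SAMPLE_TEMPLATE is a constructed, trimmed copy of the posted structure with one hardened statement (ScopedPassRole) added to show what passes clean; its account id and role path are placeholders.

```python
"""Least-privilege lint for an IAM policy embedded in a CloudFormation template.

Added example for this thread, not code from the question, the answer, AWS or Red Hat.
The checks are general IAM hygiene, not ROSA's documented action set; verify any
narrowing against the ROSA docs and a test install.  SAMPLE_TEMPLATE is a constructed,
trimmed copy of the posted structure; its account id and role path are placeholders.
"""
from __future__ import annotations

from collections import Counter
from dataclasses import dataclass
from typing import Any

# Action names starting with these verbs only read state.
READ_PREFIXES = ("Describe", "Get", "List", "Simulate")

# Actions that create or change other principals' permissions.  Granted on
# Resource "*" they turn an "installer" identity into an account administrator.
PRIVILEGE_PIVOTS = {
    "iam:PassRole": "limit Resource to the installer's roles and add an iam:PassedToService condition",
    "iam:CreateRole": "limit Resource to a role path such as arn:aws:iam::<account>:role/rosa-*",
    "iam:PutRolePolicy": "limit Resource to the same role path",
}


@dataclass(frozen=True)
class Finding:
    logical_id: str  # CloudFormation logical resource id
    sid: str         # statement id, or "-" for resource-level findings
    severity: str    # high / medium / low
    message: str


def _as_list(value: Any) -> list:
    return value if isinstance(value, list) else [value]


def _is_read_only(action: str) -> bool:
    return action.split(":", 1)[-1].startswith(READ_PREFIXES)


def lint_policy(logical_id: str, document: dict[str, Any]) -> list[Finding]:
    """Flag unconditioned writes on '*', privilege pivots on '*' and repeated actions."""
    findings: list[Finding] = []
    first_grant: dict[str, str] = {}  # action -> Sid that first allowed it
    for index, stmt in enumerate(_as_list(document.get("Statement", []))):
        sid = stmt.get("Sid", f"Statement{index}")
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        wildcard_resource = "*" in _as_list(stmt.get("Resource", []))
        writes = [a for a in actions if not _is_read_only(a)]
        if wildcard_resource and writes and not stmt.get("Condition"):
            findings.append(Finding(logical_id, sid, "high",
                f"{len(writes)} mutating action(s) on Resource '*' without a Condition, e.g. {writes[0]}"))
        for action in actions:
            if action.endswith("*"):
                findings.append(Finding(logical_id, sid, "high", f"wildcard action {action}"))
            if action in PRIVILEGE_PIVOTS and wildcard_resource:
                findings.append(Finding(logical_id, sid, "high",
                    f"{action} on Resource '*': {PRIVILEGE_PIVOTS[action]}"))
            if action in first_grant:
                findings.append(Finding(logical_id, sid, "low",
                    f"{action} already allowed in statement {first_grant[action]}"))
            else:
                first_grant[action] = sid
    return findings


def lint_template(template: dict[str, Any]) -> list[Finding]:
    """Walk Resources: flag IAM users (long-lived keys) and lint every policy document."""
    findings: list[Finding] = []
    for logical_id, resource in template.get("Resources", {}).items():
        rtype, props = resource.get("Type"), resource.get("Properties", {})
        if rtype == "AWS::IAM::User":
            findings.append(Finding(logical_id, "-", "medium",
                "IAM user implies long-lived access keys; prefer an AWS::IAM::Role assumed for the install"))
        if rtype in ("AWS::IAM::ManagedPolicy", "AWS::IAM::Policy"):
            findings.extend(lint_policy(logical_id, props.get("PolicyDocument", {})))
    return findings


def severity_counts(findings: list[Finding]) -> dict[str, int]:
    return dict(Counter(f.severity for f in findings))


# Constructed sample: the posted structure with the action lists cut down.
SAMPLE_TEMPLATE: dict[str, Any] = {
    "Resources": {
        "FuncUser": {"Type": "AWS::IAM::User", "Properties": {"UserName": {"Ref": "FuncUsername"}}},
        "FuncUserPolicy": {
            "Type": "AWS::IAM::ManagedPolicy",
            "Properties": {
                "Users": [{"Ref": "FuncUsername"}],
                "PolicyDocument": {
                    "Version": "2012-10-17",
                    "Statement": [
                        {"Sid": "EC2Permissions", "Effect": "Allow", "Resource": "*",
                         "Action": ["ec2:DescribeInstances", "ec2:RunInstances", "ec2:TerminateInstances"]},
                        # AddTags repeated, as in the posted classic-ELB and ELBv2 lists.
                        {"Sid": "LoadBalancerPermissions", "Effect": "Allow", "Resource": "*",
                         "Action": ["elasticloadbalancing:AddTags", "elasticloadbalancing:DescribeLoadBalancers",
                                    "elasticloadbalancing:AddTags"]},
                        {"Sid": "IAMPermissions", "Effect": "Allow", "Resource": "*",
                         "Action": ["iam:GetRole", "iam:CreateRole", "iam:PutRolePolicy"]},
                        # Hardened PassRole grant: narrowed Resource plus a condition; produces no finding.
                        {"Sid": "ScopedPassRole", "Effect": "Allow", "Action": "iam:PassRole",
                         "Resource": "arn:aws:iam::123456789012:role/rosa-*",
                         "Condition": {"StringEquals": {"iam:PassedToService": "ec2.amazonaws.com"}}},
                    ],
                },
            },
        },
    },
}

if __name__ == "__main__":
    for f in lint_template(SAMPLE_TEMPLATE):
        print(f"[{f.severity:6}] {f.logical_id}/{f.sid}: {f.message}")
    print(severity_counts(lint_template(SAMPLE_TEMPLATE)))
```

Run directly, it prints seven findings for the sample: one medium for the IAM user, one high per statement that mutates on "*", two high for the CreateRole/PutRolePolicy pivots, and one low for the repeated AddTags, while ScopedPassRole is clean. To check the real template rather than the sample, parse it into a dict first; the short-form tags (`!Ref`, `!Sub`) need a YAML loader that understands them, or use the JSON form of the template, where they appear as `{"Ref": ...}` objects like the ones in SAMPLE_TEMPLATE.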
