draft for the tf permissions part

aiven · Oct 13, 2023 · 2108a76 · 2108a76
1 parent 079f1f5
commit 2108a76
Showing 1 changed file with 195 additions and 0 deletions.
diff --git a/docs/platform/howto/byoc/create-custom-cloud.rst b/docs/platform/howto/byoc/create-custom-cloud.rst
@@ -48,6 +48,201 @@ Prerequisites
 * You have Terraform installed (:ref:`to integrate with AWS <create-cloud-aws>`).
 * You have Terraform permissions (:ref:`to integrate with AWS <create-cloud-aws>`).
 
+.. dropdown:: Show permissions required for creating resources for bastion and workload networks
+
+    .. code-block:: bash
+
+      {
+         "Version": "2023-10-04",
+         "Statement":
+         [
+            {
+                  "Sid": "Describe",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:DescribeAddresses",
+                     "ec2:DescribeAvailabilityZones",
+                     "ec2:DescribeInternetGateways",
+                     "ec2:DescribeNATGateways",
+                     "ec2:DescribeNetworkInterfaces",
+                     "ec2:DescribeRoutes",
+                     "ec2:DescribeRouteTables",
+                     "ec2:DescribeSubnets",
+                     "ec2:DescribeVpcs",
+                     "ec2:DescribeTags"
+                  ],
+                  "Resource": "*",
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+                     }
+                  }
+            },
+            {
+                  "Sid": "Create",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:AllocateAddress",
+                     "ec2:AssociateAddress",
+                     "ec2:AssociateRouteTable",
+                     "ec2:AssociateSubnetCidrBlock",
+                     "ec2:AssociateVpcCidrBlock",
+                     "ec2:AttachInternetGateway",
+                     "ec2:CreateInternetGateway",
+                     "ec2:CreateNATGateway",
+                     "ec2:CreateNetworkInterface",
+                     "ec2:CreateRoute",
+                     "ec2:CreateRouteTable",
+                     "ec2:CreateSubnet",
+                     "ec2:CreateVpc",
+                     "ec2:ReplaceRoute",
+                     "ec2:ReplaceRouteTableAssociation",
+                     "ec2:CreateTags",
+                     "tag:TagResources"
+                  ],
+                  "Resource": "*",
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+                     }
+                  }
+            },
+            {
+                  "Sid": "Delete",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:DetachInternetGateway",
+                     "ec2:DisassociateAddress",
+                     "ec2:DisassociateRouteTable",
+                     "ec2:DisassociateSubnetCidrBlock",
+                     "ec2:DisassociateVpcCidrBlock",
+                     "ec2:ModifySubnetAttribute",
+                     "ec2:ModifyVpcAttribute",
+                     "ec2:DeleteInternetGateway",
+                     "ec2:DeleteNATGateway",
+                     "ec2:DeleteNetworkInterface",
+                     "ec2:DeleteRoute",
+                     "ec2:DeleteRouteTable",
+                     "ec2:DeleteSubnet",
+                     "ec2:DeleteVpc",
+                     "ec2:ReleaseAddress",
+                     "ec2:DeleteTags"
+                  ],
+                  "Resource": "*",
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+                     }
+                  }
+            }
+         ]
+      }
+
+.. dropdown:: Show permissions required for creating the security groups for bastion and workload nodes
+
+    .. code-block:: bash
+
+      {
+         "Version": "2023-10-04",
+         "Statement":
+         [
+            {
+                  "Sid": "Describe",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:DescribeSecurityGroups",
+                     "ec2:DescribeSecurityGroupRules",
+                     "ec2:DescribeNetworkInterfaces",
+                     "ec2:DescribeTags"
+                  ],
+                  "Resource":
+                  [
+                     "arn:aws:ec2:<region>:<accountID>:security-group/*"
+                  ],
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+                     }
+                  }
+            },
+            {
+                  "Sid": "Create",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:AuthorizeSecurityGroupEgress",
+                     "ec2:AuthorizeSecurityGroupIngress",
+                     "ec2:CreateSecurityGroup",
+                     "ec2:CreateTags",
+                     "tag:TagResources"
+                  ],
+                  "Resource": "*",
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+                     }
+                  }
+            },
+            {
+                  "Sid": "Delete",
+                  "Effect": "Allow",
+                  "Action":
+                  [
+                     "ec2:RevokeSecurityGroupEgress",
+                     "ec2:RevokeSecurityGroupIngress",
+                     "ec2:DeleteSecurityGroup",
+                     "ec2:DeleteTags"
+                  ],
+                  "Resource": "arn:aws:ec2:<region>:<accountID>:security-group/*",
+                  "Condition":
+                  {
+                     "StringLike":
+                     {
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+                        "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+                     }
+                  }
+            }
+         ]
+      }
+
+.. dropdown:: Show permissions required for creating the `cce*-iam-role` role, which has all the required policies
+
+   The `cce*-iam-role` role specified in the `aws.tf` file has all the necessary policies for managing the nodes of the cloud. To create `cce*-iam-role`, you need to run the Terraform script using a role with the following permissions:
+
+    .. code-block:: bash
+
+      {
+         "Version": "2023-10-04",
+         "Statement": [
+            {
+                  "Effect": "Allow",
+                  "Action": [
+                     "iam:AttachRolePolicy",
+                     "iam:CreateRole",
+                     "iam:PutRolePolicy"
+                  ],
+                  "Resource": "arn:aws:iam::*:role/cce*-iam-role"
+            }
+         ]
+      }
+
 .. _create-cloud:
 
 Create a custom cloud