From 2108a76d30f91169c1d625ca1a781e492a88dac2 Mon Sep 17 00:00:00 2001
From: Dorota Wojcik
Date: Fri, 13 Oct 2023 15:41:25 +0200
Subject: [PATCH] draft for the tf permissions part
---
 .../howto/byoc/create-custom-cloud.rst | 195 ++++++++++++++++++
 1 file changed, 195 insertions(+)
diff --git a/docs/platform/howto/byoc/create-custom-cloud.rst b/docs/platform/howto/byoc/create-custom-cloud.rst
index b0b1a54954..f8ca7302de 100644
--- a/docs/platform/howto/byoc/create-custom-cloud.rst
+++ b/docs/platform/howto/byoc/create-custom-cloud.rst
@@ -48,6 +48,201 @@ Prerequisites
 * You have Terraform installed (:ref:`to integrate with AWS `).
 * You have Terraform permissions (:ref:`to integrate with AWS `).
+.. dropdown:: Show permissions required for creating resources for bastion and workload networks
+
+ .. code-block:: bash
+
+ {
+ "Version": "2023-10-04",
+ "Statement":
+ [
+ {
+ "Sid": "Describe",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:DescribeAddresses",
+ "ec2:DescribeAvailabilityZones",
+ "ec2:DescribeInternetGateways",
+ "ec2:DescribeNATGateways",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeRoutes",
+ "ec2:DescribeRouteTables",
+ "ec2:DescribeSubnets",
+ "ec2:DescribeVpcs",
+ "ec2:DescribeTags"
+ ],
+ "Resource": "*",
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+ }
+ }
+ },
+ {
+ "Sid": "Create",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:AllocateAddress",
+ "ec2:AssociateAddress",
+ "ec2:AssociateRouteTable",
+ "ec2:AssociateSubnetCidrBlock",
+ "ec2:AssociateVpcCidrBlock",
+ "ec2:AttachInternetGateway",
+ "ec2:CreateInternetGateway",
+ "ec2:CreateNATGateway",
+ "ec2:CreateNetworkInterface",
+ "ec2:CreateRoute",
+ "ec2:CreateRouteTable",
+ "ec2:CreateSubnet",
+ "ec2:CreateVpc",
+ "ec2:ReplaceRoute",
+ "ec2:ReplaceRouteTableAssociation",
+ "ec2:CreateTags",
+ "tag:TagResources"
+ ],
+ "Resource": "*",
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+ }
+ }
+ },
+ {
+ "Sid": "Delete",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:DetachInternetGateway",
+ "ec2:DisassociateAddress",
+ "ec2:DisassociateRouteTable",
+ "ec2:DisassociateSubnetCidrBlock",
+ "ec2:DisassociateVpcCidrBlock",
+ "ec2:ModifySubnetAttribute",
+ "ec2:ModifyVpcAttribute",
+ "ec2:DeleteInternetGateway",
+ "ec2:DeleteNATGateway",
+ "ec2:DeleteNetworkInterface",
+ "ec2:DeleteRoute",
+ "ec2:DeleteRouteTable",
+ "ec2:DeleteSubnet",
+ "ec2:DeleteVpc",
+ "ec2:ReleaseAddress",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "*",
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_custom_cloud_environment_id": "cce*"
+ }
+ }
+ }
+ ]
+ }
+
+.. dropdown:: Show permissions required for creating the security groups for bastion and workload nodes
+
+ .. code-block:: bash
+
+ {
+ "Version": "2023-10-04",
+ "Statement":
+ [
+ {
+ "Sid": "Describe",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:DescribeSecurityGroups",
+ "ec2:DescribeSecurityGroupRules",
+ "ec2:DescribeNetworkInterfaces",
+ "ec2:DescribeTags"
+ ],
+ "Resource":
+ [
+ "arn:aws:ec2:::security-group/*"
+ ],
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+ }
+ }
+ },
+ {
+ "Sid": "Create",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:AuthorizeSecurityGroupEgress",
+ "ec2:AuthorizeSecurityGroupIngress",
+ "ec2:CreateSecurityGroup",
+ "ec2:CreateTags",
+ "tag:TagResources"
+ ],
+ "Resource": "*",
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+ }
+ }
+ },
+ {
+ "Sid": "Delete",
+ "Effect": "Allow",
+ "Action":
+ [
+ "ec2:RevokeSecurityGroupEgress",
+ "ec2:RevokeSecurityGroupIngress",
+ "ec2:DeleteSecurityGroup",
+ "ec2:DeleteTags"
+ ],
+ "Resource": "arn:aws:ec2:::security-group/*",
+ "Condition":
+ {
+ "StringLike":
+ {
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-dmz-*",
+ "aws:ResourceTag/aiven_security_group": "cce*-security-group-workload-*"
+ }
+ }
+ }
+ ]
+ }
+
+.. dropdown:: Show permissions required for creating the `cce*-iam-role` role, which has all the required policies
+
+ The `cce*-iam-role` role specified in the `aws.tf` file has all the necessary policies for managing the nodes of the cloud. To create `cce*-iam-role`, you need to run the Terraform script using a role with the following permissions:
+
+ .. code-block:: bash
+
+ {
+ "Version": "2023-10-04",
+ "Statement": [
+ {
+ "Effect": "Allow",
+ "Action": [
+ "iam:AttachRolePolicy",
+ "iam:CreateRole",
+ "iam:PutRolePolicy"
+ ],
+ "Resource": "arn:aws:iam::*:role/cce*-iam-role"
+ }
+ ]
+ }
+
 .. _create-cloud:
 Create a custom cloud
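Review bot: `"Version": "2023-10-04"` in all three dropdowns is not a policy-language version IAM accepts (the supported value is `"2012-10-17"`), so each policy would be rejected when a reader tries to create it; the line recurs at the top of the second and third code blocks. The `Create` statements in the first two dropdowns condition `ec2:CreateVpc`, `ec2:CreateSubnet`, `ec2:CreateSecurityGroup` and the other create actions on `aws:ResourceTag/...`, but a resource that is still being created carries no tags, so this is likely to deny exactly the calls Terraform needs; the usual least-privilege pattern is `aws:RequestTag/<key>` plus `aws:TagKeys` on create actions and `aws:ResourceTag` only on the modify/delete statements. In the security-group dropdown the `StringLike` objects repeat the key `aws:ResourceTag/aiven_security_group`, which a JSON parser collapses to a single value; the alternatives should be an array, `"aws:ResourceTag/aiven_security_group": ["cce*-security-group-dmz-*", "cce*-security-group-workload-*"]`. `arn:aws:ec2:::security-group/*` also leaves the region and account fields empty, and `ec2:Describe*` actions generally do not support resource-level ARNs or resource-tag conditions, so the `Describe` statement probably needs `"Resource": "*"` with no condition while the scoping stays on the mutating statements. Marking the blocks `code-block:: json` rather than `bash` would give readers correct highlighting and lets a docs linter validate the JSON.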