Installing AWS to Gov regions

_topic_map.yml

@@ -141,6 +141,8 @@ Topics:
     File: installing-aws-vpc
   - Name: Installing a private cluster on AWS
     File: installing-aws-private
+  - Name: Installing a cluster on AWS into a government region
+    File: installing-aws-government-region
   - Name: Installing a cluster on AWS using CloudFormation templates
     File: installing-aws-user-infra
   - Name: Installing a cluster on AWS in a restricted network

installing/installing_aws/installing-aws-government-region.adoc

@@ -0,0 +1,70 @@
+[id="installing-aws-government-region"]
+= Installing a cluster on AWS into a government region
+include::modules/common-attributes.adoc[]
+:context: installing-aws-government-region
+
+toc::[]
+
+In {product-title} version {product-version}, you can install a cluster on
+Amazon Web Services (AWS) into a government region. To configure the government
+region, modify parameters in the `install-config.yaml` file before you
+install the cluster.
+
+== Prerequisites
+
+* Review details about the
+xref:../../architecture/architecture-installation.adoc#architecture-installation[{product-title} installation and update]
+processes.
+* xref:../../installing/installing_aws/installing-aws-account.adoc#installing-aws-account[Configure an AWS account]
+to host the cluster.
++
+[IMPORTANT]
+====
+If you have an AWS profile stored on your computer, it must not use a temporary
+session token that you generated while using a multi-factor authentication
+device. The cluster continues to use your current AWS credentials to create
+AWS resources for the entire life of the cluster, so you must use long-lived
+credentials. To generate appropriate keys, see
+link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_access-keys.html[Managing Access Keys for IAM Users]
+in the AWS documentation. You can supply the keys when you run the installation
+program.
+====
+* If you use a firewall, you must
+xref:../../installing/install_config/configuring-firewall.adoc#configuring-firewall[configure it to allow the sites] that your cluster requires access to.
+* If you do not allow the system to manage identity and access management (IAM),
+then a cluster administrator can
+xref:../../installing/installing_aws/manually-creating-iam.adoc#manually-creating-iam-aws[manually
+create and maintain IAM credentials]. Manual mode can also be used in
+environments where the cloud IAM APIs are not reachable.
+
+include::modules/installation-aws-about-government-region.adoc[leveloffset=+1]
+
+include::modules/private-clusters-default.adoc[leveloffset=+1]
+include::modules/private-clusters-about-aws.adoc[leveloffset=+2]
+
+include::modules/installation-custom-aws-vpc.adoc[leveloffset=+1]
+
+include::modules/cluster-entitlements.adoc[leveloffset=+1]
+
+include::modules/ssh-agent-using.adoc[leveloffset=+1]
+
+include::modules/installation-obtaining-installer.adoc[leveloffset=+1]
+
+include::modules/installation-initializing-manual.adoc[leveloffset=+1]
+include::modules/installation-configuration-parameters.adoc[leveloffset=+2]
+include::modules/installation-aws-config-yaml.adoc[leveloffset=+2]
+include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+2]
+include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+2]
+include::modules/installation-configure-proxy.adoc[leveloffset=+2]
+
+include::modules/installation-launching-installer.adoc[leveloffset=+1]
+
+include::modules/cli-installing-cli.adoc[leveloffset=+1]
+
+include::modules/cli-logging-in-kubeadmin.adoc[leveloffset=+1]
+
+== Next steps
+
+* xref:../../installing/install_config/customizations.adoc#customizations[Customize your cluster].
+* If necessary, you can
+xref:../../support/remote_health_monitoring/opting-out-of-remote-health-reporting.adoc#opting-out-remote-health-reporting_opting-out-remote-health-reporting[opt out of remote health reporting].

installing/installing_aws/installing-aws-user-infra.adoc

@@ -84,6 +84,10 @@ include::modules/installation-cloudformation-security.adoc[leveloffset=+2]
 
 include::modules/installation-aws-user-infra-rhcos-ami.adoc[leveloffset=+1]
 
+include::modules/installation-aws-regions-with-no-ami.adoc[leveloffset=+2]
+
+include::modules/installation-aws-upload-custom-rhcos-ami.adoc[leveloffset=+2]
+
 include::modules/installation-creating-aws-bootstrap.adoc[leveloffset=+1]
 
 include::modules/installation-cloudformation-bootstrap.adoc[leveloffset=+2]

modules/cli-installing-cli.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc

modules/cli-logging-in-kubeadmin.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc

modules/cluster-entitlements.adoc

@@ -4,6 +4,7 @@
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc

modules/installation-aws-about-government-region.adoc

@@ -0,0 +1,24 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-government-region.adoc
+
+[id="installation-aws-about-government-region_{context}"]
+= AWS government regions
+
+{product-title} supports deploying a cluster to
+link:https://aws.amazon.com/govcloud-us[AWS GovCloud (US)] regions. AWS GovCloud
+is specifically designed for US government agencies at the federal, state, and
+local level, as well as contractors, educational institutions, and other US
+customers that must run sensitive workloads in the cloud.
+
+These regions do not have published {op-system-first} Amazon Machine Images (AMI) to select, so you
+must upload a custom AMI that belongs to that region.
+
+The following AWS GovCloud partitions are supported:
+
+* `us-gov-west-1`
+* `us-gov-east-1`
+
+The AWS GovCloud region and custom AMI must be manually configured in the
+`install-config.yaml` file since {op-system} AMIs are not provided by Red Hat
+for those regions.

modules/installation-aws-config-yaml.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
@@ -18,6 +19,11 @@ ifeval::["{context}" == "installing-aws-private"]
 :vpc:
 :private:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:vpc:
+:private:
+:gov:
+endif::[]
 
 
 [id="installation-aws-config-yaml_{context}"]
@@ -38,22 +44,28 @@ This sample YAML file is provided for reference only. You must obtain your
 apiVersion: v1
 baseDomain: example.com <1>
 credentialsMode: Mint <2>
-controlPlane: <3>
-  hyperthreading: Enabled <4> <5>
+controlPlane: <3> <4>
+  hyperthreading: Enabled <5>
   name: master
   platform:
     aws:
       zones:
+ifdef::gov[]
+      - us-gov-west-1a
+      - us-gov-west-1b
+endif::gov[]
+ifndef::gov[]
       - us-west-2a
       - us-west-2b
+endif::gov[]
       rootVolume:
         iops: 4000
         size: 500
-        type: io1
-      type: m5.xlarge <5>
+        type: io1 <6>
+      type: m5.xlarge
   replicas: 3
 compute: <3>
-- hyperthreading: Enabled <4>
+- hyperthreading: Enabled <5>
   name: worker
   platform:
     aws:
@@ -63,7 +75,12 @@ compute: <3>
         type: io1 <6>
       type: c5.4xlarge
       zones:
+ifdef::gov[]
+      - us-gov-west-1c
+endif::gov[]
+ifndef::gov[]
       - us-west-2c
+endif::gov[]
   replicas: 3
 metadata:
   name: test-cluster <1>
@@ -83,7 +100,12 @@ endif::[]
   - 172.30.0.0/16
 platform:
   aws:
+ifndef::gov[]
     region: us-west-2 <1>
+endif::gov[]
+ifdef::gov[]
+    region: us-gov-west-1
+endif::gov[]
     userTags:
       adminContact: jdoe
       costCenter: 7536
@@ -92,21 +114,36 @@ ifdef::vpc[]
     - subnet-1
     - subnet-2
     - subnet-3
+    amiID: ami-96c6f8f7 <8>
+    serviceEndpoints: <9>
+      - name: ec2
+        url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
+endif::vpc[]
+ifndef::vpc[]
+    amiID: ami-96c6f8f7 <7>
+    serviceEndpoints: <8>
+      - name: ec2
+        url: https://vpce-id.ec2.us-west-2.vpce.amazonaws.com
 endif::vpc[]
 pullSecret: '{"auths": ...}' <1>
 ifdef::vpc[]
-fips: false <8>
-sshKey: ssh-ed25519 AAAA... <9>
+fips: false <10>
+sshKey: ssh-ed25519 AAAA... <11>
 endif::vpc[]
 ifndef::vpc[]
-fips: false <7>
-sshKey: ssh-ed25519 AAAA... <8>
+fips: false <9>
+sshKey: ssh-ed25519 AAAA... <10>
 endif::vpc[]
 ifdef::private[]
-publish: Internal <10>
+publish: Internal <12>
 endif::private[]
 ----
+ifndef::gov[]
 <1> Required. The installation program prompts you for this value.
+endif::gov[]
+ifdef::gov[]
+<1> Required.
+endif::gov[]
 <2> Optional: Add this parameter to force the Cloud Credential Operator (CCO) to use the specified mode, instead of having the CCO dynamically try to determine the capabilities of the credentials. For details about CCO modes, see the _Cloud Credential Operator_ entry in the _Red Hat Operators reference_ content.
 <3> If you do not provide these parameters and values, the installation program
 provides the default value.
@@ -135,13 +172,23 @@ disable simultaneous multithreading.
 storage type as `io1` and set `iops` to `2000`.
 ifdef::vpc[]
 <7> If you provide your own VPC, specify subnets for each availability zone that your cluster uses.
-<8> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
-<9> You can optionally provide the `sshKey` value that you use to access the
+<8> The ID of the AMI used to boot machines for the cluster. If set, the AMI
+must belong to the same region as the cluster.
+<9> The AWS service endpoints. Custom endpoints are required when installing to
+an unknown AWS region. The endpoint URL must use the `https` protocol and the
+host must trust the certificate.
+<10> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<11> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::vpc[]
 ifndef::vpc[]
-<7> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
-<8> You can optionally provide the `sshKey` value that you use to access the
+<7> The ID of the AMI used to boot machines for the cluster. If set, the AMI
+must belong to the same region as the cluster.
+<8> The AWS service endpoints. Custom endpoints are required when installing to
+an unknown AWS region. The endpoint URL must use the `https` protocol and the
+host must trust the certificate.
+<9> Whether to enable or disable FIPS mode. By default, FIPS mode is not enabled. If FIPS mode is enabled, the {op-system-first} machines that {product-title} runs on bypass the default Kubernetes cryptography suite and use the cryptography modules that are provided with {op-system} instead.
+<10> You can optionally provide the `sshKey` value that you use to access the
 machines in your cluster.
 endif::vpc[]
 +
@@ -150,7 +197,7 @@ endif::vpc[]
 For production {product-title} clusters on which you want to perform installation debugging or disaster recovery, specify an SSH key that your `ssh-agent` process uses.
 ====
 ifdef::private[]
-<10> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
+<12> How to publish the user-facing endpoints of your cluster. Set `publish` to `Internal` to deploy a private cluster, which cannot be accessed from the internet. The default value is `External`.
 endif::private[]
 
 ifeval::["{context}" == "installing-aws-network-customizations"]
@@ -166,3 +213,8 @@ ifeval::["{context}" == "installing-aws-private"]
 :!vpc:
 :!private:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:!vpc:
+:!private:
+:!gov:
+endif::[]

modules/installation-aws-regions-with-no-ami.adoc

@@ -0,0 +1,27 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-government-region.adoc
+// * installing/installing_aws/installing-aws-user-infra.adoc
+
+[id="installation-aws-regions-with-no-ami_{context}"]
+= AWS regions without a published {op-system} AMI
+
+You can deploy an {product-title} cluster to Amazon Web Services (AWS) regions
+without native support for a {op-system-first} Amazon Machine Image (AMI) or the
+AWS software development kit (SDK). If a
+published AMI is not available for an AWS region, you can upload a custom AMI
+prior to installing the cluster. This is required if you are deploying your
+cluster to an AWS government region.
+
+If you are deploying to a non-government region that does not have a published
+{op-system} AMI, and you do not specify a custom AMI, the installation program
+copies the `us-east-1` AMI to the user account automatically. Then the
+installation program creates the control plane machines with encrypted EBS
+volumes using the default or user-specified Key Management Service (KMS) key.
+This allows the AMI to follow the same process workflow as published {op-system}
+AMIs.
+
+A region without native support for an {op-system} AMI is not available to
+select from the terminal during cluster creation because it is not published.
+However, you can install to this region by configuring the custom AMI in the
+`install-config.yaml` file.

modules/installation-aws-regions.adoc

@@ -5,7 +5,7 @@
 [id="installation-aws-regions_{context}"]
 = Supported AWS regions
 
-You can deploy an {product-title} cluster to the following regions:
+You can deploy an {product-title} cluster to the following public regions:
 
 * ap-northeast-1 (Tokyo)
 * ap-northeast-2 (Seoul)
@@ -24,3 +24,8 @@ You can deploy an {product-title} cluster to the following regions:
 * us-east-2 (Ohio)
 * us-west-1 (N. California)
 * us-west-2 (Oregon)
+
+The following AWS GovCloud regions are supported:
+
+* us-gov-west-1
+* us-gov-east-1

modules/installation-aws-upload-custom-rhcos-ami.adoc

@@ -0,0 +1,141 @@
+// Module included in the following assemblies:
+//
+// * installing/installing_aws/installing-aws-government-region.adoc
+
+[id="installation-aws-upload-custom-rhcos-ami_{context}"]
+= Uploading a custom {op-system} AMI in AWS
+ 
+If you are deploying to a custom Amazon Web Services (AWS) region, you must
+upload a custom {op-system-first} Amazon Machine Image (AMI) that belongs to
+that region.
+
+.Prerequisites
+
+* Configure an AWS account.
+* Create an Amazon S3 bucket with the required IAM
+link:https://docs.aws.amazon.com/vm-import/latest/userguide/vmie_prereqs.html#vmimport-role[service role].
+* Upload your {op-system} VMDK file to Amazon S3. The {op-system} VMDK file must
+be the highest version that is less than or equal to the {product-title} version
+you are installing.
+* Download the AWS CLI and install it on your computer. See
+link:https://docs.aws.amazon.com/cli/latest/userguide/install-bundle.html[Install the AWS CLI Using the Bundled Installer].
+
+.Procedure
+
+. Export your AWS profile as an environment variable:
++
+[source,terminal]
+----
+$ export AWS_PROFILE=<aws_profile> <1>
+----
+<1> The AWS profile name that holds your AWS credentials, like `govcloud`.
+
+. Export the region to associate with your custom AMI as an environment
+variable:
++
+[source,terminal]
+----
+$ export AWS_DEFAULT_REGION=<aws_region> <1>
+----
+<1> The AWS region, like `us-gov-east-1`.
+
+. Export the version of {op-system} you uploaded to Amazon S3 as an environment
+variable:
++
+[source,terminal]
+----
+$ export RHCOS_VERSION=<version> <1>
+----
+<1> The {op-system} VMDK version, like `4.6.0`.
+
+. Export the Amazon S3 bucket name as an environment variable:
++
+[source,terminal]
+----
+$ export VMIMPORT_BUCKET_NAME=<s3_bucket_name>
+----
+
+. Create the `containers.json` file and define your {op-system} VMDK file:
++
+[source,terminal]
+----
+$ cat <<EOF > containers.json
+{
+   "Description": "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64",
+   "Format": "vmdk",
+   "UserBucket": {
+      "S3Bucket": "${VMIMPORT_BUCKET_NAME}",
+      "S3Key": "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64.vmdk"
+   }
+}
+EOF
+----
+
+. Import the {op-system} disk as an Amazon EBS snapshot:
++
+[source,terminal]
+----
+$ aws ec2 import-snapshot --region ${AWS_DEFAULT_REGION} \
+     --description "<description>" \ <1>
+     --disk-container <file_path>/containers.json <2>
+----
+<1> The description of your {op-system} disk being imported, like
+`rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64`.
+<2> The file path to the JSON file describing your {op-system} disk. The JSON
+file should contain your Amazon S3 bucket name and key.
+
+. Check the status of the image import:
++
+[source,terminal]
+----
+$ watch -n 5 aws ec2 describe-import-snapshot-tasks --region ${AWS_DEFAULT_REGION}
+----
++
+.Example output
+[source,terminal]
+----
+{
+    "ImportSnapshotTasks": [
+        {
+            "Description": "rhcos-4.6.0-x86_64-aws.x86_64",
+            "ImportTaskId": "import-snap-fh6i8uil",
+            "SnapshotTaskDetail": {
+                "Description": "rhcos-4.6.0-x86_64-aws.x86_64",
+                "DiskImageSize": 819056640.0,
+                "Format": "VMDK",
+                "SnapshotId": "snap-06331325870076318",
+                "Status": "completed",
+                "UserBucket": {
+                    "S3Bucket": "external-images",
+                    "S3Key": "rhcos-4.6.0-x86_64-aws.x86_64.vmdk"
+                }
+            }
+        }
+    ]
+}
+----
++
+Copy the `SnapshotId` to register the image.
+
+. Create a custom {op-system} AMI from the {op-system} snapshot:
++
+[source,terminal]
+----
+$ aws ec2 register-image \
+   --region ${AWS_DEFAULT_REGION} \
+   --architecture x86_64 \ <1>
+   --description "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64" \ <2>
+   --ena-support \
+   --name "rhcos-${RHCOS_VERSION}-x86_64-aws.x86_64" \ <3>
+   --virtualization-type hvm \
+   --root-device-name '/dev/xvda' \
+   --block-device-mappings 'DeviceName=/dev/xvda,Ebs={DeleteOnTermination=true,SnapshotId=<snapshot_ID>}' <4>
+----
+<1> The {op-system} VMDK architecture type, like `x86_64`, `s390x`, or `ppc64le`.
+<2> The `Description` from the imported snapshot.
+<3> The name of the {op-system} AMI.
+<4> The `SnapshotID` from the imported snapshot.
+
+To learn more about these APIs, see the AWS documentation for
+link:https://docs.aws.amazon.com/vm-import/latest/userguide/vmimport-import-snapshot.html[importing snapshots]
+and link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/creating-an-ami-ebs.html#creating-launching-ami-from-snapshot[creating EBS-backed AMIs].

modules/installation-aws-user-infra-rhcos-ami.adoc

@@ -6,8 +6,14 @@
 [id="installation-aws-user-infra-rhcos-ami_{context}"]
 = {op-system} AMIs for the AWS infrastructure
 
-You must use a valid {op-system-first} AMI for your Amazon Web Services
-(AWS) zone for your {product-title} nodes.
+Red Hat provides {op-system-first} AMIs valid for the various Amazon Web
+Services (AWS) zones you can specify for your {product-title} nodes.
+
+[NOTE]
+====
+You can also install to regions that do not have a {op-system} AMI published by
+importing your own AMI.
+====
 
 .{op-system} AMIs
 

modules/installation-cloudformation-dns.adoc

@@ -13,3 +13,16 @@ objects and load balancers that you need for your {product-title} cluster.
 ----
 include::https://raw.githubusercontent.com/openshift/installer/release-4.6/upi/aws/cloudformation/02_cluster_infra.yaml[]
 ----
+
+[IMPORTANT]
+====
+If you are deploying your cluster to an AWS government region, you must update the `InternalApiServerRecord` to use `CNAME` records. Records of type `ALIAS` are not supported for AWS government regions. For example:
+
+[source,yaml]
+----
+Type: CNAME
+TTL: 10
+ResourceRecords:
+- !GetAtt IntApiElb.DNSName
+----
+====

modules/installation-configuration-parameters.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
@@ -22,6 +23,9 @@
 ifeval::["{context}" == "installing-aws-customizations"]
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :aws:
 endif::[]
@@ -292,6 +296,10 @@ ifdef::aws[]
 |====
 |Parameter|Description|Values
 
+|`compute.platform.aws.amiID`
+|The AWS AMI used to boot compute machines for the cluster. This is required for regions that require a custom {op-system} AMI.
+|Any published or custom {op-system} AMI that belongs to the set AWS region.
+
 |`compute.platform.aws.rootVolume.iops`
 |The Input/Output Operations Per Second (IOPS) that is reserved for the root volume.
 |Integer, for example `4000`.
@@ -318,6 +326,10 @@ link:https://yaml.org/spec/1.2/spec.html#sequence//[YAML sequence].
 |The AWS region that the installation program creates compute resources in.
 |Any valid link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS region], such as `us-east-1`.
 
+|`controlPlane.platform.aws.amiID`
+|The AWS AMI used to boot control plane machines for the cluster.  This is required for regions that require a custom {op-system} AMI.
+|Any published or custom {op-system} AMI that belongs to the set AWS region.
+
 |`controlPlane.platform.aws.type`
 |The EC2 instance type for the control plane machines.
 |Valid link:https://aws.amazon.com/ec2/instance-types/[AWS instance type], such as `c5.9xlarge`.
@@ -331,6 +343,23 @@ control plane MachinePool.
 |The AWS region that the installation program creates control plane resources in.
 |Valid link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS region], such as `us-east-1`.
 
+|`platform.aws.amiID`
+|The AWS AMI used to boot all machines for the cluster. If set, the AMI must
+belong to the same region as the cluster. This is required for regions that require a custom {op-system} AMI.
+|Any published or custom {op-system} AMI that belongs to the set AWS region.
+
+|`platform.aws.serviceEndpoints.name`
+|The AWS service endpoint name. Custom endpoints are only required for cases
+where alternative AWS endpoints, like FIPS, must be used. Custom API endpoints
+can be specified for EC2, S3, IAM, Elastic Load Balancing, Tagging, Route 53,
+and STS AWS services.
+|Valid link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS service endpoint] name.
+
+|`platform.aws.serviceEndpoints.url`
+|The AWS service endpoint URL. The URL must use the `https` protocol and the
+host must trust the certificate.
+|Valid link:https://docs.aws.amazon.com/general/latest/gr/rande.html[AWS service endpoint] URL.
+
 |`platform.aws.userTags`
 |A map of keys and values that the installation program adds as tags to all resources that it creates.
 |Any valid YAML map, such as key value pairs in the `<key>: <value>` format. For more information about AWS tags, see link:https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/Using_Tags.html[Tagging Your Amazon EC2 Resources] in the AWS documentation.
@@ -696,6 +725,9 @@ endif::vsphere[]
 ifeval::["{context}" == "installing-aws-customizations"]
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!aws:
 endif::[]

modules/installation-configure-proxy.adoc

@@ -1,6 +1,7 @@
 // Module included in the following assemblies:
 //
 // * installing/installing_aws/installing-aws-user-infra.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_azure/installing-azure-private.adoc
 // * installing/installing_azure/installing-azure-user-infra.adoc
 // * installing/installing_gcp/installing-gcp-user-infra.adoc

modules/installation-creating-aws-bootstrap.adoc

@@ -40,6 +40,11 @@ Ignition config files for your cluster are served from an S3 bucket. If you
 choose to serve the files from another location, you must modify the templates.
 ====
 +
+[IMPORTANT]
+====
+If you are deploying to a region that has endpoints that differ from the AWS SDK, or you are providing your own custom endpoints, you must use a presigned URL for your S3 bucket instead of the `s3://` schema.
+====
++
 [NOTE]
 ====
 The bootstrap Ignition config file does contain secrets, like X.509 keys. The
@@ -161,16 +166,20 @@ for the VPC.
 Amazon Resource Name (ARN) value.
 <17> The ARN for NLB IP target registration lambda group.
 <18> Specify the `RegisterNlbIpTargetsLambda` value from the output of the
-CloudFormation template for DNS and load balancing.
+CloudFormation template for DNS and load balancing. Use `arn:aws-us-gov` if
+deploying the cluster to an AWS GovCloud region.
 <19> The ARN for external API load balancer target group.
 <20> Specify the `ExternalApiTargetGroupArn` value from the output of the
-CloudFormation template for DNS and load balancing.
+CloudFormation template for DNS and load balancing. Use `arn:aws-us-gov` if
+deploying the cluster to an AWS GovCloud region.
 <21> The ARN for internal API load balancer target group.
 <22> Specify the `InternalApiTargetGroupArn` value from the output of the
-CloudFormation template for DNS and load balancing.
+CloudFormation template for DNS and load balancing. Use `arn:aws-us-gov` if
+deploying the cluster to an AWS GovCloud region.
 <23> The ARN for internal service load balancer target group.
 <24> Specify the `InternalServiceTargetGroupArn` value from the output of the
-CloudFormation template for DNS and load balancing.
+CloudFormation template for DNS and load balancing. Use `arn:aws-us-gov` if
+deploying the cluster to an AWS GovCloud region.
 
 . Copy the template from the *CloudFormation template for the bootstrap machine*
 section of this topic and save it as a YAML file on your computer. This template

modules/installation-creating-aws-control-plane.adoc

@@ -169,16 +169,20 @@ If `m4` instance types are not available in your region, such as with
 Amazon Resource Name (ARN) value.
 <25> The ARN for NLB IP target registration lambda group.
 <26> Specify the `RegisterNlbIpTargetsLambda` value from the output of the CloudFormation template for DNS
-and load balancing.
+and load balancing. Use `arn:aws-us-gov` if deploying the cluster to an AWS
+GovCloud region.
 <27> The ARN for external API load balancer target group.
 <28> Specify the `ExternalApiTargetGroupArn` value from the output of the CloudFormation template for DNS
-and load balancing.
+and load balancing. Use `arn:aws-us-gov` if deploying the cluster to an AWS
+GovCloud region.
 <29> The ARN for internal API load balancer target group.
 <30> Specify the `InternalApiTargetGroupArn` value from the output of the CloudFormation template for DNS
-and load balancing.
+and load balancing. Use `arn:aws-us-gov` if deploying the cluster to an AWS
+GovCloud region.
 <31> The ARN for internal service load balancer target group.
 <32> Specify the `InternalServiceTargetGroupArn` value from the output of the CloudFormation template for DNS
-and load balancing.
+and load balancing. Use `arn:aws-us-gov` if deploying the cluster to an AWS
+GovCloud region.
 
 . Copy the template from the *CloudFormation template for control plane machines*
 section of this topic and save it as a YAML file on your computer. This template

modules/installation-creating-aws-dns.adoc

@@ -110,6 +110,11 @@ for the VPC.
 . Copy the template from the *CloudFormation template for the network and load balancers*
 section of this topic and save it as a YAML file on your computer. This template
 describes the networking and load balancing objects that your cluster requires.
++
+[IMPORTANT]
+====
+If you are deploying your cluster to an AWS government region, you must update the `InternalApiServerRecord` in the CloudFormation template to use `CNAME` records. Records of type `ALIAS` are not supported for AWS government regions.
+====
 
 . Launch the template:
 +

modules/installation-custom-aws-vpc.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
 

modules/installation-generate-aws-user-infra-install-config.adoc

@@ -20,6 +20,7 @@ cluster.
 ifdef::restricted[]
 For a restricted network installation, these files are on your mirror host.
 endif::restricted[]
+* Check that you are deploying your cluster to a region with an accompanying {op-system-first} AMI published by Red Hat. If you are deploying to a region that requires a custom AMI, such as an AWS GovCloud region, you must create the `install-config.yaml` file manually.
 
 .Procedure
 

modules/installation-initializing-manual.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_bare_metal/installing-bare-metal.adoc
 // * installing/installing_bare_metal/installing-restricted-networks-bare-metal.adoc
 // * installing/installing_vsphere/installing-restricted-networks-vsphere.adoc
@@ -12,12 +13,22 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :restricted:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:aws-gov:
+endif::[]
 
 [id="installation-initializing-manual_{context}"]
 = Manually creating the installation configuration file
 
+ifndef::aws-gov[]
 For installations of {product-title} that use user-provisioned
 infrastructure, you manually generate your installation configuration file.
+endif::aws-gov[]
+ifdef::aws-gov[]
+When installing {product-title} on Amazon Web Services (AWS) into a region
+requiring a custom {op-system-first} AMI, you must manually generate your
+installation configuration file.
+endif::aws-gov[]
 
 .Prerequisites
 
@@ -80,3 +91,6 @@ endif::[]
 ifeval::["{context}" == "installing-restricted-networks-bare-metal"]
 :!restricted:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:!aws-gov:
+endif::[]

modules/installation-launching-installer.adoc

@@ -2,6 +2,7 @@
 //
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc
@@ -27,6 +28,10 @@ ifeval::["{context}" == "installing-aws-customizations"]
 :custom-config:
 :aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:custom-config:
+:aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :custom-config:
 :aws:
@@ -345,6 +350,10 @@ ifeval::["{context}" == "installing-aws-customizations"]
 :!custom-config:
 :!aws:
 endif::[]
+ifeval::["{context}" == "installing-aws-government-region"]
+:!custom-config:
+:!aws:
+endif::[]
 ifeval::["{context}" == "installing-aws-network-customizations"]
 :!custom-config:
 :!aws:

modules/installation-obtaining-installer.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc

modules/private-clusters-about-aws.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * post_installation_configuration/node-tasks.adoc
 

modules/private-clusters-default.adoc

@@ -1,5 +1,6 @@
 // Module included in the following assemblies:
 //
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_gcp/installing-gcp-private.adoc
 // * installing/installing_azure/installing-azure-private.adoc
@@ -7,10 +8,29 @@
 [id="private-clusters-default_{context}"]
 = Private clusters
 
+ifeval::["{context}" == "installing-aws-government-region"]
+:gov:
+endif::[]
+
+ifndef::gov[]
 If your environment does not require an external internet connection, you can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the Internet.
+endif::gov[]
+ifdef::gov[]
+You can deploy a private {product-title} cluster that does not expose external endpoints. Private clusters are accessible from only an internal network and are not visible to the Internet.
+
+[NOTE]
+====
+Public zones are not supported in Route53 in AWS GovCloud. Therefore, clusters
+must be private if they are deployed to an AWS government region.
+====
+endif::gov[]
 
 By default, {product-title} is provisioned to use publicly-accessible DNS and endpoints. A private cluster sets the DNS, Ingress Controller, and API server to private when you deploy your cluster. This means that the cluster resources are only accessible from your internal network and are not visible to the internet.
 
 To deploy a private cluster, you must use existing networking that meets your requirements. Your cluster resources might be shared between other clusters on the network.
 
 Additionally, you must deploy a private cluster from a machine that has access the API services for the cloud you provision to, the hosts on the network that you provision, and to the internet to obtain installation media. You can use any machine that meets these access requirements and follows your company's guidelines. For example, this machine can be a bastion host on your cloud network or a machine that has access to the network through a VPN.
+
+ifeval::["{context}" == "installing-aws-government-region"]
+:!gov:
+endif::[]

modules/ssh-agent-using.adoc

@@ -3,6 +3,7 @@
 // * installing/installing_aws/installing-aws-user-infra.adoc
 // * installing/installing_aws/installing-aws-customizations.adoc
 // * installing/installing_aws/installing-aws-default.adoc
+// * installing/installing_aws/installing-aws-government-region.adoc
 // * installing/installing_aws/installing-aws-network-customizations.adoc
 // * installing/installing_aws/installing-aws-private.adoc
 // * installing/installing_aws/installing-aws-vpc.adoc