diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml index 958a033126..86dffeac8a 100644 --- a/_topic_maps/_topic_map_rosa.yml +++ b/_topic_maps/_topic_map_rosa.yml @@ -233,9 +233,16 @@ Topics: - Name: Prerequisites checklist for deploying ROSA using STS File: rosa-cloud-expert-prereq-checklist - Name: Detailed requirements for deploying ROSA using STS - File: rosa-sts-aws-prereqs -- Name: ROSA IAM role resources + File: rosa-classic-aws-prereqs +- Name: Detailed requirements for deploying ROSA with HCP + File: rosa-hcp-aws-prereqs +# Hiding this entry until the HCP migration is completed +# - Name: Detailed requirements for deploying ROSA using STS +# File: rosa-sts-aws-prereqs +- Name: ROSA Classic IAM role resources File: rosa-sts-ocm-role +- Name: ROSA with HCP IAM roles and resources + File: rosa-hcp-prepare-iam-roles-resources ##### NOTE: THE BELOW IS REMOVED AS PART OF OSDOCS-13310 # - Name: Limits and scalability # File: rosa-limits-scalability diff --git a/_topic_maps/_topic_map_rosa_hcp.yml b/_topic_maps/_topic_map_rosa_hcp.yml index 7bab59df0c..cad016a8df 100644 --- a/_topic_maps/_topic_map_rosa_hcp.yml +++ b/_topic_maps/_topic_map_rosa_hcp.yml @@ -164,7 +164,10 @@ Topics: - Name: Prerequisites checklist for deploying ROSA with HCP File: rosa-cloud-expert-prereq-checklist - Name: Detailed requirements for deploying ROSA with HCP - File: rosa-sts-aws-prereqs + File: rosa-hcp-aws-prereqs +# Hiding this entry until the HCP migration is completed +# - Name: Detailed requirements for deploying ROSA with HCP +# File: rosa-sts-aws-prereqs - Name: Required IAM roles and resources File: rosa-hcp-prepare-iam-roles-resources ##### NOTE: THE BELOW IS REMOVED AS PART OF OSDOCS-13310 
diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc index bf553f0906..64b3b8f95a 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-detailed-cli-guide.adoc @@ -142,7 +142,9 @@ The default settings are as follows: ** 2 infrastructure nodes ** 2 worker nodes ** No autoscaling -** See the documentation on xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[ec2 instances] for more details. +** See the documentation on xref:../../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-ec2-instances_rosa-classic-aws-prereqs[ec2 instances] for more details. +// This link needs to remain hidden until the HCP migration is published +// ** See the documentation on xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[ec2 instances] for more details. * Region: As configured for the `aws` CLI * Networking IP ranges: ** Machine CIDR: 10.0.0.0/16 diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc index 2b2e382cda..8f0ea06dcf 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc 
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-deploying/cloud-experts-getting-started-hcp.adoc @@ -152,7 +152,9 @@ echo "export PRIVATE_SUBNET_ID=$PRIVATE_SUBNET_ID" + [role="_additional-resources"] .Additional resources -* For more about VPC requirements, see the xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[VPC documentation]. +* For more about VPC requirements, see the xref:../../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-vpc_rosa-classic-aws-prereqs[VPC documentation]. +// This link needs to remain hidden until the HCP migration is published +// * For more about VPC requirements, see the xref:../../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[VPC documentation]. . The script outputs commands. Set the commands as environment variables to store the subnet IDs for later use. Copy and run the commands: + diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc index 6366908b52..d4bb68188c 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc +++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-getting-started-what-is-rosa.adoc 
@@ -134,7 +134,9 @@ etcd encryption is configured the same as in OpenShift Container Platform. The a Currently, the ROSA CLI does not accept multi-region KMS keys for EBS encryption. This feature is in our backlog for product updates. The ROSA CLI accepts single region KMS keys for EBS encryption if it is defined at cluster creation. == Infrastructure -ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[AWS prerequisites]. +ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-classic-aws-prereqs[AWS prerequisites]. +// This section needs to remain hidden until the HCP migration is published +// ROSA uses several different cloud services such as virtual machines, storage, and load balancers. You can see a defined list in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[AWS prerequisites]. == Credential methods There are two credential methods to grant Red{nbsp}Hat the permissions needed to perform the required actions in your AWS account: AWS with STS or an IAM user with admin permissions. AWS with STS is the preferred method, and the IAM user method will eventually be deprecated. AWS with STS better aligns with the principles of least privilege and secure practices in cloud service resource management. diff --git a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc index 83d345e670..d5094c74e8 100644 --- a/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc 
+++ b/cloud_experts_tutorials/cloud-experts-getting-started/cloud-experts-rosa-sts-explained.adoc 
@@ -61,7 +61,9 @@ STS roles and policies must be created for each ROSA cluster. To make this easie [id="components-specific-to-rosa-with-sts"] == Components specific to ROSA with STS -* *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. +* *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-ec2-instances_rosa-classic-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. +// This section needs to remain hidden until the HCP migration is done +// * *AWS infrastructure* - This provides the infrastructure required for the cluster. It contains the actual EC2 instances, storage, and networking components. See xref:../../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see supported instance types for compute nodes and xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for control plane and infrastructure node configuration. 
* *AWS STS* - See the credential method section above. * *OpenID Connect (OIDC)* - This provides a mechanism for cluster Operators to authenticate with AWS, assume the cluster roles through a trust policy, and obtain temporary credentials from STS to make the required API calls. * *Roles and policies* - The roles and policies are one of the main differences between ROSA with STS and ROSA with IAM Users. For ROSA with STS, the roles and policies used by ROSA are broken into account-wide roles and policies and Operator roles and policies. diff --git a/modules/rosa-prereq-roles-overview.adoc b/modules/rosa-prereq-roles-overview.adoc index f0349aab11..e5d302e7e3 100644 --- a/modules/rosa-prereq-roles-overview.adoc +++ b/modules/rosa-prereq-roles-overview.adoc @@ -3,7 +3,7 @@ // * rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc :_mod-docs-content-type: MODULE -[id="rosa-prereq-roles-overview"] +[id="rosa-prereq-roles-overview_{context}"] = Overview of required roles To create and manage your diff --git a/networking/network_security/network-verification.adoc b/networking/network_security/network-verification.adoc index a87859b53e..643b9424c3 100644 --- a/networking/network_security/network-verification.adoc +++ b/networking/network_security/network-verification.adoc 
@@ -41,7 +41,9 @@ ifdef::openshift-dedicated[] * Egress is available to the required domain and port combinations that are specified in the xref:../../osd_planning/aws-ccs.adoc#osd-aws-privatelink-firewall-prerequisites_aws-ccs[AWS firewall prerequisites] section. endif::openshift-dedicated[] ifdef::openshift-rosa[] -* Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] section. +* Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] section. +// This link needs to reamin hidden until the HCP migration is published +// * Egress is available to the required domain and port combinations that are specified in the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] section. endif::openshift-rosa[] include::modules/automatic-network-verification-bypassing.adoc[leveloffset=+1] diff --git a/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc b/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc index 9e960d2d9b..bbf334246b 100644 --- a/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc +++ b/networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc 
@@ -33,7 +33,9 @@ include::modules/cluster-wide-proxy-preqs.adoc[leveloffset=+1] .Additional resources ifdef::openshift-rosa[] -* For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS]. +* For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prerequisites[AWS prerequisites for ROSA with STS]. +// This section needs to remain hidden until the HCP migration is completed +// * For the installation prerequisites for ROSA clusters that use the AWS Security Token Service (STS), see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prerequisites[AWS prerequisites for ROSA with STS]. * For the installation prerequisites for ROSA clusters that do not use STS, see xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#prerequisites[AWS prerequisites for ROSA]. endif::openshift-rosa[] ifdef::openshift-dedicated[] diff --git a/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc b/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc index 3e95b8265c..50b9f44692 100644 --- a/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc +++ b/rosa_architecture/cloud-experts-rosa-hcp-sts-explained.adoc 
@@ -37,7 +37,9 @@ Security features for AWS STS include: [id="components-specific-to-rosa-hcp-with-sts"] == Components of {hcp-title} -* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-ec2-instances_rosa-hcp-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +// This link remains hidden until the migration is completed +//* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-hcp-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. 
* *AWS STS* - A method for granting short-term, dynamic tokens to provide users the necessary permissions to temporarily interact with your AWS account resources. * *OpenID Connect (OIDC)* - A mechanism for cluster Operators to authenticate with AWS, assume the cluster roles through a trust policy, and obtain temporary credentials from AWS IAM STS to make the required API calls. * *Roles and policies* - The roles and policies used by {hcp-title} can be divided into account-wide roles and policies and Operator roles and policies. diff --git a/rosa_architecture/rosa-sts-about-iam-resources.adoc b/rosa_architecture/rosa-sts-about-iam-resources.adoc index 4e43c336d0..3d9f7457f3 100644 --- a/rosa_architecture/rosa-sts-about-iam-resources.adoc +++ b/rosa_architecture/rosa-sts-about-iam-resources.adoc @@ -61,7 +61,9 @@ endif::openshift-rosa-hcp[] If you create ROSA clusters by using {cluster-manager-url}, you must have the following AWS IAM roles linked to your AWS account to create and manage the clusters. ifndef::openshift-rosa-hcp[] -For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. + For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-associating-account_rosa-classic-aws-prereqs[Associating your AWS account]. +// This section needs to remain hidden until the migration is completed +// For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. endif::openshift-rosa-hcp[] These AWS IAM roles are as follows: 
@@ -87,7 +89,9 @@ include::modules/rosa-sts-ocm-role-creation.adoc[leveloffset=+2] AWS IAM roles link to your AWS account to create and manage the clusters. ifndef::openshift-rosa-hcp[] -For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. +For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-associating-account_rosa-classic-aws-prereqs[Associating your AWS account]. +// This section needs to remain hidden until the migration is completed +// For more information about linking your IAM roles to your AWS account, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-associating-account_rosa-sts-aws-prereqs[Associating your AWS account]. endif::openshift-rosa-hcp[] [role="_additional-resources"] diff --git a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc index 72f9ea8857..9d1beba817 100644 --- a/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc +++ b/rosa_architecture/rosa_policy_service_definition/rosa-policy-responsibility-matrix.adoc 
@@ -13,7 +13,9 @@ include::modules/rosa-policy-responsibilities.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources ifdef::openshift-rosa[] -* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +// This link must remain hidden and changed until the migration is completed +// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] 
@@ -43,11 +45,18 @@ include::modules/rosa-policy-change-management.adoc[leveloffset=+1] [role="_additional-resources"] .Additional resources ifdef::openshift-rosa-hcp[] -* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] +* xref:../../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[Firewall prerequisites for {hcp-title}] endif::openshift-rosa-hcp[] ifdef::openshift-rosa[] -* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] +// These links need to remain hidden until HCP is published +// ifdef::openshift-rosa-hcp[] +// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] +// endif::openshift-rosa-hcp[] +// ifdef::openshift-rosa[] +// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +// endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] endif::openshift-dedicated[] diff --git a/rosa_cluster_admin/rosa-cluster-notifications.adoc b/rosa_cluster_admin/rosa-cluster-notifications.adoc index 03a45d9b47..d3b0687124 100644 --- a/rosa_cluster_admin/rosa-cluster-notifications.adoc +++ b/rosa_cluster_admin/rosa-cluster-notifications.adoc 
@@ -62,7 +62,9 @@ include::modules/managed-cluster-remove-notification-contacts.adoc[leveloffset=+ ifndef::openshift-rosa-hcp[] * Ensure that your firewall is configured according to the documented prerequisites: ifdef::openshift-rosa[] -** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +** xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +// This link needs to remain hidden until the HCP migration is published +// ** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] ifdef::openshift-dedicated[] ** xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] diff --git a/rosa_getting_started/rosa-getting-started.adoc b/rosa_getting_started/rosa-getting-started.adoc index 026e9ed147..5152112273 100644 --- a/rosa_getting_started/rosa-getting-started.adoc +++ b/rosa_getting_started/rosa-getting-started.adoc 
@@ -24,7 +24,9 @@ You can create a ROSA cluster either with or without the AWS Security Token Serv // Removed as part of OSDOCS-13310, until figures are verified. //xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[limits and scalability] and -* You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* You have reviewed the detailed xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. +// This link must remain hidden until HCP is published +// * You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * You have the xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[AWS service quotas that are required to run a ROSA cluster]. 
@@ -88,7 +90,9 @@ include::modules/rosa-getting-started-deleting-a-cluster.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] +* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] +// This link needs to remain hidden until HCP migration is published +// * For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow] * For more information about setting up accounts and ROSA clusters without using AWS STS, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow] diff --git a/rosa_getting_started/rosa-quickstart-guide-ui.adoc b/rosa_getting_started/rosa-quickstart-guide-ui.adoc index 37648402e8..236e62a1a0 100644 --- a/rosa_getting_started/rosa-quickstart-guide-ui.adoc +++ b/rosa_getting_started/rosa-quickstart-guide-ui.adoc 
@@ -26,7 +26,9 @@ image::291_OpenShift_on_AWS_Intro_1122_docs.png[{product-title}] // Removed as part of OSDOCS-13310, until figures are verified. // xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[limits and scalability] and -* You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* You have reviewed the detailed xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. +// This link is hidden until HCP migration is published +// * You have reviewed the detailed xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * You have the xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[AWS service quotas that are required to run a ROSA cluster]. 
@@ -163,7 +165,9 @@ include::modules/rosa-getting-started-deleting-a-cluster.adoc[leveloffset=+1] [id="additional-resources_{context}"] == Additional resources -* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. +* For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. +// This link is hidden until HCP migration is published +// * For more information about setting up accounts and ROSA clusters using AWS STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-overview-of-the-deployment-workflow[Understanding the ROSA with STS deployment workflow]. * For more information about setting up accounts and ROSA clusters without using AWS STS, see xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-getting-started-workflow.adoc#rosa-understanding-the-deployment-workflow[Understanding the ROSA deployment workflow]. diff --git a/rosa_getting_started/rosa-sts-getting-started-workflow.adoc b/rosa_getting_started/rosa-sts-getting-started-workflow.adoc index e5399c550e..d18ca54079 100644 --- a/rosa_getting_started/rosa-sts-getting-started-workflow.adoc +++ b/rosa_getting_started/rosa-sts-getting-started-workflow.adoc 
@@ -17,7 +17,9 @@ The AWS Security Token Service (STS) is a global web service that provides short You can follow the workflow stages outlined in this section to set up and access a ROSA cluster that uses STS. -. xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. +. xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. +// This link needs to remain hidden until HCP is published +// . xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Complete the AWS prerequisites for ROSA with STS]. To deploy a ROSA cluster with STS, your AWS account must meet the prerequisite requirements. . xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Review the required AWS service quotas]. To prepare for your cluster deployment, review the AWS service quotas that are required to run a ROSA cluster. . xref:../rosa_planning/rosa-sts-setting-up-environment.adoc#rosa-sts-setting-up-environment[Set up the environment and install ROSA using STS]. Before you create a ROSA with STS cluster, you must enable ROSA in your AWS account, install and configure the required CLI tools, and verify the configuration of the CLI tools. You must also verify that the AWS Elastic Load Balancing (ELB) service role exists and that the required AWS resource quotas are available. . xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Create a ROSA cluster with STS quickly] or xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[create a cluster using customizations]. 
Use the ROSA CLI (`rosa`) or {cluster-manager-first} to create a cluster with STS. You can create a cluster quickly by using the default options, or you can apply customizations to suit the needs of your organization. diff --git a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc index e15b553931..81049cf187 100644 --- a/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc +++ b/rosa_hcp/rosa-hcp-aws-private-creating-cluster.adoc @@ -26,7 +26,9 @@ xref:../rosa_install_access_delete_clusters/rosa-sts-config-identity-providers.a [id="additional-resources_rosa-hcp-aws-privatelink-creating-cluster"] == Additional resources -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[AWS PrivateLink firewall prerequisites] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS PrivateLink firewall prerequisites] +// This link must remain hidden until the HCP migration is completed +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[AWS PrivateLink firewall prerequisites] * xref:../rosa_getting_started/rosa-sts-getting-started-workflow.adoc#rosa-sts-overview-of-the-deployment-workflow[Overview of the ROSA with STS deployment workflow] * xref:../rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.adoc#rosa-sts-deleting-cluster[Deleting a ROSA cluster] * xref:../architecture/rosa-architecture-models.adoc#rosa-architecture-models[ROSA architecture models] diff --git a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc index 9f1168fec4..4bbce67fe1 100644 --- a/rosa_hcp/rosa-hcp-cluster-no-cni.adoc +++ b/rosa_hcp/rosa-hcp-cluster-no-cni.adoc 
@@ -29,7 +29,9 @@ If you choose to use your own CNI for {rosa-short} clusters, it is strongly reco == Creating a {rosa-short} cluster without a CNI plugin === Prerequisites -* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. +* Ensure that you have completed the xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites]. +// This link needs to remain hidden until HCP is published +// * Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. * Ensure that you have a configured xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[virtual private cloud] (VPC). diff --git a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc index 6ff1feb38a..39579d051f 100644 --- a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc +++ b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc 
@@ -95,7 +95,9 @@ ifndef::openshift-rosa-hcp[] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] +// This link needs to be hidden until HCP migration is published +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations] diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc index f7f8c4c4ce..d8f6af0d06 100644 --- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc +++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-ext-auth.adoc 
@@ -36,7 +36,9 @@ endif::openshift-rosa-hcp[] To create a {rosa-short} cluster, you must have completed the following steps: ifndef::openshift-rosa-hcp[] -* Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites] +* Completed the xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites] +// This link must remain hidden until HCP migration is published +// * Completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites] endif::openshift-rosa-hcp[] * xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-hcp-creating-vpc[Configured virtual private cloud (VPC)] * Created xref:../rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-account-wide-sts-roles-and-policies_rosa-hcp-sts-creating-a-cluster-quickly[Account-wide roles] 
@@ -83,7 +85,9 @@ include::modules/rosa-hcp-sts-creating-a-cluster-external-auth-provider-delete-c // * To learn more about the default CIDR ranges for {product-title}, see xref:#../networking/cidr-range-definitions.adoc#cidr-range-definitions[CIDR range definitions]. * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] +// This link needs to be hidden until HCP migration is published +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP cluster installations] diff --git a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc index 91ad84788d..843edf1746 100644 --- a/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc +++ b/rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc 
@@ -52,7 +52,9 @@ Alternatively, you can use `manual` mode, which outputs the `aws` commands neede .Next steps ifndef::openshift-rosa-hcp[] -* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. +* Ensure that you have completed the xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites]. +// This link must remain hidden until HCP migration is published +// * Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. endif::openshift-rosa-hcp[] include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1] 
@@ -148,7 +150,9 @@ ifndef::openshift-rosa-hcp[] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS] * xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Additional custom security groups] * xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS] +// This link needs to be hidden until HCP migration is published +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS] * xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes] * link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] * xref:../support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc#rosa-troubleshooting-installations-hcp[Troubleshooting ROSA with HCP installations] diff --git a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc index 9c13a6054f..a86fb8e0ef 100644 --- a/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc +++ b/rosa_install_access_delete_clusters/rosa-aws-privatelink-creating-cluster.adoc 
@@ -21,11 +21,18 @@ include::modules/osd-aws-privatelink-config-dns-forwarding.adoc[leveloffset=+1] == Additional resources ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[Firewall prerequisites for {hcp-title}] endif::openshift-rosa-hcp[] ifdef::openshift-rosa[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] endif::openshift-rosa[] +// These links must remain hidden until HCP is migrated +// ifdef::openshift-rosa-hcp[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for {hcp-title}] +// endif::openshift-rosa-hcp[] +// ifdef::openshift-rosa[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites for ROSA (classic architecture) clusters using STS] +// endif::openshift-rosa[] ifdef::openshift-dedicated[] * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[Firewall prerequisites] endif::openshift-dedicated[] diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc index 29fd8698e4..ca9e895c54 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc 
@@ -20,7 +20,9 @@ Alternatively, you can use `manual` mode, which outputs the `aws` commands neede [id="next-steps_{context}"] .Next steps -* Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. +* Ensure that you have completed the xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites]. +// This link must remain hidden until the HCP migration is completed +// * Ensure that you have completed the xref:../rosa_planning/rosa-sts-aws-prereqs.adoc[AWS prerequisites]. include::snippets/oidc-cloudfront.adoc[] include::modules/rosa-sts-overview-of-the-default-cluster-specifications.adoc[leveloffset=+1] include::modules/rosa-sts-understanding-aws-account-association.adoc[leveloffset=+1] 
@@ -71,7 +73,9 @@ include::modules/rosa-sts-creating-a-cluster-quickly-cli.adoc[leveloffset=+1] * For steps to deploy a ROSA cluster using manual mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-cluster-using-customizations_rosa-sts-creating-a-cluster-with-customizations[Creating a cluster using customizations]. * For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]. * For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]. -* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. +// This link needs to remain hidden until the HCP migration is completed +// * For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * For details about using the `auto` and `manual` modes to create the required STS resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-understanding-deployment-modes_rosa-sts-creating-a-cluster-with-customizations[Understanding the auto and manual deployment modes]. 
* For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. * For more information about troubleshooting ROSA cluster installations, see xref:../support/troubleshooting/rosa-troubleshooting-installations.adoc#rosa-troubleshooting-installations[Troubleshooting installations]. diff --git a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc index 5af56d65e0..b3168eed81 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc 
@@ -78,7 +78,9 @@ include::modules/rosa-sts-creating-a-cluster-with-customizations-cli.adoc[levelo * For more information about the AWS Identity Access Management (IAM) resources required to deploy {product-title} with STS, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-iam-resources[About IAM resources for clusters that use STS]. * For details about optionally setting an Operator role name prefix, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-about-operator-role-prefixes_rosa-sts-about-iam-resources[About custom Operator IAM role prefixes]. * For an overview of the options that are presented when you create the AWS IAM resources and clusters by using interactive mode, see xref:../rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc#rosa-sts-interactive-mode-reference[Interactive cluster creation mode reference]. -* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS prerequisites for ROSA with STS]. +// This link needs to remain hidden until the HCP migration is completed +// * For information about the prerequisites to installing ROSA with STS, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. * For more information about using OpenID Connect (OIDC) identity providers in AWS IAM, see link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_roles_providers_create_oidc.html[Creating OpenID Connect (OIDC) identity providers] in the AWS documentation. 
* For more information about etcd encryption, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition]. * For information about configuring a proxy with ROSA, see xref:../networking/ovn_kubernetes_network_provider/configuring-cluster-wide-proxy.adoc#configuring-a-cluster-wide-proxy[Configuring a cluster-wide proxy]. diff --git a/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc b/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc index 981cf76719..729b452ca5 100644 --- a/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc +++ b/rosa_install_access_delete_clusters/rosa-sts-interactive-mode-reference.adoc 
@@ -20,4 +20,6 @@ include::modules/rosa-sts-interactive-cluster-creation-mode-options.adoc[levelof * For detailed steps to quickly create a ROSA cluster with STS, including the AWS IAM resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.adoc#rosa-sts-creating-a-cluster-quickly[Creating a ROSA cluster with STS using the default options]. * For detailed steps to create a ROSA cluster with STS using customizations, including the AWS IAM resources, see xref:../rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-with-customizations.adoc#rosa-sts-creating-a-cluster-with-customizations[Creating a ROSA cluster with STS using customizations]. * For more information about etcd encryption, see the xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-etcd-encryption_rosa-service-definition[etcd encryption service definition]. -* For an example VPC architecture, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[this sample VPC architecture]. +* For an example VPC architecture, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-vpc_rosa-classic-aws-prereqs[this sample VPC architecture]. +// This link must remain hidden until the HCP migration is completed +// * For an example VPC architecture, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-vpc_rosa-sts-aws-prereqs[this sample VPC architecture]. diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc index d5ad815fe7..d5cee24b8c 100644 --- a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc +++ b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc 
@@ -9,7 +9,9 @@ toc::[] {product-title} (ROSA) provides a model that allows Red{nbsp}Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account. -You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements]. +You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-prereqs_rosa-classic-aws-prereqs[STS-specific requirements]. +// This link must remain hidden until HCP is migrated +// You must ensure that the prerequisites are met before installing ROSA. This requirements document does not apply to AWS Security Token Service (STS). If you are using STS, see the xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-prereqs_rosa-sts-aws-prereqs[STS-specific requirements]. include::snippets/rosa-sts.adoc[] diff --git a/rosa_planning/rosa-classic-aws-prereqs.adoc b/rosa_planning/rosa-classic-aws-prereqs.adoc new file mode 100644 index 0000000000..1cf9cf2006 --- /dev/null +++ b/rosa_planning/rosa-classic-aws-prereqs.adoc 
@@ -0,0 +1,111 @@ +:_mod-docs-content-type: ASSEMBLY +include::_attributes/attributes-openshift-dedicated.adoc[] +//title and ID conditions so this can be shared between Classic and HCP docs while it remains accurate for both +:context: rosa-classic-aws-prereqs +[id="rosa-classic-aws-prereqs"] += Detailed requirements for deploying {rosa-classic-short} using STS + +toc::[] + +{rosa-classic-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer's existing Amazon Web Service (AWS) account. + +include::snippets/rosa-sts.adoc[leveloffset=+0] + +Ensure that the following prerequisites are met before installing your cluster. + +[id="rosa-sts-customer-requirements_{context}"] +== Customer requirements when using STS for deployment + +The following prerequisites must be complete before you deploy a {rosa-classic-short} cluster that uses the AWS Security Token Service (STS). + +include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+2] + +//Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now +[role="_additional-resources"] +[id="additional-resources_aws-account-requirements_{context}"] +.Additional resources +// Removed as part of OSDOCS-13310, until figures are verified. 
+//* xref:../rosa_planning/rosa-limits-scalability.adoc#rosa-limits-scalability[Limits and scalability] +* xref:../support/troubleshooting/rosa-troubleshooting-deployments.adoc#rosa-troubleshooting-elb-service-role_rosa-troubleshooting-cluster-deployments[Creating the Elastic Load Balancing (ELB) service-linked role] + +//TODO OSDOCS-11789: Nothing in the following module is actually a requirement, it's purely informative/recommended and needs to be re-validated by SRE/Support +include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2] + +//TODO OSDOCS-11789: Need to have this re-validated by SRE/Support +include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2] + +//Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now +[role="_additional-resources"] +[id="additional-resources_aws-security-requirements_{context}"] +.Additional resources +ifdef::openshift-dedicated[] +* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] +endif::openshift-dedicated[] +ifdef::openshift-rosa[] +* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] + +// This link needs to remain hidden until the HCP migration is published +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] +endif::openshift-rosa[] + +[id="rosa-ocm-requirements_{context}"] +== Requirements for using {cluster-manager} + +The following configuration details are required only if you use {cluster-manager-url} to manage your clusters. If you use the CLI tools exclusively, then you can disregard these requirements. + +//TODO OSDOCS-11789: when are ocm-role and user-role actually created? 
Pretty sure this happens as part of the cluster install process, so doesn't need to be done ahead of time?? +include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+2] +include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+2] + +ifdef::openshift-rosa,openshift-rosa-hcp[] +[discrete] +[role="_additional-resources"] +[id="additional-resources_creating-association_{context}"] +== Additional resources +* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference] +endif::openshift-rosa,openshift-rosa-hcp[] + +include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+2] + +include::modules/rosa-requirements-deploying-in-opt-in-regions.adoc[leveloffset=+1] +include::modules/rosa-setting-the-aws-security-token-version.adoc[leveloffset=+2] + +[id="rosa-sts-policy-iam_{context}"] +== Red{nbsp}Hat managed IAM references for AWS + +When you use STS as your cluster credential method, Red{nbsp}Hat is not responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles. + +* To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. +See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-prepare-iam-resources-roles-ocm[Required IAM roles and resources]. +* If you have a single cluster, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference]. +* For each cluster, you must have the necessary Operator roles. See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference]. 
+ +include::modules/rosa-aws-provisioned.adoc[leveloffset=+1] + +[id="rosa-network-prereqs_{context}"] +== Networking prerequisites + +include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] + +[id="osd-aws-privatelink-firewall-prerequisites_rosa-classic-aws-prereqs"] +=== AWS firewall prerequisites + +If you are using a firewall to control egress traffic from your {rosa-classic-short}, you must configure your firewall to grant access to the certain domain and port combinations below. {rosa-classic-short} requires this access to provide a fully managed OpenShift service. + +include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+2] + +[role="_additional-resources"] +.Additional resources +* xref:../support/remote_health_monitoring/about-remote-health-monitoring.adoc#about-remote-health-monitoring[About remote health monitoring] + +[discrete] +== Next steps +* xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas_rosa-sts-required-aws-service-quotas[Review the required AWS service quotas] + +[discrete] +[role="_additional-resources"] +[id="additional-resources_aws-prerequisites_{context}"] +== Additional resources +* xref:../rosa_architecture/rosa_policy_service_definition/rosa-policy-process-security.adoc#rosa-policy-sre-access_rosa-policy-process-security[SRE access to all Red{nbsp}Hat OpenShift Service on AWS clusters] +* xref:../applications/deployments/rosa-config-custom-domains-applications.adoc#rosa-applications-config-custom-domains[Configuring custom domains for applications] +* xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-instance-types_rosa-service-definition[Instance types] \ No newline at end of file diff --git a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc index 87ad9312f2..747ec95042 100644 --- a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc 
+++ b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc 
@@ -153,13 +153,22 @@ $ rosa verify quota + This command only checks the total quota allocated to your account; it does not reflect the amount of quota already consumed from that quota. Running this command is optional because your quota is verified during cluster deployment. However, Red Hat recommends running this command to confirm your quota ahead of time so that deployment is not interrupted by issues with quota availability. ifdef::openshift-rosa[] -* For more information about resources provisioned during {rosa-classic-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure]. +* For more information about resources provisioned during {rosa-classic-short} cluster deployment, see xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-classic-aws-prereqs[Provisioned AWS Infrastructure]. * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -* For more information about resources provisioned during {rosa-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-prereqs[Provisioned AWS Infrastructure]. +* For more information about resources provisioned during {rosa-short} cluster deployment, see xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-aws-prereqs[Provisioned AWS Infrastructure]. * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. 
endif::openshift-rosa-hcp[] +// These links need to remain hidden until HCP is published +// ifdef::openshift-rosa[] +// * For more information about resources provisioned during {rosa-classic-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure]. +// * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. +// endif::openshift-rosa[] +// ifdef::openshift-rosa-hcp[] +// * For more information about resources provisioned during {rosa-short} cluster deployment, see xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-aws-policy-provisioned_rosa-hcp-prereqs[Provisioned AWS Infrastructure]. +// * For more information about the required AWS service quotas, see xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas]. +// endif::openshift-rosa-hcp[] == Service Control Policy (SCP) prerequisites 
@@ -192,11 +201,19 @@ include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] //TODO OSDOCS-11789: Are these things that your cluster needs access to, or your deploying machine needs access to? * Configure your firewall to allow access to the domains and ports listed in ifdef::openshift-rosa[] -xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites]. +xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] +xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS firewall prerequisites] endif::openshift-rosa-hcp[] +// These links need to remain hidden until HCP is published +// * Configure your firewall to allow access to the domains and ports listed in +// ifdef::openshift-rosa[] +// xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites]. +// endif::openshift-rosa[] +// ifdef::openshift-rosa-hcp[] +// xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] +// endif::openshift-rosa-hcp[] //Moving up prereqs that are actually required for deployment ifdef::openshift-rosa[] 
@@ -253,8 +270,12 @@ ifdef::openshift-rosa[] For more details see the detailed requirements for xref:../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-security-groups_prerequisites[Security groups]. endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -For more details see the detailed requirements for xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-prereqs[Security groups]. +For more details see the detailed requirements for xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-aws-prereqs[Security groups]. endif::openshift-rosa-hcp[] +// This must remain hidden until HCP is published +// ifdef::openshift-rosa-hcp[] +// For more details see the detailed requirements for xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-security-groups_rosa-hcp-prereqs[Security groups]. +// endif::openshift-rosa-hcp[] === Custom DNS and domains diff --git a/rosa_planning/rosa-hcp-aws-prereqs.adoc b/rosa_planning/rosa-hcp-aws-prereqs.adoc new file mode 100644 index 0000000000..665e435052 --- /dev/null +++ b/rosa_planning/rosa-hcp-aws-prereqs.adoc 
@@ -0,0 +1,90 @@ +:_mod-docs-content-type: ASSEMBLY +include::_attributes/attributes-openshift-dedicated.adoc[] +//title and ID conditions so this can be shared between Classic and HCP docs while it remains accurate for both +:context: rosa-hcp-aws-prereqs += Detailed requirements for deploying {rosa-short} + +toc::[] + +{rosa-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer's existing Amazon Web Service (AWS) account. + +Ensure that the following prerequisites are met before installing your cluster. + +[id="rosa-hcp-customer-requirements_{context}"] +== Customer requirements for all {rosa-short} clusters + +The following prerequisites must be complete before you deploy a {rosa-short} cluster. + +include::modules/rosa-sts-aws-requirements-account.adoc[leveloffset=+2] + +//TODO OSDOCS-11789: Nothing in the following module is actually a requirement, it's purely informative/recommended and needs to be re-validated by SRE/Support +include::modules/rosa-sts-aws-requirements-support-req.adoc[leveloffset=+2] + +//TODO OSDOCS-11789: Need to have this re-validated by SRE/Support +include::modules/rosa-sts-aws-requirements-security-req.adoc[leveloffset=+2] + +//Adding conditions around these in case the Additional resources don't get ported to HCP or have different file names / locations; keeping all included for now +[role="_additional-resources"] +[id="additional-resources_aws-security-requirements_{context}"] +.Additional resources +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS firewall prerequisites] +// This link needs to remain hidden until HCP is published +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] + +[id="rosa-ocm-requirements_{context}"] +== Requirements for using {cluster-manager} + +The following configuration details are required only if you use {cluster-manager-url} to manage your 
clusters. If you use the CLI tools exclusively, then you can disregard these requirements. + +//TODO OSDOCS-11789: when are ocm-role and user-role actually created? Pretty sure this happens as part of the cluster install process, so doesn't need to be done ahead of time?? +include::modules/rosa-sts-aws-requirements-association-concept.adoc[leveloffset=+2] +include::modules/rosa-sts-aws-requirements-creating-association.adoc[leveloffset=+2] + +ifdef::openshift-rosa,openshift-rosa-hcp[] +[discrete] +[role="_additional-resources"] +[id="additional-resources_creating-association_{context}"] +== Additional resources +* xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference] +endif::openshift-rosa,openshift-rosa-hcp[] + +include::modules/rosa-sts-aws-requirements-creating-multi-association.adoc[leveloffset=+2] + +include::modules/rosa-requirements-deploying-in-opt-in-regions.adoc[leveloffset=+1] +include::modules/rosa-setting-the-aws-security-token-version.adoc[leveloffset=+2] + +[id="rosa-sts-policy-iam_{context}"] +== Red{nbsp}Hat managed IAM references for AWS + +Red{nbsp}Hat is not responsible for creating and managing Amazon Web Services (AWS) IAM policies, IAM users, or IAM roles. For information on creating these roles and policies, see the following sections on IAM roles. + +* To use the `ocm` CLI, you must have an `ocm-role` and `user-role` resource. +See xref:../rosa_planning/rosa-hcp-prepare-iam-roles-resources.adoc#rosa-prepare-iam-resources-roles-ocm[Required IAM roles and resources]. +* If you have a single cluster, see xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-account-wide-roles-and-policies_rosa-sts-about-iam-resources[Account-wide IAM role and policy reference]. +* For each cluster, you must have the necessary Operator roles. 
See xref:../rosa_architecture/rosa-sts-about-iam-resources.adoc#rosa-sts-operator-roles_rosa-sts-about-iam-resources[Cluster-specific Operator IAM role reference]. + +include::modules/rosa-aws-provisioned.adoc[leveloffset=+1] + +[id="rosa-network-prereqs_{context}"] +== Networking prerequisites + +include::modules/mos-network-prereqs-min-bandwidth.adoc[leveloffset=+2] + +[id="osd-aws-privatelink-firewall-prerequisites_rosa-hcp-aws-prereqs"] +=== AWS firewall prerequisites + +If you are using a firewall to control egress traffic from your {rosa-short}, you must configure your firewall to grant access to the certain domain and port combinations below. {rosa-short} requires this access to provide a fully managed OpenShift service. + +include::modules/osd-aws-privatelink-firewall-prerequisites.adoc[leveloffset=+2] +include::modules/rosa-hcp-firewall-prerequisites.adoc[leveloffset=+2] + +[discrete] +== Next steps +* xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-required-aws-service-quotas_rosa-sts-required-aws-service-quotas[Review the required AWS service quotas] + +[discrete] +[role="_additional-resources"] +[id="additional-resources_aws-prerequisites_{context}"] +== Additional resources +* xref:../rosa_architecture/rosa_policy_service_definition/rosa-sre-access.adoc#rosa-sre-access[SRE and service account access] +* xref:../rosa_architecture/rosa_policy_service_definition/rosa-hcp-instance-types.adoc#rosa-hcp-instance-types[Instance types] \ No newline at end of file diff --git a/rosa_planning/rosa-sts-aws-prereqs.adoc b/rosa_planning/rosa-sts-aws-prereqs.adoc index de4ff325d7..2df6bcf5c6 100644 --- a/rosa_planning/rosa-sts-aws-prereqs.adoc +++ b/rosa_planning/rosa-sts-aws-prereqs.adoc 
@@ -2,19 +2,30 @@ include::_attributes/attributes-openshift-dedicated.adoc[] //title and ID conditions so this can be shared between Classic and HCP docs while it remains accurate for both ifndef::openshift-rosa-hcp[] -:context: rosa-sts-aws-prereqs -[id="rosa-sts-aws-prereqs"] +:context: rosa-classic-aws-prereqs +[id="rosa-sts-classic-aws-prereqs"] = Detailed requirements for deploying {product-title} using STS endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] -:context: rosa-hcp-prereqs -[id="rosa-hcp-prereqs"] +:context: rosa-hcp-aws-prereqs +[id="rosa-sts-hcp-aws-prereqs"] = Detailed requirements for deploying {product-title} endif::openshift-rosa-hcp[] +// This section needs to remain hidden until the HCP migration +// ifndef::openshift-rosa-hcp[] +// :context: rosa-sts-aws-prereqs +// [id="rosa-sts-aws-prereqs"] +// = Detailed requirements for deploying {product-title} using STS +// endif::openshift-rosa-hcp[] +// ifdef::openshift-rosa-hcp[] +// :context: rosa-hcp-prereqs +// [id="rosa-hcp-prereqs"] +// = Detailed requirements for deploying {product-title} +// endif::openshift-rosa-hcp[] toc::[] -{product-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer’s existing Amazon Web Service (AWS) account. +{product-title} provides a model that allows Red{nbsp}Hat to deploy clusters into a customer's existing Amazon Web Service (AWS) account. ifndef::openshift-rosa-hcp[] include::snippets/rosa-sts.adoc[leveloffset=+0] 
@@ -61,11 +72,18 @@ ifdef::openshift-dedicated[] * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] endif::openshift-dedicated[] ifdef::openshift-rosa[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] +* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-classic-aws-prereqs[AWS firewall prerequisites] endif::openshift-rosa[] ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-aws-prereqs[AWS firewall prerequisites] endif::openshift-rosa-hcp[] +// These need to remain hidden until the HCP migration is completed +// ifdef::openshift-rosa[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-classic-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites] +// endif::openshift-rosa[] +// ifdef::openshift-rosa-hcp[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-firewall-prerequisites_rosa-hcp-prereqs[AWS firewall prerequisites] +// endif::openshift-rosa-hcp[] [id="rosa-ocm-requirements_{context}"] == Requirements for using {cluster-manager} diff --git a/rosa_planning/rosa-sts-setting-up-environment.adoc b/rosa_planning/rosa-sts-setting-up-environment.adoc index b3d188f275..abd701f80b 100644 --- a/rosa_planning/rosa-sts-setting-up-environment.adoc +++ b/rosa_planning/rosa-sts-setting-up-environment.adoc 
@@ -40,10 +40,19 @@ endif::openshift-rosa-hcp[] [role="_additional-resources"] == Additional resources ifndef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS Prerequisites] +* xref:../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[AWS Prerequisites] * xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas and increase requests] endif::openshift-rosa-hcp[] ifdef::openshift-rosa-hcp[] -* xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[AWS Prerequisites] +* xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc[AWS Prerequisites] // TODO OSDOCS-11789: AWS quotas for HCP endif::openshift-rosa-hcp[] +// This section needs to remain hidden until the HCP migration is published +//ifndef::openshift-rosa-hcp[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS Prerequisites] +// * xref:../rosa_planning/rosa-sts-required-aws-service-quotas.adoc#rosa-sts-required-aws-service-quotas[Required AWS service quotas and increase requests] +// endif::openshift-rosa-hcp[] +// ifdef::openshift-rosa-hcp[] +// * xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-hcp-prereqs[AWS Prerequisites] +// // TODO OSDOCS-11789: AWS quotas for HCP +// endif::openshift-rosa-hcp[] diff --git a/support/troubleshooting/rosa-troubleshooting-deployments.adoc b/support/troubleshooting/rosa-troubleshooting-deployments.adoc index 8582db057a..44151cea97 100644 --- a/support/troubleshooting/rosa-troubleshooting-deployments.adoc +++ b/support/troubleshooting/rosa-troubleshooting-deployments.adoc 
@@ -41,7 +41,9 @@ include::modules/rosa-troubleshooting-awsinsufficientpermission-failure-deployme ifndef::openshift-rosa-hcp[] [role="_additional-resources"] .Additional resources -* xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Detailed requirements for deploying ROSA (classic architecture) using STS] +* xref:../../rosa_planning/rosa-classic-aws-prereqs.adoc#rosa-classic-aws-prereqs[Detailed requirements for deploying ROSA (classic architecture) using STS] +// This link needs to remain hidden until the HCP migration is completed +// * xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[Detailed requirements for deploying ROSA (classic architecture) using STS] * xref:../../rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc#rosa-aws-prereqs[AWS prerequisites for ROSA] endif::openshift-rosa-hcp[] diff --git a/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc b/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc index 8a6c21036c..e8e46e1abc 100644 --- a/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc +++ b/support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc 
@@ -14,7 +14,9 @@ include::modules/rosa-verify-hcp-install.adoc[leveloffset=+1] ifndef::openshift-rosa-hcp[] [role="_additional-resources"] .Additional resources -* For information about the prerequisites for installing {hcp-title} clusters, see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. +* For information about the prerequisites for installing {hcp-title} clusters, see xref:../../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs[AWS prerequisites for ROSA with STS]. +// This link must remain hidden until the HCP migration is completed +// * For information about the prerequisites for installing {hcp-title} clusters, see xref:../../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-sts-aws-prereqs[AWS prerequisites for ROSA with STS]. endif::openshift-rosa-hcp[] include::modules/rosa-troubleshoot-hcp-install.adoc[leveloffset=+1] diff --git a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc index b8c3640ed7..b08d6757e9 100644 --- a/welcome/cloud-experts-rosa-hcp-sts-explained.adoc +++ b/welcome/cloud-experts-rosa-hcp-sts-explained.adoc 
@@ -37,7 +37,9 @@ Security features for AWS STS include: [id="components-specific-to-rosa-hcp-with-sts"] == Components of {hcp-title} -* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +* *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-hcp-aws-prereqs.adoc#rosa-ec2-instances_rosa-hcp-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. +// This section needs to remain hidden until the HCP migration is completed. +// * *AWS infrastructure* - The infrastructure required for the cluster including the Amazon EC2 instances, Amazon EBS storage, and networking components. See xref:../rosa_architecture/rosa_policy_service_definition/rosa-service-definition.adoc#rosa-sdpolicy-aws-compute-types_rosa-service-definition[AWS compute types] to see the supported instance types for compute nodes and xref:../rosa_planning/rosa-sts-aws-prereqs.adoc#rosa-ec2-instances_rosa-sts-aws-prereqs[provisioned AWS infrastructure] for more information on cloud resource configuration. 
* *AWS STS* - A method for granting short-term, dynamic tokens to provide users the necessary permissions to temporarily interact with your AWS account resources. * *OpenID Connect (OIDC)* - A mechanism for cluster Operators to authenticate with AWS, assume the cluster roles through a trust policy, and obtain temporary credentials from AWS IAM STS to make the required API calls. * *Roles and policies* - The roles and policies used by {hcp-title} can be divided into account-wide roles and policies and Operator roles and policies.
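Review bot: the new HCP prerequisites assembly (the `@@ -0,0 +1,90 @@` hunk) sets `:context: rosa-hcp-aws-prereqs` but puts no `[id=...]` line above the title `= Detailed requirements for deploying {rosa-short}`, while the rosa-troubleshooting-installations-hcp.adoc hunk in this patch links to `rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs`. Add `[id="rosa-hcp-aws-prereqs"]` before the title so that anchor resolves. In the same hunk, the heading "Red{nbsp}Hat managed IAM references for AWS" is followed by a sentence saying Red Hat is not responsible for creating and managing IAM policies, users, or roles, so the heading misstates who owns IAM in the customer account. Its first bullet also requires `ocm-role` and `user-role` for the `ocm` CLI, whereas the {cluster-manager} section above says CLI-only users can disregard those requirements; please reconcile the two. Smaller points: the firewall section id hardcodes `_rosa-hcp-aws-prereqs` where the other ids use `_{context}`, "grant access to the certain domain and port combinations below" needs rewording, and the file has no trailing newline.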
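Review bot: in the first rosa_planning/rosa-sts-aws-prereqs.adoc hunk (`@@ -2,19 +2,30 @@`), the new title ids `rosa-sts-classic-aws-prereqs` and `rosa-sts-hcp-aws-prereqs` match neither the new `:context:` values nor any xref updated in this patch, which use `#rosa-classic-aws-prereqs` and `#rosa-hcp-aws-prereqs`. If the mismatch is deliberate, to avoid duplicate ids with the new assemblies while this file stays hidden, say so in the comment. Otherwise align the ids with the contexts. Setting `:context:` to the same value as the new HCP assembly also means every `_{context}` id in this file now collides with the new file's ids if both are ever built together. The commented-out copy of the old header block duplicates what git history already keeps; a one-line comment naming the tracking issue would be easier to clean up later.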
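Review bot: in the second rosa_planning/rosa-sts-aws-prereqs.adoc hunk (`@@ -61,11 +72,18 @@`), the `ifdef::openshift-dedicated[]` xref is left as `rosa-sts-aws-prereqs.adoc#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs` while the two ROSA xrefs next to it are updated. The previous hunk changes this file's `:context:`, so if that section id is built from `{context}` the `_rosa-sts-aws-prereqs` suffix no longer exists and the link breaks. Either update this xref in the same change or note why the dedicated build is unaffected.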
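Review bot: in the rosa_planning/rosa-sts-setting-up-environment.adoc hunk, the HCP xref is written as `rosa-hcp-aws-prereqs.adoc[AWS Prerequisites]` with no anchor, while the Classic xref just above it keeps an explicit `#rosa-classic-aws-prereqs`. Use the same form for both so link checking treats them alike. In the commented-out block, `//ifndef::openshift-rosa-hcp[]` is missing the space used on the other comment lines, and the nested `// // TODO OSDOCS-11789` duplicates a TODO that is still live a few lines up.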
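Review bot: in the support/troubleshooting/rosa-troubleshooting-installations-hcp.adoc hunk, the xref target changes to `rosa-hcp-aws-prereqs.adoc#rosa-hcp-aws-prereqs` but the link text is still "AWS prerequisites for ROSA with STS", which no longer matches the target page title "Detailed requirements for deploying {rosa-short}". Update the link text with the target. The bullet also sits inside `ifndef::openshift-rosa-hcp[]`, so this HCP link is rendered only in builds where the HCP attribute is not set; confirm that is the intended condition.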