openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
aad9ccc2ec5fc056ce2007dca36c7409ae10fd6f
openshift-docs/modules/installation-creating-aws-security.adoc
Kathryn Alexander 90d985a0bb [enterprise-4.14] changing content type attribute
2023-10-30 10:13:25 -04:00

116 lines
4.2 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * installing/installing_aws/installing-aws-user-infra.adoc
// * installing/installing_aws/installing-restricted-networks-aws.adoc
:_mod-docs-content-type: PROCEDURE
[id="installation-creating-aws-security_{context}"]
= Creating security group and roles in AWS
You must create security groups and roles in Amazon Web Services (AWS) for your {product-title} cluster to use.
You can use the provided CloudFormation template and a custom parameter file to create a stack of AWS resources. The stack represents the security groups and roles that your {product-title} cluster requires.
[NOTE]
====
If you do not use the provided CloudFormation template to create your AWS
infrastructure, you must review the provided information and manually create
the infrastructure. If your cluster does not initialize correctly, you might
have to contact Red Hat support with your installation logs.
====
.Prerequisites
* You configured an AWS account.
* You added your AWS keys and region to your local AWS profile by running `aws configure`.
* You generated the Ignition config files for your cluster.
* You created and configured a VPC and associated subnets in AWS.
.Procedure
. Create a JSON file that contains the parameter values that the template
requires:
+
[source,json]
----
[
{
"ParameterKey": "InfrastructureName", <1>
"ParameterValue": "mycluster-<random_string>" <2>
},
{
"ParameterKey": "VpcCidr", <3>
"ParameterValue": "10.0.0.0/16" <4>
},
{
"ParameterKey": "PrivateSubnets", <5>
"ParameterValue": "subnet-<random_string>" <6>
},
{
"ParameterKey": "VpcId", <7>
"ParameterValue": "vpc-<random_string>" <8>
}
]
----
<1> The name for your cluster infrastructure that is encoded in your Ignition
config files for the cluster.
<2> Specify the infrastructure name that you extracted from the Ignition config
file metadata, which has the format `<cluster-name>-<random-string>`.
<3> The CIDR block for the VPC.
<4> Specify the CIDR block parameter that you used for the VPC that you defined
in the form `x.x.x.x/16-24`.
<5> The private subnets that you created for your VPC.
<6> Specify the `PrivateSubnetIds` value from the output of the CloudFormation
template for the VPC.
<7> The VPC that you created for the cluster.
<8> Specify the `VpcId` value from the output of the CloudFormation template for
the VPC.
. Copy the template from the *CloudFormation template for security objects*
section of this topic and save it as a YAML file on your computer. This template
describes the security groups and roles that your cluster requires.
. Launch the CloudFormation template to create a stack of AWS resources that represent the security groups and roles:
+
[IMPORTANT]
====
You must enter the command on a single line.
====
+
[source,terminal]
----
$ aws cloudformation create-stack --stack-name <name> <1>
--template-body file://<template>.yaml <2>
--parameters file://<parameters>.json <3>
--capabilities CAPABILITY_NAMED_IAM <4>
----
<1> `<name>` is the name for the CloudFormation stack, such as `cluster-sec`.
You need the name of this stack if you remove the cluster.
<2> `<template>` is the relative path to and name of the CloudFormation template
YAML file that you saved.
<3> `<parameters>` is the relative path to and name of the CloudFormation
parameters JSON file.
<4> You must explicitly declare the `CAPABILITY_NAMED_IAM` capability because the provided template creates some `AWS::IAM::Role` and `AWS::IAM::InstanceProfile` resources.
+
.Example output
[source,terminal]
----
arn:aws:cloudformation:us-east-1:269333783861:stack/cluster-sec/03bd4210-2ed7-11eb-6d7a-13fc0b61e9db
----
. Confirm that the template components exist:
+
[source,terminal]
----
$ aws cloudformation describe-stacks --stack-name <name>
----
+
After the `StackStatus` displays `CREATE_COMPLETE`, the output displays values
for the following parameters. You must provide these parameter values to
the other CloudFormation templates that you run to create your cluster:
[horizontal]
`MasterSecurityGroupId`:: Master Security Group ID
`WorkerSecurityGroupId`:: Worker Security Group ID
`MasterInstanceProfile`:: Master IAM Instance Profile
`WorkerInstanceProfile`:: Worker IAM Instance Profile
View Git Blame Copy Permalink