Container / Cluster Management (XCM) Strategy / XCMSTRAT-303

Classic Policies - operator roles use AWS managed policies


    • Type: Feature
    • Resolution: Unresolved
    • Priority: Normal
    • XCMSTRAT-6 ROSA Security

      Feature Overview (aka. Goal Summary)

      In order to benefit from operator roles that use AWS managed policies more widely than just on HCP, ROSA Classic clusters ought to use AWS managed policies for their operator roles as well.

      As of a specific version or date, ROSA Classic clusters would use the AWS managed policies by default.

      Requirements (aka. Acceptance Criteria):

      • New clusters created as of a TBD version or date would have operator roles that attach AWS managed policies by default.
      • Customers that still wish to use customer-managed policies may do so.
      • Documentation provides details about all of the above so that customers can make an informed decision about which option to use.
      • All clients of ROSA (Terraform, ROSA CLI, UI) remain functional with this change.

      Questions to Answer (Optional):

      Would this break our current ROSA UI without adapting it?

      Should we default to AWS managed operator role policies and not allow going back to self-managed policies?

      Background

      The operator roles and their respective policies currently consist of 6 pairs. If we can secure a confirmation that there will be no future deviation between the operators needed by OCP and by Hypershift, then we can use the same roles and policies for ROSA Classic as for ROSA HCP. With the same roles and policies available for both architectures, there is less management of IAM resources and a reduction of risk when upgrading clusters.
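The background above hinges on two checks a practitioner would want before flipping the default: which of a cluster's operator roles still attach customer-managed policies, and whether a Classic cluster and an HCP cluster actually attach the same policy set per operator. The following script is an added example written for this ticket; it is not code from the ticket, from ROSA or from the ROSA CLI. It works on the response shape of IAM's ListAttachedRolePolicies (a real API), distinguishes AWS managed from customer-managed policies by the real `arn:aws:iam::aws:policy/` ARN prefix, and otherwise uses constructed sample data: the cluster prefixes, role names and `Example...Policy` names are placeholders, not ROSA's real policy names.

```python
"""Audit ROSA operator roles: which attach AWS managed policies, which attach
customer-managed ones, and whether a Classic and an HCP cluster attach the
same policy set per operator.

Added example for ticket XCMSTRAT-303; not ROSA's or the ROSA CLI's code.
Only the input shape (IAM ListAttachedRolePolicies) and the AWS managed
ARN prefix are real; role names, prefixes and policy names are constructed.
"""
from __future__ import annotations

import json

# AWS-owned policies live under this account-less ARN prefix. Anything with a
# 12-digit account id in the account field is a customer-managed policy.
AWS_MANAGED_PREFIX = "arn:aws:iam::aws:policy/"


def is_aws_managed(policy_arn: str) -> bool:
    """True for AWS managed policies, False for customer-managed ones."""
    return policy_arn.startswith(AWS_MANAGED_PREFIX)


def classify_role(attached: list[dict]) -> dict[str, list[str]]:
    """Split one role's attached policies (ListAttachedRolePolicies shape) by owner."""
    out: dict[str, list[str]] = {"aws_managed": [], "customer_managed": []}
    for policy in attached:
        bucket = "aws_managed" if is_aws_managed(policy["PolicyArn"]) else "customer_managed"
        out[bucket].append(policy["PolicyName"])
    return out


def operator_key(role_name: str, cluster_prefix: str) -> str:
    """Strip the per-cluster prefix so roles of two clusters can be matched by
    operator, e.g. '<prefix>-openshift-ingress-operator-cloud-credentials'."""
    head = cluster_prefix + "-"
    if not role_name.startswith(head):
        raise ValueError(f"{role_name!r} does not start with {head!r}")
    return role_name[len(head):]


def compare_clusters(classic: dict, classic_prefix: str, hcp: dict, hcp_prefix: str) -> dict:
    """Report operators present on only one side, operators whose attached
    policy ARNs differ, and any customer-managed policy still in use."""
    c = {operator_key(r, classic_prefix): a for r, a in classic.items()}
    h = {operator_key(r, hcp_prefix): a for r, a in hcp.items()}
    report: dict = {
        "only_classic": sorted(set(c) - set(h)),
        "only_hcp": sorted(set(h) - set(c)),
        "mismatched": {},
        "customer_managed_in_use": {},
    }
    for op in sorted(set(c) & set(h)):
        c_arns = {p["PolicyArn"] for p in c[op]}
        h_arns = {p["PolicyArn"] for p in h[op]}
        if c_arns != h_arns:
            report["mismatched"][op] = {"classic": sorted(c_arns), "hcp": sorted(h_arns)}
    for label, roles in (("classic", c), ("hcp", h)):
        for op, attached in roles.items():
            customer = classify_role(attached)["customer_managed"]
            if customer:
                report["customer_managed_in_use"].setdefault(label, {})[op] = customer
    return report


# Constructed sample data (hypothetical prefixes, roles and policy names), in
# the shape of boto3's iam.list_attached_role_policies()["AttachedPolicies"].
_AWS = AWS_MANAGED_PREFIX + "service-role/"
SAMPLE_CLASSIC = {
    "classic-demo-openshift-ingress-operator-cloud-credentials": [
        {"PolicyName": "ExampleIngressOperatorPolicy",
         "PolicyArn": _AWS + "ExampleIngressOperatorPolicy"}],
    "classic-demo-openshift-image-registry-installer-cloud-credentials": [
        {"PolicyName": "classic-demo-image-registry",
         "PolicyArn": "arn:aws:iam::111122223333:policy/classic-demo-image-registry"}],
}
SAMPLE_HCP = {
    "hcp-demo-openshift-ingress-operator-cloud-credentials": [
        {"PolicyName": "ExampleIngressOperatorPolicy",
         "PolicyArn": _AWS + "ExampleIngressOperatorPolicy"}],
    "hcp-demo-openshift-image-registry-installer-cloud-credentials": [
        {"PolicyName": "ExampleImageRegistryOperatorPolicy",
         "PolicyArn": _AWS + "ExampleImageRegistryOperatorPolicy"}],
    "hcp-demo-kube-system-kube-controller-manager": [
        {"PolicyName": "ExampleKubeControllerPolicy",
         "PolicyArn": _AWS + "ExampleKubeControllerPolicy"}],
}

if __name__ == "__main__":
    print(json.dumps(compare_clusters(SAMPLE_CLASSIC, "classic-demo",
                                      SAMPLE_HCP, "hcp-demo"), indent=2))
```

Against the sample data the report shows one operator that exists only on HCP, one operator whose Classic role still attaches a customer-managed policy (and therefore mismatches HCP), and the ingress operator as already aligned. In a live account the two dictionaries would be filled from `iam.list_attached_role_policies(RoleName=...)` for each operator role rather than from the constructed sample.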


      Customer Considerations

      What if a customer wants, for some reason, a separate set of roles/policies for HCP and Classic architecture clusters? No immediate need for this is known, yet it remains one possibility.

      Documentation Considerations

      Documentation will need to be updated to indicate that the operator role names can be free-form and to explain how that can be achieved.


            People: Aaren de Jong (rh-ee-adejong), James Harrington
            Votes: 0
            Watchers: 1