Feature
Resolution: Done
Normal
Feature Overview (aka. Goal Summary)
In cases where a customer brings their own VPC, the current ROSA Classic installer policy requires too many permissions (create VPC, etc.).
Instead of creating a new installer policy that excludes VPC permissions, we can use the existing --permissions-boundary option of the create account-roles command to create a restricted installer role.
Requirements (aka. Acceptance Criteria):
- Red Hat provides sample permissions boundary policies that customers can use as part of this command
  - #1 Policy that excludes all network creation (VPC and private link)
  - #2 Policy that excludes network creation but allows private link creation
- Ensure that creation of account roles with this permissions boundary does not prevent installation of a BYO VPC cluster.
  - Test BYO VPC without private link
  - Test BYO VPC with private link.
- Documentation provided to explain use and restriction of this feature
  - e.g. The account roles created will not have permissions to create a VPC
- All clients of ROSA would be functional with this change (Terraform, ROSA CLI, UI)
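An added example, not part of this ticket and not Red Hat's sample policies: a small pre-flight check showing how a permissions boundary intersects with a role policy, and how to confirm that a boundary blocks network creation without blocking a BYO VPC install. The installer policy, the action lists and all names below are constructed assumptions, and Resource/Condition matching is deliberately ignored.

```python
from fnmatch import fnmatchcase

def _as_list(value):
    return value if isinstance(value, list) else [value]

def decision(policy, action):
    """'deny', 'allow' or 'implicit-deny'. Resource/Condition are ignored (simplification)."""
    result = "implicit-deny"
    for stmt in _as_list(policy["Statement"]):
        if any(fnmatchcase(action.lower(), p.lower()) for p in _as_list(stmt["Action"])):
            if stmt["Effect"] == "Deny":
                return "deny"  # an explicit Deny always wins
            result = "allow"
    return result

def effective(role_policy, boundary, action):
    """Permitted only when BOTH the role policy and the boundary allow the action."""
    return decision(role_policy, action) == "allow" and decision(boundary, action) == "allow"

# Constructed stand-in for a broad installer policy (not the real ROSA policy).
INSTALLER = {"Version": "2012-10-17", "Statement": [{"Effect": "Allow", "Resource": "*",
    "Action": ["ec2:*", "elasticloadbalancing:*", "iam:PassRole", "route53:*"]}]}

# Assumed action lists; the ticket does not enumerate them.
NETWORK = ["ec2:CreateVpc", "ec2:CreateSubnet", "ec2:CreateInternetGateway",
           "ec2:CreateNatGateway", "ec2:CreateRouteTable"]
PRIVATELINK = ["ec2:CreateVpcEndpoint", "ec2:CreateVpcEndpointServiceConfiguration"]
BYO_VPC_INSTALL = ["ec2:RunInstances", "ec2:DescribeVpcs", "ec2:DescribeSubnets",
                   "elasticloadbalancing:CreateLoadBalancer", "iam:PassRole"]

def make_boundary(denied):
    """Boundary document that allows everything except the listed actions."""
    return {"Version": "2012-10-17", "Statement": [
        {"Effect": "Allow", "Action": "*", "Resource": "*"},
        {"Effect": "Deny", "Action": denied, "Resource": "*"}]}

BOUNDARY_1 = make_boundary(NETWORK + PRIVATELINK)  # in the spirit of sample policy #1
BOUNDARY_2 = make_boundary(NETWORK)                # in the spirit of sample policy #2

def blocked(boundary_policy, actions):
    """Actions from `actions` that the installer role loses under this boundary."""
    return [a for a in actions if not effective(INSTALLER, boundary_policy, a)]

if __name__ == "__main__":
    for name, b in (("boundary 1", BOUNDARY_1), ("boundary 2", BOUNDARY_2)):
        print(name, "blocks install actions:", blocked(b, BYO_VPC_INSTALL))
        print(name, "blocks network creation:", blocked(b, NETWORK))
        print(name, "blocks private link:", blocked(b, PRIVATELINK))
```

An empty "blocks install actions" list for both boundaries corresponds to the acceptance criterion that the boundary must not prevent a BYO VPC installation.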
Documentation Considerations
Documentation will need to be updated to indicate that the operator role names can be free-form and how that could be achieved.
- clones: XCMSTRAT-303 Classic Policies - operator roles use AWS managed policies (New)
- is cloned by: XCMSTRAT-307 Classic Policies - Adapt control plane policy (New)