Feature Overview (aka. Goal Summary)  

The current ROSA Classic Control Plane policy has, based on plentiful feedback, too many unscoped or restricted permissions.

The way to address this it by taking what was learned from the submission of the ROSA HCP control plane policy to AWS for managed policies, and adapt that for ROSA Classic where possible/pragmatic.

This feature is meant to cover the changes to further secure the ROSA Classic control plane policy.

Requirements (aka. Acceptance Criteria):

• New clusters as of a TBD version or date, would be able to use the new control plane policy
• existing customers should not be affected
• Documentation provides details about all of the above to allow customers to make an informed decision as to how to use the policy and when to use which policy and what restrictions exist.
• All clients of ROSA would be functional with this change (Terraform, ROSA CLI, UI)

Questions to Answer (Optional):

Would this break our current ROSA UI without adapting it?

Documentation Considerations

Documentation will need to be updated to indicate that the operator role names can be free-form and how that could be achieved.