jneczypor
diff --git a/‎modules/rosa-hcp-sharing-vpc-creation-and-sharing.adoc‎
Lines changed: 222 additions & 62 deletions b/‎modules/rosa-hcp-sharing-vpc-creation-and-sharing.adoc‎
Lines changed: 222 additions & 62 deletions
diff --git a/‎modules/rosa-hcp-sharing-vpc-dns-and-roles.adoc‎
Lines changed: 1 addition & 2 deletions b/‎modules/rosa-hcp-sharing-vpc-dns-and-roles.adoc‎
Lines changed: 1 addition & 2 deletions
@@ -14,44 +14,72 @@ image::522-shared-vpc-step-1.png[]
 . Create or modify a VPC to your specifications in the link:https://us-east-1.console.aws.amazon.com/vpc/[VPC section of the AWS console].
 +
 . Create the `Route 53 role`.
-.. Create a custom policy file to allow for necessary shared VPC permissions that uses the name `SharedVPCPolicy`:
++
+[NOTE]
+====
+You must create the `Route 53 role` in the same account as the hosted zones (which are created in Step 3). For example, if you want to create the hosted zones in the centrally-managed VPC account, you must create the `Route 53 role` in the *VPC Owner* account. If you want to create the hosted zones in the workload account, you must create the `Route 53 role` in the *Cluster Creator* account.
+====
++
+.. Create a custom policy file to allow for necessary shared VPC permissions that uses the name `Route53Policy`:
 +
 [source,terminal]
 ----
-$ cat <<EOF > /tmp/shared-vpc-policy.json
+$ cat <<EOF > /tmp/route53-policy.json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "route53:ChangeResourceRecordSets",
-                "route53:ListHostedZones",
-                "route53:ListHostedZonesByName",
-                "route53:ListResourceRecordSets",
-                "route53:ChangeTagsForResource",
-                "route53:GetAccountLimit",
-                "route53:GetChange",
-                "route53:GetHostedZone",
-                "route53:ListTagsForResource",
-                "route53:UpdateHostedZoneComment",
-                "tag:GetResources",
-                "tag:UntagResources"
-            ],
-            "Resource": "*"
+  "Version" : "2012-10-17",
+  "Statement" : [
+    {
+      "Sid" : "ReadPermissions",
+      "Effect" : "Allow",
+      "Action" : [
+        "elasticloadbalancing:DescribeLoadBalancers",
+        "route53:GetHostedZone",
+        "route53:ListResourceRecordSets",
+	"route53:ListHostedZones",
+        "tag:GetResources"
+      ],
+      "Resource" : "*"
+    },
+    {
+      "Sid" : "ChangeResourceRecordSetsRestrictedRecordNames",
+      "Effect" : "Allow",
+      "Action" : [
+        "route53:ChangeResourceRecordSets"
+      ],
+      "Resource" : [
+        "*"
+      ],
+      "Condition" : {
+        "ForAllValues:StringLike" : {
+          "route53:ChangeResourceRecordSetsNormalizedRecordNames" : [
+            "*.hypershift.local",
+            "*.openshiftapps.com",
+            "*.devshift.org",
+            "*.openshiftusgov.com",
+            "*.devshiftusgov.com"
+          ]
         }
-    ]
+      }
+    },
+    {
+      "Sid" : "ChangeTagsForResourceNoCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "route53:ChangeTagsForResource"
+      ],
+      "Resource" : "*"
+    }
+  ]
 }
-EOF
 ----
 +
 .. Create the policy in AWS:
 +
 [source,terminal]
 ----
 $ aws iam create-policy \
-    --policy-name SharedVPCPolicy \
-    --policy-document file:///tmp/shared-vpc-policy.json
+    --policy-name Route53Policy \
+    --policy-document file:///tmp/route53-policy.json
 ----
 +
 You will attach this policy to a role necessary for the shared VPC permissions.
@@ -60,7 +88,7 @@ You will attach this policy to a role necessary for the shared VPC permissions.
 +
 [source,terminal]
 ----
-$ cat <<EOF > /tmp/shared-vpc-role.json
+$ cat <<EOF > /tmp/route53-role.json
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -85,19 +113,19 @@ EOF
 [source,terminal]
 ----
 $ aws iam create-role --role-name <role_name> \  <1>
-    --assume-role-policy-document file:///tmp/shared-vpc-role.json
+    --assume-role-policy-document file:///tmp/route53-role.json
 ----
 +
 --
 <1> Replace _<role_name>_ with the name of the role you want to create.
 --
 +
-.. Attach the custom `SharedVPCPolicy` permissions policy:
+.. Attach the custom `Route53Policy` permissions policy:
 +
 [source, terminal]
 ----
 $ aws iam attach-role-policy --role-name <role_name> --policy-arn \  <1>
-    arn:aws:iam::<AWS_account_ID>:policy/SharedVPCPolicy  <2>
+    arn:aws:iam::<AWS_account_ID>:policy/Route53Policy  <2>
 ----
 +
 --
@@ -106,48 +134,180 @@ $ aws iam attach-role-policy --role-name <role_name> --policy-arn \  <1>
 --
 +
 . Create the `VPC endpoint role`.
-.. Create a custom policy file to allow for necessary shared VPC permissions that uses the name `SharedVPCPolicy`:
+.. Create a custom policy file to allow for necessary shared VPC permissions that uses the name `VPCEPolicy`:
 +
 [source,terminal]
 ----
-$ cat <<EOF > /tmp/shared-vpc-policy.json
+$ cat <<EOF > /tmp/vpce.json
 {
-    "Version": "2012-10-17",
-    "Statement": [
-        {
-            "Effect": "Allow",
-            "Action": [
-                "ec2:CreateVpcEndpoint",
-                "ec2:DescribeVpcEndpoints",
-                "ec2:ModifyVpcEndpoint",
-                "ec2:DeleteVpcEndpoints",
-                "ec2:CreateTags",
-                "ec2:CreateSecurityGroup",
-                "ec2:AuthorizeSecurityGroupIngress",
-                "ec2:AuthorizeSecurityGroupEgress",
-                "ec2:DeleteSecurityGroup",
-                "ec2:RevokeSecurityGroupIngress",
-                "ec2:RevokeSecurityGroupEgress",
-                "ec2:DescribeSecurityGroups",
-                "ec2:DescribeVpcs",
-                "route53:ListHostedZones",
-                "route53:ChangeResourceRecordSets",
-                "route53:ListResourceRecordSets"
-            ],
-            "Resource": "*"
+  "Version" : "2012-10-17",
+  "Statement" : [
+    {
+      "Sid" : "ReadPermissions",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:DescribeVpcEndpoints",
+        "ec2:DescribeVpcs",
+        "ec2:DescribeSecurityGroups"
+      ],
+      "Resource" : "*"
+    },
+    {
+      "Sid" : "CreateSecurityGroups",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateSecurityGroup"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:security-group*/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:RequestTag/red-hat-managed" : "true"
         }
-    ]
+      }
+    },
+    {
+      "Sid" : "DeleteSecurityGroup",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:DeleteSecurityGroup"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:security-group*/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:ResourceTag/red-hat-managed" : "true"
+        }
+      }
+    },
+    {
+      "Sid" : "SecurityGroupIngressEgress",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:AuthorizeSecurityGroupIngress",
+        "ec2:AuthorizeSecurityGroupEgress",
+        "ec2:RevokeSecurityGroupIngress",
+        "ec2:RevokeSecurityGroupEgress"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:security-group*/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:ResourceTag/red-hat-managed" : "true"
+        }
+      }
+    },
+    {
+      "Sid" : "CreateSecurityGroupsVPCNoCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateSecurityGroup"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:vpc/*"
+      ]
+    },
+    {
+      "Sid" : "VPCEndpointWithCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateVpcEndpoint"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:vpc-endpoint/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:RequestTag/red-hat-managed" : "true"
+        }
+      }
+    },
+    {
+      "Sid" : "VPCEndpointResourceTagCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateVpcEndpoint"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:security-group*/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:ResourceTag/red-hat-managed" : "true"
+        }
+      }
+    },
+    {
+      "Sid" : "VPCEndpointNoCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateVpcEndpoint"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:vpc/*",
+        "arn:aws:ec2:*:*:subnet/*",
+        "arn:aws:ec2:*:*:route-table/*"
+      ]
+    },
+    {
+      "Sid" : "ManageVPCEndpointWithCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:ModifyVpcEndpoint",
+        "ec2:DeleteVpcEndpoints"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:vpc-endpoint/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "aws:ResourceTag/red-hat-managed" : "true"
+        }
+      }
+    },
+    {
+      "Sid" : "ModifyVPCEndpoingNoCondition",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:ModifyVpcEndpoint"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:subnet/*"
+      ]
+    },
+    {
+      "Sid" : "CreateTagsRestrictedActions",
+      "Effect" : "Allow",
+      "Action" : [
+        "ec2:CreateTags"
+      ],
+      "Resource" : [
+        "arn:aws:ec2:*:*:vpc-endpoint/*",
+        "arn:aws:ec2:*:*:security-group/*"
+      ],
+      "Condition" : {
+        "StringEquals" : {
+          "ec2:CreateAction" : [
+            "CreateVpcEndpoint",
+            "CreateSecurityGroup"
+          ]
+        }
+      }
+    }
+  ]
 }
-EOF
 ----
 +
 .. Create the policy in AWS:
 +
 [source,terminal]
 ----
 $ aws iam create-policy \
-    --policy-name SharedVPCPolicy \
-    --policy-document file:///tmp/shared-vpc-policy.json
+    --policy-name VPCEPolicy \
+    --policy-document file:///tmp/vpce-role.json
 ----
 +
 You will attach this policy to a role necessary for the shared VPC permissions.
@@ -156,7 +316,7 @@ You will attach this policy to a role necessary for the shared VPC permissions.
 +
 [source,terminal]
 ----
-$ cat <<EOF > /tmp/shared-vpc-role.json
+$ cat <<EOF > /tmp/vpce-role.json
 {
     "Version": "2012-10-17",
     "Statement": [
@@ -181,19 +341,19 @@ EOF
 [source,terminal]
 ----
 $ aws iam create-role --role-name <role_name> \  <1>
-    --assume-role-policy-document file:///tmp/shared-vpc-role.json
+    --assume-role-policy-document file:///tmp/vpce-role.json
 ----
 +
 --
 <1> Replace _<role_name>_ with the name of the role you want to create.
 --
 +
-.. Attach the custom `SharedVPCPolicy` permissions policy:
+.. Attach the custom `VPCEPolicy` permissions policy:
 +
 [source, terminal]
 ----
 $ aws iam attach-role-policy --role-name <role_name> --policy-arn \  <1>
-    arn:aws:iam::<AWS_account_ID>:policy/SharedVPCPolicy  <2>
+    arn:aws:iam::<AWS_account_ID>:policy/VPCEPolicy  <2>
 ----
 +
 --
 
@@ -101,5 +101,4 @@ The shared information resembles these examples:
 * ``my-rosa-cluster.14eo.p1.openshiftapps.com``
 * ``arn:aws:iam::111122223333:role/ManagedOpenShift-Installer-Role``
 * ``arn:aws:iam::111122223333:role/my-rosa-cluster-openshift-ingress-operator-cloud-credentials``
-* ``arn:aws:iam::962993289388:role/route53-scoped"
-*arn:aws:iam962993289388:role/vpc-endpoint-service"
+* ``arn:aws:iam::111122223333:role/my-rosa-cluster-control-plane-operator``