openshift
diff --git a/‎_topic_maps/_topic_map_rosa.yml
Lines changed: 7 additions & 5 deletions b/‎_topic_maps/_topic_map_rosa.yml
Lines changed: 7 additions & 5 deletions
diff --git a/‎images/rosa-aws-pre.png
148 KB b/‎images/rosa-aws-pre.png
148 KB
diff --git a/‎modules/rosa-mobb-prereq-checklist.adoc
Lines changed: 198 additions & 0 deletions b/‎modules/rosa-mobb-prereq-checklist.adoc
Lines changed: 198 additions & 0 deletions
diff --git a/‎rosa_planning/rosa-sts-aws-prereqs.adoc
Lines changed: 2 additions & 0 deletions b/‎rosa_planning/rosa-sts-aws-prereqs.adoc
Lines changed: 2 additions & 0 deletions
@@ -77,11 +77,13 @@ Topics:
   File: rosa-getting-support
 # - Name: Training for ROSA
 #   File: rosa-training
-#---
-#Name: Tutorials 
-#Dir: rosa_tutorials 
-#Distros: openshift-rosa
-#Topics:
+---
+Name: Tutorials 
+Dir: rosa_tutorials 
+Distros: openshift-rosa
+Topics:
+- Name: ROSA prerequisites
+  File: rosa-mobb-prerequisites-tutorial
 ---
 Name: Getting started
 Dir: rosa_getting_started
 
@@ -0,0 +1,198 @@
+
+// Module included in the following assemblies:
+//
+// * rosa_planning/rosa-sts-aws-prereqs.html
+
+
+:_content-type: PROCEDURE
+[id="rosa-mobb-prereq-checklist_{context}"]
+= Prerequisites checklist to deploy a ROSA classic cluster 
+
+//Mobb content metadata
+//Brought into ROSA product docs 2023-09-15; does not follow typical OpenShift documentation formatting
+//---
+//date: '2023-07-27'
+//title: Prerequisites Checklist to Deploy ROSA Cluster with STS 
+//tags: ["ROSA", "STS"]
+//authors:
+//  - Byron Miller
+//  - Connor Wooley
+//  - Diana Sari
+//---
+
+This is a checklist of prerequisites needed to spin up a {product-title} classic cluster with link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[STS]. 
+
+[NOTE] 
+==== 
+This is a high level checklist and your implementation can vary. 
+====
+
+Before running the installation process, verify that you deploy this from a machine that has access to:
+
+* The API services for the cloud to which you provision.
+* Access to `api.openshift.com` and `sso.redhat.com`. 
+* The hosts on the network that you provision.
+* The internet to obtain installation media.
+
+== Accounts and CLIs Prerequisites
+
+Accounts and CLIs you must install to deploy the cluster.
+
+=== AWS account
+
+* Gather the following details:
+** AWS IAM User
+** AWS Access Key ID
+** AWS Secret Access Key
+* Ensure that you have the right permissions as detailed link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for ROSA] and link:https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html[About IAM resources for ROSA clusters that use STS].
+* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-account_rosa-sts-aws-prereqs[Account] for more details. 
+
+=== AWS CLI (`aws`)
+
+* Install from https://aws.amazon.com/cli/[AWS Command Line Interface] if you have not already.
+* Configure the CLI:
++
+. Enter `aws configure` in the terminal: 
++
+[source,terminal]
+----
+$ aws configure
+----
++
+. Enter the AWS Access Key ID and press *enter*.
+. Enter the AWS Secret Access Key and press *enter*.
+. Enter the default region you want to deploy into.
+. Enter the output format you want, “table” or “json”. 
+. Verify the output by running:
++
+[source,terminal]
+----
+ $ aws sts get-caller-identity
+----
++
+. Ensure that the service role for ELB already exists by running:
++
+[source,terminal]
+----
+$ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
+----
++
+.. If it does not exist, run:
++
+[source,terminal]
+----
+$ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
+----
+
+=== Red Hat account
+
+* Create a https://console.redhat.com/[hybrid-console]  account if you have not already.
+
+=== ROSA CLI (`rosa`)
+
+. Enable ROSA from your AWS account on the https://console.aws.amazon.com/rosa/[AWS console] if you have not already.
+. Install the CLI from https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.html[Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa[] or from the OpenShift console https://console.redhat.com/openshift/downloads#tool-rosa[AWS console].
+. Enter `rosa login` in a terminal, and this will prompt you to go to the https://console.redhat.com/openshift/token/rosa[token page] through the console:
++
+[source,terminal]
+----
+$ rosa login
+----
++
+. Log in with your Red Hat account credentials.
+. Click the *Load token* button.
+. Copy the token and paste it back into the CLI prompt and press *enter*.
++
+* Alternatively, you can copy the full `$ rosa login --token=abc...` command and paste that in the terminal:
++
+[source,terminal]
+----
+$ rosa login --token=<abc..>
+----
++
+. Verify your credentials by running:
++
+[source,terminal]
+----
+$ rosa whoami
+----
++
+. Ensure you have sufficient quota by running: 
++
+[source,terminal]
+----
+$ rosa verify quota
+----
++
+* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure] for more details on AWS services provisioned for ROSA cluster. 
+* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-required-aws-service-quotas.html[Required AWS service quotas] for more details on AWS services quota. 
+
+=== OpenShift CLI (`oc`)
+
+. Install from link:https://docs.openshift.com/container-platform/4.13/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI] or from the OpenShift console link:https://console.redhat.com/openshift/downloads#tool-oc[Command-line interface (CLI) tools].
+. Verify that the OpenShift CLI has been installed correctly by running: 
++
+[source,terminal]
+----
+$ rosa verify openshift-client
+----
+
+Once you have the above prerequisites installed and enabled, proceed to the next steps.
+
+
+== SCP Prerequisites
+
+ROSA clusters are hosted in an AWS account within an AWS organizational unit. A link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html[service control policy (SCP)] is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access. 
+
+* Ensure that your organization's SCPs are not more restrictive than the roles and policies required by the cluster.
+* Ensure that your SCP is configured to allow the required `aws-marketplace:Subscribe` permission when you choose *Enable ROSA* from the console, and see link:https://docs.aws.amazon.com/ROSA/latest/userguide/troubleshoot-rosa-enablement.html#error-aws-orgs-scp-denies-permissions[AWS Organizations service control policy (SCP) is denying required AWS Marketplace permissions] for more details.
+* When you create a ROSA classic cluster, an associated AWS OpenID Connect (OIDC) identity provider is created. 
+** This OIDC provider configuration relies on a public key that is located in the `us-east-1` AWS region. 
+** Customers with AWS SCPs must allow the use of the `us-east-1` AWS region, even if these clusters are deployed in a different region.
+
+== Networking Prerequisites
+
+Prerequisites needed from a networking standpoint.
+
+=== Firewall
+
+* Configure your firewall to allow access to the domains and ports listed in link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites].
+
+=== Custom DNS
+
+* If you want to use custom DNS, then the ROSA installer must be able to use VPC DNS with default DHCP options so it can resolve hosts locally. 
+** To do so, run `aws ec2 describe-dhcp-options` and see if the VPC is using VPC Resolver: 
++
+[source,terminal]
+----
+$ aws ec2 describe-dhcp-options
+----
++
+* Otherwise, the upstream DNS will need to forward the cluster scope to this VPC so the cluster can resolve internal IPs and services.
+
+== PrivateLink Prerequisites
+
+If you choose to deploy a PrivateLink cluster, then be sure to deploy the cluster in the pre-existing BYO VPC:
+
+* Create a public and private subnet for each AZ that your cluster uses.
+** Alternatively, implement transit gateway for internet and egress with appropriate routes.
+* The VPC's CIDR block must contain the `Networking.MachineCIDR` range, which is the IP address for cluster machines. 
+** The subnet CIDR blocks must belong to the machine CIDR that you specify.
+* Set both `enableDnsHostnames` and `enableDnsSupport` to `true`.
+** That way, the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster internal DNS records.
+* Verify route tables by running: 
++
+[source,terminal]
+ ----
+ $ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
+ ----
+ 
+** Ensure that the cluster can egress either through NAT gateway in public subnet or through transit gateway.
+** Ensure whatever UDR you would like to follow is set up.
+* You can also configure a cluster-wide proxy during or after install.
+https://docs.openshift.com/rosa/networking/configuring-cluster-wide-proxy.html[Configuring a cluster-wide proxy] for more details.   
+
+[NOTE]
+====
+You can install a non-PrivateLink ROSA cluster in a pre-existing BYO VPC. 
+====
@@ -12,6 +12,8 @@ include::snippets/rosa-sts.adoc[]
 
 Ensure that the following AWS prerequisites are met before installing ROSA with STS.
 
+include::modules/rosa-mobb-prereq-checklist.adoc[leveloffset=+1]
+
 include::modules/rosa-aws-understand.adoc[leveloffset=+1]
 
 [IMPORTANT]