Merge pull request #65124 from bmcelvee/OSDOCS-7749-follow-up

bmcelvee · web-flow · commit 2d4b1822a7d9 · 2023-09-27T10:58:36.000-04:00
OSDOCS-7749: Follow-up edits
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -82,8 +82,8 @@ Name: Tutorials
 Dir: cloud_experts_tutorials
 Distros: openshift-rosa
 Topics:
-- Name: ROSA prerequisites
-  File: rosa-mobb-prerequisites-tutorial
+#- Name: ROSA prerequisites
+#  File: rosa-mobb-prerequisites-tutorial
 - Name: Configuring ROSA/OSD to use custom TLS ciphers on the ingress controllers
   File: cloud-experts-configure-custom-tls-ciphers
 - Name: Verifying Permissions for a ROSA STS Deployment
@@ -104,7 +104,9 @@ Name: Prepare your environment
 Dir: rosa_planning
 Distros: openshift-rosa
 Topics:
-- Name: AWS prerequisites for ROSA with STS
+- Name: Prerequisites checklist for deploying ROSA using STS
+  File: rosa-cloud-expert-prereq-checklist
+- Name: Detailed requirements for deploying ROSA using STS
   File: rosa-sts-aws-prereqs
 - Name: ROSA IAM role resources
   File: rosa-sts-ocm-role
diff --git a/_unused_topics/rosa-aws-understand.adoc b/_unused_topics/rosa-aws-understand.adoc
@@ -10,3 +10,5 @@ To deploy {product-title} (ROSA) into your existing Amazon Web Services (AWS) ac
 Red Hat recommends the use of AWS Organizations to manage multiple AWS accounts. The AWS Organizations, managed by the customer, host multiple AWS accounts. There is a root account in the organization that all accounts will refer to in the account hierarchy.
 
 It is a best practice for the ROSA cluster to be hosted in an AWS account within an AWS Organizational Unit. A service control policy (SCP) is created and applied to the AWS Organizational Unit that manages what services the AWS sub-accounts are permitted to access. The SCP applies only to available permissions within a single AWS account for all AWS sub-accounts within the Organizational Unit. It is also possible to apply a SCP to a single AWS account. All other accounts in the customer’s AWS Organizations are managed in whatever manner the customer requires. Red Hat Site Reliability Engineers (SRE) will not have any control over SCPs within AWS Organizations.
+
+//2023-09-22: this module is not applicable to the prerequisites content. 
diff --git a/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc b/cloud_experts_tutorials/rosa-mobb-prerequisites-tutorial.adoc
@@ -17,7 +17,7 @@ toc::[]
 //  - Steve Mirman
 //  - Paul Czarkowski
 //---
-
+//This file is not being built as of 2023-09-22 based on a conversation with Michael McNeill. 
 
 This document contains a set of prerequisites that must be run once before you can create your first ROSA cluster.
 
diff --git a/modules/osd-aws-privatelink-firewall-prerequisites.adoc b/modules/osd-aws-privatelink-firewall-prerequisites.adoc
@@ -282,7 +282,12 @@ OR
 $ oc -n openshift-image-registry get pod -l docker-registry=default -o json | jq '.items[].spec.containers[].env[] | select(.name=="REGISTRY_STORAGE_S3_BUCKET")'
 ----
 +
-The S3 endpoint should be in the following format: '<cluster-name>-<random-string>-image-registry-<cluster-region>-<random-string>.s3.dualstack.<cluster-region>.amazonaws.com'.
+The S3 endpoint should be in the following format: 
++
+[source,terminal]
+----
+'<cluster-name>-<random-string>-image-registry-<cluster-region>-<random-string>.s3.dualstack.<cluster-region>.amazonaws.com'.
+----
 
 . Allowlist any site that provides resources for a language or framework that your builds require.
 . Allowlist any outbound URLs that depend on the languages and frameworks used in OpenShift. See link:https://access.redhat.com/solutions/2998411[OpenShift Outbound URLs to Allow] for a list of recommended URLs to be allowed on the firewall or proxy.
diff --git a/modules/rosa-mobb-prereq-checklist.adoc b/modules/rosa-mobb-prereq-checklist.adoc
@@ -1,198 +0,0 @@
-
-// Module included in the following assemblies:
-//
-// * rosa_planning/rosa-sts-aws-prereqs.html
-
-
-:_content-type: PROCEDURE
-[id="rosa-mobb-prereq-checklist_{context}"]
-= Prerequisites checklist to deploy a ROSA classic cluster 
-
-//Mobb content metadata
-//Brought into ROSA product docs 2023-09-15; does not follow typical OpenShift documentation formatting
-//---
-//date: '2023-07-27'
-//title: Prerequisites Checklist to Deploy ROSA Cluster with STS 
-//tags: ["ROSA", "STS"]
-//authors:
-//  - Byron Miller
-//  - Connor Wooley
-//  - Diana Sari
-//---
-
-This is a checklist of prerequisites needed to spin up a {product-title} classic cluster with link:https://docs.aws.amazon.com/IAM/latest/UserGuide/id_credentials_temp.html[STS]. 
-
-[NOTE] 
-==== 
-This is a high level checklist and your implementation can vary. 
-====
-
-Before running the installation process, verify that you deploy this from a machine that has access to:
-
-* The API services for the cloud to which you provision.
-* Access to `api.openshift.com` and `sso.redhat.com`. 
-* The hosts on the network that you provision.
-* The internet to obtain installation media.
-
-== Accounts and CLIs Prerequisites
-
-Accounts and CLIs you must install to deploy the cluster.
-
-=== AWS account
-
-* Gather the following details:
-** AWS IAM User
-** AWS Access Key ID
-** AWS Secret Access Key
-* Ensure that you have the right permissions as detailed link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for ROSA] and link:https://docs.openshift.com/rosa/rosa_architecture/rosa-sts-about-iam-resources.html[About IAM resources for ROSA clusters that use STS].
-* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-account_rosa-sts-aws-prereqs[Account] for more details. 
-
-=== AWS CLI (`aws`)
-
-* Install from https://aws.amazon.com/cli/[AWS Command Line Interface] if you have not already.
-* Configure the CLI:
-+
-. Enter `aws configure` in the terminal: 
-+
-[source,terminal]
-----
-$ aws configure
-----
-+
-. Enter the AWS Access Key ID and press *enter*.
-. Enter the AWS Secret Access Key and press *enter*.
-. Enter the default region you want to deploy into.
-. Enter the output format you want, “table” or “json”. 
-. Verify the output by running:
-+
-[source,terminal]
-----
- $ aws sts get-caller-identity
-----
-+
-. Ensure that the service role for ELB already exists by running:
-+
-[source,terminal]
-----
-$ aws iam get-role --role-name "AWSServiceRoleForElasticLoadBalancing"
-----
-+
-.. If it does not exist, run:
-+
-[source,terminal]
-----
-$ aws iam create-service-linked-role --aws-service-name "elasticloadbalancing.amazonaws.com"
-----
-
-=== Red Hat account
-
-* Create a https://console.redhat.com/[hybrid-console]  account if you have not already.
-
-=== ROSA CLI (`rosa`)
-
-. Enable ROSA from your AWS account on the https://console.aws.amazon.com/rosa/[AWS console] if you have not already.
-. Install the CLI from https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-installing-rosa.html[Installing the Red Hat OpenShift Service on AWS (ROSA) CLI, rosa[] or from the OpenShift console https://console.redhat.com/openshift/downloads#tool-rosa[AWS console].
-. Enter `rosa login` in a terminal, and this will prompt you to go to the https://console.redhat.com/openshift/token/rosa[token page] through the console:
-+
-[source,terminal]
-----
-$ rosa login
-----
-+
-. Log in with your Red Hat account credentials.
-. Click the *Load token* button.
-. Copy the token and paste it back into the CLI prompt and press *enter*.
-+
-* Alternatively, you can copy the full `$ rosa login --token=abc...` command and paste that in the terminal:
-+
-[source,terminal]
-----
-$ rosa login --token=<abc..>
-----
-+
-. Verify your credentials by running:
-+
-[source,terminal]
-----
-$ rosa whoami
-----
-+
-. Ensure you have sufficient quota by running: 
-+
-[source,terminal]
-----
-$ rosa verify quota
-----
-+
-* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#rosa-aws-policy-provisioned_rosa-sts-aws-prereqs[Provisioned AWS Infrastructure] for more details on AWS services provisioned for ROSA cluster. 
-* See link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-required-aws-service-quotas.html[Required AWS service quotas] for more details on AWS services quota. 
-
-=== OpenShift CLI (`oc`)
-
-. Install from link:https://docs.openshift.com/container-platform/4.13/cli_reference/openshift_cli/getting-started-cli.html[Getting started with the OpenShift CLI] or from the OpenShift console link:https://console.redhat.com/openshift/downloads#tool-oc[Command-line interface (CLI) tools].
-. Verify that the OpenShift CLI has been installed correctly by running: 
-+
-[source,terminal]
-----
-$ rosa verify openshift-client
-----
-
-Once you have the above prerequisites installed and enabled, proceed to the next steps.
-
-
-== SCP Prerequisites
-
-ROSA clusters are hosted in an AWS account within an AWS organizational unit. A link:https://docs.aws.amazon.com/organizations/latest/userguide/orgs_manage_policies_scps.html[service control policy (SCP)] is created and applied to the AWS organizational unit that manages what services the AWS sub-accounts are permitted to access. 
-
-* Ensure that your organization's SCPs are not more restrictive than the roles and policies required by the cluster.
-* Ensure that your SCP is configured to allow the required `aws-marketplace:Subscribe` permission when you choose *Enable ROSA* from the console, and see link:https://docs.aws.amazon.com/ROSA/latest/userguide/troubleshoot-rosa-enablement.html#error-aws-orgs-scp-denies-permissions[AWS Organizations service control policy (SCP) is denying required AWS Marketplace permissions] for more details.
-* When you create a ROSA classic cluster, an associated AWS OpenID Connect (OIDC) identity provider is created. 
-** This OIDC provider configuration relies on a public key that is located in the `us-east-1` AWS region. 
-** Customers with AWS SCPs must allow the use of the `us-east-1` AWS region, even if these clusters are deployed in a different region.
-
-== Networking Prerequisites
-
-Prerequisites needed from a networking standpoint.
-
-=== Firewall
-
-* Configure your firewall to allow access to the domains and ports listed in link:https://docs.openshift.com/rosa/rosa_planning/rosa-sts-aws-prereqs.html#osd-aws-privatelink-firewall-prerequisites_rosa-sts-aws-prereqs[AWS firewall prerequisites].
-
-=== Custom DNS
-
-* If you want to use custom DNS, then the ROSA installer must be able to use VPC DNS with default DHCP options so it can resolve hosts locally. 
-** To do so, run `aws ec2 describe-dhcp-options` and see if the VPC is using VPC Resolver: 
-+
-[source,terminal]
-----
-$ aws ec2 describe-dhcp-options
-----
-+
-* Otherwise, the upstream DNS will need to forward the cluster scope to this VPC so the cluster can resolve internal IPs and services.
-
-== PrivateLink Prerequisites
-
-If you choose to deploy a PrivateLink cluster, then be sure to deploy the cluster in the pre-existing BYO VPC:
-
-* Create a public and private subnet for each AZ that your cluster uses.
-** Alternatively, implement transit gateway for internet and egress with appropriate routes.
-* The VPC's CIDR block must contain the `Networking.MachineCIDR` range, which is the IP address for cluster machines. 
-** The subnet CIDR blocks must belong to the machine CIDR that you specify.
-* Set both `enableDnsHostnames` and `enableDnsSupport` to `true`.
-** That way, the cluster can use the Route 53 zones that are attached to the VPC to resolve cluster internal DNS records.
-* Verify route tables by running: 
-+
-[source,terminal]
- ----
- $ aws ec2 describe-route-tables --filters "Name=vpc-id,Values=<vpc-id>"
- ----
- 
-** Ensure that the cluster can egress either through NAT gateway in public subnet or through transit gateway.
-** Ensure whatever UDR you would like to follow is set up.
-* You can also configure a cluster-wide proxy during or after install.
-https://docs.openshift.com/rosa/networking/configuring-cluster-wide-proxy.html[Configuring a cluster-wide proxy] for more details.   
-
-[NOTE]
-====
-You can install a non-PrivateLink ROSA cluster in a pre-existing BYO VPC. 
-====
diff --git a/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc b/rosa_install_access_delete_clusters/rosa_getting_started_iam/rosa-aws-prereqs.adoc
@@ -13,7 +13,6 @@ You must ensure that the prerequisites are met before installing ROSA. This requ
 
 include::snippets/rosa-sts.adoc[]
 
-include::modules/rosa-aws-understand.adoc[leveloffset=+1]
 include::modules/rosa-aws-requirements.adoc[leveloffset=+1]
 include::modules/rosa-aws-procedure.adoc[leveloffset=+1]
 include::modules/rosa-aws-scp.adoc[leveloffset=+2]
diff --git a/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc b/rosa_planning/rosa-cloud-expert-prereq-checklist.adoc
diff --git a/rosa_planning/rosa-hcp-prereqs.adoc b/rosa_planning/rosa-hcp-prereqs.adoc
diff --git a/rosa_planning/rosa-sts-aws-prereqs.adoc b/rosa_planning/rosa-sts-aws-prereqs.adoc
