Merge pull request #67957 from fmcdonal/OSDOCS-5590

EricPonvelle · web-flow · commit 33840c3380ac · 2023-12-05T13:03:46.000-05:00
[OSDOCS 5590]: Creating an AWS KMS key for customer encryption
diff --git a/_topic_maps/_topic_map_rosa.yml b/_topic_maps/_topic_map_rosa.yml
@@ -172,6 +172,8 @@ Distros: openshift-rosa
 Topics:
 - Name: Creating ROSA with HCP clusters using the default options
   File: rosa-hcp-sts-creating-a-cluster-quickly
+- Name: Creating ROSA with HCP clusters using a custom AWS KMS encryption key
+  File: rosa-hcp-creating-cluster-with-aws-kms-key
 - Name: Using the Node Tuning Operator on ROSA with HCP
   File: rosa-tuning-config
 ---
diff --git a/modules/creating-cluster-with-aws-kms-key.adoc b/modules/creating-cluster-with-aws-kms-key.adoc
@@ -0,0 +1,170 @@
+// Module included in the following assemblies:
+//
+// * monitoring/enabling-monitoring-for-user-defined-projects.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="creating-cluster-with-aws-kms-key"]
+= Creating a ROSA cluster using a custom AWS KMS key
+
+You can create a {product-title} (ROSA) cluster with a customer-provided KMS key that is used to encrypt either node root volumes, the etcd database, or both. A different KMS key ARN can be provided for each option.
+
+[NOTE]
+====
+{hcp-title} does not automatically configure the `default` storage class to encrypt persistent volumes with the customer-provided KMS key. This is something that can be configured in-cluster after installation.
+====
+
+
+.Procedure
+
+. Create a custom AWS customer-managed KMS key by running the following command:
++
+[source,terminal]
+----
+$ KMS_ARN=$(aws kms create-key --region $AWS_REGION --description 'Custom ROSA Encryption Key' --tags TagKey=red-hat,TagValue=true --query KeyMetadata.Arn --output text)
+----
++
+This command saves the Amazon Resource Name (ARN) output of this custom key for further steps.
++
+[NOTE]
+====
+Customers must provide the `--tags TagKey=red-hat,TagValue=true` argument that is required for a customer KMS key.
+====
+
+
+. Verify the KMS key has been created by running the following command:
++
+[source,terminal]
+----
+$ echo $KMS_ARN
+----
+
+. Set your AWS account ID to an environment variable.
++
+[source,terminal]
+----
+$ AWS_ACCOUNT_ID=<aws_account_id>
+----
+. Add the ARN for the account-wide installer role and operator roles that you created in the preceding step to the `Statement.Principal.AWS` section in the file. In the following example, the ARN for the default `ManagedOpenShift-HCP-ROSA-Installer-Role` role is added:
+
++
+[source,terminal]
+----
+{
+  "Version": "2012-10-17",
+  "Id": "key-rosa-policy-1",
+  "Statement": [
+  {
+              "Sid": "Enable IAM User Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:root"
+              },
+              "Action": "kms:*",
+              "Resource": "*"
+          },
+        {
+              "Sid": "Installer Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/ManagedOpenShift-HCP-ROSA-Installer-Role"
+              },
+              "Action": [
+                  "kms:CreateGrant",
+                  "kms:DescribeKey",
+                  "kms:GenerateDataKeyWithoutPlaintext"
+              ],
+              "Resource": "*"
+          },
+          {
+              "Sid": "ROSA KubeControllerManager Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/<operator_role_prefix>-kube-system-kube-controller-manager"
+
+              },
+              "Action": "kms:DescribeKey",
+              "Resource": "*"
+          },
+          {
+              "Sid": "ROSA KMS Provider Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/<operator_role_prefix>-kube-system-kms-provider"
+              },
+              "Action": [
+                  "kms:Encrypt",
+                  "kms:Decrypt",
+                  "kms:DescribeKey"
+              ],
+              "Resource": "*"
+          },
+          {
+              "Sid": "ROSA NodeManager Permissions",
+              "Effect": "Allow",
+              "Principal": {
+                  "AWS": "arn:aws:iam::${AWS_ACCOUNT_ID}:role/<operator_role_prefix>-kube-system-capa-controller-manager"
+              },
+              "Action": [
+                  "kms:DescribeKey",
+                  "kms:GenerateDataKeyWithoutPlaintext",
+                  "kms:CreateGrant"
+              ],
+              "Resource": "*"
+          }
+      ]
+  } 
+----
+
+. Confirm the details of the policy file created by running the following command:
++
+[source,terminal]
+----
+$ cat rosa-key-policy.json
+----
+
+. Apply the newly generated key policy to the custom KMS key by running the following command:
+
++
+[source,terminal]
+----
+$ aws kms put-key-policy --key-id $KMS_ARN \
+--policy file://rosa-key-policy.json \
+--policy-name default
+----
+
+. Create the cluster by running the following command:
+
++
+[source,terminal]
+----
+$ rosa create cluster --cluster-name <cluster_name> \
+--subnet-ids <private_subnet_id>,<public_subnet_id> \
+--sts \
+--mode auto \
+--machine-cidr 10.0.0.0/16 \
+--compute-machine-type m5.xlarge \
+--hosted-cp \
+--region <aws_region> \
+--oidc-config-id $OIDC_ID \
+--kms-key-arn $KMS_ARN \ <1>
+--etcd-encryption-kms-arn $KMS_ARN \ <2>
+--operator-roles-prefix $OPERATOR_ROLES_PREFIX
+----
+<1> This KMS key ARN is used to encrypt all worker node root volumes. It is not required if only etcd database encryption is needed.
+<2> This KMS key ARN is used to encrypt the etcd database. The etcd database is always encrypted by default with an AES cipher block, but can be encrypted instead with a KMS key. It is not required if only node root volume encryption is needed.
+
+.Verification
+
+You can verify that your KMS key works by using {cluster-manager-url}. 
+
+. Navigate to {cluster-manager-url} and select *Instances*.
+
+. Select your instance.
+
+. Click the *Storage* tab.
+
+. Copy the *KMS key ID*.
+
+. Search and select *Key Management Service*.
+
+. Enter your copied _KMS key ID_ in the *Filter* field.
diff --git a/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc b/modules/rosa-hcp-creating-account-wide-sts-roles-and-policies.adoc
@@ -3,7 +3,7 @@
 [id="rosa-sts-creating-account-wide-sts-roles-and-policies_{context}"]
 = Creating the account-wide STS roles and policies
 
-Before using the {product-title} (ROSA) CLI, `rosa`, to create {hcp-title-first} clusters, create the required account-wide roles and policies, including the Operator policies.
+Before using the {product-title} (ROSA) CLI (`rosa`) to create {hcp-title-first} clusters, create the required account-wide roles and policies, including the Operator policies.
 
 [NOTE]
 ====
@@ -20,9 +20,21 @@ Before using the {product-title} (ROSA) CLI, `rosa`, to create {hcp-title-first}
 
 .Procedure
 
-. If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:
+* If they do not exist in your AWS account, create the required account-wide STS roles and attach the policies by running the following command:
 +
 [source,terminal]
 ----
 $ rosa create account-roles --hosted-cp
-----
+----
++
+[source,terminal]
+----
+$ ACCOUNT_ROLES_PREFIX="${ACCOUNT_ROLES_PREFIX}"
+----
++
+[source,terminal]
+----
+$ rosa create account-roles --hosted-cp --prefix $ACCOUNT_ROLES_PREFIX
+----
++
+For more information regarding AWS managed IAM policies for ROSA, see link:https://docs.aws.amazon.com/ROSA/latest/userguide/security-iam-awsmanpol.html[AWS managed IAM policies for ROSA].
diff --git a/modules/rosa-operator-config.adoc b/modules/rosa-operator-config.adoc
@@ -1,8 +1,9 @@
+
 // Module included in the following assemblies:
 //
 // * rosa_hcp/rosa-hcp-sts-creating-a-cluster-quickly.adoc
 
-:_mod-docs-content-type: PROCEDURE
+:_content-type: PROCEDURE
 [id="rosa-operator-config_{context}"]
 = Creating Operator roles and policies
 
@@ -11,30 +12,39 @@ When using a {hcp-title} cluster, you must create the Operator IAM roles that ar
 .Prerequisites
 
 * You have completed the AWS prerequisites for {hcp-title}.
-* You have installed and configured the latest {product-title} (ROSA) CLI, `rosa`, on your installation host.
+* You have installed and configured the latest {product-title} ROSA CLI (`rosa`), on your installation host.
 * You created the account-wide AWS roles.
 
 .Procedure
 
-* To create your Operator roles, run the following command:
+. Set your prefix name to an environment variable using the following command:
 +
 [source,terminal]
 ----
-$ rosa create operator-roles --hosted-cp --prefix <prefix-name> --oidc-config-id <oidc-config-id>
+$ OPERATOR_ROLES_PREFIX=<prefix_name>
+----
+. To create your Operator roles, run the following command:
+
++
+[source,terminal]
+----
+$ rosa create operator-roles --hosted-cp --prefix $OPERATOR_ROLES_PREFIX --oidc-config-id $OIDC_ID --installer-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Installer-Role
 ----
 +
 The following breakdown provides options for the Operator role creation.
 +
 [source,terminal]
 ----
 $ rosa create operator-roles --hosted-cp
-	--prefix <prefix-name> <1>
-	--oidc-config-id <oidc-config-id> <2>
+	--prefix $OPERATOR_ROLES_PREFIX <1>
+	--oidc-config-id $OIDC_ID <2>
+	--installer-role-arn arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ACCOUNT_ROLES_PREFIX}-HCP-ROSA-Installer-Role <3>
 ----
 +
 --
 <1> You must supply a prefix when creating these Operator roles. Failing to do so produces an error. See the Additional resources of this section for information on the Operator prefix.
 <2> This value is the OIDC configuration ID that you created for your {hcp-title} cluster.
+<3> This value is the installer role ARN that you created when you created the ROSA account roles.
 --
 +
 You must include the `--hosted-cp` parameter to create the correct roles for {hcp-title} clusters. This command returns the following information.
@@ -48,7 +58,7 @@ You must include the `--hosted-cp` parameter to create the correct roles for {hc
 ? OIDC Configuration ID: 23soa2bgvpek9kmes9s7os0a39i13qm4 | https://dvbwgdztaeq9o.cloudfront.net/23soa2bgvpek9kmes9s7os0a39i13qm4 <2>
 ? Create hosted control plane operator roles: Yes
 W: More than one Installer role found
-? Installer role ARN: arn:aws:iam::4540112244:role/<prefix>-Installer-Role
+? Installer role ARN: arn:aws:iam::4540112244:role/<prefix>-HCP-ROSA-Installer-Role
 ? Permissions boundary ARN (optional):
 I: Reusable OIDC Configuration detected. Validating trusted relationships to operator roles:
 I: Creating roles using 'arn:aws:iam::4540112244:user/<userName>'
@@ -65,15 +75,15 @@ I: To create a cluster with these roles, run the following command:
 ----
 +
 --
-<1> This field is prefilled with the prefix that you set in the initial creation command.
+<1> This field is prepopulated with the prefix that you set in the initial creation command.
 <2> This field requires you to select an OIDC configuration that you created for your {hcp-title} cluster.
 --
 +
 The Operator roles are now created and ready to use for creating your {hcp-title} cluster.
 
 .Verification
 
-. You can list the Operator roles associated with your ROSA account. Run the following command:
+* You can list the Operator roles associated with your ROSA account. Run the following command:
 +
 [source,terminal]
 ----
@@ -102,4 +112,4 @@ ROLE NAME                                                         ROLE ARN
 +
 --
 <1> After the command runs, it displays all the prefixes associated with your AWS account and notes how many roles are associated with this prefix. If you need to see all of these roles and their details, enter "Yes" on the detail prompt to have these roles listed out with specifics.
---
+--
diff --git a/modules/rosa-sts-byo-oidc.adoc b/modules/rosa-sts-byo-oidc.adoc
@@ -83,7 +83,7 @@ $ 30f5dqmk
 
 .Verification
 
-. You can list the possible OIDC configurations available for your clusters that are associated with your user organization. Run the following command:
+* You can list the possible OIDC configurations available for your clusters that are associated with your user organization. Run the following command:
 +
 [source,terminal]
 ----
@@ -98,4 +98,4 @@ ID                                MANAGED  ISSUER URL
 2330dbs0n8m3chkkr25gkkcd8pnj3lk2  true     https://dvbwgdztaeq9o.cloudfront.net/2330dbs0n8m3chkkr25gkkcd8pnj3lk2
 233hvnrjoqu14jltk6lhbhf2tj11f8un  false    https://oidc-r7u1.s3.us-east-1.amazonaws.com                           aws:secretsmanager:us-east-1:242819244:secret:rosa-private-key-oidc-r7u1-tM3MDN
 
-----
+----
diff --git a/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc b/rosa_hcp/rosa-hcp-creating-cluster-with-aws-kms-key.adoc
