Merge pull request #46287 from EricPonvelle/OSDOCS-3706_Updates-to-OCM-roles

[OSDOCS-3706] Expanded the ocm-role and user-role documentation

Author: EricPonvelle

_topic_maps/_topic_map_rosa.yml

@@ -99,6 +99,8 @@ Distros: openshift-rosa
 Topics:
 - Name: AWS prerequisites for ROSA with STS
   File: rosa-sts-aws-prereqs
+- Name: OpenShift Cluster Manager IAM role resources
+  File: rosa-sts-ocm-role
 - Name: Limits and scalability
   File: rosa-limits-scalability
 - Name: Planning your environment
@@ -320,5 +322,7 @@ Topics:
   File: rosa-troubleshooting-expired-tokens
 - Name: Troubleshooting installations
   File: rosa-troubleshooting-installations
+- Name: Troubleshooting IAM roles
+  File: rosa-troubleshooting-iam-resources
 - Name: Troubleshooting cluster deployments
   File: rosa-troubleshooting-deployments

modules/rosa-sts-about-ocm-role.adoc

@@ -0,0 +1,32 @@
+// Module included in the following assemblies:
+//
+// rosa_planning/rosa-sts-ocm-role.adoc
+//
+:_content-type: CONCEPT
+[id="rosa-sts-about-ocm-role_{context}"]
+= About the ocm-role IAM resource
+
+You must create the `ocm-role` IAM resource to enable a Red Hat organization of users to create ROSA clusters.
+
+Some considerations for your `ocm-role` IAM resource are:
+
+* You have only one `ocm-role` per AWS account in a Red Hat organization. You can have multiple `ocm-role` IAM roles in a Red Hat organization as long as these roles are for different AWS accounts.
+* Any user in a Red Hat organization may create and link an `ocm-role` IAM resource.
+* Only the Red Hat Organization Administrator can unlink an `ocm-role` IAM resource. This limitation is to protect other Red Hat organization members from disturbing the interface capabilities of other users.
++
+[NOTE]
+====
+If you just created a Red Hat account that is not part of an existing organization, this account is also the Red Hat Organization Administrator.
+====
++
+* Only one `ocm-role` IAM resource can be created per AWS account per Red Hat organization.
+* See the associated permission tables for a list of the AWS permissions policy for the basic and admin `ocm-role` IAM resources.
+
+Using the `rosa` CLI, you can link your IAM resource when you create it.
+
+[NOTE]
+====
+"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `ocm-role` IAM role and the Red Hat {cluster-manager} AWS role. After creating and linking your IAM resource, you see a trust relationship from your `ocm-role` IAM resource in AWS with the `arn:aws:iam::7333:role/RH-Managed-OpenShift-Installer` resource.
+====
+
+After a Red Hat Organization Administrator has created and linked an `ocm-role` IAM resource, all organization members may want to create and link their own `user-role` IAM role. This IAM resource only needs to be created and linked only once per user. If another user in your Red Hat organization has already created and linked an `ocm-role` IAM resource, you need to ensure you have created and linked your own `user-role` IAM role.

modules/rosa-sts-about-user-role.adoc

@@ -0,0 +1,22 @@
+// Module included in the following assemblies:
+//
+// rosa_planning/rosa-sts-ocm-role.adoc
+// rosa_planning/rosa-sts-ocm-role.adoc
+//
+:_content-type: CONCEPT
+[id="rosa-sts-about-user-role_{context}"]
+= About the user-role IAM role
+
+You need to create the `user-role` IAM role to enable a Red Hat organization of users to create ROSA clusters.
+
+Some considerations for your `user-role` IAM role are:
+
+* You only need one `user-role` IAM role per Red Hat user account, but your Red Hat organization can have many of these IAM resources.
+* Any user in a Red Hat organization may create and link an `user-role` IAM role.
+* There can be numerous `user-role` IAM roles per AWS account per Red Hat organization.
+* Red Hat uses the `user-role` IAM role to identify the user. This IAM resource has no AWS account permissions.
+
+[NOTE]
+====
+"Linking" or "associating" your IAM resources with your AWS account means creating a trust-policy with your `user-role` IAM role and the Red Hat {cluster-manager} AWS role. After creating and linking this IAM resource, you see a trust relationship from your `user-role` IAM role in AWS with the `arn:aws:iam::710019948333:role/RH-Managed-OpenShift-Installer` resource.
+====

modules/rosa-sts-account-wide-roles-and-policies.adoc

@@ -12,39 +12,23 @@ The account-wide roles and policies are specific to an OpenShift minor release v
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods_{context}"]
 == Methods of account-wide role creation
 
-// Commenting out until ROSA UI release
-//
-// You can create account-wide roles by using the `rosa` CLI tool or the {cluster-manager-url} guided installation. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
-//
-//  Commenting out until ROSA UI release
+You can create account-wide roles by using the `rosa` CLI tool or the {cluster-manager-url} guided installation. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
 
 You can create account-wide roles by using the `rosa` CLI tool. You can create the roles manually or by using an automatic process that uses pre-defined names for these roles and polices.
 
 [discrete]
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods-manual_{context}"]
 === Manual ocm-role resource creation
 
-// Commenting out until ROSA UI release
-//
-// You can use the manual creation method if you have the necessary CLI access to create these roles on your system. You can run this option in your desired CLI tool or from {cluster-manager}. After you start the manual creation process, the CLI presents a series of commands for you to run that create the roles and link them to the needed policies.
-//
-//  Commenting out until ROSA UI release
-
 You can use the manual creation method if you have the necessary CLI access to create these roles on your system. You can run this option in your desired CLI tool or from {cluster-manager}. After you start the manual creation process, the CLI presents a series of commands for you to run that create the roles and link them to the needed policies.
 
 [discrete]
 [id="rosa-sts-account-wide-roles-and-policies-creation-methods-auto_{context}"]
 === Automatic ocm-role resource creation
 
-// Commenting out until ROSA UI release
-//
-// If you created an `ocm-role` resource with administrative permissions, you can use the automatic creation method in the CLI and from {cluster-manager}. Selecting this method creates the roles and policies that uses the default names.
-//
-// If you use the ROSA guided installation on {cluster-manager}, you must have created an `ocm-role` resource with administrative permissions in the first step of the guided cluster installation. Without this role, you cannot use the automatic Operator role and policy creation option.
-//
-//  Commenting out until ROSA UI release
+If you created an `ocm-role` resource with administrative permissions, you can use the automatic creation method from {cluster-manager}. The `rosa` CLI does not require that you have this admin `ocm-role` IAM resource to automatically create these roles and polices. Selecting this method creates the roles and policies that uses the default names.
 
-If you created an `ocm-role` resource with administrative permissions, you can use the automatic creation method in the CLI. Selecting this method creates the roles and policies that uses the default names.
+If you use the ROSA guided installation on {cluster-manager}, you must have created an `ocm-role` resource with administrative permissions in the first step of the guided cluster installation. Without this role, you cannot use the automatic Operator role and policy creation option, but you can still create the cluster and its roles and policies with the manual process.
 
 [NOTE]
 ====

modules/rosa-sts-aws-requirements-access-req.adoc

@@ -0,0 +1,11 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+:_content-type: CONCEPT
+[id="rosa-access-requirements_{context}"]
+= Access requirements
+
+* Red Hat must have AWS console access to the customer-provided AWS account. Red Hat protects and manages this access.
+* You must not use the AWS account to elevate your permissions within the {product-title} cluster.
+* Actions available in the `rosa` CLI utility or {cluster-manager-url} console must not be directly performed in your AWS account.
+* You do not need to have a preconfigured domain to deploy ROSA clusters. If you wish to use a custom domain, see the Additional resources for information.

modules/rosa-sts-aws-requirements-account.adoc

@@ -0,0 +1,23 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+:_content-type: CONCEPT
+[id="rosa-account_{context}"]
+= Account
+* You must ensure that the AWS limits are sufficient to support {product-title} provisioned within your AWS account. Running `rosa verify quota` in the CLI validates that you have the required quota to run a cluster.
++
+[NOTE]
+====
+Quota verification checks your AWS quota, but it does not compare your consumption to your AWS quota. See the "Limits and scalability" link in Additional resources for more information.
+====
++
+* If SCP policies are applied and enforced, these policies must not be more restrictive than the roles and policies required by the cluster.
+* Your AWS account should not be transferable to Red Hat.
+* You should not impose additional AWS usage restrictions beyond the defined roles and policies on Red Hat activities. Imposing restrictions will severely hinder Red Hat's ability to respond to incidents.
+* You may deploy native AWS services within the same AWS account.
+* Your account must have a service-linked role set up as it is required for elastic load balancers (ELBs) to be configured. See the "Creating the service role for the elastic load balancer (ELB)" link in the Additional resources for information about creating a service-linked role for your ELB if you have not created a load balancer in your AWS account previously.
++
+[NOTE]
+====
+You are encouraged, but not required, to deploy resources in a Virtual Private Cloud (VPC) separate from the VPC hosting {product-title} and other Red Hat supported services.
+====

modules/rosa-sts-aws-requirements-association-concept.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+// * rosa_planning/rosa-sts-ocm-role.adoc
+//
+:_content-type: CONCEPT
+[id="rosa-associating-concept_{context}"]
+= AWS account association
+
+{product-title} (ROSA) cluster-provisioning tasks require linking `ocm-role` and `user-role` {cluster-manager} IAM resources to your AWS account using your Amazon Resource Name (ARN).
+
+The `ocm-role` ARN is stored as a label in your Red Hat organization while the `user-role` ARN is stored as a label inside your Red Hat user account. Red Hat uses these ARN labels to confirm that the user is a valid account holder and that the correct permissions are available to perform the necessary tasks in the AWS account.

modules/rosa-sts-aws-requirements-creating-association.adoc

@@ -0,0 +1,54 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+// * rosa_planning/rosa-sts-ocm-role.adoc
+//
+:_content-type: PROCEDURE
+[id="rosa-associating-account_{context}"]
+= Linking your AWS account
+
+You link your AWS account using the `rosa` CLI.
+
+.Prerequisites
+
+* You have an AWS account.
+* You are using {cluster-manager-url} to create clusters.
+* You have the permissions required to install AWS account-wide roles.
+* You have installed and configured the latest AWS (`aws`) and ROSA (`rosa`) CLIs on your installation host.
+* You have created your `ocm-role` and `user-role` IAM roles.
+
+.Procedure
+
+. From the CLI, link your `ocm-role` resource to your Red Hat organization by using your Amazon Resource Name (ARN):
++
+[NOTE]
+====
+You must have Red Hat Organization Administrator privileges to run the `rosa link` command. After you link the `ocm-role` resource with your AWS account, it is visible for all users in the organization.
+====
++
+[source,terminal]
+----
+$ rosa link ocm-role --role-arn <arn>
+----
++
+.Example output
+[source,terminal]
+----
+I: Linking OCM role
+? Link the '<AWS ACCOUNT ID>` role with organization '<ORG ID>'? Yes
+I: Successfully linked role-arn '<AWS ACCOUNT ID>' with organization account '<ORG ID>'
+----
+. From the CLI, link your `user-role` resource to your Red Hat user account by using your Amazon Resource Name (ARN):
++
+[source,terminal]
+----
+$ rosa link user-role --role-arn <arn>
+----
++
+.Example output
+[source,terminal]
+----
+I: Linking User role
+? Link the 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' role with organization '<AWS ID>'? Yes
+I: Successfully linked role-arn 'arn:aws:iam::<ARN>:role/ManagedOpenShift-User-Role-125' with organization account '<AWS ID>'
+----

modules/rosa-sts-aws-requirements-creating-multi-association.adoc

@@ -0,0 +1,52 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+// * rosa_planning/rosa-sts-ocm-role.adoc
+//
+:_content-type: PROCEDURE
+[id="rosa-associating-multiple-account_{context}"]
+= Associating multiple AWS accounts with your Red Hat organization
+
+You can associate multiple AWS accounts with your Red Hat organization. Associating multiple accounts lets you create {product-title} (ROSA) clusters on any of the associated AWS accounts from your Red Hat organization.
+
+With this feature, you can create clusters in different AWS regions by using multiple AWS profiles as region-bound environments.
+
+.Prerequisites
+
+* You have an AWS account.
+* You are using {cluster-manager-url} to create clusters.
+* You have the permissions required to install AWS account-wide roles.
+* You have installed and configured the latest AWS (`aws`) and ROSA (`rosa`) CLIs on your installation host.
+* You have created your `ocm-role` and `user-role` IAM roles.
+
+.Procedure
+
+To associate an additional AWS account, first create a profile in your local AWS configuration. Then, associate the account with your Red Hat organization by creating the `ocm-role`, user, and account roles in the additional AWS account.
+
+To create the roles in an additional region, specify the `--profile <aws-profile>` parameter when running the `rosa create` commands and replace `<aws_profile>` with the additional account profile name:
+
+* To specify an AWS account profile when creating an {cluster-manager} role:
++
+[source,terminal]
+----
+$ rosa create --profile <aws_profile> ocm-role
+----
+
+* To specify an AWS account profile when creating a user role:
++
+[source,terminal]
+----
+$ rosa create --profile <aws_profile> user-role
+----
+
+* To specify an AWS account profile when creating the account roles:
++
+[source,terminal]
+----
+$ rosa create --profile <aws_profile> account-roles
+----
+
+[NOTE]
+====
+If you do not specify a profile, the default AWS profile is used.
+====

modules/rosa-sts-aws-requirements-security-req.adoc

@@ -0,0 +1,9 @@
+// Module included in the following assemblies:
+//
+// * rosa_getting_started_sts/rosa-sts-aws-prereqs.adoc
+:_content-type: CONCEPT
+[id="rosa-security-requirements_{context}"]
+= Security requirements
+* Volume snapshots will remain within the customer's AWS account and customer-specified region.
+* Red Hat must have ingress access to EC2 hosts and the API server from allow-listed IP addresses.
+* Red Hat must have egress allowed to the documented domains. See the "AWS firewall prerequisites" section for the designated domains.