defined ARN role, by adding new module for preparing aws account and seperating code into into subtask commands

Author: fmcdonal

modules/oadp-installing-oadp-rosa-sts.adoc

@@ -4,27 +4,28 @@
 
 :_content-type: PROCEDURE
 [id="oadp-installing-oadp-rosa-sts_{context}"]
-= Installing OADP on {product-title} with AWS STS
+= Installing the OADP Operator and providing the IAM role
 
 AWS Security Token Service (AWS STS) is a global web service that provides short-term credentials for IAM or federated users. {product-title} (ROSA) with STS is the recommended credential mode for ROSA clusters. This document describes how to install OpenShift API for Data Protection (OADP) on (ROSA) with AWS STS.
 
+
 [IMPORTANT]
 ====
 Restic is not supported in the OADP on ROSA with AWS STS environment. Ensure the Restic service is disabled. Use native snapshots to backup volumes. See _Known Issues_ for more information.
 ====
 
 .Prerequisites
 
-* A ROSA OpenShift Cluster with the required access and tokens.
-* link:https://docs.openshift.com/container-platform/4.14/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.html#oadp-creating-default-secret_installing-oadp-aws[A default Secret], if your backup and snapshot locations use the same credentials, or if you do not require a snapshot location.
+* A ROSA OpenShift Cluster with the required access and tokens. For instructions, see the procedure in _Preparing AWS credentials_.
+
 
 .Procedure
 
-. Create an Openshift secret from your AWS token file by entering the following commands:
+. Create an Openshift secret from your AWS token file by entering the following commands.
 
 .. Create the credentials file:
 +
-[source, terminal]
+[source,terminal]
 ----
 $ cat <<EOF > ${SCRATCH}/credentials
 [default]
@@ -35,7 +36,7 @@ EOF
 
 .. Create the OpenShift secret:
 +
-[source, terminal]
+[source,terminal]
 ----
 $ oc -n openshift-adp create secret generic cloud-credentials \
   --from-file=${SCRATCH}/credentials
@@ -85,43 +86,35 @@ spec:
         key: credentials
         name: cloud-credentials
       default: true
+      config:
+        region: ${REGION}
   configuration:
     velero:
       defaultPlugins:
       - openshift
       - aws
       restic:
         enable: false
-  volumeSnapshots:
+  snapshotLocations:
   - velero:
       config:
-        credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials
-        enableSharedConfig: "true"
-        region: ${REGION}
+        credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials <1>
+        enableSharedConfig: "true" <2>
+        profile: default <3>
+        region: ${REGION} <4>
       provider: aws
 EOF
 ----
+
++
+<1> The `credentialsFile` is the mounted location of the bucket credential on the pod.
+<2> The `enableSharedConfig` allows the `snapshotLocations` to share or reuse the credential defined for the bucket.
+<3> Assume your Velero default for your `profile: default`. 
+<4> Specify `region` as your AWS region. This must be the same as the cluster region.
 +
 [NOTE]
 ====
 The `enable` parameter of `restic` is set to `false` in this configuration because OADP does not support Restic in ROSA environments.
 ====
 +
 You are now ready to backup and restore OpenShift applications, as described in the link:https://docs.openshift.com/container-platform/4.11/backup_and_restore/application_backup_and_restore/backing_up_and_restoring/backing-up-applications.html[OADP documentation].
-
-== Known Issues
-.Restic is not supported or recommended
-
-* link:https://issues.redhat.com/browse/OADP-1054[CloudStorage: openshift-adp-controller-manager crashloop seg fault with Restic enabled]
-* link:https://issues.redhat.com/browse/OADP-1057[Cloudstorage API: CSI Backup of an app with internal images partially fails with plugin panicked error]
-* (Affects OADP 1.1.x_ only): link:https://issues.redhat.com/browse/OADP-1055[CloudStorage: bucket is removed on CS CR delete, although it doesn't have "oadp.openshift.io/cloudstorage-delete": "true"]
-
-[role="_additional-resources"]
-.Additional resources
-
-* link:https://docs.openshift.com/rosa/rosa_architecture/rosa-understanding.html[Understanding ROSA with STS]
-* link:https://docs.openshift.com/rosa/rosa_getting_started/rosa-sts-getting-started-workflow.html[Getting started with ROSA STS]
-* link:https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.html[Creating a ROSA cluster with STS]
-* link:https://docs.openshift.com/container-platform/4.14/backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.html[About installing OADP]
-* link:https://docs.openshift.com/container-platform/4.14/storage/container_storage_interface/persistent-storage-csi.html[Configuring CSI volumes]
-* link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-storage_rosa-service-definition[ROSA storage options]

modules/oadp-preparing-aws-credentials.adoc

@@ -0,0 +1,170 @@
+// Module included in the following assemblies:
+//
+// * rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
+
+:_content-type: PROCEDURE
+[id="oadp-preparing-aws-credentials_{context}"]
+= Preparing AWS credentials
+
+An AWS account must be ready to accept an OADP installation.
+
+.Procedure
+. Create the following environment variables by running the following commands:
++
+[NOTE]
+====
+Change the cluster name to match your ROSA cluster, and ensure you are logged into the cluster as an administrator. Ensure that all fields are outputted correctly before continuing.
+====
++
+[source,terminal]
+----
+$ export CLUSTER_NAME=my-cluster <1>
+export ROSA_CLUSTER_ID-$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id)
+export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
+export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
+export AWS_ACCOUNT_ID='aws sts get-caller-identity --query Account --output text'
+export CLUSTER_VERSION='rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | but -f -2 -d '.' '
+export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials"
+export SCRATCH="/tmp/${CLUSTER_NAME}/oadp"
+mkdir -p ${SCRATCH}
+echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint: 
+${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
+----
++
+<1> Replace `my-cluster` with your ROSA cluster name.
+
+. On the AWS account, create an IAM policy to allow access to S3.
+
+.. Check to see if the policy exists by running the following command:
++
+[source,terminal]
+----
+$ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" -- output text) <1>
+----
++
+<1> Replace `RosaOadp` with your policy name.
+
+..  Use the following command to create the policy JSON file and then create the policy in ROSA.
++
+[NOTE]
+====
+If the policy ARN is not found, the command will create the policy. If the policy ARN already exists, the `if` statement will intentionally skip the policy creation.
+====
++
+[source,terminal]
+----
+$ if [[ -z "${POLICY_ARN}" ]]; then
+cat << EOF > ${SCRATCH}/policy.json <1>
+{
+"Version": "2012-10-17",
+"Statement": [
+  {
+    "Effect": "Allow",
+    "Action": [
+      "s3:CreateBucket",$ echo ${POLICY_ARN}
+      "s3:DeleteBucket",cd openshift-docs
+      "s3:PutBucketTegging",
+      "s3:GetBucketTegging",
+      "s3:PutEncryptionConfiguration",
+      "s3:GetEncryptionConfiguration",
+      "s3:PutLifecycleConfiguration",
+      "s3:GetLifecycleConfiguration",
+      "s3:GetBucketLocation",
+      "s3:ListBucket",
+      "s3:GetObject",
+      "s3:PutObject",
+      "s3:DeleteOgject",
+      "s3:ListBucketMultipartUpLoads",
+      "s3:AbortMultipartUpLoads",
+      "s3:ListMultipartUpLoadParts",
+      "s3:DescribeSnapshots",
+      "ec2:DescribeVolumes",
+      "ec2:DescribeVolumeAttribute",
+      "ec2:DescribeVolumesModifications",
+      "ec2:DescribeVolumeStatus",
+      "ec2:CreateTags",
+      "ec2:CreateVolume",
+      "ec2:CreateSnapshot",
+      "ec2:DeleteSnapshot",
+    ]
+    "Resource": "*"
+  }
+ ]}
+EOF
+POLICY_ARN=$(aws iam create-policy --policy-mane "RosaOadpVer1" \
+--policy-document file:///${SCRATCH}/policy.json --query Policy.Arn \
+--tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key-rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-oadp Key=operator_name,Value=openshift-oadp \
+--output text)
+fi
+----
++
+<1> `SCRATCH` is a name for a temporary directory created for the environment variables.
+
+.. View the policy ARN by running the following command:
++
+[source,terminal]
+----
+$ echo ${POLICY_ARN}
+----
+
+
+. Create an IAM role trust policy for the cluster:
+
+.. Create the trust policy file by running the following command:
++
+[source,terminal]
+----
+$ cat <<EOF > ${SCRATCH}/trust-policy.json
+{
+    "Version": :2012-10-17",
+    "Statement": [{
+      "Effect": "Allow",
+      "Principal": {
+        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
+      },
+      "Action": "sts:AssumeRoleWithWebIdentity",
+      "Condition": {
+        "StringEquals": {
+          "${OIDC_ENDPOINT}:sub": [
+            "system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
+            "system:serviceaccount:openshift-adp:velero:]
+        }
+      }
+    }]
+}
+EOF
+----
+
+.. Create the role by running the following command:
++
+[source,terminal]
+----
+$ ROLE_ARN=$(aws iam create-role --role-name \
+  "${ROLE_NAME}" \
+  --assume-role-policy-document file://${SCRATCH}/trust-policy.json \
+  --tags Key+rosa_cluster_id,Value=${ROSA_CLUSTER_ID}
+Key=rosa_openshift_verson,Value=${CLUSTER_VERSION}
+Key=rosa_role_prefix,Value=ManagedOpenShift
+Key=operator_namespace,Value=openshift-adp
+Key=operator_name,Value-openshift-oadp \
+   --query Role.Arn --output text)
+----
+
+.. View the role ARN by running the following command:
++
+[source,terminal]
+----
+$ echo ${ROLE_ARN}
+----
+
+. Attach the IAM policy to the IAM role by running the following command:
++
+[source,terminal]
+----
+$ aws iam attach-role-policy --role-name "${ROLE_NAME}" \
+  --policy-arn ${POLICY_ARN}
+----
+
+.Next steps
+
+* Continue to _Installing the OADP Operator and providing the IAM role_.

rosa_backing_up_and_restoring_applications/backing-up-applications.adoc

@@ -6,6 +6,38 @@ include::_attributes/common-attributes.adoc[]
 
 toc::[]
 
-You can employ OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS (ROSA) clusters to backup and restore application data. A ROSA deployment of OpenShift is configured specifically for AWS services.
+You can employ OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS (ROSA) clusters to backup and restore application data. Before installing OADP, you must set up role and policy credentials for OADP so that it can use the AWS API. 
 
-include::modules/oadp-installing-oadp-rosa-sts.adoc[leveloffset=+1]
+This is a two stage process:
+
+. Prepare AWS credentials.
+. Install the OADP Operator and provide it with the IAM role.
+
+include::modules/oadp-preparing-aws-credentials.adoc[leveloffset=+1]
+
+include::modules/oadp-installing-oadp-rosa-sts.adoc[leveloffset=+1]
+
+[role="_additional-resources"]
+[id="oadp-addtl-resources_{context}"]
+.Additional resources
+
+* xref:../rosa_backing_up_and_restoring_applications/backing-up-applications.adoc#oadp-preparing-aws-credentials_rosa-backing-up-applications[Preparing AWS credentials]
+
+[id="rosa-backing-up-applications-known-issues"]
+== Known issues
+.Restic is not supported or recommended
+
+* link:https://issues.redhat.com/browse/OADP-1054[CloudStorage: openshift-adp-controller-manager crashloop seg fault with Restic enabled]
+* link:https://issues.redhat.com/browse/OADP-1057[Cloudstorage API: CSI Backup of an app with internal images partially fails with plugin panicked error]
+* (Affects OADP 1.1.x_ only): link:https://issues.redhat.com/browse/OADP-1055[CloudStorage: bucket is removed on CS CR delete, although it doesn't have "oadp.openshift.io/cloudstorage-delete": "true"]
+
+[role="_additional-resources"]
+[id="additional-resources_rosa-backing-up-applications"]
+== Additional resources
+
+* link:https://docs.openshift.com/rosa/rosa_architecture/rosa-understanding.html[Understanding ROSA with STS]
+* link:https://docs.openshift.com/rosa/rosa_getting_started/rosa-sts-getting-started-workflow.html[Getting started with ROSA STS]
+* link:https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.html[Creating a ROSA cluster with STS]
+* link:https://docs.openshift.com/container-platform/4.13/backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.html[About installing OADP]
+* link:https://docs.openshift.com/container-platform/4.13/storage/container_storage_interface/persistent-storage-csi.html[Configuring CSI volumes]
+* link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-storage_rosa-service-definition[ROSA storage options]