diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
index 96d125a7d3..8451e29938 100644
--- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
+++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/aws-console.md
@@ -28,82 +28,84 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsInstanceRolePolicy.json policy file: - ```js - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DescribeReadOnlyEc2Resources", - "Effect": "Allow", - "Action": [ - "ec2:DescribeAvailabilityZones", - "ec2:DescribeRegions", - "ec2:DescribeSecurityGroups", - "ec2:DescribeTags", - "ec2:DescribeVolumes" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "EC2EBSActions", - "Effect": "Allow", - "Action": [ - "ec2:AttachVolume", - "ec2:CreateVolume" - ], - "Resource": [ - "*" - ], - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } - }, - { - "Sid": "SecurityGroupAccessActions", - "Effect": "Allow", - "Action": [ - "ec2:AuthorizeSecurityGroupIngress", - "ec2:DeleteSecurityGroup" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } - } - }, - { - "Sid": "TagResourcesCreation", - "Effect": "Allow", - "Action": [ - "ec2:CreateTags" - ], - "Resource": [ - "*" - ] - }, - { - "Sid": "TagResourcesDelete", + {{< scrollable-code >}} +```js +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeReadOnlyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeRegions", + "ec2:DescribeSecurityGroups", + "ec2:DescribeTags", + "ec2:DescribeVolumes" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "EC2EBSActions", "Effect": "Allow", "Action": [ - "ec2:DeleteTags" + "ec2:AttachVolume", + "ec2:CreateVolume" ], "Resource": [ - "*" + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" + } + } + }, + { + "Sid": "SecurityGroupAccessActions", + "Effect": "Allow", + "Action": [ + "ec2:AuthorizeSecurityGroupIngress", + "ec2:DeleteSecurityGroup" ], + "Resource": "*", 
"Condition": { "StringEquals": { "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } } + }, + { + "Sid": "TagResourcesCreation", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags" + ], + "Resource": [ + "*" + ] + }, + { + "Sid": "TagResourcesDelete", + "Effect": "Allow", + "Action": [ + "ec2:DeleteTags" + ], + "Resource": [ + "*" + ], + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } - ] - } - ``` + } + } + ] +} +``` + {{< /scrollable-code >}} - In **Review and Create**, enter `RedisLabsInstanceRolePolicy` in the **Policy name** field. 
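Review bot: The `ec2:ResourceTag/RedisLabsIdentifier` conditions on `EC2EBSActions`, `SecurityGroupAccessActions` and `TagResourcesDelete` only bound this role if the tag itself cannot be applied freely, yet `TagResourcesCreation` grants `ec2:CreateTags` on `"*"` with no condition, so any EC2 resource the role can reach can be brought into scope of the conditioned statements simply by tagging it. The same pattern is in the `RedisLabsIAMUserRestrictedPolicy` hunk below, where `CreateEc2ResourcesWithoutTag` grants `ec2:CreateTags` unconditionally while `ModifyEc2Resources` and `DeleteEc2Resources` rely on the tag. Since these listings are the vendor-supplied policies, the page should at least state the assumption next to each one, e.g. `The tag conditions in this policy assume ec2:CreateTags is only used on resources the policy itself creates; if the account hosts other workloads, scope CreateTags with an ec2:CreateAction condition after confirming with Redis support.` Whether the product tags resources only at creation time is not visible here, so confirm that before proposing a tightened statement upstream.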
@@ -132,257 +134,259 @@ Follow the steps to [create an IAM policy using the JSON editor](https://docs.aw - In **Specify permissions**, select **JSON**, and then enter the contents of the RedisLabsIAMUserRestrictedPolicy.json policy file: - ```json - { - "Version": "2012-10-17", - "Statement": [ - { - "Sid": "DescribeReadOnlyEc2Resources", - "Effect": "Allow", - "Action": [ - "ec2:DescribeAvailabilityZones", - "ec2:DescribeInstanceTypeOfferings", - "ec2:DescribeRegions", - "ec2:DescribeInstances", - "ec2:DescribeVolumes", - "ec2:DescribeSnapshots", - "ec2:DescribeVpcs", - "ec2:DescribeSubnets", - "ec2:DescribeSecurityGroups", - "ec2:DescribeRouteTables", - "ec2:DescribeInternetGateways", - "ec2:DescribeImages", - "ec2:DescribeTransitGatewayVpcAttachments", - "ec2:DescribeVpcPeeringConnections", - "ec2:DescribeKeyPairs", - "ec2:DescribeTransitGateways", - "ec2:DescribeInstanceStatus", - "ec2:DescribeNetworkAcls" - ], - "Resource": "*" - }, - { - "Sid": "CloudWatchReadOnly", - "Effect": "Allow", - "Action": [ - "cloudwatch:Describe*", - "cloudwatch:Get*", - "cloudwatch:List*" - ], - "Resource": "*" - }, - { - "Sid": "IamUserOperations", - "Effect": "Allow", - "Action": [ - "iam:GetUser", - "iam:GetUserPolicy", - "iam:ChangePassword" - ], - "Resource": "arn:aws:iam::*:user/${aws:username}" - }, - { - "Sid": "RolePolicyUserReadActions", - "Action": [ - "iam:GetRole", - "iam:GetPolicy", - "iam:ListUsers", - "iam:ListPolicies", - "iam:ListRolePolicies", - "iam:ListAttachedRolePolicies", - "iam:ListInstanceProfiles", - "iam:ListInstanceProfilesForRole", - "iam:SimulatePrincipalPolicy" - ], - "Effect": "Allow", - "Resource": "*" - }, - { - "Sid": "PassRlClusterNodeRole", - "Effect": "Allow", - "Action": "iam:PassRole", - "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role" - }, - { - "Sid": "CreateEc2ResourcesWithoutTag", - "Effect": "Allow", - "Action": [ - "ec2:CreateTags", - "ec2:RunInstances", - "ec2:ImportKeyPair", - "ec2:CreateKeyPair", - "ec2:CreateVpc", - 
"ec2:CreateSecurityGroup", - "ec2:CreateInternetGateway", - "ec2:CreateRouteTable", - "ec2:CreateSubnet", - "ec2:CreateSnapshot", - "ec2:CreateTransitGateway", - "ec2:AssociateVpcCidrBlock", - "ec2:CreateTransitGatewayVpcAttachment", - "ec2:AttachInternetGateway", - "ec2:ReplaceRoute" - ], - "Resource": "*" - }, - { - "Sid": "ForceUnderlyingResourcesToHaveIdentifierTags", - "Effect": "Deny", - "Action": [ - "ec2:RunInstances", - "ec2:CreateKeyPair" - ], - "Resource": [ - "arn:aws:ec2:*:*:instance/*", - "arn:aws:ec2:*:*:volume/*", - "arn:aws:ec2:*:*:keypair/*" - ], - "Condition": { - "Null": { - "aws:RequestTag/RedisLabsIdentifier": "true" - } + {{< scrollable-code >}} +```json +{ + "Version": "2012-10-17", + "Statement": [ + { + "Sid": "DescribeReadOnlyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:DescribeAvailabilityZones", + "ec2:DescribeInstanceTypeOfferings", + "ec2:DescribeRegions", + "ec2:DescribeInstances", + "ec2:DescribeVolumes", + "ec2:DescribeSnapshots", + "ec2:DescribeVpcs", + "ec2:DescribeSubnets", + "ec2:DescribeSecurityGroups", + "ec2:DescribeRouteTables", + "ec2:DescribeInternetGateways", + "ec2:DescribeImages", + "ec2:DescribeTransitGatewayVpcAttachments", + "ec2:DescribeVpcPeeringConnections", + "ec2:DescribeKeyPairs", + "ec2:DescribeTransitGateways", + "ec2:DescribeInstanceStatus", + "ec2:DescribeNetworkAcls" + ], + "Resource": "*" + }, + { + "Sid": "CloudWatchReadOnly", + "Effect": "Allow", + "Action": [ + "cloudwatch:Describe*", + "cloudwatch:Get*", + "cloudwatch:List*" + ], + "Resource": "*" + }, + { + "Sid": "IamUserOperations", + "Effect": "Allow", + "Action": [ + "iam:GetUser", + "iam:GetUserPolicy", + "iam:ChangePassword" + ], + "Resource": "arn:aws:iam::*:user/${aws:username}" + }, + { + "Sid": "RolePolicyUserReadActions", + "Action": [ + "iam:GetRole", + "iam:GetPolicy", + "iam:ListUsers", + "iam:ListPolicies", + "iam:ListRolePolicies", + "iam:ListAttachedRolePolicies", + "iam:ListInstanceProfiles", + 
"iam:ListInstanceProfilesForRole", + "iam:SimulatePrincipalPolicy" + ], + "Effect": "Allow", + "Resource": "*" + }, + { + "Sid": "PassRlClusterNodeRole", + "Effect": "Allow", + "Action": "iam:PassRole", + "Resource": "arn:aws:iam::*:role/redislabs-cluster-node-role" + }, + { + "Sid": "CreateEc2ResourcesWithoutTag", + "Effect": "Allow", + "Action": [ + "ec2:CreateTags", + "ec2:RunInstances", + "ec2:ImportKeyPair", + "ec2:CreateKeyPair", + "ec2:CreateVpc", + "ec2:CreateSecurityGroup", + "ec2:CreateInternetGateway", + "ec2:CreateRouteTable", + "ec2:CreateSubnet", + "ec2:CreateSnapshot", + "ec2:CreateTransitGateway", + "ec2:AssociateVpcCidrBlock", + "ec2:CreateTransitGatewayVpcAttachment", + "ec2:AttachInternetGateway", + "ec2:ReplaceRoute" + ], + "Resource": "*" + }, + { + "Sid": "ForceUnderlyingResourcesToHaveIdentifierTags", + "Effect": "Deny", + "Action": [ + "ec2:RunInstances", + "ec2:CreateKeyPair" + ], + "Resource": [ + "arn:aws:ec2:*:*:instance/*", + "arn:aws:ec2:*:*:volume/*", + "arn:aws:ec2:*:*:keypair/*" + ], + "Condition": { + "Null": { + "aws:RequestTag/RedisLabsIdentifier": "true" } - }, - { - "Sid": "AllowVpcPeeringManagement", - "Effect": "Allow", - "Action": [ - "ec2:CreateVpcPeeringConnection", - "ec2:AcceptVpcPeeringConnection" - ], - "Resource": "*" - }, - { - "Sid": "AllowVpcPeeringDeletion", - "Effect": "Allow", - "Action": [ - "ec2:DeleteVpcPeeringConnection" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } + } + }, + { + "Sid": "AllowVpcPeeringManagement", + "Effect": "Allow", + "Action": [ + "ec2:CreateVpcPeeringConnection", + "ec2:AcceptVpcPeeringConnection" + ], + "Resource": "*" + }, + { + "Sid": "AllowVpcPeeringDeletion", + "Effect": "Allow", + "Action": [ + "ec2:DeleteVpcPeeringConnection" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } - }, - { - "Sid": "CreateEc2Resources", - "Effect": "Allow", 
- "Action": [ - "ec2:CreateVolume", - "ec2:CreateRoute", - "ec2:AuthorizeSecurityGroupIngress", - "ec2:AuthorizeSecurityGroupEgress" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } + } + }, + { + "Sid": "CreateEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:CreateVolume", + "ec2:CreateRoute", + "ec2:AuthorizeSecurityGroupIngress", + "ec2:AuthorizeSecurityGroupEgress" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } - }, - { - "Sid": "ModifyEc2Resources", - "Effect": "Allow", - "Action": [ - "ec2:AttachVolume", - "ec2:ModifyInstanceAttribute", - "ec2:ModifySubnetAttribute", - "ec2:AssociateRouteTable", - "ec2:StartInstances", - "ec2:StopInstances", - "ec2:RebootInstances" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } + } + }, + { + "Sid": "ModifyEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:AttachVolume", + "ec2:ModifyInstanceAttribute", + "ec2:ModifySubnetAttribute", + "ec2:AssociateRouteTable", + "ec2:StartInstances", + "ec2:StopInstances", + "ec2:RebootInstances" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } - }, - { - "Sid": "DeleteEc2Resources", - "Effect": "Allow", - "Action": [ - "ec2:TerminateInstances", - "ec2:DeleteVolume", - "ec2:DeleteSnapshot", - "ec2:DetachVolume", - "ec2:DeleteKeyPair", - "ec2:DeleteTags", - "ec2:DeleteSubnet", - "ec2:DeleteSecurityGroup", - "ec2:DeleteRouteTable", - "ec2:DeleteRoute", - "ec2:DeleteInternetGateway", - "ec2:DeleteVpc" - ], - "Resource": "*", - "Condition": { - "StringEquals": { - "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" - } + } + }, + { + "Sid": "DeleteEc2Resources", + "Effect": "Allow", + "Action": [ + "ec2:TerminateInstances", + "ec2:DeleteVolume", + "ec2:DeleteSnapshot", + "ec2:DetachVolume", 
+ "ec2:DeleteKeyPair", + "ec2:DeleteTags", + "ec2:DeleteSubnet", + "ec2:DeleteSecurityGroup", + "ec2:DeleteRouteTable", + "ec2:DeleteRoute", + "ec2:DeleteInternetGateway", + "ec2:DeleteVpc" + ], + "Resource": "*", + "Condition": { + "StringEquals": { + "ec2:ResourceTag/RedisLabsIdentifier": "Redislabs-VPC" } - }, - { - "Sid": "DeleteEc2ResourcesWithoutTag", - "Effect": "Allow", - "Action": [ - "ec2:RevokeSecurityGroupIngress", - "ec2:RejectVpcPeeringConnection", - "ec2:DeleteTransitGatewayVpcAttachment", - "ec2:DeleteTransitGateway", - "ec2:DetachInternetGateway" - ], - "Resource": "*" - }, - { - "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway", - "Effect": "Allow", - "Action": "iam:CreateServiceLinkedRole", - "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*", - "Condition": { - "StringLike": { - "iam:AWSServiceName": "transitgateway.amazonaws.com" - } + } + }, + { + "Sid": "DeleteEc2ResourcesWithoutTag", + "Effect": "Allow", + "Action": [ + "ec2:RevokeSecurityGroupIngress", + "ec2:RejectVpcPeeringConnection", + "ec2:DeleteTransitGatewayVpcAttachment", + "ec2:DeleteTransitGateway", + "ec2:DetachInternetGateway" + ], + "Resource": "*" + }, + { + "Sid": "CreateAndChangeServiceLinkedRoleForTransitGateway", + "Effect": "Allow", + "Action": "iam:CreateServiceLinkedRole", + "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*", + "Condition": { + "StringLike": { + "iam:AWSServiceName": "transitgateway.amazonaws.com" } - }, - { - "Sid": "RolePolicyForTransitGateway", - "Effect": "Allow", - "Action": [ - "iam:AttachRolePolicy", - "iam:PutRolePolicy" - ], - "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*" - }, - { - "Sid": "AllowEncryptedVolumeCreation", - "Effect": "Allow", - "Action": [ - "kms:GenerateDataKeyWithoutPlaintext", - "kms:DescribeKey" - ], - "Resource": "*" - 
}, - { - "Sid": "AllowAttachDetachOfEncryptedVolumes", - "Effect": "Allow", - "Action": [ - "kms:CreateGrant", - "kms:ListGrants", - "kms:RevokeGrant" - ], - "Resource": "*", - "Condition": { - "Bool": { - "kms:GrantIsForAWSResource": "true" - } + } + }, + { + "Sid": "RolePolicyForTransitGateway", + "Effect": "Allow", + "Action": [ + "iam:AttachRolePolicy", + "iam:PutRolePolicy" + ], + "Resource": "arn:aws:iam::*:role/aws-service-role/transitgateway.amazonaws.com/AWSServiceRoleForVPCTransitGateway*" + }, + { + "Sid": "AllowEncryptedVolumeCreation", + "Effect": "Allow", + "Action": [ + "kms:GenerateDataKeyWithoutPlaintext", + "kms:DescribeKey" + ], + "Resource": "*" + }, + { + "Sid": "AllowAttachDetachOfEncryptedVolumes", + "Effect": "Allow", + "Action": [ + "kms:CreateGrant", + "kms:ListGrants", + "kms:RevokeGrant" + ], + "Resource": "*", + "Condition": { + "Bool": { + "kms:GrantIsForAWSResource": "true" } } - ] - } - ``` + } + ] +} +``` + {{< /scrollable-code >}} - In **Review and Create**, enter `RedislabsIAMUserRestrictedPolicy` in the **Policy name** field. diff --git a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md index fe699b4cac..22a93eb9b5 100644 --- a/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md +++ b/content/operate/rc/subscriptions/bring-your-own-cloud/iam-resources/terraform.md @@ -25,9 +25,9 @@ The following example uses the `terraform-aws-Redislabs-Cloud-Account-IAM-Resour 1. Copy the following code into a file called `main.tf`. - {{< expand "View main.tf" >}} + {{< scrollable-code >}} {{% code-include file="rv/terraformIAMTemplate.json" language="js" %}} - {{< /expand >}} + {{< /scrollable-code >}} Replace the following values in the `main.tf` file: diff --git a/layouts/shortcodes/scrollable-code.html b/layouts/shortcodes/scrollable-code.html new file mode 100644 index 0000000000..ff565bf1eb 
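Review bot: `CreateEc2ResourcesWithoutTag` groups genuine creation calls with `ec2:ReplaceRoute`, `ec2:AttachInternetGateway`, `ec2:AssociateVpcCidrBlock` and `ec2:CreateTransitGatewayVpcAttachment`, which mutate existing route tables, VPCs and gateways, and grants all of them on `"*"` without the `RedisLabsIdentifier` condition that `ModifyEc2Resources` and `DeleteEc2Resources` apply a few statements later; the `ForceUnderlyingResourcesToHaveIdentifierTags` Deny does not cover them either, since it names only `ec2:RunInstances` and `ec2:CreateKeyPair`. Because the JSON is reproduced verbatim from the vendor policy, the fix on this page is a caveat rather than a silent edit, e.g. after the listing: `Note: the route, internet-gateway and VPC CIDR actions in CreateEc2ResourcesWithoutTag are not tag-scoped; if that is unacceptable, deploy this IAM user in a dedicated AWS account.` Whether the product can tolerate an `ec2:ResourceTag` condition on those actions is not visible here and should be confirmed with Redis before suggesting a policy change upstream.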
--- /dev/null
+++ b/layouts/shortcodes/scrollable-code.html
@@ -0,0 +1,18 @@
+{{/*
+ Scrollable code shortcode
+ Limits the number of visible lines and adds scrolling for the rest
+
+ Usage:
+ {{< scrollable-code lines="10" >}}
+ Content with many lines here...
+ {{< /scrollable-code >}}
+
+ Ideally used for just code blocks.
+*/}}
+
+{{ $lines := .Get "lines" | default "25" }}
+{{ $lineHeight := add (float $lines) 1.5 }}
+