Welcome to Infrastructure Optimizer! 🎉 👏
...
Note: the pre-check commands require the IAM principal to have at least the ec2:Describe* permissions.
Network
...
By default, Infrastructure Optimizer schedules workload workers to run in private subnets to protect them from direct external accesses.
Use the following commands to ensure that the AWS VPC where Infrastructure Optimizer will run has at least one private subnet with a public NAT Gateway.
Check for private subnets that are suitable for running the Infrastructure Optimizer workload Workers:
```bash
aws ec2 describe-subnets --filter Name=vpc-id,Values=<vpc_id> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId'
```
Check whether there is a public NAT Gateway attached:
```bash
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc_id> --output json | jq '.NatGateways[] | {NatGatewayId, SubnetId, ConnectivityType}'
```
...
If no private subnets exist, follow the AWS documentation to create a private subnet and a public NAT Gateway.
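The two commands above list private subnets and NAT Gateways separately; what actually matters for the Workers is that each private subnet's route table sends 0.0.0.0/0 to a public NAT Gateway that is available. The following check is an added example, not part of the Infrastructure Optimizer documentation, and it goes one step beyond the page by joining the subnets, route tables and NAT Gateways; the JSON below is constructed sample data in the shape that `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways --output json` return, and the function names are my own.

```python
# Constructed sample responses (not real account data), shaped like the JSON output of
# `aws ec2 describe-subnets`, `describe-route-tables` and `describe-nat-gateways`.
SUBNETS = {"Subnets": [
    {"SubnetId": "subnet-aaa", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-bbb", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-ccc", "MapPublicIpOnLaunch": True},
]}
ROUTE_TABLES = {"RouteTables": [
    {"Associations": [{"Main": True}],  # VPC main table: local route only, no default route
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"Associations": [{"SubnetId": "subnet-aaa", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
                {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-111", "State": "active"}]},
    {"Associations": [{"SubnetId": "subnet-ccc", "Main": False}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-123", "State": "active"}]},
]}
NAT_GATEWAYS = {"NatGateways": [
    {"NatGatewayId": "nat-111", "SubnetId": "subnet-ccc", "ConnectivityType": "public", "State": "available"},
]}


def private_subnets(subnets):
    """Same filter as the describe-subnets query above: no public IP assigned on launch."""
    return [s["SubnetId"] for s in subnets["Subnets"] if not s["MapPublicIpOnLaunch"]]


def route_table_for(subnet_id, route_tables):
    """An explicit subnet association wins; otherwise the VPC main route table applies."""
    main = None
    for rt in route_tables["RouteTables"]:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main


def egress_nat(subnet_id, route_tables, nat_gateways):
    """NAT Gateway id carrying 0.0.0.0/0 for the subnet, but only if it is public and available."""
    usable = {n["NatGatewayId"] for n in nat_gateways["NatGateways"]
              if n["ConnectivityType"] == "public" and n["State"] == "available"}
    rt = route_table_for(subnet_id, route_tables) or {}
    for route in rt.get("Routes", []):
        if route.get("DestinationCidrBlock") == "0.0.0.0/0" and route.get("State", "active") == "active":
            return route.get("NatGatewayId") if route.get("NatGatewayId") in usable else None
    return None  # no default route at all (e.g. isolated subnet on the main table)


def suitable_worker_subnets(subnets, route_tables, nat_gateways):
    """Private subnets whose default route leaves through a public NAT Gateway."""
    return {sid: nat for sid in private_subnets(subnets)
            if (nat := egress_nat(sid, route_tables, nat_gateways))}
```

With the sample data only subnet-aaa qualifies: subnet-bbb has no default route and subnet-ccc is a public subnet routed through an Internet Gateway.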
Security
...
A pre-provisioned, user-managed SSH key pair is required to access the Infrastructure Optimizer Management Server.
Note (optional): follow the AWS EC2 documentation to generate an SSH key pair.
For environments with an existing PKI setup, the X.509 certificate, the private key and, optionally, the intermediate chain certificates and CA certificates will also be needed.
...
Compute
Infrastructure Optimizer runs on the following OSes:
Permissions
...
Installations and Deployment
The following file contains the minimum IAM permissions required by the AWS IAM principal used to install Infrastructure Optimizer:
...
Detailed explanation of the scope of each IAM permission:

1. Amazon EC2 (Elastic Compute Cloud)
2. Amazon S3 (Simple Storage Service)
3. Amazon CloudFormation Stack Operations
   - cloudformation:CreateStack
   - cloudformation:UpdateStack
   - cloudformation:CreateUploadBucket
   - cloudformation:DescribeStackEvents
   - cloudformation:DescribeStacks
   - cloudformation:GetTemplateSummary
   - cloudformation:ListStacks
   - cloudformation:ListStackResources
   - cloudformation:DeleteStack
4. AWS IAM (Identity and Access Management)
5. Amazon EKS (Elastic Kubernetes Service)
6. AWS SSM (Systems Manager) Association Operations
   - ssm:ListAssociations
   - ssm:GetParametersByPath

```yaml
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers
Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"
  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole
  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole
Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn
  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn
  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn
  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn
```
EC2 Instance Profiles
...
The Infrastructure Optimizer Controllers and Workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the EC2 instance profiles.
Attached file: xio-cloudformation-data-plane-iam.yaml

Note: when completed, the role and instance profile ARNs output by CloudFormation will be needed for subsequent installation steps.
...