Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer! Before you begin, use this checklist to confirm that your environment satisfies the specifications required to operate Infrastructure Optimizer.
...
Component
...
Requirements
...
VPC
Contains at least one private subnet. Check with this command:
...
Info |
---|
The pre-check commands will require the IAM principal to have at least the |
Network
By default, Infrastructure Optimizer schedules workload in private subnets to protect them from direct external accesses.
Use the following commands to ensure that the AWS VPC where Infrastructure Optimizer will run has at least one private subnet with public NAT Gateways.
Check private subnets that are suitable for running the Infrastructure Optimizer workload Workers:
Code Block |
---|
aws ec2 describe-subnets --filter Name=vpc-id,Values= |
...
<vpc_id> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId' |
...
NAT Gateway
...
Check whether there is a public NAT Gateway attached:
Code Block | ||
---|---|---|
| ||
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values= |
...
<vpc_id> --output json | jq '.NatGateways[] | {NatGatewayId, SubnetId, ConnectivityType}' |
...
Component
...
Details
...
SSH Key
...
This will be used to attach to the Management Server.
...
Trusted Certificate
...
Required only if deploying in a private environment.
...
Component
...
Requirements
...
Operating System
...
Using Linux variants.
...
Installations And Deployment
The If no private subnets exist, follow the AWS documentation to create a private subnet and a public NAT Gateway.
Info |
---|
EKS only: the Infrastructure Optimizer must run in the same VPC as the EKS cluster |
Security
A pre-provisioned, user-managed SSH key pair is required to access the Infrastructure Optimizer Management Server.
Info |
---|
OPTIONAL: Follow the AWS EC2 documentation to generate a SSH key pair. |
For environments with existing PKI setup, the x509 certificates, private key, and optionally, intermediate chain certificates and CA certificates will also be needed.
Compute
Infrastructure Optimizer runs on the following OSes:
Rocky Linux
Permissions
Installations and Deployment
The following file contains the minimum IAM permissions required by the AWS IAM principal used to install Infrastructure Optimizer must have the following permissions:
...
View file |
---|
...
language | json |
---|
...
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"ec2:RunInstances",
"ec2:DescribeInstances",
"ec2:DescribeInstanceTypes",
"ec2:DescribeInstanceStatus",
"ec2:StopInstances",
"ec2:TerminateInstances",
"ec2:ModifyInstanceAttribute",
"ec2:DescribeSubnets",
"ec2:DescribeVpcs",
"ec2:DescribeVpcAttribute",
"ec2:DescribeSecurityGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:CreateSecurityGroup",
"ec2:RevokeSecurityGroupIngress",
"ec2:DeleteSecurityGroup",
"ec2:DescribeSecurityGroupRules",
"ec2:CreateTags",
"ec2:DescribeKeyPairs",
"ec2:DescribeImages",
"ec2:DescribeImageAttribute",
"ec2:DescribeAvailabilityZones",
"ec2:DescribeAccountAttributes",
"ec2:DescribeRouteTables",
"ec2:DescribeNetworkAcls",
"ec2:DescribeAddresses",
"ec2:DescribeDhcpOptions",
"ec2:DescribeSnapshots"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:PutObject"
],
"Resource": "arn:aws:s3:::cf-template*"
},
{
"Effect": "Allow",
"Action": [
"cloudformation:CreateStack",
"cloudformation:UpdateStack",
"cloudformation:CreateUploadBucket",
"cloudformation:DescribeStackEvents",
"cloudformation:DescribeStacks",
"cloudformation:GetTemplateSummary",
"cloudformation:ListStacks",
"cloudformation:ListStackResources",
"cloudformation:DeleteStack"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"iam:CreateRole",
"iam:DeleteRole",
"iam:ListRoles",
"iam:TagRole",
"iam:PutRolePolicy",
"iam:DeleteRolePolicy",
"iam:GetRole",
"iam:ListAttachedRolePolicies",
"iam:CreateInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:RemoveRoleFromInstanceProfile",
"iam:DeleteInstanceProfile",
"iam:ListPolicies",
"iam:PassRole",
"iam:ListOpenIDConnectProviders",
"iam:GetOpenIDConnectProvider",
"iam:ListEntitiesForPolicy",
"iam:CreateServiceLinkedRole",
"iam:ListInstanceProfiles",
"iam:ListInstanceProfilesForRole",
"iam:AttachRolePolicy"
],
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"eks:DescribeCluster",
"eks:ListClusters",
"eks:UpdateClusterConfig",
"eks:UpdateClusterVersion",
"eks:CreateNodegroup",
"eks:DescribeNodegroup",
"eks:ListNodegroups",
"eks:UpdateNodegroupConfig",
"eks:UpdateNodegroupVersion",
"eks:DescribeAddon",
"eks:DescribeAddonVersions",
"eks:ListAddons",
"eks:UpdateAddon",
"eks:AccessKubernetesApi",
"eks:ListAccessPolicies",
"eks:AssociateAccessPolicy",
"eks:ListIdentityProviderConfigs",
"eks:DescribeAccessEntry",
"eks:ListPodIdentityAssociations",
"eks:ListAssociatedAccessPolicies",
"eks:CreateAccessEntry"
],
"_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name",
"Resource": "*"
},
{
"Effect": "Allow",
"Action": [
"ssm:ListAssociations",
"ssm:GetParametersByPath"
],
"Resource": "*"
}
]
}
...
title | Expand this section to view a detailed explanation of the scope of each IAM permission |
---|
...
1. Amazon EC2 (Elastic Compute Cloud)
Instance Management
ec2:RunInstances
ec2:DescribeInstances
ec2:DescribeInstanceTypes
ec2:DescribeInstanceStatus
ec2:StopInstances
ec2:TerminateInstances
ec2:ModifyInstanceAttribute
Network and Security
ec2:DescribeSubnets
ec2:DescribeVpcs
ec2:DescribeVpcAttribute
ec2:DescribeSecurityGroups
ec2:AuthorizeSecurityGroupIngress
ec2:CreateSecurityGroup
ec2:RevokeSecurityGroupIngress
ec2:DeleteSecurityGroup
ec2:DescribeSecurityGroupRules
Resource Tagging and Metadata
ec2:CreateTags
Others
ec2:DescribeKeyPairs
ec2:DescribeImages
ec2:DescribeImageAttribute
ec2:DescribeAvailabilityZones
ec2:DescribeAccountAttributes
ec2:DescribeRouteTables
ec2:DescribeNetworkAcls
ec2:DescribeAddresses
ec2:DescribeDhcpOptions
ec2:DescribeSnapshots
2. Amazon S3 (Simple Storage Service)
Object Operations
s3:GetObject
s3:PutObject
3. Amazon CloudFormation
Stack Operations
cloudformation:CreateStack
cloudformation:UpdateStack
cloudformation:CreateUploadBucket
cloudformation:DescribeStackEvents
cloudformation:DescribeStacks
cloudformation:GetTemplateSummary
cloudformation:ListStacks
cloudformation:ListStackResources
cloudformation:DeleteStack
4. AWS IAM (Identity and Access Management)
Role Management
iam:CreateRole
iam:DeleteRole
iam:ListRoles
iam:TagRole
iam:PutRolePolicy
iam:DeleteRolePolicy
iam:GetRole
iam:ListAttachedRolePolicies
iam:AttachRolePolicy
Instance Profile Operations
iam:CreateInstanceProfile
iam:AddRoleToInstanceProfile
iam:RemoveRoleFromInstanceProfile
iam:DeleteInstanceProfile
Policy Management
iam:ListPolicies
iam:PassRole
Other
iam:ListOpenIDConnectProviders
iam:GetOpenIDConnectProvider
iam:ListEntitiesForPolicy
iam:CreateServiceLinkedRole
iam:ListInstanceProfiles
iam:ListInstanceProfilesForRole
5. Amazon EKS (Elastic Kubernetes Service)
Cluster Operations
eks:DescribeCluster
eks:ListClusters
eks:UpdateClusterConfig
eks:UpdateClusterVersion
Nodegroup Operations
eks:CreateNodegroup
eks:DescribeNodegroup
eks:ListNodegroups
eks:UpdateNodegroupConfig
eks:UpdateNodegroupVersion
Addon Operations
eks:DescribeAddon
eks:DescribeAddonVersions
eks:ListAddons
eks:UpdateAddon
API Access and Policy Management
eks:AccessKubernetesApi
eks:ListAccessPolicies
eks:AssociateAccessPolicy
eks:ListIdentityProviderConfigs
eks:DescribeAccessEntry
eks:ListPodIdentityAssociations
eks:ListAssociatedAccessPolicies
eks:CreateAccessEntry
6. AWS SSM (System Manager)
Association Operations
ssm:ListAssociations
Code Block AWSTemplateFormatVersion: '2010-09-09' Description: Create IAM roles and policies for Controllers and Workers Resources: ExostellarControllerRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: ExostellarControllerPolicy PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:StopInstances", "ec2:DescribeSpotPriceHistory", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeTags", "ec2:CreateTags", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:TerminateInstances", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeRegions", "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:ModifyInstanceAttribute", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:CreateInstanceExportTask", "ec2:DescribeExportTasks", "ec2:RebootInstances", "ec2:CreateSnapshot", "ec2:DescribeSnapshots", "iam:CreateServiceLinkedRole", "iam:ListRoles", "iam:ListInstanceProfiles", "iam:PassRole", "iam:GetRole", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeInstanceTypeOfferings", "iam:GetInstanceProfile", "iam:SimulatePrincipalPolicy", "sns:Publish", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "eks:DescribeCluster" ], "Resource": "*" } ] } Tags: - Key: "Name" Value: !Sub "${AWS::StackName}-controller-role" ExostellarControllerProfile: Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !Ref ExostellarControllerRole ExostellarWorkerRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: ExostellarWorkerPolicy PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:UnassignPrivateIpAddresses" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:ModifyInstanceMetadataOptions", "eks:DescribeCluster" ], "Resource": "*" } ] } Tags: - Key: "Name" Value: !Sub "${AWS::StackName}-worker-role" ManagedPolicyArns: - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" ExostellarWorkerProfile: Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !Ref ExostellarWorkerRole Outputs: ExostellarControllerRoleARN: Description: ARN of the Controller IAM Role. This will be used in the ConfigMap. Value: !GetAtt ExostellarControllerRole.Arn ExostellarControllerRoleInstanceProfileARN: Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration. Value: !GetAtt ExostellarControllerProfile.Arn ExostellarWorkerRoleARN: Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap. Value: !GetAtt ExostellarWorkerRole.Arn ExostellarWorkerRoleInstanceProfileARN: Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration. Value: !GetAtt ExostellarWorkerProfile.Arn
ssm:GetParametersByPath
EC2 Instance Profile
The X-Spot controllers and workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the EC2 instance profiles.
When completed, the roles and instance profile ARNs output by CloudFormation will be needed for subsequent installation steps
...
|
Expand | ||
---|---|---|
| ||
|
EC2 Instance Profiles
The Infrastructure Optimizer Controllers and Workers require a set of IAM permissions to manage and scale your workloads efficiently. Use this CloudFormation template to create the EC2 instance profiles.
View file | ||
---|---|---|
|
Info |
---|
When completed, the roles and instance profile ARNs outputs by CloudFormation will be needed for subsequent installation steps. |