- Created by Yajing Wang, last modified on Jul 24, 2024
You are viewing an old version of this page. View the current version.
Compare with Current View Page History
« Previous Version 94 Next »
Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer!
Before you begin, use this checklist to confirm your environment satisfies the specifications required to operate Infrastructure Optimizer.
Network
Component | Requirements |
VPC | Contains at least one private subnet. Check with this command: aws ec2 describe-subnets --filter Name=vpc-id,Values=<YOUR VPC ID> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId' |
NAT Gateway | Has a NAT Gateway with public connectivity. Verify with this command: aws ec2 describe-nat-gateways --filter "Name=vpc-id,Values=<YOUR VPC ID>" | jq '.NatGateways[] | {NatGatewayId, ConnectivityType}' |
Security
Component | Details |
SSH Key | This will be used to attach to the Management Server. |
Trusted Certificate | Required only if deploying in a private environment. |
Compute
Component | Requirements |
Operating System | Using Linux variants. |
Permissions
We understand that cloud control and security are important to you.
To use Infrastructure Optimizer and start saving right away, you must create the following least-privilege IAM roles:
This policy needs to be attached to the user who performs the installation and operation.
Least privilege IAM policies | Explanation |
---|---|
{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeInstanceStatus", "ec2:StopInstances", "ec2:TerminateInstances", "ec2:ModifyInstanceAttribute", "ec2:DescribeSubnets", "ec2:DescribeVpcs", "ec2:DescribeVpcAttribute", "ec2:DescribeSecurityGroups", "ec2:AuthorizeSecurityGroupIngress", "ec2:CreateSecurityGroup", "ec2:RevokeSecurityGroupIngress", "ec2:DeleteSecurityGroup", "ec2:DescribeSecurityGroupRules", "ec2:CreateTags", "ec2:DescribeKeyPairs", "ec2:DescribeImages", "ec2:DescribeImageAttribute", "ec2:DescribeAvailabilityZones", "ec2:DescribeAccountAttributes", "ec2:DescribeRouteTables", "ec2:DescribeNetworkAcls", "ec2:DescribeAddresses", "ec2:DescribeDhcpOptions", "ec2:DescribeSnapshots" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "s3:GetObject", "s3:PutObject" ], "Resource": "arn:aws:s3:::cf-template*" }, { "Effect": "Allow", "Action": [ "cloudformation:CreateStack", "cloudformation:UpdateStack", "cloudformation:CreateUploadBucket", "cloudformation:DescribeStackEvents", "cloudformation:DescribeStacks", "cloudformation:GetTemplateSummary", "cloudformation:ListStacks", "cloudformation:ListStackResources", "cloudformation:DeleteStack" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "iam:CreateRole", "iam:DeleteRole", "iam:ListRoles", "iam:TagRole", "iam:PutRolePolicy", "iam:DeleteRolePolicy", "iam:GetRole", "iam:ListAttachedRolePolicies", "iam:CreateInstanceProfile", "iam:AddRoleToInstanceProfile", "iam:RemoveRoleFromInstanceProfile", "iam:DeleteInstanceProfile", "iam:ListPolicies", "iam:PassRole", "iam:ListOpenIDConnectProviders", "iam:GetOpenIDConnectProvider", "iam:ListEntitiesForPolicy", "iam:CreateServiceLinkedRole", "iam:ListInstanceProfiles", "iam:ListInstanceProfilesForRole", "iam:AttachRolePolicy" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "eks:DescribeCluster", "eks:ListClusters", "eks:UpdateClusterConfig", "eks:UpdateClusterVersion", "eks:CreateNodegroup", "eks:DescribeNodegroup", "eks:ListNodegroups", "eks:UpdateNodegroupConfig", "eks:UpdateNodegroupVersion", "eks:DescribeAddon", "eks:DescribeAddonVersions", "eks:ListAddons", "eks:UpdateAddon", "eks:AccessKubernetesApi", "eks:ListAccessPolicies", "eks:AssociateAccessPolicy", "eks:ListIdentityProviderConfigs", "eks:DescribeAccessEntry", "eks:ListPodIdentityAssociations", "eks:ListAssociatedAccessPolicies", "eks:CreateAccessEntry" ], "_comment": "Change the below Resource to specific cluster - arn:aws:eks:region:account-id:cluster/cluster-name", "Resource": "*" }, { "Effect": "Allow", "Action": [ "ssm:ListAssociations", "ssm:GetParametersByPath" ], "Resource": "*" } ] } | 1. Amazon EC2 (Elastic Compute Cloud)
2. Amazon S3 (Simple Storage Service)
3. Amazon CloudFormation
4. AWS IAM (Identity and Access Management)
5. Amazon EKS (Elastic Kubernetes Service)
6. AWS SSM (System Manager)
|
Use this CloudFormation template to create the required Controller and Worker IAMs and generates the IAM ARNs and Instance Profile ARNs as outputs, which will be used in the configuration stage.
AWSTemplateFormatVersion: '2010-09-09' Description: Create IAM roles and policies for Controllers and Workers Resources: ExostellarControllerRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: ExostellarControllerPolicy PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "ec2:RunInstances", "ec2:StopInstances", "ec2:DescribeSpotPriceHistory", "ec2:DescribeInstances", "ec2:DescribeInstanceTypes", "ec2:DescribeTags", "ec2:CreateTags", "ec2:CreateFleet", "ec2:CreateLaunchTemplate", "ec2:DeleteLaunchTemplate", "ec2:TerminateInstances", "ec2:AssignPrivateIpAddresses", "ec2:UnassignPrivateIpAddresses", "ec2:AttachNetworkInterface", "ec2:DetachNetworkInterface", "ec2:CreateNetworkInterface", "ec2:DeleteNetworkInterface", "ec2:ModifyNetworkInterfaceAttribute", "ec2:DescribeRegions", "ec2:CreateVolume", "ec2:DescribeVolumes", "ec2:AttachVolume", "ec2:ModifyInstanceAttribute", "ec2:DetachVolume", "ec2:DeleteVolume", "ec2:CreateInstanceExportTask", "ec2:DescribeExportTasks", "ec2:RebootInstances", "ec2:CreateSnapshot", "ec2:DescribeSnapshots", "iam:CreateServiceLinkedRole", "iam:ListRoles", "iam:ListInstanceProfiles", "iam:PassRole", "iam:GetRole", "ec2:DescribeSubnets", "ec2:DescribeSecurityGroups", "ec2:DescribeImages", "ec2:DescribeKeyPairs", "ec2:DescribeInstanceTypeOfferings", "iam:GetInstanceProfile", "iam:SimulatePrincipalPolicy", "sns:Publish", "ssm:GetParameters", "ssm:GetParametersByPath" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "eks:DescribeCluster" ], "Resource": "*" } ] } Tags: - Key: "Name" Value: !Sub "${AWS::StackName}-controller-role" ExostellarControllerProfile: Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !Ref ExostellarControllerRole ExostellarWorkerRole: Type: 'AWS::IAM::Role' Properties: AssumeRolePolicyDocument: Version: '2012-10-17' Statement: - Effect: Allow Principal: Service: ec2.amazonaws.com Action: 'sts:AssumeRole' Policies: - PolicyName: ExostellarWorkerPolicy PolicyDocument: | { "Version": "2012-10-17", "Statement": [ { "Effect": "Deny", "Action": [ "ec2:UnassignPrivateIpAddresses" ], "Resource": "*" }, { "Effect": "Allow", "Action": [ "ec2:ModifyInstanceMetadataOptions", "eks:DescribeCluster" ], "Resource": "*" } ] } Tags: - Key: "Name" Value: !Sub "${AWS::StackName}-worker-role" ManagedPolicyArns: - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly" - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore" - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy" - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy" - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy" ExostellarWorkerProfile: Type: 'AWS::IAM::InstanceProfile' Properties: Roles: - !Ref ExostellarWorkerRole Outputs: ExostellarControllerRoleARN: Description: ARN of the Controller IAM Role. This will be used in the ConfigMap. Value: !GetAtt ExostellarControllerRole.Arn ExostellarControllerRoleInstanceProfileARN: Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration. Value: !GetAtt ExostellarControllerProfile.Arn ExostellarWorkerRoleARN: Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap. Value: !GetAtt ExostellarWorkerRole.Arn ExostellarWorkerRoleInstanceProfileARN: Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration. Value: !GetAtt ExostellarWorkerProfile.Arn
- No labels