Welcome to your first step towards cloud efficiency and savings with Infrastructure Optimizer!
Before you begin, use this checklist to confirm your environment satisfies the specifications required to operate Infrastructure Optimizer.
Network
By default, Infrastructure Optimizer schedules workload workers to run in private subnets to protect them from direct external access.
Run the following commands to confirm that the AWS VPC where Infrastructure Optimizer will run has at least one private subnet with a public NAT Gateway:
aws ec2 describe-subnets --filters Name=vpc-id,Values=<vpc_id> --query 'Subnets[?MapPublicIpOnLaunch==`false`].SubnetId'
aws ec2 describe-nat-gateways --filter Name=vpc-id,Values=<vpc_id> --output json | jq '.NatGateways[] | {NatGatewayId, SubnetId, ConnectivityType}'
The first command lists the subnets that do not auto-assign public IP addresses, which are the candidate private subnets for running the Infrastructure Optimizer workload workers; the second lists the VPC's NAT Gateways together with the subnet each one lives in and its connectivity type (public or private).
If no private subnets exist, follow the AWS documentation to create a private subnet and a public NAT Gateway.
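The MapPublicIpOnLaunch query above is a quick heuristic; what actually makes a subnet private is its route table. The following added example (not part of the Infrastructure Optimizer docs) classifies subnets from route tables and NAT Gateway state instead, and handles the subnet with no explicit route-table association, which silently falls back to the VPC's main table. All IDs and dicts are constructed samples shaped like the AWS CLI output.

```python
# Added example, not from the Infrastructure Optimizer docs: classify a VPC's subnets by
# their route tables rather than by MapPublicIpOnLaunch alone. Input dicts are constructed
# samples shaped like `aws ec2 describe-subnets`, `describe-route-tables` and
# `describe-nat-gateways` output; every ID is made up.
SUBNETS = [
    {"SubnetId": "subnet-0aaa", "MapPublicIpOnLaunch": True},
    {"SubnetId": "subnet-0bbb", "MapPublicIpOnLaunch": False},
    {"SubnetId": "subnet-0ccc", "MapPublicIpOnLaunch": False},  # falls back to the main table
]
ROUTE_TABLES = [
    {"RouteTableId": "rtb-main", "Associations": [{"Main": True}],
     "Routes": [{"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"}]},
    {"RouteTableId": "rtb-pub", "Associations": [{"Main": False, "SubnetId": "subnet-0aaa"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-0111"}]},
    {"RouteTableId": "rtb-priv", "Associations": [{"Main": False, "SubnetId": "subnet-0bbb"}],
     "Routes": [{"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-0222"}]},
]
NAT_GATEWAYS = [
    {"NatGatewayId": "nat-0222", "SubnetId": "subnet-0aaa",
     "State": "available", "ConnectivityType": "public"},
]

def route_table_for(subnet_id, route_tables):
    """Explicit subnet association wins; otherwise the VPC's main table applies."""
    main = None
    for rt in route_tables:
        for assoc in rt.get("Associations", []):
            if assoc.get("SubnetId") == subnet_id:
                return rt
            if assoc.get("Main"):
                main = rt
    return main

def classify_subnets(subnets, route_tables, nat_gateways):
    """Return {subnet_id: "public" | "private-nat" | "isolated"}; only private-nat suits the workers."""
    usable = {n["NatGatewayId"] for n in nat_gateways
              if n["State"] == "available" and n["ConnectivityType"] == "public"}
    result = {}
    for s in subnets:
        rt = route_table_for(s["SubnetId"], route_tables)
        defaults = [r for r in (rt["Routes"] if rt else []) if r.get("DestinationCidrBlock") == "0.0.0.0/0"]
        if any(r.get("GatewayId", "").startswith("igw-") for r in defaults):
            result[s["SubnetId"]] = "public"       # has an internet gateway route
        elif any(r.get("NatGatewayId") in usable for r in defaults):
            result[s["SubnetId"]] = "private-nat"  # egress only through a public NAT Gateway
        else:
            result[s["SubnetId"]] = "isolated"     # no default route: workers could not reach AWS APIs
    return result
```

Note that subnet-0ccc has MapPublicIpOnLaunch false yet is classified isolated: the first CLI command above would list it as private even though workers placed there would have no egress.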
Security
A pre-provisioned, user-managed SSH key pair is required to access the Infrastructure Optimizer head node. If needed, follow the AWS EC2 documentation to generate an SSH key pair.
For environments with an existing PKI, the X.509 certificate, its private key and, optionally, the intermediate chain certificates and CA certificates will be needed.
Compute
Infrastructure Optimizer runs on the following OSes:
Rocky Linux
CentOS
Permissions
Installation and Deployment
The AWS IAM principal used to install Infrastructure Optimizer must have the following permissions:
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:RunInstances",
        "ec2:DescribeInstances",
        "ec2:DescribeInstanceTypes",
        "ec2:DescribeInstanceStatus",
        "ec2:StopInstances",
        "ec2:TerminateInstances",
        "ec2:ModifyInstanceAttribute",
        "ec2:DescribeSubnets",
        "ec2:DescribeVpcs",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:AuthorizeSecurityGroupIngress",
        "ec2:CreateSecurityGroup",
        "ec2:RevokeSecurityGroupIngress",
        "ec2:DeleteSecurityGroup",
        "ec2:DescribeSecurityGroupRules",
        "ec2:CreateTags",
        "ec2:DescribeKeyPairs",
        "ec2:DescribeImages",
        "ec2:DescribeImageAttribute",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeRouteTables",
        "ec2:DescribeNetworkAcls",
        "ec2:DescribeAddresses",
        "ec2:DescribeDhcpOptions",
        "ec2:DescribeSnapshots"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:PutObject"
      ],
      "Resource": "arn:aws:s3:::cf-template*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "cloudformation:CreateStack",
        "cloudformation:UpdateStack",
        "cloudformation:CreateUploadBucket",
        "cloudformation:DescribeStackEvents",
        "cloudformation:DescribeStacks",
        "cloudformation:GetTemplateSummary",
        "cloudformation:ListStacks",
        "cloudformation:ListStackResources",
        "cloudformation:DeleteStack"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "iam:CreateRole",
        "iam:DeleteRole",
        "iam:ListRoles",
        "iam:TagRole",
        "iam:PutRolePolicy",
        "iam:DeleteRolePolicy",
        "iam:GetRole",
        "iam:ListAttachedRolePolicies",
        "iam:CreateInstanceProfile",
        "iam:AddRoleToInstanceProfile",
        "iam:RemoveRoleFromInstanceProfile",
        "iam:DeleteInstanceProfile",
        "iam:ListPolicies",
        "iam:PassRole",
        "iam:ListOpenIDConnectProviders",
        "iam:GetOpenIDConnectProvider",
        "iam:ListEntitiesForPolicy",
        "iam:CreateServiceLinkedRole",
        "iam:ListInstanceProfiles",
        "iam:ListInstanceProfilesForRole",
        "iam:AttachRolePolicy"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "eks:DescribeCluster",
        "eks:ListClusters",
        "eks:UpdateClusterConfig",
        "eks:UpdateClusterVersion",
        "eks:CreateNodegroup",
        "eks:DescribeNodegroup",
        "eks:ListNodegroups",
        "eks:UpdateNodegroupConfig",
        "eks:UpdateNodegroupVersion",
        "eks:DescribeAddon",
        "eks:DescribeAddonVersions",
        "eks:ListAddons",
        "eks:UpdateAddon",
        "eks:AccessKubernetesApi",
        "eks:ListAccessPolicies",
        "eks:AssociateAccessPolicy",
        "eks:ListIdentityProviderConfigs",
        "eks:DescribeAccessEntry",
        "eks:ListPodIdentityAssociations",
        "eks:ListAssociatedAccessPolicies",
        "eks:CreateAccessEntry"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:ListAssociations",
        "ssm:GetParametersByPath"
      ],
      "Resource": "*"
    }
  ]
}
Change the Resource of the eks statement from "*" to the specific cluster: arn:aws:eks:region:account-id:cluster/cluster-name. (JSON has no comments, so this note cannot be carried as a key inside the policy; IAM rejects statements with unknown fields.)
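As an added example (not part of the Infrastructure Optimizer docs), the following pre-flight lint catches the two review points raised by the policy above before it is attached to the install principal: a stray non-grammar key such as "_comment", and Allow statements that combine non-read-only actions with Resource "*", which are the ones worth scoping to an ARN as the eks note recommends. SAMPLE_POLICY is a constructed, cut-down policy in the same shape; the checks are illustrative and do not replace IAM's own validation.

```python
# Added example, not from the Infrastructure Optimizer docs: a pre-flight lint for an IAM
# policy document before it is attached to the install principal. SAMPLE_POLICY is a
# constructed, cut-down policy in the same shape as the install policy; these checks
# illustrate the two review points and do not replace IAM's own validation.
import json

# Keys the IAM policy grammar allows inside a Statement; anything else (e.g. a "_comment"
# key, since JSON has no comments) fails policy validation.
STATEMENT_KEYS = {"Sid", "Effect", "Action", "NotAction", "Resource",
                  "NotResource", "Principal", "NotPrincipal", "Condition"}
READ_ONLY_PREFIXES = ("Describe", "List", "Get")

SAMPLE_POLICY = json.loads("""
{
  "Version": "2012-10-17",
  "Statement": [
    {"Effect": "Allow", "Action": ["ec2:DescribeSubnets", "ec2:DescribeVpcs"], "Resource": "*"},
    {"Effect": "Allow", "Action": ["s3:GetObject", "s3:PutObject"],
     "Resource": "arn:aws:s3:::cf-template*"},
    {"Effect": "Allow", "Action": ["eks:DescribeCluster", "eks:CreateAccessEntry"],
     "_comment": "narrow Resource to one cluster ARN", "Resource": "*"}
  ]
}
""")

def _as_list(value):
    return value if isinstance(value, list) else [value]

def lint_policy(doc):
    """Return (statement_index, message) findings; an empty list means nothing to review."""
    findings = []
    for i, st in enumerate(doc["Statement"]):
        unknown = sorted(set(st) - STATEMENT_KEYS)
        if unknown:
            findings.append((i, f"unknown keys {unknown}"))
        if st.get("Effect") == "Allow" and "*" in _as_list(st.get("Resource", [])):
            # Non-read-only actions on Resource "*" are the ones worth scoping to an ARN,
            # as the page's note on the eks statement recommends.
            broad = [a for a in _as_list(st["Action"])
                     if not a.split(":", 1)[1].startswith(READ_ONLY_PREFIXES)]
            if broad:
                findings.append((i, f"Resource '*' with non-read-only actions {broad}"))
    return findings

if __name__ == "__main__":
    for idx, msg in lint_policy(SAMPLE_POLICY):
        print(f"statement {idx}: {msg}")
```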
EC2 Instance Profiles
The X-Spot controllers and workers require a set of IAM permissions to manage and scale your workloads efficiently. Use the following CloudFormation template to create the EC2 instance profiles.
When the stack completes, the role and instance profile ARNs output by CloudFormation will be needed for subsequent installation steps.
AWSTemplateFormatVersion: '2010-09-09'
Description: Create IAM roles and policies for Controllers and Workers
Resources:
  ExostellarControllerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarControllerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:RunInstances",
                    "ec2:StopInstances",
                    "ec2:DescribeSpotPriceHistory",
                    "ec2:DescribeInstances",
                    "ec2:DescribeInstanceTypes",
                    "ec2:DescribeTags",
                    "ec2:CreateTags",
                    "ec2:CreateFleet",
                    "ec2:CreateLaunchTemplate",
                    "ec2:DeleteLaunchTemplate",
                    "ec2:TerminateInstances",
                    "ec2:AssignPrivateIpAddresses",
                    "ec2:UnassignPrivateIpAddresses",
                    "ec2:AttachNetworkInterface",
                    "ec2:DetachNetworkInterface",
                    "ec2:CreateNetworkInterface",
                    "ec2:DeleteNetworkInterface",
                    "ec2:ModifyNetworkInterfaceAttribute",
                    "ec2:DescribeRegions",
                    "ec2:CreateVolume",
                    "ec2:DescribeVolumes",
                    "ec2:AttachVolume",
                    "ec2:ModifyInstanceAttribute",
                    "ec2:DetachVolume",
                    "ec2:DeleteVolume",
                    "ec2:CreateInstanceExportTask",
                    "ec2:DescribeExportTasks",
                    "ec2:RebootInstances",
                    "ec2:CreateSnapshot",
                    "ec2:DescribeSnapshots",
                    "iam:CreateServiceLinkedRole",
                    "iam:ListRoles",
                    "iam:ListInstanceProfiles",
                    "iam:PassRole",
                    "iam:GetRole",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:DescribeImages",
                    "ec2:DescribeKeyPairs",
                    "ec2:DescribeInstanceTypeOfferings",
                    "iam:GetInstanceProfile",
                    "iam:SimulatePrincipalPolicy",
                    "sns:Publish",
                    "ssm:GetParameters",
                    "ssm:GetParametersByPath"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-controller-role"
  ExostellarControllerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarControllerRole
  ExostellarWorkerRole:
    Type: 'AWS::IAM::Role'
    Properties:
      AssumeRolePolicyDocument:
        Version: '2012-10-17'
        Statement:
          - Effect: Allow
            Principal:
              Service: ec2.amazonaws.com
            Action: 'sts:AssumeRole'
      Policies:
        - PolicyName: ExostellarWorkerPolicy
          PolicyDocument: |
            {
              "Version": "2012-10-17",
              "Statement": [
                {
                  "Effect": "Deny",
                  "Action": [
                    "ec2:UnassignPrivateIpAddresses"
                  ],
                  "Resource": "*"
                },
                {
                  "Effect": "Allow",
                  "Action": [
                    "ec2:ModifyInstanceMetadataOptions",
                    "eks:DescribeCluster"
                  ],
                  "Resource": "*"
                }
              ]
            }
      Tags:
        - Key: "Name"
          Value: !Sub "${AWS::StackName}-worker-role"
      ManagedPolicyArns:
        - "arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly"
        - "arn:aws:iam::aws:policy/AmazonSSMManagedInstanceCore"
        - "arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy"
        - "arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy"
        - "arn:aws:iam::aws:policy/service-role/AmazonEBSCSIDriverPolicy"
  ExostellarWorkerProfile:
    Type: 'AWS::IAM::InstanceProfile'
    Properties:
      Roles:
        - !Ref ExostellarWorkerRole
Outputs:
  ExostellarControllerRoleARN:
    Description: ARN of the Controller IAM Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarControllerRole.Arn
  ExostellarControllerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Controller IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarControllerProfile.Arn
  ExostellarWorkerRoleARN:
    Description: ARN of the Exostellar Worker Role. This will be used in the ConfigMap.
    Value: !GetAtt ExostellarWorkerRole.Arn
  ExostellarWorkerRoleInstanceProfileARN:
    Description: Instance Profile ARN of the Worker IAM Role. This will be used in the Profile Configuration.
    Value: !GetAtt ExostellarWorkerProfile.Arn