Create the IAM roles and instance profile

Enable the LIFTIE_USE_PRECREATED_IAM_RESOURCES entitlement and then create the IAM roles and instance profile.

Before you begin, confirm that the LIFTIE_USE_PRECREATED_IAM_RESOURCES entitlement is enabled for the tenant in question.

  1. Apply the following CloudFormation template, which creates:
    • IAM role called cdp-eks-master-role
    • IAM role and instance profile pair called cdp-liftie-instance-profile
    Figure 1. CloudFormation Template (YAML)
    AWSTemplateFormatVersion: "2010-09-09"
    
    Description: "Creates Liftie IAM resources"
    
    Parameters:
    
      TelemetryLoggingEnabled:
        Description: Telemetry logging is enabled
        Type: String
    
      TelemetryLoggingBucket:
        Description: Telemetry logging bucket where Liftie logs will be stored.
        Type: String
    
      TelemetryLoggingRootDir:
        Description: Telemetry logging root directory inside telemetry logging bucket used for storing logs.
        Default: "cluster-logs"
        Type: String
    
    Conditions:
    
      TelemetryLoggingEnabled:
        Fn::Equals:
          - {Ref: TelemetryLoggingEnabled}
          - true
    
    Resources:
    
      AWSServiceRoleForAmazonEKS:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - eks.amazonaws.com
                Action:
                  - sts:AssumeRole
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonEKSServicePolicy
            - arn:aws:iam::aws:policy/AmazonEKSClusterPolicy
          RoleName: cdp-eks-master-role
    
      NodeInstanceRole:
        Type: AWS::IAM::Role
        Properties:
          AssumeRolePolicyDocument:
            Version: '2012-10-17'
            Statement:
              - Effect: Allow
                Principal:
                  Service:
                    - ec2.amazonaws.com
                Action:
                  - sts:AssumeRole
          Path: "/"
          ManagedPolicyArns:
            - arn:aws:iam::aws:policy/AmazonEKSWorkerNodePolicy
            - arn:aws:iam::aws:policy/AmazonEKS_CNI_Policy
            - arn:aws:iam::aws:policy/AmazonEC2ContainerRegistryReadOnly
          RoleName: cdp-liftie-instance-profile
          Policies:
            - PolicyName: 'cluster-autoscaler'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - autoscaling:DescribeAutoScalingGroups
                      - autoscaling:DescribeAutoScalingInstances
                      - autoscaling:DescribeTags
                      - autoscaling:DescribeLaunchConfigurations
                      - autoscaling:SetDesiredCapacity
                      - autoscaling:TerminateInstanceInAutoScalingGroup
                    Resource:
                      - "*"
            - !If
              - TelemetryLoggingEnabled
              - PolicyName: telemetry-s3-list-bucket
                PolicyDocument:
                  Version: 2012-10-17
                  Statement:
                    - Effect: Allow
                      Action:
                        - 's3:ListBucket'
                      Resource:
                        - !Sub 'arn:aws:s3:::${TelemetryLoggingBucket}'
              - !Ref 'AWS::NoValue'
            - !If
              - TelemetryLoggingEnabled
              - PolicyName: telemetry-s3-read-write
                PolicyDocument:
                  Version: 2012-10-17
                  Statement:
                    - Effect: Allow
                      Action:
                        - 's3:*Object'
                        - 's3:AbortMultipartUpload'
                      Resource:
                        - !Sub >-
                          arn:aws:s3:::${TelemetryLoggingBucket}/${TelemetryLoggingRootDir}*
              - !Ref 'AWS::NoValue'
            - PolicyName: 'calico-cni'
              PolicyDocument:
                Version: '2012-10-17'
                Statement:
                  - Effect: Allow
                    Action:
                      - ec2:ModifyInstanceAttribute
                    Resource:
                      - "*"
      NodeInstanceProfile:
        Type: AWS::IAM::InstanceProfile
        Properties:
          Path: "/"
          InstanceProfileName: cdp-liftie-instance-profile
          Roles:
            - !Ref NodeInstanceRole
    
  2. In the AWS console CloudFormation wizard, provide values for the following properties:
    • Stack Name: Provide an appropriate name. Example: compute-precreated-roles-and-instanceprofile
    • TelemetryLoggingBucket: Name of the log bucket. Example: compute-logging-bucket
    • TelemetryLoggingEnabled: Set it to true.
    • TelemetryLoggingRootDir: Verify that it is set to the default value cluster-logs.
  3. On the last page in the wizard process, click the I acknowledge... checkbox to allow creation of IAM resources with special names.
  4. Click Create stack.
After the stack is created, the CloudFormation Resources tab lists the precreated role and instance profile.
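A post-deployment drift check, added here as an example and not part of this page or of the CDP tooling: it takes the trust policy JSON that `aws iam get-role` returns (and the instance profile JSON from `aws iam get-instance-profile`) and confirms that the two precreated roles can be assumed only by the service principals the template defines, and that the instance profile carries only its role. The sample documents below are constructed, including the account ID in the drifted one.

```python
# Trust relationships defined by the template: RoleName -> the only
# service principal that should be able to assume the role.
EXPECTED_TRUST = {
    "cdp-eks-master-role": {"eks.amazonaws.com"},
    "cdp-liftie-instance-profile": {"ec2.amazonaws.com"},
}

def _as_list(value):
    # IAM policy JSON allows a single string wherever a list is expected.
    return [value] if isinstance(value, str) else list(value or [])

def audit_trust_policy(role_name, doc):
    """Compare a role's AssumeRolePolicyDocument with the template.
    Returns a list of findings; an empty list means no drift."""
    findings = []
    expected = EXPECTED_TRUST.get(role_name)
    if expected is None:
        return [f"{role_name}: not one of the precreated Liftie roles"]
    for stmt in doc.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        if not isinstance(principal, dict) or set(principal) - {"Service"}:
            # "*" or an AWS/Federated principal would let something other
            # than the intended AWS service assume the role.
            findings.append(f"{role_name}: non-service principal {principal!r}")
            continue
        for svc in _as_list(principal.get("Service")):
            if svc not in expected:
                findings.append(f"{role_name}: unexpected service principal {svc}")
        for act in _as_list(stmt.get("Action")):
            if act.lower() != "sts:assumerole":
                findings.append(f"{role_name}: unexpected action {act}")
    return findings

def audit_instance_profile(profile):
    """Check that the instance profile carries only the node role."""
    roles = {r["RoleName"] for r in profile.get("Roles", [])}
    if roles == {"cdp-liftie-instance-profile"}:
        return []
    return [f"instance profile: unexpected roles {sorted(roles)}"]

# Constructed sample documents (not real API output).
TEMPLATE_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": ["ec2.amazonaws.com"]},
     "Action": ["sts:AssumeRole"]}]}
DRIFTED_TRUST = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Principal": {"Service": "ec2.amazonaws.com"},
     "Action": "sts:AssumeRole"},
    {"Effect": "Allow", "Principal": {"AWS": "arn:aws:iam::111122223333:root"},
     "Action": "sts:AssumeRole"}]}
```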
Next, update the environment role to use the restricted role and policy.