Git-Mirrors/constellation
1
0
Fork 0
mirror of https://github.com/edgelesssys/constellation.git synced 2025-07-28 09:44:08 -04:00
Code Issues Projects Releases Packages Wiki Activity

AWS Docs (#446)

Browse source 
* document AWS support
Signed-off-by: Fabian Kammel <fk@edgeless.systems>
Co-authored-by: Thomas Tendyck <51411342+thomasten@users.noreply.github.com>
Co-authored-by: Moritz Eckert <m1gh7ym0@gmail.com>
Co-authored-by: Leonard Cohnen <lc@edgeless.systems>
This commit is contained in:
Fabian Kammel 2022-11-08 18:21:09 +01:00 committed by GitHub
parent 46e4ddd8c6
commit 598761541b
No known key found for this signature in database
GPG key ID: 4AEE18F83AFDEB23
8 changed files with 297 additions and 3 deletions
Download patch file Download diff file Expand all files Collapse all files

49
docs/docs/getting-started/first-steps.md
View file

@ -1,4 +1,4 @@
# First steps with Constellation
# First steps with Constellation
The following steps guide you through the process of creating a cluster and deploying a sample app. This example assumes that you have successfully [installed and set up Constellation](install.md),
and have access to a cloud subscription.
@ -25,6 +25,13 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
constellation config generate gcp
```
</tabItem>
<tabItem value="aws" label="AWS">
```bash
constellation config generate aws
```
</tabItem>
</tabs>
@ -164,6 +171,46 @@ If you don't have a cloud subscription, check out [MiniConstellation](first-step
Supported are all machines from the N2D family. It defaults to `n2d-standard-4` (4 vCPUs, 16 GB RAM), but you can use any other VMs from the same family. Refer to [N2D machine series](https://cloud.google.com/compute/docs/general-purpose-machines#n2d_machines) or run `constellation config instance-types` to get the list of all supported options.
</tabItem>
<tabItem value="aws" label="AWS">
* **region**: The name of your chosen AWS data center region, e.g., `us-east-2`.
Constellation OS images are currently replicated to the following regions:
* `eu-central-1`
* `us-east-2`
* `ap-south-1`
If you require the OS image to be available in another region, [let us know](https://github.com/edgelesssys/constellation/issues/new?assignees=&labels=&template=feature_request.md&title=Support+new+AWS+image+region:+xx-xxxx-x).
You can find a list of all [regions in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-available-regions).
* **zone**: The name of your chosen AWS data center availability zone, e.g., `us-east-2a`.
Learn more about [availability zones in AWS's documentation](https://docs.aws.amazon.com/AWSEC2/latest/UserGuide/using-regions-availability-zones.html#concepts-availability-zones).
* **image**: The ID of the amazon machine image (AMI) the Constellation nodes will use:
Constellation OS images are available with the following IDs:
| AMI | Region |
| - | - |
| `ami-0e27ebcefc38f648b` | `eu-central-1` |
| `ami-098cd37f66523b7c3` | `us-east-2` |
| `ami-04a87d302e2509aad` | `ap-south-1` |
* **iamProfileControlPlane**: The name of an IAM instance profile attached to all control-plane nodes.
Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `control_plane_instance_profile`.
Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.control_plane_policy`.
* **iamProfileWorkerNodes**: The name of an IAM instance profile attached to all worker nodes.
Use the [provided Terraform script](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam) to generate the necessary profile. The profile name will be provided as Terraform output value: `worker_nodes_instance_profile`.
Alternatively, you can create the AWS profile with a tool of your choice. Use the JSON policy in [main.tf](https://github.com/edgelesssys/constellation/tree/release/v2.2/hack/terraform/aws/iam/main.tf) in the resource `aws_iam_policy.worker_node_policy`.
</tabItem>
</tabs>

152
docs/docs/getting-started/install.md
View file

@ -11,7 +11,7 @@ Make sure the following requirements are met:
- Your machine is running Linux or macOS
- You have admin rights on your machine
- [kubectl](https://kubernetes.io/docs/tasks/tools/) is installed
- Your CSP is Microsoft Azure or Google Cloud Platform (GCP)
- Your CSP is Microsoft Azure, Google Cloud Platform (GCP), or Amazon Web Services (AWS)
## Install the Constellation CLI
@ -132,6 +132,137 @@ You need the following permissions on this project:
Follow Google's guide on [understanding](https://cloud.google.com/iam/docs/understanding-roles) and [assigning roles](https://cloud.google.com/iam/docs/granting-changing-revoking-access).
</tabItem>
<tabItem value="aws" label="AWS">
To set up a Constellation cluster, you need to perform two tasks that require permissions: create the infrastructure and create roles for cluster nodes. Both of these actions can be performed by different users, e.g., an administrator to create roles and a DevOps engineer to create the infrastructure.
To create the AWS IAM policies, your user requires the following minimal set of permissions:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"ec2:DescribeAccountAttributes",
"iam:CreateRole",
"iam:CreatePolicy",
"iam:GetPolicy",
"iam:GetRole",
"iam:GetPolicyVersion",
"iam:ListRolePolicies",
"iam:ListAttachedRolePolicies",
"iam:CreateInstanceProfile",
"iam:AttachRolePolicy",
"iam:GetInstanceProfile",
"iam:AddRoleToInstanceProfile",
"iam:PassRole",
"iam:RemoveRoleFromInstanceProfile",
"iam:DetachRolePolicy",
"iam:DeleteInstanceProfile",
"iam:ListPolicyVersions",
"iam:ListInstanceProfilesForRole",
"iam:DeletePolicy",
"iam:DeleteRole"
],
"Resource": "*"
}
]
}
```
To create the infrastructure, you can either use a predefined role from Amazon,
such as `PowerUserAccess`, or use the following minimal set of permissions:
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"sts:GetCallerIdentity",
"ec2:DescribeAccountAttributes",
"ec2:AllocateAddress",
"ec2:CreateVpc",
"ec2:CreateTags",
"logs:CreateLogGroup",
"ec2:CreateLaunchTemplate",
"ec2:DescribeAddresses",
"ec2:DescribeLaunchTemplates",
"logs:PutRetentionPolicy",
"logs:DescribeLogGroups",
"ec2:DescribeVpcs",
"ec2:DescribeLaunchTemplateVersions",
"logs:ListTagsLogGroup",
"ec2:DescribeVpcClassicLink",
"ec2:DescribeVpcClassicLinkDnsSupport",
"ec2:DescribeVpcAttribute",
"ec2:DescribeNetworkAcls",
"ec2:DescribeRouteTables",
"ec2:DescribeSecurityGroups",
"ec2:CreateSubnet",
"ec2:CreateSecurityGroup",
"elasticloadbalancing:CreateTargetGroup",
"ec2:CreateInternetGateway",
"ec2:DescribeSubnets",
"elasticloadbalancing:DescribeTargetGroups",
"ec2:AttachInternetGateway",
"elasticloadbalancing:ModifyTargetGroupAttributes",
"ec2:DescribeInternetGateways",
"autoscaling:CreateAutoScalingGroup",
"iam:PassRole",
"ec2:CreateNatGateway",
"ec2:RevokeSecurityGroupEgress",
"elasticloadbalancing:DescribeTargetGroupAttributes",
"elasticloadbalancing:CreateLoadBalancer",
"ec2:DescribeNatGateways",
"elasticloadbalancing:DescribeTags",
"autoscaling:DescribeScalingActivities",
"ec2:CreateRouteTable",
"autoscaling:DescribeAutoScalingGroups",
"ec2:AuthorizeSecurityGroupIngress",
"ec2:AuthorizeSecurityGroupEgress",
"ec2:CreateRoute",
"ec2:AssociateRouteTable",
"elasticloadbalancing:DescribeTargetHealth",
"elasticloadbalancing:DescribeLoadBalancers",
"elasticloadbalancing:ModifyLoadBalancerAttributes",
"elasticloadbalancing:AddTags",
"elasticloadbalancing:DescribeLoadBalancerAttributes",
"elasticloadbalancing:CreateListener",
"elasticloadbalancing:DescribeListeners",
"logs:DeleteLogGroup",
"elasticloadbalancing:DeleteListener",
"ec2:DisassociateRouteTable",
"autoscaling:UpdateAutoScalingGroup",
"elasticloadbalancing:DeleteLoadBalancer",
"autoscaling:SetInstanceProtection",
"ec2:DescribeNetworkInterfaces",
"ec2:DeleteRouteTable",
"ec2:DeleteNatGateway",
"ec2:DetachInternetGateway",
"ec2:DisassociateAddress",
"ec2:ReleaseAddress",
"ec2:DeleteInternetGateway",
"ec2:DeleteSubnet",
"autoscaling:DeleteAutoScalingGroup",
"ec2:DeleteLaunchTemplate",
"elasticloadbalancing:DeleteTargetGroup",
"ec2:DeleteSecurityGroup",
"ec2:DeleteVpc"
],
"Resource": "*"
}
]
}
```
Follow Amazon's guide on [understanding](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies.html) and [managing policies](https://docs.aws.amazon.com/IAM/latest/UserGuide/access_policies_managed-vs-inline.html).
</tabItem>
</tabs>
@ -185,6 +316,25 @@ Use one of the following options on a trusted machine:
Follow [Google's guide](https://cloud.google.com/docs/authentication/production#manually) for setting up your credentials.
</tabItem>
<tabItem value="aws" label="AWS">
**Testing**
You can use the [AWS CloudShell](https://console.aws.amazon.com/cloudshell/home). Make sure you are [authorized to use it](https://docs.aws.amazon.com/cloudshell/latest/userguide/sec-auth-with-identities.html).
**Production**
Use the latest version of the [AWS CLI](https://aws.amazon.com/cli/) on a trusted machine:
```bash
aws configure
```
Options and first steps are described in the [AWS CLI documentation](https://docs.aws.amazon.com/cli/index.html).
</tabItem>
</tabs>
## Next steps