Updating the AWS EC2 #1998
Changes from 7 commits
@@ -25,10 +25,13 @@ Use this option to deploy Spinnaker, if you are familar with deployment using [A | |
1. Navigate to [Console](https://console.aws.amazon.com/){:target="\_blank"} > CloudFormation and [select](https://docs.aws.amazon.com/awsconsolehelpdocs/latest/gsg/getting-started.html#select-region) your preferred region. | ||
2. Download [the template](https://d3079gxvs8ayeg.cloudfront.net/templates/managing.yaml) locally to your workstation. | ||
|
||
2.a (Optional). Add additional managed account as shown on line 158 in the SpinnakerAssumeRolePolicy section of the downloaded template file. | ||
3. Creating the CloudFormation Stack | ||
2.a Search for ‘SpinnakerInstanceProfileArn’ and comment out the line. | ||
|
||
2.b (Optional). Add additional managed account as shown on line 158 in the SpinnakerAssumeRolePolicy section of the downloaded template file. | ||
|
||
3. Create the CloudFormation Stack: | ||
* __Create Stack__ > __Upload a template to Amazon S3__ > __Browse to template you downloaded in Step-2 above__ > __Next__ | ||
* Enter __Stack Name__ as spinnaker-**managing**-infrastructure-setup and follow the prompts on screen to create the stack | ||
* Enter __Stack Name__ as spinnaker-**managing**-infrastructure-setup and follow the prompts on screen to create the stack. | ||
* From the dropdown select **‘UseAccessKeyForAuthentication’** as True to get the Access and Secret Key. | ||
Does this also assume Spinnaker is deployed on EKS?

For managing accounts, we need access and secret keys. In the CLI, by default the instruction is provided to keep it true, whereas in the manual no instructions are provided for authentication purposes. Again, this was validated on Spinnaker being deployed on all Kubernetes platforms.

But this is not needed if Spinnaker is deployed directly to EC2 (not on Kubernetes). Option 2 below more clearly states the options for the UseAccessKeyForAuthentication option. So this should be something like:

For a localdebian Spinnaker or distributed Spinnaker, if we need Halyard to access AWS to bake, create instances or anything, IAM roles and user access are mandatory. Which means access and secret keys are needed.

The SpinnakerManaged role is required, but the EC2 instance profile can be used by Spinnaker to assume the SpinnakerManaged role in the case of a localdebian install on EC2. User access keys are not required in that case.
||
4. Once the stack is select the stack you created in Step-3 > Outputs and note the values. You will need these values for subsequent configurations. | ||
|
||
|
||
|
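Review bot: step 2.a tells the reader to comment out the `SpinnakerInstanceProfileArn` line without saying why, and the discussion at the bottom of this page attributes the symptom to a template bug that has since been fixed (#2020), so this step should be dropped or, if it must stay, labelled as a temporary workaround with the error it avoids. The added bullet `* From the dropdown select **'UseAccessKeyForAuthentication'** as True to get the Access and Secret Key.` reads as mandatory, but the next section documents IAM roles as an alternative to static keys; phrase it as a choice (True only when Spinnaker will authenticate with an access key rather than an instance profile or role) so readers on EC2 are not steered into creating long-lived credentials they do not need. Also, 2.b still points at "line 158", a fixed line number that will drift as the hosted template changes; refer to the SpinnakerAssumeRolePolicy section by name instead.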
@@ -93,6 +96,25 @@ Option number 1 is useful for creation of user with AWS Access Key and secret. T | |
2. Using AWS IAM Roles | ||
Option 2 uses the IAM roles *ManagingRole* and *ManagedRoles*. This setting is applied on some environments that have extra security considerations. | ||
|
||
### Spinaker AssumeRole Policy | ||
1. Incase, if you miss to add append the Line 158, then Manually create a Policy by Navigating to **Console > IAM > Policies**. | ||
I saw your response to this before, @anooptejt. Sorry, I'm still not getting it. Or, under what circumstances exactly would I manually create a policy?

This manual policy we can add as troubleshooting. I have noticed Clouddriver was not starting up as expected. Hence, I have manually created a policy and checked it out. It worked like a charm. So I would recommend adding this as a troubleshooting item. Please suggest in case of any other thoughts.

I'll let @clareliguori weigh in on this, for technical input, then I'll look at the wording. Thanks, @anooptejt!

It would be better to have instructions on how to add a new managed account post-stack-creation by adding it to the template in the SpinnakerAssumeRolePolicy section and then updating the existing CloudFormation stack.

In the CloudFormation template there is already a section to add the SpinnakerAssumeRolePolicy. However, for some weird reason that doesn't make any updates in AWS. Which is why I have added this section explicitly in the document. Which would make it easier for users to enable AWS with Spinnaker.

Can you provide repro steps where adding a new account to the list in the SpinnakerAssumeRolePolicy section in the template does not cause updates in AWS?

Search for SpinnakerAssumeRolePolicy in the managing.yaml: arn:aws:iam::YOUR_MANAGED_ACCOUNT1:role/spinnakerManaged

I tried to reproduce with the following steps, but I wasn't able to - it worked as expected:
|
||
2. Click on **Create New Policy**, then click on **JSON** and add the code shown below. | ||
3. Name the policy “Spinnaker AssumeRole Policy” | ||
|
||
|
||
```JSON | ||
{ | ||
"Version": "2012-10-17", | ||
"Statement": [{ | ||
"Action": "sts:AssumeRole", | ||
"Resource": [ | ||
"arn:aws:iam::<AWS Account ID>:role/spinnakerManaged", | ||
"arn:aws:iam::<AWS Account ID>:role/spinnakerManaged" | ||
], | ||
"Effect": "Allow" | ||
}] | ||
} | ||
``` | ||
|
||
## Halyard Configurations | ||
After the AWS IAM user, roles, policies and trust relationship have been set up, the next step is to add the AWS configurations to Spinnaker via Halyard CLI: | ||
|
||
|
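Review bot: the policy JSON lists the identical placeholder `"arn:aws:iam::<AWS Account ID>:role/spinnakerManaged"` twice, so a reader who pastes it gets one duplicated entry rather than two managed accounts; use distinct placeholders such as `<MANAGED_ACCOUNT_1_ID>` and `<MANAGED_ACCOUNT_2_ID>`, matching the `YOUR_MANAGED_ACCOUNT1` style the template itself uses. The steps also never say which principal the new policy must be attached to (the managing role or the IAM user the stack created); until it is attached, the `sts:AssumeRole` grant does nothing, so add an attach step. Because the stack already owns a `SpinnakerAssumeRolePolicy`, a hand-made copy lives outside CloudFormation's state and will not be updated or removed with the stack; the doc should prefer editing the template and updating the stack, and present the manual policy as a troubleshooting fallback, as the thread above suggests. Minor: `Spinaker` in the heading, and `Incase, if you miss to add append the Line 158` should read `If you did not append the account in the SpinnakerAssumeRolePolicy section`.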
@@ -106,7 +128,9 @@ After the AWS IAM user, roles, policies and trust relationship have been set up, | |
|
||
```bash | ||
hal config provider aws edit --access-key-id ${ACCESS_KEY_ID} \ | ||
--secret-access-key # do not supply the key here, you will be prompted | ||
--secret-access-key # do not supply the key here, you will be prompted | ||
hal config provider aws bakery edit --aws-access-key ${ACCESS_KEY_ID} \ | ||
--aws-secret-key # do not supply the key here, you will be prompted | ||
``` | ||
|
||
### Configure Halyard to add AWS Accounts | ||
|
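Review bot: the line `--secret-access-key # do not supply the key here, you will be prompted` now appears twice in the bash block. Only the first copy is joined to the `hal config provider aws edit` command by the trailing `\` on the `--access-key-id` line; the second has no continuation before it and would run as a separate command, so keep a single copy. It would also help to state that this block is the access-key variant (Option 1 above) and that readers on the IAM-role option (Option 2) configure the provider without these key flags.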
Why does this line get commented out? Is this assuming Spinnaker is deployed on EKS?
This is asked to be commented because this ARN is restricting Clouddriver from loading the AWS account, as Clouddriver couldn't authenticate the AWS credentials. I have tested these on EKS, AKS, GKE and vanilla K8s clusters. Worked perfectly fine.
Can you provide the error message you were seeing? I'm not understanding why commenting out an output value in the CloudFormation stack would prevent CloudDriver from loading the account.
Apologies if I had caused any confusion here when I mean "comment out". I actually want the 'SpinnakerInstanceProfileArn' to be commented. I don't have the exception handy right now; I will have to do the setup again. Need some time for that.
I just tried, I believe it's probably this error, which is a bug in the template.
@dorbin I know at some point, the template source was in this github repo, and at some point it was taken out and replaced by a CloudFront link (#926). I'm not sure what the reasoning was, but ideally the community would be able to own and contribute to the template (and fix bugs like this). What do you think of moving it back into this repo? Would it go in the "downloads" folder?
Yeah, I don't know why those templates were deleted from here, and whether/where they were moved to.
@anshrma and @edwinavalos , I don't know if either of you remember the PR Clare has linked (#926 ), but feel free to chime in.
Failing that, as far as I'm concerned, if it fixes the problem to add them back where they were, and doesn't break whatever Anuj and Edwin were trying to do in that PR, please do put them back in. I don't have an opinion on whether they should go back where they were or in the downloads folder; you can probably assess better than I can which is the safer option. @plumpy FYI
Also, @brian-armory and @aimeeu FYI, w/r/t the migration to the new repo.
The template bug is now fixed as #2020, so this change can be reverted @anooptejt