remove Vintage code and add CF templates for capa resources (#97)

* Add CF templates for CAPA clusters

* Remove Vintage and provide CF templates as an setup alternative

* Simplify process

* Address Vaclav comments

* Add bucket URL

* Apply suggestions from code review

README.md

@@ -1,155 +1,111 @@
 # giantswarm-aws-account-prerequisites
 
-This repo contains Terraform modules to prepare AWS accounts to run Giant Swarm
-clusters.
+This repo contains Cloud Formation templates and Terraform modules to prepare AWS accounts to run Giant Swarm clusters.
 
 # Cluster API
+
 ## Before starting
-Make sure to adjust AWS account limits according to [these
-docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits). 
 
-For Cluster API take a look at theese three modules in this repository:
-1. [admin-role](./admin-role) which creates a role and a policy for our
-   staff to be able to operate the infrastructure created by our automation in
-   case of failures.
-3. [capa-controller-role](./capa-controller-role) which creates
-   the role and policies that the controllers assume to create and manage the kubernetes clusters.
+Make sure to adjust AWS account limits according to [these docs](https://docs.giantswarm.io/getting-started/cloud-provider-accounts/cluster-api/aws/#limits).
 
-## 1. admin-role
+For Cluster API take a look at these two modules in this repository:
 
-For all AWS accounts part of the platform, does not matter if they are for
-management or workload clusters, we need to have access in order to debug and
-manage and operate the infrastructure. To do so, please run this module in the target
-account:
+1. [admin-role](./admin-role) which creates a role and a policy for our staff to be able to operate the infrastructure created by our automation in case of failures.
+2. [capa-controller-role](./capa-controller-role) which creates the role and policies that the controllers assume to create and manage the kubernetes clusters.
 
-```hcl
-module "giantswarm-cp-prereqs" {
-  source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites/admin-role"
-}
+## 1. admin-role
 
-output "giantswarm-admin-role" {
-  value = "${module.giantswarm-cp-prereqs.giantswarm-admin-role}"
-}
-```
+For all AWS accounts part of the platform  Giant Swarm staff need to have access in order to debug and
+manage and operate the infrastructure. To do so, please use one of the following methods to create the necessary role and policy in your AWS account.
 
-The created role and policy name is `GiantSwarmAdmin`.
+### AWS CloudFormation template
 
-The created role ARN needs to be supplied to Giant Swarm.
+You can execute the CloudFormation template directly by clicking [the admin role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/admin-role/cloud-formation-template.yaml&stackName=GiantSwarmAdminRoleBootstrap&&param_AdminRoleName=GiantSwarmAdmin) or uploading the [template file](./admin-role/cloud-formation-template.yaml) when creating a new stack in the AWS console.
 
-## 2. capa-controller-role
-Please read the [README.md](./capa-controller-role/README.md) of the capa-controller-role module.
+You will be asked for the following parameters:
 
+- `AdminRoleName`: The name of the role that will be created. Default is `GiantSwarmAdmin`. You dont need to change this unless you have a specific requirement.
 
-# Vintage
-## Before starting
+Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff.
 
-Make sure to adjust AWS account limits according to [these
-docs](https://docs.giantswarm.io/guides/prepare-aws-account-for-tenant-clusters/#limits).
+### Terraform
 
-For Vintage take a look at theese three modules in this repository:
+#### Requirements
 
-1. [admin-role](./admin-role) which creates a role and a policy for our
-   staff to be able to operate the infrastructure created by our automation in
-   case of failures.
-2. [aws-operator-user](./aws-operator-user) which creates a user and its policy
-   to be used for our automation to manage the infrastructure.
-3. [aws-operator-role](./aws-operator-role) which creates
-   the role and policy to be assumed for the automation user to create and manage
-   resources.
+- `terraform` installed
+- working AWS credentials set to the desired target account
+- AWS region has to be set  either via aws profile or via env `AWS_REGION`
 
-## 1. admin-role
+### Adjust variables
 
-For all AWS accounts part of the platform, does not matter if they are for
-control plane or tenant clusters, we need to have access in order to debug and
-operator the infrastructure. To do so, please run this module in the target
-account:
+- `admin_role_name` - can be adjusted to be more strict and specify role name. You dent need to change this unless you have a specific requirement.
 
-```hcl
-module "giantswarm-cp-prereqs" {
-  source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//admin-role"
-}
+### Execution
 
-output "giantswarm-admin-role" {
-  value = "${module.giantswarm-cp-prereqs.giantswarm-admin-role}"
-}
 ```
-
-The created role and policy name is `GiantSwarmAdmin`.
+terraform init .
+terraform apply -var="admin_role_name=GiantSwarmAdmin
+```
 
 The created role ARN needs to be supplied to Giant Swarm.
 
-## 2. aws-operator-user
+## 2. capa-controller-role
+
+In the AWS account where you plan to run the management cluster, you need to create a role that the Cluster API controllers will assume to create and manage workload clusters and all infrastructure resources.
 
-Giant Swarm needs a IAM user to be used for the automation in AWS some account.
-This is usually the Control Plane AWS account but it doesn't have to. To do so,
-please run this module in the target account:
+### AWS CloudFormation template
 
-```hcl
-module "giantswarm-cp-prereqs" {
-  source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//aws-operator-user"
-}
+You can execute directly the CloudFormation template by clocking the [capa controller role stack template](https://eu-central-1.console.aws.amazon.com/cloudformation/home?region=eu-central-1#/stacks/quickcreate?templateURL=https://cf-templates-giantswarm.s3.eu-central-1.amazonaws.com/capa-controller-role/cloud-formation-template.yaml&stackName=CAPAControllerRoleBootstrap&param_InstallationName=CHANGE_THIS_FOR_THE_INSTALLATION_NAME&param_ManagementClusterAccountID=MANAGEMENT_CLUSTER_ACCOUNT_ID) or uploading the [template file](./capa-controller-role/cloud-formation-template.yaml) when creating a new stack in the AWS console.
 
-output "user-access-key-id" {
-  value = "${module.giantswarm-cp-prereqs.user-access-key-id}"
-}
+You will be asked for the following parameters:
 
-output "user-access-key-secret" {
-  value = "${module.giantswarm-cp-prereqs.user-access-key-secret}"
-}
-```
+- `InstallationName`: The name of the installation which you have agreed with Giant Swarm upfront.
+- `ManagementClusterAccountID`: The account ID of the management cluster account. This is the account where the management cluster will be running.
 
-The created user name is `GiantSwarmAWSOperator` and its policy name is
-`GiantSwarmUserAWSOperator`.
+Review the changes and click `Create stack`. In case of any error, please check the `Events` tab in the CloudFormation console and report the error to the Giant Swarm staff.
 
-Get the access key ID and secret from the output - these must be provided to Giant Swarm.
+### Terraform
 
-When `sensitive = true` in output.tf, the secret value will be redacted. You can however 
-find it directly from the state file by running:
+#### Requirements
 
-```bash
-cat terraform.tfstate | grep secret
-```
+- `terraform` installed
+- working AWS credentials set to the desired target account
+- AWS region has to be set  either via aws profile or via env `AWS_REGION`
+
+### Adjust variables
+
+- `management_cluster_account_id` - the account id of the management cluster account.
+- `installation_name` - the name of the installation which you have agreed with Giant Swarm upfront.
+
+### Execution
 
-**Note:** as the access key ID and secret are output in plaintext, they will
-also be included in your Terraform state file. Please take this into
-consideration when using this module. If this isn't acceptable then it is
-possible to encrypt the secret using a [PGP key, or a keybase
-user](https://www.terraform.io/docs/providers/aws/r/iam_access_key.html#pgp_key)
-
-## 3. aws-operator-role
-
-Now, for the Control Plane account and each AWS Tenant account you need to run
-this module to enable our automation to assume the role in order to manage all
-clusters resources.
-
-You will need to provide the `main_account_id` which is the AWS account ID where
-`GiantSwarmAWSOperator` user was created (using `aws-operator-user` module) and
-`target_account_id` which is the AWS account ID of provisioned Control Plane or
-Tenant Cluster AWS account.
-
-```hcl
-module "giantswarm-tc-prereqs" {
-  source = "git@github.com:giantswarm/giantswarm-aws-account-prerequisites//aws-operator-role"
-  main_account_id = "111111111111"   # Account with GiantSwarmAWSOperator user.
-  target_account_id = "22222222222"  # Account to create role in.
-}
-
-output "aws-operator-role-arn" {
-  value = "${module.giantswarm-tc-prereqs.aws-operator-role}"
-}
+```
+terraform init .
+terraform apply -var="installation_name=test"
 ```
 
-The role and policy name is `GiantSwarmAWSOperator`.
+## AWS cli
 
-The AWS Operator Role ARN needs to be supplied to Giant Swarm.
+### Requirements
 
-## Adding new Tenant Cluster account
+- `awscli` installed
+- `jq` installed
+- working AWS credentials set to the desired target account
+- located on the `capa-controller-role` directory of this git repo
+- user `${INSTALLATION}-capa-controller` created in GiantSwarm root account `084190472784`
 
-In case you are adding a new organization that runs in a new AWS Account, you
-need to apply step `1` and `3`. With the outputs you can run this `gsctl`
-command to setup the new configuration.
+### Setup
 
-`gsctl update organization set-credentials --aws-operator-role $(terraform output aws-operator-role) --aws-admin-role $(terraform output giantswarm-admin-role)`
+```
+export INSTALLATION_NAME=test
+chmod +x setup.sh
+./setup.sh
+```
 
-It is explained here.
-https://docs.giantswarm.io/guides/prepare-aws-account-for-tenant-clusters/#configure-org
+### Cleanup
+
+```
+export INSTALLATION_NAME=test
+chmod +x cleanup.sh
+./cleanup.sh
+```

admin-role/cloud-formation-template.yaml

@@ -0,0 +1,95 @@
+AWSTemplateFormatVersion: '2010-09-09'
+Description: CloudFormation template for bootstrapping the admin role in your AWS account.
+
+Parameters:
+  AdminRoleName:
+    Type: String
+    Default: "GiantSwarmAdmin"
+
+Resources:
+  GiantSwarmAdminRole:
+    Type: "AWS::IAM::Role"
+    Properties:
+      RoleName: !Ref AdminRoleName
+      AssumeRolePolicyDocument:
+        Version: '2012-10-17'
+        Statement:
+          - Effect: "Allow"
+            Principal:
+              AWS: "arn:aws:iam::084190472784:root"
+            Action: "sts:AssumeRole"
+
+  GiantSwarmAdminPolicy:
+    Type: "AWS::IAM::Policy"
+    Properties:
+      PolicyName: "GiantSwarmAdmin"
+      PolicyDocument:
+        Version: "2012-10-17"
+        Statement:
+          - Effect: "Allow"
+            Action:
+              - "acm:*"
+              - "autoscaling:*"
+              - "cloudformation:*"
+              - "cloudfront:*"
+              - "cloudwatch:*"
+              - "dynamodb:*"
+              - "ec2:*"
+              - "ecr:*"
+              - "elasticfilesystem:*"
+              - "elasticloadbalancing:*"
+              - "events:*"
+              - "ram:*"
+              - "iam:AddRoleToInstanceProfile"
+              - "iam:AttachRolePolicy"
+              - "iam:CreateAccessKey"
+              - "iam:CreateInstanceProfile"
+              - "iam:CreatePolicy"
+              - "iam:CreatePolicyVersion"
+              - "iam:CreateRole"
+              - "iam:CreateServiceLinkedRole"
+              - "iam:DeleteAccessKey"
+              - "iam:DeleteInstanceProfile"
+              - "iam:DeletePolicy"
+              - "iam:DeletePolicyVersion"
+              - "iam:DeleteRole"
+              - "iam:DeleteRolePolicy"
+              - "iam:DeleteServiceLinkedRole"
+              - "iam:DetachRolePolicy"
+              - "iam:GenerateServiceLastAccessedDetails"
+              - "iam:Get*"
+              - "iam:List*"
+              - "iam:PassRole"
+              - "iam:PutRolePolicy"
+              - "iam:RemoveRoleFromInstanceProfile"
+              - "iam:TagRole"
+              - "iam:UpdateAccessKey"
+              - "iam:UpdateAssumeRolePolicy"
+              - "iam:UpdateRoleDescription"
+              - "kms:*"
+              - "logs:*"
+              - "route53:*"
+              - "route53domains:*"
+              - "route53resolver:*"
+              - "s3:*"
+              - "sts:AssumeRole"
+              - "sts:DecodeAuthorizationMessage"
+              - "sts:GetFederationToken"
+              - "support:*"
+              - "trustedadvisor:*"
+              - "sqs:*"
+              - "iam:CreateOpenIDConnectProvider"
+              - "iam:DeleteOpenIDConnectProvider"
+              - "iam:TagOpenIDConnectProvider"
+              - "iam:UntagOpenIDConnectProvider"
+              - "iam:UpdateOpenIDConnectProviderThumbprint"
+              - "iam:RemoveClientIDFromOpenIDConnectProvider"
+              - "iam:AddClientIDToOpenIDConnectProvider"
+            Resource: "*"
+      Roles:
+        - !Ref GiantSwarmAdminRole
+
+Outputs:
+  GiantSwarmAdminRoleArn:
+    Description: "The ARN of the IAM role"
+    Value: !GetAtt GiantSwarmAdminRole.Arn

admin-role/iam-giantswarm-cp.tf

@@ -9,7 +9,7 @@ data "aws_iam_policy_document" "giantswarm-admin" {
 
     principals {
       type        = "AWS"
-      identifiers = var.principal_arns_giantswarm_root_account
+      identifiers = "arn:aws:iam::084190472784:root"
     }
 
     actions = ["sts:AssumeRole"]

admin-role/variables.tf

@@ -1,9 +1,3 @@
-variable "principal_arns_giantswarm_root_account" {
-  type        = list(string)
-  description = "ARNs of accounts, groups, or users with the ability to assume this role."
-  default =["arn:aws:iam::084190472784:root"]
-}
-
 variable "admin_role_name" {
   type    = string
   default = "GiantSwarmAdmin"