OSDOCS-6652 AWS shared private hosted zones

[bscott-rh]

Version(s):
4.14

Issue:
https://issues.redhat.com/browse/OSDOCS-6652

Link to docs preview:
https://64114--docspreview.netlify.app/openshift-enterprise/latest/installing/installing_aws/installing-aws-vpc#installation-custom-aws-vpc-requirements_installing-aws-vpc

QE review:

• QE has approved this change.

[ocpdocs-previewbot]

🤖 Updated build preview is available at:
https://64114--docspreview.netlify.app

Build log: https://circleci.com/gh/ocpdocs-previewbot/openshift-docs/29320

[bscott-rh]

@yunjiang29 PTAL at this PR modifying the AWS "existing VPC" documentation to account for the shared private hosted zone feature for AWS. Thank you

[yunjiang29]

@bscott-rh Some notable info for your reference:

Restriction for Shared-VPC install:

• Only Manual and Passthrough mode are supported

For Cluster owner’s account (Account-B)

• sts:AssumeRole is required for Shared-VPC install OCPBUGS-17751

For VPC&PHZ owner's account (Account-A)

• The PHZ is associated with VPC.
• The subnets are shared with Account-B
• The Principal of trust policy for shared-vpc role:
  • if Passthrough is used, cluster creator's ARN (e.g. arn:aws:iam::123456789012:user/clustercreator) is required.
  • if Manual is used, cluster creator's ARN and ingress operator role's ARN (e.g. arn:aws:iam::123456789012:role/<cluster-name>-openshift-ingress-operator-cloud-credentials) are required.
• The policy for shared-vpc role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:GetAccountLimit",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListTagsForResource",
                "route53:UpdateHostedZoneComment",
                "tag:GetResources",
                "tag:UntagResources"
            ],
            "Resource": "*"
        }
    ]
}

[bscott-rh]

@bscott-rh Some notable info for your reference:

Restriction for Shared-VPC install:

* Only `Manual` and `Passthrough` mode are supported

For Cluster owner’s account (Account-B)

* `sts:AssumeRole` is required for Shared-VPC install [OCPBUGS-17751](https://issues.redhat.com/browse/OCPBUGS-17751)

For VPC&PHZ owner's account (Account-A)

* The PHZ is associated with VPC.

* The subnets are shared with Account-B

* The `Principal` of trust policy for shared-vpc role:
  
  * if `Passthrough` is used, cluster creator's ARN (e.g. `arn:aws:iam::123456789012:user/clustercreator`) is required.
  * if `Manual` is used, cluster creator's ARN and ingress operator role's ARN (e.g. `arn:aws:iam::123456789012:role/<cluster-name>-openshift-ingress-operator-cloud-credentials`) are required.

* The policy for shared-vpc role

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "route53:ChangeResourceRecordSets",
                "route53:ListHostedZones",
                "route53:ListHostedZonesByName",
                "route53:ListResourceRecordSets",
                "route53:ChangeTagsForResource",
                "route53:GetAccountLimit",
                "route53:GetChange",
                "route53:GetHostedZone",
                "route53:ListTagsForResource",
                "route53:UpdateHostedZoneComment",
                "tag:GetResources",
                "tag:UntagResources"
            ],
            "Resource": "*"
        }
    ]
}

Thanks Yunfei, I have updated the PR to 1) Add the permissions information to the account page 2) add the extra information about the credentials modes and 3) add a new module to the account page describing the trust policy modifications. Please let me know if what I've written makes sense as I am not an AWS expert :)

[yunjiang29]

@bscott-rh thank you for the updates, I added some comments, let me know if there is anything unclear.

[yunjiang29]

1. The platform.aws.hostedZoneRole is designed for Shared VPC scenario, and in the account configuration section, we used word shared VPC, I would suggest to mention shared VPC in this part, to correspond to the former.

2. As my comment, I think we can move trust policy and permission content to here.

[bscott-rh]

Good point, I've made that addition.

[patrickdillon]

LGTM except the one small comment

[yunjiang29]

@bscott-rh looks good to me, just need a small update.

[jldohmann]

Nice job Ben! generally LGTM, some ISG nits below

[bscott-rh]

/cherrypick enterprise-4.14

[openshift-cherrypick-robot]

@bscott-rh: new pull request created: #66667

Details

In response to this:

/cherrypick enterprise-4.14

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.