Pre-requisites - AWS (4.1)
For details on compatible versions, refer to https://infozone.atlassian.net/wiki/x/owDKCg.
AWS Specific Tools
The following AWS-specific tools must be installed locally:
AWS CLI: The AWS command line interface.
Installation instructions: https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html
eksctl: The Amazon EKS command line interface.
Installation instructions: https://eksctl.io/installation/
Minimum IAM Policy
To follow the installation guide, the user who performs the installation must be granted the minimum permissions needed to provision AWS resources.
You do not need to set up the following if the user who performs the installation has the AdministratorAccess policy.
As a best practice, it is preferable to set up a minimum IAM policy for the user who performs the installation.
For IAM user creation, refer to the AWS documentation: https://docs.aws.amazon.com/IAM/latest/UserGuide/id_users_create.html.
The following table contains the policies required by the application.
Application | IAM Policies |
---|---|
eksctl | |
Terraform | {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "sts:GetCallerIdentity",
        "ec2:DescribeVpcAttribute",
        "ec2:DescribeSecurityGroups",
        "ec2:DescribeInternetGateways",
        "ec2:DescribeAvailabilityZones",
        "ec2:DescribeVpcs",
        "ec2:DescribeAccountAttributes",
        "ec2:DescribeSubnets",
        "rds:AddTagsToResource",
        "rds:ListTagsForResource",
        "rds:CreateDBInstance",
        "rds:CreateDBSubnetGroup",
        "rds:DeleteDBSubnetGroup",
        "rds:DeleteDBInstance",
        "rds:ModifyDBInstance",
        "ec2:Describe*",
        "rds:Describe*",
        "rds:CreateDBParameterGroup",
        "rds:ModifyDBParameterGroup",
        "rds:DeleteDBParameterGroup",
        "rds:CreateOptionGroup",
        "rds:ModifyOptionGroup",
        "rds:DeleteOptionGroup"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "route53:GetHostedZone",
        "route53:CreateHostedZone",
        "route53:ListHostedZones",
        "route53:ChangeTagsForResource",
        "route53:ChangeResourceRecordSets",
        "route53:ListResourceRecordSets",
        "route53:GetChange",
        "route53:ListTagsForResource",
        "route53:GetDNSSEC",
        "route53:DeleteHostedZone"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "acm:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "kms:*"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "elasticfilesystem:Describe*",
        "elasticfilesystem:DeleteAccessPoint",
        "elasticfilesystem:CreateMountTarget",
        "elasticfilesystem:CreateFileSystem",
        "elasticfilesystem:ListTagsForResource",
        "elasticfilesystem:DeleteMountTarget",
        "elasticfilesystem:CreateAccessPoint",
        "elasticfilesystem:DeleteFileSystem",
        "elasticfilesystem:TagResource",
        "elasticfilesystem:UpdateFileSystem"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "ssm:Describe*",
        "ssm:GetParameter*",
        "ssm:ListTagsForResource",
        "ssm:PutParameter",
        "ssm:DeleteParameter*",
        "ssm:AddTagsToResource"
      ],
      "Resource": "*"
    },
    {
      "Action": "iam:CreateServiceLinkedRole",
      "Effect": "Allow",
      "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
      "Condition": {
        "StringLike": {
          "iam:AWSServiceName": "rds.amazonaws.com"
        }
      }
    }
  ]
} |
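An added example, not part of the original page or of any vendor tooling: a small Python check that reads a policy document such as the Terraform one above and reports statements allowing every action of a service on all resources with no Condition, plus explicit actions already covered by a wildcard in the same statement. The embedded policy is a constructed excerpt of the table's policy, and the function and finding names are hypothetical.

```python
import json
from fnmatch import fnmatchcase

# Constructed excerpt: four statements trimmed from the Terraform policy above.
POLICY = json.loads("""
{"Version": "2012-10-17", "Statement": [
  {"Effect": "Allow", "Resource": "*",
   "Action": ["ec2:DescribeVpcs", "ec2:Describe*", "rds:CreateDBInstance"]},
  {"Effect": "Allow", "Action": ["acm:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": ["kms:*"], "Resource": "*"},
  {"Effect": "Allow", "Action": "iam:CreateServiceLinkedRole",
   "Resource": "arn:aws:iam::*:role/aws-service-role/rds.amazonaws.com/AWSServiceRoleForRDS",
   "Condition": {"StringLike": {"iam:AWSServiceName": "rds.amazonaws.com"}}}
]}
""")


def as_list(value):
    """IAM allows a bare string or a list for Action, Resource and Statement."""
    return value if isinstance(value, list) else [value]


def audit(policy):
    """Return sorted (statement_index, finding, action) tuples (hypothetical names)."""
    findings = set()
    for idx, stmt in enumerate(as_list(policy["Statement"])):
        if stmt.get("Effect") != "Allow" or "Action" not in stmt:
            continue
        # IAM action names are case-insensitive, so compare in lower case.
        actions = [a.lower() for a in as_list(stmt["Action"])]
        all_resources = "*" in as_list(stmt.get("Resource", []))
        for action in actions:
            # Every action of a service, on every resource, with no Condition to narrow it.
            if action.endswith(":*") or action == "*":
                if all_resources and "Condition" not in stmt:
                    findings.add((idx, "service-wildcard", action))
            # Explicit action that a wildcard pattern in the same statement already grants.
            elif "*" not in action and any(
                "*" in pat and fnmatchcase(action, pat) for pat in actions
            ):
                findings.add((idx, "redundant", action))
    return sorted(findings)


if __name__ == "__main__":
    for idx, finding, action in audit(POLICY):
        print(f"statement {idx}: {finding}: {action}")
```

To review the full policy, save the JSON from the table to a file and pass `json.load(open(path))` to `audit`; a `service-wildcard` finding marks a statement to narrow by action list, resource ARN, or Condition.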