This repository was archived by the owner on Jul 10, 2021. It is now read-only.

docs(aws): AWS EC2 provider instructions, diagram and code for manual AWS IAM set up.#1996

Merged
dorbin merged 34 commits intospinnaker:masterfrom
aleon1220:patch-1
Sep 18, 2020

Conversation

@aleon1220 aleon1220 commented Aug 7, 2020

Something happened in [PR1964](spinnaker#1964); I am re-doing the changes and re-committing them.
Please help @dorbin @brian-armory
@dorbin dorbin left a comment

@aleon1220 thanks for re-doing this!

I've left some suggestions. Sorry if some of them are repetitive.

@dorbin dorbin left a comment

@aleon1220 Oops, looks like I responded some days ago but didn't submit my review. Looks like just the one comment about linking.

Andres Leon-Rangel added 3 commits August 21, 2020 16:49
the instructions allow Spinnaker operators to
deploy to AWS Accounts develop and staging.
arranged the wording of the instructions.
The example shows an architecture with 3 AWS accounts
1 Spinnaker Managing where Spinnaker Lives
2 develop
3 staging
@aleon1220 aleon1220 changed the title branch patch from PR1964. AWS EC2 provider branch patch from PR1964. AWS EC2 provider instructions, diagram and code for manual AWS IAM set up. Aug 21, 2020
@aleon1220
Hello, @dorbin
I have added enough detail to make the AWS EC2 provider work. I added an example all throughout the instructions to make it simple to understand. I also added a diagram in .svg format, based on the .drawio diagram done by @anshrma back in 2018. These instructions work in AWS, as this is what I have working. It was based on documentation and experience found throughout the community. Thanks to Armory for writing a wonderful guide on the AWS provider. They have instructions for set up with Halyard and Operator.

Many of the new links are not working because they are not created yet, but in general terms I checked this page after running it locally in my Docker container dev set up.

@aleon1220
@dorbin Hi Dave, I have added details for the EC2 provider. By using it with these instructions one can successfully deploy instances to EC2. It is a big change because I think this document was not updated much. In summary there are 3 options to set up the AWS IAM structure for Spinnaker:
1. AWS CF templates (this doesn't work)
2. AWS CLI to deploy the CF templates (this doesn't work)
3. Set up AWS IAM manually. These are the instructions I am contributing. It has been tested 4 times in my environments. It works but it requires many steps. I used an example to make it simple to understand and relate.

dorbin commented Aug 22, 2020

@brian-armory can you take a look at this when you get a chance? I'm not on AWS, so I can't test these instrux. Thanks!

@dorbin dorbin requested a review from 317brian August 22, 2020 17:19
317brian commented Sep 1, 2020

Hi @aleon1220, I've scheduled time for myself to work on this during this sprint (this week and next). Sorry for the delay.

@aleon1220
> Hi @aleon1220, I've scheduled time for myself to work on this during this sprint (this week and next). Sorry for the delay.

Thanks Brian. I am still preparing my AWS personal account to test this and record a short video. Other than that. Thanks for your review.

@aleon1220 aleon1220 requested a review from dorbin September 3, 2020 01:58
@dorbin dorbin left a comment

Hi, @aleon1220 . A few more suggestions. Also, it looks like you've got a conflict in one of the files.

{% include toc %}

> :warning: These instructions are out-of-date and a new version is being
> :warning: These instructions were updated to manually set up the AWS provider with [Option-3](#option-3--configure-with-aws-iam-console) on **2020-08-22**. <br>
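Review bot: the first warning line stops mid-sentence ("a new version is being"); if it is the line being replaced, it should be removed rather than left above the new notice, and the new notice should read more naturally with the date before the option.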
Suggested change
> :warning: These instructions were updated to manually set up the AWS provider with [Option-3](#option-3--configure-with-aws-iam-console) on **2020-08-22**. <br>
> :warning: These instructions were updated, on **2020-08-22**, to manually set up the AWS provider with [Option-3](#option-3--configure-with-aws-iam-console). <br>

Great suggestion

Co-authored-by: Dave Dorbin <ddorbin@google.com>
@aleon1220
> Hi, @aleon1220 . A few more suggestions. Also, it looks like you've got a conflict in one of the files.

Sadly yes. This PR has been here for a while. Maybe someone updated the page. I don't understand. This AWS provider really needs some attention.

simple and concise. Thanks

Co-authored-by: Dave Dorbin <ddorbin@google.com>
aleon1220 and others added 2 commits September 4, 2020 10:08
grammar fix.

Co-authored-by: Dave Dorbin <ddorbin@google.com>
grammar fix

Co-authored-by: Dave Dorbin <ddorbin@google.com>
@317brian 317brian changed the title branch patch from PR1964. AWS EC2 provider instructions, diagram and code for manual AWS IAM set up. docs(aws): AWS EC2 provider instructions, diagram and code for manual AWS IAM set up. Sep 11, 2020
@aleon1220 aleon1220 requested a review from 317brian September 16, 2020 01:03
@aleon1220
@brian-armory Hi Brian, Thanks for all the help. I have improved the doc based on your suggestions. I have been keeping this branch updated. Would you like to do a review?

@317brian 317brian left a comment

LGTM. Thanks for all your hard work on this @aleon1220. I pushed a commit to fix some indenting on lines 214-16 for the nested list.

@aleon1220 aleon1220 left a comment

Thank you so much!

@dorbin dorbin merged commit fbfd466 into spinnaker:master Sep 18, 2020
dorbin commented Sep 18, 2020

Thanks for all the work, Andres! And all the re-doing of the work. 😃

2. Switch to the AWS Account you want to create the roll for.
3. Go to **Roles > Create Role**.
4. Select EC2. You can change this later, because we want to specify an explicit consumer of this role in a later stage.
5. For permissions, search for "PowerUserAccess" and select this policy. This gives the role permission to access AWS services.
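Review bot: step 2 reads "roll" where it should say "role". Step 5 attaches the AWS-managed PowerUserAccess policy, which grants far more than a Spinnaker deploy role needs; reference the narrower Spinnaker-specific policy discussed in this thread (autoscaling, cloudwatch, ec2, elasticloadbalancing, plus iam:PassRole and iam:ListServerCertificates), or at least tell readers to scope the role down once the provider works.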
PowerUserAccess is broader access than Spinnaker really needs; there used to be a very specific policy document doc that had what Spinnaker needs; we should refer to that here. I think that Armory at least has an up-to-date, narrower policy to refer to.

What access do you recommend?
The policy is AWS managed; it should be ok...

@avram avram Oct 5, 2020

The PowerUserAccess policy is extremely broad. Unfortunately it looks like the Armory docs also now recommend PowerUserAccess.

This is the policy I'm using now, which at least limits access to the core services Spinnaker needs, although it would need to be broadened to account for CloudFormation and Lambda and potentially other small revisions. This or a similar policy used to be present in the Spinnaker docs (or perhaps the Armory docs).

```json
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Sid": "Stmt1486065689000",
            "Effect": "Allow",
            "Action": [
                "autoscaling:CreateAutoScalingGroup",
                "autoscaling:CreateLaunchConfiguration",
                "autoscaling:CreateOrUpdateTags",
                "autoscaling:DeleteAutoScalingGroup",
                "autoscaling:DeleteLaunchConfiguration",
                "autoscaling:DeletePolicy",
                "autoscaling:DeleteScheduledAction",
                "autoscaling:DeleteTags",
                "autoscaling:DescribeAutoScalingGroups",
                "autoscaling:DescribeLaunchConfigurations",
                "autoscaling:DescribeLoadBalancers",
                "autoscaling:DescribePolicies",
                "autoscaling:DescribeScalingActivities",
                "autoscaling:DescribeScheduledActions",
                "autoscaling:DetachInstances",
                "autoscaling:DisableMetricsCollection",
                "autoscaling:EnableMetricsCollection",
                "autoscaling:PutLifecycleHook",
                "autoscaling:PutNotificationConfiguration",
                "autoscaling:PutScalingPolicy",
                "autoscaling:PutScheduledUpdateGroupAction",
                "autoscaling:ResumeProcesses",
                "autoscaling:SuspendProcesses",
                "autoscaling:TerminateInstanceInAutoScalingGroup",
                "autoscaling:UpdateAutoScalingGroup",
                "cloudwatch:DeleteAlarms",
                "cloudwatch:DescribeAlarms",
                "cloudwatch:GetMetricStatistics",
                "cloudwatch:ListMetrics",
                "cloudwatch:PutMetricAlarm",
                "ec2:AttachClassicLinkVpc",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:CreateSecurityGroup",
                "ec2:CreateTags",
                "ec2:DeleteSecurityGroup",
                "ec2:DeleteTags",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeAddresses",
                "ec2:DescribeAvailabilityZones",
                "ec2:DescribeClassicLinkInstances",
                "ec2:DescribeImages",
                "ec2:DescribeInstances",
                "ec2:DescribeKeyPairs",
                "ec2:DescribeRegions",
                "ec2:DescribeReservedInstances",
                "ec2:DescribeReservedInstancesOfferings",
                "ec2:DescribeSecurityGroups",
                "ec2:DescribeSpotPriceHistory",
                "ec2:DescribeSubnets",
                "ec2:DescribeTags",
                "ec2:DescribeVpcClassicLink",
                "ec2:DescribeVpcs",
                "ec2:GetConsoleOutput",
                "ec2:ModifyImageAttribute",
                "ec2:ModifyInstanceAttribute",
                "ec2:RebootInstances",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:TerminateInstances",
                "elasticloadbalancing:ApplySecurityGroupsToLoadBalancer",
                "elasticloadbalancing:ConfigureHealthCheck",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:CreateLoadBalancerListeners",
                "elasticloadbalancing:CreateLoadBalancerPolicy",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancerListeners",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DeregisterInstancesFromLoadBalancer",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:DescribeInstanceHealth",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:DescribeLoadBalancerPolicies",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterInstancesWithLoadBalancer",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:SetLoadBalancerPoliciesOfListener",
                "elasticloadbalancing:SetSecurityGroups",
                "iam:ListServerCertificates",
                "iam:PassRole"
            ],
            "Resource": [
                "*"
            ]
        }
    ]
}
```
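Added example, not code from the PR, the Spinnaker docs or any commenter: it covers both the manual cross-account role set-up reviewed above (the role created in develop/staging that later gets one explicit consumer instead of the EC2 default) and the PowerUserAccess versus scoped-policy discussion in this thread. Account ids, role names and the two embedded policy excerpts are constructed placeholders.

```python
import json
# Constructed placeholders (assumptions, not values from the PR or the docs).
MANAGING_ACCOUNT = "111111111111"        # account where Spinnaker lives
MANAGING_ROLE = "SpinnakerManagingRole"  # role Spinnaker runs under there


def trust_policy(managing_account: str, managing_role: str) -> dict:
    """Trust policy for the role created in develop/staging: swaps the EC2
    default from step 4 for one explicit consumer, the managing account's role."""
    principal = f"arn:aws:iam::{managing_account}:role/{managing_role}"
    return {"Version": "2012-10-17",
            "Statement": [{"Effect": "Allow",
                           "Principal": {"AWS": principal},
                           "Action": "sts:AssumeRole"}]}


def _as_list(value) -> list:
    return [value] if isinstance(value, str) else list(value or [])


def lint_policy(policy: dict) -> list:
    """Flag grants that make a permissions policy broader than a deploy role needs."""
    findings = []
    for stmt in policy.get("Statement", []):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action"))
        resources = _as_list(stmt.get("Resource"))
        if "NotAction" in stmt:  # Allow + NotAction = every API except the list
            findings.append("NotAction allow grants every API not listed")
        if any(a == "*" or a.endswith(":*") for a in actions):
            findings.append("wildcard Action grants a whole service or every API")
        if "iam:PassRole" in actions and "*" in resources:
            findings.append("iam:PassRole on Resource '*' can attach any role to "
                            "launched instances; scope it to instance-profile role ARNs")
    return findings


# Constructed excerpt in the shape of the scoped policy posted in this thread.
SCOPED_POLICY = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "Resource": ["*"],
    "Action": ["autoscaling:CreateAutoScalingGroup", "ec2:DescribeInstances",
               "iam:PassRole"]}]}
# Shape of a power-user style policy (constructed, not AWS's exact document).
POWER_USER_STYLE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow", "NotAction": ["iam:*", "organizations:*"], "Resource": "*"}]}

if __name__ == "__main__":
    print(json.dumps(trust_policy(MANAGING_ACCOUNT, MANAGING_ROLE), indent=2))
    print(lint_policy(SCOPED_POLICY), lint_policy(POWER_USER_STYLE))
```

Running the linter over the full policy quoted above reports only the unscoped `iam:PassRole`, while the power-user shape trips the NotAction check regardless of which services it excludes.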

A customer managed policy is cumbersome for an organization. It is an interesting concept to try to reduce risk, but it is just too much to handle.

With CloudFormation StackSets and AWS Organizations it is quite feasible to have a customer managed policy.

The power user policy is an irresponsible one and it reflects poorly on the product to recommend it.

@aleon1220 aleon1220 Oct 6, 2020

@avram I understand. If that's the case, I highly encourage you to improve the CloudFormation templates that use the AWS IAM policies at https://github.com/spinnaker/spinnaker.github.io/tree/master/downloads/aws
