From b0d424d585ef050758e093a376c1e1c1eb437aea Mon Sep 17 00:00:00 2001 From: Vladimir Andjelkoski Date: Thu, 30 Jan 2025 13:50:41 +0100 Subject: [PATCH 1/5] docs(VpcPeering): improve tutorial to identify correct principals --- docs/user/resources/04-30-10-aws-vpc-peering.md | 9 +++++++-- docs/user/resources/04-30-30-azure-vpc-peering.md | 7 +++++++ docs/user/tutorials/01-30-10-aws-vpc-peering.md | 7 +++---- docs/user/tutorials/01-30-30-azure-vpc-peering.md | 5 ++--- 4 files changed, 19 insertions(+), 9 deletions(-) diff --git a/docs/user/resources/04-30-10-aws-vpc-peering.md b/docs/user/resources/04-30-10-aws-vpc-peering.md index 54767b609..71ea2933b 100644 --- a/docs/user/resources/04-30-10-aws-vpc-peering.md +++ b/docs/user/resources/04-30-10-aws-vpc-peering.md @@ -14,8 +14,8 @@ Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/ Use the following table to identify Cloud Manager principal based on your Kyma landscape: -| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal | -|------------------------------------|----------------------------------------|------------------------------------------------------------| +| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal ARN | +|------------------------------------|----------------------------------------|--------------------------------------------------------------| | https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` | | https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod` | 
@@ -62,6 +62,11 @@ Use the following table to identify Cloud Manager principal based on your Kyma l 3. Attach the **CloudManagerPeeringAccess** policy to the **CloudManagerPeeringRole**: +## Required Actions in the Remote Project + +Before creating the VPC peering, please tag your AWS account VPC with the Kyma shoot name tag. +For more information, check the [Create Virtual Private Cloud Peering in Amazon Web Services](../tutorials/01-30-10-aws-vpc-peering.md) tutorial. + ## Deleting `AwsVpcPeering` Kyma's underlying cloud provider VPC peering connection is deleted as a part of AwsVpcPeering deletion. The remote VPC diff --git a/docs/user/resources/04-30-30-azure-vpc-peering.md b/docs/user/resources/04-30-30-azure-vpc-peering.md index 58d7e39dc..371b55216 100644 --- a/docs/user/resources/04-30-30-azure-vpc-peering.md +++ b/docs/user/resources/04-30-30-azure-vpc-peering.md @@ -24,6 +24,13 @@ And assign the following Identity and Access Management (IAM) roles to the Cloud * Classic Network Contributor * Network Contributor +## Required Actions in the Remote Project + +Before creating the VPC peering, please tag your Azure subscription VPC with the Kyma shoot name tag. +For more information, check the [Create Virtual Private Cloud Peering in Microsoft Azure](../tutorials/01-30-30-azure-vpc-peering.md) tutorial. + + + ## Deleting `AzureVpcPeering` Kyma's underlying cloud provider VPC peering connection is deleted as a part of the AzureVpcPeering deletion. The remote VPC diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index f228d3292..323237fdb 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md 
@@ -16,11 +16,10 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne export AWS_REGION={REGION} ``` -2. Create a trust policy document. +2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering?id=authorization) to identify Cloud Manager principal ARN: ```shell - export PRINCIPAL_PROFILE_AWS_ACCOUNT_ID=194230256199 - export USER_NAME=cloud-manager-peering-dev + export PRINCIPAL_ARN=`arn:aws:iam::194230256199:user/cloud-manager-peering-stage` cat > trust_policy.json <<- EOF { "Version": "2012-10-17", @@ -28,7 +27,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne { "Effect": "Allow", "Principal": { - "AWS": "arn:aws:iam::$PRINCIPAL_PROFILE_AWS_ACCOUNT_ID:user/$USER_NAME" + "AWS": "$PRINCIPAL_ARN" }, "Action": "sts:AssumeRole" } diff --git a/docs/user/tutorials/01-30-30-azure-vpc-peering.md b/docs/user/tutorials/01-30-30-azure-vpc-peering.md index d3a58a164..e8d109666 100644 --- a/docs/user/tutorials/01-30-30-azure-vpc-peering.md +++ b/docs/user/tutorials/01-30-30-azure-vpc-peering.md @@ -16,11 +16,10 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne az account set --subscription $SUBSCRIPTION ``` -2. Assign the required roles to the Cloud Manager peering service principal: - +2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering?id=authorization) to identify Cloud Manager service principal: ```shell export SUBSCRIPTION_ID=$(az account show --query id -o tsv) - export PRINCIPAL_NAME=kyma-cloud-manager-peering-stage + export PRINCIPAL_NAME={PRINCIPAL_NAME} export OBJECT_ID=$(az ad sp list --display-name $PRINCIPAL_NAME --query "[].id" -o tsv) az role assignment create --assignee $OBJECT_ID \ From e6e70d9f30e66d98d7ca53440977de7f83828708 Mon Sep 17 00:00:00 2001 
From: Vladimir Andjelkoski Date: Thu, 30 Jan 2025 14:20:21 +0100 Subject: [PATCH 2/5] docs(VpcPeering): improve tutorial to identify correct principals --- docs/user/tutorials/01-30-10-aws-vpc-peering.md | 2 +- docs/user/tutorials/01-30-30-azure-vpc-peering.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index 323237fdb..61b57c2e3 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md @@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne export AWS_REGION={REGION} ``` -2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering?id=authorization) to identify Cloud Manager principal ARN: +2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md?id=authorization) to identify Cloud Manager principal ARN: ```shell export PRINCIPAL_ARN=`arn:aws:iam::194230256199:user/cloud-manager-peering-stage` diff --git a/docs/user/tutorials/01-30-30-azure-vpc-peering.md b/docs/user/tutorials/01-30-30-azure-vpc-peering.md index e8d109666..103c951b7 100644 --- a/docs/user/tutorials/01-30-30-azure-vpc-peering.md +++ b/docs/user/tutorials/01-30-30-azure-vpc-peering.md 
@@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne az account set --subscription $SUBSCRIPTION ``` -2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering?id=authorization) to identify Cloud Manager service principal: +2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md?id=authorization) to identify Cloud Manager service principal: ```shell export SUBSCRIPTION_ID=$(az account show --query id -o tsv) export PRINCIPAL_NAME={PRINCIPAL_NAME} From 87ca77461bc83ecfcf81255603549c0d9920c43b Mon Sep 17 00:00:00 2001 From: Vladimir Andjelkoski Date: Thu, 30 Jan 2025 15:05:12 +0100 Subject: [PATCH 3/5] docs(VpcPeering): improve tutorial to identify correct principals --- docs/user/resources/04-30-10-aws-vpc-peering.md | 2 +- docs/user/tutorials/01-30-10-aws-vpc-peering.md | 6 +++--- docs/user/tutorials/01-30-30-azure-vpc-peering.md | 4 ++-- 3 files changed, 6 insertions(+), 6 deletions(-) diff --git a/docs/user/resources/04-30-10-aws-vpc-peering.md b/docs/user/resources/04-30-10-aws-vpc-peering.md index 71ea2933b..b93049bfa 100644 --- a/docs/user/resources/04-30-10-aws-vpc-peering.md +++ b/docs/user/resources/04-30-10-aws-vpc-peering.md 
@@ -14,7 +14,7 @@ Cloud Manager uses [`AssumeRole`](https://awscli.amazonaws.com/v2/documentation/ Use the following table to identify Cloud Manager principal based on your Kyma landscape: -| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal ARN | +| BTP cockpit URL | Kyma dashboard URL | Cloud Manager principal | |------------------------------------|----------------------------------------|--------------------------------------------------------------| | https://canary.cockpit.btp.int.sap | https://dashboard.stage.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` | | https://emea.cockpit.btp.cloud.sap | https://dashboard.kyma.cloud.sap | `arn:aws:iam::194230256199:user/cloud-manager-peering-prod` | diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index 61b57c2e3..a811c6e67 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md @@ -16,10 +16,10 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne export AWS_REGION={REGION} ``` -2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md?id=authorization) to identify Cloud Manager principal ARN: +2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md?id=authorization) to identify Cloud Manager principal: ```shell - export PRINCIPAL_ARN=`arn:aws:iam::194230256199:user/cloud-manager-peering-stage` + export CLOUD_MANAGER_PRINCIPAL=`arn:aws:iam::194230256199:user/cloud-manager-peering-stage` cat > trust_policy.json <<- EOF { "Version": "2012-10-17", @@ -27,7 +27,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne { "Effect": "Allow", "Principal": { - "AWS": "$PRINCIPAL_ARN" + "AWS": "$CLOUD_MANAGER_PRINCIPAL" }, "Action": "sts:AssumeRole" } 
diff --git a/docs/user/tutorials/01-30-30-azure-vpc-peering.md b/docs/user/tutorials/01-30-30-azure-vpc-peering.md index 103c951b7..51b00d632 100644 --- a/docs/user/tutorials/01-30-30-azure-vpc-peering.md +++ b/docs/user/tutorials/01-30-30-azure-vpc-peering.md @@ -19,8 +19,8 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne 2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md?id=authorization) to identify Cloud Manager service principal: ```shell export SUBSCRIPTION_ID=$(az account show --query id -o tsv) - export PRINCIPAL_NAME={PRINCIPAL_NAME} - export OBJECT_ID=$(az ad sp list --display-name $PRINCIPAL_NAME --query "[].id" -o tsv) + export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL} + export OBJECT_ID=$(az ad sp list --display-name $CLOUD_MANAGER_PRINCIPAL --query "[].id" -o tsv) az role assignment create --assignee $OBJECT_ID \ --role "Network Contributor" \ From 2592e0943e55068b9f7c54956f1681de3b50105c Mon Sep 17 00:00:00 2001 From: Vladimir Andjelkoski Date: Thu, 30 Jan 2025 15:07:21 +0100 Subject: [PATCH 4/5] docs(VpcPeering): improve tutorial to identify correct principals --- docs/user/tutorials/01-30-10-aws-vpc-peering.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index a811c6e67..cd2a86edf 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md 
@@ -19,7 +19,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne 2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md?id=authorization) to identify Cloud Manager principal: ```shell - export CLOUD_MANAGER_PRINCIPAL=`arn:aws:iam::194230256199:user/cloud-manager-peering-stage` + export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL} cat > trust_policy.json <<- EOF { "Version": "2012-10-17", From 43ff7ce9773158c631eb18de06b7f30a998a8757 Mon Sep 17 00:00:00 2001 From: Vladimir Andjelkoski Date: Thu, 30 Jan 2025 15:26:42 +0100 Subject: [PATCH 5/5] docs(VpcPeering): improve tutorial to identify correct principals --- docs/user/tutorials/01-30-10-aws-vpc-peering.md | 2 +- docs/user/tutorials/01-30-30-azure-vpc-peering.md | 2 +- 2 files changed, 2 insertions(+), 2 deletions(-) diff --git a/docs/user/tutorials/01-30-10-aws-vpc-peering.md b/docs/user/tutorials/01-30-10-aws-vpc-peering.md index cd2a86edf..40011b818 100644 --- a/docs/user/tutorials/01-30-10-aws-vpc-peering.md +++ b/docs/user/tutorials/01-30-10-aws-vpc-peering.md @@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne export AWS_REGION={REGION} ``` -2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md?id=authorization) to identify Cloud Manager principal: +2. Create a trust policy document. See [AwsVpcPeering Custom Resource](../resources/04-30-10-aws-vpc-peering.md#authorization) to identify Cloud Manager principal: ```shell export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL} diff --git a/docs/user/tutorials/01-30-30-azure-vpc-peering.md b/docs/user/tutorials/01-30-30-azure-vpc-peering.md index 51b00d632..301ea9b7d 100644 --- a/docs/user/tutorials/01-30-30-azure-vpc-peering.md +++ b/docs/user/tutorials/01-30-30-azure-vpc-peering.md 
@@ -16,7 +16,7 @@ This tutorial explains how to create a Virtual Private Cloud (VPC) peering conne az account set --subscription $SUBSCRIPTION ``` -2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md?id=authorization) to identify Cloud Manager service principal: +2. Assign the required roles to the Cloud Manager peering service principal. See [AzureVpcPeering Custom Resource](../resources/04-30-30-azure-vpc-peering.md#authorization) to identify Cloud Manager service principal: ```shell export SUBSCRIPTION_ID=$(az account show --query id -o tsv) export CLOUD_MANAGER_PRINCIPAL={CLOUD_MANAGER_PRINCIPAL}
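Review bot: in patch 1, docs/user/tutorials/01-30-10-aws-vpc-peering.md, the added line `export PRINCIPAL_ARN=\`arn:aws:iam::194230256199:user/cloud-manager-peering-stage\`` puts the ARN in backticks, which the shell treats as command substitution: it tries to run `arn:aws:iam::194230256199:user/cloud-manager-peering-stage` as a command, the variable ends up empty, and the unquoted heredoc writes `"AWS": ""` into trust_policy.json, so the reader gets a failing `create-role` rather than a role trusting Cloud Manager. Quote the value with single quotes instead (`export PRINCIPAL_ARN='arn:aws:iam::194230256199:user/cloud-manager-peering-stage'`). The same backtick form survives the rename to `CLOUD_MANAGER_PRINCIPAL` in patch 3 and only disappears when patch 4 swaps in the `{CLOUD_MANAGER_PRINCIPAL}` placeholder. Hardcoding the stage user here is also a problem on its own: someone on the prod landscape who copies the step as written grants `sts:AssumeRole` to the stage principal listed in the table, so the placeholder, matching the `{REGION}` convention in the context line above, is the right fix and should be the form that lands.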
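Review bot: in patch 1, docs/user/tutorials/01-30-30-azure-vpc-peering.md, the new `export PRINCIPAL_NAME={PRINCIPAL_NAME}` feeds the unchanged lookup `export OBJECT_ID=$(az ad sp list --display-name $PRINCIPAL_NAME --query "[].id" -o tsv)`, and `az ad sp list --display-name` matches on the display name or its prefix while `[].id` returns every match. If more than one service principal in the tenant starts with that name, `$OBJECT_ID` holds several IDs and the following `az role assignment create --assignee $OBJECT_ID` no longer targets a single, known principal, which for a Network Contributor grant is the wrong way to fail. Suggest an exact match, for example `--filter "displayName eq '$PRINCIPAL_NAME'"`, plus a sentence telling the reader to confirm exactly one ID came back before running the role assignment, or, if the resource page can list it, identify the Cloud Manager principal by its application (client) ID rather than by display name, since display names are not unique. The same applies after the rename to `CLOUD_MANAGER_PRINCIPAL` in patch 3.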
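Review bot: in patch 1, docs/user/resources/04-30-10-aws-vpc-peering.md, the new "Required Actions in the Remote Project" section tells the reader to "tag your AWS account VPC with the Kyma shoot name tag" but names neither the tag key nor where the shoot name comes from, so the section is not actionable without following the link; either state the key and value here or say explicitly that the tutorial lists them. The heading says "Remote Project" while the body says "AWS account"; pick one term. "please" is unusual in reference docs and can go. Minor: the unchanged context line "Use the following table to identify Cloud Manager principal" is missing an article ("identify the Cloud Manager principal").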
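Review bot: in patch 1, docs/user/resources/04-30-30-azure-vpc-peering.md, "tag your Azure subscription VPC" uses AWS terminology; Azure calls the resource a virtual network (VNet), so "tag the virtual network (VNet) in your Azure subscription" is clearer even though the CR is named AzureVpcPeering. The same tag-key gap as in the AWS page applies here. The hunk also adds three consecutive blank lines before `## Deleting \`AzureVpcPeering\``; keep one.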
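Review bot: in patch 2, both tutorial hunks change the link target to `../resources/04-30-10-aws-vpc-peering.md?id=authorization` and `../resources/04-30-30-azure-vpc-peering.md?id=authorization`; the `?id=` query string is a docsify-style anchor that a plain Markdown renderer such as GitHub does not resolve to a heading, so the link lands at the top of the page. Patch 5 in this series replaces it with `#authorization`, which is the portable form; fold patches 2 and 5 together so the intermediate broken form never lands.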
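Review bot: in patch 3, docs/user/resources/04-30-10-aws-vpc-peering.md, the header cell goes back from "Cloud Manager principal ARN" to "Cloud Manager principal", reverting patch 1's rename while keeping the widened separator row, so the header and separator no longer line up. All five patches carry the same subject line and several undo each other (this header, the `PRINCIPAL_ARN` to `CLOUD_MANAGER_PRINCIPAL` to `{CLOUD_MANAGER_PRINCIPAL}` sequence in the AWS tutorial, the `?id=` to `#` link change); squash the series into one commit so the net change is what gets reviewed and bisected.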
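Review bot: in patch 5, both hunks now link to `#authorization`; confirm that each resource page has a heading that actually renders to that anchor (the visible context only shows the "Cloud Manager uses AssumeRole" paragraph and the principal table, not the heading above them), and that the docs site the `?id=` form in patch 2 was written for also accepts the `#` form, otherwise the step text "to identify Cloud Manager principal" points the reader at the wrong place on the page.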