Deploying a controller node (Cloud(M))

Virtual Storage Platform One SDS Block Cloud Setup and Configuration Guide

Version
1.14.x
Audience
anonymous
Part Number
MK-24VSP1SDS008-01

This section describes how to use the EC2 console to configure a controller node, which is used to maintain a storage cluster configured from AWS Marketplace.

CAUTION:
  • To use EBS encryption, you need to add rights to access AWS Key Management Service to an IAM role created in this procedure. For details, see the AWS user guide.

  • Note the following additional requirement for the controller node on which the prerequisite packages are installed (as described later in Installing the prerequisite packages).

    Item

    Requirement

    OS

    SUSE Linux Enterprise Server 15 SP5 (64-bit) (x86)

Create an EC2 instance for a controller node that meets the requirements described in Controller node requirements, and deploy it in the subnet for the control network that you created in Configuring a storage cluster. If you deploy the EC2 instance for the controller node in a subnet other than the control network subnet, allow communication between that subnet and the control network subnet.

For example security group settings to allow communication, see Example security group settings for controller nodes. For supplementary information for OS image and settings for a controller node, see Additional information for controller node deployment (OS image and settings).

Also, when you deploy the EC2 instance for the controller node in a subnet other than the control network subnet, you must attach the security group for the control network (created in Configuring a storage cluster) to the EC2 instance, in addition to the preceding security group. To confirm which security group is the one for the control network, open the stack window of NetworkResources and refer to ControlSecurityGroup in the Resources tab, as described in step 12 of Configuring a storage cluster.

Attach an IAM role that has the following permissions to the controller node you created. Note that the policy below applies every listed action to all resources ("Resource": "*"), including iam:PassRole and sts:AssumeRole; check this against your organization's least-privilege requirements before use.

{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Action": [
                "cloudformation:CreateStack",
                "cloudformation:DeleteStack",
                "cloudformation:DescribeStacks",
                "cloudformation:ListStacks",
                "cloudformation:DescribeStackEvents",
                "cloudformation:UpdateStack",
                "cloudformation:ContinueUpdateRollback",
                "cloudformation:ValidateTemplate",
                "cloudformation:DescribeStackResource",
                "cloudformation:DescribeStackResources",
                "cloudformation:ListStackResources",
                "cloudformation:CreateChangeSet",
                "cloudformation:ExecuteChangeSet",
                "cloudformation:DeleteChangeSet",
                "cloudformation:DescribeChangeSet",
                "cloudformation:ListChangeSets",
                "cloudformation:CreateUploadBucket",
                "cloudformation:GetTemplate",
                "cloudformation:GetTemplateSummary",
                "ec2:DescribeAccountAttributes",
                "ec2:DescribeInternetGateways",
                "ec2:CreateVpc",
                "ec2:ModifyVpcAttribute",
                "ec2:DeleteVpc",
                "ec2:DescribeVpcs",
                "ec2:CreateVpcEndpoint",
                "ec2:CreateVpcEndpointServiceConfiguration",
                "ec2:ModifyVpcEndpointServiceConfiguration",
                "ec2:DeleteVpcEndpoints",
                "ec2:DescribeVpcEndpoints",
                "ec2:DescribeAvailabilityZones",
                "ec2:CreateSubnet",
                "ec2:DeleteSubnet",
                "ec2:DescribeSubnets",
                "ec2:ModifySubnetAttribute",
                "ec2:DescribeRouteTables",
                "ec2:CreateNetworkAcl",
                "ec2:DeleteNetworkAcl",
                "ec2:DescribeNetworkAcls",
                "ec2:ReplaceNetworkAclAssociation",
                "ec2:CreateNetworkAclEntry",
                "ec2:DeleteNetworkAclEntry",
                "ec2:CreateSecurityGroup",
                "ec2:DeleteSecurityGroup",
                "ec2:DescribeSecurityGroups",
                "ec2:AuthorizeSecurityGroupEgress",
                "ec2:RevokeSecurityGroupEgress",
                "ec2:AuthorizeSecurityGroupIngress",
                "ec2:RevokeSecurityGroupIngress",
                "ec2:CreateNetworkInterface",
                "ec2:DeleteNetworkInterface",
                "ec2:DescribeNetworkInterfaces",
                "ec2:AttachNetworkInterface",
                "ec2:DetachNetworkInterface",
                "ec2:ModifyNetworkInterfaceAttribute",
                "ec2:AssignPrivateIpAddresses",
                "ec2:RunInstances",
                "ec2:StartInstances",
                "ec2:StopInstances",
                "ec2:TerminateInstances",
                "ec2:DescribeInstances",
                "ec2:ModifyInstanceAttribute",
                "ec2:DescribeInstanceStatus",
                "ec2:DescribeInstanceTypes",
                "ec2:DescribeInstanceTypeOfferings",
                "ec2:DescribeImages",
                "ec2:CreateKeyPair",
                "ec2:DeleteKeyPair",
                "ec2:DescribeKeyPairs",
                "ec2:CreateLaunchTemplate",
                "ec2:DeleteLaunchTemplate",
                "ec2:DescribeLaunchTemplates",
                "ec2:CreateLaunchTemplateVersion",
                "ec2:DescribeLaunchTemplateVersions",
                "ec2:CreateVolume",
                "ec2:DeleteVolume",
                "ec2:DescribeVolumes",
                "ec2:AttachVolume",
                "ec2:DetachVolume",
                "ec2:ModifyVolumeAttribute",
                "ec2:DescribeVolumesModifications",
                "ec2:CreateTags",
                "ec2:DeleteTags",
                "ec2:DescribeTags",
                "ec2:CreatePlacementGroup",
                "ec2:DeletePlacementGroup",
                "ec2:DescribePlacementGroups",
                "ec2:AssociateIamInstanceProfile",
                "ec2:ReplaceIamInstanceProfileAssociation",
                "ec2:DisassociateIamInstanceProfile",
                "ec2:DescribeIamInstanceProfileAssociations",
                "ec2:GetSerialConsoleAccessStatus",
                "ec2-instance-connect:SendSerialConsoleSSHPublicKey",
                "autoscaling:DescribeAutoScalingInstances",
                "elasticloadbalancing:CreateTargetGroup",
                "elasticloadbalancing:DeleteTargetGroup",
                "elasticloadbalancing:DescribeTargetGroups",
                "elasticloadbalancing:DescribeTargetGroupAttributes",
                "elasticloadbalancing:ModifyTargetGroupAttributes",
                "elasticloadbalancing:RegisterTargets",
                "elasticloadbalancing:DeregisterTargets",
                "elasticloadbalancing:ModifyTargetGroup",
                "elasticloadbalancing:DescribeTargetHealth",
                "elasticloadbalancing:CreateLoadBalancer",
                "elasticloadbalancing:DeleteLoadBalancer",
                "elasticloadbalancing:DescribeLoadBalancers",
                "elasticloadbalancing:DescribeLoadBalancerAttributes",
                "elasticloadbalancing:ModifyLoadBalancerAttributes",
                "elasticloadbalancing:SetIpAddressType",
                "elasticloadbalancing:SetSubnets",
                "elasticloadbalancing:CreateListener",
                "elasticloadbalancing:DeleteListener",
                "elasticloadbalancing:DescribeListeners",
                "elasticloadbalancing:ModifyListener",
                "elasticloadbalancing:CreateRule",
                "elasticloadbalancing:DeleteRule",
                "elasticloadbalancing:DescribeRules",
                "elasticloadbalancing:ModifyRule",
                "elasticloadbalancing:SetRulePriorities",
                "elasticloadbalancing:DescribeAccountLimits",
                "elasticloadbalancing:AddTags",
                "elasticloadbalancing:RemoveTags",
                "elasticloadbalancing:DescribeTags",
                "s3:CreateBucket",
                "s3:ListBucket",
                "s3:PutObject",
                "s3:GetObject",
                "s3:GetObjectVersion",
                "aws-portal:ViewBilling",
                "iam:PassRole",
                "iam:GetRole",
                "iam:ListRoles",
                "iam:GetRolePolicy",

                "iam:ListAttachedRolePolicies",
                "iam:AddRoleToInstanceProfile",
                "iam:RemoveRoleFromInstanceProfile",
                "iam:CreateInstanceProfile",
                "iam:DeleteInstanceProfile",
                "iam:GetInstanceProfile",
                "iam:ListInstanceProfiles",
                "iam:ListInstanceProfilesForRole",
                "iam:TagInstanceProfile",
                "iam:UntagInstanceProfile",
                "iam:ListInstanceProfileTags",
                "iam:CreateServiceLinkedRole",
                "iam:GetServiceLinkedRoleDeletionStatus",
                "iam:DeleteServiceLinkedRole",
                "sts:AssumeRole",
                "ssm:GetParameter",
                "ssm:PutParameter",
                "ssm:DeleteParameter"
            ],
            "Resource": "*",
            "Effect": "Allow"
        }
    ]
}