Installing Guardium Data Security Center on Red Hat OpenShift service on Amazon Web Services (ROSA)

Use the guardcenter-cli utility to install Guardium® Data Security Center on Red Hat OpenShift service on Amazon Web Services (ROSA).

Before you begin

Install CLI tools, log in to the AWS CLI, set up policy permissions, obtain your entitlement key, and log in to your Red Hat® OpenShift® cluster.
  1. Install the following CLI tools before you install Guardium Data Security Center on ROSA.

    For more information about CLI tools, see System requirements for the Guardium Data Security Center command-line interface utility.

    The following table includes the CLI tools, their supported information, links to download the tools, and the validation commands to use to verify that the tools are installed successfully.
    Tool: AWS CLI
      Supported version: 2.21.0 or later
      Download information: Installing or updating to the latest version of the AWS CLI (https://docs.aws.amazon.com/cli/latest/userguide/getting-started-install.html)
      Validation command: aws --version
    Tool: jq
      Supported version: 1.6 or later
      Download information: Download jq (https://jqlang.github.io/jq/download/)
      Validation command: jq --version
    Tool: Wget
      Supported version: 1.21.1 or later
      Download information: Choose one of the following options:
        • GNU Wget (https://www.gnu.org/software/wget/).
        • On macOS, you can use the Homebrew command:
          brew install wget
      Validation command: wget --version
  2. Log in to the AWS CLI with either IAM user credentials or short-term credentials. In both cases, the AWS CLI authenticates with a session token.

    If you are using a federated user or already have a valid session token, you do not need to generate a token. Verify that your environment variables are set:

    export AWS_ACCESS_KEY_ID=<Your-Access-Key-ID>
    export AWS_SECRET_ACCESS_KEY=<Your-Secret-Access-Key>
    export AWS_SESSION_TOKEN=<Your-Session-Token>

    For more information, see Authenticating with short-term credentials for the AWS CLI (https://docs.aws.amazon.com/cli/v1/userguide/cli-authentication-short-term.html).

    If you are using IAM user credentials, you must generate a session token.
    1. Configure your AWS credentials and region:
      aws configure
    2. Obtain a session token.
      aws sts get-session-token --duration-seconds 10800
      Important: Session tokens are valid for 3 hours. Complete the installation process within 3 hours to ensure a successful installation.
      The following example shows a successful output:
      {
          "Credentials": {
              "AccessKeyId": "ASIAIOSFODNN7EXAMPLE",
              "SecretAccessKey": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYzEXAMPLEKEY",
              "SessionToken": "AQoEXAMPLEH4aoAH0gNCAPyJxz4BlCFFxWNE1OPTgk5TthT+FvwqnKwRcOIfrRh3c/LTo6UDdyJwOOvEVPvLXCrrrUtdnniCEXAMPLE/IvU1dYUg2RVAJBanLiHb4IgRmpRV3zrkuWJOgQs8IZZaIv2BXIa2R4OlgkBN9bkUDNCJiBeb/AXlzBBko7b15fjrBs2+cTQtpZ3CYWFXG8C5zqx37wnOE49mRl/+OtkIKGO7fAE",
              "Expiration": "2020-05-19T18:06:10+00:00"
          }
      }
    3. Set the session token in your environment:
      export AWS_ACCESS_KEY_ID=<Your-Access-Key-ID>
      export AWS_SECRET_ACCESS_KEY=<Your-Secret-Access-Key>
      export AWS_SESSION_TOKEN=<Your-Session-Token>

    For more information about the get-session-token command, see get-session-token AWS CLI reference (https://awscli.amazonaws.com/v2/documentation/api/latest/reference/sts/get-session-token.html).

  3. Ask your AWS administrator to create a policy with the following permissions and attach it to your IAM account so that you have the permissions that are required to install ROSA.

    {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Effect": "Allow",
                "Action": [
                    "iam:SimulatePrincipalPolicy",
                    "iam:PassRole",
                    "sts:AssumeRole",
                    "iam:CreateRole",
                    "sts:AssumeRoleWithWebIdentity",
                    "iam:CreatePolicy",
                    "iam:GetPolicy",
                    "sts:GetCallerIdentity",
                    "iam:GetRole",
                    "iam:CreatePolicyVersion",
                    "iam:DeletePolicyVersion",
                    "iam:TagPolicy",
                    "iam:ListRoles",
                    "iam:ListRoleTags",
                    "iam:ListPolicyTags",
                    "iam:GetPolicyVersion",
                    "iam:ListAttachedUserPolicies",
                    "iam:AttachRolePolicy",
                    "iam:DeleteOpenIDConnectProvider",
                    "iam:SetDefaultPolicyVersion",
                    "iam:CreateOpenIDConnectProvider",
                    "iam:TagOpenIDConnectProvider",
                    "iam:UntagOpenIDConnectProvider",
                    "iam:UpdateOpenIDConnectProviderThumbprint",
                    "iam:ListOpenIDConnectProviders",
                    "iam:GetOpenIDConnectProvider",
                    "iam:UpdateAssumeRolePolicy",
                    "iam:ListPolicyVersions",
                    "iam:*",
                    "support:*",
                    "kms:*"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:CreateRole",
                    "iam:DeleteRole",
                    "iam:ListAttachedUserPolicies",
                    "iam:PassRole",
                    "iam:TagPolicy",
                    "iam:GetRole",
                    "iam:ListPolicyVersions",
                    "iam:UpdateAssumeRolePolicy",
                    "iam:AttachRolePolicy",
                    "iam:ListRoles",
                    "iam:DetachRolePolicy",
                    "iam:CreateOpenIDConnectProvider",
                    "iam:DeleteOpenIDConnectProvider",
                    "iam:TagOpenIDConnectProvider",
                    "iam:UntagOpenIDConnectProvider",
                    "iam:UpdateOpenIDConnectProviderThumbprint",
                    "iam:ListOpenIDConnectProviders",
                    "iam:GetOpenIDConnectProvider",
                    "iam:DeletePolicyVersion",
                    "iam:TagRole",
                    "iam:ListRoleTags",
                    "iam:CreatePolicyVersion",
                    "iam:ListPolicyTags",
                    "iam:GetPolicyVersion",
                    "iam:UntagRole",
                    "iam:SetDefaultPolicyVersion",
                    "sts:AssumeRole",
                    "sts:AssumeRoleWithWebIdentity",
                    "iam:SimulatePrincipalPolicy"
                ],
                "Resource": [
                    "arn:aws:iam::*:role/ManagedOpenShift-Installer-Role",
                    "arn:aws:iam::*:role/ManagedOpenShift-ControlPlane-Role",
                    "arn:aws:iam::*:role/ManagedOpenShift-Worker-Role",
                    "arn:aws:iam::*:role/ManagedOpenShift-Support-Role",
                    "arn:aws:iam::*:role/*openshift-*"
                ]
            },
            {
                "Effect": "Allow",
                "Action": [
                    "ec2:DescribeInstances",
                    "ec2:DescribeSubnets",
                    "ec2:DescribeSecurityGroups",
                    "ec2:CreateSecurityGroup",
                    "ec2:DeleteSecurityGroup",
                    "ec2:AuthorizeSecurityGroupIngress",
                    "ec2:RevokeSecurityGroupIngress",
                    "ec2:CreateTags",
                    "ec2:DeleteTags",
                    "ec2:DescribeTags",
                    "ec2:CreateVolume",
                    "ec2:DeleteVolume",
                    "ec2:DescribeVolumes",
                    "ec2:DescribeVpcAttribute",
                    "ec2:ModifyVpcAttribute",
                    "ec2:AllocateAddress",
                    "ec2:ReleaseAddress",
                    "ec2:DescribeVpcs",
                    "ec2:CreateVpc",
                    "ec2:DeleteVpc",
                    "ec2:CreateRoute",
                    "ec2:DeleteRoute",
                    "ec2:CreateSubnet",
                    "ec2:DeleteSubnet",
                    "ec2:DescribeRouteTables",
                    "ec2:AssociateRouteTable",
                    "ec2:DisassociateRouteTable",
                    "ec2:CreateNatGateway",
                    "ec2:DeleteNatGateway",
                    "ec2:DescribeNatGateways",
                    "ec2:DescribeNetworkInterfaces",
                    "ec2:DeleteNetworkInterface",
                    "ec2:CreateInternetGateway",
                    "ec2:AttachInternetGateway",
                    "ec2:DetachInternetGateway",
                    "ec2:DeleteInternetGateway",
                    "ec2:DescribeInternetGateways",
                    "ec2:AttachVolume",
                    "ec2:DetachVolume",
                    "ec2:ModifyVolume",
                    "ec2:DescribeVolumesModifications",
                    "ec2:DescribeVolumeStatus",
                    "ec2:DescribeVolumeAttribute",
                    "ec2:DescribeAddresses",
                    "ec2:TerminateInstances",
                    "ec2:RunInstances",
                    "ec2:StartInstances",
                    "ec2:StopInstances",
                    "ec2:RebootInstances",
                    "ec2:CreateNetworkAcl",
                    "ec2:DescribeNetworkAcls"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "elasticloadbalancing:*",
                    "autoscaling:*",
                    "cloudwatch:*",
                    "s3:ListBucket",
                    "s3:GetObject",
                    "s3:PutObject",
                    "s3:DeleteObject",
                    "s3:GetBucketPolicy",
                    "s3:PutBucketPolicy",
                    "s3:TagResource",
                    "s3:UntagResource",
                    "s3:ListAllMyBuckets"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "route53:ListHostedZones",
                    "route53:ChangeResourceRecordSets",
                    "route53:CreateHostedZone",
                    "route53:DeleteHostedZone",
                    "route53:GetHostedZone",
                    "route53:ListResourceRecordSets",
                    "route53:AssociateVPCWithHostedZone",
                    "route53:DisassociateVPCFromHostedZone",
                    "route53:GetChange"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "secretsmanager:GetSecretValue",
                    "secretsmanager:ListSecrets",
                    "secretsmanager:CreateSecret",
                    "secretsmanager:DeleteSecret",
                    "secretsmanager:TagResource",
                    "secretsmanager:UntagResource",
                    "secretsmanager:UpdateSecret"
                ],
                "Resource": "*",
                "Condition": {
                    "StringEquals": {
                        "aws:ResourceTag/red-hat-managed": "true"
                    }
                }
            },
            {
                "Effect": "Allow",
                "Action": [
                    "eks:DescribeCluster",
                    "eks:CreateCluster",
                    "eks:DeleteCluster",
                    "eks:ListClusters",
                    "eks:UpdateClusterConfig",
                    "eks:TagResource",
                    "eks:UntagResource",
                    "eks:DescribeNodegroup",
                    "eks:CreateNodegroup",
                    "eks:DeleteNodegroup",
                    "eks:UpdateNodegroupConfig"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "servicequotas:GetServiceQuota",
                    "servicequotas:ListAWSDefaultServiceQuotas",
                    "servicequotas:RequestServiceQuotaIncrease"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "iam:GetPolicy",
                    "iam:CreatePolicy",
                    "iam:DeletePolicy",
                    "iam:ListAttachedRolePolicies",
                    "iam:CreateInstanceProfile",
                    "iam:ListInstanceProfiles"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "logs:CreateLogGroup",
                    "logs:CreateLogStream",
                    "logs:PutLogEvents"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "servicequotas:GetServiceQuota",
                    "servicequotas:ListAWSDefaultServiceQuotas",
                    "servicequotas:RequestServiceQuotaIncrease",
                    "servicequotas:ListServiceQuotas",
                    "servicequotas:ListServices",
                    "servicequotas:GetRequestedServiceQuotaChange"
                ],
                "Resource": "*"
            },
            {
                "Effect": "Allow",
                "Action": [
                    "elasticfilesystem:CreateFileSystem",
                    "elasticfilesystem:DescribeFileSystems",
                    "elasticfilesystem:CreateMountTarget",
                    "elasticfilesystem:DescribeMountTargets",
                    "elasticfilesystem:DeleteMountTarget",
                    "elasticfilesystem:CreateTags",
                    "elasticfilesystem:DescribeTags",
                    "elasticfilesystem:DeleteTags",
                    "elasticfilesystem:TagResource",
                    "elasticfilesystem:*"
                ],
                "Resource": "*"
            }
        ]
    }
    For more information, see the following AWS documentation pages:
  4. Obtain your entitlement key for installing Guardium Data Security Center. For more information, see Obtaining your entitlement key (https://myibm.ibm.com/products-services/containerlibrary).

  5. Use your ROSA token to log in to Red Hat OpenShift. Obtain the token from the ROSA Token Console (https://console.redhat.com/openshift/token/rosa).
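The policy in step 3 is long enough that what it actually grants is easy to miss: its first statement includes iam:*, support:* and kms:*, which already cover every individually listed IAM action in that statement, and Allow statements with Resource "*" are only narrowed where a Condition is present (the secretsmanager statement). The following Python script is an added example, not part of this documentation and not part of guardcenter-cli. It reads a policy document and reports service-wide wildcard actions, explicit actions that a wildcard in the same statement makes redundant, actions listed twice, and Allow statements that pair Resource "*" with no Condition; it also refuses to parse a document with JSON syntax errors such as a trailing comma. SAMPLE_POLICY is a constructed subset of the statements above; pass a file path as the first argument to review the full policy before it is handed to your AWS administrator.

```python
"""Static review of an IAM policy document before it is attached to an installer identity.

Added example for this page, not IBM's code. SAMPLE_POLICY is a constructed
subset of the ROSA installer policy shown above; pass a file path as the first
argument to review the full policy instead.
"""
import json
import sys
from collections import Counter

SAMPLE_POLICY = json.dumps({
    "Version": "2012-10-17",
    "Statement": [
        {   # mirrors the page's first statement: explicit actions next to service wildcards
            "Effect": "Allow",
            "Action": [
                "iam:SimulatePrincipalPolicy",
                "iam:PassRole",
                "iam:DeleteOpenIDConnectProvider",
                "iam:DeleteOpenIDConnectProvider",  # constructed duplicate
                "iam:*",
                "support:*",
                "kms:*",
            ],
            "Resource": "*",
        },
        {   # Resource "*" narrowed by a tag condition, as on the page
            "Effect": "Allow",
            "Action": ["secretsmanager:GetSecretValue"],
            "Resource": "*",
            "Condition": {"StringEquals": {"aws:ResourceTag/red-hat-managed": "true"}},
        },
        {   # scoped to a named role ARN
            "Effect": "Allow",
            "Action": ["sts:AssumeRole"],
            "Resource": ["arn:aws:iam::*:role/ManagedOpenShift-Installer-Role"],
        },
    ],
})


def _as_list(value):
    """IAM accepts a string or a list for Action and Resource; normalise to a list."""
    return value if isinstance(value, list) else [value]


def wildcard_actions(statement):
    """Actions of the form 'service:*' or a bare '*'."""
    return [a for a in _as_list(statement.get("Action", [])) if a == "*" or a.endswith(":*")]


def redundant_actions(statement):
    """Explicit actions that a wildcard in the same statement already grants."""
    actions = _as_list(statement.get("Action", []))
    wild_services = {w.split(":")[0] for w in wildcard_actions(statement)}
    if "*" in wild_services:
        return sorted({a for a in actions if a != "*"})
    return sorted({a for a in actions
                   if not a.endswith(":*") and a.split(":")[0] in wild_services})


def duplicate_actions(statement):
    """Actions listed more than once in one statement."""
    counts = Counter(_as_list(statement.get("Action", [])))
    return sorted(a for a, n in counts.items() if n > 1)


def unconditioned_star_resource(statement):
    """True when Resource is '*' and no Condition narrows the grant."""
    return "*" in _as_list(statement.get("Resource", [])) and not statement.get("Condition")


def review_policy(policy_text):
    """Return (statement_index, finding, detail) tuples for every Allow statement."""
    policy = json.loads(policy_text)  # raises ValueError on trailing commas and other syntax errors
    findings = []
    for i, stmt in enumerate(policy["Statement"]):
        if stmt.get("Effect") != "Allow":
            continue
        findings += [(i, "wildcard-action", a) for a in wildcard_actions(stmt)]
        findings += [(i, "redundant-action", a) for a in redundant_actions(stmt)]
        findings += [(i, "duplicate-action", a) for a in duplicate_actions(stmt)]
        if unconditioned_star_resource(stmt):
            findings.append((i, "unconditioned-resource-star", "Resource: *"))
    return findings


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_POLICY
    for idx, kind, detail in review_policy(text):
        print(f"statement[{idx}] {kind}: {detail}")
```

The script is a review aid only: it does not rewrite the policy, and a finding such as a redundant action is information for the person who decides what the installer identity should be allowed to do, not an automatic change.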

Procedure

  1. Install the Guardium Data Security Center CLI.
  2. Create a .tfvars file in the current directory:
    touch config.tfvars
  3. Add the required configuration to config.tfvars.
    The following example shows what a config.tfvars includes:
    cluster_name          = "rosa-cluster"
    region                = "us-east-1"           # Change to your preferred region
    worker_machine_type   = "m6i.4xlarge"         # Adjust based on your deployment needs
    worker_machine_count  = "6"                   # Six is the minimum worker node count for IBM Guardium Data Security Center size small. Adjust based on your deployment needs
    rosa_token            = "your-rosa-token"     # Get Rosa token from here - https://console.redhat.com/openshift/token/rosa/show
    aws_access_key_id     = "your-aws-access-key-id"
    aws_secret_access_key = "your-aws-secret-access-key"
    aws_session_token     = "your-aws-session-token"
    The following table lists the required configuration variables and their descriptions:
    Table 1. Required configuration variables for ROSA installation
    cluster_name
      The name of the ROSA cluster that you are creating.
      • Maximum 15 character length.
      • Valid characters include lowercase letters, numbers, and hyphens.
      • Must start with a letter and end with a letter or number.
    rosa_token
      The token that you must use when you log in to your Red Hat account.
    aws_access_key_id
      Your AWS access key ID.
    aws_secret_access_key
      Your AWS secret access key.
    aws_session_token
      Your AWS session token. It is required for secure authentication.
    region
      The AWS region where you want to deploy the ROSA cluster. For information about AWS regional availability, see AWS Services by Region (https://aws.amazon.com/about-aws/global-infrastructure/regional-product-services/).
      The following list includes examples of AWS regions:
      • us-east-1
      • us-west-2
      • eu-west-1
      • ap-southeast-1
    worker_machine_type
      The instance type for worker nodes in the ROSA cluster.
      The minimum requirement for the instance type is m6i.4xlarge, which includes 16 vCPUs and 64 GB of RAM. Choose an instance that meets or exceeds these requirements to install Guardium Data Security Center.
      For more information about supported instance types, see Amazon EC2 Instance types (https://aws.amazon.com/ec2/instance-types/).
    worker_machine_count
      The number of worker nodes to provision for the cluster.
      The minimum value is 6.


  4. Update the entitlement key, cloud type, and Guardium Data Security Center version:
    export entitlement_key="your-entitlement-key" # Get entitlement key from here - https://myibm.ibm.com/products-services/containerlibrary
    export cloud_type="aws_rosa"
    export case_version="2.6.1"                   # Must match the ${case_version} that the install command expands
  5. Install Guardium Data Security Center by using the guardcenter-cli utility:
    guardcenter-cli manage install all \
    --cloud-provider ${cloud_type} \
    --var-file config.tfvars \
    --registry-password ${entitlement_key} \
    --case-version ${case_version}
  6. Optional: To obtain cluster login information, run the following command:
    cat ${HOME}/installer-files/.creds
  7. Optional: To delete a ROSA cluster, see Deleting a ROSA cluster (https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-sts-deleting-cluster.html).
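The constraints in Table 1 (cluster_name length and character rules, the minimum of 6 worker nodes, every variable present) are only enforced once guardcenter-cli hands the file to the ROSA provisioning step, which is a slow place to learn that a name has an underscore in it. The following Python script is an added example, not IBM's code and not part of guardcenter-cli. It parses the quoted key = "value" lines of a config.tfvars file in the form shown in step 3 (trailing # comments are ignored; unquoted values are rejected) and lists every violation before the install is started, including placeholder credentials that were never replaced. Both sample files are constructed for the example.

```python
"""Preflight validation of config.tfvars against the constraints in Table 1.

Added example for this page, not IBM's code and not part of guardcenter-cli.
Parses the quoted key = "value" form shown in the procedure and reports every
violation before the install is started. Both sample files are constructed.
"""
import re

REQUIRED = ("cluster_name", "rosa_token", "aws_access_key_id",
            "aws_secret_access_key", "aws_session_token", "region",
            "worker_machine_type", "worker_machine_count")
SECRET_KEYS = ("rosa_token", "aws_access_key_id", "aws_secret_access_key", "aws_session_token")

# Table 1: lowercase letters, digits, hyphens; starts with a letter; ends with a letter or digit.
CLUSTER_NAME_RE = re.compile(r"^[a-z]([a-z0-9-]*[a-z0-9])?$")
# key = "value"   # optional trailing comment
LINE_RE = re.compile(r'^\s*([A-Za-z_][A-Za-z0-9_]*)\s*=\s*"([^"]*)"\s*(#.*)?$')

GOOD_TFVARS = '''
cluster_name          = "rosa-cluster"
region                = "us-east-1"
worker_machine_type   = "m6i.4xlarge"
worker_machine_count  = "6"
rosa_token            = "constructed-rosa-token"
aws_access_key_id     = "ASIAIOSFODNN7EXAMPLE"      # constructed, not a live key
aws_secret_access_key = "constructed-secret"
aws_session_token     = "constructed-session-token"
'''

BAD_TFVARS = '''
cluster_name          = "Rosa_Cluster_Too_Long-"   # wrong case, underscores, trailing hyphen, 22 chars
region                = "us-east-1"
worker_machine_type   = "m6i.4xlarge"
worker_machine_count  = "3"                        # below the minimum of 6
rosa_token            = "your-rosa-token"          # placeholder left in place
aws_access_key_id     = "ASIAIOSFODNN7EXAMPLE"
aws_secret_access_key = "constructed-secret"
'''  # aws_session_token is missing entirely


def parse_tfvars(text):
    """Return a dict of the quoted string assignments in a .tfvars file."""
    values = {}
    for lineno, raw in enumerate(text.splitlines(), 1):
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        match = LINE_RE.match(raw)
        if not match:
            raise ValueError(f"line {lineno}: cannot parse {raw!r}")
        values[match.group(1)] = match.group(2)
    return values


def validate(values):
    """Return a list of problems; an empty list means the file passes."""
    problems = []
    for key in REQUIRED:
        if not values.get(key):
            problems.append(f"{key}: missing or empty")
    name = values.get("cluster_name", "")
    if name and len(name) > 15:
        problems.append("cluster_name: longer than 15 characters")
    if name and not CLUSTER_NAME_RE.match(name):
        problems.append("cluster_name: use lowercase letters, numbers and hyphens; "
                        "start with a letter and end with a letter or number")
    count = values.get("worker_machine_count", "")
    if count and not count.isdigit():
        problems.append("worker_machine_count: not a whole number")
    elif count and int(count) < 6:
        problems.append("worker_machine_count: minimum is 6")
    for key in SECRET_KEYS:
        if values.get(key, "").startswith("your-"):
            problems.append(f"{key}: placeholder value still present")
    return problems


if __name__ == "__main__":
    for label, text in (("good", GOOD_TFVARS), ("bad", BAD_TFVARS)):
        problems = validate(parse_tfvars(text))
        print(f"{label}: {'OK' if not problems else ''}")
        for problem in problems:
            print("  -", problem)
```

The parser deliberately accepts only the quoted-string form that the procedure shows; it is not a general HCL parser, so a hand-edited file that uses unquoted numbers or maps is reported as unparseable rather than silently skipped.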