Bug 1924080

Summary: [aws-c2s] failed to create bootstrap cf stack for UPI cluster
Product: OpenShift Container Platform Reporter: Yunfei Jiang <yunjiang>
Component: Installer Assignee: aos-install
Installer sub component: openshift-installer QA Contact: Yunfei Jiang <yunjiang>
Status: CLOSED DEFERRED Docs Contact:
Severity: low    
Priority: low CC: bleanhar, mstaeble
Version: 4.7   
Target Milestone: ---   
Target Release: ---   
Hardware: Unspecified   
OS: Unspecified   
Last Closed: 2021-08-02 17:24:30 UTC Type: Bug

Description Yunfei Jiang 2021-02-02 14:49:41 UTC
Trying to install a UPI cluster on C2S, but creating the bootstrap stack failed.

Stack Event:
RegisterBootstrapApiTarget CREATE_FAILED Custom Resource failed to stabilize in expected time

Additional info:
Tried to change the following services to lambda.c2s.ic.gov and ec2.c2s.ic.gov:
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/02_cluster_infra.yaml#L245
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/02_cluster_infra.yaml#L310
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/04_cluster_bootstrap.yaml#L112
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L498
https://github.com/openshift/installer/blob/master/upi/aws/cloudformation/03_cluster_security.yaml#L563

But got the following error (ec2 as an example):
Invalid principal in policy: "SERVICE":"ec2.c2s.ic.gov" (Service: AmazonIdentityManagement; Status Code: 400; Error Code: MalformedPolicyDocument; Request ID: 0e94202b-e374-49f3-b0b6-0451d523d3a6; Proxy: null)

Per the C2S user guide, ec2.c2s.ic.gov should be valid:

```
* Amazon Resource Names (ARNs) (p. 38) and endpoints (p. 36) have different values. The value for a Principle: Service: key in a AWS CloudFormation Template is also different.
In C2S it would look like this:
"Statement": [
  {
    "Effect": "Allow",
    "Principal": {
      "Service": [ "ec2.c2s.ic.gov" ]
    },
    "Action": [ "sts:AssumeRole" ]
  }
]
```

Looks like the CF templates need to be updated if UPI is supported in C2S.
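
An added example, not part of the original report and not the installer's own code: before retargeting templates for another partition, a line-based scan can list every `Service:` principal with its line number so none is missed, and flag values that are not a plain dotted name (for instance a stray space picked up when copying from a PDF). The expected suffix is supplied by the caller as an assumption, and the template fragment is constructed.

```python
import re

# Constructed trust-policy fragment (not taken from the installer templates).
SAMPLE_TEMPLATE = """\
Statement:
- Effect: "Allow"
  Principal:
    Service:
    - "ec2.amazonaws.com"
  Action: "sts:AssumeRole"
- Effect: "Allow"
  Principal:
    Service: "lambda.c2s.ic.gov "
  Action: "sts:AssumeRole"
"""

SERVICE_KEY = re.compile(r"^(\s*)Service:\s*(.*)$")
LIST_ITEM = re.compile(r"^(\s*)-\s+(.+)$")
DOTTED_NAME = re.compile(r"^[a-z0-9-]+(\.[a-z0-9-]+)+$")

def service_principals(text):
    """Return (line_no, raw_value) pairs; line-based, so !Ref/!Sub tags are harmless."""
    lines, found = text.splitlines(), []
    for i, line in enumerate(lines):
        key = SERVICE_KEY.match(line)
        if not key:
            continue
        indent, inline = len(key.group(1)), key.group(2).strip()
        if inline:  # scalar or flow list on the same line
            found += [(i + 1, v.strip()) for v in inline.strip("[]").split(",")]
            continue
        for j in range(i + 1, len(lines)):  # block list under the key
            item = LIST_ITEM.match(lines[j])
            if not item or len(item.group(1)) < indent:
                break
            found.append((j + 1, item.group(2).strip()))
    return found

def audit(text, expected_suffix):
    """Label each principal 'ok', 'other-suffix' or 'malformed'."""
    report = []
    for line_no, raw in service_principals(text):
        quoted = len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'"
        value = raw[1:-1] if quoted else raw
        status = ("malformed" if not DOTTED_NAME.match(value) else
                  "ok" if value.endswith("." + expected_suffix) else "other-suffix")
        report.append((line_no, value, status))
    return report
```

Running `audit()` over each template file with the suffix the target partition expects gives a per-line list to review before the stacks are created.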

Comment 2 Russell Teague 2021-08-02 17:24:30 UTC
Closing with no feedback.