aws only public subnets coverage

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly-4.18-upgrade-from-stable-4.18.yaml

@@ -294,7 +294,7 @@ tests:
     test:
     - chain: openshift-upgrade-qe-test
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-mini-perm-f60
+- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f60
   cron: 11 5 11 2,4,6,8,10,12 *
   steps:
     cluster_profile: aws-qe
@@ -303,7 +303,7 @@ tests:
       BASE_DOMAIN: qe.devcluster.openshift.com
     test:
     - chain: openshift-upgrade-qe-test
-    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace
+    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
 - as: aws-sc2s-ipi-disc-priv-fips-f60
   cron: 55 15 13 2,4,6,8,10,12 *
   steps:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.18__amd64-nightly.yaml

@@ -1033,16 +1033,17 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-mini-perm-f7
+- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f7
   cron: 1 19 5,12,19,28 * *
   steps:
     cluster_profile: aws-qe
     env:
       AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
       BASE_DOMAIN: qe.devcluster.openshift.com
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
     test:
     - chain: openshift-e2e-test-qe
-    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace
+    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
 - as: aws-ipi-workers-marketplace-mini-perm-f28-destructive
   cron: 59 15 16 * *
   steps:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.18.yaml

@@ -295,15 +295,16 @@ tests:
     test:
     - chain: openshift-upgrade-qe-test
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-f28
+- as: aws-ipi-workers-marketplace-public-subnets-f28
   cron: 12 6 26 * *
   steps:
     cluster_profile: aws-qe
     env:
       BASE_DOMAIN: qe.devcluster.openshift.com
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
     test:
     - chain: openshift-upgrade-qe-test
-    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace
+    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
 - as: aws-sc2s-ipi-disc-priv-fips-f28
   cron: 51 1 14 * *
   steps:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly-4.19-upgrade-from-stable-4.19.yaml

@@ -310,16 +310,17 @@ tests:
     test:
     - chain: openshift-upgrade-qe-test
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-mini-perm-f60
+- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f60
   cron: 53 18 15 2,4,6,8,10,12 *
   steps:
     cluster_profile: aws-qe
     env:
       AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
       BASE_DOMAIN: qe.devcluster.openshift.com
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
     test:
     - chain: openshift-upgrade-qe-test
-    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace
+    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
 - as: aws-sc2s-ipi-disc-priv-fips-f60
   cron: 52 7 15 1,3,5,7,9,11 *
   steps:

ci-operator/config/openshift/openshift-tests-private/openshift-openshift-tests-private-release-4.19__amd64-nightly.yaml

@@ -1068,16 +1068,17 @@ tests:
     test:
     - chain: openshift-e2e-test-qe-destructive
     workflow: cucushift-installer-rehearse-aws-ipi-edge-zone-cco-manual-security-token-service
-- as: aws-ipi-workers-marketplace-mini-perm-f7
+- as: aws-ipi-workers-marketplace-public-subnets-mini-perm-f7
   cron: 30 5 6,13,20,29 * *
   steps:
     cluster_profile: aws-qe
     env:
       AWS_INSTALL_USE_MINIMAL_PERMISSIONS: "yes"
       BASE_DOMAIN: qe.devcluster.openshift.com
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
     test:
     - chain: openshift-e2e-test-qe
-    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace
+    workflow: cucushift-installer-rehearse-aws-ipi-workers-marketplace-byo-subnets
 - as: aws-ipi-workers-marketplace-mini-perm-f28-destructive
   cron: 35 2 14 * *
   steps:

ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.18.yaml

@@ -121,6 +121,19 @@ tests:
       ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false"
       OCP_ARCH: arm64
     workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role
+- as: aws-ipi-byo-subnets-only-public-arm-f14
+  cron: 34 18 1,17 * *
+  steps:
+    cluster_profile: aws-qe
+    dependencies:
+      OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m6g.xlarge
+      CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge
+      OCP_ARCH: arm64
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
+    workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets
 - as: aws-ipi-default-mini-perm-arm-f7
   cron: 56 23 6,15,22,29 * *
   steps:

ci-operator/config/openshift/verification-tests/openshift-verification-tests-master__installation-nightly-4.19.yaml

@@ -121,6 +121,19 @@ tests:
       ENABLE_BYO_IAM_ROLE_DEFAULT_MACHINE: "false"
       OCP_ARCH: arm64
     workflow: cucushift-installer-rehearse-aws-ipi-byo-iam-role
+- as: aws-ipi-byo-subnets-only-public-arm-f14
+  cron: 32 8 8,24 * *
+  steps:
+    cluster_profile: aws-qe
+    dependencies:
+      OPENSHIFT_INSTALL_RELEASE_IMAGE_OVERRIDE: release:arm64-latest
+    env:
+      BASE_DOMAIN: qe.devcluster.openshift.com
+      COMPUTE_NODE_TYPE: m6g.xlarge
+      CONTROL_PLANE_INSTANCE_TYPE: m6g.xlarge
+      OCP_ARCH: arm64
+      OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY: "true"
+    workflow: cucushift-installer-rehearse-aws-ipi-byo-subnets
 - as: aws-ipi-default-mini-perm-arm-f7
   cron: 7 21 4,11,20,27 * *
   steps:

ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-commands.sh

@@ -74,6 +74,13 @@ Parameters:
     - "no"
     Description: "Create a dhcpOptionSet with a custom DNS name"
     Type: String
+  OnlyPublicSubnets:
+    Default: "no"
+    AllowedValues:
+    - "yes"
+    - "no"
+    Description: "Only create public subnets"
+    Type: String
   AllowedAvailabilityZoneList:
     ConstraintDescription: "Select AZs from this list, e.g. 'us-east-2c,us-east-2a'"
     Type: CommaDelimitedList
@@ -108,6 +115,10 @@ Conditions:
   DoAz3: !Equals [3, !Ref AvailabilityZoneCount]
   DoAz2: !Or [!Equals [2, !Ref AvailabilityZoneCount], Condition: DoAz3]
   DoDhcp: !Equals ["yes", !Ref DhcpOptionSet]
+  DoOnlyPublicSubnets: !Equals ["yes", !Ref OnlyPublicSubnets]
+  DoAz1PrivateSubnet: !Not [Condition: DoOnlyPublicSubnets]
+  DoAz2PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz2 ]
+  DoAz3PrivateSubnet: !And [ !Not [Condition: DoOnlyPublicSubnets], Condition: DoAz3 ]
   AzRestriction: !Not [ !Equals [!Join ['', !Ref AllowedAvailabilityZoneList], ''] ]
   ShareSubnets: !Not [ !Equals ['', !Ref ResourceSharePrincipals] ]
 
@@ -124,6 +135,12 @@ Resources:
   PublicSubnet:
     Type: "AWS::EC2::Subnet"
     Properties:
+      MapPublicIpOnLaunch:
+        !If [
+              "DoOnlyPublicSubnets",
+              "true",
+              "false"
+            ]
       VpcId: !Ref VPC
       CidrBlock: !Select [0, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
       AvailabilityZone:
@@ -136,6 +153,12 @@ Resources:
     Type: "AWS::EC2::Subnet"
     Condition: DoAz2
     Properties:
+      MapPublicIpOnLaunch:
+        !If [
+              "DoOnlyPublicSubnets",
+              "true",
+              "false"
+            ]
       VpcId: !Ref VPC
       CidrBlock: !Select [1, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
       AvailabilityZone:
@@ -148,6 +171,12 @@ Resources:
     Type: "AWS::EC2::Subnet"
     Condition: DoAz3
     Properties:
+      MapPublicIpOnLaunch:
+        !If [
+              "DoOnlyPublicSubnets",
+              "true",
+              "false"
+            ]
       VpcId: !Ref VPC
       CidrBlock: !Select [2, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
       AvailabilityZone:
@@ -193,6 +222,7 @@ Resources:
       RouteTableId: !Ref PublicRouteTable
   PrivateSubnet:
     Type: "AWS::EC2::Subnet"
+    Condition: DoAz1PrivateSubnet
     Properties:
       VpcId: !Ref VPC
       CidrBlock: !Select [3, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
@@ -203,18 +233,21 @@ Resources:
               !Select [0, Fn::GetAZs: !Ref "AWS::Region"]
             ]
   PrivateRouteTable:
+    Condition: DoAz1PrivateSubnet
     Type: "AWS::EC2::RouteTable"
     Properties:
       VpcId: !Ref VPC
   PrivateSubnetRouteTableAssociation:
     Type: "AWS::EC2::SubnetRouteTableAssociation"
+    Condition: DoAz1PrivateSubnet
     Properties:
       SubnetId: !Ref PrivateSubnet
       RouteTableId: !Ref PrivateRouteTable
   NAT:
     DependsOn:
     - GatewayToInternet
     Type: "AWS::EC2::NatGateway"
+    Condition: DoAz1PrivateSubnet
     Properties:
       AllocationId:
         "Fn::GetAtt":
@@ -227,6 +260,7 @@ Resources:
       Domain: vpc
   Route:
     Type: "AWS::EC2::Route"
+    Condition: DoAz1PrivateSubnet
     Properties:
       RouteTableId:
         Ref: PrivateRouteTable
@@ -235,7 +269,7 @@ Resources:
         Ref: NAT
   PrivateSubnet2:
     Type: "AWS::EC2::Subnet"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       VpcId: !Ref VPC
       CidrBlock: !Select [4, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
@@ -247,20 +281,20 @@ Resources:
             ]
   PrivateRouteTable2:
     Type: "AWS::EC2::RouteTable"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       VpcId: !Ref VPC
   PrivateSubnetRouteTableAssociation2:
     Type: "AWS::EC2::SubnetRouteTableAssociation"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       SubnetId: !Ref PrivateSubnet2
       RouteTableId: !Ref PrivateRouteTable2
   NAT2:
     DependsOn:
     - GatewayToInternet
     Type: "AWS::EC2::NatGateway"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       AllocationId:
         "Fn::GetAtt":
@@ -269,12 +303,12 @@ Resources:
       SubnetId: !Ref PublicSubnet2
   EIP2:
     Type: "AWS::EC2::EIP"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       Domain: vpc
   Route2:
     Type: "AWS::EC2::Route"
-    Condition: DoAz2
+    Condition: DoAz2PrivateSubnet
     Properties:
       RouteTableId:
         Ref: PrivateRouteTable2
@@ -283,7 +317,7 @@ Resources:
         Ref: NAT2
   PrivateSubnet3:
     Type: "AWS::EC2::Subnet"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       VpcId: !Ref VPC
       CidrBlock: !Select [5, !Cidr [!Ref VpcCidr, 6, !Ref SubnetBits]]
@@ -295,20 +329,20 @@ Resources:
             ]
   PrivateRouteTable3:
     Type: "AWS::EC2::RouteTable"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       VpcId: !Ref VPC
   PrivateSubnetRouteTableAssociation3:
     Type: "AWS::EC2::SubnetRouteTableAssociation"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       SubnetId: !Ref PrivateSubnet3
       RouteTableId: !Ref PrivateRouteTable3
   NAT3:
     DependsOn:
     - GatewayToInternet
     Type: "AWS::EC2::NatGateway"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       AllocationId:
         "Fn::GetAtt":
@@ -317,12 +351,12 @@ Resources:
       SubnetId: !Ref PublicSubnet3
   EIP3:
     Type: "AWS::EC2::EIP"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       Domain: vpc
   Route3:
     Type: "AWS::EC2::Route"
-    Condition: DoAz3
+    Condition: DoAz3PrivateSubnet
     Properties:
       RouteTableId:
         Ref: PrivateRouteTable3
@@ -465,8 +499,7 @@ if (( ZONES_COUNT > MAX_ZONES_COUNT )); then
 fi
 
 # The above cloudformation template's max zones account is 3
-if [[ "${ZONES_COUNT}" -gt 3 ]]
-then
+if [[ "${ZONES_COUNT}" -gt 3 ]]; then
   ZONES_COUNT=3
 fi
 
@@ -483,6 +516,10 @@ if [[ ${ENABLE_SHARED_VPC} == "yes" ]]; then
   aws_add_param_to_json "ResourceSharePrincipals" ${CLUSTER_CREATOR_AWS_ACCOUNT_NO} "$vpc_params"
 fi
 
+if [[ "${OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY}" == "true" ]]; then
+    aws_add_param_to_json "OnlyPublicSubnets" "yes" "$vpc_params"
+fi
+
 if [[ -n "${VPC_CIDR}" ]]; then
      aws_add_param_to_json "VpcCidr" ${VPC_CIDR} "$vpc_params"
 fi

ci-operator/step-registry/aws/provision/vpc/shared/aws-provision-vpc-shared-ref.yaml

@@ -31,5 +31,9 @@ ref:
     default: ""
     documentation: |-
       Set VPC CIDR, e.g. '10.0.0.0/16'
+  - name: OPENSHIFT_INSTALL_AWS_PUBLIC_ONLY
+    default: ""
+    documentation: |-
+      Whether to use only public subnets for AWS. Implies no NAT Gateways.
   documentation: |-
     Create a shared VPC.

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/cucushift-installer-rehearse-aws-ipi-byo-subnets-workflow.yaml

@@ -0,0 +1,9 @@
+workflow:
+  as: cucushift-installer-rehearse-aws-ipi-byo-subnets
+  steps: 
+    pre:
+    - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-provision
+    post:
+    - chain: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision
+  documentation: |-
+    This is the workflow to trigger Prow's rehearsal test when submitting installer steps/chain/workflow

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/OWNERS

@@ -0,0 +1,8 @@
+approvers:
+- yunjiang29
+- jianlinliu
+- gpei
+reviewers:
+- yunjiang29
+- jianlinliu
+- gpei

ci-operator/step-registry/cucushift/installer/rehearse/aws/ipi/byo-subnets/deprovision/cucushift-installer-rehearse-aws-ipi-private-deprovision-chain.yaml

@@ -0,0 +1,8 @@
+chain:
+  as: cucushift-installer-rehearse-aws-ipi-byo-subnets-deprovision
+  steps:
+  - chain: cucushift-installer-rehearse-aws-ipi-deprovision
+  - ref: aws-deprovision-security-group
+  - ref: aws-deprovision-stacks
+  documentation: |-
+    Destroy cluster